VFETs are (Almost) Solid State Tubes
We always enjoy videos from [w2aew]. His recent entry looks at vertical FETs, or VFETs, which are, as he puts it, a JFET that thinks it is a triode. He clearly explains how the transistor works as a conductor unless you bias the gate to form a depletion zone.
The transistors have a short channel, which means they conduct quite well. The low gate resistance and capacitance mean the devices can also switch very quickly. These devices were once in vogue for audio applications. However, they’d fallen out of favor until recently. The reason is that they work quite well in switching power supplies.
How good is the on resistance? So good that his meter reported the probes were shorted instead of measuring the resistance. Pretty good. We’ve seen these VFET transistors used as switches to drive magnetic field coils many years ago and they replaced much more complex circuitry.
The curve tracer in the video is a beautiful instrument of its own. The digital displays give it a high tech yet retro look. A curve tracer, if you haven’t used one, plots stepped voltages against current flowing, and is very useful for examining semiconductor devices. While not as fancy, it is possible to make one to connect to a scope quite easily.
We are pretty sure that it is a Tektronix 576. We watched a repair of a similar unit, the 577, if you’d like to see some (probably) similar insides.
Hackaday Links: October 26, 2025
There was a bit of a kerfuffle this week with the news that an airliner had been hit by space junk. The plane, a United Airlines 737, was operating at 36,000 feet on a flight between Denver and Los Angeles when the right windscreen was completely shattered by the impact, peppering the arm of one pilot with bits of glass. Luckily, the heavily reinforced laminated glass stayed intact, but the flight immediately diverted to Salt Lake City and landed safely with no further injuries. The “space junk” report apparently got started by the captain, who reported that they saw what hit them and that “it looked like space debris.”
We were a little skeptical of this initial assessment, mainly because the pilots and everyone aboard the flight were still alive, which we’d assume would be spectacularly untrue had the plane been hit by anything beyond the smallest bit of space junk. As it turns out, our suspicions were justified when Silicon Valley startup WindBorne Systems admitted that one of its high-altitude balloons hit the flight. The company, which uses HABs to gather weather data for paying customers, seems to have complied with all the pertinent regulations, like filing a NOTAM, so why the collision happened is a bit of a mystery.
Their blog post about the incident contains a clue, though, since they have made an immediate change to “minimize time spent between 30,000 and 40,000 feet,” which is the sweet spot for commercial aviation. They also state that future changes will allow them to monitor flight tracking data and autonomously avoid planes. From this, we gather that the balloons can at least control their altitude, which perhaps means this one somehow got stuck at 36,000 feet. We’d love to know more about these HABs; we wonder if there’s any way to track and recover these things like there is for radiosondes?
In other initially fake news, there was a bit of a stir in amateur radio circles with a report that Hytera ham radios were being banned from sale in the U.S. The report came in a video from Matt Covers Tech, and suggested that Hytera’s handy talkie radios had somehow fallen afoul of regulators. We did some checking around but couldn’t come up with anything to back up this claim until the indispensable Josh (KI6NAZ) over at Ham Radio Crash Course got ahold of the story and did his usual bang-up analysis. TL;DW — no, Hytera handy talkies are not being banned from sale in the U.S., but yes, the company does seem to be in a heap of trouble with the FCC and the federal government over some of their other shenanigans, to the point of felony indictments.
Back in the day, pranks were pretty simple and, with the possible exception of a burning poop-filled paper bag catching the bushes next to your front step on fire, mostly harmless. But pranks seem to scale with time and with technology, to the point where it’s now possible to stuff a dead-end street with 50 Waymo robotaxis. The stunt, which prankster Riley Walz describes in high-tech terms as “the world’s first Waymo DDoS” attack — we seriously doubt that — was carried out in a decidedly low-tech manner by enlisting 50 co-conspirators to simultaneously order a ride to San Francisco’s longest dead-end street. The Jaguar robotaxis dutifully reported to the address, packing the narrow street with waiting cars. Nobody got into the cars, resulting in a $5 missed-ride charge, but even if the riders did show up, we assume the autonomous cars would have had the robot equivalent of a stroke trying to figure out how to get out of each other’s way. Like most pranks, it was pretty cool as long as you weren’t the one on the receiving end. It’s not clear whether there were any repercussions for Riley — again, we doubt it — but we can imagine there would have been had anyone on that street needed fire or EMS while the attack was in progress.
If you’ve been worried about AI, you’re not alone. And while there’s plenty to be concerned about, according to Andy Masley, water use by AI data centers shouldn’t be one of them. In his excellent analysis, he looks at all the details of AI water use and comes to the convincing conclusion that, all things considered, U.S. data centers really don’t use that much water — about 0.2% of the 132 billion gallons consumed nationwide every day. Even then, that fraction of a percent includes the water needed to generate the electricity for those data centers; take that out, and the number drops to about 50 million gallons a day. And those figures are for all data centers; limited to just AI data centers, that number drops to about 0.008% of the freshwater consumed daily nationwide. We haven’t checked Andy’s math, of course, nor have we vetted his bona fides or checked to see if he has an axe to grind in this area. But it’s an eye-opening article nonetheless.
And finally, if you just can’t get enough of the surveillance state while you’re out in the world, you can now extend pervasive monitoring tech into the very heart of your home with the world’s first toilet wearable. The aptly named Throne One clips to the rim of your toilet and uses an array of sensors to monitor your gut health. The company doesn’t specify what sensors are used, but since the main data points seem to be where your poop falls on the Bristol Stool Scale and measuring hydration by urine color, there’s got to be a camera in there somewhere. There’s also allowance for multiple users, and while we suppose the polar opposite of facial recognition could be used to distinguish one butt from another, we’d imagine it would be simpler to determine who’s using the toilet via Bluetooth. There’s also a microphone, to listen in on “urinary dynamics” for those who pee standing up. Honestly, while we’d never actually use this thing, we’d love to do a teardown and see what’s inside. New in box only, of course.
Examining the First Mechanical Calculator
Blaise Pascal is known for a number of things, but we remember him best for the Pascaline, an early mechanical calculator. [Chris Staecker] got a chance to take a close look at one, which is quite a feat since there were only about 20 made, and today we only know where nine of them wound up.
This Pascaline was lost for many years, and turned up in an antique store, where they thought it was a music box of some kind. The recent owner passed away, and now this machine is going to go up for auction, probably for more than we can afford. While he wasn’t able to handle the antique, he has plenty of knock-offs that were made back when people actually used them, which wasn’t that long ago. One of these is transparent, so you can see the mechanism inside.
The idea is to use the wheels like an old-fashioned phone dial to add counts to an output wheel. A linkage moves the next input wheel every time the current output wheel passes nine. Of course, if you have a multi-digit carry, it might take a little more elbow grease than just flipping the dial one normal position.
The Pascaline could subtract, too, but modern versions use a more efficient method. Pascal was worried about the extra elbow grease required to push the carry, and the Pascaline actually stored energy to drive the carry mechanism. Pretty forward-thinking for someone building the very first mechanical calculator.
This Pascaline was unusual because it was made for surveying and used old French units. If it were made today, for example, it would have inch wheels that would carry a foot when they went past 11.
What a beautiful machine. You’d like to think that if you lived in the 1650s, you’d dream up this machine. But, to be honest, we probably wouldn’t. We can’t say anything about you.
We’ve seen Pascaline machines before, of course. While we love complex mechanical computers, there’s a certain charm to the simple ones, too.
Making Math Less Stressful with a Python Super-Calculator
In a recent write-up, [David Delony] explains how he built a Wolfram Mathematica-like engine with Python.
Core to the system is SymPy for symbolic math support. [David] said being able to work with symbolic math easily has helped his understanding of calculus and linear algebra. For statistics support he includes NumPy, pandas, and SciPy. NumPy is useful for creating multidimensional arrays and supports basic descriptive statistics such as mean, median, and standard deviation. pandas is a library for operating on tabular data arranged into “DataFrames”, and it can load data from spreadsheets (including Excel) and relational databases. SciPy is a “grab bag” of operations designed for scientific computing, and it includes some useful statistics operations, including common probability distributions such as the binomial, normal, and Student’s t-distribution.
For regression analysis [David] includes statsmodels and Pingouin. If you’re not familiar with the term “regression analysis” it basically refers to the process of curve fitting. When your data is two-dimensional, with one dependent variable, the simple linear regression algorithm will generate a function that fits the data as y = mx + b, including the slope (m) and the y-intercept (b); this can be extrapolated to higher dimensional data and other types of regression.
If you have an interest in symbolic math you might enjoy learning about Mathematica And Wolfram On The Raspberry Pi.
Spreadsheets Apple ][ Style
It is hard to remember a time when no one had a spreadsheet. Sure, you had big paper ledgers if you were an accountant. But most people just scribbled their math on note paper or, maybe, an engineering pad. [Christopher Drum] wanted to look at what the state of the art in 1978 spreadsheet technology could do. So he ran VisiCalc.
Surprisingly, VisiCalc got a lot of things right that we still use today. One thing we don’t see much of is the text-based menu. As [Christopher] puts it, when you press the slash key, “what first appears to be ‘the entire alphabet’ pops up at the top of the screen.” In reality, it is a menu of letters that each correspond to some command. For example, C will clear the sheet (after prompting you, of course).
Interestingly, VisiCalc of the day didn’t do a natural order of evaluation. It would process by rows or by columns, your choice. So if cell A1 depended on cell B5, you’d probably get a wrong answer since A1 would always be computed before B5. Interestingly, the old Apple didn’t have up and down keys, so you had to toggle what the right and left keys did using the space bar. Different times!
This is a great look into a very influential piece of software and its tutorials. If you have old VisiCalc files you want to drag into the 21st century, [Christopher] explains the convoluted process to get mostly there.
We’ve been known to abuse spreadsheets pretty badly, although we’ve seen worse.
HRV Gets Home Automation Upgrades
In our modern semi-dystopia, it seems like most companies add automation features to their products to lock them down and get consumers to buy even more proprietary, locked-down components. The few things that are still user-upgradable are getting fewer and farther between, but there are still a few things that can be modified and improved to our own liking like this control panel for a heat recovery ventilator (HRV).
HRVs are systems that exchange fresh, outside air with stale, inside air while passing them both through a heat exchanger to keep from wasting energy. Many systems run continuously but they aren’t always needed, so some automation is beneficial. This upgrade from [vincentmakes] replaces the default display of a Zehnder Comfoair Q350 HRV with a color display and adds the unit to a home automation system, letting a user control fan speeds remotely, alerting the user when it’s time for filter replacements, and providing up-to-date information from all the sensors in the HRV.
The project builds on a previous project which adapted an ESP32 to interact with the CAN bus used on these devices. With these upgrades the user can forgo the $300 proprietary upgrade that would be needed to get the same functionality otherwise. It’s also fully open-source so all that’s needed is to flash the firmware, replace the display, and enjoy the fresh air. There’s other modern HVAC equipment that can benefit from new controllers and a bit of automation as well.
While Pope Francis Is Alive and Continues His Ministry, Disinformation Gallops
An investigation conducted by the European Broadcasting Union (EBU), with the support of the BBC, has shown that the most popular chatbots tend to distort the news, altering its meaning, confusing sources and providing outdated data.
The project, in which 22 newsrooms from 18 countries took part, had experts submit thousands of standardized queries to ChatGPT, Microsoft Copilot, Google Gemini and Perplexity, comparing the answers obtained with what had actually been published.
The results were rather disturbing: about half of the answers contained significant errors, while minor inaccuracies were found in eight cases out of ten.
According to the report, 45% of the answers had significant problems, 31% had confused sources and 20% had serious errors such as invented data and wrong dates.
The check of references revealed that Gemini performed worst: 72% of its answers had incorrect or unverified sources. By comparison, ChatGPT showed errors of this kind in 24% of cases, while Perplexity and Copilot showed them in 15% each.
Meanwhile, the use of neural networks for news is growing. According to an Ipsos survey of 2,000 UK residents, 42% rely on chatbots to provide summaries and, among users under 35, the percentage drops to almost half. However, 84% of respondents said that even a single factual error drastically reduces trust in such systems. For the media, this means one thing: the more the public relies on automatic summaries, the greater the risk of reputational damage from any inaccuracies.
The researchers also provided illustrative examples from the study. While Gemini insisted that NASA has never had astronauts stranded in space, even though two of them spent nine months aboard the ISS waiting to return, ChatGPT stated that Pope Francis was continuing his ministry weeks after his death.
There was even a case in which the bot expressly advised against mistaking fiction for reality, a clear example of how a confident tone can conceal ignorance.
The project has become the largest study on the accuracy of news assistants. This scale (dozens of newsrooms, thousands of answers) rules out chance coincidences and shows that the problems are systemic. Different models make different mistakes, but they are fundamentally alike in one respect: they tend to “guess” the answer, even when they are not sure.
The developers themselves partly acknowledge this. In September, OpenAI published a report stating that model training sometimes encourages guessing rather than honest admissions of ignorance. And in May, Anthropic’s lawyers were forced to apologize to the court for documents containing false citations generated by their Claude model. These stories make clear why fluent text does not guarantee truthfulness.
To reduce the incidence of such errors, the project participants prepared a set of practical recommendations for developers and newsrooms. It describes requirements for transparent sources, principles for handling questionable data and a pre-publication verification mechanism. The main idea is simple: if the system is not sure, it should tell the user so rather than invent an answer.
The European Broadcasting Union warns that when people can no longer distinguish reliable information from a convincing imitation, trust in news in general collapses. To avoid this, newsrooms and technology companies will have to agree on common standards: accuracy should take priority over speed, and verification should take priority over impact.
The article While Pope Francis Is Alive and Continues His Ministry, Disinformation Gallops comes from Red Hot Cyber.
Gemini 3.0 Pro: Google Prepares for a Generational Leap and Aims to Surpass GPT-5 and Claude 4.5
In recent days, some users have received a notification informing them that their Gemini Advanced devices have been “upgraded from the previous generation model to version 3.0 Pro, the smartest model ever.”
This suggests that Google may be quietly launching its next-generation model. Based on early tests and leaks, Gemini 3.0 Pro is expected to significantly improve programming, user interface creation and multimodal reasoning capabilities; it could play a key role in Gemini Advanced, Google Workspace (Docs, Gmail, Slides) and Gemini Enterprise Edition.
Although the official launch date is not yet clear (it appears to be December), a good deal of information is starting to leak that gives us important details about Google’s strategy for launching this next-generation model.
Information revealed through early adopter channels
The most significant indicator is the user experience itself: some accounts saw a “3.0 Pro” upgrade message in the Gemini Advanced interface, with Google calling it its “smartest” model ever. This practice is consistent with Google’s tradition of “silent” releases in the Gemini series, as happened with Gemini 1.5 Pro, which was released before an official blog post or event.
The goal of this strategy is to evaluate performance under real-world conditions, gather feedback and make changes before setting a release date.
As AI models grow more complex, involving a subset of users in extended testing helps vendors manage risk and improve stability.
What lies behind the term “multimodal”?
The leaked information indicates that version 3.0 Pro improves multimodal reasoning, that is, the ability to process data from multiple input formats (text, images, etc.) more efficiently within the same prompt. From an application standpoint, this is reflected in the features mentioned above: programming, user interface creation and SVG code generation.
SVG is structured vector graphics; generating “correct” SVG code requires models to understand geometric relationships, grouping hierarchies, display properties and layout constraints. Advances in SVG therefore promise to improve the models’ ability to infer structure and respect formal constraints, capabilities that are generally harder to achieve than plain text generation.
Claude 4.5 Sonnet vs Gemini 3 Pro on the robot SVG test
I think there's a clear winner here pic.twitter.com/3cD9hqb9DF
— leo (@synthwavedd) September 29, 2025
User interface creation and programming efficiency
Improvements in user interface creation are often tied to the ability to describe layout structures, understand component conventions and constrain interactions. Programming competence, on the other hand, is associated with syntactic correctness, logical consistency and test coverage.
These improvements, if widely validated, will have a significant impact on integration into Docs, Gmail, Slides and enterprise workflows that prioritize process automation.
Obstacles and challenges to be aware of
- Release transparency: silent releases can make it difficult to correct releases during testing, especially for organizations that require strict control.
- Regression risk: the system has not been compared with competitors (Claude 4.5 Sonnet, GPT-5 Codex) and its stability across different task domains is unknown.
- Governance and compliance: as models become central to workspaces and enterprise environments, auditing, logging and authorization requirements become critical.
- User experience: changes in model quality affect expectations and workflows; rapid feedback mechanisms and clear support channels are needed.
Where 3.0 Pro fits in the competitive landscape and the roadmap
Based on the available data, it is impossible to determine whether version 3.0 Pro surpasses Claude 4.5 Sonnet or falls short of GPT-5 Codex on standard metrics. However, the fact that version 3.0 Pro is meant to serve as the model infrastructure for Gemini Advanced, Workspace and Enterprise suggests that Google is prioritizing its readiness for large-scale deployments and deep integration with existing products.
This “deploy first, release later” strategy (also used for Gemini 1.5 Pro, as seen above) reflects Google’s priority of using real operational data to refine models before they are rolled out at scale. As the official release date approaches, the key aspects to monitor include stability across versions, public programming and multimodal metrics, and the scope of API and enterprise tool integrations.
Conclusion: the first signs of improved capabilities
Observations so far suggest that Gemini 3.0 Pro could represent a significant step forward, particularly for tasks that require structural conformance such as SVG, as well as user interface creation and programming features.
This stealth rollout helps optimize quality before scaling, while placing the models at the center of the product ecosystem.
Until it is officially released and subjected to independent benchmarks, the picture remains unclear; however, the deep integration of Gemini 3.0 Pro with Gemini Advanced, Workspace and Enterprise suggests that 3.0 Pro will play an infrastructural role in Google’s AI strategy.
The article Gemini 3.0 Pro: Google Prepares for a Generational Leap and Aims to Surpass GPT-5 and Claude 4.5 comes from Red Hot Cyber.
BreachForums Rises Again After Yet Another FBI Shutdown
We have often quoted this phrase: “Fighting cybercrime is like pulling weeds: if you don’t pull them out completely, they will grow back far more vigorous than before,” and it has never been more relevant than now.
After months of silence and the FBI’s seizure of the breachforums.sh domain, the cybercrime underground community is making headlines again: BreachForums is back online.
The announcement was published on October 20, 2025 by the user and moderator koko, who in an official post announced the reopening of the platform and the relaunch of its infrastructure, promising “a secure and responsible rebuilding of the community.”
Disclaimer: This report includes screenshots and/or text taken from publicly accessible sources. The information provided is intended solely for threat intelligence and for raising awareness of cybersecurity risks. Red Hot Cyber condemns any unauthorized access, improper dissemination or unlawful use of such data.
In the message, koko says he was a moderator between 2023 and 2024 and that he decided, together with the team, to “bring BreachForums back to life.”
The post cites technical updates such as the full restoration of backups, the rebuilding from scratch of the escrow system (after the previous one had been compromised by authorities and infiltrators), and new measures for user security and rank management.
The administrator also advises against using old usernames, urging users to create new identities for opsec (operational security) reasons.
Post from koko’s profile on the old BreachForums instance (kindly provided to RHC by Mwansa)
From the roots of Raid Forums to the return of BreachForums
To understand the significance of BreachForums’ return, it is necessary to retrace its genealogy.
It all starts with Raid Forums, a forum created years ago as a meeting point for hackers and cybercriminals, where stolen data, exploits and sensitive information were traded.
Over the years, Raid Forums became an institution in the underground community, but also a valuable observatory for security researchers and law enforcement.
In 2022, an international operation led to the shutdown of Raid Forums and the arrest of its founder. From that diaspora the first incarnation of BreachForums (MKI) was born, presenting itself as its natural heir.
Brian Fitzpatrick, alias PomPomPurin
The administrator of that version, Brian Fitzpatrick, alias PomPomPurin, was however arrested in March 2023. The FBI shut down the forum and seized the servers. A few months later, though, one of the former members, known as Baphomet, declared that he had a backup of the platform and started BreachForums MKII, promising to rebuild it on more secure foundations.
This second instance remained active until June 2024, when, following a Europol data leak published by IntelBroker (also a member of the ShinyHunters group), the site was seized again.
Announcement of the second BreachForums instance by ShinyHunters
The associated Telegram channel, Jacuzzi, was also shut down by the authorities, but shortly afterwards it reappeared under the name Jacuzzi 2, a symbol of an almost legendary resilience in the world of cybercrime.
ShinyHunters and the long shadow of cybercrime
BreachForums has always been tied to ShinyHunters, one of the best-known hacking groups of recent years, involved in massive breaches affecting Microsoft, Banco Santander, Ticketmaster, Tokopedia and other large global companies.
Formed in 2020, ShinyHunters earned a reputation for the quantity and scale of the data they stole, which was often sold or distributed on BreachForums itself.
Some members have been arrested, such as Sébastien Raoult, who was extradited from Morocco to the United States, but the group, or what remains of it, continues to operate in more decentralized forms that are hard to trace.
The return to the clearnet and the new course announced by koko
The reopening announced by koko marks a return to the clearnet, making access to the forum simpler and more immediate, without going through the Tor network. It is a choice that makes participation easier on the one hand, but on the other exposes the site to constant monitoring by the authorities.
In his post, koko stresses the commitment to making BreachForums “a safe and responsible place.” The statement clashes with the platform’s long history as the epicenter of the trade in stolen credentials, compromised corporate databases and the personal information of millions of users.
Despite this, the response from the underground community was immediate: many old users have already flocked to the new instance, while messages of enthusiasm and nostalgia for “the return of the old Breach” are circulating on the Telegram channels linked to the forum.
A weed that never dies
The return of BreachForums shows once again that cybercrime is an extremely resilient ecosystem. Every time a forum is shut down, another one emerges that is harder to hit, more decentralized and more operationally sophisticated.
Law enforcement will keep chasing the new administrators, but history teaches that where there is demand for stolen data, there will always be someone willing to supply it.
The new course of BreachForums presents itself as a technical and ideological rebirth, but it remains to be seen how long it will last before a new seizure puts an end to it. In a landscape where cybersecurity and cybercrime are constantly evolving, this latest resurrection is yet another warning: the fight against digital crime is never truly over.
The article BreachForums Rises Again After Yet Another FBI Shutdown comes from Red Hot Cyber.
Windows 95, With Just a Floppy Drive
It’s something of a shock to be reminded that Microsoft’s Windows 95 is now 30 years old — but the PC operating system that brought 32-bit computing to the masses and left behind a graphical interface legacy which persists to this day, is now old enough that many in the community have never actually seen it. The original requirements were a 386 or better, 4 megabytes of memory, and a hard drive. [Robert’s Retro] is exploding one of those requirements, creating a full Windows 95 install using only a floppy drive.
As you might imagine, even if you had one of the super-rare 2.88 megabyte drives, such a feat would require a few tricks. In this case the biggest trick is the FlashPath, a curious 1990s peripheral that allows a SmartMedia card to be used in a floppy drive. With a special DOS driver it allows what is in effect a 32 megabyte floppy disk, but even that’s not enough for ’95. In come a couple of further tricks: installing Windows 95 to a compressed DriveSpace volume which is copied to the FlashPath, and copying the DriveSpace volume to a RAM drive and mounting it on boot. It needs a conventional floppy to boot before swapping to the FlashPath and it seems the copying process is extremely slow, but we’d expect Windows 95 from RAM to be very quick indeed.
There have been other minimalist Windows 95s over the years, but what makes this one unusual is that it’s a full install. Five years ago at the OS’s quarter century we took a look at it with 2020 eyes, and tried to gauge its effect on modern desktops.
A Nuclear Physics Lab in your Pocket
If you want to work with radioactive material, a cheap Geiger counter isn’t really what you want. According to [Project 326], you need a gamma ray spectrometer. The video below reviews the Radiacode 110. The channel has reviewed other Radiacode products, and they haven’t always been pleased with them, apparently. Is the 110 better?
The little spectrometer uses a scintillation crystal and performs a spectrogram on the result. It has a large library of materials so, at least for radioactive materials, you can point it at something and tell what kind of material you are dealing with and how radioactive it is.
While the smartphone app seems well done, the Windows application left something to be desired. Even still, it was able to identify several isotopes. The device can even pick up some alpha emitters that don’t directly register. However, it can identify some materials by different decomposition products. Unlike some earlier models, this device is supposed to be highly sensitive and high-resolution.
To confirm this, [Project 326] built a lead shielding structure and read a reference sample. Crunching some numbers confirmed that the claimed performance was accurate. It could even read very low-energy sources, though there were some limitations. The ergonomics of the device could be better, apparently, but it does deliver on performance.
Do you need a gamma ray spectrometer? We don’t know, but we suspect if you do, you don’t need us to tell you.
youtube.com/embed/7dDWei4sHKE?…
A Simple $25 Robot Based on the ESP32
[Paul McCabe] wrote in to let us know about his $25 robot. This small wheeled robot is based on an ESP32 and made using cardboard and hot glue.
You drive the contraption using a Bluetooth game controller thanks to the Bluepad32 library, which boasts a long list of supported hardware. [Paul] provides a Bill of Materials (BoM), complete with current component pricing. We don’t know about you, but it struck us as funny that the microcontroller is less expensive than the battery! Ah, the times we live in. Also [Paul] assumes you already have an appropriate Bluetooth controller and doesn’t include that in the total cost.
The software and related material is available on GitHub: github.com/paulemccabe1/DirtCheapRobot. The Arduino-flavored source code is here: DirtCheapRobot_Code.ino.
At time of writing [Paul]’s next steps are listed as:
- Investigate ESP32 boards with built in LiPo charging so a smaller LiPo battery with a JST connector can be used
- Eliminate use of the breadboard
- Create Soccer Robot with linear actuator for kicking
We wish [Paul] every success. If you’re interested in cheap robots you might be interested in a cheap robotic mower or a cheap robotic microscope.
youtube.com/embed/-seIKjbGRwk?…
What if Tinkercad was Self-Hosted?
While we use a lot of CAD tools, many of us are fans of Tinkercad — especially for working with kids or just doing something quick. But many people dislike having to work across the Internet with their work stored on someone’s servers. We get it. So does [CommonWealthRobotics], which offers CaDoodle. It is nearly a total clone of Tinkercad but runs on Windows, Linux, Mac, or even Chrome OS.
Is it exactly Tinkercad? No, but that’s not always a bad thing. For example, CaDoodle can work with Blender, FreeCAD, OpenSCAD, and more. However, on the business end, it sure looks like the core functions of Tinkercad.
The program appears fairly new, so you have to make some allowances. For example, the Linux AppImage seems to have difficulty loading plugins (which it needs to import many of its file formats). In addition, on at least some systems, you have to resize the window after it starts, or it won’t respond. But, overall, it is pretty impressive. The Settings, by the way, has a checkbox for advanced features, and there are some other goodies there, too.
One reason we found this interesting is that we sometimes go into schools, and they don’t want us to have kids on the Internet. Of course, they don’t like us installing random software either, so you can pick your battles.
Tinkercad, of course, continues to add features. Not all of which you’d expect in a drawing package.
Thermite Pottery Fires Itself
Finely powdered aluminium can make almost anything more pyrotechnically interesting, from fireworks to machine shop cleanups – even ceramics, as [Degree of Freedom] discovered. He was experimenting with mixing aluminium powder with various other substances to see whether they could make a thermite-like combination, and found that he could shape a paste of aluminium powder and clay into a form, dry it, and ignite it. After burning, it left behind a hard ceramic material.
[Degree of Freedom] was naturally interested in the possibilities of self-firing clay, so he ran a series of experiments to optimize the composition, and found that a mixture of three parts of aluminium to five parts clay by volume worked best. However, he noticed that bubbles of hydrogen were forming under the surface of the clay, which could cause cracks during the firing. The aluminium was reacting with water to form the bubbles, somewhat like an unwanted form of aerated concrete, and for some reason the kaolinite in clay seemed to accelerate the reaction. Trying to passivate the aluminium by heating it in air or water didn’t prevent the reaction, but [Degree of Freedom] did find that clay extracted from the dirt in his back yard didn’t accelerate it as kaolinite did, and the mixture could dry out without forming bubbles.
This mixture wasn’t totally reliable, so to make it a bit more consistent [Degree of Freedom] added some iron oxide to accelerate the burn through an actual thermite reaction – some mixtures burned hot enough to start to melt the clay. After many tests, he found that sixteen parts clay, seven parts aluminium, and five parts iron oxide gave the best results. He fired two cups made of the mixture, a thin rod, and a cube, with mixed results. The clay expanded a bit during firing, which sometimes produced a rough finish, cracking, and fragility, but in some cases it was surprisingly strong.
The actual chemistry at work in the clay-aluminium mixtures is a bit obscure, but not all thermite reactions need to involve iron oxide, so there might have been some thermite component even in the earlier mixtures. If you need heat rather than ceramic, we’ve also seen a moldable thermite paste extruded from a 3D printer.
youtube.com/embed/ZGinCJWuInA?…
Thanks to [kooshi] for the tip!
Relay Computer Knows the Sequence
When we first saw [DiPDoT’s] homebrew computer, we thought it was an Altair 8800. But, no. While it has a very familiar front panel, the working parts are all based on relays. While it isn’t finished, the machine can already do some simple calculations as you can see in the video below.
Turns out, the Altair front panel isn’t a coincidence. He wants to put the device in an Altair-style case. This limits him to two backplane cards, but he’s running out of space, so part of what he does in the video is redesign the backplanes.
We need to watch some more of these videos to figure out how he’s making his logic gates. A common approach is to wire AND gates as series relays and OR gates as parallel relays. However, there are some advantages to using relays as two-to-one multiplexers, which can create any logic gate you want.
If you just want to see the computer run, you can watch it generate a Fibonacci sequence around the 14:30 mark. Glorious sound from a beautiful bunch of relays. Not exactly a speed demon, mind you, but not half bad for a bunch of electromechanical relays.
There was a time when computers like this were state-of-the-art. In a way, we miss those days. But then again, in some ways, we don’t.
youtube.com/embed/NLK1gFGy3lY?…
Get Ready for Supercon
It’s just about all we can think about over here: the week leading up to the 2025 Superconference. From what we hear, it’s all-hands-on over in Pasadena right now, as everyone is putting the finishing touches on preparations for Hackaday’s annual US gathering.
We’ve been heads-down in the badge for a little while, and between that and all of the logistics, it’s easy to get lost in the work. And then we saw this video that [InstantArcade] shot, just casually walking through the event a couple years back. It’s not particularly a highlights reel, but seeing so many of the people I recognized, and remembering the many fantastic conversations we’d had. So much energy, interest, and simple excitement in sharing stories, what they’re working on, or just what they’ve seen lately that blew their mind.
There is no substitute for being there in person, but that doesn’t mean we’re not going to try! We’ll be putting the talks up on our YouTube channel next Saturday, and as always, you’re invited to join in the discussion on our Discord server both during the event and whenever. If you’re not going to be there in the alley, join us virtually!
We’ll be meeting up Thursday night at 7:00 pm at King’s Row for an informal pre-meetup. Bring a hack if you’ve got something to share! Then things start for real on Friday morning over at Supplyframe HQ. We’ll talk badges, get to know each other, and just nerd out and chill. (I love Fridays!) Halloween / sci-fi costume party Friday night, get some sleep, and head on over to the LACM and Design Lab for two tracks of talks and a full day on Saturday going late into the night. And as usual, the change back to standard time gets you an extra hour of sleep so that you’re rested and ready for Sunday.
There is still a lot to do behind the scenes, but seeing you all there makes it more than worth it! See you at Supercon.
(Oh, and no newsletter next week, but you can spend all day Saturday and Sunday watching the talks. That makes up for it, right?)
This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!
Neolix raises $600 million for autonomous driving in urban logistics
The Chinese startup Neolix, which specializes in Level 4 autonomous vehicles for urban deliveries, announced on October 23 the close of a Series D round of more than $600 million, setting the largest private investment in China’s autonomous driving sector and one of the largest of 2025.
The financing was led by the Emirati firm StoneVenture, with participation from Gaocheng Investment, Xinchen Capital (a subsidiary of CITIC Capital), CDH VGC, Chaoxi Capital, Beijing Artificial Intelligence Industry Investment Fund and a major Chinese Internet company.
According to founder and CEO Yu Enyuan, the funds will go toward developing algorithms and new technologies and toward expanding the service network to meet growing demand in the autonomous delivery market, both in China and abroad.
A rapidly expanding market
Since the beginning of 2025, the L4 autonomous urban logistics sector (RoboVan) has attracted more than 4 billion RMB in financing. The main deals include Neolix’s 1 billion RMB Series C+ round in February, the $400 million raised by Jiushi Intelligent last week and the 500 million RMB obtained by White Rhino in August.
The push from investors stems from the technological maturity the sector has reached. Companies have now shown that autonomous vehicles can significantly reduce logistics costs and improve efficiency. “Since 2022 we have been working with the main delivery companies,” Yu explained, “and at the end of 2024 our customers saw costs reduced by up to two thirds.”
Efficiency as the engine of growth
Industry data confirm this trend. ZTO Express has passed 1,800 autonomous units in its fleet, SF Express has reached the same number, while China Post has concluded a rental project for 7,000 driverless vehicles.
According to an iResearch report (“2025 China L4 Intelligent Driving Scenario Commercial Development Insight Report”), introducing autonomous vehicles can cut operating costs by 19%, simplifying processes and reducing the number of vehicles and staff needed.
In parallel, manufacturers are working to bring down the cost of the vehicles themselves. Yu Enyuan stated that Neolix has managed to reduce the price per unit to less than 100,000 yuan, with a production capacity of more than 10,000 vehicles a year.
Another company in the sector has introduced a hybrid model of hardware sale plus software subscription, bringing the overall cost to about 50,000 yuan per vehicle.
The article “Neolix raises $600 million for autonomous driving in urban logistics” comes from Red Hot Cyber.
Identifying Fake Small-Signal Transistors
It’s rather amazing how many electronic components you can buy right now are not quite the genuine parts that they are sold as. Outside of dedicated platforms like Mouser, Digikey and LCSC you pretty much enter a Wild West of unverifiable claims and questionable authenticity. When it comes to sites like eBay and AliExpress, [hjf] would go so far as to state that any of the power transistors available for sale on these sites are 100% fake. But even small-signal transistors are subject to fakes, as proven in a comparison.
Found within the comparison are a Mouser-sourced BC546C, as well as a BC547C, 2N3904 and PN2222A. These latter three were all sourced from ‘auction sites’. As a base-level test, all transistors are put in a generic component tester, which identifies all of them correctly as NPN transistors, but the ‘BC547C’ and ‘PN2222A’ fail the test for having a much too low hFE. That is according to the generic tester at least, but it’s one red flag, along with the pin-out for the ‘BC547C’ showing up as being inverted from the genuine part.
Next is a pass through the HP4145B curve tracer, which confirms the fake BC547C findings, including the abysmal hFE. For the PN2222A the hFE is within spec according to the curve tracer, defying the component tester’s failing grade.
What these results make clear is that these cheap component testers are not a realistic ‘fake’ tester. It also shows that some of the fake transistors you find on $auction_site are clearly fake, while others are much harder to pin down. The PN2222A and 2N3904 used here almost pass the sniff test, but have that distinct off-genuine feeling, while the fake BC547C didn’t even bother to get its pinout right.
As always, caveat emptor. These cheapo transistors can be a nice source for some tinkering, just be aware of possibly wasting hours debugging an issue caused by an off-nominal parameter in a fake part.
Teaching Math with 3D Printers
We’ve often thought that 3D printers make excellent school projects. No matter what a student’s interests are: art, software, electronics, robotics, chemistry, or physics, there’s something for everyone. A recent blog post from [Prusa Research] shows how Johannes Kepler University is using 3D printing to teach math. You can see a video with Professor [Zsolt Lavicza] explaining their vision below.
Instead of relying on abstract 3D shapes projected on a 2D screen, GeoGebra, educational math software, creates shapes that you can produce on a 3D printer. Students can physically handle and observe these shapes in the real world instead of on a flat screen.
One example of how the 3D printer finds use in a math class is producing “Genius Square,” a multilevel tic-tac-toe game. You can find the model for that and other designs used in the classes, on Printables. Some prints are like puzzles where students assemble shapes from pieces.
Putting 3D printers in school isn’t a new idea, of course. However, machines have become much simpler to use in recent years, so maybe the time is now. If you can’t find money for printers in school, you can always teach robotics using some low-tech methods.
youtube.com/embed/Gem1S3Fk_LM?…
New campaign of cyberattacks by the BO Team group
In early September 2025, Kaspersky Lab experts discovered a new campaign by the BO Team group targeting Russian organizations operating in various sectors. The hacktivists updated their toolkit, targeting companies with a new version of the BrockenDoor backdoor.
The hacktivist group BO Team (also known as Black Owl, Lifting Zmiy and Hoody Hyena) first appeared in early 2024 via a Telegram channel.
It mainly targets victims’ IT infrastructure and, in some cases, encrypts data and engages in extortion. Researchers warn that this is a serious threat, aimed both at inflicting maximum damage on the attacked organization and at financial gain. The attackers’ main targets include the public sector and large companies.
To gain access to victims’ systems, the attackers send spear-phishing emails containing malicious archives. The content of these emails appears to be tailored to each specific attack.
For example, one email claimed to have found evidence of abuse of a voluntary health insurance policy. The attached archive contained an executable file disguised as a PDF document. The file’s actual extension is .exe, and the attackers intentionally separated it from the file name with numerous spaces to hide the substitution. The archive was password-protected, with the password provided in the body of the email.
If the victim opens the file, a decoy document is displayed: a fake report of an “official investigation”. Unlike in previous campaigns, the malicious file will not run unless the Russian keyboard layout is installed on the system. This means the attacks are aimed only at Russian-speaking users.
The analysts write that the core code of the updated version of the BrockenDoor backdoor has been completely rewritten in C#, simplifying the programming process for the attackers. In addition, numerous obfuscators and packers are available for C# that can hide malicious payloads. Furthermore, full command names are now abbreviated to two or three characters, complicating analysis. For example, the command set_poll_interval is now called spi and run_program is now called rp.
Overall, the backdoor’s functionality has not changed significantly. BrockenDoor contacts the attackers’ server and sends various information (user name and computer name, operating system version and a list of files on the desktop). If the attackers find this data interesting, the backdoor receives commands to develop the attack further.
The report also notes that the new campaign used BrockenDoor to install an updated version of another backdoor, ZeronetKit, written in Go, which is also used by BO Team.
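A mail-gateway or triage check for the file-name disguise described above (an executable extension pushed out of view by a long run of spaces after a decoy document extension), as an added example that is not from the Kaspersky report or the original article. The extension lists, the padding threshold and all sample names are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs on double-click (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Document types commonly used as the visible decoy (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
MIN_PADDING = 5  # assumed threshold: 5+ consecutive spaces is abnormal in a file name


def longest_space_run(text):
    """Length of the longest run of whitespace, including Unicode spaces such as U+00A0."""
    best = cur = 0
    for ch in text:
        cur = cur + 1 if ch.isspace() else 0
        best = max(best, cur)
    return best


def analyze_name(name):
    """Classify one file name; verdict is 'high', 'medium' or 'none'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip()
    result = {"name": name, "padding": 0, "decoy": None, "verdict": "none"}
    dot = base.rfind(".")
    if dot <= 0 or base[dot:].lower() not in EXECUTABLE_EXTS:
        return result  # not an executable extension: out of scope for this check
    stem = base[:dot]
    result["padding"] = longest_space_run(stem)
    visible = stem.rstrip()  # what the user sees before the padding starts
    inner = visible.rfind(".")
    if inner > 0 and visible[inner:].lower() in DECOY_EXTS:
        result["decoy"] = visible[inner:].lower()
    padded = result["padding"] >= MIN_PADDING
    if padded and result["decoy"]:
        result["verdict"] = "high"    # decoy extension + padding + real executable
    elif padded or result["decoy"]:
        result["verdict"] = "medium"  # one disguise technique only
    return result


def scan_zip(data):
    """Return findings for suspicious member names in a ZIP given as bytes."""
    # Only the central directory is read, so no password is needed: classic ZIP
    # encryption protects member contents, not member names.
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        findings = [analyze_name(n) for n in archive.namelist()]
    return [f for f in findings if f["verdict"] != "none"]


def build_sample_zip():
    """Constructed sample archive; names are invented, contents are harmless text."""
    names = [
        "Investigation_report.pdf" + " " * 60 + ".exe",  # pattern described above
        "scan.pdf" + "\u00a0" * 8 + ".scr",              # same trick, non-breaking spaces
        "invoice.pdf.exe",                               # plain double extension
        "tools/setup.exe",                               # honest executable name
        "notes.txt",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for n in names:
            archive.writestr(n, "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f["verdict"], f["padding"], f["decoy"], repr(f["name"]))
```

Archive formats that encrypt their headers hide member names as well, so this check only applies where the listing is readable.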
The article “New campaign of cyberattacks by the BO Team group” comes from Red Hot Cyber.
Avoid Missed Connections with The Connectorbook’s Web Tool
Connectors are wonderful and terrible things. Wonderful, in that splicing wires every time you need to disassemble something is really, really annoying. Terrible in that it can be just such an incredible pain-in-the-assets to find the right one if you’re stuck with just a male or a female for some unfortunate reason. We’ve all been there, and all spent time growing increasingly frustrated poring over the DigiKey catalog (or its local equivalent) trying to figure out what the heck we were dealing with. That’s why [Davide Andrea]’s The Connectorbook exists–and even better, the free web service they call Identiconn.
The tool isn’t super new–the Wayback Machine has snapshots of it dating back to 2021–but it’s still very much worth highlighting. There’s a “quick pick” option that lets you narrow it down with photos, or if you want to get specific there are dozens of filters to try and help you find your exact part. You can filter based on everything from the pitch and geometry of the connectors, to how it terminates, attachments, latches, et cetera. While we can’t guarantee the database is fully exhaustive, it looks pretty darn big, and using it is going to be a lot less exhausting than poring through catalogs hoping that particular vendor or manufacturer lists the matching part.
Some might argue that this database is not a hack, but it’s certainly going to enable a certain amount of hacking. That’s why we’re grateful to [Alex] for the tip! If you’ve got a tool you think we all should know about that hasn’t been shared yet, please let us know.
The Great ADS1115 Pricing and Sourcing Mystery
The AdaFruit ADS1115 board hooked up for testing. (Credit: James Bowman)
Following up on the recent test of a set of purported ADS1115 ADCs sourced from Amazon, [James Bowman] didn’t just test a genuine TI part, but also dug into some of the questions that came up after the first article. As expected, the AdaFruit board featuring a presumed genuine TI ADS1115 part performed very well, even performing significantly better on the tested parameters than the datasheet guarantees.
Thus we can confirm that when you get the genuine TI part, you can expect very good and reliable performance for your ADC purposes. Which leaves the unaddressed questions about what these cheapo Amazon-sourced ADS1115 ICs are, and how it can be that LCSC has what should be the same parts for so much cheaper than US distributors?
As far as LCSC pricing is concerned, these are likely to be genuine parts, but also the subject of what is known as price discrimination. This involves pricing the same product differently depending on the targeted market segment, with e.g. Digikey customers assumed to be okay with paying more to get the brand name assurance and other assumed perks.
Regarding the cheapo parts off Amazon, these could be QA failed parts, ‘third shift’ or other grey zone parts being sold for less, as well as outright fakes. The Analogy ADX111 for example is basically a drop-in clone of the ADS1115, down to parts of the datasheet, with the heading image showing a section to compare the two. Interestingly, the ADX111 is sold for $1.77 in 1,000 quantities on LCSC.
Ultimately it’s hard to tell the true origin of the ‘ADS1115’ ICs on one of these cheap boards. They could have fallen off a genuine ADS1115 production line, be QA failed ADX111 parts or something else entirely. Without decapping a few samples and further in-depth research we’ll likely never know.
Yet as some already commented, does it truly matter? You get the cheapo parts when you’re just screwing around with a prototype rather than splurging for the gold-plated AdaFruit version, and source from LCSC or Digikey when it’s time for PCBA. In the end everyone is happy, even without knowing whether it’s truly a TI part that we’re using.
Making a Cardboard Airplane Wing
Ideally, an aircraft would be made of something reasonably strong, light, and weather resistant. Cardboard is none of those things. But that did not stop [PeterSripol] from building an ultralight wing out of cardboard.
Firstly, he wanted to figure out the strongest orientation of the cardboard flutes for the wing spars. He decided on a mix of horizontal and vertical flutes for the wing spar, with the horizontal flutes resisting vertical deformations and the vertical flutes resisting chord wise deformations.
The main spar is made up of two long strips of these cardboard pieces, glued together with a single sheet of cardboard on the top and bottom to create a structural beam. Unfortunately, the glue had not fully dried on one of the sheets before making the spar resulting in the final spar warping. Fortunately, the first wing was always intended to be tested to destruction. The wing’s ribs are made of laser cut cardboard, with doublers on the inside providing greater surface area for hot glue and a stronger rib.
Testing revealed the aft wing spar failed around 200 lbs, approximately equivalent to a 2G wing loading with a fully weighted aircraft. Since the aft wing spar broke, for the final production wings, that spar was reinforced with a separate piece of cardboard positioned perpendicular to the spar, creating more of an I-beam shape.
After the lessons learned from the cardboard flute orientation tests and the first wing destruction, the two wings for the final ultralight could be built. Minor changes were made from the prototype wing. After testing one wing to 150 pounds of loading, they were skinned in butcher paper to match the esthetic of cardboard. The wings came out weighing 21.8 lbs, more than ideal, but certainly workable for a single-flight ultralight aircraft.
We look forward to seeing this plane fly, so stay tuned for more coverage! While you wait, make sure to check out his previous ultralight build!
youtube.com/embed/T46SHLzlV1A?…
Tiny UPS Keeps WiFi Online
For any mission-critical computer system, it’s a good idea to think about how the system will handle power outages. At the very least it’s a good idea to give the computer enough time to gracefully shut down if the power outage will last for an indefinite time. But for extremely critical infrastructure, like our home Wi-Fi, we might consider a more long-term battery backup that can let us get through the longest of power outages.
Part of why this project from [ ] works so well is that most off-the-shelf routers don’t actually use that much energy. Keeping that and a modem online when the power is out only requires a few lithium batteries. To that end, three lithium ion cells are arranged in series to provide the router with between 9 and 12 volts, complete with a battery management system (BMS) to ensure they aren’t over- or under-charged and that they are balanced. The router plugs directly into a barrel jack, eliminating any switching losses from having to use an inverter during battery operation.
While [ ] is a student who lives in an area with frequent interruptions to the electricity supply, this does a good job of keeping him online. If you’re planning for worse or longer outages, a design like this is easily adapted for more batteries provided the correct BMS is used to keep the cells safely charged and regulated. You can also adapt much larger UPS systems to power more of your home’s electrical system, provided you can find enough batteries.
The Isetta TTL Computer Makes Some Noise
Our Hackaday colleague [Bil Herd] is known for being the mind behind the Commodore 128, a machine which famously had both a 6502 and a Z80 processor on board. The idea of a machine which could do the job of both those processors in hardware while containing neither would have blown the mind of any 1980s computer enthusiast, yet that’s exactly what [Roelh]’s Isetta TTL computer does. It’s an extremely clever design whose targeted microcode allows the processor-swap trick, and since he’s brought it from prototype to production and has it running SymbOS since we last saw it, it’s time we gave it another look.
All the functions on what is a surprisingly compact board.
The video below the break shows the machine in action, with the Windows 95-like SymbOS GUI running a series of sound tests in the emulated AY-3-8910 sound generator, as well as a Lemmings-like game. It also runs Sinclair ZX Spectrum software, giving it access to a huge library.
We were lucky enough to see some of this in person when we encountered it for a second time on our travels during the summer — and it’s just as impressive in the real as it looks in the video. The feeling really hits you of how this would have blown away anything on the 8-bit market in 1985, made more impressive by the silicon in use being not too far from what was available at the time.
We’re told you can now buy one for yourself as a kit, and we’re looking forward to seeing it generate an ecosystem. We’re particularly curious as to whether that retargetable microcode could allow it to support other architectures of the day.
Our original coverage can be read here, and we’ve also touched upon SymbOS.
youtube.com/embed/EDrEPg-4vi4?…
Hackaday Podcast Episode 343: Double Component Abuse, a Tinkercad Twofer, and a Pair of Rants
This week, Hackaday’s Elliot Williams and Kristina Panos met up across the universe to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous seven days or so.
In Hackaday news, OMG Supercon is almost here! And we just revealed the badge! In other news, we’ve still got a contest running. Read all about the 2025 Component Abuse Challenge, sponsored by DigiKey, and check out the contest page for all the details.
On What’s That Sound, Kristina failed spectacularly. Will you fare better and perhaps win a Hackaday Podcast t-shirt? Mayhap you will.
After that, it’s on to the hacks and such, beginning with a really cool entry into the Component Abuse Challenge wherein a simple transmission line is used to multiply a voltage. We watch as a POV globe takes to the skies, once it has enough motors.
Then we discuss several awesome hacks such as an incredible desk that simulates beehive activity, a really great handheld PC build, and a Tinkercad twofer. Finally, we discuss the future of removable batteries, and the history of movable type.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
Episode 343 Show Notes:
Interesting Hacks of the Week:
- 2025 Component Abuse Challenge: Boosting Voltage With Just A Wire
- 2025 Component Abuse Challenge: Conductive Filament Makes A Meltable Fuse
- POV Globe Takes To The Skies
- Classy Desk Simulates Beehive Activity
- What Happened To Running What You Wanted On Your Own Machine?
- Handheld PC Build Is Pleasantly Chunky
Quick Hacks:
- Elliot’s Picks:
- Open Source Hack Lets The Razer Nari Headset Work With Linux
- Making A Clock With A Retooled Unihiker K10
- Tinkercad In Color
- Tinkercad Continues To Grow Up
- Kristina’s Picks:
- Building A Minecraft Lantern For Halloween
- Kitchen Bench Splash Guard Powered By Arduino
- 2025 Component Abuse Challenge: Nail Your Next Decal
hackaday.com/2025/10/24/hackad…
Making WiFi Sound Like Dial-Up Internet
Dial-up modems had a distinctive sound when connecting, with the glittering, screeching song becoming a familiar melody to those jumping online in the early days of the Internet. Modern digital connections don’t really have an analog to this, by virtue of being entirely digital. And yet, [Nick Bild] decided to make WiFi audible in a pleasing tribute to the modems of yore.
The reason you could hear your dial-up modem is because it was actually communicating in audio over old-fashioned telephone lines. The initialization process happened at a low enough speed that you could hear individual sections of the handshake that sounded quite unique. Ultimately, though, once a connection was established at higher speed, particularly 33.6 k or 56 k, the sound of transmission became hard to discern from static.
Modern communication methods like Ethernet, DSL, and WiFi all occur purely digitally — and in frequencies far above the audible range. Thus, you can’t really “listen” to a Wi-Fi signal any more than you can listen to the rays of light beaming out from the sun. However, [Nick] found an anachronistic way to make a sound out of WiFi signals that sounds vaguely reminiscent of old-school modems. He used a Raspberry Pi 3 equipped with a WiFi adapter, which sniffs network traffic, homing in on data going to one computer. The packet data is then sent to an Adafruit QT Py microcontroller, which uses the data to vary the amplitude of a sound wave that’s then fed to a speaker through a digital-to-analog converter. [Nick] notes this mostly just sounds like static, so he adds some adjustments to the amplitude and frequency to make it more reminiscent of old modem sounds, but it’s all still driven by the WiFi data itself.
It’s basically WiFi driven synthesis, rather than listening to WiFi itself, but it’s a fun reference to the past. We’ve talked a lot about dial-up of late; from the advanced technology that made 56 k possible, to the downfall of AOL’s long-lived service. Video after the break.
This Week in Security: Court Orders, GlassWorm, TARmageddon, and It was DNS
This week, a US federal court has ruled that NSO Group is no longer allowed to use Pegasus spyware against users of WhatsApp. And for their trouble, NSO was also fined $4 million. It’s unclear how much this ruling will actually change NSO’s behavior, as it intentionally stopped short of applying to foreign governments.
There may be an unexpected source of leverage the US courts can exert over NSO, with the news that American investors are acquiring the company. Among the requirements of the ruling is that NSO cannot reverse engineer WhatsApp code, cannot create new WhatsApp accounts, and must delete any existing WhatsApp code in their possession. Whether this actually happens remains to be seen.
Points On the Curve
Cryptography is hard. Your implementation can do everything right, and still have a weakness. This was demonstrated yet again in the Cloudflare CIRCL cryptography library. The issue here is a Diffie-Hellman scheme using the Curve4Q elliptic curve.
Quick review: Diffie-Hellman is a technique where Bob and Alice can exchange public keys, and each combine the received public key with their own private key, and arrive at a shared secret. This can be accomplished on an elliptic curve by choosing a scalar value as a private key, and multiplying a standard generator point by that scalar to derive a new point on the curve, which serves as the public key. After the public key points are exchanged, Alice and Bob each multiply the received public point by their own secret scalar. Just like simple multiplication, this function is commutative, and results in the same answer for both.
There is a catch that can cause problems. Not every value is a valid point on the curve, and doing calculations on these invalid points can lead to unusual results. The danger here isn’t remote code execution (RCE), but leaking information about the private key when doing an invalid calculation using these invalid points.
The CIRCL library had a couple instances where invalid points could be used. There’s a quirk of deserializing FourQ points, that the x value can be interpreted two ways, essentially a positive or negative x. The CIRCL logic attempts to deserialize an incoming point in one way, and if that point is not actually on the curve, the value is inverted (technically “conjugated”), and the new point is accepted without testing. There were a few other similar cases where points weren’t being validated. These flaws were reported to Cloudflare and fixed earlier this year.
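The point-validation check described above, as an added example (not code from CIRCL or from the article): it uses a textbook toy curve rather than FourQ, and every function name is hypothetical. The off-curve input (0, 0) is a constructed sample; the addition formulas never use the curve constant B, so that input behaves as an order-2 point and the unchecked result depends only on whether the private scalar is odd or even.

```python
# Toy curve for illustration only: y^2 = x^3 + 2x + 2 over GF(17).
# The generator G = (5, 1) has prime order 19. None is the point at infinity.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
ORDER = 19


def is_on_curve(pt):
    """True only for an in-range affine point that satisfies the curve equation."""
    if pt is None:
        return False  # infinity is never an acceptable public key
    x, y = pt
    if not (0 <= x < P_MOD and 0 <= y < P_MOD):
        return False
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Affine point addition. Note that B does not appear anywhere in here."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # P + (-P), which includes doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def public_key(priv):
    return mul(priv, G)


def ecdh_unchecked(priv, peer_pub):
    """The flawed pattern: compute on whatever point arrived."""
    return mul(priv, peer_pub)


def ecdh_checked(priv, peer_pub):
    """Hardened: validate the peer's point first, and refuse an infinity result."""
    if not is_on_curve(peer_pub):
        raise ValueError("peer public key is not on the curve")
    shared = mul(priv, peer_pub)
    if shared is None:
        raise ValueError("shared secret is the point at infinity")
    return shared


if __name__ == "__main__":
    alice, bob = 7, 11  # constructed private scalars
    print("shared (Alice):", ecdh_checked(alice, public_key(bob)))
    print("shared (Bob):  ", ecdh_checked(bob, public_key(alice)))

    off_curve = (0, 0)  # constructed: not on this curve
    for priv in (5, 6):
        print("unchecked result for", priv, "->", ecdh_unchecked(priv, off_curve))
    try:
        ecdh_checked(5, off_curve)
    except ValueError as err:
        print("checked version rejects it:", err)
```
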
GlassWorm
We recently covered Shai Hulud, an npm worm that actively uploaded itself into other npm libraries when it found valid credentials on compromised computers. It was something of a sea change in the world of library security. Now a month later, we have GlassWorm, a VSCode extension worm.
GlassWorm combines several very sneaky techniques. When it injects code into an extension, that code is hidden with Unicode shenanigans, rendering in VSCode as blank lines. Once this malicious VSCode extension is loaded, it reaches out to some interesting Command and Control (C2) infrastructure: The Solana blockchain is used as a sort of bulletproof DNS, hosting a C2 IP address. There’s a second, almost equally weird C2 mechanism: Hosting those IP addresses in entries on a public Google Calendar.
Once this malware is running, it harvests credentials, and if it gets a chance, injects itself in the code for other extensions and tries to publish. And it also turns the compromised machine into a “Zombi”, part of a botnet, but also working as a RAT (Remote Access Trojan). All told, it’s really nasty malware, and seems to indicate a shift towards these meta-worms that are intended to infiltrate Open Source software repositories.
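One way to catch code that renders as blank lines during extension or dependency review, as an added example (not from the article or any named tool): a scanner that reports lines carrying invisible Unicode code points. The article does not say which characters GlassWorm used, so the ranges, the threshold and the sample source below are assumptions constructed for illustration.

```python
import unicodedata

# Ranges that draw nothing in most editors (assumed set, see the lead-in).
INVISIBLE_RANGES = [
    (0x200B, 0x200F, "zero-width / direction mark"),
    (0x202A, 0x202E, "bidi embedding/override"),
    (0x2060, 0x2064, "word joiner / invisible operator"),
    (0x2066, 0x2069, "bidi isolate"),
    (0xFE00, 0xFE0F, "variation selector"),
    (0xFEFF, 0xFEFF, "zero-width no-break space"),
    (0xE0000, 0xE007F, "tag character"),
    (0xE0100, 0xE01EF, "variation selector supplement"),
]


def classify(ch):
    """Return a label if ch is invisible when rendered, else None."""
    cp = ord(ch)
    for lo, hi, name in INVISIBLE_RANGES:
        if lo <= cp <= hi:
            return name
    if unicodedata.category(ch) in ("Cf", "Co"):
        return "other format / private use"
    return None


def longest_invisible_run(line):
    best = cur = 0
    for ch in line:
        cur = cur + 1 if classify(ch) else 0
        best = max(best, cur)
    return best


def scan_source(text, run_threshold=8):
    """Return (line_number, reason, invisible_count) for each suspicious line.

    A lone variation selector after an emoji and a BOM at the very start of
    the file are normal and are not reported.
    """
    if text.startswith("\ufeff"):
        text = text[1:]
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        labels = [lab for lab in map(classify, line) if lab]
        if not labels:
            continue
        visible = [c for c in line if not classify(c) and not c.isspace()]
        if not visible:
            reason = "renders-blank"  # looks empty, yet carries data
        elif longest_invisible_run(line) >= run_threshold:
            reason = "long-invisible-run"
        elif any(lab.startswith("bidi") for lab in labels):
            reason = "bidi-control"
        else:
            continue
        findings.append((lineno, reason, len(labels)))
    return findings


# Constructed sample, not taken from any real extension.
SAMPLE = "".join([
    "\ufeffconst vscode = require('vscode');\n",  # leading BOM: ignored
    "const label = 'ok \u2764\ufe0f';\n",         # emoji + selector: benign
    "\U000E0100" * 40 + "\n",                     # displays as an empty line
    "function activate() {}\n",
    "const x = 1;" + "\ufe00" * 12 + "\n",        # payload trailing real code
    "if (isAdmin\u202e) {\n",                     # direction override
])

if __name__ == "__main__":
    for lineno, reason, count in scan_source(SAMPLE):
        print(f"line {lineno}: {reason} ({count} invisible code points)")
```
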
Speaking of npm, GitHub has begun making security enhancements in response to the Shai Hulud worm. They look like good changes, such as the deprecation of classic access tokens in favor of shorter-lived, granular tokens. TOTP (Time-based One-Time Password) is going away as a second factor of authentication, in favor of passkeys and similar. And finally, npm is encouraging doing away with long-lived access tokens altogether, and publishing strictly from CI/CD systems.
TARmageddon
We’ve cheered on the progress of the Rust language and its security wins, particularly in the realm of memory safety. But memory management is not the only cause of security issues. The async-tar Rust package had a parsing bug that allowed a .tar file to smuggle additional contents that were not seen by the initial validation step.
That has all sorts of potential security ramifications, like smuggling malicious files, bypassing filters, and more. But what’s really interesting about this particular bug is that it’s been around since the first release of the package, and async-tar has been forked into many other published packages, some of which are in use but no longer maintained. This has turned what should have been a simple fix into a mess, and the popular tokio-tar is still unfixed.
It Was DNS
You probably noticed that the Internet was sort of a dumpster fire on Monday — more than normal. Most of the world, it seems, runs on Amazon’s AWS, and when AWS goes down, it’s surprising what else fails. There were the normal sites and services down, like Reddit, Signal, Fortnite, and Prime Video. It was a bit of a surprise that some banks were down and flights delayed. And then there were IoT devices, like smart beds, litter boxes, and smart bulbs.
And the problem, naturally, was DNS. It’s always DNS. Specifically, Amazon has pinned the outage on “…a latent race condition in the DynamoDB DNS management system that resulted in an incorrect empty DNS record…”. This bad record brought down other services that relied on it, and it didn’t take long for the problem to spin out of control.
Bits and Bytes
There’s even more DNS, with [Dan Kaminsky]’s infamous cache poisoning making an unwelcome comeback. DNS has historically run over UDP, and the Kaminsky attack was based on the lack of authorization in DNS responses. The solution was to randomize the port a request was sent from, requiring the matching response be delivered to the same port number. What’s new here is that the Pseudo Random Number Generator (PRNG) in BIND has a weakness, that could have allowed predicting those values.
TP-Link’s Omada gateways had a pair of vulnerabilities that allowed for RCE. The more serious of the two didn’t require any authentication. No word on whether this flaw was accessible from the WAN interface by default. Patched firmware is now available.
The better-auth library patched an issue early this month, that allowed the createApiKey endpoint to run without authRequired set true, simply by providing a valid user ID. This bug has been in the library ever since API keys were added to the project. The fix landed in 1.3.26.
And for bonus points, go check out the ZDI post on Pwn2Own Ireland, that just wrapped. There were lots of IoT hacks, including at least one instance of Doom running on a printer. Summoning Team took the Master of Pwn award, nearly doubling the points earned by second place. Congrats!
Robot Phone Home…Or Else
We would have enjoyed [Harishankar’s] tear down of a robot vacuum cleaner, even if it didn’t have a savage twist at the end. Turns out, the company deliberately bricked his smart vacuum.
Like many of us, [Harishankar] is suspicious of devices beaming data back to their makers. He noted a new vacuum cleaner was pinging a few IP addresses, including one that was spitting out logging or telemetry data frequently. Of course, he had the ability to block the IP address, which he did. End of story, right?
No. After a few days of working perfectly, the robot wouldn’t turn on. He returned it under warranty, but the company declared it worked fine. They returned it and, indeed, it was working. A few days later, it quit again. This started a cycle of returning the device where it would work, it would come home and work for a few days, then quit again.
You can probably guess where this is going, but to be fair, we gave you a big hint. The fact that it would work for days after blocking the IP address wouldn’t seem like a smoking gun in real time.
The turning point was when the company refused to have any further service on the unit. So it was time to pull out the screwdriver. Inside was a dual-CPU AllWinner SoC running Linux and a microcontroller to run the hardware. Of course, there were myriad sensors and motors, too. The same internals are used by several different brands of vacuum cleaners, so these internals aren’t just one brand.
Essentially, he wrote his own software to read all the sensors and drive all the motors using his own computers, bypassing the onboard CPU. But he found one thing interesting. The Android Debug Bridge was wide open on the Linux computer. Sort of.
The problem was, you could only get in a few seconds after booting up. After that, it would disconnect. A little more poking fixed that. The software stack was impressive, using Google Cartographer to map the house, for example.
But what wasn’t impressive was the reason for the repeated failures. A deliberate command was sent to kill the robot when it quit phoning home with telemetry. Of course, at the service center, it was able to report and so it worked fine.
The hardware and the software are impressive. The enforcement of unnecessary data collection is not. It does, however, make us want to buy one of these just for the development platform. [Harishankar] has already done the work to make it useful.
It isn’t just vacuums. Android phones spew a notorious amount of data. Even your smart mattress — yes, there are smart mattresses — can get into the act.
Tommy Flowers: How An Engineer Won The War
Back in 2016, we took you to a collection of slightly dilapidated prefabricated huts in the English Home Counties, and showed you a computer. The place was the National Museum of Computing, next to the famous Bletchley Park codebreaking museum, and the machine was their reconstruction of Colossus, the world’s first fully electronic digital computer. Its designer was a telephone engineer named Tommy Flowers, and the Guardian has a piece detailing his efforts in its creation.
TNMOC’s Colossus MkII.
It’s a piece written for a non-technical audience so you’ll have to forgive it glossing over some of the more interesting details, but nevertheless it sets out to right a long-held myth that the machine was instead the work of the mathematician Alan Turing. Flowers led the research department at the British Post Office, who ran the country’s telephone system, and was instrumental both in proposing the use of electronic switches in computing, and in producing a working machine. The connection is obvious when you see Colossus, as its racks are the same as those used in British telephone exchanges of the era.
All in all, the article makes for an interesting read for anyone with an interest in technology. You can take a look at Colossus as we saw it in 2016 here, and if your interest extends to the only glimpse the British public had of the technology behind it in the 1950s, we’ve also taken a look at another Tommy Flowers creation, ERNIE, the UK Premium Bond computer.
Russia and Cybercrime: A Balance Between Selective Repression and State Interest
The Russian cybercrime ecosystem has entered a phase of profound change, triggered by a combination of factors: unprecedented international pressure from law enforcement, a reorientation of domestic priorities, and the persistent, though evolved, ties between organized crime and the Russian state.
A key event was Operation Endgame, launched in May 2024, a multinational initiative aimed at striking ransomware groups, laundering services and related infrastructure, including within Russian jurisdictions. In response, Russian authorities carried out a series of high-profile arrests and seizures.
These actions mark a departure from Russia’s historical stance of almost total non-interference toward cybercriminals operating domestically. The traditional concept of Russia as a “safe haven” for these actors is becoming more complicated, increasingly conditional and selective. This analysis is based on a recent report produced by experts at Recorded Future, a US organization with which Red Hot Cyber actively collaborates on intelligence activities.
Dark Covenant and State Management
Leaked chats and investigative reports have confirmed that prominent cybercrime figures have long maintained relationships with Russian intelligence services. These contacts include providing data, carrying out specific tasks, or exploiting political ties and corruption to secure impunity.
Recorded Future, through the analyses of its Insikt Group, found that the Russian government’s relationship with cybercriminals has evolved from passive tolerance to active management. Since 2023, a clear shift has been observed: selective law enforcement, “orchestrated” arrests and public “examples” used to reinforce state authority. Intercepted communications even reveal direct operational coordination between criminal leaders and intelligence intermediaries.
Telegram message highlighting Plotnikov and his relationship with Conti (Source: Recorded Future)
This dynamic falls within the “Dark Covenant” framework, which describes a network of relationships (direct, indirect and tacit) linking the Russian cybercrime world to elements of the state. In this context, cybercrime is not only a commercial business, but also an instrument of influence, a means of acquiring information, and a liability only when it threatens internal stability or harms Russian interests.
Underground Reactions and International Pressure
Within the underground community, growing state interference and international operations have undermined trust. Data collected by Recorded Future on the dark web indicates that Russian cybercrime is fracturing under the twin pressure of state control and internal distrust.
This twin pressure has accelerated operational adaptations:
- Tighter Controls: Ransomware-as-a-service (RaaS) programs have introduced stricter vetting.
- Rebranding and Decentralization: Ransomware groups have reorganized, changing names and adopting decentralized communication platforms to mitigate the risks of infiltration and surveillance. The collected data reveals how groups are decentralizing their operations to evade both Western and domestic surveillance.
At the same time, Western governments have toughened their policies, considering bans on ransom payments, introducing mandatory incident reporting and even offensive cyber operations.
This more aggressive stance coincides with negotiations and prisoner exchanges. Insikt Group assesses that Russia is strategically exploiting cybercriminals as geopolitical tools, tying arrests and releases to broader diplomatic cycles.
After Operation Endgame: More Vetting and Tougher Internal Rules
Operation Endgame, while it did not dismantle the ransomware-as-a-service (RaaS) model, triggered immediate operational self-discipline within the criminal ecosystem. RaaS operators did not change the basic structure of their business model, but they drastically raised the bar for entry to mitigate the risk of detection. Recruitment has become more selective: managers now prioritize known circles, intensify screening and, in effect, outsource the risk of possible infiltration operations to the affiliates themselves.
To maintain the integrity and liquidity of their networks, RaaS operators introduced stricter activity requirements and financial guarantees. Affiliates inactive for a short period (sometimes only 10 or 14 days, depending on the group, such as Mamona or PlayBoy RaaS) are banned to eliminate potential “sleeper” infiltrators. In addition, for new members, social capital has been replaced by financial guarantees: deposits (for example, 5,000 dollars) on other trusted forums are required. This cost of entry raises the barriers for scammers and makes infiltration far more expensive.
In parallel, the groups refined their targeting rules to avoid attracting political and law enforcement attention. Many operators, including Anubis and PlayBoy RaaS, have formally banned attacks against government bodies, healthcare organizations and non-profits. These restrictions serve both as reputational protection and as implicit alignment with the “lines not to be crossed” of the Russian Dark Covenant. Minimum ransoms (often 50,000 dollars or more) have also been imposed to prioritize high-yield victims, and repeat attacks have been banned to protect the credibility of negotiations.
MikeMelton posted his opinion on the reputation and current developments of the dark web community; the post was translated using Google Translate (Source: Ramp Forum)
In essence, growing external pressure and the increasingly precarious state of official tolerance have pushed the criminal community toward strict self-regulation. As members have lamented on dark web forums, the rise in scams and the influx of unqualified actors have led to a deterioration of reputation-based control. As a result, criminal markets have moved to closed channels and rely on financial guarantees, sacrificing openness in favor of greater resilience and survival.
Conti and Trickbot: Relative Immunity
The Conti ransomware group and its associated Trickbot network (considered the cradle of talent and the link to the Russian services) have been heavily targeted by European authorities. Despite this pressure, the Russian response toward high-level figures tied to Conti and Trickbot has been modest or ambiguous. Sporadic arrests, such as that of Fyodor Aleksandrovich Andreev (“Angelo”) or of other Conti members, were followed by rapid releases or scant official coverage.
The absence of enforcement action against other individuals wanted by the EU, such as Iskander Rifkatovich Sharafetdinov (“alik”) or Vitalii Nikolaevich Kovalev (“stern”, “Bentley”), indicates lasting internal protection. Kovalev, the alleged leader of Trickbot/Conti, is believed to be linked to the Russian Federal Security Service (FSB).
This protection is multi-layered:
- Intelligence Contacts: Some Conti members reportedly carried out assignments for, or supplied information to, Russian intelligence services (GRU and SVR), sometimes for payment.
- Aligned Targets: Conti’s victim selection, which included the US military contractor Academi LLC and the investigative journalism network Bellingcat, aligns criminal interests with the state’s intelligence collection priorities.
- Political Patronage: Alleged ties have been reported between Conti members and Vladimir Ivanovich Plotnikov, a sitting member of the Russian Duma, extending the protective shield beyond the security services.
The Sacrifice of the Financial Facilitators
By contrast, financial services have proven expendable. In September 2024, US and European authorities seized infrastructure and cryptocurrency funds tied to the money laundering services Cryptex, PM2BTC and UAPS. These services, run by Sergey Ivanov, allegedly laundered more than one billion dollars in illicit proceeds.
The Russian reaction was swift and visible: in October 2024, the Russian Investigative Committee (SKR) announced the opening of an investigation, the arrest of nearly 100 associated people, and the seizure of 16 million dollars in rubles and several properties. The choice to hit financial facilitators, rather than the main ransomware operators, shows that Russia acts when international pressure is high and the intelligence value of these services is low. The signal is clear: the Russian “safe haven” is conditioned by the interests of the state, not by the law.
Outlook
The evolution of the ecosystem will depend on the ability of Russian authorities to balance external pressures, domestic political sensitivities and the long-term strategic value provided by cybercriminal proxies. Russia appears less as a uniform “haven” and more as a controlled market, where state interests determine who enjoys protection and who is repressed.
The article Russia and Cybercrime: A Balance Between Selective Repression and State Interest comes from Red Hot Cyber.
Hackers Can Access Microsoft Teams Chats and Emails via Access Tokens
A recent discovery revealed that hackers can exploit a flaw in Microsoft Teams on Windows to obtain encrypted authentication tokens, which grant access to chats, emails and files stored on SharePoint without authorization. Brahim El Fikhi detailed this vulnerability in a post published on October 23, 2025, highlighting how the tokens, kept in a cookie database modeled on Chromium’s, are vulnerable to decryption using the Data Protection API (DPAPI) provided by Windows.
Access tokens give attackers the ability to impersonate users, for example by sending Teams messages or emails on behalf of victims, in order to carry out social engineering attacks or maintain persistence. These methods evade recent security enhancements, putting corporate environments at risk of possible lateral movement and subsequent data exfiltration.
El Fikhi’s focus on Office desktop applications, especially Teams, reveals vulnerabilities in the embedded browser components that handle authentication through login.microsoftonline.com. A recent analysis notes that the Microsoft ecosystem remains a prime target, given its widespread adoption within companies.
Early versions of Microsoft Teams stored authentication cookies in plain text inside the SQLite file at %AppData%LocalMicrosoftTeamsCookies, a flaw discovered by Vectra AI in 2022 that allowed simple file reads to collect tokens for Graph API abuse, bypassing MFA.
Updates eliminated this kind of plain-text storage, adopting encrypted formats aligned with Chromium’s cookie protection to prevent on-disk theft. However, this change introduces new attack vectors. The tokens now use AES-256-GCM encryption protected by DPAPI, a Windows API that ties keys to user or machine contexts for data isolation.
To counter the threats, measures include monitoring for abnormal terminations of ms-teams.exe or unusual ProcMon patterns.
In addition, it is advisable to use web-based Teams to limit local storage. Token rotation via Entra ID policies and monitoring API logs to detect irregularities are further crucial steps.
As threats to Teams evolve, EDR rules based on DPAPI take on fundamental importance.
The article Hackers Can Access Microsoft Teams Chats and Emails via Access Tokens comes from Red Hot Cyber.
FIA Website Breached: Personal Data of Max Verstappen and More Than 7,000 Drivers Exposed
Security researchers discovered vulnerabilities in an FIA website that contained sensitive personal information and documents relating to drivers, including world champion Max Verstappen.
Ian Carroll, one of the three researchers who examined the site, disclosed the breach in a blog post on Wednesday. He said the FIA addressed the vulnerabilities in its systems immediately after being contacted last June.
The FIA confirmed the breach and said it had taken steps to protect drivers’ data. It contacted the affected drivers and the relevant data protection authorities.
The researchers stated that they did not access or retain sensitive information relating to any of the individuals identified through the cyberattack and immediately reported their findings to the FIA.
The website was compromised using a normal user account. The researchers exploited vulnerabilities in the system to obtain administrator privileges. This gave them the ability to access the sensitive personal information of any driver of their choosing.
“It appeared that we had full administrative access to the FIA driver categorization website,” they noted. “We stopped testing after seeing that it was possible to access Max Verstappen’s passport, resume, license, password hash and personally identifiable information,” Carroll wrote. “This data could be accessed for all F1 drivers through a categorization, along with sensitive information relating to internal FIA operations. We did not access any passports or sensitive information, and all data has been deleted.”
The FIA’s driver categorization website contains data on nearly 7,000 drivers.
“The FIA became aware of a cyber incident involving the FIA Driver Categorization website over the summer,” it said. “Immediate steps were taken to secure drivers’ data, and the FIA reported the issue to the relevant data protection authorities, in accordance with the FIA’s obligations. The limited number of drivers affected by this issue was also reported. No other FIA digital platform was affected by this incident.”
According to the researchers, the FIA took the website offline on June 3, the same day it was informed of the breach. A week later, it provided details of a “comprehensive fix.”
The FIA says it has “invested extensively in cybersecurity and resilience measures across its digital estate” and has “put in place world-class data security measures to protect all its stakeholders and implement a security-by-design policy in all new digital initiatives.”
The article FIA Website Breached: Personal Data of Max Verstappen and More Than 7,000 Drivers Exposed comes from Red Hot Cyber.
Automatically Serving Up Canned Cat Food
If there’s any one benefit to having a cat as a pet instead of a dog, it’s that they’re a bit more independent and able to care for themselves for many days without human intervention. The only thing that’s really needed is a way to make sure they get food and water at regular intervals, but there are plenty of off-the-shelf options for these tasks. Assuming your cat can be fed dry food, that is. [Ben Heck]’s cat has a health problem that requires a special canned wet food, and since there aren’t automatic feeders for this he built his own cat-feeding robot.
Unlike dry food that can dispense a measured amount from a hopper full of food, the wet food needs to be opened and dispensed every day. To accomplish this, his robot has a mechanism that slowly slides a wedge under the pull tab on the can, punctures the can with it, and then pulls it back to remove the lid. From there the food is ejected from the feeder down a ramp to a waiting (and sometimes startled) cat. The cans are loaded into 3D-printed cartridges and then stacked into the machine on top of each other, so the machine can dispense food cans until it runs out. This design has space for six cans.
Although there are many benefits to having pets of any sort, one of the fun side quests of pet ownership is building fun things for them to enjoy or to make caring for them easier. We even had an entire Hackaday contest based on this premise. And, if biological life forms aren’t your cup of tea, there are always virtual pets to care for as well.
Thanks to [Michael C] for the tip!
Making the Smallest and Dumbest LLM with Extreme Quantization
Turns out that training on Twitch quotes doesn’t make an LLM a math genius. (Credit: Codeically, YouTube)
The reason why large language models are called ‘large’ is not because of how smart they are, but as a factor of their sheer size in bytes. At billions of parameters at four bytes each, they pose a serious challenge when it comes to not just their size on disk, but also in RAM, specifically the RAM of your videocard (VRAM). Reducing this immense size, as is done routinely for the smaller pretrained models which one can download for local use, involves quantization. This process is explained and demonstrated by [Codeically], who takes it to its logical extreme: reducing what could be a GB-sized model down to a mere 63 MB by reducing the bits per parameter.
While you can offload a model, i.e. keep only part of it in VRAM and the rest in system RAM, this massively impacts performance. An alternative is to use fewer bits per weight in the model, called ‘compression’, which typically involves reducing 16-bit floating point to 8-bit, reducing memory usage by about 75%. Going lower than this is generally deemed unadvisable.
Using GPT-2 as the base, it was trained with a pile of internet quotes, creating parameters with a very anemic 4-bit integer size. After initially manually zeroing the weights made the output too garbled, the second attempt without the zeroing did somewhat produce usable output before flying off the rails. Yet it did this with a 63 MB model at 78 tokens a second on just the CPU, demonstrating that you can create a pocket-sized chatbot to spout nonsense even without splurging on expensive hardware.
Keep An Eye On Your Air-Cooled Engine
There was a time, long ago, when passenger vehicles used to be much simpler than they are today. There were many downsides of this era, safety chief among them, but there were some perks as well. They were in general cheaper to own and maintain, and plenty could be worked on with simple tools. There’s perhaps no easier car to work on than an air-cooled Volkswagen, either, but for all its simplicity there are a number of modern features owners add to help them with these antiques. [Pegor] has created his own custom engine head temperature monitor for these vehicles.
As one could imagine with an air-cooled engine, keeping an eye on the engine temperature is critical to ensuring their longevity but the original designs omitted this feature. There are some off-the-shelf aftermarket solutions but this custom version has a few extra features that others don’t. It’s based on an ATMega32u4 microcontroller and will work with any K-type thermocouple, and thanks to its open nature can use a wide array of displays. [Pegor] chose one to blend in with the rest of the instrumentation on this classic VW. The largest issue that needed to be sorted out was around grounding, but a DC-DC converter created an isolated power supply for the microcontroller, allowing the thermocouple to be bonded to the grounded engine without disrupting operation of the microcontroller.
The finished product looks excellent and does indeed blend in to the dashboard more than the off-the-shelf temperature monitor that was in use before. The only thing that is planned for future versions is a way to automatically dim the display when the headlights are on, as [Pegor] finds it a little bright at night. We also enjoy seeing anything that helps these antiques stay on the road more reliably as their modern descendants don’t have any of the charm or engineering of these classics.
A Logical Clock That Pretends To Be Analog
[kcraske] had a simple plan for their clock build. They wanted a digital clock that was inspired by the appearance of an analog one, and they only wanted to use basic logic, with no microprocessors involved. Ultimately, they achieved just that.
Where today you might build a clock based around a microcontroller and a real-time clock module, or by querying a network time server, [kcraske] is doing all the timekeeping in simpler hardware. The clock is based around a bunch of 74-series logic chips, a CD4060 binary counter IC, and a 32.768 kHz crystal, which is easy to divide down to that critical 1 Hz. Time is displayed on the rings of LEDs around the perimeter of the clock—12 LEDs for hours, and 60 each for minutes and seconds. Inside the rings, the ICs that make up the clock are arranged in a pleasant radial configuration.
It’s a nice old-school build that reminds us not everything needs to run at 200 MHz or hook up to the internet to be worthwhile. We’ve featured some other fun old-school clocks of late, too. Meanwhile, if you’re cooking up your own arcane timepieces, we’d love to hear about it on the tipsline.
Artificial General Intelligence (AGI): first global standard for measuring it defined
On October 21, 2025, an international group of researchers from 29 prestigious institutions, including Stanford University, MIT and the University of California, Berkeley, completed a study that marks a milestone in the development of artificial intelligence: the definition of the first quantitative framework for evaluating Artificial General Intelligence (AGI).
Based on the Cattell-Horn-Carroll (CHC) theory from psychology, the proposed model divides general intelligence into ten distinct cognitive domains, each weighted at 10%, for a total of 100 points representing the human cognitive level.
On this scale, GPT-4 scored 27%, while GPT-5 scored 58%, revealing an uneven distribution of abilities, with excellent results in language and knowledge but zero scores in long-term memory.
A scientific approach to measuring “true intelligence”
According to the researchers, establishing whether an AI can be considered as “intelligent” as a human being requires a broad, multidimensional assessment. As in a full medical check-up that measures the health of different organs, AGI is analyzed on several cognitive fronts, from reasoning to language, from memory to sensory perception.
The new framework is built on CHC theory, which has been used for decades in psychology to measure human cognitive abilities. This approach makes it possible to break intelligence down into analytical components such as knowledge, reasoning, visual processing and memory.
The team’s goal was to turn these principles into an objective measurement system that can also be applied to artificial intelligence models.
The AI “cognitive test”
The tests evaluated GPT-4 and GPT-5 in ten areas: general knowledge, text comprehension and production, mathematics, on-the-spot reasoning, working memory, long-term memory, memory retrieval, visual processing, auditory processing and reaction speed.
GPT-5 showed significant improvements over its predecessor, reaching near-perfect scores in language, knowledge and mathematics. However, both versions failed the tests of long-term memory and of handling information consistently over time.
According to the researchers, this shows that current AI systems compensate for their gaps through “capability distortion” strategies, exploiting enormous amounts of data or external tools to mask structural limits.
The “sawtooth mind” of modern AI
The report describes the distribution of results as “sawtooth”: excellence in some areas and serious shortcomings in others. For example, GPT-5 behaves like a student who is brilliant in theoretical subjects but unable to remember the lessons learned. This cognitive fragmentation shows that, while displaying advanced abilities, AIs do not yet possess a continuous and autonomous understanding of the world.
The study’s authors compare AI to a sophisticated engine that lacks some essential components. Even with a language and mathematics system of the highest level, the absence of stable memory and of a true learning mechanism limits overall capability. For artificial intelligence, this translates into high performance on specific tasks but poor adaptability and autonomous learning over the long term.
Implications for the future of AI
Besides providing a scientific basis for evaluating artificial intelligence, the study helps redefine expectations about the development of AGI. It shows that simply growing model size or adding more data is not enough to reach human cognition: new architectures are needed that can integrate memory, reasoning and experiential learning.
The researchers also stress the importance of addressing so-called AI “hallucinations”, errors in which information is fabricated, which remain a critical point in all the models tested. Awareness of these limits can guide a more informed use of the technology, avoiding both excessive enthusiasm and unfounded fears.
Ultimately, the main contribution of this research is the introduction of a genuine “cognitive yardstick” for measuring artificial intelligence in an objective and comparable way. Only by knowing the current strengths and weaknesses will it be possible to steer the next generation of intelligent systems effectively.
The article Artificial General Intelligence (AGI): first global standard for measuring it defined comes from Red Hot Cyber.
2025 Component Abuse Challenge: Nail Your Next Decal
One of the hardest parts of a project — assuming it makes it that far — is finishing it up in an aesthetically pleasing manner. As they say, the devil is in the details, wearing Prada. Apparently the devil also has an excellent manicure, because [Tamas Feher] has come up with a way to introduce incredibly detailed decals (down to 0.1 mm) in cheap, repeatable fashion, using a technique borrowed from the local nail salon. The end result can look quite a bit better than the test piece above.
For those who aren’t into nail art (which, statistically speaking, is likely to be most of you) there is a common “stamping” technique for putting details onto human fingernails. Nail polish is first applied to voids on a stencil-like plate, then picked up by a smooth silicone stamper, which is then pressed against the nail, reproducing the image that was on the stencil. If that’s clear as mud, there’s a quick demo video embedded below. There’s a common industrial technique that works the same way, which is actually where [Tamas] got the idea. For nail salons and at-home use, there are a huge variety of these stencils commercially available for nail art, but that doesn’t mean you’re likely to find what you want for your project’s front panel.
[Tamas] points out that by using a resin printer to produce the stencil plate, any arbitrary text or symbol can be used. Your logo, labels, whatever. By printing flat to the build plate, you can take advantage of the full resolution of the resin printer — even an older 2 K model would more than suffice here, while higher res like the new 16 K models become the definition of overkill. The prints go quick, as they don’t need any structural thickness: just enough to hold together coming off of the plate, plus enough extra to hold your designs at a 0.15 mm inset. That doesn’t seem very thick, but remember that this only has to hold enough nail polish to be picked up by the stamper.
[Tamas] cautions you have to work fast, as the thin layer of nail polish picked up by the stamper can dry in seconds. You’ll want plenty of nail polish remover (or plain acetone) on hand to clean the stamper once you’ve finished, as well as your stencil. [Tamas] cautions you’ll want to clean it immediately if you ever want to use it again. Good to know.
While this is going outside of the nail art kit’s comfort zone, it might not quite be abuse. It is however a very useful technique to add to our ever-growing quiver of how to make front panels. Besides, we don’t specify you have to literally make components suffer; we just want to see what wild and wonderful substitutions and improvisations you all come up with.
Announcing the 2025 Hackaday Superconference Communicator Badge
It’s the moment you hard-core hardware nerds have been waiting for: the reveal of the 2025 Hackaday Supercon Communicator Badge. And this year, we’ve outdone ourselves, but that’s thanks to stellar collaboration with folks from the community, and help from sponsors. This badge is bigger than the sum of its parts, and we’ve planned for it to be useful for you to hack on in the afterlife. Indeed, as always, you are going to be the final collaborator, so we can’t wait to see what you’ll do with it.
We’re going out – wide out – on a limb and trying to create a dense mesh network of badges talking to each other at Supercon. It’s going to be like a badge-hosted collection of chat rooms, as connected as we can make them without talking over each other.
You look up a topic, say Retro Computing or SAO trading, punch in the channel number on the numpad, and your badge starts listening to everything going on around that topic. But they also listen to everything else, and repeat anything they hear on to their neighbors. Like IRC, but LoRa.
But let’s talk hardware. The first thing that hits you is the custom keyboard, a hat-tip to portable computing devices of yore, but actually infinitely more capable and even nicer under the thumbs. Behind the keyboard is a custom dome-switch sticker sheet and a TC8418 I2C keyboard matrix multiplexer chip, which does away with all of the diodes and decoding and makes a keyboard design easy.
In the driver’s seat is an ESP32-S3, courtesy of Espressif, no less. We asked, and they made it rain: it’s the good one with 8 MB of PSRAM and 16 MB of flash – plenty of room for about anything, and just enough pins to run the show. We needed the form-factor of the LCD screen for the aesthetics, and we’ll just say there’s not much choice in this shape; we had to go for an LCD with a strange newish driver chip, but we made it work with the help of sketchy Arduino init scripts found around the interwebs.
Did we mention LoRa? A Communicator Badge is no good without a means of communication. Seeed makes these nice little SX1262 LoRa modules, and they were our first choice not only because they’re cute, but also because they come with a bring-your-own antenna option, and they had enough of them in stock. (This is not to be underestimated these days!) SMA adapter, LiPo and charging circuitry, and badge is your uncle! Super thanks go out to DigiKey for sponsoring us all manner of needed components.
Radio Frequency Madness
Here is where we run into our first problem, and it’s the exact opposite of the problem that mesh networks are designed to solve. Those little LoRa radios transmit easily 1 km to 2 km in open space, maybe half that in an urban neighborhood. And we’re putting 500 of them in the alley, with often just a couple meters between badges.
Somehow we missed [Bob Hickman]’s talk on SAOs with cheap components. So here is a special shout-out.
The game here, in this Bizarro world, is trying to figure out how little power each badge can use while still holding the mesh network somewhat together. It’s an experiment, it’s uncharted territory, and we’d bet that if they had a world record for the most long-range radios within the shortest range of each other, we’d win!
Still, we’ve got some tricks up our sleeve, we’ve got a lot of bandwidth at our discretion, and we’ve got a smart bunch of hackers. We can make this work, and we will have some odd corners of radio spectrum for you to play around with too. Get together with a couple friends and have fun with RF.
We’ll also be broadcasting Supercon-relevant news out to the badges from time to time. Things like which talks are coming up, when and where the food has arrived, and so on.
The Keyboard
Back to the keyboard. Hackaday superfriend [Arturo182] was one of the first few people to make the new-old-stock Blackberry keyboards usable for the masses, building on the work of [JoeN] and [WooDWorkeR]. But hacker demand has dried up the global stock of the old gems, and [Arturo] turned to making his own keyboards. We saw his prototypes and had to get in on the action.
Other badges have come out using his stock keyboard, but only Hackaday and Supplyframe’s Design Lab were foolish enough to do something totally custom. Actually, it was super easy with [Arturo] leading the keyboard project, because he knows all about the details of preparing the designs for the keyboard dome sheets, and worked with the Design Lab team and Supplyframe’s designer [Bogdan Rosu] to get the custom silicone covers looking pretty. Thanks [Arturo]!
The Software?
The software is still under wraps. The folks at Design Lab are turning out badges as fast as they can, even as we write this, and that means that we’re still working on the software. The last minute is the sweetest minute. Again, though, we’re not alone.
The brains behind the software effort is [Spaceben], and I have to say I haven’t seen such clean Python code in my life. Everything is possible when you have good folks on your team.
We’re using the LVGL graphics framework for MicroPython, which makes the GUI design a lot snazzier than it would otherwise be. It was also easy enough to port our funny display driver to lvgl_micropython, and we’re working on the keyboard too. We’ll see what works on Supercon Day 1!
Your Turn
And that brings us to you! Mesh-network-IRC is fun during the conference, but after the fact, these badges are going to be too good to just leave on the shelf. Porting Meshtastic to the badge would be a fantastic project. The keyboard, WiFi, and Bluetooth connectivity just beg for some kind of handheld remote-control device design. The panel for a home automation setup? Or heck, go super simple and just wire the I2C keyboard out to your next project that needs one. We’d bet a Jolly Wrencher sticker that the badge could be quickly transformed into an ELRS radio control unit.
We love the badge scene, and like many of you out there, we find it’s a pity when the badges just sit in the closet. So we tried to plan for the afterlife here by making the badge hardware as useful as we could, and by making the software side as accessible as possible. Those of you who hack on the badge during Supercon, you’ll be blazing the trails for the rest of us afterwards.
We hope you find it fun to chat with others at Supercon, a fun platform to work on, and something useful after the fact. Managing an ad-hoc chaos mesh network isn’t going to be easy, but the real goal is the friends you meet along the way. See you all at Supercon!