Commodore 64: il ritorno del computer retrò più venduto di tutti i tempi è ora
Il record di computer desktop più venduto di sempre è ancora oggi detenuto dal Commodore64, come attestato dal Guinness dei primati, nonostante la sua produzione sia stata interrotta già dal 1994. In ogni caso, la Commodore sembra stia facendo rivivere il C64, seppur in maniera alquanto limitata.
L’azienda originale ha dichiarato bancarotta più di trent’anni fa e i suoi beni sono stati venduti. Ma lo YouTuber Christian Simpson ha recentemente accettato di acquistare tutti i 47 marchi Commodore, creando di fatto una nuova azienda con un vecchio nome: Commodore International. E dopo aver assunto un team che include alcuni veterani del Commodore originale e alcuni nuovi arrivati, la nuova azienda sta lanciando un nuovo Commodore 64 Ultimate.
È un computer moderno con un design retrò e supporto per la maggior parte dei giochi e delle applicazioni Commodore classici. Il Commodore 64 Ultimate è in preordine a partire da 300 dollari e le spedizioni dovrebbero iniziare a ottobre o novembre.
Il prezzo di partenza è per un modello BASIC Beige che assomiglia molto al computer classico, ma i clienti possono anche pagare 50 dollari in più per un modello “Starlight Edition” con custodia trasparente o 500 dollari per una versione limitata Founders Edition che aggiunge un distintivo Commodore in oro 24 carati e qualche altro extra.
Dal punto di vista funzionale, però, sono tutti uguali. Potrebbero non avere esattamente lo stesso hardware del C64 originale, ma utilizzano un AMD Xilinx Artix-7 GPA per ricreare il processore originale, consentendo a giochi, cartucce e periferiche classiche di funzionare senza emulazione software.
Il computer ha comunque alcune caratteristiche moderne, tra cui un’uscita HDMI, porte USB Type-C e Type-A, un lettore di schede microSD, Ethernet da 100 Mbps e WiFi. Ma dispone anche di connettori per i controller e i supporti classici del C64, oltre a uscite video analogiche. È quindi possibile utilizzare questo nuovissimo dispositivo con hardware più datato, tra cui un televisore a tubo catodico o cartucce, unità disco e altri accessori compatibili con il Commodore 64.
Sebbene negli ultimi anni siano stati lanciati altri dispositivi a marchio Commodore, la maggior parte è stata realizzata da aziende terze: il C64 Mini , ad esempio, è stato prodotto da Retro Games Ltd, che ha concesso in licenza il marchio Commodore. Ciò che rende questo nuovo modello diverso è il fatto di essere il primo prodotto “ufficiale” Commodore da decenni.
Detto questo, è anche di fatto il primo nuovo dispositivo di un’azienda appena lanciata, e sta trattando i preordini come una campagna di crowdfunding: sta accettando ordini ora per raccogliere i fondi che verranno utilizzati per la produzione, tra le altre cose. Ma la pagina dei preordini promette una “garanzia di rimborso” e che i clienti possono annullare gli ordini prima della spedizione per richiedere un rimborso.
L'articolo Commodore 64: il ritorno del computer retrò più venduto di tutti i tempi è ora proviene da il blog della sicurezza informatica.
From Leash to Locomotion: CARA the Robotic Dog
Normally when you hear the words “rope” and “dog” in the same sentence, you think about a dog on a leash, but in this robot dog, the rope is what makes it move, not what stops it from going too far. [Aaed Musa]’s latest project is CARA, a robotic dog made mostly of 3D printed parts, with brushless motors and ropes used to tie the motors and legs together.
In a previous post, we covered [Aaed Musa]’s use of rope as a mechanism to make capstan drives, enabling high torque and little to no backlash. Taking that gearbox design, tweaking it a bit, and using three motors, he was able to make a leg capable of moving in all three axes. He had to do a good deal of inverse kinematics math to get the leg moving around as desired; once he had the motion of a step defined, it was time to build the rest of the dog.
CARA is made primarily of 3D printed parts, with several carbon fiber tubes running its length for rigidity. The legs are all free to move not only forward and back but side to side some, as in a real dog. He uses 12 large brushless motors, as they provide the torque needed, and ODrive S1 motor controllers to control each one, controlled over CAN by a Teensy 4.1 microcontroller. There is also a small BNO086 IMU to sense CARA’s position relative to gravity, and a 24V cordless tool battery powers everything.
Once assembled, there was some more tuning of what type of motion CARA’s legs take while walking. There were a few tweaks to the printed parts to address some structural issues, and then a good deal more inverse kinematics math to make full use of the IMU, allowing CARA to handle inclines and make a much more natural movement style. [Aaed Musa] does a great job explaining his approach on his site as well as in the video below; we’re looking forward to seeing his future projects!
CARA isn’t alone on this site—be sure to check out the other robot dogs we’ve featured here.
youtube.com/embed/8s9TjRz01fo?…
Jcorp Nomad: ESP32-S3 Offline Media Server in a Thumbdrive
[Jackson Studner] wrote in to let us know about his ESP32-based media server: Jcorp Nomad.
This project uses a ESP32-S3 to create a WiFi hotspot you can connect to from your devices. The hotspot is a captive portal which directs the user to a web-interface comprised of static HTML assets which are in situ with the various media on an attached SD card formatted with a FAT32 file system. The static HTML assets are generated by the media.py Python 3 script when the ESP32 boots.
This project exists because the typical Raspberry Pi media server costs more than an ESP32 does. The ESP32 is smaller too, and demands less power.
According to [Jackson] this ESP32-based solution can support at least four concurrent viewers. The captive portal is implemented with DNS and HTTP services from the ESP32. The firmware is an Arduino project that integrates a bunch of libraries to provide the necessary services. The Jcorp Nomad media template supports Books (in pdf files), Music (in mp3 files), and Movies and Shows (in mp4 files). Also there is a convention for including JPEG files which can represent media in the user-interface.
And the icing on the cake? The project files include STL files so you can 3D print an enclosure. All in all, a very nice hack.
What Will It Take to Restore a Serious Flight Simulator?
[Jared] managed to find a professional FAA-certified flight simulator at an auction (a disassembled, partial one anyway) and wondered, what would it take to rebuild it into the coolest flight sim rig ever?
In a video, [Jared] gives a tour of the system and highlights the potential as well as pointing out challenges and drawbacks. Fortunately the system is of a modular design overall, and the motion control system is documented. The chassis and physical parts are great, but the avionics stack is a mixed bag with some missing parts and evidence of previous tinkering — that part being not quite so well documented.
Conceptually, a mid-tier gaming rig with a wraparound display will take care of the flight software part, and some custom electronics work (and probably a Raspberry Pi or three) will do for interfacing to various hardware elements. But a lot of details will need to be worked out in order to turn the pile of components into an entertaining flight sim rig, so [Jared] invites anyone who is interested to join him in collaborating on innovative approaches to the myriad little challenges this build presents.
We’ve seen the community pull off some clever things when it comes to flight sims, so we know the expertise is out there.
youtube.com/embed/I3BM3D72Q3I?…
Un raggio di luce da 265 milioni di km: l’ESA stabilisce il primo collegamento ottico per l’internet del futuro
Il 7 luglio 2025, l’Agenzia Spaziale Europea ha stabilito con successo il suo primo collegamento ottico con una sonda interplanetaria. Il segnale laser ha percorso 265 milioni di chilometri e ha raggiunto l’esperimento Deep Space Optical Communications a bordo della sonda americana Psyche, che ora si trova a una distanza di 1,8 unità astronomiche dalla Terra.
Il collegamento è stato fornito da due stazioni ottiche in Grecia. All’osservatorio di Kryoneri, vicino ad Atene, un potente laser ha emesso un fascio stretto che ha permesso allo strumento DSOC di catturare il segnale e inviare una risposta. Il laser di ritorno è stato ricevuto dall’osservatorio Helmos, situato sulla cima di una montagna vicina, a trentasette chilometri di distanza.
Il Direttore delle Operazioni dell’ESA, Rolf Densing, ha definito la dimostrazione un passo importante verso l’internet ad alta velocità nello spazio profondo e ha sottolineato l’importanza della cooperazione internazionale. Mariella Spada, Responsabile dell’Innovazione dei Sistemi di Terra, ha aggiunto che anni di standardizzazione e nuove soluzioni ingegneristiche hanno posto le basi della futura rete interplanetaria.
Gli ingegneri si sono trovati di fronte a due sfide principali. Dovevano puntare il laser verso un veicolo spaziale distante senza alcuna deviazione e, allo stesso tempo, creare un ricevitore in grado di catturare diversi fotoni dopo aver attraversato l’intero sistema solare. Il Jet Propulsion Laboratory della NASA si è occupato di calcolare la traiettoria utilizzando il metodo Delta-DOR, mentre l’European Space Operations Center ha compensato gli effetti dell’atmosfera e del moto planetario. La sicurezza del volo è stata oggetto di particolare attenzione, con la chiusura temporanea di alcune sezioni dello spazio aereo greco.
Il trasmettitore terrestre costruito per l’esperimento combina cinque laser ad alta potenza in un contenitore con una piattaforma di sollevamento che nasconde le ottiche dalla luce del giorno e le mostra dopo il tramonto. Il sistema di ricezione si basa sul telescopio Aristarchus, di due metri e tre di diametro, situato a un’altitudine di duemilatrecentoquaranta metri. Un rivelatore sulla piastra posteriore del telescopio distingue i singoli fotoni.
Prima della sessione principale, il team ha testato l’apparecchiatura inviando un segnale al satellite europeo Alphasat in orbita geostazionaria. Nonostante la complessità del compito, l’installazione di laser, cavi e sistemi di raffreddamento è stata completata in un solo giorno, e il debug completo è stato eseguito da meno di venti specialisti in due siti.
I collegamenti ottici possono trasmettere dati da dieci a cento volte più velocemente dei collegamenti radio, il che è fondamentale per il crescente flusso di informazioni provenienti dalle future missioni. Il successo della campagna greca sostiene l’iniziativa ASSIGN dell’ESA, che mira a combinare reti a radiofrequenza e laser in un’infrastruttura interplanetaria sostenibile, nonché progetti come LightShip, progettato per trasportare equipaggi su Marte e supportarne le comunicazioni e la navigazione.
La prima connessione con Psyche ha segnato l’inizio di una serie di quattro sessioni di comunicazione programmate per quest’estate e ha fornito un chiaro segnale che l’era di Internet laser ad alta velocità nello spazio profondo è già iniziata.
L'articolo Un raggio di luce da 265 milioni di km: l’ESA stabilisce il primo collegamento ottico per l’internet del futuro proviene da il blog della sicurezza informatica.
An Open-Concept 3D Printer Using Cantilever Arms
If you’re looking for a more open, unenclosed 3D printer design than a cubic frame can accommodate, but don’t want to use a bed-slinger, you don’t have many options. [Boothy Builds] recently found himself in this situation, so he designed the Hi5, a printer that holds its hotend between two cantilevered arms.
The hotend uses bearings to slide along the metal arms, which themselves run along linear rails. The most difficult part of the design was creating the coupling between the guides that slides along the arms. It had to be rigid enough to position the hotend accurately and repeatably, but also flexible enough avoid binding. The current design uses springs to tension the bearings, though [Boothy Builds] eventually intends to find a more elegant solution. Three independent rails support the print bed, which lets the printer make small alterations to the bed’s tilt, automatically tramming it. Earlier iterations used CNC-milled bed supports, but [Boothy Builds] found that 3D printed plastic supports did a better job of damping out vibrations.
[Boothy Builds] notes that the current design puts the X and Y belts under considerable load, which sometimes causes them to slip, leading to occasional layer shifts and noise in the print. He acknowledges that the design still has room for improvement, but the design seems quite promising to us.
This printer’s use of cantilevered arms to support the print head puts it in good company with another interesting printer we’ve seen. Of course, that design element does also lend itself to the very cheapest of printers.
youtube.com/embed/9SezI9cAfXA?…
Thanks to [Keith Olson] for the tip!
Die Cut Machine Makes Portable Metal Cuts
[Kevin Cheung] likes to upcycle old soda cans into — well — things. The metal is thin enough to cut by hand, but he’d started using a manual die-cutting machine, and it worked well. The problem? The machine was big and heavy, weighing well over 30 pounds. The solution was to get a lightweight die cutter. It worked better than expected, but [Kevin] really wanted it to be more portable, so he stripped it down and built the mechanism into a new case.
The video below isn’t quite a “how-to” video, but if you like watching someone handcraft something with a lot of skill, you’ll enjoy it. It also might give you ideas about how you could use one of these cutters, even if you don’t bother building a nice case for it.
We’ve seen cutters that use computer control, but they aren’t inexpensive. They will, however, make the same kind of cuts. But these manual die cutters are very inexpensive, and you simply have to find a way to make the die. You can easily make them for cutting paper, and, with the right materials, you can make the kind you see in [Kevin]’s video, too.
We have to admit, carrying the gizmo into a public place seemed to make a lot of people happy. So maybe portability is a good goal. But either way, you can have some fun with a machine like that.
If you want to cut paper, these work great. If you want paper to make the cuts, we have just the thing for you.
youtube.com/embed/AKVGbrK1mh0?…
Playing Snake with Digital Microfluidics
Display technology has come a long way since the advent of the CRT in the late 1800s (yes, really!). Since then, we’ve enjoyed the Nixie tubes, flip dots, gas plasma, LCD, LED, ePaper, the list goes on. Now, there’s a new kid on the block — water.
[Steve Mould] recently got his hands on an OpenDrop — an open-source digital microfluidics platform for biology research. It’s essentially a grid of electrodes coated in a dielectric. Water sits atop this insulating layer, and due to its polarized nature, droplets can be moved around the grid by voltages applied to the electrodes. The original intent was to automate experiments (see 8:19 in the video below for some wild examples), but [Steve] had far more important uses in mind.
When [Steve]’s €1,000 device shipped from Switzerland, it was destined for greatness. It was turned into a game console for classics such as Pac-Man, Frogger, and of course, Snake. With help from the OpenDrop’s inventor (and Copilot), he built paired-down versions of the games that could run on the 8×14 “pixel” grid. Pac-Man in particular proved difficult, because due to the conservation of mass, whenever Pac-Man ate a ghost, he grew and eventually became unwieldy. Fortunately, Snake is one of the few videogames that actually respects the laws of classical mechanics, as the snake grows by one unit each time it consumes food.
[Steve] has also issued a challenge — if you code up another game, he’ll run it on his OpenDrop. He’s even offering a prize for the first working Tetris implementation, so be sure to check out his source code linked in the video description as a starting point. We’ve seen Tetris on oscilloscopes and 3D LED matrices before, so it’s about time we get a watery implementation.
youtube.com/embed/rf-efIZI_Dg?…
Thanks to [deʃhipu] for the tip!
2025 One Hertz Challenge: An Ancient Transistor Counts The Seconds
If you’ve worked with germanium transistors, you’ll know that many of them have a disappointingly low maximum frequency of operation. This has more to do with some of the popular ones dating from the earliest years of the transistor age than it does to germanium being inherently a low frequency semiconductor, but it’s fair to say you won’t be using an OC71 in a high frequency RF application. It’s clear that [Ken Yap]’s project is taking no chances though, because he’s using a vintage germanium transistor at a very low frequency — 1 Hz, to be exact.
The circuit is a simple enough phase shift oscillator that flashes a white LED, in which a two transistor amplifier feeds back on itself through an RC phase shift network. The germanium part is a CV7001, while the other transistor is more modern but still pretty old these days silicon part, a BC109. The phase shift network has a higher value resistor than you might expect at 1.8 MOhms, because of the low frequency of operation. Power meanwhile comes from a pair of AA cells.
We like this project not least for its use of very period passive components and stripboard to accompany the vintage semiconductor parts. Perhaps it won’t met atomic standards for timing, but that’s hardly the point.
This project is an entry in the 2025 One Hertz Challenge. Why not enter your own second-accurate project?
Wire Like a Pro: Peeking into Wire Harness Mastery
There are many ways to learn, but few to none of them compare to that of spending time standing over the shoulder of a master of the craft. This awesome page sent in by [JohnU] is a fantastic corner of the internet that lets us all peek over that shoulder to see someone who’s not only spent decades learning the art of of creating cable harnesses, but has taken the time to distill some of that vast experience for the rest of us to benefit from.
This page is focused on custom automotive and motorcycle modifications, but it’s absolutely jam-packed with things applicable in so many areas. It points out how often automotive wiring is somewhat taken for granted, but it shouldn’t be; there are hundreds of lines, all of which need to work for your car to run in hot and cold, wet and dry. The reliability of wiring is crucial not just for your car, but much larger things such as the 530 km (330 mi) of wiring inside an Airbus A380 which, while a large plane, is still well under 100 m in length.
This page doesn’t just talk about cable harnessing in the abstract; in fact, the overwhelming majority of it revolves around the practical and applicable. There is a deep dive into wiring selection, tubing and sealing selection, epoxy to stop corrosion, and more. It touches on many of the most common connectors used in vehicles, as well as connectors not commonly used in the automotive industry but that possess many of the same qualities. There are some real hidden gems in the midst of the 20,000+ word compendium, such as thermocouple wiring and some budget environmental sealing options.
There is far more to making a thing beyond selecting the right parts; how it’s assembled and the tools used are just as important. This page touches on tooling, technique, and planning for a wire harness build-up. While there are some highly specialized tools identified, there are also things such as re-purposed knitting needles. Once a harness is fully assembled it’s not complete, as there is also a need for testing that must take place which is also touched on here.
Thanks to [JohnU] for sending in this incredible learning resource. If this has captured your attention like it has ours, be sure to check out some of the other wire harness tips we’ve featured!
Criminal Hacker contro Criminal hacker! RansomedVC umilia Medusa pubblicando le chat del gruppo
Il gruppo di criminali informatici RansomedVC, tornato sulla scena nel 2025, ha pubblicando sul suo sito web ufficiale una fuga di notizie di corrispondenza interna del gruppo di hacker Medusa, uno dei più noti gruppi di ransomware al mondo. La pubblicazione è stata programmata in concomitanza con il lancio di un nuovo Data Leak Site (DLS) che ha coinvolto due vittime, una statunitense e una brasiliana. Si è trattato della prima azione di alto profilo da quando RansomedVC è tornato sulla scena informatica.
RansomedVC si è concentrato sulla divulgazione delle chat di Medusa risalenti all’11 dicembre 2022 e al marzo 2023. La corrispondenza suggerisce che il gruppo utilizzava un account chiamato MediaTeam per promuovere le proprie attività su Telegram e YouTube.
Medusa è un gruppo che ha raggiunto la notorietà nel 2023. Contrariamente a quanto si potrebbe pensare, il loro modello di business è molto diverso dal classico Ransomware as a Service e operano su una divisione monitorata di sottogruppi. Ultimamente abbiamo notato uno strano comportamento da parte dell’amministratore, come confermato da altri affiliati: sembra completamente assente e insensibile alle esigenze dei suoi membri. Ha recentemente eliminato tutti i gruppi sul server di RocketChat senza preavviso, lasciando agli affiliati solo due plausibili motivi: exit scam o arresto dell’amministratore da parte delle autorità. Vi fidereste di Medusa se tornasse attivo? Di seguito vi abbiamo lasciato un interessante elenco di affiliati che partecipano al programma Medusa, ora sapete dove ripopolare il gruppo e guadagnare un sacco di soldi con le vostre competenze 😀
Per accedere ai sistemi, erano necessari degli hash dump e Medusa preferiva il servizio put.io con un piano da 10 TB e Mega Pro 2 come storage cloud. Le informazioni sulle versioni software delle vittime sono state raccolte dalla documentazione ufficiale delle aziende. L’utility GMER è stata utilizzata per gestire i rootkit, mentre gli strumenti Volatility e LSADump sono stati utilizzati per estrarre le password. Tra gli obiettivi menzionati figuravano Green Cloud e StoreOnce.
Annuncio di fuga di notizie su Medusa su RansomedVC
Sono stati utilizzati exploit specifici su sistemi vulnerabili, tra cui CVE-2022-26134 , una vulnerabilità critica in Atlassian Confluence. Sono stati inoltre discussi la vulnerabilità ProxyNotShell , che colpisce Outlook Web App, e i problemi di bypass antivirus in Windows Defender.
Tra i membri di Medusa menzionati ci sono circa 20 nickname affiliati. Tra questi c’è “drumrlu”, ampiamente conosciuto sui forum underground come Initial Access broker (IaB). In precedenza, aveva fornito accesso al gruppo Thanos. In uno degli episodi, si lamenta del fatto che il firewall Fortinet bloccasse tutto il traffico e descrive come ha aggirato il problema installando Anydesk tramite TOR e configurando un proxy per il controllo remoto: la sessione è durata un’ora.
La chat rivela anche conflitti interni: quando uno dei partecipanti, Ray, ha chiesto a drumrlu uno script, questi ha rifiutato, temendo di “bruciare” il metodo, ma ha espresso il suo supporto. Anche la traccia linguistica è caratteristica: il partecipante Jester scriveva costantemente in russo. Atari ha mostrato interesse nell’aggirare Windows Defender e nopiro ha confermato di aver sfruttato la suddetta vulnerabilità di Confluence. Si ritiene che il datastore del partecipante fosse in precedenza membro di Makop, un altro noto gruppo ransomware .
Il presunto leader di Medusa, nascosto sotto il soprannome di “boss”, propose di inviare messaggi sull’attacco hacker a tutti i dipendenti delle aziende e ai giornalisti, sperando in questo modo di attirare l’attenzione del pubblico. Si discusse anche di formazione su YouTube: i video sulla disattivazione delle protezioni di Windows erano molto richiesti.
La pubblicazione delle chat ha coinciso con la creazione di una nuova versione del sito di RansomedVC l’8 luglio 2025. Ciò suggerisce che la fuga di notizie fosse stata pianificata in anticipo e mirasse ad aumentare l’interesse per il gruppo testando la reazione alle prime due vittime. In questo modo, RansomedVC sta cercando di affermarsi come un attore di rilievo nell’ecosistema dei ransomware, cercando al contempo di minare la reputazione dei suoi concorrenti.
Di particolare interesse è stata la corrispondenza in cui Ray ha condiviso uno script volto ad attivare la Modalità provvisoria in Windows per disabilitare i meccanismi di protezione. Lo script crea un servizio, lo registra nel registro e commuta il sistema in Modalità provvisoria con un successivo riavvio. Tuttavia, errori di sintassi e presupposti relativi al funzionamento della rete in Modalità provvisoria si sono rivelati un fallimento per gli hacker: la rete non funziona in questa modalità di default e, senza ulteriori accorgimenti, l’accesso remoto viene perso. Inoltre, alcuni parametri erano scritti in modo errato, il che rendeva instabile l’avvio del servizio.
Le chat mostrano che Medusa si sta concentrando sui prodotti Fortinet: sia le chat che gli eventi del 2024 menzionano tentativi di sfruttare le SQL injection in questi sistemi. Tutte le attività indicano un focus sugli Stati Uniti, il Paese più spesso menzionato tra gli obiettivi.
RansomedVC sottolinea di aver avuto accesso a questi dati grazie a “insider“. Considerando l’arco temporale della corrispondenza e il ritorno del gruppo stesso, non si può escludere che uno dei membri di RansomedVC abbia collaborato con Medusa in passato. Ciò potrebbe anche indicare un conflitto interno o un tentativo di destabilizzare un concorrente attraverso una fuga di notizie deliberata.
La struttura stessa del mondo della criminalità informatica sta diventando più aggressiva e competitiva: i gruppi si contendono partner affiliati, massimizzano il numero delle vittime, offrono supporto personalizzato durante le negoziazioni, si dedicano al rebranding, lottano per la reputazione e lo spazio informativo. La fuga di notizie di Medusa si sta inserendo in questa lotta e RansomedVC la sta sfruttando per tornare in gioco.
L'articolo Criminal Hacker contro Criminal hacker! RansomedVC umilia Medusa pubblicando le chat del gruppo proviene da il blog della sicurezza informatica.
Trickle Down: When Doing Something Silly Actually Makes Sense
One of the tropes of the space race back in the 1960s, which helped justify the spending for the part of the public who thought it wasn’t worth it, was that the technology developed for use in space would help us out here back on earth. The same goes for the astronomical expenses in Formula 1, or even on more pedestrian tech like racing bikes or cinematography cameras. The idea is that the boundaries pushed out in the most extreme situations could nonetheless teach us something applicable to everyday life.
This week, we saw another update from the Minuteman project, which is by itself entirely ridiculous – a 3D printer that aims to print a 3D Benchy in a minute or less. Of course, the Minuteman isn’t alone in this absurd goal: there’s an entire 3D printer enthusiast community that is pushing the speed boundaries of this particular benchmark print, and times below five minutes are competitive these days, although with admittedly varying quality. (For reference, on my printer, a decent-looking Benchy takes about half an hour, but I’m after high quality rather than high speed.)
One could totally be forgiven for scoffing at the Speed Benchy goal in general, the Minuteman, or even The 100, another machine that trades off print volume for extreme speed. But there is definitely trickle-down for the normal printers among us. After all, pressure advance used to be an exotic feature that only people who were using high-end homemade rigs used to care about, and now it’s gone mainstream. Who knows if the Minuteman’s variable temperature or rate smoothing, or the rigid and damped frames of The 100, or its successor The 250, will make normal printers better.
So here’s to the oddball machines, that push boundaries in possibly ridiculous directions, but then share their learnings with those of us who only need to print kinda-fast, but who like to print other things than little plastic boats that don’t even really float. At least in the open-source hardware community, trickle-down is very real.
This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!
The Cantareel is Hurdy-Guitar Turned Inside Out
Sometimes, all you need to make something work is to come at it from a different angle from anyone else — flip the problem on its head, so to speak. That’s what [Keizo Ishibashi] did to create his Cantareel, a modified guitar that actually sounds like a hurdy-gurdy.
We wrote recently about a maker’s quest to create just such a hybrid instrument, and why it ended in failure: pressing strings onto the fretboard also pushed them tighter to the wheel, ruining the all-important tension. To recap, the spinning wheel of a hurdy-gurdy excites the strings exactly like a violin bow, and like a violin bow, the pressure has to be just right. There’s no evidence [Keizo Ishibashi] was aware of that work, but he solved the problem regardless, simply by thinking outside the box — the soundbox, that is.
Unlike a hurdy-gurdy, the Cantareel keeps its wheel outside the soundbox. The wheel also does not rub directly upon the strings: instead, it turns what appears to be a pair of o-rings. Each rosined o-ring bows 2 of the guitar’s strings, giving four strings a’ singing. (Five golden rings can only be assumed.) The outer two strings of this ex-six-string are used to hold the wheel assembly in place by feeding through holes on the mounting arms. The guitar is otherwise unmodified, making this hack reversible.
It differs from the classic hurdy-gurdy in one particular: on the Cantareel, every string is a drone string. There’s no way to keep the rubber rings from rubbing against the strings, so all four are always singing. This may just be the price you pay to get that smooth gurdy sound out of a guitar form factor. We’re not even sure it’s right to call it a price when it sounds this good.
youtube.com/embed/1fVSCuUCHtA?…
Thanks to [Petitefromage] for the tip. If you run into any wild and wonderful instruments, don’t forget to let us know.
The 555 Writ Large
Few electronic ICs can claim to be as famous as the 555 timer. Maybe part of the reason is that the IC doesn’t have a specific function. It has a lot of building blocks that you can use to create timers and many other kinds of circuits. Now [Stoppi] has decided to make a 555 out of discrete components. The resulting IC, as you can see in the video below, won’t win any prizes for diminutive size. But it is fun to see all the circuitry laid bare at the macro level.
The reality is that the chip doesn’t have much inside. There’s a transistor to discharge the external capacitor, a current source, two comparators, and an RS flip flop. All the hundreds of circuits you can build with those rely on how they are wired together along with a few external components.
Even on [stoppi]’s page, you can find how to wire the device to be monostable, stable, or generate tones. You can also find circuits to do several time delays. A versatile chip now blown up as big as you are likely to ever need it.
Practical? Probably not, unless you need a 555 with some kind of custom modification. But for understanding the 555, there’s not much like it.
We’ve seen macro 555s before. It is amazing how many things you can do with a 555. Seriously.
youtube.com/embed/pK1dVKZuLpk?…
Get Roped Into Magnetic Core Memory with this 512 bit Module
Magnetic Core memory was the RAM at the heart of many computer systems through the 1970s, and is undergoing something of a resurgence today since it is easiest form of memory for an enterprising hacker to DIY. [Han] has anexcellent writeup that goes deep in the best-practices of how to wire up core memory, that pairs with his512-bit MagneticCoreMemoryController on GitHub.
Magnetic core memory works by storing data inside the magnetic flux of a ferrite ‘core’. Magnetize it in one direction, you have a 1; the other is a 0. Sensing is current-based, and erases the existing value, requiring a read-rewrite circuit. You want the gory details? Check out [Han]’s writeup; he explains it better than we can, complete with how to wire the ferrites and oscilloscope traces to explain why you want to wiring them that way. It may be the most complete design brief to be written about magnetic core memory to be written this decade.
This little memory pack [Han] built with this information is rock-solid: it ran for 24 hours straight, undergoing multiple continuous memory tests — a total of several gigabytes of information, with zero errors. That was always the strength of ferrite memory, though, along with the fact you can lose power and keep your data. In in the retrocomputer world, 512 bits doesn’t seem like much, but it’s enough to play with. We’ve even featured smaller magnetic core modules, likethe Core 64. (No prize if you guess how many bits that is.) One could be excused for considering them toys; in the old days,you’d have had cabinets full of these sorts of hand-wound memory cards.
Magnetic core memory should not be confused withcore-rope memory, which was a ROM solution of similar vintage. The legendaryApollo Guidance Computer used both.
We’d love to see a hack that makes real use of these pre-modern memory modality– if you know of one, send in a tip.
Measuring the Impact of LLMs on Experienced Developer Productivity
Recently AI risk and benefit evaluation company METR ran a randomized control test (RCT) on a gaggle of experienced open source developers to gain objective data on how the use of LLMs affects their productivity. Their findings were that using LLM-based tools like Cursor Pro with Claude 3.5/3.7 Sonnet reduced productivity by about 19%, with the full study by [Joel Becker] et al. available as PDF.
This study was also intended to establish a methodology to assess the impact from introducing LLM-based tools in software development. In the RCT, 16 experienced open source software developers were given 246 tasks, after which their effective performance was evaluated.
A large focus of the methodology was on creating realistic scenarios instead of using canned benchmarks. This included adding features to code, bug fixes and refactoring, much as they would do in the work on their respective open source projects. The observed increase in the time it took to complete tasks with the LLM’s assistance was found to be likely due to a range of factors, including over-optimism about the LLM tool capabilities, LLMs interfering with existing knowledge on the codebase, poor LLM performance on large codebases, low reliability of the generated code and the LLM doing very poorly on using tactic knowledge and context.
Although METR suggests that this poor showing may improve over time, it seems fair to argue whether LLM coding tools are at all a useful coding partner.
DIY X-Rays Made Easy
Who doesn’t want an X-ray machine? But you need a special tube and super high voltage, right? [Project 326] says no, and produces a USB-powered device that uses a tube you can pick up two for a dollar. You might guess the machine doesn’t generate X-rays with a lot of energy, and you’d be right. But you can make up for it with long exposure times. Check out the video below, with host [Posh Arthur].
The video admits there are limitations, of course. We were somewhat sad that [Project 326] elected not to share the exact parts list and 3D printed files because in the unlikely event someone managed to hurt themselves with it, there could be a hysterical reaction. We agreed, though, that if you are smart enough to handle this, you’ll be smart enough to figure out how to duplicate it — it doesn’t look that hard, and there are plenty of not-so-subtle clues in the video.
The video points out that you can buy used X-ray tube for about $100, but then you need a 70kV power supply. A 1Z11 tube diode has the same basic internal structure, but isn’t optimized for the purpose. But it does emit X-rays as a natural byproduct of its operation, especially with filament voltage.
The high voltage supply needs to supply at least 1mA at about 20 kV. Part of the problem is that with low X-ray emission, you’ll need long exposure times and, thus, a power supply needs to be able to operate for an extended period. We wondered if you could reduce the duty cycle, which might make the exposure time even longer, but should be easier on the power supply.
The device features a wired remote, allowing for a slight distance between the user and the hot tube. USB power is supplied through a USB-C PD device, which provides a higher voltage. In this case, the project utilizes 20V, which is distributed to two DC-DC converters: one to supply the high-voltage anode and another to drive the filament.
To get the image, he’s using self-developing X-ray film made for dental use. It is relatively sensitive and inexpensive (about a dollar a shot). There are also some lead blocks to reduce stray X-ray emission. Many commercial machines are completely enclosed and we think you could do that with this one, if you wanted to.
You need something that will lie flat on the film. How long did it take? A leaf image needed a 50-minute exposure. Some small ICs took 16 hours! Good thing the film is cheap because you have to experiment to get the exposure correct.
This really makes us want to puzzle out the design and build one, too. If you do, please be careful. This project has a lot to not recommend it: high voltage, X-rays, and lead. If you laugh at danger and want a proper machine, you can build one of those, too.
youtube.com/embed/jLOBMBN8A4A?…
Designing a CPU with only Memory Chips
Building a simple 8-bit computer is a great way to understand computing fundamentals, but there’s only so much you can learn by building a system around an existing processor. If you want to learn more, you’ll have to go further and build the CPU yourself, as [MINT] demonstrated with his EPROMINT project (video in Polish, but with English subtitles).
The CPU began when [MINT] began experimenting with uses for his collection of old memory chips, and quickly realized that they could do quite a bit more than store data. After building a development board for single-chip based programmable logic, he decided to build a full CPU out of (E)EPROMs. The resulting circuit spans four large pieces of perfboard, weighs in at over half a kilogram, and took several weeks of soldering to create.
The star of the system is the ALU, which runs an instruction set inspired by the Z80, but with some optimizations and added features. In particular, it has new operations for multiplication, division, bitstream operations, more advanced bit shifting, and a wide range of mathematical functions, including exponents, roots, and trigonometric functions. [MINT] documented all of this in a nicely-formatted offline booklet, available under the project’s GitHub repository. It’s currently only possible to program for the CPU using opcodes or a custom flavor of assembly, but there are plans to write a C compiler for it.
Even without being able to write in a higher-level language than assembly, [MINT] was able to drive a VFD screen with the EPROMINT, which he used to display some clips from The Matrix. This provided an opportunity to demonstrate basic debugging methods, which involved dumping and analyzing the memory contents after a failed program execution.
Using memory chips as programmable logic gates is an interesting hack, and we’ve seen Lisp programs written to make this easier. Of course, this isn’t the first CPU we’ve seen built without any chips intended for logic operations.
youtube.com/embed/xBB1nAUvuqU?…
Thanks to [Piotr] for the tip!
An Induction Lamp Made on the Same Principle as Ordinary Fluorescent Lamp
Over on YouTube, [Technology Connections] has a new video: Induction lamps: fluorescent lighting’s final form.
This video is about a wireless fluorescent light which uses induction to transfer power from the electrical system into the lamp. As this lamp doesn’t require wiring it is not prone to “sputtering” as typical fluorescent lights are, thus improving the working life by an order of magnitude. As explained in the video sputtering is the process where the electrodes in a typical fluorescent lamp lose their material over time until they lose their ability to emit electrons at all.
This particular lamp has a power rating of 200 W and light output of 16,000 lumens, which is quite good. But the truly remarkable thing about this type of lighting is its service life. As the lamp is simply a phosphor-coated tube filled with argon gas and a pellet of mercury amalgam it has a theoretically unlimited lifespan. Or let’s call it 23 years.
Given that the service life is so good, why don’t we see induction lamps everywhere? The answer is that the electronics to support them are very expensive, and these days LED lighting has trounced every lighting technology that we’ve ever made in terms of energy efficiency, quality of light, and so on. So induction lamps are obsolete before they ever had their day. Still pretty interesting technology though!
youtube.com/embed/SaKKzZRrPIg?…
Thanks to [Keith Olson] for writing in about this one.
Dearest C++, Let Me Count the Ways I Love/Hate Thee
My first encounter with C++ was way back in the 1990s, when it was one of the Real Programming Languages
Why did I pick C++ as my primary programming language? Mainly because it was well supported and with free tooling: a free Borland compiler or g++ on the GCC side. Alternatives like VB, Java, and D felt far too niche compared to established languages, while C++ gave you access to the lingua franca of C while adding many modern features like OOP and a more streamlined syntax in addition to the Standard Template Library (STL) with gobs of useful building blocks.
Years later, as a grizzled senior C++ developer, I have come to embrace the notion that being good at a programming language also means having strong opinions on all that is wrong with the language. True to form, while C++ has many good points, there are still major warts and many heavily neglected aspects that get me and other C++ developers riled up.
Why We Fell In Love
What frightened me about C++ initially was just how big and scary it seemed, with gargantuan IDEs like Microsoft’s Visual Studio, complex build systems, and graphical user interface that seemed to require black magic far beyond my tiny brain’s comprehension. Although using the pure C-based Win32 API does indeed require ritual virgin sacrifices, and Windows developers only talk about MFC when put under extreme duress, the truth is that C++ itself is rather simple, and writing complex applications is easy once you break it down into steps. For me the breakthrough came after buying a copy of Stroustrup’s The C++ Programming Language, specifically the third edition that covered the C++98 standard.
More than just a reference, it laid out clearly for me not only how to write basic C++ programs, but also how to structure my code and projects, as well as the reasonings behind each of these aspects. For many years this book was my go-to resource, as I developed my rudimentary, scripting language-afflicted skills into something more robust.
Probably the best part about C++ is its flexibility. It never limits you to a single programming paradigm, while it gives you the freedom to pick the desire path of your choice. Although an astounding number of poor choices can be made here, with a modicum of care and research you do not have to end up hoisted with your own petard. Straying into the C-compatibility part of C++ is especially fraught with hazards, but that’s why we have the C++ bits so that we don’t have to touch those.
Reflecting With C++11
It would take until 2011 for the first major update to the C++ standard, by which time I had been using C++ mostly for increasingly more elaborate hobby projects. But then I got tossed into a number of commercial C and C++ projects that would put my burgeoning skills to the test. Around this time I found the first major items in C++ that are truly vexing.
Common issues like header-include order and link order, which can lead to circular dependencies, are some of such truly delightful aspects. The former is mostly caused by the rather simplistic way that header files are just slapped straight into the source code by the preprocessor. Like in C, the preprocessor simply looks at your #include "widget/foo.h" and replaces it with the contents of foo.h with absolutely no consideration for side effects and cases of spontaneous combustion.
Along the way, further preprocessor statements further mangle the code in happy-fun ways, which is why the GCC g++ and compatible compilers like Clang have the -E flag to only run the preprocessor so that you can inspect the preprocessed barf that was going to be sent to the compiler prior to it violently exploding. The trauma suffered here is why I heartily agree with Mr. Stroustrup that the preprocessor is basically evil and should only be used for the most basic stuff like includes, very simple constants and selective compilation. Never try to be cute or smart with the preprocessor or whoever inherits your codebase will find you.
If you got your code’s architectural issues and header includes sorted out, you’ll find that C++’s linker is just as dumb as that of C. After being handed the compiled object files and looking at the needed symbols, it’ll waddle into the list of libraries, look at each one in order and happily ignore previously seen symbols if they’re needed later. You’ll suffer for this with tools like ldd and readelf as you try to determine whether you are just dense, the linker is dense or both are having buoyancy issues.
These points alone are pretty traumatic, but you learn to cope with them like you cope with a gaggle of definitely teething babies a few rows behind you on that transatlantic flight. The worst part is probably that neither C++11 nor subsequent standards have addressed either to any noticeable degree, with a shift from C-style compile units to Ada-like modules probably never going to happen.
The ‘modules at home‘ feature introduced with C++20 are effectively just limited C-style headers without the preprocessor baggage, without the dependency analysis and other features that make languages like Ada such a joy to build code with.
Non-Deterministic Initialization
Although C++ and C++11 in particular removes a lot of undefined behavior that C is infamous for, there are still many parts where expected behavior is effectively random or at least platform-specific. One such example is that of static initialization, officially known as the Static initialization order fiasco. Essentially what it means is that you cannot count on a variable declared static to be initialized during general initialization between different compile units.
This also affects the same compile units when you are initializing a static std::map instance with data during initialization, as I learned the hard way during a project when I saw random segmentation faults on start-up related to the static data structure instance. The executive summary here is that you should not assume that anything has been implicitly initialized during application startup, and instead you should do explicit initialization for such static structures.
An example of this can be found in my NymphRPC project, in which I used this same solution to prevent initialization crashes. This involves explicitly creating the static map rather than praying that it gets created in time:
static map<UInt32, NymphMethod*> &methodsIdsStatic = NymphRemoteClient::methodsIds();
With the methodsIds() function:
map<UInt32, NymphMethod*>& NymphRemoteClient::methodsIds() {
static map<UInt32, NymphMethod*>* methodsIdsStatic = new map<UInt32, NymphMethod*>();
return *methodsIdsStatic;
}
It are these kind of niggles along with the earlier covered build-time issues that tend to sap a lot of time during development until you learn to recognize them in advance along with fixes.
Fading Love
Don’t get me wrong, I still think that C++ is a good programming language at its core, it is just that it has those rough spots and sharp edges that you wish weren’t there. There is also the lack of improvements to some rather fundamental aspects in the STL, such as the unloved C++ string library. Compared to Ada standard library strings, the C++ STL string API is very barebones, with a lot of string manipulation requiring writing the same tedious code over and over as convenience functions are apparently on nobody’s wish list.
One good thing that C++11 brought to the STL was multi-tasking support, with threads, mutexes and so on finally natively available. It’s just a shame that its condition variables are plagued by spurious wake-ups and a more complicated syntax than necessary. This gets even worse with the Filesystem library that got added in C++17. Although it’s nice to have more than just basic file I/O in C++ by default, it is based on the library in Boost, which uses a coding style, type encapsulation obsession, and abuse of namespaces that you apparently either love or hate.
I personally have found the POCO C++ libraries to be infinitely easier to use, with a relatively easy to follow implementation. I even used the POCO libraries for the NPoco project, which adapts the code to microcontroller use and adds FreeRTOS support.
Finally, there are some core language changes that I fundamentally disagree with, such as the addition of type inference with the auto keyword outside of templates, which is a weakly typed feature. As if it wasn’t bad enough to have the chaos of mixed explicit and implicit type casting, now we fully put our faith into the compiler, pray nobody updates code elsewhere that may cause explosions later on, and remove any type-related cues that could be useful to a developer reading the code.
But at least we got [url=https://en.cppreference.com/w/cpp/language/constexpr.html]constexpr[/url], which is probably incredibly useful to people who use C++ for academic dissertations rather than actual programming.
Hope For The Future
I’ll probably keep using C++ for the foreseeable future, while grumbling about all of ’em whippersnappers adding useless things that nobody was asking for. Since the general take on adding new features to C++ is that you need to do all the legwork yourself – like getting into the C++ working groups to promote your feature(s) – it’s very likely that few actually needed features will make it into new C++ standards, as those of us who are actually using the language are too busy doing things like writing production code in it, while simultaneously being completely disinterested in working group politics.
Fortunately there is excellent backward compatibility in C++, so those of us in the trenches can keep using the language any way we like along with all the patches we wrote to ease the pains. It’s just sad that there’s now such a split forming between C++ developers and C++ academics.
It’s one of the reasons why I have felt increasingly motivated over the past years to seek out other languages, with Ada being one of my favorites. Unlike C++, it doesn’t have the aforementioned build-time issues, and while its super-strong type system makes getting started with writing the business logic slower, it prevents so many issues later on, along with its universal runtime bounds checking. It’s not often that using a programming language makes me feel something approaching joy.
Giving up on a programming language with which you quite literally grew up is hard, but as in any relationship you have to be honest about any issues, no matter whether it’s you or the programming language. That said, maybe some relationship counseling will patch things up again in the future, with us developers are once again involved in the language’s development.
Vulnerabilità critiche nella tecnologia eSIM: un attacco può compromettere la rete di qualsiasi operatore
Il laboratorio di ricerca Security Explorations ha presentatoi risultati di mesi di lavoro volti a svelarevulnerabilità nel cuore della tecnologia eSIM. L’attenzione si è concentrata sulla scheda eUICC di Kigen, certificata secondo gli standard GSMA e basata su un’implementazione proprietaria della macchina virtuale Java Card.
Nonostante i meccanismi di sicurezza multistrato dichiarati, tra cui la certificazione EAL4+, l’isolamento della memoria integrato e la resistenza agli attacchi di terze parti, il prodotto era suscettibile a un attacco riuscito che non solo consentiva il controllo dell’eSIM, ma dimostrava anche un crollo completo del modello di sicurezza affidabile nell’ecosistema eUICC.
La ricerca ha dimostrato che le vulnerabilità segnalate da Security Explorations nel 2019, ma all’epoca ignorate, non sono solo reali, ma anche potenzialmente devastanti. All’epoca, Oracle definì questi problemi “preoccupanti” e si rifiutò di riconoscerne la criticità. Oggi è chiaro: i bug ignorati nell’implementazione del bytecode di Java Card, come il type confusion tra oggetti e array, non sono stati risolti né nell’implementazione di riferimento di Oracle né in prodotti di terze parti come Kigen eUICC.
Security Explorations ha compromesso con successo una scheda eUICC Kigen, incluso il profilo di test TS.48, simulando l’installazione di un’applicazione Java dannosa sul canale SMS-PP. L’attacco ha estratto la chiave privata ECC che identifica la scheda GSMA, consentendo all’attaccante di scaricare e decriptare senza problemi i profili eSIM di diversi operatori di telefonia mobile, tra cui AT&T, Vodafone, Orange, T-Mobile e altri. Questi profili contenevano non solo impostazioni di rete, ma anche chiavi OTA sensibili, ID abbonato, applicazioni Java e parametri di servizio. In alcuni casi, le applicazioni estratte potevano essere modificate e reinstallate senza essere rilevate dall’operatore.
Uno dei test più significativi è stato un attacco alla rete Orange. I ricercatori hanno dimostrato la possibilità di clonazione di eSIM: un profilo duplicato installato su un altro dispositivo ha permesso l’intercettazione di chiamate e SMS in arrivo. Mentre il dispositivo malevolo era acceso, l’utente legittimo non ha ricevuto alcun messaggio, che la rete ha considerato recapitato. Tale comportamento minaccia non solo la privacy, ma anche l’affidabilità dei servizi di autenticazione a due fattori utilizzati da banche, servizi postali e altri sistemi critici.
Kigen ha riconosciuto la vulnerabilità e ha iniziato a collaborare con i ricercatori. L’azienda ha pagato una ricompensa di 30.000 dollari per un rapporto tecnico dettagliato e ha accettato un periodo di riservatezza di 90 giorni prima della pubblicazione. In seguito all’analisi, sono stati effettuati tentativi di eliminare la vulnerabilità implementando il controllo dei tipi in tutti i bytecode di Java Card. Tuttavia, Security Explorations ha osservato che il tentativo era formale e inefficace: il sistema controllava solo la parte superiore dello stack senza tracciare il flusso di controllo, il che lasciava decine di scenari vulnerabili. In altre parole, il “controllo universale” introdotto si è rivelato non funzionale, lasciando oltre 100 potenziali punti per gli attacchi.
In risposta alle vulnerabilità, la GSMA ha rivisto la specifica TS.48 per disabilitare la possibilità di installare applicazioni Java nei profili di test. Ha inoltre pubblicato un documento speciale con raccomandazioni per gli operatori del settore, che sottolinea la necessità di controllare le chiavi di gestione remota delle applicazioni. Tuttavia, i ricercatori ritengono che questi passaggi siano poco convincenti e non risolvano la radice del problema: una debolezza architetturale nella macchina virtuale Java Card, su cui è basato l’intero ecosistema eSIM.
È interessante notare che Kigen, nonostante la sua dichiarata indipendenza da Oracle, ha creato una propria implementazione della macchina virtuale, che tuttavia riproduceva gli stessi errori concettuali riscontrati nella Java Card Reference Implementation di Oracle. Allo stesso tempo, l’azienda ha dichiarato di non essere a conoscenza delle vulnerabilità segnalate da Security Explorations nel 2019. Tuttavia, secondo i ricercatori, un tentativo di contattare Kigen è stato effettuato già a novembre 2020 tramite un modulo di feedback dopo il webinar congiunto dell’azienda con Orange.
Uno dei risultati più allarmanti è stato che i server di Remote SIM Provisioning, inclusi quelli di IDEMIA e Thales, non riconoscevano i certificati eUICC compromessi. Ciò indica una mancanza sistemica di convalida e monitoraggio, che consente attacchi su larga scala senza essere rilevati. Inoltre, l’analisi ha mostrato che molte eSIM non implementano la verifica completa del bytecode Java Card, nonostante le raccomandazioni in tal senso contenute nella specifica SGP.25.
Il set di strumenti utilizzato dagli esperti ha permesso non solo di hackerare le schede ed estrarne il contenuto, ma anche di verificare la presenza di problemi di sicurezza tipici delle Java Card. È in grado di controllare automaticamente memoria, stack, variabili locali ed eseguire analisi del bytecode. Questi strumenti sono stati utilizzati sia per l’analisi eUICC di Kigen che per test su reti reali.
Gli autori dello studio sottolineano che il loro lavoro è stato svolto a proprie spese, senza finanziamenti esterni e, con un adeguato supporto, sarebbero pronti a fornire i risultati gratuitamente a tutti i membri GSMA. L’obiettivo dello studio è dimostrare il valore dell’analisi di sicurezza indipendente e l’importanza di prestare attenzione a dettagli sistematicamente ignorati dal settore per molti anni.
L'articolo Vulnerabilità critiche nella tecnologia eSIM: un attacco può compromettere la rete di qualsiasi operatore proviene da il blog della sicurezza informatica.
Hackaday Podcast Episode 328: Benchies, Beanies, and Back to the Future
This week, Hackaday’s Elliot Williams and Kristina Panos joined forces to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous week.
In Hackaday news, the One Hertz Challenge ticks on. You have until Tuesday, August 19th to show us what you’ve got, so head over to Hackaday.IO and get started now! In other news, we’ve just wrapped the call for Supercon proposals, so you can probably expect to see tickets for sale fairly soon.
On What’s That Sound, Kristina actually got this one with some prodding. Congratulations to [Alex] who knew exactly what it was and wins a limited edition Hackaday Podcast t-shirt!
After that, it’s on to the hacks and such, beginning with a ridiculously fast Benchy. We take a look at a bunch of awesome 3D prints a PEZ blaster and a cowbell that rings true. Then we explore chisanbop, which is not actually K-Pop for toddlers, as well as a couple of clocks. Finally, we talk a bit about dithering before taking a look at the top tech of 1985 as shown in Back to the Future (1985).
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
html5-player.libsyn.com/embed/…
Download in DRM-free MP3 and savor at your leisure.
Where to Follow Hackaday Podcast
Places to follow Hackaday podcasts:
Episode 328 Show Notes:
News:
What’s that Sound?
- Congratulations to [Alex] for knowing it was the Scientist NPC from Half-Life.
Interesting Hacks of the Week:
- Managing Temperatures For Ultrafast Benchy Printing
- When Is A Synth A Woodwind? When It’s A Pneumatone
- Budget Brilliance: DHO800 Function Generator
- I Gotta Print More Cowbell
- Kids Vs Computers: Chisanbop Remembered
- Pez Blaster Shoots Candy Dangerously Fast
Quick Hacks:
- Elliot’s Picks:
- IR Point And Shoot Has A Raspberry Heart In A 35mm Body
- Turning PET Plastic Into Paracetamol With This One Bacterial Trick
- Five-minute(ish) Beanie Is The Fastest We’ve Seen Yet
- Kristina’s Picks:
- CIS-4 Is A Monkish Clock Inside A Ceiling Lamp
- 3D Printer Turbo-Charges A Vintage Vehicle
- Shadow Clock Shows The Time On The Wall
Can’t-Miss Articles:
- Dithering With Quantization To Smooth Things Over
- Back To The Future, 40 Years Old, Looks Like The Past
hackaday.com/2025/07/11/hackad…
PlayStation Case Mod Hides Gamer Shame
[Zac] of Zac Builds has a shameful secret: he, a fully grown man, plays video games. Shocking, we know, but such people do exist in our society. After being rightfully laughed out of the family living room, [Zac] relocated his indecent activities to his office, but he knew that was not enough. Someone might enter, might see his secret shame: his PlayStation 5. He decided the only solution was to tear the game console apart, and rebuild it inside of his desk.
All sarcasm aside, it’s hard to argue that [Zac]’s handmade wooden desk doesn’t look better than the stock PS5, even if you’re not one of the people who disliked Sony’s styling this generation. The desk also contains his PC, a project we seem to have somehow missed; the two machines live in adjacent drawers.
While aesthetics are a big motivator behind this case mod, [Zac] also takes the time to improve on Sony’s work: the noisy stock fan is replaced by three silent-running Noctua case fans; the easy-to-confuse power and eject buttons are relocated and differentiated; and the Blu-ray drive gets a proper affordance so he’ll never miss the slot again. An NVMe SSD finishes off the upgrades.
Aside from the woodworking to create the drawer, this project relies mostly on 3D printing for custom mounts and baffles to hold the PS5’s parts and direct airflow where it needs to go. This was made much, much easier for [Zac] via the use of a 3D scanner. If you haven’t used one, this project demonstrates how handy they can be — and also some of the limitations, as the structured-light device (a Creality Raptor) had trouble with the shinier parts of the build. Dealing with that trouble still saved [Zac] a lot of time and effort compared to measuring everything.
While we missed [Zac]’s desk build, we’ve seen his work before: everything from a modernized iPod to woodensound diffusion panels.
youtube.com/embed/aSUcNWWdg8Y?…
Milioni di veicoli a rischio di attacchi RCE tramite il bug Bluetooth PerfektBlue
Quattro vulnerabilità, denominate PerfektBlue, interessano lo stack Bluetooth BlueSDK di OpenSynergy. Le vulnerabilità consentono l’esecuzione remota di codice arbitrario e potrebbero contribuire all’accesso a componenti critici nei veicoli di produttori come Mercedes-Benz AG, Volkswagen e Škoda. OpenSynergy ha confermato i problemi a giugno 2024 e ha rilasciato le patch a settembre. Tuttavia, molte case automobilistiche non hanno ancora implementato gli aggiornamenti nel loro firmware.
Le vulnerabilità sono state scoperte dagli specialisti di PCA Cyber Security, un’azienda specializzata in sicurezza automobilistica. È importante sottolineare che l’azienda partecipa regolarmente alla competizione Pwn2Own Automotive e ha scoperto più di 50 bug in diversi sistemi automobilistici dall’anno scorso. Secondo i ricercatori, i problemi di PerfektBlue riguardano “milioni di dispositivi nel settore automobilistico e non solo”. Tuttavia, gli esperti hanno studiato il binario compilato di BlueSDK, poiché semplicemente non disponevano del codice sorgente.
Le vulnerabilità variano in gravità e possono consentire l’accesso ai componenti interni di diversi veicoli tramite il sistema di infotainment.
- CVE-2024-45434 – utilizzo dopo la liberazione nel servizio AVRCP responsabile della gestione dei profili multimediali tramite Bluetooth;
- CVE-2024-45431 – Validazione errata dell’identificativo del canale CID in L2CAP (Logical Link Control and Adaptation Protocol);
- CVE-2024-45433 – Errore di terminazione della funzione del protocollo RFCOMM (Radio Frequency Communication);
- CVE-2024-45432 – Parametro non valido passato durante la chiamata della funzione RFCOMM.
Sebbene i ricercatori non rendano noti tutti i dettagli tecnici, scrivono che un aggressore connesso a un dispositivo vulnerabile ha la capacità di manipolare il sistema, aumentare i privilegi e passare ad altri componenti. PerfektBlue è un attacco RCE a 1 clic, perché l’attaccante deve solo convincere l’utente ad accettare la richiesta di associazione con il proprio dispositivo. Alcune case automobilistiche configurano i loro sistemi in modo tale che l’associazione sia possibile anche senza conferma.
PCA Cyber Security ha dimostrato che PerfektBlue funziona con le unità principali di Volkswagen ID.4 (sistema ICSA3), Mercedes-Benz (NTG6) e Skoda Superb (MIB3).
Guscio posteriore per Mercedes-Benz NTG6
Si sottolinea che dopo l’esecuzione di codice remoto nel contesto del sistema di infotainment dell’auto, un aggressore può tracciare le coordinate GPS, origliare le conversazioni in auto, accedere ai contatti telefonici del proprietario e anche eseguire movimenti laterali e raggiungere sottosistemi critici dell’auto. BlueSDK di OpenSynergy è ampiamente utilizzato al di fuori del settore automobilistico, ma è difficile individuare chi altro lo utilizzi nei propri prodotti (a causa della personalizzazione, del rebranding e della mancanza di trasparenza).
I ricercatori hanno informato Volkswagen, Mercedes-Benz e Škoda dei problemi riscontrati, concedendo loro tempo sufficiente per implementare le soluzioni. Tuttavia, gli esperti non hanno mai ricevuto risposta dalle case automobilistiche. I rappresentanti della Mercedes-Benz non hanno risposto alle richieste dei giornalisti e la Volkswagen ha affermato di aver avviato un’indagine subito dopo aver ricevuto informazioni sulle vulnerabilità. “L’indagine ha dimostrato che in determinate condizioni è possibile connettersi al sistema di infotainment del veicolo tramite Bluetooth senza autorizzazione”, ha affermato la Volkswagen.
Ma l’azienda ha sottolineato che l’exploit funzionerà solo se saranno soddisfatte alcune condizioni:
- l’aggressore si trova entro un raggio di 5-7 metri dall’auto;
- il quadro dell’auto è acceso;
- il sistema di infotainment è in modalità di associazione (l’utente ha avviato manualmente l’aggiunta del dispositivo);
- l’utente conferma sullo schermo la connessione di un dispositivo Bluetooth esterno.
Anche se queste condizioni sono soddisfatte, durante l’attacco l’aggressore deve rimanere entro un raggio di 5-7 metri dall’auto per mantenere l’accesso. L’azienda ha fatto notare separatamente che, anche in caso di compromissione riuscita, un hacker non sarà in grado di compromettere le funzioni critiche dell’auto, tra cui lo sterzo, i sistemi di assistenza alla guida, il funzionamento del motore e l’impianto frenante (che sono controllati da un’unità separata con meccanismi di protezione propri).
L'articolo Milioni di veicoli a rischio di attacchi RCE tramite il bug Bluetooth PerfektBlue proviene da il blog della sicurezza informatica.
This Week in Security: Bitchat, CitrixBleed Part 2, Opossum, and TSAs
@jack is back with a weekend project. Yes, that Jack. [Jack Dorsey] spent last weekend learning about Bluetooth meshing, and built Bitchat, a BLE mesh encrypted messaging application. It uses X25519 for key exchange, and AES-GCM for message encryption. [Alex Radocea] took a look at the current state of the project, suspects it was vibe coded, and points out a glaring problem with the cryptography.
So let’s take a quick look at the authentication and encryption layer of Bitchat. The whitepaper is useful, but still leaves out some of the important details, like how the identity key is tied to the encryption keys. The problem here is that it isn’t.
Bitchat has, by necessity, a trust-on-first-use authentication model. There is intentionally no authentication central authority to verify the keys of any given user, and the application hasn’t yet added an out-of-band authentication method, like scanning QR codes. Instead, it has a favorites system, where the user can mark a remote user as a favorite, and the app saves those keys forever. There isn’t necessarily anything wrong with this approach, especially if users understand the limitations.
The other quirk is that Bitchat uses ephemeral keys for each chat session, in an effort to have some forward secrecy. In modern protocols, it’s desirable to have some protection against a single compromised encryption key exposing all the messages in the chain. It appears that Bitchat accomplishes this by generating dedicated encryption keys for each new chat session. But those ephemeral keys aren’t properly verified. In fact, they aren’t verified by a user’s identity key at all!
The attack then, is to send a private message to another user, present the public key of whoever your’re trying to impersonate, and include new ephemeral encryption keys. Even if your target has this remote user marked as a favorite, the new encryption keys are trusted. So the victim thinks this is a conversation with a trusted person, and it’s actually a conversation with an attacker. Not great.
Now when you read the write-up, you’ll notice it ends with [Alex] opening an issue on the Bitchat GitHub repository, asking how to do security reports. The issue was closed without comment, and that’s about the end of the write-up. It is worth pointing out that the issue has been re-opened, and updated with some guidance on how to report flaws.
Post-Quantum Scanning
There’s a deadline coming. Depending on where you land on the quantum computing skepticism scale, it’s either the end of cryptography as we know it, or a pipe dream that’s always going to be about 10 years away. My suspicion happens to be that keeping qubits in sync is a hard problem in much the same way that factoring large numbers is a hard problem. But I don’t recommend basing your cryptography on that hunch.
Governments around the world are less skeptical of the quantum computer future, and have set specific deadlines to migrate away from quantum-vulnerable algorithms. The issue here is that finding all those uses of “vulnerable” algorithms is quite the challenge. TLS, SSH, and many more protocols support a wide range of cryptography schemes, and only a few are considered Post Quantum Cryptography (PQC).
Anvil Secure has seen this issue, and released an Open Source tool to help. Pqcscan is a simple idea: Scan a list of targets and collect their supported cryptography via an SSH and TLS scan. At the end, the tool generates a simple report of how many of the endpoints support PQC. This sort of compliance is usually no fun, but having some decent tools certainly helps.
Citrixbleed 2
Citrix devices have a problem. Again. The nickname for this particular issue is CitrixBleed 2, which hearkens all the way back to Heartbleed. The “bleed” here refers to an attack that leaks little bits of memory to attackers. We know that it’s related to an endpoint called doAuthentication.do.
The folks at Horizon3 have a bit more detail, and it’s a memory management issue, where structures are left pointing to arbitrary memory locations. The important thing is that an incomplete login message is received, the code leaks 127 bytes of memory at a time.
What makes this vulnerability particularly bad is that Citrix didn’t share any signs of attempted exploitation. Researchers have evidence of this vulnerability being used in the wild back to July 1st. That’s particularly a problem because the memory leak is capable of revealing session keys, allowing for further exploitation. Amazingly, in an email with Ars Technica, Citrix still refused to admit that the flaw was being used in the wild.
Opossum
We have a new TLS attack, and it’s a really interesting approach. The Opossum Attack is a Man in the Middle (MitM) attack that takes advantage of of opportunistic TLS. This TLS upgrade approach isn’t widely seen outside of something like email protocols, where the StartTLS command is used. The important point here is that these connections allow a connection to be initiated using the plaintext protocol, and then upgrade to a TLS protocol.
The Opossum attack happens when an attacker in a MitM position intercepts a new TCP connection bound for a TLS-only port. The attacker then initiates a plaintext connection to that remote resource, using the opportunistic port. The attacker can then issue the command to start a TLS upgrade, and like an old-time telephone operator, patch the victim through to the opportunistic port with the session already in progress.
The good news is that this attack doesn’t result in encryption compromise. The basic guarantees of TLS remain. The problem is that there is now a mismatch between exactly how the server and client expect the connection to behave. There is also some opportunity for the attacker to poison that connection before the TLS upgrade takes place.
TSAs
AMD has announced yet another new Transient Execution attack, the Transient Scheduler Attack. The AMD PDF has a bit of information about this new approach. The newly discovered leak primitive is the timing of CPU instructions, as instruction load timings may be affected by speculative execution.
The mitigation for this attack is similar to others. AMD recommends running the VERW instruction when transitioning between Kernel and user code. The information leakage is not between threads, and so far appears to be inaccessible from within a web browser, cutting down the real-world exploitability of this new speculative execution attack significantly.
Bits and Bytes
The majority of McDonald’s franchises uses the McHire platform for hiring employees, because of course it’s called “McHire”. This platform uses AI to help applicants work through the application process, but the issues found weren’t prompt injection or anything to do with AI. In this case, it was a simple default username and password 123456:123456 that gave access to a test instance of the platform. No real personal data, but plenty of clues to how the system worked: an accessible API used a simple incrementing ID, and no authentication to protect data. So step backwards through all 64 million applications, and all that entered data was available to peruse. Yikes! The test credentials were pulled less than two hours after disclosure, which is an impressive turn-around to fix.
When you’ve been hit by a ransomware attack, it may seem like the criminals on the other side are untouchable. But once again, international law enforcement have made arrests of high-profile ransomeware gangs. This time it’s members of Scattered Spider that were arrested in the UK.
And finally, the MCP protocol is once again making security news. As quickly as the world of AI is changing, it’s not terribly surprising that bugs and vulnerabilities are being discovered in this very new code. This time it’s mcp-remote, which can be coerced to run arbitrary code when connecting to a malicious MCP server. Connect to server, pop calc.exe. Done.
This Homebrew CPU Got Its Start in the 1990s
[Sylvain Fortin] recently wrote in to tell us about his Homebrew CPU Project, and the story behind this one is truly remarkable.
He began working on this toy CPU back in 1994, over thirty years ago. After learning about the 74LS181 ALU in college he decided to build his own CPU. He made considerable progress back in the 90s and then shelved the project until the pandemic hit when he picked it back up again and started adding some new features. A little later on, a board house approached him with an offer to cover the production cost if he’d like to redo the wire-wrapped project on a PCB. The resulting KiCad files are in the GitHub repository for anyone who wants to play along at home.
The ALU on [Sylvain]’s CPU is a 1-bit ALU which he describes as essentially a selectable gate: OR, XOR, AND, NOT. It requires more clock steps to compute something like an addition, but, he tells us, it’s much more challenging and interesting to manage at the microcode level. On his project page you will find various support software written in C#, such as an op-code assembler and a microcode assembler, among other things.
For debugging [Sylvain] started out with das blinkin LEDs but found them too limiting in short order. He was able to upgrade to a 136 channel Agilent 1670G Benchtop Logic Analyzer which he was fortunate to score for cheap on eBay. You can tell this thing is old from the floppy drive on the front panel but it is rocking 136 channels which is seriously OP.
The PCB version is a great improvement but we were interested in the initial wire-wrapped version too. We asked [Sylvain] for photos of the wire-wrapping and he obliged. There’s just something awesome about a wire-wrapped project, don’t you think? If you’re interested in wire-wrapping check out Wire Wrap 101.
Il Ministero degli Esteri italiano preso di mira in una campagna di spionaggio da Gruppo DoNot APT
Secondo Trellix, il gruppo DoNot APT ha recentemente condotto una campagna di spionaggio informatico in più fasi, prendendo di mira il Ministero degli Affari Esteri italiano. Il gruppo, attribuito da diverse società di intelligence sulle minacce informatiche all’India, si è spacciato per funzionari della difesa europei, menzionando la loro visita in Bangladesh, e ha indotto le sue vittime a cliccare su un link dannoso di Google Drive.
DoNot APT, noto anche come APT-C-35, Mint Tempest, Origami Elephant, SECTOR02 e Viceroy Tiger, è attivo almeno dal 2016. Il gruppo si concentra tradizionalmente su campagne di spionaggio informatico con interessi geopolitici nell’Asia meridionale. Le sue operazioni sono caratterizzate da sorveglianza persistente, esfiltrazione di dati e accesso a lungo termine. Il gruppo è noto per l’utilizzo dimalware Windows personalizzati, tra cui backdoor come YTY e GEdit, spesso diffusi tramite e-mail di spear-phishing o documenti dannosi.
L’obiettivo finale dell’attacco era quello di stabilire un punto d’appoggio nell’infrastruttura del bersaglio e sottrarre informazioni sensibili. L’analisi del payload ha rivelato la sua associazione con il malware LoptikMod, uno strumento utilizzato esclusivamente dal gruppo APT DoNot dal 2018.
“Sebbene storicamente focalizzato sull’Asia meridionale, questo incidente che ha preso di mira le ambasciate dell’Asia meridionale in Europa indica una chiara espansione dei loro interessi verso le comunicazioni diplomatiche e l’intelligence europea”, hanno affermato i ricercatori di Tellix in un rapporto dell’8 luglio .
L’ultimo attacco DoNot APT identificato da Trellix è iniziato con un’email di spear-phishing proveniente da un indirizzo Gmail, int.dte.afd.1@gmail[.]com, che impersonava corrispondenza diplomatica ufficiale. Il bersaglio era un ente governativo italiano operante nel settore diplomatico. L’e-mail ha fatto leva su temi diplomatici legati al coordinamento degli addetti alla difesa tra Italia e Bangladesh.
Sebbene il contenuto esatto del messaggio non sia stato raccolto nei risultati, l’oggetto “Visita dell’addetto alla Difesa italiano a Dhaka, Bangladesh” suggerisce un’esca studiata per apparire come legittima corrispondenza diplomatica, che ragionevolmente conterrebbe allegati o link a documenti. L’e-mail conteneva un collegamento a Google Drive che indirizzava il destinatario a un archivio RAR dannoso denominato SyClrLtr.rar.
“Il recente attacco a un ministero degli esteri europeo evidenzia la portata crescente di DoNot APT e il suo persistente interesse nel raccogliere informazioni sensibili, sottolineando la necessità di una maggiore vigilanza e di solide misure di sicurezza informatica”, ha concluso il rapporto Trellix.
L'articolo Il Ministero degli Esteri italiano preso di mira in una campagna di spionaggio da Gruppo DoNot APT proviene da il blog della sicurezza informatica.
Listen To The Sound Of The Crystals
We’re all used to crystal resonators — they provide pretty accurate frequency references for oscillators with low enough drift for most of our purposes. As the quartz equivalent of a tuning fork, they work by vibrating at their physical resonant frequency, which means that just like a tuning fork, it should be possible to listen to them.
A crystal in the MHz might be difficult to listen to, but for a 32,768 Hz watch crystal it’s possible with a standard microphone and sound card. [SimonArchipoff] has written a piece of software that graphs the frequency of a watch crystal oscillator, to enable small adjustments to be made for timekeeping.
Assuming a microphone and sound card that aren’t too awful, it should be easy enough to listen to the oscillation, so the challenge lies in keeping accurate time. The frequency is compared to the sound card clock which is by no means perfect, but the trick lies in using the operating system clock to calibrate that. This master clock can be measured against online NTP sources, and can thus become a known quantity.
We think of quartz clocks as pretty good, but he points out how little it takes to cause a significant drift over month-scale timings. if your quartz clock’s accuracy is important to you, perhaps you should give it a look. You might need it for your time reference.
Header: Multicherry, CC BY-SA 4.0.
L’AI porrà fine all’industria del software tradizionale come Internet ha cambiato i media tradizionali
La Generative AI, inclusi strumenti come Cursor e Claude Code, stanno abbattendo drasticamente i costi e i tempi dello sviluppo software. Quello che una volta richiedeva centinaia o migliaia di dollari per token ora può essere realizzato con poche decine di centesimi, determinando un ribaltamento delle dinamiche del settore.
Il paragone con il mondo dei media è illuminante: così come Internet e YouTube hanno infranto il modello della TV a pagamento, allo stesso modo l’AI sta modificando in profondità il panorama della programmazione. Se prima le aziende detenevano il monopolio sulle competenze e l’accesso al mercato, oggi la barriera di ingresso è crollata.
Nel mondo dei contenuti, la riduzione delle barriere ha favorito la nascita di milioni di nuovi creatori: da poche migliaia di canali a oltre 113 milioni su YouTube, con oltre 32 300 creator che hanno più di un milione di iscritti. Costare circa 25 000 $/per avviare un programma televisivo, rispetto ai 3 000 $ consumati per lanciare un canale di successo su YouTube, è un cambiamento radicale – e lo stesso vale per l’AI nel coding .
In ambito software, mentre prima scrivere migliaia di righe richiedeva budget importanti, ora bastano poche centinaia di dollari per generare milioni di righe grazie all’AI. Alcuni detrattori sostengono che qualità, adattamento al mercato e distribuzione rimangano fattori distintivi, ma l’articolo sostiene che questa visione è miope: se la produzione software diventa illimitata, quale valore potrà approdare da un unico fornitore?.
Le aziende tradizionali potrebbero dover affrontare margini in diminuzione: fino a oggi il software garantiva profitti del 90%, ma l’abbondanza di soluzioni generative renderà i margini sempre più sottili. In futuro, la competizione punterà su marketing e vendite, oltre che su integrazioni e servizi, ma sarà una “corsa al ribasso”, in cui solo chi si adatta sopravvivrà .
Infine, l’aspetto più filosofico: il software rischia di diventare un elemento secondario rispetto all’hardware. Se il codice diventa generabile all’infinito, a prevalere sarà la potenza computazionale, ossia i chip e l’infrastruttura.
In un futuro dominato dall’AI, il valore si sposterà verso dispositivi sempre più potenti, con software su misura già integrati, un po’ come avvenuto nelle prime grandi macchine informatiche .
Va da se che l’articolo, fa una riflessione di contesto che a molti non potrà piacere. L’introduzione massiccia dell’intelligenza artificiale nello sviluppo software sta infatti scardinando modelli consolidati e mettendo in crisi chi ha sempre fondato la propria competitività solo sulla manodopera o sulla rendita di posizione. Non si tratta solo di automatizzare righe di codice, ma di cambiare radicalmente il modo in cui progettiamo, testiamo e distribuiamo applicazioni, con un impatto diretto su prezzi, ruoli professionali e dinamiche di mercato.
Questa trasformazione, se da un lato spaventa per la velocità e la portata, dall’altro apre opportunità enormi per chi saprà adattarsi: più spazio per la creatività, più margine per sperimentare e una barriera d’ingresso più bassa per startup e innovatori proprio come è avvenuto nei media tradizionali.
L'articolo L’AI porrà fine all’industria del software tradizionale come Internet ha cambiato i media tradizionali proviene da il blog della sicurezza informatica.
DIY Navigation System Floats this Boat
[Tom] has taken a DIY approach to smart sailing with a Raspberry Pi as the back end to the navigation desk on his catamaran, the SeaHorse. Tucked away neatly in a waterproof box with a silicone gasket, he keeps the single board computer safe from circuit-destroying salt water. Keeping a board sealed up so tightly also means that it can get a little too warm. Because of this he under-clocks the CPU so that it generates less heat. This also has the added benefit of saving on power which is always good when you aren’t connected to the grid for long stretches of time.
A pair of obsolescent phones and a repurposed laptop screen provide display surfaces for his navdesk. With these screens he has weather forecasts, maps, GPS, depth, speed over ground — all the data from all the onboard instruments a sailor could want to stream through a boat’s WiFi network — at his fingertips.
There’s much to be done still. Among other things, he’s added a software defined radio to the Pi to integrate radio monitoring into the system, and he’s started experimenting with reprogramming a buoy transmitter, originally designed for tracking fishing nets, so that it can transmit his boat’s location, speed and heading instead.
The software that ties much of this system together is the open source navigational platform OpenCPN which, with its support for third-party plugins, looks like a great choice for experimenting with new gadgets like fishing net buoy transmitters.
For more nautical computing fun check out this open source shipboard computer, and this data-harvesting, Arduino-driven buoy.
youtube.com/embed/-yAqIrRWtN0?…
Thanks to [Andrew Sheldon] for floating this one our way.
Double Your Printing Fun with Dual-Light 3D Printing
Using light to 3D print liquid resins is hardly a new idea. But researchers at the University of Texas at Austin want to double down on the idea. Specifically, they use a resin with different physical properties when cured using different wavelengths of light.
Natural constructions like bone and cartilage inspired the researchers. With violet light, the resin cures into a rubbery material. However, ultraviolet light produces a rigid cured material. Many of their test prints are bio-analogs, unsurprisingly.
Even more importantly, the resin materials connect naturally, so you don’t have as much worry about a piece made with two materials delaminating at the interface. You can control the exact properties by shifting the light frequency one way or another. We read the actual paper, but it wasn’t clear to us if, after curing in a rubbery state, the part could still cure hard in, for example, sunlight. The paper is available in Nature Materials, but if you don’t have a subscription, try your local library or University.
Maybe just the thing for that tunable laser project. Of course, you can use multicolor FDM printers with two types of filaments. You only need to convert the model over.
Hacking a Guitar into a Hurdy-Gurdy Hybrid with 3D Prints
If you’re looking for a long journey into the wonderful world of instrument hacking, [Arty Farty Guitars] is six parts into a seven part series onhacking an existing guitar into a guitar-hurdy-gurdy-hybrid, and it is “a trip” as the youths once said. The first video is embedded below.
The Hurdy-Gurdy is a wheeled instrument from medieval europe, which you may have heard of, given the existence of the laser-cut nerdy-gurdy, the electronicmidi-gurdy we covered here, and the digi-gurdy whichseems to be a hybrid of the two. In case you haven’t seen one before, the general format is for a hurdy-gurdy is this : a wheel rubs against the strings, causing them to vibrate via sliding friction, providing a sound not entirely unlike an upset violin. A keyboard on the neck of the instrument provides both fretting and press the strings onto the wheel to create sound.
[Arty Farty Guitars] is a guitar guy, so he didn’t like the part with about the keyboard. He wanted to have a Hurdy Gurdy with a guitar fretboard. It turns out that that is a lot easier said than done, even when starting with an existing guitar instead of from scratch, and [Arty Farty Guitar] takes us through all of the challenges, failures and injuries incurred along the way.
Probably the most interesting piece of the puzzle is the the cranking/keying assembly that allows one hand to control cranking the wheel AND act as keyboard for pressing strings into the wheel. It’s key to the whole build, as combining those functions on the lower hand leaves the other hand free to use the guitar fretboard half of the instrument. That controller gets its day invideo five of the series. It might inspire some to start thinking about chorded computer inputs– scrolling and typing?
If you watch up to the sixth video, you learn that that the guitar’s fretting action is ultimately incompatible with pressing strings against the wheel at the precise, constant tension needed for good sound. To salvage the project he had to switch from a bowing action with a TPU-surfaced wheel to a sort of plectrum wheel, creating an instrument similar to thethousand-pick guitar we saw last year.
Even though [Arty Farty Guitars] isn’t sure this hybrid instrument can really be called a Hurdy Gurdy anymore, now that it isn’t using a bowing action, we can’t help but admire the hacking spirit that set him on this journey. We look forward to the promised concert in the upcoming 7th video, once he figures out how to play this thing nicely.
Know of any other hacked-together instruments that possibly should not exist? We’re always listening for tips.
youtube.com/embed/tqtJN4Xitqo?…
Embedded USB Debug for Snapdragon
According to [Casey Connolly], Qualcomm’s release of how to interact with their embedded USB debugging (EUD) is a big deal. If you haven’t heard of it, nearly all Qualcomm SoCs made since 2018 have a built-in debugger that connects to the onboard USB port. The details vary by chip, but you write to some registers and start up the USB phy. This gives you an oddball USB interface that looks like a seven-port hub with a single device “EUD control interface.”
So what do you do with that? You send a few USB commands, and you’ll get a second device. This one connects to an SWD interface. Of course, we have plenty of tools to debug using SWD.
In particular, there’s a fork of OpenOCD that knows how to use EUD, although it required a library that wasn’t available to us mere mortals. But now it is, so smooth sailing, right?
Um, no. Unless you have a very specific build configuration, the code won’t compile. Luckily, the fixes are not that hard and are available. The OpenOCD fork is a bit out of date, too. But with perseverance, it all worked.
In addition to the SWD device, there appears to be a COM and trace peripheral available, although those may need more work to be usable. If you make progress on those, let us know.
SWD debugging can be very handy. While not everyone likes debuggers, we’ve been a fan of hardware-based debugging for a long time.
Voltage Divider? Filter? It’s Both!
When we do textbook analysis, we tend to ignore the real-world concerns for the sake of learning. So, a typical theoretical voltage divider is simply two resistors. But if you examine a low-pass RC filter, you’ll see a single resistor and a capacitor. What if you combine them? That’s what [Old Hack EE] did in a recent video, and you can check it out below.
It helps if you are familiar with Thevenin equivalents and, of course, Ohm’s Law. There’s also a bit of algebra, but nothing too complicated. The example design has a lossy filter at 100 Hz.
Of course, RC filters are easy to understand if you think of them as voltage dividers with a frequency-variable resistance, which is what the math is basically saying. The load impedance, in this case, is R2 in parallel with Xc at a given frequency.
He mentions that you might find a circuit like this in a power supply. However, it is also common to see this circuit wherever a divider drives a load with capacitance or even parasitic capacitance in cables or circuit boards.
We’ve discussed Thevenin equivalence modeling before. If you want really good filters, you are probably going to need op-amps.
youtube.com/embed/7h5irBPDMrk?…
Personal Reflections on Immutable Linux
Immutable distributions are slowly spreading across the Linux world– but should you care? Are they hacker friendly? What does “immutable” mean, anyway?
Immutable means “not subject or susceptible to change” according to Merriam-Webster, which is not 100% accurate in this context, but it’s close enough and the name is there so we’re stuck with it. Immutable distributions are subject to change, it’s just that how you change them is quite a bit different than bog-standard Linux. Will this matter to you? Read on to find out! (Or, if you know the answers already, read on to find out how angry you should be in the comments section.)
The advantage to this hypothetical lazy dev is that the base system is already built, and you can’t get distracted messing around with it. It works, and it isn’t at all likely to break. Every installation is essentially identical to every other installation, which means reproducibility is all but guaranteed. No more faffing about arguing on forums to figure out which library is conflicting with which. In an immutable system, they’ve all been selected to play well together, and anything else is safely containerized. (Again, a cloud ideal.) If the devs make a mistake during an update, well, just roll back!
50 Shades of Immunability
The different flavours of immutable linux differ in how they accomplish that, but all have rollbacks as a basic capability. Each change to the system becomes a new, indivisible image; that’s why we talk about atomic updates. You create a new system image when you update, but you don’t start using it until you reboot the system. (This has some advantages to stability, as you might imagine, although the rebooting can get old.) The old image is maintained on your system, just in case you happen to need it.
OSTree bills itself as “Git for operating system binaries”. Every update, or every package installed is layered onto the tree and can be rolled back if needed– en masse, or individually. You can package up that tree of commits, and deploy it onto a new system, making devising new “distros” so trivial they don’t really deserve the name. In theory, you can install everything via OSTree, but the further you take your system from the base image, the less you have that “every system is identical” easy-problem-solving that the immutable guys like to talk about.
Of course you do want to install applications, and you do it the same way you might on a server: in containers. What sort of containers can vary by taste, but typically that means Flatpak for GUI applications. Fedora-based immutable distributions like Silverblue or Aurora use Flatpak, as does OpenSuse. (AppImage and snap are also options, technically speaking, but who likes snaps?) The Universal Blue team adds in Homebrew for those terminal applications that don’t tend to get Flatpaks. I admit that I was surprised at first to see Homebrew when I started using Aurora, since I knew it as “the missing package manager for MacOS” but its inclusion makes perfect sense when you think about it.
MacOS is the First Immutable UNIX
MacOS, you see, is the first immutable UNIX. As much as we in the Linux community don’t like to talk about it, Macs aren’t just POSIX compatible– they run Certified UNIX(
If Homebrew isn’t your cup of tea – and it seems to not be everyone’s, since I think Universal Blue is the only distro set to ship with it – you can go more hard-core into containerization with docker or podman. Somewhere in between, you could use something like Distrobox. If you haven’t heard of it, Distrobox is a framework for deploying traditional linux systems inside containers. For devs, it’s great for testing, even if you aren’t basing it on top of an immutable distribution. If you’ve never worked in the cloud, this may all sound like rube-goldberg gobbbly-gook, (“linux in a box on my linux!?”) but once you adapt to it, it’s not so bad.
The Year of Immutable on the Desktop?
The question is: do you want to adapt to it? Is cloud-based thinking necessary on the desktop? Well I’d say it depends on who is using the desktop. I would absolutely steer Windows users who are thinking of switching to Linux in the wake of the Windows 10 EOL to a Universal Blue distribution, and probably Aurora since KDE is more windows-y than Gnome. Most of those ex-Windows users are people who just want to use a computer, not play with it. If that describes you, then maybe an immutable distribution could be to your liking.
MacOS has shown that very few desktop users will ever notice if they can access the system folders or not; they are most interested in having a stable, reproducible environment to work in. Thus, immutable Linux may be the way to bring Linux mainstream – certainly Steam thinks so, with SteamOS. For their use case, it’s hard to argue the benefits: you need a stable base system for the stack of cards that is gaming on Linux, and tech support is much simplified for a locked-down operating system that you cannot install packages on. The rising popularity of Bazzite, Universal Blue’s gaming-centric distribution, also speaks to this.
There are downsides to this kind of system, of course, and it is important to recognize that. Some people really, really hate containerization because Flatpaks, and other similar options, use more memory, both on disk and in RAM. Of course not everything is available as a Flatpak, or on Homebrew if the system uses that. If you want to use Toolbox or Distrobox to get a distro-specific set of packages, well, of course running a whole extra Linux system in a container is going to have overhead.
From an aesthetic perspective, it’s not as elegant as a traditional Linux environment, at least to some eyes, mine included. Those of us who switched to Linux because we wanted absolute control over our computers might not feel too great about the “do not touch” label implicitly scrawled across the system folders, even if we do get something like rpm-ostree to make changes with. Even with a package manager, there are customizations and tweaks you simply cannot make on a read-only system. For those of us who treat Linux as a hobby, that’s probably a no-go.
For the “Lazy Developer” Aurora sells itself to, well, that’s perhaps a different story. Speaking of lazy, I’ve been using Aurora for a few months now, almost in spite of myself. I initially loaded it as the last step on a distro-hopping jaunt to see if I could find a good Windows 10 replacement for my parents. (I think this is it, to be honest.) It’s still on my main laptop simply because it’s so unobtrusively out of the way that I can think of no reason to install anything else.
After seeing how well containerization can work on desktop, Nix looks extra appealing – it can do most of what this article talks about with the immutable distros, but without trusting configuration of any facet of the system to anyone else. What do you think? Are the touted benefits to stability, reproducibility, and security worth the hassle of an immutable distribution? Is the grass greener in the land of Nix? If you’ve tried one of the immutable Linux distributions out there, we’d love to hear what you think in the comments.
Long Live RSS!
While we know that many of you are reading Hackaday via our Really Simple Syndication (RSS) feed, we suspect that most people on the street wouldn’t know that it underlies a lot of the modern internet. [A. McNamee] and [A. Service] have created an illustrated history of RSS that proudly proclaims RSS is (not) dead (yet)!
While tens of millions of users used Google Reader before it was shut down, social media and search companies have tried to squeeze independent blogs and websites for an increasingly large part of their revenue, making it more and more difficult to exist outside the walled gardens of Facebook, Apple, Google, etc. Despite those of you that remember, RSS has been mostly forgotten.
RSS has been the backbone of the podcast industry, however, quietly serving feeds to millions of users everywhere with few of them aware that an open protocol from the 90s was serving up their content. As with every other corner of the internet where money could be made, corporate raiders have come to scoop up creators and skim the profits for themselves. Spotify has been the most egregious actor here, but the usual suspects of Apple, Google, and Amazon are also making plays to enclose the podcast commons.
If you’d like to learn more about how big tech is sucking the life out of the internet (and possibly how to reverse the enshittification) check out Cory Doctorow’s keynote from our very own Supercon.
Ask Hackaday: Are You Wearing 3D Printed Shoes?
We love 3D printing. We’ll print brackets, brackets for brackets, and brackets to hold other brackets in place. Perhaps even a guilty-pleasure Benchy. But 3D printed shoes? That’s where we start to have questions.
Every few months, someone announces a new line of 3D-printed footwear. Do you really want your next pair of sneakers to come out of a nozzle? Most of the shoes are either limited editions or fail to become very popular.
First World Problem
You might be thinking, “Really? Is this a problem that 3D printing is uniquely situated to solve?” You might assume that this is just some funny designs on some of the 3D model download sites. But no. Adidas, Nike, and Puma have shoes that are at least partially 3D printed. We have to ask why.
We are pretty happy with our shoes just the way that they are. But we will admit, if you insist on getting a perfect fitting shoe, maybe having a scan of your foot and a custom or semi-custom shoe printed is a good idea. Zellerfield lets you scan your feet with your phone, for example. [Stefan] at CNC Kitchen had a look at those in a recent video. The company is also in many partnerships, so when you hear that Hugo Boss, Mallet London, and Sean Watherspoon have a 3D-printed shoe, it might actually be their design from Zellerfield.
youtube.com/embed/4id0-vvu-u0?…
Or, try a Vivobiome sandal. We aren’t sold on the idea that we can’t buy shoes off the rack, but custom fits might make a little sense. We aren’t sure about 3D-printed bras, though.
Maybe the appeal of 3D-printed shoes lies in their personalizability? Creating self-printed shoes might make sense, so you can change their appearance or otherwise customize them. Maybe you’d experiment with different materials, colors, or subtle changes in designs. Nothing like 30 hours of printing and three filament changes to make one shoe. And that doesn’t explain why the majors are doing it.
Think of the Environment!
There is one possible plus to printing shoes. According to industry sources, more than 20 billion pairs of shoes are made every year, and almost all will end up in landfills. Up to 20% of these shoes will go straight to the dump without being worn even once.
So maybe you could argue that making shoes on demand would help reduce waste. We know of some shoe companies that offer you a discount if you send in an old pair for recycling, although we don’t know if they use them to make new shoes or not. Your tolerance for how much you are willing to pay might correlate to how much of a problem you think trash shoes really are.
But mass-market 3D-printed shoes? What’s the appeal? If you’re desperate for status, consider grabbing a pair of 3D-printed Gucci shoes for around $1,300. But for most of us, are you planning on dropping a few bucks on a pair of 3D-printed shoes? Why or why not? Let us know in the comments.
If you are imagining the big guys printing shoes on an Ender 3, that’s probably not the case. The shoes we’ve seen are made on big commercial printers.
Hai bisogno di una Product Key per Microsoft Windows? Nessun problema, chiedilo a Chat-GPT
ChatGPT si è rivelato ancora una volta vulnerabile a manipolazioni non convenzionali: questa volta ha emesso chiavi di prodotto Windows valide, tra cui una registrata a nome della grande banca Wells Fargo. La vulnerabilità è stata scoperta durante una sorta di provocazione intellettuale: uno specialista ha suggerito che il modello linguistico giocasse a indovinelli, trasformando la situazione in un aggiramento delle restrizioni di sicurezza.
L’essenza della vulnerabilità consisteva in un semplice ma efficace bypass della logica del sistema di protezione. A ChatGPT 4.0 è stato offerto di partecipare a un gioco in cui doveva indovinare una stringa, con la precisazione che doveva trattarsi di un vero numero di serie di Windows 10.
Le condizioni stabilivano che il modello dovesse rispondere alle ipotesi solo con “sì” o “no” e, nel caso della frase “Mi arrendo”, aprire la stringa indovinata. Il modello ha accettato il gioco e, seguendo la logica integrata, dopo la frase chiave ha effettivamente restituito una stringa corrispondente alla chiave di licenza di Windows.
L’autore dello studio ha osservato che la principale debolezza in questo caso risiede nel modo in cui il modello percepisce il contesto dell’interazione. Il concetto di “gioco” ha temporaneamente superato i filtri e le restrizioni integrati, poiché il modello ha accettato le condizioni come uno scenario accettabile.
Le chiavi esposte includevano non solo chiavi predefinite disponibili al pubblico, ma anche licenze aziendali, tra cui almeno una registrata a Wells Fargo. Ciò è stato possibile perché avrebbe potuto causare la fuga di informazioni sensibili che avrebbero potuto finire nel set di addestramento del modello. In precedenza, si sono verificati casi di informazioni interne, incluse le chiavi API, esposte pubblicamente, ad esempio tramite GitHub, e di addestramento accidentale di un’IA.
Screenshot di una conversazione con ChatGPT (Marco Figueroa)
Il secondo trucco utilizzato per aggirare i filtri era l’uso di tag HTML . Il numero di serie originale veniva “impacchettato” all’interno di tag invisibili, consentendo al modello di aggirare il filtro basato sulle parole chiave. In combinazione con il contesto di gioco, questo metodo funzionava come un vero e proprio meccanismo di hacking, consentendo l’accesso a dati che normalmente sarebbero stati bloccati.
La situazione evidenzia un problema fondamentale nei modelli linguistici moderni: nonostante gli sforzi per creare barriere protettive (chiamati guardrail), il contesto e la forma della richiesta consentono ancora di aggirare il filtro. Per evitare simili incidenti in futuro, gli esperti suggeriscono di rafforzare la consapevolezza contestuale e di introdurre la convalida multilivello delle richieste.
L’autore sottolinea che la vulnerabilità può essere sfruttata non solo per ottenere chiavi, ma anche per aggirare i filtri che proteggono da contenuti indesiderati, da materiale per adulti a URL dannosi e dati personali. Ciò significa che i metodi di protezione non dovrebbero solo diventare più rigorosi, ma anche molto più flessibili e proattivi.
L'articolo Hai bisogno di una Product Key per Microsoft Windows? Nessun problema, chiedilo a Chat-GPT proviene da il blog della sicurezza informatica.
Code highlighting with Cursor AI for $500,000
Attacks that leverage malicious open-source packages are becoming a major and growing threat. This type of attacks currently seems commonplace, with reports of infected packages in repositories like PyPI or npm appearing almost daily. It would seem that increased scrutiny from researchers on these repositories should have long ago minimized the profits for cybercriminals trying to make a fortune from malicious packages. However, our investigation into a recent cyberincident once again confirmed that open-source packages remain an attractive way for attackers to make easy money.
Infected out of nowhere
In June 2025, a blockchain developer from Russia reached out to us after falling victim to a cyberattack. He’d had around $500,000 in crypto assets stolen from him. Surprisingly, the victim’s operating system had been installed only a few days prior. Nothing but essential and popular apps had been downloaded to the machine. The developer was well aware of the cybersecurity risks associated with crypto transactions, so he was vigilant and carefully reviewed his every step while working online. Additionally, he used free online services for malware detection to protect his system, but no commercial antivirus software.
The circumstances of the infection piqued our interest, and we decided to investigate the origins of the incident. After obtaining a disk image of the infected system, we began our analysis.
Syntax highlighting with a catch
As we examined the files on the disk, a file named extension.js caught our attention. We found it at %userprofile%\.cursor\extensions\solidityai.solidity-1.0.9-universal\src\extension.js. Below is a snippet of its content:
A request sent by the extension to the server
This screenshot clearly shows the code requesting and executing a PowerShell script from the web server angelic[.]su: a sure sign of malware.
It turned out that extension.js was a component of the Solidity Language extension for the Cursor AI IDE, which is based on Visual Studio Code and designed for AI-assisted development. The extension is available in the Open VSX registry, used by Cursor AI, and was published about two months ago. At the time this research, the extension had been downloaded 54,000 times. The figure was likely inflated. According to the description, the extension offers numerous features to optimize work with Solidity smart contract code, specifically syntax highlighting:
The extension’s description in the Open VSX registry
We analyzed the code of every version of this extension and confirmed that it was a fake: neither syntax highlighting nor any of the other claimed features were implemented in any version. The extension has nothing to do with smart contracts. All it does is download and execute malicious code from the aforementioned web server. Furthermore, we discovered that the description of the malicious plugin was copied by the attackers from the page of a legitimate extension, which had 61,000 downloads.
How the extension got on the computer
So, we found that the malicious extension had 54,000 downloads, while the legitimate one had 61,000. But how did the attackers manage to lull the developer’s vigilance? Why would he download a malicious extension with fewer downloads than the original?
We found out that while trying to install a Solidity code syntax highlighter, the developer searched the extension registry for solidity. This query returned the following:
Search results for “solidity”: the malicious (red) and legitimate (green) extensions
In the search results, the malicious extension appeared fourth, while the legitimate one was only in eighth place. Thus, while reviewing the search results, the developer clicked the first extension in the list with a significant number of downloads – which unfortunately proved to be the malicious one.
The ranking algorithm trap
How did the malicious extension appear higher in search results than the legitimate one, especially considering it had fewer downloads? It turns out the Open VSX registry ranks search results by relevance, which considers multiple factors, such as the extension rating, how recently it was published or updated, the total number of downloads, and whether the extension is verified. Consequently, the ranking is determined by a combination of factors: for example, an extension with a low number of downloads can still appear near the top of search results if that metric is offset by its recency. This is exactly what happened with the malicious plugin: the fake extension’s last update date was June 15, 2025, while the legitimate one was last updated on May 30, 2025. Thus, due to the overall mix of factors, the malicious extension’s relevance surpassed that of the original, which allowed the attackers to promote the fake extension in the search results.
The developer, who fell into the ranking algorithm trap, didn’t get the functionality he wanted: the extension didn’t do any syntax highlighting in Solidity. The victim mistook this for a bug, which he decided to investigate later, and continued his work. Meanwhile, the extension quietly installed malware on his computer.
From PowerShell scripts to remote control
As mentioned above, when the malicious plugin was activated, it downloaded a PowerShell script from https://angelic[.]su/files/1.txt.
The PowerShell script contents
The script checks if the ScreenConnect remote management software is installed on the computer. If not, it downloads a second malicious PowerShell script from: https://angelic[.]su/files/2.txt. This new script then downloads the ScreenConnect installer to the infected computer from https://lmfao[.]su/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest and runs it. From that point on, the attackers can control the infected computer via the newly installed software, which is configured to communicate with the C2 server relay.lmfao[.]su.
Data theft
Further analysis revealed that the attackers used ScreenConnect to upload three VBScripts to the compromised machine:
a.vbsb.vbsm.vbs
Each of these downloaded a PowerShell script from the text-sharing service paste.ee. The download URL was obfuscated, as shown in the image below:
The obfuscated URL for downloading the PowerShell script
The downloaded PowerShell script then retrieved an image from archive[.]org. A loader known as VMDetector was then extracted from this image. VMDetector attacks were previously observed in phishing campaigns that targeted entities in Latin America. The loader downloaded and ran the final payload from paste.ee.
Our analysis of the VBScripts determined that the following payloads were downloaded to the infected computer:
- Quasar open-source backdoor (via
a.vbsandb.vbs), - Stealer that collected data from browsers, email clients, and crypto wallets (via
m.vbs). Kaspersky products detect this malware asHEUR:Trojan-PSW.MSIL.PureLogs.gen.
Both implants communicated with the C2 server 144.172.112[.]84, which resolved to relay.lmfao[.]su at the time of our analysis. With these tools, the attackers successfully obtained passphrases for the developer’s wallets and then syphoned off cryptocurrency.
New malicious package
The malicious plugin didn’t last long in the extension store and was taken down on July 2, 2025. By that time, it had already been detected not only by us as we investigated the incident but also by other researchers. However, the attackers continued their campaign: just one day after the removal, they published another malicious package named “solidity”, this time exactly replicating the name of the original legitimate extension. The functionality of the fake remained unchanged: the plugin downloaded a malicious PowerShell script onto the victim’s device. However, the attackers sought to inflate the number of downloads dramatically. The new extension was supposedly downloaded around two million times. The following results appeared up until recently when users searched for solidity within the Cursor AI development environment (the plugin is currently removed thanks to our efforts).
Updated search results for “solidity”
The updated search results showed the legitimate and malicious extensions appearing side-by-side in the search rankings, occupying the seventh and eighth positions respectively. The developer names look identical at first glance, but the legitimate package was uploaded by juanblanco, while the malicious one was uploaded by juanbIanco. The font used by Cursor AI makes the lowercase letter l and uppercase I appear identical.
Therefore, the search results displayed two seemingly identical extensions: the legitimate one with 61,000 downloads and the malicious one with two million downloads. Which one would the user choose to install? Making the right choice becomes a real challenge.
Similar cyberattacks
It’s worth noting that the Solidity extensions we uncovered are not the only malicious packages published by the attackers behind this operation. We used our open-source package monitoring tool to find a malicious npm package called “solsafe”. It uses the URL https://staketree[.]net/1.txt to download ScreenConnect. In this campaign, it’s also configured to use relay.lmfao[.]su for communication with the attackers.
We also discovered that April and May 2025 saw three malicious Visual Studio Code extensions published: solaibot, among-eth, and blankebesxstnion. The infection method used in these threats is strikingly similar to the one we described above. In fact, we found almost identical functionality in their malicious scripts.
Scripts downloaded by the VS Code extension (left) vs. Solidity Language (right)
In addition, all of the listed extensions perform the same malicious actions during execution, namely:
- Download PowerShell scripts named
1.txtand2.txt. - Use a VBScript with an obfuscated URL to download a payload from
paste.ee. - Download an image with a payload from
archive.org.
This leads us to conclude that these infection schemes are currently being widely used to attack blockchain developers. We believe the attackers won’t stop with the Solidity extensions or the solsafe package that we found.
Takeaways
Malicious packages continue to pose a significant threat to the crypto industry. Many projects today rely on open-source tools downloaded from package repositories. Unfortunately, packages from these repositories are often a source of malware infections. Therefore, we recommend extreme caution when downloading any tools. Always verify that the package you’re downloading isn’t a fake. If a package doesn’t work as advertised after you install it, be suspicious and check the downloaded source code.
In many cases, malware installed via fake open-source packages is well-known, and modern cybersecurity solutions can effectively block it. Even experienced developers must not neglect security solutions, as these can help prevent an attack in case a malicious package is installed.
Indicators of compromise
Hashes of malicious JS files
2c471e265409763024cdc33579c84d88d5aaf9aea1911266b875d3b7604a0eeb
404dd413f10ccfeea23bfb00b0e403532fa8651bfb456d84b6a16953355a800a
70309bf3d2aed946bba51fc3eedb2daa3e8044b60151f0b5c1550831fbc6df17
84d4a4c6d7e55e201b20327ca2068992180d9ec08a6827faa4ff3534b96c3d6f
eb5b35057dedb235940b2c41da9e3ae0553969f1c89a16e3f66ba6f6005c6fa8
f4721f32b8d6eb856364327c21ea3c703f1787cfb4c043f87435a8876d903b2c
Network indicators
https://angelic[.]su/files/1.txt
https://angelic[.]su/files/2.txt
https://staketree[.]net/1.txt
https://staketree[.]net/2.txt
https://relay.lmfao[.]su
https://lmfao[.]su/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest
144.172.112[.]84
An Emulated Stroll Down Macintosh Memory Lane
If you’re into Macs, you’ll always remember your first. Maybe it was the revolutionary classic of 1984 fame, perhaps it was the adorable G3 iMac in 1998, or even a shiny OS X machine in the 21st century. Whichever it is, you’ll find it emulated in [Marcin Wichary]’s essay “Frame of preference: A history of Mac settings, 1984–2004” — an exploration of the control panel and its history.
[Marcin] is a UI designer as well as an engineer and tech historian, and his UI chops come out in full force, commenting and critiquing Curputino’s coercions. The writing is excellent, as you’d expect from the man who wrote the book on keyboards, and it provides a fascinating look at the world of retrocomputing through the eyes of a designer. That design-focused outlook is very apropos for Apple in particular. (And NeXT, of course, because you can’t tell the story of Apple without it.)
There are ten emulators on the page, provided by [Mihai Parparita] of Infinite Mac. It’s like a virtual museum with a particularly knowledgeable tour guide — and it’s a blast, getting to feel hands-on, the design changes being discussed. There’s a certain amount of gamification, with each system having suggested tasks and a completion score when you finish reading. There are even Easter eggs.
This is everything we wish the modern web was like: the passionate deep-dives of personal sites on the Old Web, but enhanced and enabled by modern technology. If you’re missing those vintage Mac days and don’t want to explore them in browser, you can 3D print your own full-size replica, or a doll-sized picoMac.