
3DBenchy Starts Enforcing its No Derivatives License



Nobody likes reading the fine print, least of all when you’re just downloading some 3D model. While printing a copy for personal use this is rarely an issue, things can get a lot more complicated when you make and distribute a derived version of a particular model.

Case in point: the ever popular 3DBenchy model, which was intended to serve as a diagnostic aid by designer [Creative Tools]. Although folks have been spinning up their own versions of this benchmark print for years, such derivative works were technically forbidden by the original model’s license — a fact that the company is now starting to take seriously, with derivative models reportedly getting pulled from Printables.

The license for the 3DBenchy model is (and always has been) the Creative Commons BY-ND 4.0, which requires attribution and forbids distributing derivative works. This means that, legally, any derived version of this popular model being distributed on Thingiverse, Printables, etc. is an infringement, as already noted seven years ago by an observant user on Reddit. According to the message received by a Printables user, all derived 3DBenchy models will be removed from the site now that the license is (belatedly) being enforced.

Although it’s going to be a bit of an adjustment with this license enforcement, ultimately the idea of Creative Commons licenses was that they set clear rules for usage, which become meaningless if not observed.

Thanks to [JohnU] for the tip.


hackaday.com/2025/01/09/3dbenc…


NVIDIA Crushes Quantum Computing Dreams: Still 20 or 30 Years to Wait!


Shares of quantum computing companies such as Rigetti Computing, IonQ and D-Wave took a heavy hit after statements by Nvidia CEO Jensen Huang during an industry event. Huang said that practical quantum computers could be 15 to 30 years away, a forecast that contrasts with the optimism prevailing among many startups and investors. The statement triggered a wave of selling that sent the shares of the sector’s leading companies tumbling.

Rigetti Computing and D-Wave fell sharply following Huang’s remarks. This reaction reflects the market’s sensitivity to long-term prospects and to the uncertainty surrounding technological progress. The valuations of quantum companies, many of which went public through SPAC mergers, were already under pressure because of the difficulty of demonstrating practical applications and profitability in the short term.

Huang, regarded as an authority in advanced technology, cast doubt on whether quantum computers can reach widespread usefulness in the near future.

“If you said 15 years for very useful quantum computers, you’d probably be a bit early,” he said during Nvidia’s session with analysts. “If you said 30, you’d probably be a bit late. But if you picked 20, I think quite a few of us would believe it.” He stressed that, although progress in the field is impressive, significant obstacles remain, including problems with error correction and scalability.

Quantum computing has the potential to revolutionise sectors such as chemistry, finance and artificial intelligence, thanks to its ability to process information immensely faster than traditional computers. However, the technology is still in its infancy and requires enormous investment in research and development. Despite the challenges, many companies in the sector continue to argue that progress is sufficient to justify investors’ enthusiasm.

Analysts believe Huang’s words are a dose of realism for a market that often overestimates how imminent technological revolutions are. While some companies are showing promising progress, such as the development of quantum algorithms for specific problems, the road to widespread adoption remains long and uncertain. Huang’s statements could push investors to revise their expectations and focus on technology sectors with more immediate returns.

In this context, Nvidia itself is investing in technologies that support quantum computing, such as quantum simulations on supercomputers. This suggests that, despite his cautious forecasts, Huang recognises the long-term potential of the technology.

For now, however, the market seems to have accepted that the promise of quantum computing may take decades to be fully realised.

The article “NVIDIA Crushes Quantum Computing Dreams: Still 20 or 30 Years to Wait!” comes from il blog della sicurezza informatica.


All-Band Receiver Lets You Listen to All the Radio at Once



There are many ways to build a radio receiver, but most have a few things in common, such as oscillators, tuned circuits, detectors, mixers, and amplifiers. Put those together in the right order and you’ve got a receiver ready to tune in whatever you want to listen to. But if you don’t really care about tuning and want to hear everything all at once, that greatly simplifies the job and leaves you with something like this homebrew all-band receiver.

Granted, dispensing with everything but a detector and an audio amplifier will seriously limit any receiver’s capabilities. But that wasn’t really a design concern for [Ido Roseman], who was in search of a simple and unobtrusive way to monitor air traffic control conversations while flying. True, there are commercially available radios that tune the aviation bands, and there are plenty of software-defined radio (SDR) options, but air travel authorities and fellow travelers alike may take a dim view of an antenna sticking out of a pocket.

So [Ido] did a little digging and found a dead-simple circuit that can receive signals from the medium-wave bands up into the VHF range without regard for modulation. The basic circuit is a Schottky diode detector between an antenna and a high-gain audio amplifier driving high-impedance headphones; [Ido] built a variation that also has an LM386 amplifier stage to allow the use of regular earbuds, which along with a simple 3D-printed case aids in the receiver’s stealth.

With only a short piece of wire as an antenna, reception is limited to nearby powerful transmitters, but that makes it suitable for getting at least the pilot side of ATC conversations. It works surprisingly well — [Ido] included a few clips that are perfectly understandable, even if the receiver also captured things like cell phones chirping and what sounds like random sferics. It seems like a fun circuit to play with, although with our luck we’d probably not try to take it on a plane.


hackaday.com/2025/01/09/all-ba…


Which Italian Energy-Sector Company Is in the Crosshairs of Initial Access Brokers (IaB)?


A new cybercrime case has caught the attention of cybersecurity experts. On a well-known underground forum, a Russian-speaking threat actor using the handle “espe0n” put up for sale advanced access to an unnamed Italian company operating in the electricity, oil and gas sector.

The post includes technical details about the access and a description that makes the seller’s aim clear: to offer an “entry point” to cybercriminals interested in compromising the company for malicious purposes such as ransomware or theft of sensitive data.

Who are the Initial Access Brokers?


Initial Access Brokers (IABs) are cybercrime actors who specialise in the initial compromise of IT infrastructure. Their goal is to obtain privileged access to an organisation’s systems, often with administrative rights (Domain Admin). Once obtained, they sell that access to third parties, such as ransomware gangs, who use it to launch devastating attacks.

This business model is a key component of the cybercrime ecosystem. IABs use methods such as phishing, unpatched software vulnerabilities or stolen credentials to obtain access, which they then sell on forums or dedicated channels on the dark web and in the criminal underground. Ransomware gangs in particular are among the main buyers, turning initial access into full network breaches.

Details of the case


In the published post, “espe0n” provided detailed technical information:

  • Access offered: C2-type access with Domain Admin privileges.
  • Antivirus present: Kaspersky EDR (Endpoint Detection and Response).
  • Company sector: Energy, oil and gas.
  • Company revenue: Over 50 million dollars.
  • Contact method: Via ToxID, a method typically used to keep communications anonymous.

The description also mentions the option of using an “automatic guarantor” (escrow) for the transaction, a feature common on underground forums to protect sellers and buyers and ensure the deal goes through.

The user has a moderate reputation on the Russian underground forum.

Why is such access in demand?


The initial access offered by IABs is extremely valuable to cybercriminals. With this access, it is possible to:

  1. Deploy ransomware: Gangs can encrypt the company’s data and demand a multi-million ransom.
  2. Steal information: Sensitive data can be sold or used for further attacks.
  3. Disrupt business operations: In the energy sector, for example, an outage can have devastating economic and social consequences.

The role of Initial Access Brokers is increasingly central to the cybercrime landscape. According to recent studies, the price of access varies with the type of company and the privileges offered, with figures that can reach tens of thousands of dollars. This collaboration between brokers and ransomware gangs demonstrates the growing sophistication of attacks and the need for adequate preventive measures.

Conclusions


This episode is a clear example of how cybercrime is evolving towards increasingly structured and professional models. Companies, especially those in critical sectors such as energy and gas, must adopt proactive defence strategies to identify and mitigate similar threats.
Monitoring underground forums and the communication channels used by cybercriminals is essential to detect signs of illicit activity and act promptly.

The world of cybersecurity is a constantly evolving battlefield, and only a combination of advanced technology, awareness and operational readiness can guarantee effective protection against such insidious threats.

The article “Which Italian Energy-Sector Company Is in the Crosshairs of Initial Access Brokers (IaB)?” comes from il blog della sicurezza informatica.


Retro Big Iron for You



Many of us used “big iron” back in the day. Computers like the IBM S/360 or 3090 are hard to find, transport, and operate, so you don’t see many retrocomputer enthusiasts with an S/370 in their garages. We’ve known for a while that the Hercules emulators would let you run virtual copies of these old mainframes, but every time we’ve looked at setting any up, it winds up being more work than we wanted to spend. Enter [Ernie] of [ErnieTech’s Little Mainframes]. He’s started a channel to show you how to “build” your own mainframe — emulated, of course.

One problem with the mainframe environment is that there are a bunch of operating system-like things like MVS, VM/CMS, and TSO. There were even custom systems like MUSIC/SP, which he shows in the video below.

On top of that, you have to learn a lot of new software. Scripting? Rexx. Editing? Several choices, but none you are likely to know about if you haven’t used a mainframe before. Programming languages? You can find C sometimes, but it might not be a modern dialect. You might have more luck with FORTRAN or COBOL.

In addition, IBM has specific terms for things we don’t use in the rest of the world. Boot? IPL (initial program load). Disk? DASD. Security? RACF.

So far, [Ernie] only has an overview and a short demo. If you can’t wait, cruise over to the Hercules page and see how far you can get. You may decide to wait for [Ernie’s] next video.

If you want to shortcut, there are entire environments in Docker that can be handy. If your IBM nostalgia runs to the smaller System/3, AS/400, or POWER systems, someone already has something ready for you to use.

youtube.com/embed/Gy7GQtjS9U0?…


hackaday.com/2025/01/08/retro-…


A Street For Every Date



Different cultures have their own conventions for naming locations, for example in the United Kingdom there are plenty of places named for monarchs, while in many other countries there are not. An aspect of this fascinated [Ben Ashforth], who decided to find all the streets in Europe named after auspicious dates, and then visit enough to make a calendar. He gave a lightning talk about it at last year’s EMF Camp, which we’ve embedded below.

Starting with an aborted attempt to query Google Maps, he then moved on to the OpenStreetMap database. From there he was able to construct a list of date-related street names across the whole of Europe, and reveal a few surprising things about their distribution. He came up with a routing algorithm to devise the best progression in which to see them, and with a few tweaks to account for roads whose names had changed, arrived at an epic-but-efficient traversal of the continent. The result is a full year’s calendar of street names, which you can download from his website.

Being used to significant Interrail travel where this is written, we approve of an algorithmically generated Euro trip. We’re indebted to [Barney Livingstone] for the tip, and we agree with him that 150 slides in a 5 minute talk is impressive indeed.

media.ccc.de/v/emf2024-548-lig…


hackaday.com/2025/01/08/a-stre…


Try a PWMPot



[Stephen Woodward] is familiar with digital potentiometers but is also familiar with their limitations. That spurred him to create the PWMPot which performs a similar function, but with better features than a traditional digital pot. Of course, he admits that this design has some limitations of its own, so — as usual — you have to make your design choices according to what’s important to you.

Perhaps the biggest limitation is that the PWMPot isn’t useful at even moderately high frequencies. The circuit works by driving two CMOS switches into an RC circuit. The switches’ inverted phase tends to cancel out any ripple in the signal.

The RC circuit is selected to trade response time with the precision of the final voltage output. The CMOS switches used are part of a 74HC4053B IC. While it might not solve all your digital potentiometer problems, there are cases where it will be just what you need.

We’ve looked at traditional digital pots before. If you prefer the hard way, grab a regular pot and a motor.


hackaday.com/2025/01/08/try-a-…


38C3: It’s TOSLINK, Over Long Distance Fibre



If you’ve owned a CD player or other piece of consumer digital audio gear manufactured since the 1980s, the chances are it has a TOSLINK port on the back. This is a fairly simple interface that sends I2S digital audio data down a short length of optical fibre, and it’s designed to run between something like a CD player and an external DAC. It’s ancient technology in optical fibre terms, with a lowish data rate and plastic fibre, but consider for a minute whether it could be adapted for modern ultra-high-speed connections. It’s what [Ben Cartwright-Cox] has done, and he delivered a talk about it at the recent 38C3 event in Germany.

If you’ve cast your eye over any fibre networking equipment recently, you’ll be familiar with SFP ports. These are a standard for plug-in fibre terminators, and they can be had in a wide variety of configurations for different speeds, topographies, and wavelengths. They’re often surprisingly simple inside, so he wondered if he could use them to carry TOSLINK instead of a more conventional network. And it worked, with the simple expedient of driving an SFP module with an LVDS driver to make a differential signal. There follows a series of experiments calling in favours from friends with data centre space in various locations around London, finally ending up with a 140 km round trip for CD-quality audio.

It’s an interesting experiment, but perhaps the most value here is in what it reveals to us about the way optical networking systems work. Most of us don’t spend our days in data centres, so that’s an interesting technology to learn about. The video of the talk itself is below the break.

youtube.com/embed/3qojgJGtTos?…


hackaday.com/2025/01/08/38c3-i…


FLOSS Weekly Episode 815: You Win Some, You Lose Some



This week, Jonathan Bennett and Randal chat with Matija Šuklje about Open Source and the Law! How do Open Source projects handle liability, what should a Contributor License Agreement (CLA) look like, and where can an individual or project turn for legal help?


youtube.com/embed/YgeecPVHtPg?…

Did you know you can watch the live recording of the show right on our YouTube channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License


hackaday.com/2025/01/08/floss-…


Running AI Locally Without Spending All Day on Setup



There are many AI models out there that you can play with from companies like OpenAI, Google, and a host of others. But when you use them, you get the experience they want, and you run it on their computer. There are a variety of reasons you might not like this. You may not want your data or ideas sent through someone else’s computer. Maybe you want to tune and tweak in ways they aren’t going to let you.

There are many more or less open models, but setting up to run them can be quite a chore and — unless you are very patient — require a substantial-sized video card to use as a vector processor. There’s very little help for the last problem. You can farm out processing, but then you might as well use a hosted chatbot. But there are some very easy ways to load and run many AI models on Windows, Linux, or a Mac. One of the easiest we’ve found is Msty. The program is free for personal use and claims to be private, although if you are really paranoid, you’ll want to verify that yourself.

What is Msty?

Talkin’ about Hackaday!
Msty is a desktop application that lets you do several things. First, it can let you chat with an AI engine either locally or remotely. It knows about many popular options and can take your keys for paid services. For local options, it can download, install, and run the engines of your choice.

For services or engines that it doesn’t know about, you can do your own setup, which ranges from easy to moderately difficult, depending on what you are trying to do.

Of course, if you have a local model or even most remote ones, you can use Python or some basic interface (e.g., with ollama; there are plenty of examples). However, Msty lets you have a much richer experience. You can attach files, for example. You can export the results and look back at previous chats. If you don’t want them remembered, you can chat in “vapor” mode or delete them later.

Each chat lives in a folder, which can have helpful prompts to kick off the chat. So, a folder might say, “You are an 8th grade math teacher…” or whatever other instructions you want to load before engaging in chat.

MultiChat

What two models think about 555s
One of the most interesting features is the ability to chat to multiple chatbots simultaneously. Sure, if it were just switching between them, that would be little more than a gimmick. However, you can sync the chats so that each chatbot answers the same prompt, and you can easily see the differences in speed and their reply.

For example, I asked both Google Gemini 2.0 and Llama 3.2 how a 555 timer works, and you can see the answers were quite different.

RAGs


The “knowledge stack” feature lets you easily grab up your own data to use as the chat source (that is RAG, or Retrieval Augmented Generation) for use with certain engines. You can add files, folders, Obsidian vaults, or YouTube transcripts.
Chatting about the podcast
For example, I built a Knowledge Stack named “Hackaday Podcast 291” using the YouTube link. I could then open a chat with Google’s Gemini 2.0 beta (remotely hosted) and chat with the podcast. For example:

You: Who are the hosts?

gemini-2.0-flash-exp: Elliot Williams and Al Williams are the hosts.

You: What kind of microscope was discussed?

gemini-2.0-flash-exp: The text discusses a probe tip etcher that is used to make tips for a type of microscope that can image at the atomic level.


It would be easy to, for example, load up a bunch of PDF data sheets for a processor and, maybe, your design documents to enable discussing a particular project.

You can also save prompts in a library, analyze result metrics, refine prompts and results, and a host of other features. The prompt library has quite a few already available, too, ranging from an accountant to a yogi, if you don’t want to define your own.

New Models


The chat features are great, and having a single interface for a host of backends is nice. However, the best feature is how the program will download, install, run, and shut down local models.
Selecting a new local model will download and install it for use.
To get started, press the Local AI Model button towards the bottom of the left-hand toolbar. That will give you several choices. Be mindful that many of these are quite large, and some of them require lots of GPU memory.

I started on a machine that had an NVidia 2060 card that had 6GB of memory. Granted, some of that is running the display. But most of it was available. Some of the smaller models would work for a bit, but eventually, I’d get some strange error. That was a good enough excuse to trade up to a 12GB 3060 card, and that seems to be enough for everything I’ve tried so far. Granted, some of the larger models are a little slow, but tolerably so.

There are more options if you press the black button at the top, or you can import GGUF models from places like huggingface. If you’ve already loaded models for something like ollama, you can point Msty at them. You can also point to a local server if you prefer.

The version I tested didn’t know about the Google 2.0 model. However, when adding any of the Google models, it was easy enough to add the (free) API key and the model ID (models/gemini-2.0-flash-exp) for the new model.

Wrap Up


You can spend a lot of time finding and comparing different AI models. It helps to have a list, although you can wait until you’ve burned through the ones Msty already knows about.

Is this the only way to run your own AI model? No, of course not. But it may well be the easiest way we’ve seen. We’d wish for it to be open source, but at least it is free to use for personal projects. What’s your favorite way to run AI? And, yes, we know the answer for some people is “don’t run AI!” That’s an acceptable answer, too.


hackaday.com/2025/01/08/runnin…


Hospitals and Medical Devices Are Increasingly Vulnerable! Here’s Why


In recent years, the global genetic sequencing market has grown at an alarming pace. According to research data, with advances in medical technology and the growing demand for personalised medicine, genetic sequencing technology is increasingly used in cancer research, the diagnosis of genetic diseases, and drug research and development. Consumer genetic sequencing services such as “ancestry analysis” have also shown explosive growth. Yet few people pay attention to the technical security problems behind gene sequencing equipment.

Recently, Eclypsium, the world’s leading firmware security company, pointed out that the Illumina iSeq 100 gene sequencer, ranked first in the global market, carries serious firmware security risks. This finding has sounded the alarm for the entire medical device industry.

The Illumina iSeq 100 is the reference equipment in global genetic sequencing and is widely used in major genetic testing laboratories such as 23andMe. However, Eclypsium’s research found that the device does not support Windows Secure Boot, leaving it exposed to firmware attacks. Secure Boot is a security mechanism widely used on Windows systems since 2012. It aims to prevent unauthorised code from being loaded, using public-key cryptography, and to protect the device’s boot process.

In normal operation, the iSeq 100 runs a 2018 BIOS version (B480AM12). This firmware version has contained security vulnerabilities for many years and can be exploited by attackers to implant malicious firmware infections. Such an infection executes before the operating system boots and is difficult to detect or remove. The research also found that the device’s firmware read and write protection was not enabled, so attackers could tamper with the device’s firmware at will to insert malicious code into the device.
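As an added defender-side example (not code from the article or from Eclypsium), the following PowerShell inventories a Windows-based instrument’s Secure Boot state and BIOS version and flags the two conditions described above; the version string B480AM12 comes from the article, while the function name, the three-year age threshold and the output layout are assumptions.

```powershell
# Added example: inventory the boot-security posture described in the article.
# Assumes a Windows host with the built-in SecureBoot module, run from an
# elevated prompt. Confirm-SecureBootUEFI throws on legacy-BIOS/non-UEFI
# machines, which is exactly the "Secure Boot unavailable" case we want to flag.
function Get-FirmwareBootPosture {
    $bios = Get-CimInstance -ClassName Win32_BIOS

    $secureBoot = $false
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        # Cmdlet not supported on this platform: no UEFI Secure Boot at all.
        $secureBoot = $false
    }

    $findings = @()
    if (-not $secureBoot) {
        $findings += 'Secure Boot disabled or unsupported'
    }
    # Version string reported in the article for the iSeq 100.
    if ($bios.SMBIOSBIOSVersion -match 'B480AM12') {
        $findings += 'Known 2018 BIOS build B480AM12'
    }
    # Assumed threshold: treat any firmware older than three years as stale.
    if ($bios.ReleaseDate -and $bios.ReleaseDate -lt (Get-Date).AddYears(-3)) {
        $findings += "BIOS released $($bios.ReleaseDate.ToShortDateString()), older than 3 years"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        BiosVendor   = $bios.Manufacturer
        BiosVersion  = $bios.SMBIOSBIOSVersion
        BiosDate     = $bios.ReleaseDate
        SecureBoot   = $secureBoot
        Findings     = ($findings -join '; ')
    }
}

Get-FirmwareBootPosture | Format-List
```

The firmware write-protection finding cannot be read through Windows management classes; that needs a firmware inspection tool such as the open-source CHIPSEC run on the device itself.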

Eclypsium also warned that the problems with the iSeq 100 are not unique. These devices often use computing platforms supplied by third-party vendors, which may contain similar security vulnerabilities. For example, the iSeq 100’s motherboard is made by IEI Integration Corp., a company that provides industrial computing products and ODM services for medical devices across several sectors. This suggests that similar vulnerabilities could be widespread in other medical and industrial devices using similar motherboards.

Alex Bazhaniuk, chief technology officer of Eclypsium, stated: “Many medical devices are based on generic servers and legacy configurations, and often these devices do not have secure boot enabled or in some cases run outdated firmware; because of technical complexity or cost issues, firmware updates are almost impossible.

The more expensive a medical device is, the more serious the security problems, because expensive devices tend to have a long life cycle. In a medical research institute or high-tech manufacturing facility, a multi-million-dollar device may be running something like Windows XP SP1.”

Moreover, although these expensive medical devices usually operate on highly isolated networks, they are not immune to Internet exposure: as medical digitalisation deepens, more and more medical devices will be connected to the hospital’s local network or to cloud services to transfer data quickly, which could bring additional risk of cyberattack. Although isolated networks or virtual local area networks (VLANs) can reduce some risks, once the firewall is breached the consequences will be disastrous.

The article “Hospitals and Medical Devices Are Increasingly Vulnerable! Here’s Why” comes from il blog della sicurezza informatica.


Tech In Plain Sight: Security Envelopes



You probably get a few of these things each week in the mail. And some of them actually do a good job of obscuring the contents inside, even if you hold the envelope up to the light. But have you ever taken the time to appreciate the beauty of security envelope patterns? Yeah, I didn’t think so.

The really interesting thing is just how many different patterns are out there when a dozen or so would probably cover it. But there are so, so many patterns in the world. In my experience, many utilities and higher-end companies create their own security patterns for mailing out statements and the like, so that right there adds up to some unknown abundance.

So, what did people do before security envelopes? When exactly did they come along? And how many patterns are out there? Let’s take a look beneath the flap.

Before Envelopes, There Was Letterlocking


Pretend it’s 1525 and you have some private correspondence to send. Envelopes won’t come along for another three hundred years, at least not on a commercial scale. So what do you do? A common practice since the end of cuneiform tablets was a technique called letterlocking. This is a method of folding the paper of your letter in such a way that it becomes its own envelope, often using slits and tabs running throughout the creased letter. A wax seal was often employed for good measure.
A model of Mary Queen of Scots’ last letter, all locked up. The completed letter packet. Image via YouTube
The video below shows a model of Mary Queen of Scots’ last letter, written a few hours before she was beheaded, being letterlocked. Many say that writing this missive was her last act, but after that, it was performing this spiral letterlock to ensure the contents reached her brother-in-law without obvious tampering.

The letter is written on a large sheet of paper folded in half, with plenty of space in the left and right margins. This is where the slits and the tab that binds it all together will end up. Once written, the sender starts by folding a narrow spine into the left margin where the sheet is connected, then cutting a long, thin slice, leaving one short end attached.

The letter is then folded top to bottom twice, minus the slice. Then a hole is cut through all the layers and the slice is pushed through the hole, wrapped around the letter packet and stuck through again until none remains. Finally, the slit and slice are coated with a bit of water so that the paper swells, sealing the lock. This is where sealing wax would come in handy.

youtube.com/embed/dzPE1MCgXxo?…

The point of letterlocking is that it was impossible to open the letter without causing at least a little bit of damage. So, if you received a tampered-with letter, it should have been quite obvious. Today we can see through locked letters without opening them thanks to x-rays. If you don’t like this method, here are step-by-step instructions for three different letterlocking methods.

The Rise of Security Envelopes


The mass-produced envelope came along in 1830. They started out thick enough to write addresses on and subsequently obscure the contents, but eventually got thinner and thinner as paper advanced. When the windowed envelope was invented by Americus F. Callahan in 1901 and patented 1902, envelopes became a real problem.

Fortunately, one Julius Regenstein of the Transo Envelope Company would invent the security tint just two years later in 1903. And that’s about all we know about the origin story, unfortunately. There isn’t even a Wikipedia page for security envelopes. Can you believe that?

The Good, the Bad, and the Ugly


In the biz, they’re called security tints, and there are a few companies like SupremeX out there generating new ones. The two most common tints you’re likely to see are confetti and some variation of the crosshatch pattern, which is just a bunch of intersecting lines. Both of these do a fine job of obscuring the contents of letters.

A variation of the common confetti pattern for security envelopes (image by [Dan Schreck] via Abstract Collage). Other tints are made up of things like heavily overlapped circles and odd repeated shapes, or some form of television snow. I have nice wood grain envelopes in both black and blue, but my personal favorite resembles a field of asteroids.

The most common tints I’ve seen are black on white. Blue on white is a close second, but represents maybe a third of my own collection. Red seems to be pretty rare except for mailings from the Red Cross, and I only have one lone envelope in green so far. I do have one highlighter-green return envelope from Globe Life with small black dots in overlapping concentric circles. It’s pretty hard to look at, honestly, but it’s still beautiful.

Usually the tints you see are some kind of abstract, entropic pattern, but sometimes a phrase like THANK YOU or PLEASE RECYCLE THIS ENVELOPE is repeated instead. And then of course, there are all the individual company tints. You can see many, many examples of these and more in the worldly collections of both [Dan Schreck] and [Joseph King], but some of my own collection are below.
Images from my collection: a liner with an asteroid-like pattern; a black and white zig-zag; a black and white woodgrain; a variant of the confetti pattern; a green-on-white confetti pattern; and a blue-on-white motif that is hard to describe, almost a mandala. Almost.

For Your Own Security


Of course, you can pick up a box of security envelopes from the drugstore. But if you want to generate and print your own, have at it here or just run it in the browser. There’s a pattern generator in 12 colors plus grayscale, you can change the size of the pattern repeat, and there’s a randomizer if you’re not artistically inclined.

I hope you look at security envelopes a little differently now. Maybe you’ll start collecting them. If so, here are a bunch of ideas for using them. Or, you could send them to me.


Remotely Controlled Vehicles Over Starlink



Modern remote control (RC) radios are capable of incredible range, but they’re still only made for line-of-sight use. What if you want to control a vehicle that’s hundreds of kilometers away, or even on the other side of the planet? Cellular is an option, but is obviously limited by available infrastructure — good luck getting a cell signal in the middle of the ocean.

But what if you could beam your commands down from space? That’s what [Thingify] was looking to test when they put together an experimental RC boat using a Starlink Mini for communications. Physically, there was no question it would work on the boat. After all, it was small, light, and power-efficient enough. But would the network connection be up to the task of controlling the vehicle in real-time?

During early ground testing, the Starlink Mini worked very well. Despite being roughly a quarter the size of its predecessor, the smaller unit met or exceeded its performance in bandwidth, latency, and signal strength benchmarks. As expected, it also drew far less power: the Mini’s consumption peaked at around 33 W, compared to 180 W for the larger receiver.

On the water, there was even more good news. The bandwidth was more than enough to send a high-resolution video feed back to the command center. At the same time, the boat moved autonomously between waypoints, and when [Thingify] switched over to manual control, the latency was low enough not to be a problem. We wouldn’t recommend manually piloting a high-speed aircraft over Starlink, but for a boat that’s cruising along at 4 km/h, the lag didn’t even come into play.

The downside? Starlink is a fairly expensive proposition; you’d need to have a pretty specific mission in mind to justify the cost. The Mini receiver currently costs $599 USD (though it occasionally goes on sale), and you’ll need at least a $50 per month plan to go with it. While this puts it out of the price range for recreational RC, [Thingify] notes that it’s not a bad deal if you’re looking to explore uncharted territory.

youtube.com/embed/Fjy1hcLf2_M?…


hackaday.com/2025/01/08/remote…


Making Sure Your Patch Cables Are Ready for RF Work



How do you know that your patch cables are good? For simple jumper wires, a multimeter is about all you need to know for sure. But things can get weird in the RF world, in which case you might want to keep these coaxial patch cable testing tips in mind.

Of course, no matter how high the frequency, the basics still apply, and [FesZ] points out in the video below that you can still get a lot of mileage out of the Mark 1 eyeball and a simple DMM. Visual inspection of the cable and terminations can reveal a lot, as can continuity measurements on both the inner and outer conductors. Checking for shorts between conductors is important, too. But just because the cable reads good at DC doesn’t mean that problems aren’t still lurking. That’s when [FesZ] recommends breaking out a vector network analyzer like the NanoVNA. This tool will allow you to measure the cable’s attenuation and return loss parameters across the frequency range over which the cable will be used.
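As an added example, not code from [FesZ]’s video or from any VNA software, the following Python checker does the frequency-sweep part of that workflow offline: it reads a two-port sweep in the Touchstone .s2p format that VNA software (NanoVNA-Saver included) can export, turns S11 into return loss and VSWR and S21 into insertion loss, and flags every sweep point outside the chosen limits. The sample sweep is constructed to show one bad region around 400 MHz, and the 20 dB return-loss and 2 dB insertion-loss limits are assumptions to set from the cable’s datasheet and the band you actually use.

```python
"""Evaluate a coax patch cable from a two-port VNA sweep.

Added example; not code from [FesZ]'s video or from any VNA software. It reads
a Touchstone (.s2p) sweep, turns S11 into return loss and VSWR and S21 into
insertion loss, and flags sweep points outside the chosen limits.
"""
import cmath
import math

# Frequency unit multipliers allowed in a Touchstone option line.
UNIT_SCALE = {"HZ": 1.0, "KHZ": 1e3, "MHZ": 1e6, "GHZ": 1e9}

# Constructed sample sweep (not a real measurement): a 50 ohm cable that looks
# fine except around 400 MHz, where a kinked or badly crimped section makes
# return loss collapse and insertion loss jump.
SAMPLE_S2P = """\
! constructed sample, columns: f S11(dB,deg) S21 S12 S22
# MHz S DB R 50
 50   -32.0   85.0  -0.30  -20.0  -0.30  -20.0  -31.0   80.0
100   -30.5   70.0  -0.45  -40.0  -0.45  -40.0  -30.0   65.0
200   -28.0   40.0  -0.70  -80.0  -0.70  -80.0  -27.5   35.0
300   -26.0   10.0  -0.95 -120.0  -0.95 -120.0  -25.5    5.0
400    -8.0  -30.0  -3.20 -160.0  -3.20 -160.0   -8.5  -35.0
500   -25.0  -60.0  -1.30  160.0  -1.30  160.0  -24.5  -65.0
"""


def _to_complex(a, b, fmt):
    """Convert one S-parameter pair in DB, MA or RI notation to a complex value."""
    if fmt == "DB":
        return cmath.rect(10 ** (a / 20.0), math.radians(b))
    if fmt == "MA":
        return cmath.rect(a, math.radians(b))
    if fmt == "RI":
        return complex(a, b)
    raise ValueError(f"unsupported Touchstone format {fmt}")


def parse_s2p(text):
    """Parse Touchstone v1 two-port text.

    Returns (z0, rows) where each row is (freq_hz, s11, s21, s12, s22).
    """
    scale, fmt, z0 = 1e9, "MA", 50.0  # Touchstone defaults when no option line
    rows = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("#"):
            tokens = line[1:].upper().split()
            for i, tok in enumerate(tokens):
                if tok in UNIT_SCALE:
                    scale = UNIT_SCALE[tok]
                elif tok in ("DB", "MA", "RI"):
                    fmt = tok
                elif tok == "R" and i + 1 < len(tokens):
                    z0 = float(tokens[i + 1])
            continue
        values = [float(v) for v in line.split()]
        if len(values) != 9:
            raise ValueError(f"expected 9 columns, got {len(values)}: {raw!r}")
        s11, s21, s12, s22 = (_to_complex(values[i], values[i + 1], fmt)
                              for i in (1, 3, 5, 7))
        rows.append((values[0] * scale, s11, s21, s12, s22))
    return z0, rows


def return_loss_db(s11):
    """Return loss in dB; higher is better (20 dB means |Gamma| = 0.1)."""
    return -20.0 * math.log10(abs(s11))


def vswr(s11):
    """Voltage standing wave ratio from the reflection coefficient."""
    g = abs(s11)
    return math.inf if g >= 1.0 else (1.0 + g) / (1.0 - g)


def insertion_loss_db(s21):
    """Through loss in dB; lower is better."""
    return -20.0 * math.log10(abs(s21))


def check_cable(text, min_return_loss_db=20.0, max_insertion_loss_db=2.0):
    """Grade every sweep point against the limits; returns (passed, report).

    The default limits are assumptions for a short jumper below 1 GHz; set them
    from the cable datasheet and the band you care about.
    """
    _, rows = parse_s2p(text)
    report = []
    for freq_hz, s11, s21, _s12, _s22 in rows:
        rl, il = return_loss_db(s11), insertion_loss_db(s21)
        problems = []
        if rl < min_return_loss_db:
            problems.append(f"return loss {rl:.1f} dB below {min_return_loss_db} dB")
        if il > max_insertion_loss_db:
            problems.append(f"insertion loss {il:.2f} dB above {max_insertion_loss_db} dB")
        report.append({"freq_hz": freq_hz, "return_loss_db": rl, "vswr": vswr(s11),
                       "insertion_loss_db": il, "problems": problems})
    return all(not r["problems"] for r in report), report


if __name__ == "__main__":
    passed, report = check_cable(SAMPLE_S2P)
    for r in report:
        flag = "; ".join(r["problems"]) or "ok"
        print(f"{r['freq_hz'] / 1e6:6.0f} MHz  RL {r['return_loss_db']:5.1f} dB  "
              f"VSWR {r['vswr']:5.2f}  IL {r['insertion_loss_db']:4.2f} dB  {flag}")
    print("PASS" if passed else "FAIL")
```

A cable that reads fine at DC can still fail this check: the sample passes at every point except 400 MHz, where return loss drops to 8 dB (VSWR about 2.3) and insertion loss jumps to 3.2 dB, exactly the kind of localized discontinuity a DMM cannot see and that TDR would then place along the cable.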

For stubborn problems, or just for funsies, there’s also time-domain reflectometry, which can be done with a pulse generator and an oscilloscope to characterize impedance discontinuities in the cable. We’ve covered simple TDR measurement techniques before, but [FesZ] showed a neat trick called time-domain transformation, which uses VNA data to visualize the impedance profile of the whole cable assembly, including its terminations.

youtube.com/embed/LmL1Qj-hGvk?…


hackaday.com/2025/01/08/making…


Biometrics: how the key to the digital future works


Every day we confirm our identity: with documents, codes, physical keys or magnetic cards (“something you have”). In the infosphere (the digital information environment) we instead use PINs, passwords and codes (“something you know”). These methods have security limits, such as the possibility of theft or loss.

Hence the need for a more reliable approach, based on “something you are”: biometrics. This discipline, which exploits our unique physical and behavioural characteristics, offers an innovative solution for digital security, combining reliability and convenience.

What biometrics is


Biometrics is the scientific discipline that studies the unique physical and behavioural characteristics of an individual in order to identify them unambiguously. These characteristics, such as the fingerprint, face, iris or voice, are analysed by computer systems to verify a person’s identity and allow them, for example, to unlock their smartphone, enter a building or make secure payments. There are two main types of biometrics:

Physiological biometrics: measures intrinsic characteristics, such as the fingerprint.

Behavioural biometrics: based on actions performed by the individual, such as a handwritten signature.
This technology is transforming the security of personal identification. Although it has existed for decades, only recently has it entered everyday life, improving access to places, services and devices in sectors such as finance, healthcare, commerce, education and telecommunications. Its widespread adoption has eased many of the initial concerns about privacy. Biometric data, thanks to its uniqueness and the difficulty of forging it, is simple to use and very precise.

Biometric recognition is used by public and private organisations to authorise access to facilities, information and services. Authentication methods rest on three principles: something the user has, knows or is.

Something the user has


Devices such as memory cards (which store data), smart cards (which store and process data) and USB tokens contain an access key that enables specific operations (e.g. the Postamat card). However, because the system authenticates the object and not its holder, these tools carry the risk of theft, lending or cloning.

Something the user knows


Passwords, PINs and answers to pre-set questions are easy to memorise, but just as easy to guess. Other risks tied to passwords and PINs include theft, eavesdropping and hacking attacks, as well as the possibility of forgetting them.

Something the user is


Recognition through biometric characteristics such as voice, iris and fingerprints is one of the oldest forms of identification. Biometric elements, often depicted in pop culture (Star Trek: The Next Generation), exploit the uniqueness of personal characteristics for authentication.
The main biometric characteristics include:

  • Face: analysis of specific features that are hard to alter.
  • Voice: identification through voiceprints, often used over the telephone.
  • Fingerprints: widely used in forensics.
  • Handwritten signature: document authentication based on handwriting and signing dynamics.
  • Retina and iris: highly reliable scans used in high-security settings.



Types of biometrics


Types of biometrics include handwriting, voiceprints, facial recognition, fingerprints, and retina and iris scans. Technologies such as signature biometrics analyse dynamic parameters such as writing pressure and speed.
Some methods, such as fingerprints, are traditionally more reliable than facial recognition, but recent technological progress is closing the gap. Note that some technologies are more invasive than others, as lip-movement recognition, now obsolete, was.
The goal of biometric research is to improve reliability and precision, minimising errors such as false positives (accepting impostors) and false negatives (rejecting legitimate users).

A brief history


In 1882 Alphonse Bertillon developed the first scientific biometric method for identifying criminals, known as “bertillonage”. It was based on detailed physical descriptions and measurements, but over time it proved ineffective once it became clear that different individuals could have similar anthropometric measurements.
Later, in 1892, Francis Galton, a scholar of medicine, statistics and anthropometry (and Charles Darwin’s cousin), criticised Bertillon’s system and introduced the concept of “minutiae” (the characteristic details of fingerprints), proposing a first, albeit rudimentary, system for classifying fingerprints.
Only in 1893 did the British Home Office officially recognise the uniqueness of fingerprints, stating that no two individuals have the same print. As a consequence, many police departments started using fingerprints to record criminals.

COMPONENTS OF A BIOMETRIC SYSTEM


A biometric application generally consists of three main parts:

  1. Database: holds the biometric data, that is, the physiological information of the subjects to be authenticated.
  2. Input devices and procedures: include the biometric readers, the data-loading systems and the other devices that connect the user to the validation system.
  3. Output procedures and graphical interfaces: the front end of the whole system, acting as the user interface for interaction and feedback.

This infrastructure is generally used for two purposes: authentication or identification.

  • Authentication: verifies whether an individual really is who they claim to be.
  • Identification: determines whether a person can be matched to one of the identities already in the database.


How it works


The operation of a biometric system consists of several key processes: acquisition, processing, and verification or identification of identity. Before these phases, and regardless of the biological characteristic adopted, a biometric system needs an initial registration phase in order to work. During this initial phase, called “enrolment”, samples of the biometric characteristic are acquired. In this way the user is registered on the biometric system and can be recognised by it on subsequent accesses.
The process begins with the capture of a biometric characteristic, such as a fingerprint or a scan of the face or iris, by a dedicated sensor. To process the acquired analogue data it must be converted to digital form, a task carried out by an analogue-to-digital (A/D) converter. The conversion phase is crucial for standardising the data and removing any distortion introduced during acquisition.
The next step is processing the digitised data. It is analysed by sophisticated algorithms that extract the discriminating features able to guarantee high accuracy and security of the results. These algorithms represent the biometric data in a compact, recognisable format (the template), thereby minimising false positives and false negatives.

The biometric authentication process can therefore be outlined as: enrolment, acquisition, A/D conversion, feature extraction into a template, and matching of that template against the stored one.

Identity verification


In the verification process, the extracted biometric template is compared with a template previously loaded into the database (during enrolment) and associated with the identity the user claims. The comparison is carried out by a processor running matching algorithms. The result is boolean: true if the data matches the template stored in the DB, false otherwise. This approach, known as 1:1 (one-to-one) authentication, is used, for example, in biometric login systems such as those on smartphones.

Identification


In identification mode, the extracted biometric template is compared with all the templates in the database. This process, known as a 1:N (one-to-many) search, either identifies an individual or establishes that they are not present in the system. The processor uses optimised algorithms to reduce comparison time while maintaining high accuracy, especially with large databases.

Iris scanning


It’s a simple idea: You are your authenticator. Your voiceprint unlocks the door of your house. Your retinal scan lets you in the corporate offices (Secrets & Lies: Digital Security in a Networked World, Bruce Schneier).

Sam Altman, CEO of OpenAI, the company that developed ChatGPT, recently launched Worldcoin, a virtual currency he co-founded. With this new digital currency Altman aims not only to revolutionise the economic model but also to innovate personal identification. One of Worldcoin’s distinctive elements is World ID, a unique biometric identification system based on iris scanning.

But how does iris scanning work? The iris is the coloured part surrounding the pupil, and its pattern is so incredibly complex that it is considered a sort of fingerprint and used as a biometric authentication key.
This area of the human eye has around 300 measurable features and is among the most distinctive of each individual. Unlike other physical characteristics, the iris does not change over time and cannot be artificially altered. The probability of finding two identical irises is extremely low, estimated at one in 10^78. Even the right and left irises of the same person differ. The large number of feature points makes iris scanning more secure than retina scanning. Moreover, because it sits further out than the retina, the iris can be analysed with less invasive and technically simpler methods.

In practice a sensor (a high-resolution camera) positioned a few centimetres from the eye photographs the visible edges, performing successive scans that delineate the outline of the iris as a circular ring. The area is divided into small segments that are analysed and encoded. The result is a mathematical representation of the iris; the binary encoding of the biometric template is a unique 512-byte string known as the IrisCode. This simplifies matching, the comparison between two irises, because the iris template has been converted into a string of binary digits. Instead of comparing the images directly, the system compares the two strings bit by bit, checking the agreement of individual bits; the decision is a threshold on the fraction of bits that disagree (the Hamming distance).
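As an added example (not code from the article or from any IrisCode implementation), the following Python sketch shows the matching described in the identity verification and identification sections above applied to iris-code style templates: a fractional Hamming distance over the bits both masks mark valid, a small search over cyclic shifts to tolerate head tilt, a 1:1 verify and a 1:N identify. The templates are constructed with a seeded RNG rather than real iris data, the 2048-bit length and the 0.32 decision threshold are assumptions, and the model of a repeat capture (random bit flips plus a small rotation) is a simplification.

```python
"""Iris-code style template matching: 1:1 verification and 1:N identification.

Added example, not from the article. Templates are (code, mask) pairs of
CODE_BITS-wide Python ints; a mask bit of 1 means that code bit was measured
(eyelids and reflections would be masked out). Sample templates are synthetic.
"""
import random

CODE_BITS = 2048          # assumption: template length in bits
MATCH_THRESHOLD = 0.32    # assumption: max fractional Hamming distance accepted
ALL_VALID = (1 << CODE_BITS) - 1


def rotate(bits, k):
    """Cyclically rotate a CODE_BITS-wide integer left by k positions (k may be negative)."""
    k %= CODE_BITS
    return ((bits << k) | (bits >> (CODE_BITS - k))) & ALL_VALID


def hamming_distance(a, b):
    """Fractional Hamming distance between templates a and b over bits valid in both."""
    code_a, mask_a = a
    code_b, mask_b = b
    valid = mask_a & mask_b
    n_valid = bin(valid).count("1")
    if n_valid == 0:
        raise ValueError("templates share no valid bits")
    return bin((code_a ^ code_b) & valid).count("1") / n_valid


def best_distance(probe, enrolled, max_shift=8):
    """Minimum distance over small cyclic shifts of the probe, tolerating head tilt."""
    code, mask = probe
    return min(
        hamming_distance((rotate(code, k), rotate(mask, k)), enrolled)
        for k in range(-max_shift, max_shift + 1)
    )


def verify(db, claimed_id, probe):
    """1:1 verification: does the probe match the template enrolled for claimed_id?"""
    enrolled = db.get(claimed_id)
    if enrolled is None:
        return False
    return best_distance(probe, enrolled) <= MATCH_THRESHOLD


def identify(db, probe):
    """1:N identification: id of the closest enrolled template if under threshold, else None."""
    best_id, best_d = None, 1.0
    for subject_id, enrolled in db.items():
        d = best_distance(probe, enrolled)
        if d < best_d:
            best_id, best_d = subject_id, d
    return best_id if best_d <= MATCH_THRESHOLD else None


def synth_template(rng):
    """Constructed template: random code with every bit valid (no real iris data)."""
    return rng.getrandbits(CODE_BITS), ALL_VALID


def resample(template, rng, flip_fraction=0.15, shift=3):
    """Simulate a fresh capture of the same iris: sensor noise flips some bits
    and a slight head tilt rotates the whole code by a few positions."""
    code, mask = template
    for _ in range(int(CODE_BITS * flip_fraction)):
        code ^= 1 << rng.randrange(CODE_BITS)
    return rotate(code, shift), rotate(mask, shift)


def build_demo(seed=7):
    """Enrol three subjects, then produce one genuine probe and one impostor probe."""
    rng = random.Random(seed)
    db = {name: synth_template(rng) for name in ("alice", "bob", "carol")}
    genuine = resample(db["alice"], rng)   # alice presenting again
    impostor = synth_template(rng)         # someone who was never enrolled
    return db, genuine, impostor


if __name__ == "__main__":
    db, genuine, impostor = build_demo()
    print("verify alice with genuine probe :", verify(db, "alice", genuine))
    print("verify bob with genuine probe   :", verify(db, "bob", genuine))
    print("identify genuine probe          :", identify(db, genuine))
    print("identify impostor probe         :", identify(db, impostor))
```

The threshold is where false accepts and false rejects are traded: two independent random codes disagree on about half their bits, while a repeat capture in this model lands near 0.13, so 0.32 separates the two comfortably. A real deployment sets the threshold from measured genuine and impostor distributions, and a 1:N search needs a tighter threshold than a 1:1 check because every extra enrolled template is one more chance of a false accept.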

Advantages of iris scanning


  • It is visible but well protected
  • It is invariant over time and unique
  • The iris image is acquired without direct contact
  • Acquisition uses near-infrared wavelengths

Drawbacks

  • The iris surface is very small
  • Acquisition requires the subject close to the camera to obtain sufficient resolution (the article cites under 10 m; practical systems work from a few centimetres up to about a metre)
  • High-resolution cameras are expensive

Biometrics has opened new doors for security, but it also raises complex questions on current topics such as privacy and ethics in the use of digital identities. Rapid technological progress makes it a challenge to address these issues responsibly. Biometrics is a technological revolution and an opportunity to build a safer and more inclusive future, in which technologies must be required to integrate harmoniously with the concept of “algorethics”, respecting human values and individual diversity. It is a goal that large companies, such as Cisco with the “Rome Call for AI Ethics”, are already pursuing with determination. After all, as Spider-Man teaches us, “with great power comes great responsibility”. So it remains essential that biometrics is developed and used with a strong commitment to ethics and respect for individual rights, so that it can truly contribute to a safer and fairer world for all.

Sources:

Michael Fairhurst, Biometrics: A Very Short Introduction.

Bruce Schneier, Secrets & Lies: Digital Security in a Networked World.

Abate, A., Barra, S., Gallo, L., & Narducci, F. (2016). SkipSOM: Skewness & kurtosis of iris pixels in self organizing maps for iris recognition on mobile devices. In 2016 23rd International Conference on Pattern Recognition (ICPR), pp. 155-159. IEEE.

The article “Biometria: come funziona la chiave del futuro digitale” originally appeared on il blog della sicurezza informatica.


The History of Conti Ransomware – The Last Ceremony (Final Episode)


This is the final episode of the series The History of Conti Ransomware, which will finally bring us to the decline of the group and its impact on the current ransomware landscape. In the previous article we covered the operations carried out by law enforcement (mainly the FBI) and by some vigilantes who did not appreciate Conti’s political positions. Conti is not dead; it is still alive.

The Moon – Dostoevsky’s De(a)mons

The “Conti leak” showed the world how “normal” a RaaS group of this size can be, with the same organisation as a “legitimate” company. But among the published messages there is one we did not analyse in the previous article: on 22 February 2022 the user called “frances” made a statement about the future of the group.

@all
Friends!

I sincerely apologize for having to ignore your questions the last few days. About the boss, Silver, salaries, and everything else. I was forced to because I simply had nothing to say to you. I was dragging my feet, screwing around with the salary as best I could, hoping that the boss would show up and give us clarity on our next steps. But there is no boss, and the situation around us is not getting any softer, and pulling the cat by the balls further does not make sense.

We have a difficult situation, too much attention to the company from outside resulted in the fact that the boss has apparently decided to lay low. There have been many leaks, post-New Year’s receptions, and many other circumstances that incline us all to take some time off and wait for the situation to calm down.

The reserve money that was set aside for emergencies and urgent team needs was not even enough to cover the last paycheck. There is no boss, no clarity or certainty about what we will do in the future, no money either. We hope that the boss will appear and the company will continue to work, but in the meantime, on behalf of the company I apologize to all of you and ask for patience. All balances on wages will be paid, the only question is when.

Now I will ask all of you to write to me in person: (ideally on Jabber:))
* Up-to-date backup contact for communication (preferably register a fresh, uncontaminated public Jabber account
* Briefly your job responsibilities, projects, PL [programming language] (for coders). Who did what, literally in a nutshell

In the near future, we, with those team leaders, who stayed in line – will think how to restart all the work processes, where to find money for salary payments and with renewed vigor to run all our working projects. As soon as there is any news about payments, reorganization and getting back to work – I will contact everyone. In the meantime, I have to ask all of you to take 2-3 months off. We will try to get back to work as soon as possible. From you all, please be concerned about your personal safety! Clean up the working systems, change your accounts on the forums, VPNs, if necessary, phones and PCs. Your security is first and foremost your responsibility! To yourself, to your loved ones and to your team too!

Please do not ask about the boss in a private message – I will not say anything new to anyone, because I simply do not know. Once again, I apologize to my friends, I’m not excited about all these events, we will try to fix the situation. Those who do not want to move on with us – we naturally understand. Those who will wait – 2-3 months off, engaged in personal life and enjoy the freedom 🙂

All working rockets and internal Jabbers will soon be off, further communication – only on the private Jabbers. Peace be with you all!


The message was posted 3 days before their pro-Russia statement; the leaks it mentions all concern the Conti playbook leaked by a former affiliate. It is not clear what “too much attention to the company from outside” refers to, but the arrests of Conti developers probably made the “Boss” nervous enough to go completely off the radar, even inside his own group.

Knowing everything that happened afterwards, the statement raises some questions. “Frances” admitted there was no more money for salaries, yet their known wallets held a total of $2 billion [1], the group averaged 2 attacks a day and certainly did not lack staff for operations. “In the near future [...] we will think how to restart all the work processes” is an interesting sentence: if the group were at a standstill, why publicly vow retaliation for digital attacks inside Russia’s borders just a few days later? The most plausible answer is that Conti had a subset of members (the “ContiLocker Group”) that was the core of everything, and the “Boss” was probably part of it.

Unfortunately this statement is still a mystery, but it showed that these groups have no intention of leaving the stage. The chat leak happened and Conti chose silence while its own ransomware was being used against Russia.

On 17 April 2022, more than 20 Costa Rican government institutions were hit by Conti ransomware. Among those affected were the Ministry of Finance, the Ministry of Telecommunications, the Social Security fund and the state internet service provider. The damage went beyond that of a traditional ransomware attack: web page defacements, stolen e-mail, compromised official Twitter accounts and terabytes of leaked sensitive data.


The first institution to be compromised was the Ministry of Finance itself (the ransomware was deployed on 17 April, but the investigation revealed that the intrusion began on 11 April), through compromised VPN credentials obtained with an infostealer. Conti exfiltrated 672 GB of data on the 15th while still moving laterally through the networks.

The poor security posture of the Costa Rican government allowed quick and easy access to other secondary networks, where further credentials and data could be stolen to keep the attacks going. One of the first consequences was the shutdown of the computers responsible for tax administration.

On 18 April the Costa Rican government announced the closure of the taxpayer platform “due to technical problems”; on the 19th Conti published a new post on its DLS demanding a $10 million ransom.


The Ministry of Science, Innovation, Technology and Telecommunications was the second victim. The attacks would continue until the Costa Rican government was ready to pay the group; Conti was now louder than ever. Another post on the RaaS’s DLS announced that the data leak would begin unless the government acknowledged the attack to its taxpayers; the next day it kept its promise.

The attacks continued and the Costa Rican government asked the United States, Microsoft and Israel for help. The damage was wider than expected, with a good part of the nation held to ransom by a single RaaS. On the 21st Conti updated its DLS with more victims.

The last message offered a 35% discount on the final ransom and asked Costa Rican “businessmen” to persuade their government to pay.

Some unverified sources revealed that the real ransom demand was under $1 million, but there was no way to confirm this. Nobody paid, and the data was eventually leaked; within a week the national government was disrupted. Some of the compromised resources were kept offline until June 2022, and on 8 May a national emergency was declared.

At this time a review of perimeter security against Conti ransomware is being carried out, to verify and prevent possible attacks at CCSS level.
— CCSSdeCostaRica (@CCSSdeCostaRica) April 19, 2022

In response, Conti declared that Costa Rica was just a “demo version” and that it was preparing a larger team for this type of attack. Further attack attempts were detected inside Costa Rican institutions; Conti also made a point of claiming to have insiders and to be aware of every action taken by the blue team in charge of incident response. All the leaks were carried out by an affiliate called “UNC1756”.


During this large-scale attack, Conti’s “employees” moved on to new ventures as soon as they received the message from “frances”. Conti was shedding its skin, moving from a centralised brand to distributed, semi-autonomous groups.

We can divide the new collectives into two subsets: autonomous and semi-autonomous.

The autonomous groups were founded from scratch, do not use the Conti ransomware (at least at the beginning) and their business consisted of extortion based exclusively on data exfiltration. Some of these groups later developed their own ransomware and are still active. This subset includes:

  • BlackBasta
  • BlackByte
  • Karakurt
  • BazarCall


The semi-autonomous groups are made up of former Conti members who wanted to keep encrypting networks. Probably a good part of the developers moved to this kind of collective. These groups adopted the RaaS business model from the start, with Conti still at the top of management. Here we have well-known groups such as:

  • HIVE
  • BlackCat/ALPHV
  • HelloKitty
  • Quantum
  • AvosLocker

The goal was to preserve Conti’s power while operating publicly under other names. While the Costa Rican government was suffering the damage done by Conti, these groups began to emerge under the radar, thanks to the noise made in April 2022. In the background, like daemons, Conti was preparing a new wave of ransomware groups.

The Tower – Remember Me When I’m Gone


On 6 May 2022 the US State Department announced rewards for information about the people behind Conti ransomware: up to $10 million for the identification or location of its leadership and up to $5 million for information leading to arrests or convictions. On the 19th Conti began slowly shutting down its infrastructure, starting with the admin panels and negotiation panels, and stopped publishing posts on its Tor DLS.

Apparently the attacks on Costa Rica were a sort of excuse to gain visibility one last time before leaving the stage. Conti stopped attacking companies, and in the last week of June 2022 the DLS was shut down completely.

Conti vanished, but some people decided to dig deeper, trying to unmask the identities behind the RaaS. A notable example was “pancak3”, a security researcher who created an entire format called “Who’s Behind The Keyboard”, in which he doxxed several ransomware operators. Everything was posted on his Substack (from which he was banned), and one of the posts covered “van”, one of Conti’s developers (the original post can be found via the Wayback Machine).

We recommend reading the original post, as it contains screenshots of Van’s desktop, obtained through an Agent Tesla implant in 2021. A month later the US Rewards for Justice (RFJ) programme published the face of “Target”, another Conti member (whom we already met in the previous episode), and the nicknames of 4 other members, requesting information to identify them and declaring them responsible for malicious activity against critical infrastructure in the United States.

The U.S. Government reveals the face of a Conti associate for the first time! We’re trying to put a name with the face!

To the guy in the photo: Imagine how many cool hats you could buy with $10 million dollars!

Write to us via our Tor-based tip line: t.co/WvkI416g4W pic.twitter.com/28BgYXYRy2
— Rewards for Justice (@RFJ_USA) August 11, 2022



The FBI also added some data on Conti’s activity: 1,000 victims were identified, who paid a total of $150 million to the RaaS. In conclusion, the US government said it was looking for people of “different nationalities and citizenship”. Its investigations highlighted that, even though the group was linked to Russia, its members are scattered around the world.

Dragos (an OT security firm) analysed the trend of industrial organisations hit by ransomware attacks; after Conti’s official shutdown, a decrease in attacks was detected. Dragos claims that Conti was responsible for 28% of attacks in the industrial sector and that its retirement is a partial cause of the rapid decrease, but warns about new groups such as BlackBasta that have focused on this type of victimology.


From that moment on, Conti disappeared. Their attack on the Costa Rican government was the last ceremony before they shut down their operations.

The Devil – Where is Conti now?


As mentioned in the introduction of the article, Conti’s legacy is still alive. The RaaS has its roots in the origins of the current ransomware phenomenon and the ability to steer its future as well. Their influence also affected victims, who in 2022 refused to pay the ransoms demanded by these groups. The reasons are many, but one can be tied directly to Conti: paying groups of this kind (especially after their political statements) is too risky, since the FSB and other Russian entities are under sanctions. After the series of leaks, the link between those entities and Conti was too evident.

The move to new, smaller units is also a tactic used by attackers to evade sanctions (as Evil Corp did with LockBit) and to dissipate all the attention they attracted in 2022. Let’s discover Conti’s new forms!

BlackBasta was the group whose victimology was closest to Conti’s: the manufacturing, construction and industrial sectors. It is quite similar to the original group not only in TTPs and victims but also in profits: Elliptic did an excellent analysis of BlackBasta’s wallets, which received more than $100 MLN in ransom payments (329 collected for this analysis).
Source: Elliptic
The group is still active, with a high degree of adaptability and social engineering skills that allow it to obtain initial access, combined with vulnerabilities such as CVE-2024-1709 (ConnectWise).

Quantum, Diavol, Karakurt and Royal are some “minor” strains believed to be used by the same operators; one piece of evidence is the money flows from these strains, which all point to Stern (one of Conti’s administrators).
Source: Chainalysis

Karakurt was one of the most prolific new extensions of Conti; recently (in 2024) one of their negotiators was arrested, revealing payments ranging from $250,000 to $1.3 MLN received from the affected companies. There is no doubt about the link between Karakurt and Conti: the VPS subscription was paid from Conti wallets revealed after the 2022 leaks.

Royal ransomware, now rebranded as BlackSuit, is still active and represents a huge threat to the healthcare sector and its supply chain. In 2022 Royal was one of the most prolific ransomware strains, gaining notoriety within the ecosystem.

Quantum is one of the most unusual cases in ransomware history: according to the DFIR report, the attack carried out by this group (from initial access to encryption) took less than 4 hours! This strain changed its name often during its existence: XingLocker, AstroLocker and QuantumLocker. One of the negotiation chats leaked online and shows a ransom demand of $3.8 MLN. The group was never as active as other RaaS, so it is hard to tell whether it is still active or has been rebranded.

Meow (MeowCorp, MeowLeaks) is a family based entirely on Conti’s source code that appeared in the second half of 2022. The group’s real breakthrough came in 2024, when roughly 80 attacks were attributed to it; in the July-September window the group was responsible for 68 victims, a huge spike compared to its past. In 2023 a free decryptor for MeowCorp was released after the private keys leaked on an unspecified forum. At present the group has moved to encryption-less operations, focusing entirely on data exfiltration followed by extortion.

3AM, which emerged in 2023 after practitioners discovered that the group’s ransomware was being used as a fallback option when the LockBit encryptor was blocked by AV/EDR, is another group with a strong connection to Conti. The tools and TTPs used by 3AM have been associated with the infrastructure of previous attacks carried out by Conti (especially during 2022).

Akira is one of the RaaS with the nicest DLS on the whole scene; it first appeared in March 2023 and was able to grow very quickly, demanding ransoms from $200,000 to $4 MLN.
Akira DLS

The group shares the same characteristics as Conti (for example, the same skipped extensions and the same ChaCha encryption), and part of its code overlaps with the leaked Conti source code. Arctic Wolf did an excellent blockchain analysis of the transactions made from the Akira wallet: the full amount of the payments is sent to Conti addresses before reaching the affiliate. This money flow is the same one used by both Diavol and Karakurt.
Source: Arctic Wolf

The group is still hunting and is currently operating with a new, sophisticated ransomware family after a period of data-exfiltration-only campaigns. In 2024 the group reached a 17% market share of all ransomware attacks. According to the FBI, from its first appearance to early 2024, Akira was able to collect $42 MLN from 250 victims.

Returning to the Conti investigations conducted by the US federal government, on 7 September 2023 new indictments were issued against Conti and the TrickBot campaign, in which the real names behind some of the nicknames seen in the chats leaked in 2022, such as “Mango” and “Defender”, can be found. On 9 September 2023 the British government announced a new round of sanctions (in coordination with the United States) against 7 Russian nationals involved in the Conti group.

The story of the Conti ransomware has finally come to an end, but new ones have begun and are ready to be explored. At present, as we have shown, Conti is more a decentralised organisational structure than a ransomware group. This is why it is important to understand the background of this huge group: the history of ransomware is relatively recent, but we have shown how quickly it can change. Tracing the origins of ransomware groups in relation to their present-day reflection is just another way to understand the threat, one that must be blended with the technical side of this phenomenon to be effectively prepared to defend against it. Conti taught a good part of the current landscape how to run ransomware and other lateral activities, but it also showed the world how this kind of adversary can be countered by a combination of law enforcement and independent forces… to be CONTInued(?)



The article La Storia Di Conti Ransomware – L’Ultima Cerimonia (Episodio Finale) originally appeared on il blog della sicurezza informatica.


Toot-B-Gone, With The FartMaster 3000



Face it, we’ve all been there, in a crowded workshop building something, and horror of horrors, things are going to get a little… windy. Do you try to drop it quietly and hope nobody says the rhyme, do you bolt for the door, or can you tough it out and hold it in? Never fear, because [Roman_2798881] has got your back, with the FartMaster 3000.

No doubt born of urgent necessity, it’s a discreet wall-mounted fixture for a shop vac line which allows a casual activation of the shopvac as if some sawdust needed removing, and backing up for a safe disposal of any noxious clouds under cover of the vacuum’s whirring.

We have to admit, this one gave us something of a chuckle when we saw it in the Printables feed, but on closer inspection it’s a real device that by our observation could have been useful in more than one hackerspace of our acquaintance. There’s a square funnel in front of a piece of ducting, with a rotary valve to divert the vacuum in an appropriate direction to conceal the evidence.

Then simply turn it back to straight through, vac your pretend sawdust, and nobody’s the wiser. Unless of course, you also integrated a fart-o-meter.


hackaday.com/2025/01/07/toot-b…


Regular (Expression) Chess



[Nicholas Carlini] found some extra time on his hands over the holiday, so he decided to do something with “entirely no purpose.” The result: 84,688 regular expressions that can play chess using a 2-ply minmax strategy. No kidding. We think we can do some heavy-duty regular expressions, but this is a whole other level.

As you might expect, the code to play is extremely simple, as it just runs the board through a series of regular expressions that implement the game logic. Of course, that doesn’t count the thousands of strings containing the regular expressions.

How does this work? Luckily, [Nicholas] explains it in some detail. The trick isn’t making a chess engine. Instead, he creates a “branch-free, conditional-execution, single-instruction multiple-data CPU.” Once you have a CPU, of course it is easy to play chess. Well, relatively easy, anyway.

The computer’s stack and registers are all in a long string, perfect for evaluation by a regular expression. From there, the rest is pretty easy. Sure, you can’t have loops and conditionals can’t branch. You can, however, fork a thread into two parts. Pretty amazing.

Programming the machine must be pretty hard, right? Well, no. There’s also a sort-of language that looks a lot like Python that can compile code for the CPU. For example:
def fib():
    a = 1
    b = 2
    for _ in range(10):
        next = a + b
        a = b
        b = next
Then you “only” have to write the chess engine. It isn’t fast, but that really isn’t the point.

Of course, chess doesn’t have to be that hard. The “assembler” reminds us a bit of our universal cross assembler.


hackaday.com/2025/01/07/regula…


Bending Light, Bending Time: A DIY Polarizer Clock


Polarizer clock with rainbow glow clockface

Imagine a clock where the colors aren’t from LEDs but a physics phenomenon – polarization. That’s just what [Mosivers], a physicist and electronics enthusiast, has done with the Polarizer Clock. It’s not a perfect build, but the concept is intriguing: using polarized light and stress-induced birefringence to generate colors without resorting to RGB LEDs.

The clock uses white LEDs to edge-illuminate a polycarbonate plate. This light passes through two polarizers—one fixed, one rotating—creating constantly shifting colours. Sounds fancy, but the process involves more trial and error than you’d think. [Mosivers] initially wanted to use polarizer-cut numbers but found the contrast was too weak. He experimented with materials like Tesa tape and cellophane, choosing polycarbonate for its stress birefringence.

The final design relies on a mix of materials, including book wrapping foil and 3D printed parts, to make things work. It has its quirks, but it’s certainly clever. For instance, the light dims towards the center, and the second polarizer is delicate and finicky to attach.

This gadget is a splendid blend of art and science, and you can see it in the video below the break. If you’re inspired, you might want to look up polariscope projects, or other birefringence hacks on Hackaday.

youtube.com/embed/Xr7OFTS4muE?…


hackaday.com/2025/01/07/bendin…


Lockbit 4.0. Quale sarà il futuro di questa Cyber Gang Ransomware?


The LockBit ransomware group plans to make a big comeback in the cyber threat arena with the release of LockBit 4.0, scheduled for February 2025.

This was reported by Cyble researchers, who study criminal activity on the darknet.

LockBit’s return comes almost a year after a large-scale international police operation that caused significant losses for the group, including the arrest of members and the recovery of nearly 7,000 data decryption keys.

Against this backdrop, another group, RansomHub, has become the dominant force among ransomware operations.
A LockBit announcement circulating on the dark web called for new members. “Want Lamborghinis, Ferraris and busty beauties? Sign up and start your journey as a billionaire pentester with us in 5 minutes.”

Despite such bold statements, LockBit’s return remains in doubt. After severe blows such as arrests, the decryptor leak and competition with other RaaS groups, their position has weakened considerably.

The latest version of the LockBit software, 3.0, was released more than two years ago. Development of the new version has likely been significantly hampered by law enforcement’s possible access to the source code.

LockBit 4.0 is expected to be distributed under the now-popular RaaS model, in which the ransomware, infrastructure and manuals are sold in exchange for a share of the profits. However, the group also faces competition because of the leak of its own source code, which makes the situation particularly difficult.

Experts speculate that LockBit may change its target regions or attack types to avoid the attention of international law enforcement. Recall that the 2022 attack on the SickKids hospital in Toronto drew widespread criticism and even forced the group to apologise by providing a free decryptor. That was an example of a terrible strategy that further damaged their reputation.

The official launch of LockBit 4.0, including access to the new darknet resource, is scheduled for 3 February 2025. How long will the group last this time?

The article Lockbit 4.0. Quale sarà il futuro di questa Cyber Gang Ransomware? originally appeared on il blog della sicurezza informatica.


Gaze Upon This Omni-directional Treadmill’s Clever LEGO Construction



Want to see some wildly skillful LEGO construction? Check out [Banana Gear Studios]’ omni-directional treadmill which showcases not only how such a thing works, but demonstrates some pretty impressive problem solving in the process. Construction was far from straightforward!
A 9×9 grid of LEGO shafts all turning in unison is just one of the non-trivial design challenges.
In principle the treadmill works by placing an object on a bed of identical, rotating discs. By tilting the discs, one controls which edge is in contact with the object, which in turn controls the direction the object moves. While the concept is straightforward, the implementation is a wee bit more complex. LEGO pieces offer a rich variety of mechanical functions, but even so, making a 9×9 array of discs all rotate in unison turns out to be a nontrivial problem to solve. Gears alone are not the answer, because the shafts in such a dense array are a bit too close for LEGO gears to play nicely.

The solution? Break it down into 3×3 self-contained chunks, and build out vertically with gimbals to take up the slack for gearing. Use small elastic bands to transfer power between neighbors, then copy and paste the modular 3×3 design a few times to create the full 9×9 grid. After that it’s just a matter of providing a means of tilting the discs — which has its own challenges — and the build is complete.

Check out the video below to see the whole process, which is very nicely narrated and illustrates the design challenges beautifully. You may see some similarities to Disney’s own 360° treadmill, but as [Banana Gear Studios] points out, it is a technically different implementation and therefore not covered by Disney’s patent. In an ideal world no one would worry about getting sued by Disney over an educational LEGO project posted on YouTube, but perhaps one can’t be too careful.

youtube.com/embed/YJfeIborE-c?…


hackaday.com/2025/01/07/gaze-u…


The Helicone: Toy or Mathematical Oddity?



We always enjoy videos from the [Mathologer], but we especially liked the recent video on the Helicone, a toy with a surprising connection to mathematics. The toy is cool all by itself, but the video shows how a sufficiently large helicone models many “natural numbers” and, as [Mathologer] puts it, acts as a “microscope to probe the nature of numbers.”

The chief number of interest is the so-called golden ratio. A virtual model of the toy allows easy experimentation and even some things that aren’t easily possible in the real world. The virtual helicone also allows you to make a crazy number of layers, which can show certain mathematical ideas that would be hard to do in a 3D print or a wooden toy.

Apparently, the helicone was [John Edmark’s] sculpture inspired by DNA spirals, so it is no surprise it closely models nature. You can 3D print a real one.

Of course, the constant π makes an appearance. Like fractals, you can dive into the math or just enjoy the pretty patterns. We won’t judge either way.

We’ve seen math sequences in clocks that remind us of [Piet Mondrian]. In fact, we’ve seen more than one of those.

youtube.com/embed/_YjNEfZ0VqU?…


hackaday.com/2025/01/07/the-he…


Cleaning Up Bhopal: the World’s Worst Industrial Disaster


Deteriorating section of the UCIL plant near Bhopal, India. (Credit: Luca Frediani, Wikimedia)

Forty years ago, on the night of Sunday 2 December of 1984, people in the city of Bhopal and surrounding communities were settling in for what seemed like yet another regular night. The worst thing in their near future appeared to be having to go back to school and work the next day. Tragically, many of them would never wake up again, and for many thousands more their lives would forever be changed in the worst ways possible.

During that night, clouds of highly toxic methyl isocyanate (MIC) gas rolled through the streets and into houses, venting from the Bhopal pesticide plant until the leak petered out by 2 AM. Those who still could wake up did so coughing, with tearing eyes and stumbled into the streets to escape the gas cloud without a clear idea of where to go. By sunrise thousands were dead and many more were left severely ill.

Yet the worst was still to come, as the number of casualties kept rising, legal battles and the dodging of responsibility intensified, and the chemical contamination kept seeping into the ground at the crippled plant. Recently there finally seems to be progress in this clean-up with the removal of 337 tons of toxic waste for final disposal, but after four decades of misgivings and neglect, how close is Bhopal really to finally closing the chapter on this horrific disaster?

Chemistry Of A Disaster

Tank 610, the source of the lethal cloud in Bhopal. (Credit: Julian Nyča, Wikimedia)
The Union Carbide India Limited (UCIL) pesticide plant in Bhopal was built in 1969 to produce the pesticide Sevin (carbaryl) which uses MIC (CH3NCO) as an intermediate. By the time the plant was operating, there were ways to produce carbaryl without MIC as intermediate, but this was more costly and thus UCIL kept producing the pesticide using the MIC-based process. This is why by the early 1980s MIC was still being produced at the UCIL plant, with multiple on-site MIC storage tanks.

The process used to create the carbaryl at UCIL was quite straightforward, involving the direct reaction of 1-naphtol with MIC:

C10H7OH + CH3NCO → C10H7OC(O)NHCH3

This is similar to the MIC-free process, which uses the same precursors (phosgene and 1-naphtol) to produce 1-naphthylchloroformate. After this product reacts with methylamine, it too produces carbaryl, but avoids the creation of MIC and the hazards posed by this substance. The counterpoint here is that MIC is easy to manufacture through the reaction of phosgene and monomethylamine, and MIC is highly reactive, ergo easy to use.

Unfortunately this high reactivity adds to the hazards already posed by the chemical itself. It will readily react with just about anything containing an N-H or O-H group in a strongly exothermic reaction. In the case of the UCIL plant, a large amount of water (H2O) had been accidentally introduced to a MIC storage tank, resulting in a violent exothermic reaction that caused 42 tons of MIC to be released into the atmosphere.

Which brings us to the clean-up of such a disaster.

Everything Is Toxic


Unlike with a nuclear accident where you can use a Geiger counter to be quite certain that you won’t come into contact with any hazardous materials, a disaster site like that at the UCIL plant offers no such comforts. The US (NIOSH) health exposure limits for MIC are set at 0.12 ppm on skin for the IDLH (immediately dangerous to life or health), prescribing supplied-air respirators when entering areas with MIC contamination. The exact mechanism behind MIC’s toxicity isn’t known yet, and there is no known treatment following fatal exposure.

In addition to MIC, the now abandoned UCIL plant and its surroundings have been found to be contaminated with other chemicals that were present at the time of the disaster, along with additional toxic waste that was dumped after the closure of the plant. These contaminants include various heavy metals (lead, mercury), carbaryl, 1-naphtol, chlorinated solvents and much more. Ground water contamination has been established at a few kilometers from the UCIL site, as well as in soil, well water and locally grown vegetables, all of which has led to a quiet human tragedy among the (generally poor) population living in the area.

What complicates matters here is that there’s strong disagreement on the exact scope of the contamination. The contamination of the aquifer and groundwater is often disputed by officials, even as epidemiological studies show the clear health impact on the local population across multiple generations. These impacts include cancer, developmental issues and cognitive impairments. People who moved into the area long after the disaster – lured by the cheap land – found the soil to be heavily contaminated and causing health issues. In an admission of the poisoned ground water, the local government has since put a clean water supply in place, using pipes that carry in clean outside water.

Meanwhile, at the former UCIL site, there are multiple 1970s-era (mostly unlined) solar evaporation pits which were used for storing chemical waste. These pits were never emptied, unlike the storage tanks and vats elsewhere on the terrain. This means that these abandoned pits have to be fully decontaminated somehow to prevent even more of the waste that’s still in them from leaking into the groundwater.

Then there are the hundreds of tons of hazardous waste that have been stored without a clear plan for what to do with them. The 337 tons in leak-proof containers that have now been moved for incineration are the first major step after a trial run with a batch of 10 tons in 2015, with the emissions from this incineration deemed to be acceptable. In addition to these, thousands more tons have been buried or stored elsewhere on the plant’s site.

An Exclusion Zone That Isn’t

Aerial photograph of the Kingston Fossil Plant coal fly ash spill. (Credit: Tennessee Valley Authority)
A mostly appropriate response to a toxic spill is exemplified by the 2008 fly ash spill at the Kingston Fossil Plant in Tennessee. After a coal ash pond ruptured and spilled heavy metal-laden fly ash into the adjoining Emory River, 40 homes were destroyed and 300 acres (121.4 hectares) were covered in toxic sludge. This was the largest industrial spill in US history.

These fly ash pools used to be unlined pits, not unlike those at the UCIL plant. Those involved in the clean-up suffered a range of health-effects, with dozens dying. The plant owner – TVA – ended up having to purchase the contaminated land, with the clean-up resulting in a partial recovery of the area by 2015 and by 2017 the river was deemed to have ‘recovered’. The home owners in the area did not have to live in the sludge, TVA was on the hook for remediation and payment of compensation.

Remediation mostly involved removing the countless tons of sludge and disposing of it. Current and new fly ash ponds had to be fitted with a liner, or be shut down, along with a string of new safety measures to prevent this type of accident.

In the case of the UCIL plant at Bhopal, the affected area should have been turned into an exclusion zone, and inhabitants relocated, pending environmental assessment of the extent of the contamination. Even in the Soviet Union this was possible after the RBMK core steam explosion near Pripyat, which resulted in today’s Chornobyl Exclusion Zone. Unlike radioactive isotopes, however, heavy metals and toxins do not quietly go away by themselves if left alone.

Considering the sheer scope of the contamination around the former UCIL plant in Bhopal, it does seem realistic that this area will not be suitable for human habitation again within the next hundreds to thousands of years, barring a thus far unimaginable clean-up effort.

Featured image: Deteriorating section of the UCIL plant near Bhopal, India. (Credit: Luca Frediani, Wikimedia)


hackaday.com/2025/01/07/cleani…


More Things to Do with Your Cheap Yellow Display



The Cheap Yellow Display (CYD) is an ESP32 development board that’s been making the rounds for a while now, thanks to its value and versatility. For around $10 USD, you get a nicely integrated package that’s perfect for a wide array of projects and applications. Toss a couple in on your next AliExpress order, and all you need to do is come up with an idea. [Craig Lindley] had two ideas, and maybe they will help get those gears turning in your head. Even if you don’t need a network-connected MP3 player or GPS information display, we bet browsing the source code would be useful.

There are plenty of opinions about listening to music, but this first project is particularly interesting for those who like to keep their collection locally. [Craig]’s code can read the MP3s stored on the SD card and present the user with a menu system for browsing them by artist or album.

Should you want to add more music to the collection, you can connect to the player over FTP and directly upload it to the SD card. But perhaps the real kicker is that the audio playback is done over Bluetooth, so you can rock out wirelessly. While we don’t necessarily have a problem with the sparse UI, it seems like with a little sprucing up (album art, graphical menus), this would be a fantastic framework for open-source personal audio players.

The second project is perhaps most interesting because it brings some new hardware to the table, namely a serially connected GPS module. In its current state, we’d probably classify this one as more of a tech demo. Still, it can already show the device’s current coordinates, altitude, and speed. In addition, it can pull the current time and date from the GPS stream, which could have some interesting applications for those working on custom clocks.

We’ve had our eye on the CYD community for a while now and love the creativity that we’ve been seeing. We thank [Craig] for sending these projects our way, and as a reminder, if you’ve got something you’d like to show off to a global audience of hackers and makers, don’t hesitate to drop us a line. If you’ve got a thing for MP3 players, we’ve seen a ton. As for GPS trackers, we like to put them on our pets.


hackaday.com/2025/01/07/more-t…


Keebin’ with Kristina: the One with the Circuit Sculpture Keyboard


Illustrated Kristina with an IBM Model M keyboard floating between her hands.

The left half of GEMK-47, a mechanical keyboard with a round screen. Image by [New-Concentrate6308] via reddit
Don’t worry, [New-Concentrate6308] is working on the GitHub for this final build of 2024, dubbed the GEMK_47. That stands for Grid Ergo Magnetic Keyboard, but I swear there are 48 keys.

What we’ve got here is a split ergo with an ortholinear layout. There’s a round screen and encoder on the left side, and a 35 mm trackpad on the right. There’s also space for some other round thing on this side, should you want another rotary encoder or whatever fits in place of the spacer.

Internally, there’s a Waveshare RP2040 Tiny and a mixture of Gateron Oil Kings and Gateron Yellow V3 switches. That lovely case is printed in silk silver PLA, but [New-Concentrate6308] wants to try metal-filled PLA for the next version. Although the original idea was to go wireless, ZMK didn’t play nicely with that round display, which of course is non-negotiable.

Hello Banana Katana! Goodbye Copper? 🙁


So this beauty is Banana Katana, a work in progress by [leifflat]. The bad news is that [leifflat] is probably gonna ditch the copper even though it looks sick here in circuit sculpture mode. Apparently it types nicely, but just doesn’t feel right overall.

The left half of Banana Katana, a circuit sculpture keyboard. Image by [leifflat] via reddit
The story is that [leifflat] saw a Katana layout a few months ago and fell in love. After having this idea kicking around the brain, he decided to just go for it and built this from scratch.

First order of business was to design the layout in Keyboard Layout Editor (KLE), then transfer that to a plate generator. Then that was imported into Fusion360 and messed around with a bit to get the final result.

The coolest thing aside from the obvious is that there’s a 3D-printed plate with hot swap sockets mounted on it. How? [leifflat] used sacrificial switches and super glue, then took the switches out when it was dry. Here’s a picture of the underside. So why is the bottom row of keys upside down? Because it’s more comfortable that way for some thumbs. You should try it.

The Centerfold: This Delicious Panorama


A panorama of OP's desk, featuring a couple of mechanical keyboards and a trackball. Image by [Local-Tip-3552] via reddit
It’s a good day when you find a subreddit you can call home. [Local-Tip-3552] recently found r/mechanicalheadpens, which is the place for crossover fans of mechanical keyboards, headphones, and fountain pens. (They’re on the far right.)

I won’t list all the details of the setup; you can find those in the reddit post. Apparently [Local-Tip-3552] handles wrongfully-denied Medicaid claims all day and uses the macro pad to quickly fill out forms. Unfortunately, that rad super 10-key on the right doesn’t see much action anymore since the split keyboard has a num pad layer.

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the Yost Line of Typewriters

The New Yost, which was the third model produced by the Yost concern. Image via The Antikey Chop
Perhaps the most striking thing about any of the early entries in the Yost line of machines (1887-1924) is the large double keyboard, which makes them resemble adding machines, at least to my eyes.

According to The Antikey Chop, every model up to the no. 10 “had typebars that kicked like grasshopper legs” and were hung in a circular, up-striking arrangement.

Overall, the Yost company produced 20 models, the first three of which are not terribly distinguishable from one another. In fact, the design wasn’t significantly altered until the no. 10 typewriter, which came along in 1905. With the 10, more of the mechanisms were enclosed within the frame, which made for a bulkier build.

By 1915, pressure from the typewriter market forced George Washington Newton Yost to produce a standard four-bank typewriter instead. The no. 15, which came about in 1908, was quite modern, but at least it had its “grasshopper” type bars to distinguish it from the others. By the 20th version, however, the grasshoppers had been replaced with modern front-striking ones.

Just Incase™ You Miss Your Curvy Microsoft Keyboard


I recently told you that Kinesis are releasing a keyboard that could potentially fill that Microsoft 4000-sized hole in your life. If you don’t like that one, I have good news: Incase bought the manufacturing rights from Microsoft in 2024 and are set to produce a curvy split keyboard that’s $9 cheaper than Kinesis’ mWave at $120.
A new, curved keyboard from Incase that resembles something Microsoft used to make. Image via Incase

What’s interesting is that this is a keyboard that Microsoft designed and never released. Despite spending years developing this presumed successor to the 4000, they exited the peripherals market in 2023 to focus on Surface computers and such. Incase are calling this the Compact Ergonomic Keyboard. It has multi-device connectivity, and, for some reason, a dedicated Copilot key.

What’s weird is that it runs on two AAA batteries that can’t be charged via ports on the keyboard. Even so, they are supposed to last around 36 months. I don’t think these low-profile scissor keys look very nice to type on for long periods of time. I’m not saying it wouldn’t be comfortable, just that it might not be nice.


Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.


hackaday.com/2025/01/07/keebin…


Vidar Strikes Italy Again: The Malware Advances with Advanced Obfuscation Techniques


On the evening of 6 January 2025, CERT-AGID detected a new Vidar campaign: the cybercriminals continue to exploit compromised PEC (certified e-mail) mailboxes to spread the malware among Italian users. This campaign adds further elements of complexity by introducing new techniques to hide the URL from which the payload is downloaded.

The distribution of the malware was accompanied by new strategies to evade security systems. The attacks relied on 148 second-level domains, configured to exploit a Domain Generation Algorithm (DGA) and randomized paths. During the initial phase the URLs remained inactive, activating only later, which made timely prevention harder.

Decoding function found in the JS file

A further novelty was the use of a JavaScript file with an improved obfuscation method. The JS file was rewritten to perform an XOR operation on the values of a list and convert the results into characters via chr, making analysis and detection more complex. In addition, IPs, domains and sender mailboxes were rotated every 2-3 minutes, further complicating defensive work.

Decoding function converted to Python

Countermeasures


Countermeasures have already been put in place with the support of the PEC providers. The IoCs relating to the campaign have been distributed through the CERT-AGID IoC Feed to the PEC providers and to accredited organizations.

Users are advised to always pay the utmost attention to communications received via PEC, particularly when they contain links considered suspicious. When in doubt, suspicious e-mails can always be forwarded to the mailbox malware@cert-agid.gov.it

The article “Vidar Strikes Italy Again: The Malware Advances with Advanced Obfuscation Techniques” comes from il blog della sicurezza informatica.


One To Watch For In 2025: Tanmatsu



If you’ve used the Espressif series of processors, perhaps you’ll have heard of their upcoming ESP32-P4. This is an application processor, with dual RISC-V cores at 400 MHz, and save for a lack of an MMU, a spec sheet much closer to the kind of silicon you’d find in single board computers with pretensions towards being a mini-PC.

It was announced a year ago and there have been limited numbers of pre-release versions of the chip available to developers, but thus far there have been very few boards featuring it. We’re excited then to note that a P4-based board we’ve been watching for a while is finally breaking cover, and what’s more, you can now pre-order one.

The Tanmatsu (Japanese for “Terminal”) is an all-in-one palmtop computer for hackers, with a QWERTY keyboard and an 800×480 DSI display. It’s designed with plenty of expansion in mind, and it’s got space on board for a LoRa radio. The reason we’re interested is that it comes from some of our friends in the world of event badges, so we’ve seen and handled real working prototypes, and we know that its makers come from a team with a proven record in manufacture and delivery of working hardware. The prototype we saw had hardware that was very close to the final version, and an operating system and software that was still under development but on track for the April release of the device. It will be fully open-source in both hardware and software.

We liked what we saw and have pre-ordered one ourselves, so we’ll be sure to bring you a closer look when it arrives.


hackaday.com/2025/01/07/one-to…


Logging Baby’s Day in Linux



There’s plenty of surprises to be had when you become a parent, and one of the first is that it’s suddenly your job to record the frequency of your infant’s various bodily functions in exacting detail. How many times did the little tyke eat, how long did they sleep, and perhaps most critically, how many times did they poop. The pediatrician will expect you to know these things, so you better start keeping notes.

Or, if you’re [Triceratops Labs], you build a physical button panel that will keep tabs on the info for you. At the press of each button, a log entry is made on the connected Raspberry Pi Zero W, which eventually makes its way to a web interface that you can view to see all of Junior’s statistics.

In terms of hardware, this one is quite simple — it’s really just an array of arcade-style push buttons wired directly into the Pi’s GPIO header. Where it shines is in the software. This project could have been just a Python script and a text file, but instead it uses a MariaDB database on the back-end, with Apache and PHP serving up the web page, and a custom Systemd service to tie it all together. In other words, it’s what happens when you let a Linux admin play with a soldering iron.

It probably won’t come as much surprise to find that hackers often come up with elaborate monitoring systems for their newborn children, after all, it’s a great excuse for a new project. This machine learning crib camera comes to mind.


hackaday.com/2025/01/07/loggin…


Dark Web: 1 Million Italian Phone Numbers! Now Your Address Book Is Shared With Everyone


Recently, on the well-known underground forum Breach Forum, a user nicknamed “agency900” published a thread that makes one million “fresh” Italian phone numbers, that is, potentially up-to-date and working ones, available to the criminal community.

The post includes a link to a file-sharing system from which the 16 MB text file can be downloaded.

But why is a simple phone number so valuable?


Have you been receiving a lot of SPAM lately? Contrary to what one might think, phone numbers are extremely useful data for cybercriminals. Here are some reasons:

  1. Phishing via SMS (smishing): Phone numbers can be used to send fraudulent SMS messages, often disguised as notifications from banks, couriers or government bodies. These messages push victims to click on malicious links, which can lead to:
    • Entering login credentials;
    • Installing malware on their devices.


  2. Calls to carry out social engineering attacks: Cybercriminals can use these numbers to make targeted calls aimed at getting victims to hand over sensitive data such as passwords, PINs or banking information.
  3. SIM swap: With a valid phone number, an attacker can try to convince a telephone operator to transfer the SIM to a new device controlled by the criminal. This lets attackers intercept calls, SMS messages and OTP (One-Time Password) codes.
  4. Spam and telephone fraud: The numbers can be sold to illegal call centres or used for mass spam campaigns with fraudulent offers, such as fake prizes or cryptocurrency investments.
  5. Profiling and resale: Attackers can cross-reference phone numbers with other publicly available or stolen information (e.g. names, e-mails, addresses) to build detailed profiles, useful for targeted attacks.

In many cases these attacks are not aimed at single individuals but are carried out automatically by malicious software. Having a very long list of working numbers allows cybercriminals to easily weed out numbers that are no longer active or invalid within specific numbering ranges, thereby increasing the effectiveness of their fraudulent operations. As always, speed pays off when it comes to cybercrime.

How to defend yourself?


The sale of such a large database, if confirmed, could expose millions of people to many threats. To protect themselves, users can adopt a few simple practices:

  1. Do not click on suspicious links received via SMS.
    Always verify the sender’s authenticity, especially if the message demands urgent action.
  2. Use a security app on your smartphone.
    Some applications help filter spam SMS messages and calls.
  3. Enable 2FA (two-factor authentication), but not only via SMS.
    Prefer more secure methods, such as authenticator apps or hardware keys.
  4. Be careful with calls from unknown numbers.
    Avoid giving out personal or sensitive information over the phone.
  5. Monitor the activity on your phone number.
    Promptly report any suspicious activity to your telephone operator.


Conclusions


The case once again highlights the importance of protecting personal data. Even seemingly harmless information, such as phone numbers, can be exploited to orchestrate sophisticated attacks. It is essential that users, companies and institutions work together to promote greater awareness of digital threats and adopt preventive measures to reduce the risks.

The article “Dark Web: 1 Million Italian Phone Numbers! Now Your Address Book Is Shared With Everyone” comes from il blog della sicurezza informatica.


Thirty Years Later, The Windows 3.1 Video Driver You Needed



Over the course of the 1990s we saw huge developments in the world of PC graphics cards, going from little more than the original IBM VGA standard through super VGA and then so-called “Windows accelerator” cards which brought the kind of hardware acceleration the console and 16 bit home computer users had been used to for a while. At the end of the decade we had the first generation of 3D accelerator chipsets which are ancestors of today’s GPUs.

It was a great time to be a hardware enthusiast, but as anyone who was around at the time will tell you, the software for the drivers hadn’t caught up. Particularly for Windows 3.1 it could be something of a lottery, so [PluMGMK]’s modern generic SVGA driver could have been extremely useful had it appeared at the time.

As many of you will be aware, there is a set of VESA standardized BIOS extensions for video modes. There were generic VESA drivers back in the day, but they would only provide a disappointing selection of options for what the cards could do even then. The new driver provides support for all the available modes supported by a card, at all color depths. Windows 3.1 in true-color full HD? No problem!

It’s unexpected to see Program Manager and a selection of windows spread across so much real-estate, almost reminiscent of the uncluttered desktops from early ’90s workstations if you disregard the bright colors. We can’t help noticing it wins in one way over even the latest version of MacOS at these resolutions though, as anyone who has ever used a 4K screen on a Mac and found the menus remain miles away up in the top corner will tell you. Meanwhile if you’ve not had your fill of 16-bit Windows, how about sticking it in a ThinkPad BIOS?


hackaday.com/2025/01/06/thirty…


Rethinking Your Jellybean Op Amps



Are your jellybeans getting stale? [lcamtuf] thinks so, and his guide to choosing op-amps makes a good case for rethinking what parts you should keep in stock.

For readers of a certain vintage, the term “operational amplifier” is almost synonymous with the LM741 or LM324, and with good reason. This is despite the limitations these chips have, including the need for bipolar power supplies at relatively high voltages and the need to limit the input voltage range lest clipping and distortion occur. These chips have appeared in countless designs over the nearly 60 years that they’ve been available, and the Internet is littered with examples of circuits using them.

For [lcamtuf], the abundance of designs for these dated chips is exactly the problem, as it leads to a “copy-paste” design culture despite the far more capable and modern op-amps that are readily available. His list of preferred jellybeans includes the OPA2323, favored thanks to its lower single-supply voltage range, rail-to-rail input and output, and decent output current. The article also discussed the pros and cons of FET input, frequency response and slew rate, and the relative unimportance of internal noise, pointing out that most modern op-amps will probably be the least thermally noisy part in your circuit.

None of this is to take away from how important the 741 and other early op-amps were, of course. They are venerable chips that still have their place, and we expect they’ll be showing up in designs for many decades to come. This is just food for thought, and [lcamtuf] makes a good case for rethinking your analog designs while cluing us in on what really matters when choosing an op-amp.


hackaday.com/2025/01/06/rethin…


Is a Cheap Frequency Standard Worth It?



In the quest for an accurate frequency standard there are many options depending on your budget, but one of the most affordable is an oven controlled crystal oscillator (OCXO). [RF Burns] has a video looking at one of the cheapest of these, a sub ten dollar AliExpress module.

A crystal oven is a simple enough device — essentially just a small box containing a crystal oscillator and a thermostatic heater. By keeping the crystal at a constant temperature it has the aim of removing thermal drift from its output frequency, meaning that once it is calibrated it can be used as a reasonably good frequency standard. The one in question is a 10 MHz part on a small PCB with power supply regulator and frequency trimming voltage potentiometer, and aside from seeing it mounted in an old PSU case we also are treated to an evaluation of its adjustment and calibration.

Back in the day such an oscillator would have been calibrated by generating an audible beat with a broadcast standard such as WWV, but in 2024 he uses an off-air GPS standard to calibrate a counter before measuring the oven crystal. It’s pretty good out of the box, but still a fraction of a Hertz off, thus requiring a small modification to the trimmer circuit. We’d be happy with that.

For the price, we can see that one of these makes sense as a bench standard, and we say this from the standpoint of a recovering frequency standard nut.

youtube.com/embed/T2OIDcITAqs?…


hackaday.com/2025/01/06/is-a-c…


No Frills PCB Brings USB-C Power to the Breadboard



At this point, many of us have gone all-in on USB-C. It’s gotten to the point that when you occasionally run across a gadget that doesn’t support being powered by USB-C, the whole experience seems somewhat ridiculous. If 90% of your devices are using the same power supply, that last 10% starts feeling very antiquated.

So why should your breadboard be any different? [Axiometa] has recently unveiled a simple PCB that will plug into a standard solderless breadboard to provide 3.3 and 5 VDC when connected to a USB-C power supply. The device is going to start a crowdfunding campaign soon if you want to buy a completed one — but with the design files and Bill of Materials already up on GitHub, nothing stops you from spinning up your own version today.

What we like about this design is how simple it is. Getting the 5 V is easy, it just takes the proper resistors on the connector’s CC line. From there, a TPS63001 and a handful of passives provide a regulated 3.3 V. As you can see in the video, all you need to do when you want to change the output voltage for either rail is slide a jumper over.

Sure, it wouldn’t be much harder to add support for the other voltages offered by USB-C Power Delivery, but how often have you really needed 20 volts on a breadboard? Why add extra components and complication for a feature most people would never use?

As an aside, we were very interested to see the torture test of the SMD pin headers at the end of the video. There’s considerable debate in the world of badge Simple-Add Ons (SAOs) about whether or not surface mount headers are strong enough to hold up to real-world abuse, and apparently similar concerns were raised about their usage here. But judging by the twisting and wrenching the pins withstood in the video, those fears would appear unwarranted.

youtube.com/embed/faXiy0wyiH8?…


hackaday.com/2025/01/06/no-fri…


Growing Semiconductor Layers Directly With TMDs


Schematic for progress of 3D integration. a, Schematic showing conventional 3D integration by TSV through wafers. b, M3D integration of single-crystalline Si devices by transfer, c, Growth-based M3D integration of polycrystalline devices. d, Growth-based seamless M3D integration of single-crystalline devices. (Credit: Ki Seok Kim et al., 2024, Nature)

Transition-metal dichalcogenides (TMDs) are a class of material that’s been receiving significant attention as a possible successor of silicon. Recently, a team of researchers has demonstrated the use of TMDs as an alternative to through-silicon-vias (TSV), which is the current way that multiple layers of silicon semiconductor circuitry are stacked, as seen with, e.g., NAND Flash ICs and processors with stacked memory dice. The novelty here is that the new circuitry is grown directly on top of the existing circuitry, removing the need for approaches like TSV to turn 2D layers into 3D stacks.

As reported in the paper in Nature by [Ki Seok Kim] and colleagues (gift article), this technique of monolithic 3D (M3D) integration required overcoming a number of technological challenges, most of all enabling the new TMD single-crystals to grow at low enough temperatures that it doesn’t destroy the previously created circuitry. The progress is detailed in the paper’s schematic (pictured above): from TSV to M3D by transfer of layers and high- and low-temperature growth of single-crystal layers.

Ultimately, the demonstration device with vertically grown transistor arrays (nMOS and pMOS) on a silicon substrate was grown at 385℃, which, if commercially developed, could mean a significant boost in transistor density and possibly the development of 3D semiconductor circuits rather than stacked 2D ones. We are still worried about making them the old-fashioned way.


hackaday.com/2025/01/06/growin…


Before GPS There Was LORAN



We found it nostalgic to watch [ve3iku] fire up an old Loran-A receiver and, as you can see in the video below, he got it working. If you aren’t familiar with LORAN, it was a common radio navigation technique before GPS took over everything.

LORAN — an acronym for Long Range Navigation — was a US byproduct of World War II and was similar in many ways to Britain’s Gee system. However, LORAN operated at lower frequencies to improve its range. It was instrumental in helping convoys cross the Atlantic and also found use in the Pacific theater.

youtube.com/embed/CAYVwltGHSQ?…

How it Worked


The video shows a Loran-A receiver, which, in its day, would have been known as LORAN. The A was added after versions B and C appeared. Back in the 1940s, something like this with a CRT and precision electronics would have been very expensive.

Unlike GPS, keeping a highly synchronized clock over many stations was impractical at the time. So, LORAN stations operated in pairs on different frequencies and with a known distance between the two. The main station sends a blip. When the secondary station hears the blip, it sends its own blip. Sometimes there were multiple secondaries, too.

If you receive both blips, you can measure the time between them and use it to get an idea of where you are. Suppose the stations were 372 miles apart. That means the secondary will hear the blip roughly 2 milliseconds after the primary sends it (the speed of light is about 186 miles per millisecond). You can characterize how much the secondary delays, so let’s just say that’s another millisecond.

Reception


Now both transmitted blips have to make it to your receiver. Let’s take a silly example. Suppose you are on top of station B. You’ll hear station A at the same time station B hears it. Then, when you subtract out the delay for station B, you’ll hear its blip immediately. You could easily guess you were 372 miles from station A.

It is more likely, though, that you will be somewhere else, which complicates things. If you find there is a 372-mile difference in your distance from station A to station B, that could mean you were 186 miles away from each station. Or, you could be 202 miles from station A and 170 miles from station B.

If you plot all the possibilities, you’ll get a hyperbolic curve. You are somewhere on the curve. How do you know where? You take a reading on a different pair of transmitters, and the curves should touch on two points. You are on one of those points.

This is similar to stellar navigation, and you usually have enough of an idea where you are to get rid of one of the points as ridiculous. You do, however, have to take into account the motion of your vehicle between readings. If there are multiple secondary stations, that can help since you can get multiple readings without switching to an entirely new pair. The Coast Guard video below explains it graphically, if that helps.
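The timing and hyperbola reasoning of the last few paragraphs, carried through in Python as an added worked example (not code from the video or the Coast Guard film). Station positions, the secondary's fixed delay and the receiver positions are constructed values, chosen so the numbers match the text's 186 miles per millisecond and 372-mile baseline; Newton's method from the dead-reckoning guess is the assumed way of picking the nearer of the two curve crossings.

```python
"""LORAN-style hyperbolic fix, as an added worked example.

Not code from the video or the Coast Guard film: the station positions,
the secondary's coding delay and the receiver positions are constructed
values, chosen so the numbers match the text (186 miles per millisecond).
"""
import math

C_MILES_PER_MS = 186.0  # speed of light, rounded as in the text


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def observed_delay_ms(primary, secondary, coding_delay_ms, receiver):
    """Time between hearing the primary's blip and hearing the secondary's.

    The secondary transmits only after it hears the primary and has waited
    its fixed, published coding delay."""
    t_primary = dist(primary, receiver) / C_MILES_PER_MS
    t_secondary = (dist(primary, secondary) / C_MILES_PER_MS
                   + coding_delay_ms
                   + dist(secondary, receiver) / C_MILES_PER_MS)
    return t_secondary - t_primary


def range_difference_miles(primary, secondary, coding_delay_ms, delay_ms):
    """Invert one reading: d(receiver, primary) - d(receiver, secondary).

    This difference is constant along one hyperbola with the two stations
    as its foci; those are the curves printed on the navigator's chart."""
    baseline = dist(primary, secondary)
    return baseline + C_MILES_PER_MS * (coding_delay_ms - delay_ms)


def fix_from_two_pairs(pairs, readings, guess, iterations=25):
    """Intersect two hyperbolas with Newton's method from a rough position.

    pairs:    [(primary, secondary, coding_delay_ms), ...] (two entries)
    readings: the matching observed delays in ms
    guess:    where you think you are; the iteration converges to the
              crossing nearest it, which is how the other, 'ridiculous'
              crossing on the chart gets discarded."""
    targets = [range_difference_miles(p, s, cd, r)
               for (p, s, cd), r in zip(pairs, readings)]
    x, y = guess
    for _ in range(iterations):
        f, j = [], []
        for (p, s, _cd), target in zip(pairs, targets):
            dp, ds = dist((x, y), p), dist((x, y), s)
            f.append(dp - ds - target)
            # gradient of d(receiver, station) is the unit vector away from it
            j.append(((x - p[0]) / dp - (x - s[0]) / ds,
                      (y - p[1]) / dp - (y - s[1]) / ds))
        det = j[0][0] * j[1][1] - j[0][1] * j[1][0]
        if abs(det) < 1e-12:
            break
        # solve the 2x2 system J * step = -f by Cramer's rule
        dx = (-f[0] * j[1][1] + f[1] * j[0][1]) / det
        dy = (-f[1] * j[0][0] + f[0] * j[1][0]) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-9:
            break
    return x, y


# Constructed chain: primary A with two secondaries B and C, each 372 miles
# from A and each adding a 1 ms coding delay before answering.
STATION_A = (0.0, 0.0)
STATION_B = (372.0, 0.0)
STATION_C = (0.0, 372.0)
PAIRS = [(STATION_A, STATION_B, 1.0), (STATION_A, STATION_C, 1.0)]


def demo_fix(true_position=(150.0, 100.0), dead_reckoning=(140.0, 120.0)):
    """Simulate the two readings a receiver at true_position would take,
    then recover the position starting from the dead-reckoning guess."""
    readings = [observed_delay_ms(p, s, cd, true_position) for p, s, cd in PAIRS]
    return fix_from_two_pairs(PAIRS, readings, dead_reckoning)


if __name__ == "__main__":
    # the text's example: standing on top of station B
    print(observed_delay_ms(STATION_A, STATION_B, 1.0, STATION_B), "ms")
    print(range_difference_miles(STATION_A, STATION_B, 1.0, 1.0), "miles")
    print(demo_fix())
```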

youtube.com/embed/PDtHulWGMGg?…

Receiver Tech


The receiver was able to inject a rectangular pulse on both channels to use as a reference, which is what the video talks about being the “pedestal” (although the British typically called it a cursor).

LORAN could operate up to 700 nautical miles in the day, but nighttime propagation would allow measurements up to 1,400 nautical miles away. Of course, the further away you are, the less accurate the system is.

During the day, things were simple because you typically just got one pulse from each station. But at night, you could get multiple bounces, and it was much more difficult to interpret.

If you want to dive really deep into how you’d take a practical fix, [The Radar Room] has a very detailed video. It shows multiple pulses and uses a period-appropriate APN-4 receiver.

In Care Of…


The U.S. Army Air Force originated LORAN. The Navy was working on Loran-B, but later gave up on it and took over an Air Force project with similar goals. In 1957, the Coast Guard took over both systems and named them Loran-A and Loran-C and decided they weren’t acronyms anymore. Loran-A started going away in the mid-1970s, although some overseas systems were active well into the 1990s. Loran-C survived even longer than that.

Oddly, the development of LORAN took place in a radiation laboratory. GPS isn’t that different other than having super synchronized clocks, many transmitters, and some very fancy math.

Featured Image: Detail of USAF special Loran chart. (LS-103) from the David Rumsey Map Collection, David Rumsey Map Center, Stanford Libraries.


hackaday.com/2025/01/06/before…


Cassette Tape Plays MP3s



Cassette tapes were a major way of listening to (and recording) music throughout the 1980s and 1990s and were in every hi-fi stereo, boom box, and passenger vehicle of the era. Their decline was largely a result of improvements in CD technology and the rise of the MP3 player, and as a result we live in a world largely absent of this once-ubiquitous technology. There are still a few places where these devices crop up, and thanks to some modern technology their capabilities as a music playback device can be greatly enhanced.

The build starts, as one might expect, by disassembling the cassette and removing the magnetic tape from the plastic casing. With the interior of the cassette empty it’s capable of holding a small battery, USB-C battery charger, and a Bluetooth module. The head of an old tape deck can be wired to the audio output of the Bluetooth module and then put back in place in the housing in place of the old tape. With the cassette casing reassembled, there’s nothing left to do but pair it to a smartphone or other music-playing device and push play on the nearest tape deck.

As smartphones continue to lose their 3.5 mm headphone jacks, builds like this can keep lots of older stereos relevant and usable again, including for those of us still driving older vehicles that have functioning tape decks. Of course, if you’re driving a classic antique auto with a tape technology even older than the compact cassette, there are still a few Bluetooth-enabled options for you as well.

youtube.com/embed/yFBVTpooZD0?…


hackaday.com/2025/01/06/casset…


One Small Step: All About Stepper Motors



The primary feature of stepper motors is listed right within their name: their ability to ‘step’ forwards and backwards, something which they (ideally) can do perfectly in sync with the input provided to their distinct coils. It’s a feature that allows the connected controller to know the exact position of the stepper motor, without the need for any sensor to provide feedback after a movement, saving a lot of hardware and effort in the process.

Naturally, this is the optimal case, and there is a wide range of different stepper motor configurations in terms of coil count, types of rotors and internal wiring of the coils, as well as complications such as skipped steps due to mechanical or driver issues. Despite this, in general stepper motors are quite reliable, and extremely versatile. As a result they can be found just about anywhere where accurate, step-based movement is desirable, such as (3D) printers and robotics.

For each application the right type of stepper motor and driving circuit has to be determined, of course, as there are also many reasons why you might not want to use them at all, or at least not a particular type. When diving into a new stepper motor-based project, exactly what are the considerations to pay attention to?

Stepper Motor Types

Exploded view of a 28BYJ-48 stepper motor. (Credit: Cookie Robotics)

Every stepper motor has a stator and rotor, effectively like any other electric motor. Their unique feature is the segmented nature of the stator, forming what are commonly referred to as ‘teeth’. These stator teeth are used for the coils, which align with either a permanent magnet ring, a soft iron core or both on the rotor. Much like with other electric motors the stator coils rotate the rotor, but due to this segmented design activating one coil can make the rotor progress one step in a very deterministic fashion. By successively activating these coils, the rotor follows the magnetic field being generated, ‘stepping’ forward by a set amount on the output shaft.

As an example of a basic form, take a unipolar coil design with a permanent magnet (PM) core, such as the very common 28BYJ-48. This stepper motor features 8 ‘teeth’ on the stator, driven by two coils wound as two levels (top and bottom) with a common center tap, giving a total of five control lines. This makes it a four-phase design, with four lines, two of which are energized in turn to move the rotor, and one common line.

Although many schematic diagrams show pronounced teeth on the stator and/or rotor, this doesn’t have to be the case, as evidenced by e.g. this teardown of a 28BYJ-48 stepper motor by Cookie Robotics. The stator and its teeth are here formed by two coils, each encased in a metal plate with ‘claws’, as is typical for a tin-can stepper motor design. The metal claws are magnetized when the corresponding coil is energized, creating the north and south poles affecting the smooth permanent magnet rotor. This latter rotor’s magnet has a total of 8 alternating north-south pairs.
Single coil and claws section of a 28BYJ-48 stepper motor illustrated with current direction and resulting claw magnetization. (Credit: Cookie Robotics)

The choice of a PM rotor in this particular stepper motor is likely due to simplicity, while also providing decent torque when moving as well as when unpowered. Also known as cogging torque, detent torque is a property of PM rotor electric motors where the interaction between the stator and PM rotor resists movement of the latter. While useful in stepper motors for resisting a position change, it also means a lower speed and resolution compared to the alternatives, which are:

  • Variable reluctance core (VRC) in which the soft iron rotor has temporary magnetism due to the powered stator coils. This provides a faster speed and higher precision, but lower torque and no detent torque.
  • Hybrid form, where the rotor has both PM and VRC elements, combining their advantages. The main disadvantage is the much more complex rotor construction and thus higher stepper motor cost.

What is also of note here is the gear train on the 28BYJ-48. While a stepper motor can have a gear train, it’s an optional trade-off between speed and torque. Confusingly, the 28BYJ-48 appears to come with a wide range of gear ratios, ranging from 1/64 to 1/16 and so on. This is likely due to how there is not a single manufacturer for this stepper motor, and thus a single model name covers both the 5V and 12V version, and a wide spectrum of gear ratios. Ergo, caveat emptor.

Uni- And Bipolar

Bipolar Stepper Motor Driving Circuit (Credit: Monolithic Power)
The difference between unipolar and bipolar design is covered in this stepper motor overview by Monolithic Power. A unipolar stepper motor like the 28BYJ-48 has four phases, each of which is controlled by turning the coil on or off, requiring quite basic circuitry. This means that the current in each coil will always only travel in a single direction, ergo unipolar.

This contrasts with bipolar stepper motors, which do not have the common line and have only half the coils, but which can power each coil with the current travelling in either direction, ergo bipolar. Naturally, this precludes using a simple unipolar driver like a ULN2003 Darlington array, as these cannot invert the current.

The trade-off between uni- and bipolar stepper motors is thus basically one between driver complexity and motor complexity. Yet as bipolar stepper motor drivers become more affordable and prevalent, the unipolar motor's disadvantage of needing twice as much copper in its coils, and thus more weight and bulk, is unlikely to ever improve significantly.

Driver Circuits


At this point we have established that driving stepper motors requires activation of their coils in a sequence and manner that produces the desired effect on the output shaft. Here we have effectively four techniques to pick from:

  • Wave mode: activate just one phase in sequence.
  • Full-step mode: activate two phases adjoining the rotor’s orientation. Increases torque due to activation of two phases at the same time.
  • Half-step mode: alternates wave and full-step patterns to halve the step size. Torque is irregular, as sometimes two and sometimes one phase is active.
  • Microstepping: evolution of half-step whereby the current and thus the intensity of the magnetic field from one phase is varied.

Unsurprisingly, each step up from simple wave mode requires a more complex controller, and also increases the chance of skipping a step. Ready-made stepper motor drivers can be controlled in a wide range of ways: a simple step/direction interface, direct control of the stator phases, or even pulse-width modulation of the gate signals of the FETs in a bipolar stepper motor driver.
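To make the four stepping modes concrete, here is an added example (not code from the article or from any driver vendor) that generates the coil patterns a 4-phase unipolar motor such as the 28BYJ-48 expects, tracks the output-shaft angle through the gear train, and checks a command stream for jumps that would ask the motor to skip. The coil order A, B, C, D, the 32 full steps per rotor revolution and the nominal 1:64 reduction are assumptions for illustration; as the text notes, real 28BYJ-48 units vary, so check your own datasheet before trusting the angle math.

```python
"""Step-sequence generator and skip checker for a 4-phase unipolar stepper.

A pattern is a 4-tuple of coil states (A, B, C, D), 1 = energised. Through a
ULN2003 each bit maps to one GPIO pin, so a pattern is simply what you write
to the four pins on each step. Coil order and motor constants are assumed.
"""
from typing import Dict, List, Optional, Tuple

Pattern = Tuple[int, int, int, int]

# Wave mode: exactly one coil on at a time.
WAVE: List[Pattern] = [(1, 0, 0, 0), (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1)]
# Full-step mode: two adjacent coils on, same step size as wave, more torque.
FULL: List[Pattern] = [(1, 1, 0, 0), (0, 1, 1, 0), (0, 0, 1, 1), (1, 0, 0, 1)]
# Half-step mode: interleave the two tables (A, AB, B, BC, ...), halving the
# step size at the cost of alternating one-coil / two-coil torque.
HALF: List[Pattern] = [p for pair in zip(WAVE, FULL) for p in pair]

MODES: Dict[str, List[Pattern]] = {"wave": WAVE, "full": FULL, "half": HALF}


def step_sequence(mode: str, steps: int, direction: int = 1,
                  start: int = 0) -> List[Pattern]:
    """Return the patterns to output for `steps` steps in the given mode.

    direction=+1 walks the table forwards, -1 backwards (reverses rotation).
    The table index wraps modulo its length, so the sequence continues
    cleanly across revolutions of the pattern table.
    """
    table = MODES[mode]
    n = len(table)
    idx = start % n
    out: List[Pattern] = []
    for _ in range(steps):
        idx = (idx + direction) % n
        out.append(table[idx])
    return out


def shaft_angle(steps: int, mode: str, rotor_steps_per_rev: int = 32,
                gear_ratio: int = 64) -> float:
    """Output-shaft rotation in degrees after `steps` steps.

    rotor_steps_per_rev is the full-step count per rotor revolution (32 is
    assumed for the 28BYJ-48; half-step mode doubles it). gear_ratio is the
    reduction stage (1:64 nominal here; real units differ).
    """
    per_rev = rotor_steps_per_rev * (2 if mode == "half" else 1)
    return 360.0 * steps / (per_rev * gear_ratio)


def find_skips(mode: str, seq: List[Pattern]) -> List[int]:
    """Return positions i where seq[i] is not the table neighbour of seq[i-1].

    A legal command stream moves exactly one table entry per step in either
    direction, or holds the same pattern (a dwell, which keeps holding
    torque). Anything else (a jump of two entries, or a pattern that does
    not belong to this mode's table) would ask the rotor to leap and is the
    kind of stream that causes a skipped step. Useful as a sanity check on
    sequences before they reach the pins.
    """
    table = MODES[mode]
    n = len(table)
    idx: List[Optional[int]] = [table.index(p) if p in table else None
                                for p in seq]
    bad: List[int] = []
    for i in range(1, len(seq)):
        a, b = idx[i - 1], idx[i]
        if a is None or b is None or (b - a) % n not in (0, 1, n - 1):
            bad.append(i)
    return bad


if __name__ == "__main__":
    for mode in MODES:
        seq = step_sequence(mode, 8)
        print(mode, seq, "skips:", find_skips(mode, seq))
    # One full output revolution in half-step mode under the assumed constants.
    print("half-steps per output rev:", 4096, "->", shaft_angle(4096, "half"), "deg")
```

The skip checker only catches errors in what the controller commands; a mechanically overloaded motor can still lose steps with a perfectly legal sequence, which is exactly why steppers without feedback should be re-homed periodically in any application where position matters.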

Picking the correct driver is of course completely project-dependent, and reliant on how much control you need over the stepper motor, as well as your budget for said driver. It might even be that what you actually want is a servo motor, as also pointed out in Douglas W. Jones’ excellent tutorial on controlling stepper motors.

General Disadvantages


As useful as stepper motors are, they have a number of clear disadvantages, not least their constant current draw. As there is no mechanical mechanism to hold the rotor in place, their ability to hold position and generate torque is determined purely by the energised coils and whatever magnetism the rotor may have.

This means that they are not a great choice for low-power applications, or where high load torque is a requirement. In the case of the 28BYJ-48 which we looked at in this article, that current is 240 mA typical at 5VDC, per the datasheet.

All of this has to be weighed against the ease of driving them, their (often) low cost and their lack of need for a closed feedback loop. While a reduction gear train as in the 28BYJ-48 helps to increase torque, ultimately stepper motors are primarily about what's in their name: stepping in a (usually) deterministic fashion.

Featured image: Still from [Lauri Rantala]’s first steps into stepper driving.


hackaday.com/2025/01/06/one-sm…


The miseducation of Jan 6


HAPPY NEW YEAR. This is Digital Politics. I'm Mark Scott, and as many of us head back to work after the holiday season, I bring you live footage of my first day in the office. Be gentle.

Before we begin, a logistics note: I'm teaming up with Ben Whitelaw (and his excellent Everything in Moderation newsletter) and Georgia Iacovou (and her equally good Horrific/Terrific newsletter) for an in-person discussion/drinks about tech policy in 2025.

If you're in London on Jan 30, sign up to attend, for free, here.

— Jan 6 marks the four-year anniversary of the deadly attack on Capitol Hill. Social media's willingness to police content in the United States has only diminished since then.

— The New Year brings renewed efforts to corral artificial intelligence. Not all these governance attempts will work out.

— Ever wondered how the European Union's Digital Services Act actually works? I've got a chart for that.


Beware those who say all is well


JAN 6 MARKS ONE OF THE DARKEST DAYS in modern US history. Just two months after Joe Biden beat Donald Trump in securing the White House, a violent mob of roughly 2,000 people attacked the United States Capitol Building. Many believed the November 2020 election had been stolen from Trump — and they wanted to take it back. The insurrection eventually cost the lives of 9 individuals, including four police officers who committed suicide in the aftermath. Around 1,600 defendants have pleaded guilty to charges related to Jan 6, and another 200 have been convicted after trials. For a full breakdown, read the US House Select Committee to Investigate the Jan 6 Attacks final report.

You're probably familiar with all these facts — many of which are now openly questioned by those seeking to rewrite history. But, over the break, I found myself revisiting the leaked internal Facebook documents from Frances Haugen. Yes, it was quite a vacation. I had access to them, during my time at POLITICO, after we joined a consortium of other media outlets that were also granted access to this treasure trove of information — much of which related to how Facebook handled crises like that of Jan 6. The Wall Street Journal's Jeff Horwitz had been given a first crack at the documents.


Re-reading Facebook's approach to the build-up to Jan 6 (and subsequent violence on the day), based on these leaked documents, was troubling. They paint a picture of a social media giant struggling to come to terms with the coordinated efforts to spread the "Stop the Steal" message on its platform; an unwillingness to tackle so-called 'harmful non-violating narratives,' or posts that did not explicitly break the company's terms of service; and internal content algorithms that, within days, promoted QAnon theories to a mass audience. Meta subsequently banned QAnon-linked posts from its platforms.

"We recently saw non-violating content delegitimizing the US election results go viral on our platforms," according to an internal analysis of what happened on Facebook in the build-up to Jan 6. "Retrospectively, external sources told us that the on-platform experiences on this narrative may have had substantial negative impacts, including contributing materially to the Capitol riot."

Well, duh.

To be fair to Facebook, the platform was not the only engine for how conspiracy theories around the 2020 election spread. Speaking as someone enmeshed in that world four years ago: social media, writ large, was a major catalyzing factor in how those lies circulated. At the center of that coordination were fringe platforms, most notably Telegram, where little, if any, content moderation existed or, even now, exists. Such sophisticated online communities had flourished during the Covid-19 pandemic.

Within that context, Facebook should be considered a good corporate citizen, even if internal documents revealed it failed to clamp down on how election-related conspiracies fueled, in part, online anger and, eventually, offline violence.

For more on social media's impact on Jan 6, read the House Committee's own findings here, and an analysis of that investigation here.

It's indisputable that social media emboldened those who disliked the outcome of the 2020 US presidential election to take to the streets on Jan 6. What the Haugen documents reveal, at least within Facebook, were internal processes not adequately set up to handle such unprecedented domestic US political events. They show legitimate concerns around infringing people's free speech becoming entangled with the political realities of Facebook executives not wanting to be seen as taking sides in a highly contentious election. They highlight internal Facebook teams (whose counterparts also existed at YouTube and Twitter) struggling to get senior managers to respond quickly enough to dampen conspiracy theories that morphed into real-world violence.

But one overriding niggle I couldn't shake when re-reading these hundreds of pages of internal Facebook angst was that, in early 2025, they sounded exceedingly quaint given how much social media giants have changed over the last four years.

Yes, the likes of YouTube, Instagram and TikTok still have strong approaches toward foreign interference, even when state-backed meddling outside the US remains rife on these platforms. They also have highly robust terms of service stating that illegal online content like hate speech and overt calls to violence will not be tolerated. They speak eloquently about the threat of disinformation created via generative AI, and how they are working, as an industry, to thwart such abuse.

And yet, would any of these platforms take similar measures, in 2025, to throttle the spread of overtly political conspiracy theories, even those associated with offline actions, as they did four years ago? Honestly, I'm not so sure.


Many of the election integrity and trust and safety teams at these platforms have been culled to almost insignificance. Some firms, like Elon Musk's rebranded X, have embraced an all-or-nothing vision of free speech that fundamentally misunderstands how the First Amendment applies to such private networks. With Trump's return to the White House only weeks away, many of these platforms' chief executives are doing whatever they can to stay on the right side of arguably the most powerful person in the world. A politician, it is worth noting, who was banned from all mainstream social media platforms in the wake of Jan 6.

In this new political environment, two things are happening. First, there is an ongoing effort to reshape the content moderation discussion within the US (one most evident in the debate over social media's role around Jan 6) toward the view that platforms have gone too far in quelling people's free speech. (We'll come back to why that's happening in subsequent newsletters.) Second, given this emphasis on free speech fundamentalism, social media giants are now unwilling to "break the glass" to throttle people's problematic online posts in times of emergency.

Before I get angry emails, I understand that companies say they will enforce existing terms of service on all users, and that content moderation, especially around elections, is paramount. I also understand that people within these firms are still trying to live by that ethos.


Chart of the Week


The EU's social media laws are almost one year old. Investigations into the likes of Meta, X and TikTok abound. But how does the bloc's rulebook actually operate?

Cardiff University's Nora Jansen put together this (very complicated) overview of how all the pieces of the DSA puzzle interlink.

It includes regulators like the European Commission and national Digital Services Coordinators. It includes outside groups like auditors and 'trusted flaggers.' It includes the Very Large Online Platforms and Search Engines.

To say the structure is complex would be an understatement.
Chart source: https://shorturl.at/XyZ1V


They said what, now?


"As a new year begins, I have come to the view that this is the right time for me to move on from my role as President, Global Affairs at Meta," Nick Clegg, the former UK deputy prime minister, wrote on his Facebook page. "And no one could pick up from where I’ve left off with greater skill and integrity than my deputy, Joel Kaplan."


AI governance at the beginning of 2025


I HAVE GOOD NEWS AND BAD NEWS for those interested in the policing of next generation artificial intelligence systems. In late December, South Korea became the second jurisdiction after the EU to pass comprehensive AI rules. That's no mean feat given the country's recent political turmoil. The AI Safety Institutes of the US and United Kingdom also conducted a joint evaluation of OpenAI's latest model in what is expected to become standard practice before other firms release their own models into the wild. In early February, French President Emmanuel Macron will welcome the great-and-the-good (and me) to Paris for the country's AI Action Summit, an effort to shepherd the technology toward the light and away from apocalyptic uses.

This year will also see AI governance efforts gain steam in the EU, via its AI Act, the Council of Europe, via its AI Convention, and in other regions where policymakers are charting their own path to harness the technology for economic development.

That's the good news. Now here comes the bad. I'm not sure this will end well. I had promised not to be a 'fun sponge' this year, and I do believe we'll see new forms of AI governance take root in 2025. I'm just not convinced it's the type of governance many of us had envisioned.


Let's take the EU's AI Act. If you listen to the bloc's leaders, the legislation will both corral the worst-case scenarios while unleashing Europe's economic potential. It is expected to be the gold standard on which others — like South Korea — will base their own legislation. It will equally be a hands-off means to jumpstart growth and a regulatory deterrent to stop firms from abusing the technology. What's not to like?

And yet, in early 2025, we're still 18 months away from all parts of the AI Act coming into force. Yes, some of the most stringent provisions, including those on banned AI use cases, will kick in next month. But we're still a long way from a meaningful regulatory rulebook, and even Brussels' AI Office, the linchpin for the European Commission's implementation of the AI Act, is still working with a skeleton crew (it's still hiring). Effective regulatory oversight, as of Jan 6, 2025, it is not.

That takes us to the other side of the Atlantic where the future of the US AI Safety Institute — and pretty much all of Joe Biden's White House Executive Order on AI — is up in the air ahead of Donald Trump's swearing in ceremony on Jan 20. Publicly, the future US president has said he will kill his predecessor's AI governance plans. I'm not so sure. The Trump 1.0 Administration passed its own Executive Order on AI, and incoming tech policymakers like Lynne Parker may temper efforts to quash all forms of AI governance.

And yet, that leaves the US AI Safety Institute, whose mandate includes spearheading much of this policy work, in limbo until those political decisions are made. It also places Washington's position in broader global discussions around AI governance — including those to be held in Paris on Feb 10-11 at the AI Action Summit — on equally shaky ground.

My best guess is that Trump 2.0 keeps some, but not all, of Biden's AI efforts, especially those related to national security and economic productivity. Having AI experts in senior positions in all federal agencies, for instance, is just good politics.

Given the US AI Safety Institute sits within the US Commerce Department, I would also bet it survives under the incoming administration. But I wouldn't put much money on the White House pushing anything more than voluntary commitments for AI companies when it comes to transparency, accountability and greater oversight.

Here's one wild card for you: the United Nations. Its AI Advisory Body has already called for global AI governance efforts to mostly fall under the international body's remit. That would allow the likes of China and Russia to have equal say as democratic countries. Something that hasn't exactly worked out well for the UN's separate Cybercrime Treaty.

Watch out for more power grabs by the UN over how AI systems are governed during 2025. It's 100 percent legitimate that the international body wants to make such discussions more equitable, including for Global Majority countries. But if these negotiations lead to authoritarian governments running roughshod over fundamental rights, then we will start to have a problem.


What I'm reading


— The US Treasury Department added a number of Russian and Iranian nationals to its sanction list related to cyber attacks and foreign interference. More here.

— Julie Inman Grant, Australia's eSafety Commissioner, explained the importance of newly-created codes of practice under the country's Online Safety Act. More here.

— The outgoing Italian G7 Presidency finalized reporting frameworks for how the most advanced forms of AI would be overseen. More here.

— Researchers at the Friedrich Naumann Foundation for Freedom outlined China's ever-evolving tactics to cyber operations and disinformation. More here.

— Ahead of the TikTok hearing in the US Supreme Court on Jan 10, here's an overview of the amicus briefs related to the case.



digitalpolitics.co/newsletter0…


Turns Out Humans Are Terrible At Intuiting Knot Strength



We are deeply intuitively familiar with our everyday physical world, so it was perhaps a bit of a surprise when researchers discovered a blind spot in our intuitive physical reasoning: it seems humans are oddly terrible at judging knot strength.
One example is the reef knot (top) vs. the grief knot (bottom). One is considerably stronger than the other.
What does this mean, exactly? According to the researchers, people presented with different knots in simple applications and asked which knot was stronger or weaker were consistently unable to tell. This failure isn't because people couldn't see the knots clearly, either. Each knot's structure and topology were made abundantly clear (participants were able to match knots to their schematics accurately), so it's not a failure to grasp the knot's structure; it's specifically judging a knot's relative strength that seems to sit in some kind of blind spot.

Check out the research paper for all the details on how things were conducted; it really does seem that a clear understanding of a knot’s structure does not translate to being able to easily intuit which knot will fail first, even when the difference is a considerable one. There’s a video demonstration and an online version of the experiments if you’d like to try your hand at it.

It’s always interesting to discover more about our own blind spots, in part because exploiting them can result in nifty and delightful sensory illusions. We wonder if robots are any better with knots than humans?


hackaday.com/2025/01/06/turns-…


Mechanical Calculator Finds Derivatives



We like mechanical calculators like slide rules, but we have to admit that we had not heard of the Ott Derivimeter that [Chris Staecker] shows us in a recent video. As the name implies, the derivimeter finds the derivative of a function. To do that, you have to plot the function on a piece of paper that the meter can measure.

If you forgot calculus or skipped it altogether, the derivative is the rate of change. If you plot, say, your car's speed vs. time, the parts where you accelerate or decelerate will have a larger derivative (positive when accelerating, negative when decelerating). If you hold a steady speed, the derivative will be zero.

To use the derivimeter, you sight the curve through the center glass and rotate the device until the cursor, a lens and mirror system, lines up precisely with the tangent to the curve at the point of interest. You can then read off the angle of that tangent line and convert it to the actual derivative, which is the slope of the tangent, using a table of tangents.

[Chris] has another derivimeter from Gerber. However, he found a different type of derivimeter that uses a prism, and he sure would like to find one of those for his collection.

Calculus is actually useful and not as hard as people think if you get the right explanations. This isn’t exactly a slide rule, but since it is a mechanical math device, we think it counts anyway.

youtube.com/embed/w4Wdjz2uiPY?…


hackaday.com/2025/01/06/mechan…