A Modern Battery For a Classic Laptop
Aside from their ability to operate fairly well in extreme temperatures, lead-acid batteries don’t have many benefits compared to more modern battery technology. They’re heavy, not particularly energy dense, have limited charge cycles, and often can’t be fully discharged without damage or greatly increased wear. With that in mind, one can imagine that a laptop that uses a battery like this would be not only extremely old but also limited by this technology. Of course, in the modern day we can do a lot to bring these retro machines up to modern standards like adding in some lithium batteries to this HP laptop.
Simply swapping the batteries in this computer won’t get the job done though, as lead-acid and lithium batteries need different circuitry in order to be safe while also getting the maximum amount of energy out. [CYUL] is using a cheap UPS module from AliExpress which comes with two 18650 cells to perform this conversion, although with a high likelihood of counterfeiting in this market, the 18650s were swapped out with two that were known to be from Samsung. The USB module also needs to be modified a bit to change the voltage output to match the needs of the HP-110Plus, and of course a modernized rebuild like this wouldn’t be complete without a USB-C port to function as the new power jack.
[CYUL] notes at the end of the build log that even without every hardware upgrade made to this computer (and ignoring its limited usefulness in the modern world) it has a limited shelf life as the BIOS won’t work past 2035. Hopefully with computers like this we’ll start seeing some firmware modifications as well that’ll let them work indefinitely into the future. For modern computers we’ll hope to avoid the similar 2038 problem by switching everything over to 64 bit systems and making other software updates as well.
Crafting a Cardboard Tribute to Puzzle Bobble
What do you get when you cross cardboard, deodorant rollers, and a love for retro gaming? A marvel of DIY engineering that brings the arcade classic Puzzle Bobble to life—once again! Do you remember the original Puzzle Bobble aiming mechanism we featured 12 years ago? Now, creator [TomTilly] has returned with a revamped version, blending ingenuity with a touch of nostalgia. [Tom] truly is a Puzzle Bobble enthusiast. And who could argue that? The game’s simplicty makes for innocent yet addictive gameplay.
[Tom]’s new setup recreates Puzzle Bobble’s signature aiming mechanic using surprising materials: deodorant roller balls filled with hot glue (to diffuse LED colours), bamboo skewers, and rubber bands. At its heart is an Arduino UNO, which syncs the RGB LED ‘bubbles’ and a servo-driven aiming arm to the game’s real-time data. A Lua script monitors MAME’s memory locations to match the bubble colours and aimer position.
But this isn’t just a static display. [Tom] hints at a version 2.0: a fully functional controller complete with a handle. Imagine steering this tactile masterpiece through Puzzle Bobble’s frantic levels!
Need more inspiration? Check out other quirky hacks like [Tom]’s deodorant roller controller we featured in 2023. Whether you’re into cardboard mechanics or retro gaming, there’s no end to what clever hands can create.
youtube.com/embed/uzLQa7_EQDE?…
Programming Ada: Atomics and Other Low-Level Details
Especially within the world of multi-threaded programming does atomic access become a crucial topic, as multiple execution contexts may seek to access the same memory locations at the same time. Yet the exact meaning of the word ‘atomic’ is also essential here, as there is in fact not just a single meaning of the word within the world of computer science. One type of atomic access refers merely to whether a single value can be written or read atomically (e.g. reading or writing a 32-bit integer on a 32-bit system versus a 16-bit system), whereas atomic operations are a whole other kettle of atomic fish.
Until quite recently very few programming languages offered direct support for the latter, whereas the former has been generally something that either Just Worked
In the case of Ada there has been a reluctance among the language designers to add support for atomic operations to the language, with the (GNU) toolchain offering the same intrinsics as a fallback. With the Ada 2022 standard there is now direct support in the System.Atomic_Operations library, however.
Defining Atomic Operations
As mentioned earlier, the basic act of reading or writing can be atomic based on the underlying architecture. For example, if you are reading a 32-bit value on a fully 32-bit system (i.e. 32-bit registers and data bus), then this should complete in a single operation. In this case the 32-bit value read cannot suddenly have 8 or 16-bits on the end that were written during said reading action. Ergo it’s guaranteed to be atomic on this particular hardware platform. For Ada you can use the Atomic pragma to enforce this type of access. E.g.:
A : Unsigned_32 with Atomic;
A := 0;
A := A + 1;
-- This generates:
804969f: a1 04 95 05 08 mov 0x8059504,%eax
80496a4: 40 inc %eax
80496a5: a3 04 95 05 08 mov %eax,0x8059504
Now imagine performing a more complex operation, such as incrementing the value (a counter) even as another thread tries to use this value in a comparison. Although the first thread’s act of reading is atomic and writing the modified value back is atomic, this set of operations is not, resulting in a data race. There’s now a chance that the second thread will read the value before it is updated by the first, possibly causing the second thread to miss the update and requiring repeated polling. What if you could guarantee that this set of atomic operations was itself atomic?
The traditional way to accomplish this is through mutual exclusion mechanisms such as the common concept of mutexes. These do however come with a fair amount of overhead when contended due to the management of the (implementation-defined) mutex structures, the management of which uses the same atomic operations which we could directly use as well. As an example there are LOCK XADD (atomic fetch and add) and LOCK CMPXCHG (atomic compare and exchange) in the x86 ISA which a mutex implementation is likely to use, but which we’d like to use for a counter and comparison function in our own code too.
Reasons To Avoid
Obviously, having two or more threads compete for the same resources is generally speaking not a great idea and could indicate a flaw in the application’s architecture, especially in how it may break modularity. Within Ada an advocated approach has been to use protected objects and barriers within entries, which provides language-level synchronization between tasks. A barrier is defined using the when keyword, followed by the condition that has to evaluate to true before execution can continue.
From a more low-level programming perspective as inspired by C code and kin, the use of directly shared resources makes more sense, and can be argued to have performance benefits. This contrasts with the philosophy behind Ada, which argues that neither safety nor ease of maintenance should ever be sacrificed in the name of performance. Even so, if one can prove that it is in fact safe and does not invite a maintenance nightmare, it could be worth supporting.
One might even argue that since people are going to use this feature anyway – with toolchain intrinsics if they have to – one may as well provide a standard library version. This is something that could be immensely helpful to newcomers as well, as evidenced by my recent attempt to port a lock-free ring buffer (LFRB) from C++ to Ada and running into the atomic operations details head-first.
Fixing A Lock-Free Ring Buffer
In my original Ada port of the LFRB I had naively taken the variables that were adorned with the std::atomic STL feature and replaced that with the with Atomic; pragma, blissfully unaware of this being actually an improvement over the ‘everything is implementation dependent and/or undefined behavior’ elements in C++ (and C). Since I insisted on making it a straight port without a major redesign, it would seem that here I need to use this new Ada 2022 library.
Since the code uses both atomic operations on Boolean and Integer types we need the following two packages:
with System.Atomic_Operations.Integer_Arithmetic;
with System.Atomic_Operations.Exchange;
These generic packages of course also need to have a specific package defined for our use:
type Atomic_Integer is new Integer with Atomic;
package IAO is new System.Atomic_Operations.Integer_Arithmetic(Atomic_Integer);
type Atomic_Boolean is new Boolean with Atomic;
package BAO is new System.Atomic_Operations.Exchange(Atomic_Boolean);
These new types are defined as being capable of atomic read and write operations, which is a prerequisite for more complex atomic operations and thus featured in the package instantiation. Using these types is required to perform atomic operations on our target variables, which are declared as follows:
dataRequestPending : aliased Atomic_Boolean;
unread : aliased Atomic_Integer;
The [url=https://en.wikibooks.org/wiki/Ada_Programming/Keywords/aliased]aliased[/url] keyword here means that the variable has to be in memory (i.e. have a memory address) and not just in a register, allowing it to be the target of an access (pointer) type.
When we want to perform an atomic operation on our variables, we use the package which we instantiated previously, e.g.:
IAO.Atomic_Subtract(unread, len);
IAO.Atomic_Add(free, len);
The first of which will subtract the value of len from unread followed by the second line which will add the same value to free. We can see that we are now getting memory barriers in the generated assembly, e.g.:
lock add DWORD PTR [rsp+4], eax #,, _10
Which is the atomic addition operation for the x86 ISA, confirming that we are now indeed performing proper atomic operations. Similarly, for booleans we can perform atomic operations such as assigning a new value and returning the previous value:
while BAO.Atomic_Exchange(dataRequestPending, false) loop
null;
end loop;
Atomic Differences
I must express my gratitude to the commentators to the previous LFRB Ada article who pointed out these differences between atomic in C++ (and C) and Ada. Along with their feedback there are also tools such as the Godbolt Compiler Explorer site where it’s quite easy to drop in some C++ and Ada code for comparison between the generated assembly, even across a range of ISAs. Since I did not consult any of these previously consider this article my mea culpa for getting things so terribly wrong earlier.
Correspondingly, before passing off the above explanation as the absolute truth, I will preface it by saying that it is my best interpretation of The Correct Way
For corrections and feedback, feel free to sound off in the comments.
Estensioni Chrome hackerate! 540.000 installazioni minacciano i tuoi dati
Venerdì scorso, l’azienda Cyberhaven specializzata nella prevenzione del furto di dati ha confermato di essere stata vittima di un attacco informatico lanciato la sera del 24 dicembre, che ha portato alla pubblicazione di una versione corrotta della sua estensione sul Chrome Web Store il 25 mattina. I team di sicurezza hanno impiegato quasi un giorno in più per rilevare l’attacco e altri 60 minuti per sostituire il plug-in dannoso (v24.10.4) con una versione sana (v24.10.5). All’alba del 26 tutto era tornato alla normalità, o quasi.
Estensioni Chrome hackerate: cosa hanno sfruttato i malintenzionati
Se Cyberhaven si è preso il tempo necessario prima di comunicare ufficialmente i dettagli di questo attacco, ora sappiamo cosa è successo. In modo del tutto classico, un dipendente sarebbe caduto vittima di un attacco di phishing particolarmente ben congegnato. Gli hacker sono poi riusciti a rubare le sue credenziali di connessione al Chrome Web Store per pubblicare una versione dannosa del plugin ufficiale. Secondo l’azienda, solo i browser Chromium configurati per aggiornare automaticamente le estensioni sarebbero a rischio.
Ma le conseguenze non sono meno importanti per la sicurezza dei dati. Secondo John Tuckner, ricercatore di Secure Annex, l’estensione corrotta, che conta più di 400.000 installazioni, conteneva codice in grado di esfiltrare sessioni autenticate e cookie su un server remoto. Tuttavia, tra i clienti di Cyberhaven che probabilmente utilizzeranno il suo plugin, troviamo grandi nomi come Snowflake, Motorola, Canon e persino Reddit.
Non un caso isolato
In seguito a questa scoperta, Jaime Blasco, un altro ricercatore, questa volta della Nudge Security, ha preso l’iniziativa di continuare l’indagine sulla base degli indirizzi IP e dei domini registrati sul server pirata. È emerso che l’attacco a Cyberhaven non è stato un caso isolato, ma parte di una serie di hack coordinati.
Blasco è stato infatti in grado di identificare che lo stesso codice dannoso era stato iniettato anche in altre quattro estensioni popolari, vale a dire Internxt VPN (10.000 installazioni, patchata il 29 dicembre), VPNCity (50.000, rimossa dallo store), Uvoice (40.000, patchata dicembre 31) e ParrotTalks (40.000, rimossi dallo store).
Come ciliegina sulla torta, Blasco ha scoperto anche altri domini che puntano a potenziali vittime, mentre Tuckner hanno confermato di aver identificato diverse altre estensioni contenenti lo stesso codice dannoso, ancora attive al 31 dicembre, tra cui Bookmark Favicon Changer, Castorus, Search Copilot AI Assistant per Chrome , VidHelper o assistente YesCaptcha. In totale, il set aggiuntivo di questi moduli compromessi ha accumulato fino ad oggi più di 540.000 installazioni.
Migliora la tua postura cyber per evitare di rimanere vittima
Se utilizzi una o più di queste estensioni compromesse, controlla innanzitutto che siano state aggiornate dopo il 31 dicembre. Altrimenti disinstallale immediatamente. Inoltre, reimposta le impostazioni del browser, elimina i cookie, modifica tutte le password, configura la 2FA e opta per le passkey quando possibile. Per aiutarti, considera l’utilizzo di un gestore di password sicuro.
In generale, limita il più possibile il numero di estensioni installate sul tuo browser e privilegia quelle di sviluppatori affidabili e reattivi. Controlla regolarmente le autorizzazioni concesse a ciascuno di essi: un controllo captcha non ha bisogno di accedere al tuo microfono, alla tua fotocamera o alla tua posizione GPS, ad esempio. Infine, monitora gli avvisi di sicurezza e valuta la possibilità di installare un antivirus affidabile per agire rapidamente in caso di un nuovo problema.
L'articolo Estensioni Chrome hackerate! 540.000 installazioni minacciano i tuoi dati proviene da il blog della sicurezza informatica.
2024: As The Hardware World Turns
With 2024 now officially in the history books, it’s time to take our traditional look back and reflect on some of the top trends and stories from the past twelve months as viewed from the unique perspective Hackaday affords us. Thanks to the constant stream of tips and updates we receive from the community, we’ve got a better than average view of what’s on the mind of hardware hackers, engineers, and hobbyists.
This symbiotic relationship is something we take great pride in, which is why we also use this time of year to remind the readers just how much we appreciate them. We know it sounds line a line, but we really couldn’t do it without you. So whether you’ve just started reading in 2024 or been with us for years, everyone here at Hackaday thanks you for being part of something special. We’re keenly aware of how fortunate we are to still be running a successful blog in the era of YouTube and TikTok, and that’s all because people like you keep coming back. If you keep reading it, we’ll keep writing it.
So let’s take a trip down memory lane and go over just a handful of the stories that kept us talking in 2024. Did we miss your favorite? Feel free to share with the class in the comments.
Boeing’s Bungles
We’ll start off with what was undoubtedly one of the biggest stories in the tech and engineering world, although you’ll find little mention of it on the pages of Hackaday up until now. We’re talking, of course, of the dramatic and repeated failures of the once unassailable Boeing.
Nor did we cover the repeated delays of Boeing’s Starliner capsule, a crewed spacecraft that the company was paid $4.2 billion to build under NASA’s Commercial Crew Program — nearly double the sum SpaceX received for the development of their Crew Dragon.
Things only got worse once the capsule finally left the launch pad in June. With human lives in the balance, it seemed in poor taste for us to cover Starliner’s disastrous first crewed flight to the International Space Station. The mission was so fraught with technical issues that NASA made the unprecedented decision to send the capsule back to Earth without its crew onboard. Those two astronauts, Barry E. Wilmore and Sunita Williams, still remain on the ISS; their planned eight-day jaunt to the Station has now been extended until March of 2025, at which point they’ll be riding home on SpaceX’s capsule.
We won’t speculate on what exactly is happening at Boeing, although we’ve heard some absolutely hair-raising stories from sources who wish to remain anonymous. Suffice to say, as disheartening as it might be for us on the outside to see such a storied company repeatedly fumble, it’s even worse for the those on the inside.
Desktop 3D Printing Reshuffling
While the tectonic shifts in the desktop 3D printer market didn’t start last year, 2024 really seemed to be the point where it boiled over. For years the market had been at a standstill, with consumers essentially having two paths forward depending on what they were willing to spend.
Had $200 or $300 to play with? You’d buy something like an Ender 3, a capable enough machine if you were willing to put in the time and effort. Or if you could stand to part with $800, you brought a Prusa i3, and didn’t worry about the little details like bed leveling or missed steps because it was automated enough to just work most of the time.
But while Bambu’s printers have dazzled consumers, they bring along some unfortunate baggage. Suddenly 3D printing involves cloud connectivity, proprietary components, and hardware that was designed for production rather than repairability. In short, desktop 3D printing seems on the verge of breaking into the legitimate mainstream, with all the downsides that comes with it these days.
It’s wasn’t all bad news though. When the community started experimenting with running alternate firmware on their hardware, Bambu’s response was better than we’d feared: users would be allowed to modify their firmware, but would have to waive their warranty. It’s not a perfect solution, but considering Prusa did more or less the same thing in 2019 when they released the Mini, the community had already shown they would accept the compromise.
Speaking of Prusa, feelings on how they’ve decided to respond to this newfound competition have been mixed, to put it mildly. In developing their new Core ONE printer it looks like they’ve engineered a worthy opponent for Bambu’s X1, but unfortunately, it appears the company has all but abandoned their open source hardware roots in the process.
RP2350 Has a Rocky Start
The release of the Pi Pico development board made our list of highlights for 2021, and in the intervening years, the RP2040 microcontroller at its heart has become a favorite of makers and hackers. We’ve even used it for the last two Supercon badges at this point. So the fact that its successor made this year’s list should come as no surprise.
Ultimately, the erratum for the RP2350 was amended to better describe the nature of the issue. But as for an actual hardware fix, well that’s a different story. The WiFi-enabled version of the Pico 2 was released just last month, and it’s still susceptible to the same bug. Given that the hardware workaround for the issue — adding external pull-downs — isn’t expensive or complicated to implement, and that most users probably wouldn’t run into the problem in the first place, it seems like there’s no rush to produce a new version of the silicon.
Voyager 1 Shows its Age
Admittedly, any piece of hardware that’s been flying through deep space for nearly 50 years is bound to run into some problems, especially one that was built with 1970s era technology. But even still, 2024 was a rough year for humanity’s most distant explorer, Voyager 1.
The far-flung probe was already in trouble when the year started, as it was still transmitting gibberish due to being hit with a flipped-bit error in December of 2023. Things looked pretty grim for awhile, but by mid-March engineers had started making progress on the issue, and normal communication was restored before the end of April.
In celebration Dan Maloney took a deep-dive into the computers of Voyager, a task made surprisingly difficult by the fact that some of the key documentation he was after apparently never got never digitized. Things were still going well by June, and in September ground controllers were able to pull off a tricky reconfiguration of the spacecraft’s thrusters.
But just a month later, Voyager suffered another major glitch. After receiving a command to turn on one of its heaters, Voyager went into a fault protection mode that hadn’t been triggered since 1981. In this mode only the spacecraft’s low power S-band radio was operational, and there was initially concern that NASA wouldn’t be able to detect the signal. Luckily they were able to pick out Voyager’s faint cries for help, and on November 26th, the space agency announced they had established communications with the probe and returned it to normal operations.
While Voyager 1 ended 2024 on a high note, there’s no beating the clock. Even if nothing else goes wrong with the aging hardware, the spacecraft’s plutonium power source is producing less and less energy each year. Various systems can be switched off to save power, something NASA elected to do with Voyager 2 back in October, but eventually even that won’t be enough and the storied spacecraft will go silent for good.
CH32 Gains Momentum
We first got word of the CH32 family of low-cost RISC-V microcontrollers back in early 2023, but they were hard to come by and the available documentation and software toolchains left something to be desired. A 10¢ MCU sounds great, but what good is it if you can’t buy the thing or program it?
In May bitluni had clustered 256 of them together, another hacker had gotten speech recognition running on it, and there was even a project that aimed to turn the SOIC-8 variant of the chip into the world’s cheapest RISC-V computer.
We even put our own official stamp of approval on the CH32 by giving each and every attendee of Supercon 2024 one to experiment with. Not only did attendees get a Simple-Add On (SAO) protoboard with an onboard CH32, but the badge itself doubled as a programmer for the chip, thanks in no small part to help from [CNLohr].
Evolution of the SAO
The response was phenomenal. Compared to the more complex interfaces used in previous Supercon badges, focusing on the SAO standard greatly reduced the barrier of entry for those who wanted to produce their own modular add-ons in time for the November event. Instead of only a handful of ambitious attendees having the time and experience necessary to produce a modular PCB compatible with the badge, a good chunk of the ticket holders were able bring along SAOs to show off and trade, adding a whole new dimension to the event.
While it’s unlikely we’ll ever make another Supercon badge that’s quite as SAO-centric as we did in 2024, we hope that the experience of designing, building, and sharing these small add-ons will inspire them to keep the momentum going in 2025 and beyond.
Share Your 2024 Memories
Even if this post was four times as long, there’s no way we’d be able to hit on everyone’s favorite story or event from 2024. What would you have included? Let us know in the comments, and don’t be afraid to speculate wildly about what might be in store for the hacking and making world in 2025.
DIYFPV: A New Home for Drone Builders
If you’re looking to get into flying first-person view (FPV) remote controlled aircraft, there’s an incredible amount of information available online. Seriously, it’s ridiculous. In fact, between the different forums and the countless YouTube videos out there, it can be difficult to sort through the noise and actually find the information you need.
What if there was one location where FPV folks could look up hardware, compare notes, and maybe even meet up for the occasional flight? That’s the idea behind the recently launched DIYFPV. In its current state the website is a cross between a social media platform, a hardware database, and a tech support forum.
But the part of DIYFPV that has us the most interested is the interactive builder tool. As explained in the announcement video below, once this feature goes live, it will allow users to pick parts from the database and virtually wire them together. Parts are represented by high-quality illustrations that accurately represent connectors and solder pads, so you won’t be left guessing where you’re supposed to connect what. Schematics can be shared with others to help with troubleshooting or if you want to get feedback.
The potential here is immense. Imagine a function to estimate the mass of the currently selected electronics, or a simulation of how much current it will draw during flight. It’s not clear how far DIYFPV plans on taking this feature, but we’re eager to find out.
youtube.com/embed/0iD4j3tdXxA?…
Worldcoin: Il Futuro dell’Economia è Scritto nell’Iride?
Quando guardiamo nell’abisso dell’Intelligenza Artificiale, cosa vediamo? E cosa vede l’IA quando guarda noi? Sam Altman, soprannominato il “padre dell’IA” e CEO di OpenAI, si è fatto portatore di una rivoluzione tecnologica epocale, paragonata a invenzioni come la ruota e l’elettricità. Ma chi è davvero quest’uomo che promette di plasmare il futuro dell’umanità?
Nato nel 1985, Altman ha incontrato il suo destino all’età di 8 anni, quando ricevette in dono un Macintosh LC II. Da allora, la sua vita è stata un’inarrestabile ascesa nel mondo digitale. Tra gli oggetti più cari ad Altman c’è la mezuzah, un simbolo di fede e tradizione, una pergamena contenente due passaggi della Torah, custodita in un astuccio, a testimonianza delle sue radici culturali e del suo legame con l’eredità ebraica.
Dopo aver fondato Loopt e guidato Y Combinator, Altman ha co-fondato OpenAI, un’organizzazione che si propone di creare un’intelligenza artificiale “a beneficio dell’umanità”. Una missione nobile, ma che solleva interrogativi sul potenziale uso di una tecnologia così potente. Chi controllerà questa tecnologia e come verrà utilizzata?
Come Worldcoin punta a cambiare l’economia globale
Come Worldcoin punta a cambiare l’economia globale? In che modo Sam Altman e Alex Blania, cofondatore di Tools for Humanity, immaginano di raggiungere l’obiettivo di un’economia più equa? Il 17 ottobre 2024 in diretta da San Francisco, Altman e Blania hanno tenuto un evento live intitolato “A New World” (tenete a mente questo titolo), durante il quale hanno illustrato gli ultimi sviluppi del progetto. Il progetto Worldcoin, sviluppato dall’azienda Tools for Humanity fondata da Altman e Blania, si basa su un sistema che combina innovazioni tecnologiche con modelli economici inclusivi.
Sfruttando la potenza delle criptovalute e dell’intelligenza artificiale, mira a creare nuove opportunità di distribuzione delle risorse, affrontando problemi come la disuguaglianza economica e la mancanza di accesso ai servizi finanziari per molte persone. Uno degli elementi distintivi di Worldcoin è il World ID, un sistema di identificazione biometrica univoco basato sulla scansione dell’iride. Questo sistema è progettato per distinguere gli esseri umani dai bot, un’operazione sempre più cruciale nell’era dell’intelligenza artificiale, garantendo un accesso equo ai benefici della piattaforma.
Criptovalute: un sistema decentralizzato
Le criptovalute, come il famoso Bitcoin, sono nate con la promessa di essere un sistema finanziario decentralizzato, libero dal controllo di banche e governi. Sfruttando la tecnologia peer-to-peer, i computer di tutto il mondo si connettono tra loro, creando una rete in cui ogni nodo funziona sia come client che come server. Nessuno controlla la rete; solo algoritmi complessi garantiscono l’emissione e la validità delle monete digitali. A differenza di Bitcoin che si basa su un algoritmo di consenso di tipo Proof of Work, Ethereum, la blockchain su cui si basa Worldcoin, utilizza il protocollo Proof of Stake. Worldcoin, con la sua promessa di un “sistema economico più giusto”, si inserisce in questo contesto. Utilizza la tecnologia blockchain di Ethereum, che la differenzia per una distribuzione più equa e il focus sull’identità digitale. Ma quali sono le sue caratteristiche principali? E in cosa si distingue dalle altre criptovalute?
Progetto Worldcoin: come funziona?
Il sogno di Altman e del suo team è sviluppare tecnologie, come l’IA, così potenti da trasformare non solo la società ma anche il sistema economico globale. Queste tecnologie mirano ad aiutare le persone a fare ciò che prima non era possibile o a farlo in modo radicalmente diverso. L’intelligenza artificiale, ad esempio, viene utilizzata per l’analisi delle immagini dell’iride da parte dell’Orb e potrebbe avere un ruolo futuro nella gestione della rete. Per realizzare questa visione, è stato necessario immaginare nuove infrastrutture: “luoghi” virtuali in cui esseri umani e agenti di intelligenza artificiale possano scambiarsi risorse. La missione di questa rete finanziaria è duplice: creare un’identità digitale globale e una rete economica inclusiva. Worldcoin si basa su un sistema globale di identità digitale supportato dal protocollo Layer 2 di Ethereum, Optimism, scelto per la sua capacità di migliorare la scalabilità e ridurre le commissioni di transazione.
World ID, WorldApp, Worldcoin
Per accedere al network World, gli utenti devono ottenere un’identità digitale univoca. Allo scopo di prevenire la falsificazione di profili, questa identità viene creata esclusivamente tramite un dispositivo biometrico dedicato. Lo strumento, sviluppato da Tools for Humanity, è denominato Orb ed è basato su tecnologia open source. Questo dispositivo, a forma di sfera, utilizza lenti specializzate per scansionare l’iride, generando un World ID unico per ogni utente. L’immagine dell’iride viene trasformata in un codice hash, una sorta di “impronta digitale” univoca che non può essere ricondotta all’immagine originale, garantendone così l’anonimato. Una volta completata la registrazione, tramite l’applicazione WorldApp – un portafoglio digitale che gestisce sia le credenziali di accesso che la criptovaluta – gli utenti possono ricevere e utilizzare la moneta digitale WLD (Worldcoin). Inizialmente, gli utenti ricevono dei token WLD gratuiti come incentivo per registrarsi, un aspetto importante del modello di distribuzione di Worldcoin.
È importante sottolineare che possedere un World ID non implica la condivisione di dati personali come nome, numero di telefono, indirizzo e-mail o domicilio. I dati raccolti dall’Orb vengono trasformati in un codice hash univoco, progettato per garantire l’anonimato e proteggere la privacy degli utenti. World ID, inoltre, potrebbe essere usato in futuro per accedere ad altri servizi online, oltre a Worldcoin, come i social network o le piattaforme di e-commerce.
I Paesi che hanno aderito a Worldcoin
I Paesi in cui è possibile registrarsi al progetto Worldcoin tramite scansione dell’iride effettuata con un Orb sono: Argentina, Austria, Brasile, Cile, Colombia, Corea del Sud, Germania, Giappone, Guatemala, Ecuador, Messico, Malesia, Panama, Perù, Polonia, Portogallo, Singapore. La lista è in continuo aggiornamento. Questi paesi hanno aderito al progetto perché vedono in Worldcoin un’opportunità per l’inclusione finanziaria o per l’innovazione tecnologica. Per il momento il progetto non è ancora stato introdotto in Italia.
Il caso Italia
Il GPDP analizzando il caso specifico ha avvertito che il progetto violerebbe il Regolamento Ue. Il provvedimento del Garante Per La Protezione Dei Dati Personali si è espresso in maniera chiara: “il trattamento dei dati biometrici basato sul consenso degli aderenti al progetto, rilasciato sulla base di una informativa insufficiente, non può essere considerato una base giuridica valida secondo i requisiti richiesti dal Regolamento europeo.” E Oltretutto, “la promessa di ricevere WLD token (moneta digitale) gratuiti da parte di Wordcoin incide negativamente sulla possibilità di esprimere un consenso libero e non condizionato al trattamento dei dati biometrici effettuato attraverso gli Orb. Infine, i rischi del trattamento risultano ulteriormente amplificati dall’assenza di filtri per impedire l’accesso agli Orb e alla World App ai minori di 18 anni.”
Worldcoin: Critiche e Controversie
Worldcoin, pur rappresentando una visione ambiziosa per il futuro dell’economia e dell’identità digitale, ha sollevato numerose critiche. Nel 2023, il progetto è stato sospeso in Kenya a causa di preoccupazioni relative alla privacy e alla raccolta dei dati biometrici. La Spagna è stata il primo paese europeo a bloccare l’iniziativa, evidenziando gli elevati rischi per la tutela dei dati personali. Anche l’ex analista della NSA Edward Snowden ha criticato apertamente il modello di privacy di Worldcoin. Ha sottolineato che, anche se le scansioni biometriche venissero cancellate per motivi di privacy – come dichiarato dall’azienda – l’identificatore univoco generato potrebbe essere utilizzato per collegare future analisi biometriche agli stessi individui.
Nel suo tweet del 24 ottobre 2021, Snowden ha affermato: “Non utilizzare la biometria per l’antifrode. In realtà, non usare la biometria per nulla.” Le preoccupazioni etiche e le questioni legate alla privacy rimangono centrali nel dibattito su Worldcoin. Il progetto sarà in grado di mantenere le sue promesse senza compromettere i diritti fondamentali degli individui? Curiosamente, l’evento del 17 ottobre 2024, intitolato “A New World”, ricorda il titolo del romanzo di fantascienza distopica, Il mondo nuovo (Brave New World) di Aldous Huxley. Opera nella quale Huxley immagina una società futura in cui il controllo sociale e la perdita di libertà individuali sono ottenuti attraverso la tecnologia e la standardizzazione. Coincidenze!
L'articolo Worldcoin: Il Futuro dell’Economia è Scritto nell’Iride? proviene da il blog della sicurezza informatica.
Light Brite Turned Sci-Fi Console on the Cheap
Generally, the projects featured on Hackaday actually do something. We won’t go as far as to say they are practical creations, but they usually have some kind of function other than to sit there and blink. But what if just sitting still and blinking away randomly is precisely what you want a piece of hardware to do?
That was exactly the goal when [createscifi] set out to dress a Lite Brite up as a futuristic prop. On a technical level, this project is pretty much as simple as it gets. But we appreciated seeing some of the techniques brought to bear on this project, and perhaps more importantly, really like the channel’s overall goal of creating affordable sci-fi props using common components. We don’t plan on filming our own space epic anytime soon…but we like to know the option is there.
The process starts off with creating some 2D imagery to represent various components on the final “control panel”, such as sliders, knobs, and a logo. These details, plus the big opening for the Lite Brite itself, are then cut out of thin wood using a diode laser.
After gluing the parts together, [createscifi] sprays the whole thing black and then rubs graphite powder into the surface to give it a unique metallic texture. Finally, small discs are glued onto the surface to represent knobs and buttons — a process known as “greebling” in the model and prop making world.
The very last step of the process is to glue the Lite Brite into the back of the console, and set it off randomly blinking. Personally, we’d have liked to have seen some attempt made to cover the Lite Brite. It seems like putting the thing behind a piece of scuffed up acrylic to act as a diffuser would have made for a more mysterious visual, but as [createscifi] points out, he considers the fact that its still recognizably a child’s toy to be something of a visual gag.
We love prop builds; from ray guns to historical recreations, they’re multi-disciplinary projects that really allow the creator to stretch their creativity without getting bogged down by the tyranny of practicality. It’s been a couple years since the last Sci-Fi Contest, perhaps it’s time for another?
youtube.com/embed/sSPEUNTuqXU?…
Broken USB Lamp Saved with a Bit of Woodworking
For many of us, when we think of creating a custom enclosure, our minds immediately go towards our 3D printer. A bit of time in your CAD program of choice, and in an hour (or several), you’ve got a bespoke plastic box. A hacker’s dream come true.
But extruded plastic is hardly perfect. For one thing, you might want a finished piece that looks a little more attractive on your desk. Which is why we appreciate this quick hack from [Tilma]. When faced with a broken LED light and minimal equipment, he decided to transplant the repaired electronics into a scratch-built wooden frame that not only looks better than the original, but is more functional.
The video starts with a teardown of the original light, which was a flexible affair meant to plug directly into a USB port. [Tilma] found that the reason it failed was because of a broken solder joint, presumably due to repetitive motion. Of course, to find this failure he needed to cut away the rubbery sleeve it was encased in, hence the need for a new home.
After tacking on some longer wires to the driver board, [Tilma] connected an external button that he thought would last longer then the stock membrane affair on the PCB. Once it was confirmed that the light worked with the modified electronics, the rest of the video covers how the wooden components were assembled using hand tools. Compared to the high-tech gadgetry we cover on a daily basis here, there’s something refreshing about seeing a person working with chisels, clamps, and rulers.
We think the final result looks quite nice for as simplistic as it is, and is unquestionably more practical than a weird little light bar that sticks out from your USB port. If you’d like to add a bit of woodworking to your bag of tricks, [Dan Maloney] covered some of the basics for us several years ago.
youtube.com/embed/ABwkEgxiedY?…
Is There Nothing DOOM Can’t Do?
We all know that “Can it run Doom?” is the first question of a hardware hacker. The 1993 first person shooter from id Software defined an entire genre of games, and has since being made open source, appeared on almost everything. Everything, that is, except a Captcha, those annoying “Are you a human” tests where we’re all expected to do a search giant’s image classification for them. So here’s [Guillermo Rauch] with a Doom captcha, in which you must gun down three bad guys to proceed.
As a way to prove you’re a human we can’t imagine a more fitting test than indiscriminate slaughter, and it’s interesting to read a little about what goes on behind the scenes. It’s a WebAssembly application as you might have guessed, and while it’s difficult to shake that idea from the early ’90s that you needed a powerful computer to run the game, in reality it shows just how powerful WebAssembly is, as well as how far we’ve come in three decades. We’d prefer a few different entry points instead of always playing the same level, and we were always more handy with the mouse than the keyboard back in the day, but it’s certainly a bit of fun.
More Doom? How about seeing it on hardware nobody would have believed in 1993?
Protect Your Site with a DOOM Captcha
We all know that “Can it run DOOM?” is the first question of a hardware hacker. The 1993 first person shooter from id Software defined an entire genre of games, and has since been made open source, appearing on almost everything. Everything, that is, except a Captcha, those annoying “Are you a human” tests where we’re all expected to do a search giant’s image classification for them. So here’s [Guillermo Rauch] with a DOOM captcha, in which you must gun down three bad guys to proceed.
As a way to prove you’re a human we can’t imagine a more fitting test than indiscriminate slaughter, and it’s interesting to read a little about what goes on behind the scenes. It’s a WebAssembly application as you might have guessed, and while it’s difficult to shake that idea from the early ’90s that you needed a powerful computer to run the game, in reality it shows just how powerful WebAssembly is, as well as how far we’ve come in three decades.
We’d prefer a few different entry points instead of always playing the same level, and we were always more handy with the mouse than the keyboard back in the day, but it’s certainly a bit of fun. It’s worth noting that simply playing the game isn’t enough to verify your humanity — if you’re killed in the game before vanquishing the required three foes, you’ll have to start over. As the game is running at “Nightmare” difficulty, proving your worth might be a tad harder than you’d expect…
Need more DOOM? How about seeing it on hardware nobody would have believed in 1993?
38C3: Taking Down the Power Grid Over Radio
You know how you can fall down a rabbit hole when you start on a project? [Fabian Bräunlein] and [Luca Melette] were looking at a box on a broken streetlamp in Berlin. The box looked like a relay, and it contained a radio. It was a Funkrundsteueremfänger – a radio controlled power controller – made by a company called EFR. It turns out that these boxes are on many streetlamps in many cities, and like you do, they thought about how cool it would be to make lights blink, but on a city-wide basis. Haha, right? So they bought a bunch of these EFR devices on the used market and started hacking.
They did a lot of background digging, and found out that they could talk to the devices, both over their local built-in IR port, but also over radio. Ironically, one of the best sources of help they found in reversing the protocol was in the form of actually pressing F1 in the manufacturer’s configuration application – a program’s help page actually helped someone! They discovered that once they knew some particulars about how a node was addressed, they could turn on and off a device like a street lamp, which they demo with a toy on stage. So far, so cute.
But it turns out that these boxes are present on all sorts of power consumers and producers around central Europe, used to control and counteract regional imbalances to keep the electrical grid stable. Which is to say that with the same setup as they had, maybe multiplied to a network of a thousand transmitters, you could turn off enough power generation, and turn on enough load, to bring the entire power grid down to its knees. Needless to say, this is when they contacted both the manufacturer and the government.
The good news is that there’s a plan to transition to a better system that uses authenticated transmissions, and that plan has been underway since 2017. The bad news is that progress has been very slow, and in some cases stalled out completely. The pair view their work here as providing regulators with some extra incentive to help get this important infrastructure modernization back on the front burner. For instance, it turns out that large power plants shouldn’t be using these devices for control at all, and they estimate that fixing this oversight could take care of most of the threat with the least effort.
National power grids are complicated machines, to say the least, and the impact of a failure can be very serious. Just take a look at what happened in 2023 in the US northeast, for instance. And in the case of real grid failure, getting everything back online isn’t as simple a just turning the switches back on again. As [Fabian] and [Luca] point out here, it’s important to discover and disclose when legacy systems put the grid in potential danger.
FLOSS Weekly Episode 814: The Banksy Situation
This week, Jonathan Bennett and Rob Campbell talk with Alistair Woodman about FRRouting, the Internet routing suite that helps make all this possible. But also business, and how an open source project turns the corner into a successful way to support programmers.
FRR github.com/FRRouting/frr
frrouting.org/
Erlang Ecosystem Foundation
erlef.org/
youtube.com/embed/x5ufOHxIwCk?…
Did you know you can watch the live recording of the show Right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.
play.libsyn.com/embed/episode/…
Direct Download in DRM-free MP3.
If you’d rather read along, here’s the transcript for this week’s episode.
Places to follow the FLOSS Weekly Podcast:
Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
hackaday.com/2025/01/01/floss-…
2024 Brought Even More Customization to Boxes.py
If you have access to a laser cutter, we sincerely hope you’re aware of boxes.py. As the name implies, it started life as a Python tool for generating parametric boxes that could be assembled from laser-cut material, but has since become an invaluable online resource for all sorts of laser projects. Plus, you can still use it for making boxes.
But even if you’ve been using boxes.py for awhile, you might not know it was actually an entry in the Hackaday Prize back in 2017. Creator [Florian Festi] has kept up with the project’s Hackaday.io page all this time, using it as a sort of development blog, and his recent retrospective on 2024 is a fascinating read for anyone with an eye towards hot photonic action.
At the end, [Florian] has some interesting thoughts on how the community as a whole has developed over the years. He notes that in the early days, any code or designs proposed by users for inclusion in the project usually needed work before they were ready for prime time. But now that everything is more established, the pull requests he’s getting are so well done that they rival any of the original work he put in.
We’re glad to hear that the community is coming together to make this already fantastic project even better. It sounds like [Florian] is even getting some help to track down and eliminate the remaining Python 2.x code that’s still lingering around.
Here’s to many more excellent years for Boxes.py!
LED Wall Clock Gets Raspberry Pi Pico Upgrade
When [Rodrigo Feliciano] realized that the reason his seven-segment LED wall clock wasn’t working was because the original TG1508D5V5 controller was fried, he had a decision to make. He could either chuck the whole thing, or put in the effort to reverse engineer how the displays were driven and replace the dead controller with something a bit more modern. Since you’re reading this post on Hackaday, we bet you can guess which route he decided to take.
If you happen to own the same model of clock as [Rodrigo], then you really lucked out. He’s done a fantastic job documenting how he swapped the original controller out for a Raspberry Pi Pico W, which not only let him bring the clock back to life, but let him add new capabilities such as automatic time setting via Network Time Protocol (NTP).
Pretty soon he not only had a 3D model of the clock’s PCB, but a schematic he could use to help wire in the Pi Pico. Admittedly this is a pretty straightforward PCB to try and reverse engineer, but hey, you have to start somewhere.
We had high hopes for KiCad’s image import feature when it was introduced, and it’s great to see real-world examples like this trickle in as more folks learn about it.
youtube.com/embed/z3l11CKApYk?…
Creating Temporal Light Reflections With Metamaterials
Owing to the wave nature of light there are many ways that such different waves can interact with each other, but also with materials. Everyone knows about reflecting light with a mirror, which is a property of materials like metals, but specific structures can cause the light to behave in a way that creates rather amazing results.
Examples of this are cases of iridescence in nature (like butterfly wings) and eye color, where the perceived colors are the result of environmental light interacting with these structures rather than pigmentation or dyes. An even more interesting interaction has now been demonstrated by reflecting multiple microwave radiation beams off each other, creating a time reflection.
The study by [Emanuele Galiffi] et al. (shared copy) was published in Nature Physics. By creating a metamaterial that allows for temporal coherent wave control (CWC) the electromagnetic radiation was controlled to where it allowed for this kind of unusual interaction. The key here being that there is no major constructive or destructive interaction between the two waves as with spatial CWC, rather the wave reflect off each other, or more specifically the time interface.
Although the popular reporting talks about ‘turning back time’ and ‘watching the back of your own head in a mirror’, the impact is far less dramatic: in the article conclusion the researchers mention unveiling new light-matter interactions in the microwave- and other parts of the spectrum, as well as new ways to control and shape light.
Top image: Temporal coherent wave control and photonic collisions enabled by time-interfaces. (Credit: Emanuele Galiffi et al., Nature Physics, 2023)
Falso allarme su 7-Zip: la bufala di un exploit smentito dallo sviluppatore
Lunedì un utente del social network con lo pseudonimo sospetto @NSA_Employee39 ha annunciato la presenza di una vulnerabilità 0day nel popolare archiviatore gratuito 7-Zip. Sulla sua pagina X verificata, ha promesso di pubblicare la vulnerabilità per ringraziare i suoi poco più di 1.400 follower.
Come primo “regalo”, l’utente ha pubblicato su Pastebin un codice che presumibilmente dimostra la capacità di eseguire codice arbitrario (ACE) attraverso un archivio .7z appositamente preparato con un flusso LZMA corrotto.
Questo codice, dice, provoca un overflow del buffer nella funzione RC_NORM.
Tuttavia, nessuno degli esperti di sicurezza è riuscito a confermare la funzionalità del codice. Uno degli esperti ha osservato: “Forse semplicemente non so come, ma questo non sembra un vero exploit“.
Lo sviluppatore di 7-Zip Igor Pavlov ha smentito ufficialmente sul forum del programma: “Questo rapporto su Twitter è falso. Questa vulnerabilità non esiste in 7-Zip o LZMA.”
L’account @NSA_Employee39 non ha ancora commentato l’incidente.
Il motivo per cui l’utente ha deciso di rilasciare informazioni false rimane un mistero. Tuttavia, le vacanze possono rappresentare un periodo difficile per molti ed è importante ricordare che di essere solidali è disponibili.
L'articolo Falso allarme su 7-Zip: la bufala di un exploit smentito dallo sviluppatore proviene da il blog della sicurezza informatica.
Turning a Lada Into An EV With 50 Cordless Drills, Because Why Not?
[Garage 54] is no stranger to vehicle-related projects of the “because why not?” variety, and their latest is using 50 cordless drills combined into a monstrous mega-motor to turn a gutted (and extended) Lada into an electric vehicle (EV).
Doing this leans on some of [Garage 54]’s earlier projects, such as replacing the aforementioned Lada’s engine block with a frame containing sixteen chainsaws. That means they don’t need to start completely from scratch, and have a frame design that can drop into the vehicle once the “engine” is constructed.
Here’s what’s in the new engine: each of the drills has its chuck replaced with an aluminum pulley, and belts connect each group of drills to an output shaft. Ideally, every drill motor would run at the same time and at exactly the same speed, but one works with what they have. [Garage 54] originally worked to synchronize the drills by interfacing to each drill’s motor control board, but eventually opted to simply bypass all controls and power each drill’s motor directly from the batteries. Initial tests are done by touching bare cable ends with a turned-away face and squinted eyes, but we expect “Just A Big Switch” to end up in the final assembly.
It looks wild and we can think of more than a few inefficiencies present in a system like this, but the output shaft does turn and torque is being transferred, so the next step is interfacing to the car’s factory gearbox.
If it powers the car in any meaningful way, that Lada might very well become the world’s most gloriously hacked-together EV. And hey, if the power output of the EV motor is disappointing, you can just make your own.
youtube.com/embed/sqRfd2BSJjo?…
[via Motor1]
Repairing a BPS-305 30V Bench Power Supply
When [Tahmid Mahbub] recently reached for his ‘Lavolta’ BPS-305 bench supply, he was dismayed to find that despite it being a 30V, 5A-rated unit, the supply refused to output more than 15V. To be fair, he wasn’t sure that he had ever tried to push it beyond 15V in the years that he had owned it, but it had better live up to its specs. Ergo out came the screwdriver to open the power supply to see what had broken, and hopefully to fix it.
After some more probing around, he discovered that the unit had many more issues, including a highly unstable output voltage and output current measurement was completely wrong. Fortunately this bench power supply turns out to be very much like any number of similar 30V, 5A units, with repair videos and schematics available.
While [Tahmid] doesn’t detail his troubleshooting process, he does mention the culprits: two broken potentiometers (VR104 and VR102). VR104 is a 5 kOhm pot in the output voltage feedback circuit and VR102 (500 Ohm) sets the maximum output current. With no 500 Ohm pot at hand, a 5 kOhm one was combined with a 470 Ohm resistor to still allow for trimming. Also adjusted were the voltage and current trimpots for the front display as they were quite a bit off. Following some testing on the reassembled unit, this power supply is now back in service, for the cost of two potentiometers and a bit of time.
Quantum Mechanics and Negative Time With Photon-Atom Interactions
Within our comfortable world of causality we expect that reactions always follow an action and not vice versa. This why the recent chatter in the media about researchers having discovered ‘negative time’ with photons being emitted before the sample being hit by source photons created such a stir. Did these researchers truly just crack our fundamental concepts of (quantum) physics wide open? As it turns out, not really.
Much of the confusion stems from the fact that photons aren’t little marbles that bounce around the place, but are an expression of (electromagnetic) energy. This means that their resulting interaction with matter (i.e. groupings of atoms) is significantly more complicated, often resulting in the photonic energy getting absorbed by an atom, boosting the energy state of its electron(s) before possibly being re-emitted as the excited electrons decay into a lower orbit.
This dwell time before re-emission is what is confusing to many, as in our classical understanding we’d expect this to be a very deterministic process, while in a quantum world it most decidedly is not.
This is highlighted in the Scientific American article on the subject as well, specifically quantum probability. Within this system, it’s possible that there can be re-emissions before the atomic excitation has fully ceased. It was this original 2022 finding that was recently retested, with the findings confirmed.
As confusing as this all may sound, the authors of the recent paper stress that the core of the issue here is the so-called ‘group delay’ of the original pulse as it excites the cloud of rubidium atoms. If one were to think of this pulse as discrete quanta of photon particles, it’d seem to break causality, but as a wave function within quantum physics this is perfectly acceptable. Observations such as the rubidium atoms becoming excited despite photons passing through the cloud, and emitting a photon before the electrons returned to their ground state do not seem to make sense, but here we also have to consider how and what we are measuring.
The short version is that causality remains unbroken, and the world of quantum physics is intuitive in its own, strange ways. Research like this also gives us a much better fundamental understanding of photonics and related fields, none of which involve time travel.
Experimental setup and measured optical depth. (Credit: Josiah Sinclair et al., PRX Quantum, 2022)
A Foil Tweeter, Sound From Kitchen Consumables
The world of audio has produced a variety of different loudspeaker designs over the last century, though it’s fair to say that the trusty moving coil reigns supreme. That hasn’t stopped plenty of engineers from trying new ways to make sound though, and [R.U.H] is here with a home-made version of one of them. It’s a foil tweeter, a design in which a corrugated strip of foil is held in a magnetic field, and vibrates when an audio frequency current is passed through it.
He shows a couple of takes on the design, both with neodymium magnets but with different foils and 3D printed or wooden surrounds. They both make a noise when plugged into an amplifier, and unsurprisingly the thicker foil has less of the high notes.
We can see that in there is the possibility for a high quality tweeter, but we can’t help having one concern. This device has an extremely low impedance compared to the amplifier, and thus would probably be drawing far too much current. We’d expect it to be driven through a transformer instead, if he had any care for not killing the amplifier.
Happily there are other uses for a ribbon, they are far better known as microphones.
youtube.com/embed/Oa6pvTUlFYY?…
WinGet: Conosci il Super Strumento di Windows 11 per Gestire le Tue App!
Windows 11 fornisce agli utenti uno strumento in grado di semplificare notevolmente la gestione delle applicazioni. Stiamo parlando del Gestore pacchetti di Windows, noto come WinGet.
Questo gestore di pacchetti ti consente di cercare, installare, disinstallare e aggiornare le applicazioni tramite la riga di comando, rendendo le operazioni familiari più comode e veloci.
WinGet è una soluzione per coloro che sono stanchi di scaricare file di installazione da Internet, di sottoporsi a lunghe procedure guidate di installazione o di imbattersi in software aggiuntivo indesiderato.
Ora, per installare o aggiornare, basta inserire un semplice comando. WinGet funziona con repository di pacchetti affidabili, riducendo al minimo il rischio di scaricare software dannoso o non necessario. Inoltre l’installazione avviene automaticamente, senza finestre o conferme inutili.
Lo strumento ti aiuta anche a gestire in modo efficace le tue applicazioni già installate. Ad esempio, puoi trovare un elenco di tutti i programmi sul tuo computer, vedere le loro versioni e aggiornarli con un comando.
Ciò è particolarmente utile se è necessario aggiornare più programmi contemporaneamente, senza aprirli separatamente. Con WinGet, un utente può aggiornare in blocco tutte le proprie applicazioni alle versioni più recenti, evitando la necessità di interagire manualmente con ciascuna di esse.
A differenza dei file di installazione tradizionali, che spesso sono accompagnati da software indesiderato, WinGet scarica solo i file dell’applicazione necessari. Ciò aumenta il livello di sicurezza e riduce al minimo il rischio di installare qualcosa di non necessario. Per gli utenti di Windows 11, WinGet è già preinstallato. I possessori di Windows 10 possono scaricarlo gratuitamente dal Microsoft Store.
Sebbene l’utilizzo della riga di comando possa intimidire alcuni utenti, WinGet offre un semplice set di comandi che chiunque può padroneggiare. Ad esempio, il comando di ricerca di Winget ti consente di cercare programmi per nome o categoria e l’elenco di Winget mostra un elenco di tutte le applicazioni installate e le loro versioni. Per aggiornare i programmi è sufficiente utilizzare il comando winget upgrade –all .
Gli utenti che desiderano personalizzare la fonte per scaricare i programmi possono farlo anche utilizzando WinGet aggiungendo o modificando i repository. Tuttavia, ciò richiede cautela: il download da fonti non verificate potrebbe compromettere la sicurezza del sistema.
WinGet apre nuove possibilità per la gestione delle applicazioni in Windows. Automatizza i processi, fa risparmiare tempo e garantisce un’elevata sicurezza, rendendo la gestione del software il più semplice e conveniente possibile. Per coloro che desiderano utilizzare Windows al meglio, questo strumento diventerà un assistente indispensabile.
L'articolo WinGet: Conosci il Super Strumento di Windows 11 per Gestire le Tue App! proviene da il blog della sicurezza informatica.
Doomscroll Precisely, and Wirelessly
Around here, we love it when someone identifies a need and creates their own solution. In this case, [Engineer Bo] was tired of endless and imprecise scrolling with a mouse wheel. No off-the-shelf solutions were found, and other DIY projects either just used hacked mice scroll wheels, customer electronics with low-res hardware encoders, or featured high-res encoders that were down-sampled to low-resolution. A custom build was clearly required.
We loved seeing hacks along the whole process by [Engineer Bo], working with components on hand, pairing sensors to microcontrollers to HID settings, 3D printing forms to test ergonomics, and finishing the prototype device. When 3D printing, [Engineer Bo] inserted a pause after support material to allow drawing a layer of permanent marker ink that acts as a release agent that can later be cleaned with rubbing alcohol.
We also liked the detail of a single hole inside used to install each of the three screws that secure the knob to the base. While a chisel and UV-curing resin cleaned up some larger issues with the print, more finishing was required. For a project within a project, [Engineer Bo] then threw together a mini lathe with 3D printed and RC parts to make sanding easy.
Scroll down with your clunky device to see the video that illustrates the precision with a graphic of a 0.09° rotation and is filled with hacky nuggets. See how the electronics were selected and the circuit designed and programmed, the use of PCBWay’s CNC machining in addition to board assembly services, and how to deal with bearings that spin too freely. [Engineer Bo] teases that a future version might use a larger bearing for less wobble and an anti-slip coating on the base. Will the board files and 3D models be released, too? Will these be sold as finished products or kits? Will those unused LED drivers be utilized in an upcoming version? We can’t wait to see what’s next for this project.
youtube.com/embed/FSy9G6bNuKA?…
Thanks for the tip [UnderSampled]!
Sony Vaio Revived: Power, The Second 80%
A bit ago, I’ve told you about how the Sony Vaio motherboard replacement started, and all the tricks I used to make it succeed on the first try. How do you plan out the board, what are good things to keep in mind while you’re sourcing parts, and how do you ensure you finish the design? This time, I want to tell you my insights about what it takes for your new board revision to stay on your desk until completion, whether it’s helping it not burn up, or making sure the bringup process is doable.
Uninterrupted, Granular Power
Power was generally comfortable to design, but I did have to keep some power budgets in mind. A good exercise for safeguarding your regulators is keeping a .txt file where you log consumers and their expected current consumption on each board power rail, making sure all of your power regulators, connectors, and tracks, can handle quite a bit more than that current. Guideline: increase current by 20%-50% when figuring out the specs for switching regulators and inductors, and, multiply by 10-20% when figuring out conversion losses going between downstream and upstream rails.
I did have a blunder in this department – not accounting for track current early on enough. I laid out the board using 0.5mm wide tracks for power – it looked spacious enough. Then, I put “0.5mm” into a track current calculator and saw a harrowing temperature increase for the currents I was expecting. At that point in routing, it took some time to shift tracks around to accomodate the trace width I actually needed, which is to say, I should’ve calculated it all way way earlier. Thankfully, things went well in the end.
A lot of bringup preparations are done during design, though. You have to think about typical usecases, and think how your hardware is going to react to them. What kind of state will the board enter after you insert the battery, or apply power from an external charger? Will you need to find a charger after you swap the battery? Is battery hotswap possible? The best way to understand all of it is to look through fundamental blocks of the circuit, and ask questions about their behaviour.
The questions can be pretty simple. Is the EC always powered no matter the input source? Can you detect when the power sources are too low, or too high? What’s the default states of the EN pins of every switching regulator, and what are the default state of GPIOs that control your regulator EN pins? Are any of these pins connected to GPIOs that might oscillate during your MCU’s boot? Is the input DC-DC enabled by default? What about the battery charger?
In the end, I went through all the switching regulator datasheets, taking note of the EN pins. Closer to the end, I’ve noticed that I’d need to invert the EN pin of the input DC-DC with help of a FET if I wanted that regulator to be powered on by default – otherwise, I’d get a chicken-and-egg problem if I were to try and power the board through its charger with missing or fully discharged battery. The FET barely fit on the board, but I massaged the tracks until it did.
Double-Sided Assembly
Here’s tips for bringup – you want to make sure you can access your EC at all times. In my case, I decided to mux the EC RP2040’s USB onto the external port, allowing for a “debug mode” with a USB A-A cable – a cool feature, but I have definitely regretted restricting myself with it. Essentially, I locked myself into USB plug-unplug cycle during the early development, and it was hell to solve problems as a result. My advice is – plan for an extra USB-C connector or just USB testpoints on your board, so you can have a permanent unshakeable USB/SWD/UART/etc. link during the period while you’re not quite sure how well your board works. In the end, I had to tombstone the two 0402 D+/D- resistors of the RP2040 EC and pull an external “debug” USB-C connector on three magnet wires – a finicky endeavour, worth avoiding if you can.
Other than that hurdle, the bringup has been seamless, in no small part because I used the MicroPython REPL to probe through the board as I enabled parts of it. The REPL flow let me enable/disable power rails and query GPIOs dynamically during early bringup, mocking up code on the fly and immediately testing it on my hardware, and dynamically debug features like onboard shift registers, or buttons and LEDs on the Vaio’s case, wrapping them into code and putting them into the main.py file – the EC firmware grew larger and larger as I experimented. There’s something special about having a list of power rails at your fingertips, switching them off one by one, quickly tying program states into switches/buttons/LEDs as needed – it was a joy of a bringup experience.
How do you assemble such a double-sided board – really, how do you even stencil it? I planned for stenciling it from the very beginning, and, I distributed the components in a way that one side had way less components than the other – including more intricate components, like multi-pin ICs. One thing that’s really helped, is using the JLCPCB stencil shipping cardboard to make a jig for the board with cutouts in it, letting me stencil the less-populated side once the more-populated side already had components soldered onto it. In a different life, I used to lasercut frames for this kind of endeavour – KiCad SVG export should be all you need.
The more-populated side got assembled using one of those tiny $20 hotplate, in the comfort of my home – I’d hot air it, but my hot air gun fell and broke. I did have to borrow a hot air gun for assembling the second side, though – and assemble it very carefully. The main problem was the plastic connector on the less-populated side – I had to hot air it from the bottom, through the RP2040 EC and its supporting circuitry.
Learning, Achievements, Expansion
I’ve had some fun failure modes happen on this board. One, the failing 5V boost with subpar layout, which I’ve already described in the switching regulator patch board article a couple months ago. Fun fact – it’s also verified a RPi SD card corruption theory of mine, confirming that noise on the input power rail easily propagates into the 3.3V rail powering the SD card, and results in SD card corruption; if you’re getting SD card corruption issues, make sure to check the DC-DCs involved in your project!
Another one was specifically the output pin of the 3.3V EC regulator not getting soldered properly – somehow, it had a cold solder joint, and the EC was getting powered with around 1.23V, again, somehow; it might’ve been due to my incessant multimeter probing, in hindsight. I’m glad that this was the cold solder joint I had to figure out – as far as cold solder joints go, this one was seriously easy to debug, since just moving the probe between the 3.3V reg leg and an EC power capacitor was enough to find the spot the voltage drop happened.
Again, any burnt components on such an assembled board get expensive – not just monetarily, it’s also that you don’t want to repeat the assembly effort. So, keep all metal and solder away during bringup, check all the connectors for accidental solder blobs many times over, and be very careful to. Tempted to hotplug internal connectors? Don’t do it unless you’ve designed them to hotplug, or if the original manufacturer has – there’s always pinout and connector considerations you have to mind. This goes doubly for high-current and high-voltage connectors.
Expansion slots are wonderful if you can afford them – there’s usually leftover GPIOs and some power rail capacity that you might want to later tap, and in my case, there’s also heaps of free space inside of the laptop. I managed to fit two FFC sockets on this particular board, which have plenty of high-current power rails and GPIOs – my plan, personally, is to make a board that takes SATA or NVMe SSDs, and maybe even has expansions like GPS or extra WiFi – the case internals are spacious enough for all of those.
Looking to put a new powerful motherboard into an old lovely chassis? Chances are, you can certainly do it – even if it takes time, trial-and-error, and help from some friends or internet strangers. I hope this project walkthrough can help you lots along the way, especially in being comfortable to take the first steps! Got a project stuck on the mental shelf? Get on with it – you will learn new cool things, and find new tricks to improvise. Me, I’m getting a friendly device to carry in my pocket, and that alone is a wonderful experience.
Why 2025 Will Not Be The Year Of Linux On The Desktop
One of the longest running jokes in our sphere is that the coming year will finally be the year of “Linux on the Desktop.” Never mind that the erosion of the traditional Windows-style desktop form of computing is a thing, or that Linux-derived operating systems such as Android or Chrome OS are running on literally billions of devices across the globe, it sends up the unreasonable optimism of Linux enthusiasts back in the day that their nascent platform could depose Windows from its pedestal.
If there’s one thing we like more than a good tech joke then, it’s a well-written tech rant, and [Artem S. Tashkinov] has penned a doozy in “Why Linux is not ready for the desktop, the final edition“. It’s Linux trolling at its finest, and will surely get many a crusty open source devotee rushing to their keyboard to decry its ideas.
Aside from the inherent humor then, reading it we have to admit that he makes a set of very cogent points. Even having used a Linux desktop exclusively for a very long time indeed there’s no shame in admitting that it’s not perfect, and things such as the mildly annoying state of network file sharing or the complexity for most users of getting to grips with the security model are very fair criticisms. And the last section on the Linux community hits hard, it’s necessary to admit that the world of open source doesn’t always welcome people trying to use its software as well as it could.
But as power users of a Linux desktop for everything, more than just for writing Hackaday, we’d take the view that for all its undoubted faults, it still offers a better experience than the latest version of Windows. Oddly it could now be an acceptable desktop for many people, but the sad thing is that the need for that may well have passed to those Android and Chrome OS devices we mentioned earlier.
We’ve been known to have our own Linux related rants from time to time.
New Years Circuit Challenge: Make This RFID Circuit
Picture this: It’s the end of the year, and a few hardy souls gather in a hackerspace to enjoy a bit of seasonal food and hang out. Conversation turns to the Flipper Zero, and aspects of its design, and one of the parts we end up talking about is its built-in 125 kHz RFID reader.
It’s a surprisingly complex circuit with a lot of filter components and a mild mystery surrounding the use of a GPIO to pulse the receive side of its detector through a capacitor. One thing led to another as we figured out how it worked, and as part of the jolity we ended up with one member making a simple RFID reader on the bench.
Just a signal generator making a 125 kHz square wave, coupled to a two transistor buffer pumping a tuned circuit. The tuned circuit is the coil scavenged from an old RFID card, and the capacitor is picked for resonance in roughly the right place. We were rewarded with the serial bitstream overlaying the carrier on our ‘scope, and had we added a filter and a comparator we could have resolved it with a microcontroller. My apologies, probably due to a few festive beers I failed to capture a picture of this momentous event.
A Nasty Circuit That Just Has To Be Made
Here on the Morning After the Night Before, I’m sitting thinking about 125 kHz RFID, as this is honestly the first time in many decades playing with radio I’ve given one of these a look. (Though we’ve pondered its 13.56 MHz cousin.) An evil thought forms in my mind; would it be possible to make a single-transistor, self-oscillating 125 kHz RFID reader? It would be an extremely nasty circuit and there is no possible need for one to exist, but it’s the electronic engineers equivalent of an earworm. I know how I would approach it but I don’t know whether my idea would work. I’m thus going to set it as a New Years exercise for you readers.
So, how would I approach this? One of the first electronic projects I made over four decades ago was a regenerative radio. This is a one-transistor receiver for AM radio which applies positive feedback to an RF amplifier to the point at which it’s almost but not quite oscillating. This has the effect of narrowing its bandwith hugely, to the extent that it makes a passable narrowband radio receiver. I would approach the RFID reader using a variation on this circuit; a single transistor regenerative receiver which is just oscillating at 125 kHz, but whose oscillation is quenched momentarily every time the RFID tag loads its coil to indicate serial data. I should thus be able to pull a DC voltage from my emitter resistor, filter it, and return something that could be turned into a square wave. I think something like this could work but I stand ready to be proved wrong What do you think, would this circuit function?
Every Contest Needs a Few Rules:
Your circuit must use only one transistor, no ICs. Diodes and RCL passives are allowed, but also no vacuum tubes, tunnel diodes, or other active components, you lateral thinkers. It must demonstrably read a 125 kHz RFID tag placed within its range, and output something capable of being resolved by a 74 series logic gate of any family, thus decipherable as the serial payload by a microcontroller etc. That doesn’t have to be a TTL-level-compliant gate, and can be a Schmitt trigger. Otherwise it’s up to you. If you do a write-up somewhere, I’d even write it up for Hackaday. So go on, have a go at this one. I’d love to see what awesome awfulness you come up with!
vPlayer Puts Smart Display in Palm of Your Hand
It’s not something we always think about, but the reality is that many of the affordable electronic components we enjoy today are only available to us because they’re surplus parts intended for commercial applications. The only reason you can pick up something like a temperature sensor for literal pennies is because somebody decided to produce millions of them for inclusion in various consumer doodads, and you just happened to luck out.
The vPlayer, from [Kevin Darrah] is a perfect example. Combining a 1.69 inch touch screen intended for smartwatches with the ESP32-S3, the vPlayer is a programmable network-connected display that can show…well, pretty much anything you want, within reason. As demonstrated in the video below, applications range from showing your computer’s system stats to pulling in live images and videos from the Internet.
Out of the box it will play videos stored on the SD card, though you’ll first have to run them through ffmpeg to get the format right. There’s also code written to have the vPlayer act as a weather display, or pull down data and images from public APIs.
The vPlayer is intended to be powered via the USB-C connection, but the VUSB and 3.3 V pins from the ESP32 are broken out on the back should you want to inject power that way. Just be warned, the documentation notes that doing so while plugged into USB may release the Magic Smoke. [Kevin] has also provided a 3D model of the vPlayer and its stock case, should you want to design your own 3D printed enclosure.
Admittedly, there’s nothing exactly groundbreaking about the vPlayer. You could easily roll your own version with existing modules. But as enjoyable as it can be to come up with your own solutions, there’s something to be said for this sort of polished, turn-key experience.
youtube.com/embed/3d0yMi3bVgc?…
Thanks to [LegoManACM] for the tip.
Lowering Your Noise Floor, the Easy Way
If there’s anything more annoying to an amateur radio operator than noise, we’re not sure what it could be. We’re talking about radio frequency noise, of course, the random broadband emissions that threaten to make it almost impossible to work the bands and pick out weak signals. This man-made interference is known as “QRM” in ham parlance, and it has become almost intolerable of late, as poorly engineered switch-mode power supplies have become more common.
But hams love a technical challenge, so when a nasty case of QRM raised its ugly head, [Kevin Loughlin (KB9RLW)] fought back. With an unacceptable noise floor of S8, he went on a search for the guilty party, and in the simplest way possible — he started flipping circuit breakers. Sure, he could have pulled out something fancier like a TinySA spectrum analyzer, but with his HF rig on and blasting white noise, it was far easier to just work through the circuits one by one to narrow the source down. His noise problem went away with the living room breaker, which led to pulling plugs one by one until he located the culprit: a Roomba vacuum’s charging station.
Yes, this is a simple trick, but one that’s worth remembering as at least a first pass when QRM problems creep up. It probably won’t help if the source is coming from a neighbor’s house, but it’s a least worth a shot before going to more involved steps. As for remediation, [Kevin] opts to just unplug the Roomba when he wants to work the bands, but if you find that something like an Ethernet cable is causing your QRM issue, you might have to try different measures.
youtube.com/embed/QVN5-cjgc6o?…
Harley-Davidson Nel Mirino Dei Cyber Criminali. 888 Rivendica una violazione dei dati
Recentemente, un attore di minacce in un forum clandestino ha pubblicato una presunta violazione dei dati.
Secondo quanto riportato, la celebre azienda americana Harley-Davidson sarebbe stata vittima di un data breach che avrebbe esposto migliaia di informazioni sensibili relative ai suoi clienti.
Al momento non possiamo confermare la veridicità della notizia, in quanto l’organizzazione non ha ancora rilasciato alcun comunicato stampa ufficiale sul proprio sito web in merito all’incidente. Pertanto, questo articolo deve essere considerato come una “fonte di intelligence”.
Dettagli della presunta violazione
Secondo quanto pubblicato dall’attore di minacce, la violazione dei dati avrebbe avuto luogo a dicembre 2024 e avrebbe portato all’esposizione di circa 66.700 record di dati dei clienti di Harley-Davidson. Il post sul forum indica che le informazioni compromesse includerebbero dettagli personali come nomi, indirizzi, email e altre preferenze relative ai veicoli.
E’ stato riportato un sample all’interno del forum che mostra una serie di dati presumibilmente esfiltrati dalle infrastrutture IT dell’azienda o da un fornitore terzo.
L’attacco è attribuito a un gruppo identificato con il nome “888”, con una ottima reputazione all’interno delle underground criminali e noto per aver pubblicato violazioni di rilievo e collegata al collettivo dei cyberniggers. Al momento, non sono disponibili ulteriori dettagli sulla metodologia utilizzata per condurre l’attacco o sulla natura della vulnerabilità sfruttata.
Informazioni sull’obiettivo degli attori della minaccia
Harley-Davidson è una delle più iconiche case motociclistiche del mondo, fondata nel 1903 negli Stati Uniti. L’azienda ha un fatturato stimato di 5,5 miliardi di dollari e opera in diversi mercati internazionali, fornendo motociclette, accessori e servizi finanziari ai suoi clienti.
Con una base di clienti estremamente fedele e una rete di concessionarie distribuita a livello globale, Harley-Davidson rappresenta un obiettivo di alto valore per i criminali informatici.
La presunta pubblicazione dei dati potrebbe avere gravi conseguenze per i clienti di Harley-Davidson. Informazioni personali come nomi, indirizzi e preferenze potrebbero essere utilizzate per scopi malevoli, tra cui il furto d’identità, frodi finanziarie e campagne di phishing mirate. Inoltre, l’esposizione di dati relativi ai veicoli potrebbe rappresentare un ulteriore rischio per la sicurezza personale degli utenti.
Dal punto di vista aziendale, una violazione di questa portata potrebbe danneggiare la reputazione del brand, oltre a generare potenziali sanzioni regolamentari qualora venissero accertate negligenze nella protezione dei dati.
Conclusione
Sebbene al momento non sia possibile confermare l’autenticità di questa presunta violazione, è fondamentale per le organizzazioni adottare pratiche avanzate di sicurezza informatica per prevenire incidenti di questo tipo. Si potrebbe ipotizzare anche di una violazione che non ha preso di mira i sistemi gestiti dal colosso del motociclismo, ma da una azienda terza, come spesso siamo abituati a constatare in questo ultimo periodo caratterizzandosi come un attacco alla supply-chain.
Come nostra abitudine, lasciamo sempre spazio a una dichiarazione dell’azienda, qualora volesse fornirci aggiornamenti sulla questione. Saremo lieti di pubblicare tali informazioni con un articolo specifico che evidenzi il problema.
RHC Dark Lab seguirà l’evolversi della situazione per pubblicare ulteriori notizie sul blog, qualora ci fossero aggiornamenti sostanziali. Se ci sono persone a conoscenza dei fatti che desiderano fornire informazioni in forma anonima, possono utilizzare l’e-mail criptata dell’informatore.
Questo articolo è stato redatto sulla base di informazioni pubbliche non ancora verificate dalle rispettive organizzazioni. Aggiorneremo i nostri lettori non appena saranno disponibili ulteriori dettagli.
L'articolo Harley-Davidson Nel Mirino Dei Cyber Criminali. 888 Rivendica una violazione dei dati proviene da il blog della sicurezza informatica.
Kerberoasting: Come FIN12 e APT40 Sfruttano il Protocollo Kerberos per Violare le Reti
In un panorama di minacce informatiche in continua evoluzione, è fondamentale per i professionisti della sicurezza rimanere informati sulle ultime tecniche di attacco e sulle strategie di difesa. Il Kerberoasting è una di queste tecniche, che negli ultimi anni ha guadagnato popolarità tra gli aggressori informatici, come dimostra l’aumento del suo utilizzo da parte di gruppi come FIN12, VICE SPIDER, APT40 e Akira.
Questo attacco, che prende di mira il protocollo di autenticazione Kerberos ampiamente utilizzato negli ambienti Active Directory di Microsoft consente agli aggressori di rubare credenziali e muoversi lateralmente all’interno di una rete, compromettendo potenzialmente interi sistemi e causando violazioni di dati, escalation di privilegi e interruzioni operative.
Questo articolo si propone di fornire un’analisi approfondita del Kerberoasting, esplorandone i meccanismi, le fasi di un attacco, gli strumenti utilizzati e le possibili contromisure. L’obiettivo è quello di rendere il concetto di Kerberoasting comprensibile sia agli esperti del settore che agli appassionati di cybersecurity, offrendo una panoramica completa e dettagliata di questa minaccia, come suggerito nel passaggio 7 delle istruzioni di ricerca.
Cos’è il Kerberoasting?
Il Kerberoasting è una tecnica di attacco “post-compromissione”, il che significa che viene utilizzata dopo che un aggressore ha già ottenuto un punto d’appoggio all’interno di una rete. L’attacco sfrutta una debolezza intrinseca del protocollo Kerberos, che consente a qualsiasi utente autenticato nel dominio di richiedere “ticket di servizio” per gli account associati a un Service Principal Name (SPN).
In parole semplici, un SPN è un identificativo univoco che associa un servizio a un account utente all’interno di Active Directory. Gli account di servizio sono utilizzati per eseguire applicazioni o servizi critici e spesso dispongono di privilegi elevati.
Il problema è che questi ticket di servizio sono crittografati utilizzando l’hash della password dell’account di servizio. Se la password è debole o facilmente indovinabile, l’aggressore può estrarre il ticket e decifrarlo offline, ottenendo l’accesso all’account di servizio e ai suoi privilegi.
Il protocollo Kerberos: Un breve ripasso
FASE 1: Autenticazione Iniziale
- Il client richiede un TGT
- Pre-autenticazione con timestamp cifrato
- Ricezione TGT e chiave di sessione TGS
FASE 2: Richiesta Ticket Servizio
- Presentazione TGT al TGS
- Generazione autenticatore
- Ricezione ticket servizio specifico
FASE 3: Autenticazione al Servizio
- Presentazione ticket servizio
- Verifica mutua (opzionale)
- Stabilimento sessione sicura
Elementi di Sicurezza:
- 🔐 Multiple chiavi di cifratura
- ⏰ Timestamp per prevenire replay attack
- 🎫 Ticket con tempo limitato di validità
- 🔄 Autenticazione mutua opzionale
Prima di addentrarci nei dettagli del Kerberoasting, è fondamentale comprendere il funzionamento del protocollo Kerberos. Kerberos è un protocollo di autenticazione progettato per garantire la sicurezza delle comunicazioni tra client e server in una rete. Il suo funzionamento si basa su un sistema di “ticket” che vengono rilasciati da un Key Distribution Center (KDC).
Il KDC è un componente fondamentale di Kerberos e funge da autorità di fiducia per l’autenticazione. Quando un utente desidera accedere a un servizio, il suo client invia una richiesta al KDC. Il KDC verifica l’identità dell’utente e, se l’autenticazione ha esito positivo, rilascia un Ticket Granting Ticket (TGT). Il TGT è essenzialmente una “chiave” che consente all’utente di richiedere ticket di servizio (service ticket) per accedere a specifici servizi.
I service ticket sono ciò che autorizza un utente ad accedere a un determinato servizio. Una parte di questo ticket è crittografata con l’hash della password dell’account del servizio, ed è proprio questo il punto debole che il Kerberoasting sfrutta.
Sfruttamento di Kerberos nel Kerberoasting
Gli aggressori sfruttano il fatto che qualsiasi utente autenticato può richiedere ticket di servizio, indipendentemente dai privilegi dell’account. Questi ticket, come menzionato in precedenza, sono crittografati con l’hash della password dell’account di servizio.
Ottenendo un numero sufficiente di ticket, l’aggressore può poi tentare di decifrarli offline, utilizzando tecniche di forza bruta o dizionari. La debolezza di molte password degli account di servizio rende questo attacco spesso efficace.
Le fasi di un attacco Kerberoasting
Un attacco Kerberoasting si articola in diverse fasi:
- Compromissione di un account: L’aggressore inizia compromettendo un account utente nel dominio. Questo può avvenire tramite diverse tecniche, come il phishing, l’utilizzo di malware o l’acquisto di credenziali sul dark web.
- Enumerazione degli SPN: Una volta ottenuto l’accesso al dominio, l’aggressore utilizza strumenti specifici per identificare gli account di servizio con SPN registrati in Active Directory. Questo può essere fatto tramite query LDAP, come mostrato nell’esempio seguente:
ldapsearch -h dc.domain.com -b "dc=domain,dc=com" -s sub "(servicePrincipalName=*)" -l userPrincipalName,servicePrincipalName
- Richiesta dei ticket di servizio: L’aggressore, sfruttando l’account compromesso, richiede al KDC i ticket di servizio per gli SPN identificati
- Estrazione dei ticket: I ticket di servizio vengono estratti dalla memoria del client utilizzando strumenti come Mimikatz o Rubeus.
- Cracking offline: L’aggressore utilizza strumenti di cracking offline, come John the Ripper o Hashcat, per decifrare i ticket di servizio e ottenere le password in chiaro degli account di servizio.
- Escalation dei privilegi: Con le password degli account di servizio, l’aggressore può ottenere privilegi elevati e muoversi lateralmente all’interno della rete, compromettendo altri sistemi e dati.
Strumenti e tecniche di attacco
Esistono diversi strumenti e tecniche che gli aggressori possono utilizzare per eseguire un attacco Kerberoasting. Alcuni degli strumenti più diffusi includono:
Approfondimento sugli strumenti:
- Rubeus e Invoke-Kerberoast: Questi strumenti, spesso utilizzati in combinazione, permettono di automatizzare l’intero processo di Kerberoasting, dall’enumerazione degli SPN all’estrazione dei ticket.
- Impacket: Offre una suite completa di strumenti per l’attacco, tra cui GetUsersSPNs.py, specifico per Kerberoasting.
- Hashcat: L’utilizzo di GPU con Hashcat permette di accelerare notevolmente il processo di cracking, rendendo l’attacco più efficace.
Contromisure e best practice
Fortunatamente, esistono diverse contromisure che le organizzazioni possono adottare per mitigare il rischio di Kerberoasting:
- Password robuste: Implementare policy di password robuste per tutti gli account di servizio, con una lunghezza minima di 15 caratteri, complessità (maiuscole, minuscole, numeri e simboli), casualità e rotazione regolare.
- Managed Service Accounts (MSA): Utilizzare gli MSA per gli account di servizio, in quanto le password vengono gestite automaticamente dal dominio e sono più complesse e difficili da decifrare.
- Limitazione dei privilegi: Limitare i privilegi degli account di servizio al minimo indispensabile, evitando di assegnarli al gruppo Domain Admins.
- Monitoraggio degli eventi: Monitorare i log di Active Directory per individuare attività sospette, come un numero eccessivo di richieste di ticket di servizio da parte di un singolo utente. Ad esempio, monitorare l’Event ID 4769 per le richieste TGS, prestando attenzione al tipo di crittografia (0x17 per RC4-HMAC) e a eventuali anomalie.
- Utilizzo di strumenti di rilevamento: Impiegare strumenti di rilevamento avanzati, come Vectra AI, che possono aiutare a identificare attività sospette indicative di Kerberoasting e altre tecniche di furto di credenziali.
- Educazione degli utenti: Sensibilizzare gli utenti sui rischi del phishing e di altre tecniche di ingegneria sociale che possono essere utilizzate per compromettere gli account.
Consigli pratici:
- Configurazione delle policy di password: Utilizzare Group Policy per applicare le policy di password a tutti gli account di servizio. Definire regole specifiche per la lunghezza, la complessità e la rotazione delle password.
- Monitoraggio dei log: Implementare un sistema di Security Information and Event Management (SIEM) per raccogliere e analizzare i log di Active Directory. Configurare alert per eventi sospetti, come un numero elevato di richieste TGS da un singolo IP.
- Analisi delle vulnerabilità: Eseguire regolarmente scansioni di vulnerabilità per identificare account di servizio con password deboli o configurazioni errate.
Rilevamento del Kerberoasting
Rilevare un attacco Kerberoasting può essere complesso, in quanto molte azioni svolte dall’aggressore simulano il comportamento di un utente normale. Tuttavia, ci sono alcuni segnali che possono indicare un attacco in corso:
- Richieste anomale di ticket di servizio: Un utente che richiede un numero elevato di ticket di servizio per diversi SPN in un breve periodo di tempo può essere un segnale di Kerberoasting.
- Utilizzo di strumenti sospetti: L’esecuzione di strumenti come Mimikatz o Rubeus su una macchina client può indicare un tentativo di estrazione dei ticket.
- Attività sospette nei log di eventi: Monitorare i log di eventi per identificare richieste TGS anomale, come quelle che utilizzano la crittografia RC4-HMAC (tipo 0x17).
Tecniche di rilevamento avanzate:
- Honeypot: Creare un account “esca” con un SPN associato a un servizio inesistente. Qualsiasi richiesta di ticket per questo SPN sarà un chiaro segnale di un attacco Kerberoasting.
- Analisi del traffico di rete: Monitorare il traffico di rete per identificare comunicazioni anomale con il KDC, come un numero elevato di richieste TGS provenienti da un singolo client.
Il futuro del Kerberoasting
Nonostante le contromisure disponibili, il Kerberoasting rimane una minaccia persistente. L’evoluzione delle tecniche di attacco e l’utilizzo di strumenti sempre più sofisticati, come l’accelerazione GPU per il cracking delle password rendono necessario un continuo aggiornamento delle strategie di difesa.
Possibili direzioni di ricerca e sviluppo:
- Miglioramento delle tecniche di rilevamento: Sviluppare nuovi metodi per identificare gli attacchi Kerberoasting in modo più efficace, ad esempio utilizzando l’intelligenza artificiale e il machine learning.
- Sviluppo di nuovi strumenti di prevenzione: Creare strumenti che impediscano l’estrazione dei ticket di servizio o che rendano più difficile il cracking offline.
- Miglioramento della sicurezza del protocollo Kerberos: Introdurre nuove funzionalità di sicurezza nel protocollo Kerberos per renderlo più resistente agli attacchi.
Conclusioni
Il Kerberoasting rappresenta una minaccia reale e crescente per gli ambienti Active Directory. La sua efficacia è in aumento grazie all’utilizzo di GPU per accelerare le tecniche di cracking delle password. Tuttavia, con una corretta implementazione delle contromisure e una costante attenzione alla sicurezza, le organizzazioni possono ridurre significativamente il rischio di subire attacchi Kerberoasting e proteggere i propri dati e sistemi.
È importante sottolineare che il Kerberoasting è solo una delle tante tecniche di attacco che gli aggressori possono utilizzare per compromettere gli ambienti Active Directory. Per una protezione completa, è fondamentale adottare un approccio olistico alla sicurezza, che includa la protezione delle identità, il monitoraggio delle attività sospette e l’aggiornamento costante delle policy di sicurezza. La sicurezza di Active Directory è un elemento cruciale per la sicurezza informatica di un’organizzazione, e la sua protezione richiede un impegno continuo e una strategia multilivello.
L'articolo Kerberoasting: Come FIN12 e APT40 Sfruttano il Protocollo Kerberos per Violare le Reti proviene da il blog della sicurezza informatica.
Fan Made Dreamcast Port of GTA 3 Steals The Show
As it turns out, Sega’s long defunct Dreamcast console is still thinking. The company behind the machine cut support long ago due in part to the commercial pressures applied by Sony’s PlayStation 2 console, but that never stopped the most dedicated of Dreamcast fans from seeking out its true potential. Thanks to [Stefanos] and his team, the genre defining Grand Theft Auto III (GTA 3), can now run on Sega’s hardware. Their combined efforts have yielded a fully playable port of the PC version of the game for the Dreamcast.
The porting effort was years in the making. It began with reverse engineering the entire source code of GTA 3 then implementing it into the homebrew SDK for the Dreamcast, KallistiOS. All the in-game graphic and sound assets are only pulled from a user provided PC copy of the game. Steps for those seeking to compile a bootable Dreamcast image of their own have been provided on the project’s website. Real hardware enthusiasts will be pleased as the port runs fine on the twenty-five year old Dreamcast as evidenced in the video below.
This port of GTA 3 represents what could have been a true butterfly effect moment in console gaming history. The game was a major hit in the early days of the PlayStation 2, and it has been theorized that it could have proven to be a major commercial success for Sega as well had it been pressed onto a Dreamcast GD-ROM disc. Recently one of the original developers of GTA 3, Obbe Vermejj, divulged that the game actually began development on the Dreamcast. The project was obviously transferred onto PlayStation 2 for commercial reasons, but with this port from [Stefanos] and crew we no longer have to dream of what could have been.
youtube.com/embed/kFS4o7AcqHI?…
Re-engineering Potatoes To Remove Their All-Natural Toxins
Family Solanum (nightshade) is generally associated with toxins, and for good reasons, as most of the plants in this family are poisonous. This includes some of everyone’s favorite staple vegetables: potatoes, tomatoes and eggplant, with especially potatoes responsible for many poisonings each year. In the case of harvested potatoes, the chemical responsible (steroidal glycoalkaloids, or SGA) is produced when the potato begins to sprout. Now a team of researchers at the University of California have found a way to silence the production of the responsible protein: GAME15.
The research was published in Science, following earlier research by the Max Planck Institute. The researchers deleted the gene responsible for GAME15 in Solanum nigrum (black nightshade) to confirm that the thus modified plants produced no SGA. In the case of black nightshade there is not a real need to modify them as – like with tomatoes – the very tasty black berries they produce are free of SGA, and you should not eat the SGA-filled and very bitter green berries anyway, but it makes for a good test subject.
Ultimately the main benefits of this research appear to be in enriching our general understanding of these self-toxicity mechanisms of plants, and in making safer potatoes that can be stored without worries about them suddenly becoming toxic to eat.
Top image: Different potato varieties. (Credit: Scott Bauer, USDA ARS)
When The EU Speaks, Everyone Charges The Same Way
The moment everyone has been talking about for years has finally arrived, the European Union’s mandating of USB charging on all portable electronic devices is now in force. While it does not extend beyond Europe, it means that there is a de facto abandonment of proprietary chargers in other territories too. It applies to all mobile phones, tablets, digital cameras, headphones, headsets, game consoles, portable speakers, e-readers, keyboards, mice, portable navigation systems and earbuds, and from early 2026 it will be extended to laptops.
Hackaday readers will probably not need persuading as to the benefits of a unified charger, and truth be told, there will be very few devices that haven’t made the change already. But perhaps there’s something more interesting at work here, for this moment seals the place of USB-C as a DC power connector rather than as a data connector that can also deliver power.
Back in 2016 we lamented the parlous state of low voltage DC power standards, and in the time since then we’ve arrived at a standard involving ubiquitous and commoditised power supplies, cables, and modules which we can use for almost any reasonable power requirement. You can thank the EU for that mobile phone now having the same socket as its competitor, but you can thank the USB Implementers Forum for making DC power much simpler.
38C3: Save Your Satellite with These Three Simple Tricks
BEESAT-1 is a 1U cubesat launched in 2009 by the Technical University of Berlin. Like all good satellites, it has redundant computers onboard, so when the first one failed in 2011, it just switched over to the second. And when the backup failed in 2013, well, the satellite was “dead” — or rather sending back all zeroes. Until [PistonMiner] took a look at it, that is.
Getting the job done required debugging the firmware remotely — like 700 km remotely. Because it was sending back all zeroes, but sending back valid zeroes, that meant there was something wrong either in the data collection or the assembly of the telemetry frames. A quick experiment confirmed that the assembly routine fired off very infrequently, which was a parameter that’s modifiable in SRAM. Setting a shorter assembly time lead to success: valid telemetry frame.
Then comes the job of patching the bird in flight. [PistonMiner] pulled the flash down, and cobbled together a model of the satellite to practice with in the lab. And that’s when they discovered that the satellite doesn’t support software upload to flash, but does allow writing parameter words. The hack was an abuse of the fact that the original code was written in C++. Intercepting the vtables let them run their own commands without the flash read and write conflicting.
Of course, nothing is that easy. Bugs upon bugs, combined with the short communication window, made it even more challenging. And then there was the bizarre bit with the camera firing off after every flash dump because of a missing break in a case statement. But the camera never worked anyway, because the firmware didn’t get finished before launch.
Challenge accepted: [PistonMiner] got it working, and after fifteen years in space, and ten years of being “dead”, BEESAT-1 was taking photos again. What caused the initial problem? NAND flash memory needs to be cleared to zeroes before it’s written, and a bug in the code lead to a long pause between the two, during which a watchdog timeout fired and the satellite reset, blanking the flash.
This talk is absolutely fantastic, but may be of limited practical use unless you have a long-dormant satellite to play around with. We can nearly guarantee that after watching this talk, you will wish that you did. If so, the Orbital Index can help you get started.
Release Your Inner Ansel Adams With The Shitty Camera Challenge
Social media microblogging has brought us many annoying things, but some of the good things that have come to us through its seductive scrolling are those ad-hoc interest based communities which congregate around a hashtag. There’s one which has entranced me over the past few years which I’d like to share with you; the Shitty Camera Challenge. The premise is simple: take photographs with a shitty camera, and share them online. The promise meanwhile is to free photography from kit acquisition, and instead celebrate the cheap, the awful, the weird, and the wonderful in persuading these photographic nonentities to deliver beautiful pictures.
Where’s The Hack In Taking A Photo?
Of course, we can already hear you asking where the hack is in taking a photo. And you’d be right, because any fool can buy a disposable camera and press the shutter a few times. But from a hardware hacker perspective this exposes the true art of camera hacking, because not all shitty cameras can produce pictures without some work.
The #ShittyCameraChallenge has a list of cameras likely to be considered shitty enough, they include disposables, focus free cameras, instant cameras, and the cheap plastic cameras such as Lomo or Holga. But also on the list are models which use dead film formats, and less capable digital cameras. It’s a very subjective definition, and thus in our field everything from a Game Boy camera or a Raspberry Pi camera module to a home-made medium format camera could be considered shitty. Ans since even the ready-made shitty cameras are usually cheap and unloved second-hand, there’s a whole field of camera repair and hacking that opens up. Finally, here’s a photography competition that’s fairly and squarely on the bench of Hackaday readers.
A Whole World Of Shitty Awesomeness Awaits!
Having whetted your appetite, it’s time to think about the different routes into camera hacking. Perhaps the simplest is to take a camera designed for an obsolete film format, and make a cartridge or spool that takes a commonly available film instead. Perhaps resurrecting an entire home movie standard is a little massochistic, but Thingiverse is full of 3D-printable adapters for more everyday film. Or you could make your own, as I did for my 1960s Agfa Rapid snapshot camera.
If hacking film cartridges seems a little low-tech, a camera whether film or digital is a simple enough device mechanically that making your own is not out of the question. At its simplest a pinhole camera can be made from trash, but we think if you’re handy with a CAD package and a 3D printer you should be able to do something better. Don’t be afraid to combine self-made parts with those from manufactured cameras; when every second hand store has a pile of near-worthless old cameras for relative pennies it makes sense to borrow lenses or other parts from this boanaza. And finally, you don’t need to be a film lover to join the fun, if a Raspberry Pi or an ESP cam module floats your boat, you can have a go at the software side too. As a hint, take a look on AliExpress for a much wider range of camera modules and lenses than the ones supplied with either of these boards.
If I’m exhorting readers to have a go with a shitty camera then, perhaps I should lead by example. Past entries of mine have come from that Agfa Rapid cartridge I mentioned, but for their current outing I’ve gone for a mixture of new and old. The new isn’t a hack, I just like those toy cameras with the thermal printers, but the old one has been quite a project. Older consumer grade Polaroid pack film instant cameras are particularly unloved, so I’ve 3D-printed a new back for mine that takes a 120 roll film. It’s an ungainly camera to take to the streets with, but now I’ve finished all that 3D printing I hope I’ll get those elusive dreamy black and white landscapes on my poll of FomaPan 100.
If you want to try the #ShittyCameraChallenge, hack together a shitty camera and get shooting. Its current iteration lasts until the 1st of February, so you should have some time left to post your best results on Mastodon. Good luck!
Stati Uniti verso la Crisi Energetica. Come i Data Center Minano la Stabilità della Rete
Negli Stati Uniti i data center stanno proliferando a un ritmo incredibile, consumando enormi quantità di energia e mettendo a dura prova le reti elettriche. Nuovi dati mostrano che l’impatto dei data center va oltre il semplice consumo di energia, interrompendo la fornitura di energia elettrica stabile per milioni di famiglie.
Secondo un’analisi di Bloomberg , oltre il 75% dei casi di disturbi significativi della qualità dell’energia si sono verificati entro un raggio di 50 miglia da grandi data center.
Ciò è particolarmente vero in aree come Chicago e il Data Center Alley della Virginia settentrionale. In queste aree si osservano indicatori che superano gli standard accettabili.
Distribuzione dei disturbi elettrici nei pressi dei data center ( Bloomberg)
Il problema principale è diventato la distorsione armonica: deviazioni delle onde elettriche dalla loro forma ideale che sovraccaricano i dispositivi domestici, causando surriscaldamento, guasti e riduzione della durata. In alcuni casi, ciò può causare incendi e altri incidenti gravi.
Whisker Labs, società che monitora la qualità dell’energia, ha registrato che la maggior parte dei problemi sono concentrati vicino ai grandi data center. Ad esempio, nella contea di Prince William, in Virginia, quasi il 6% dei sensori mostra una distorsione superiore all’8%, una soglia critica oltre la quale iniziano i guasti alle apparecchiature.
Gli esperti sottolineano che i data center stanno esercitando una pressione senza precedenti sul sistema energetico. Consumano decine di migliaia di volte più elettricità di una casa tipica e il loro numero continua a crescere rapidamente. Ciò provoca instabilità nella rete e aggrava le sfide legate all’invecchiamento delle infrastrutture, al crescente numero di veicoli elettrici e alle condizioni meteorologiche estreme.
L’aumento del consumo di elettricità negli Stati Uniti (che si prevede aumenterà del 16% nei prossimi 5 anni) rende la situazione ancora peggiore. Senza una modernizzazione su larga scala delle reti e l’installazione di filtri aggiuntivi per eliminare la distorsione armonica, le conseguenze possono essere catastrofiche.
Alcune aziende hanno già iniziato a sviluppare soluzioni per migliorare la qualità dell’energia. In Virginia, dove sono concentrati un gran numero di data center, si stanno costruendo nuove linee elettriche e trasformatori per isolare i grandi consumatori dalle reti domestiche. Tuttavia, per la maggior parte delle regioni tali misure rimangono inaccessibili a causa dei costi elevati e della mancanza di un quadro normativo.
Per risolvere il problema sono necessari un monitoraggio e una regolamentazione più attenti, dicono gli esperti. La maggior parte dei servizi pubblici non dispone degli strumenti per analizzare la qualità dell’energia a livello domestico, quindi la distorsione della qualità dell’energia rimane una minaccia sottovalutata.
Finché i data center continueranno a essere costruiti vicino alle principali città e nelle aree rurali, l’impatto sulla rete elettrica aumenterà. Gli esperti chiedono uno sviluppo più rapido di misure per affrontare queste minacce nascoste e garantire agli americani un approvvigionamento energetico affidabile e sicuro.
L'articolo Stati Uniti verso la Crisi Energetica. Come i Data Center Minano la Stabilità della Rete proviene da il blog della sicurezza informatica.
Keebin’ with Kristina: the One with the Copycat Keyboard
This is Crater75, an almost completely from-scratch row-staggered wireless split board that [United_Parfait_6383] has been working on for a few months. Everything but the keycaps and switches is DIY.
I’m not sure what’s going on internally, but the two sides connect with magnets, and either side’s USB-C can be used to charge the board. Both sides have a 2100 mAh Li-Po battery, and the average current of the OLED displays is low enough that the board can run for months on a single charge.
The switches are Gateron low-profiles and are wearing keycaps recycled from a Keychron, which add to the professional finish. Speaking of, the enclosures were manufactured by JLC3DP using the Nylon Multi-Jet Fusion process, but [United_Parfait_6383] says the left side feels too light, so the next revision will likely be CNC’d aluminium. Be sure to check out this short video of Crater75 in action.
Markov Keyboard Layout Changes Based on Frequency
For many people, QWERTY just doesn’t cut it. You’ve got your Dvorak devotees, the Colemak clan, and, well, if you’re not content with any of those, it just gets crazier from there.
Yep, the layout changes as you type. It updates itself to move the letters that frequently come next to the home row.
Let’s say you only type the word Hackaday all day. After a short while, all the letters you need would be on the home row. I’m not sure whether they update left-to-right or what. But updating randomly would be even more fun, wouldn’t it? Of course it would.
While this one would make a good case for screens on every switch, that’s not entirely necessary here. It operates as an emacs library that updates constantly, showing the current layout.
The Centerfold: Sunshine On Your Desk
Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!
Historical Clackers: the Coffman Pocket Typewriter
It’s easy to think of a keyboard that can fit in your pocket as a strictly modern device, but the Coffman pocket index typewriter dates back to 1902. Costing a mere $5 after a single lifetime price increase, the Coffman was ultimately destined to fail, even at that price ($160 in 2024 money).
Although the idea of the index typewriter would live on in the form of the embossing label maker, its time as a popular item one uses to produce documents from wherever had come and gone. After all, by this time, there were tiny Underwood machines and Blickensderfers about that served the purpose much faster, if nothing else.
The Coffman, renamed the Popular in 1905, came in two versions — with and without a platen made of wood, interestingly enough. The one you see here does have a platen. The version without would print directly on to a sheet of paper.
Operationally, the Coffman used a rubber strip type element to print both upper and lower case letters. Ink was transferred via rollers. Unfortunately, the machine had no bell, line indicator, or Backspace.
The Antikey Chop finds no mention of the Coffman or the Popular after 1907, so the machine probably just quietly failed. Dr. Coffman did okay for himself, though. Not only did he have a medical practice, he was a professor of physiology, a Sunday school superintendent, and even a published poet.
“I Didn’t Expect To See My Keyboard On AliExpress.”
They say imitation is the sincerest form of flattery. But you know, I’m not sure I’d be quite so calm as [Squalius-cephalus] is being about this whole thing.
It started when [Squalius-cephalus] got a comment on YouTube from someone who found one of their silakka54 boards on Ali. This is an upgrade from their previous board, which lacked a number row, and was designed just a few months ago.
[Squalius-cephalus] went a-browsing and found multiple listings for the ’54. They say they don’t understand why Ali chose to copy the ’54, because the firmware is quite bare-bones. But hey, once an idea is out there, it belongs to the ether, right? Looks like redditor [alarin] ordered one and will have an update on quality and usability next month.
Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.
Bringing OpenStreetMap Data into Minecraft
Over the years, dedicated gamers have created incredible recreations of real (and not so real) locations and structures within the confines of Minecraft. Thanks to their efforts, you can explore everything from New York city to Middle Earth and the U.S.S. Enterprise in 1:1: scale.
But what if you wanted to recreate your own town, and didn’t have the hundreds of hours of spare time necessary to do it by hand? Enter Arnis, an open source project from [Louis Erbkamm] that can pull in geographic data from OpenStreetMap and turn it into a highly detailed Minecraft map with just a few keystrokes.
Once generated, the map can be loaded into the Java Edition of Minecraft. This refers to the original build of the game that predates the Microsoft buyout. Once Redmond took over they spearheaded a new version of the game written in C++ which was then ported over to mobile operating systems and game consoles. Long story short, if you want to wander around a Minecraft version of your home town, you’ll have to do it on your desktop computer instead of your Nintendo Switch.
While the tool is usable in its current state, [Louis] has a fairly long list of features that either still need to be implemented or could use some improvements. From the number of pull requests that have been merged in, it looks like any assistance the community can provide to make Arnis as capable as possible is welcome, so feel free to lend a hand if you’ve got that geospatial fever.
We’ve seen several examples of hackers bringing objects from Minecraft into the physical world, so it’s refreshing to see a bit of our reality sneaking into the game’s blocky universe.
The Twisted History of Ethernet on Twisted Pair Wiring
We all take Ethernet and its ubiquitous RJ-45 connector for granted these days. But Ethernet didn’t start with twisted pair cable. [Mark] and [Ben] at The Serial Port YouTube channel are taking a deep dive into the twisted history of Ethernet on twisted pair wiring. The earliest forms of Ethernet used RG-8 style coaxial cable. It’s a thick, stiff cable requiring special vampire taps and lots of expensive equipment to operate.
The industry added BNC connectors and RG-58 coax for “cheapernet” or 10Base2. This reduced cost, but still had some issues. Anyone who worked in an office wired with 10Base2 can attest to the network drops whenever a cable was kicked out or a terminator was dropped.
The spark came when [Tim Rock] of AT&T realized that the telephone cables already installed in offices around the world could be used for network traffic. [Tim] and a team of engineers from five different companies pitched their idea to the IEEE 802.3 committee on Feb 14, 1984.
The idea wasn’t popular though — Companies like 3COM, and Digital Equipment Corporation had issues with the network topology and the wiring itself. It took ten years of work and a Herculean effort by IEEE committee chairwoman [Pat Thaler] to create the standard the world eventually came to know as 10Base-T. These days we’re running 10 Gigabit Ethernet over those same connectors.
For those who don’t know, this video is part of a much larger series about Ethernet, covering both history and practical applications. We also covered the 40th anniversary of Ethernet in 2020.
youtube.com/embed/f8PP5IHsL8Y?…
Buongiorno Italia: NoName057(16) lancia il terzo round di attacchi DDoS
Il gruppo pro-russo NoName057(16) ha ripreso a colpire le infrastrutture italiane con una serie di attacchi DDoS (Distributed Denial of Service), intensificando le loro attività dopo due round di offensive iniziati il giorno di Santo Stefano.
Questo collettivo di hacktivisti è noto per condurre campagne coordinate contro enti governativi e aziende di paesi considerati ostili alla Russia, utilizzando tecniche di attacco ormai consolidate ma ancora efficaci.
NoName057(16) è un gruppo di hacktivisti che opera principalmente per motivazioni politiche. Con una chiara affiliazione alla causa russa, il collettivo si è fatto conoscere per attacchi DDoS rivolti a infrastrutture strategiche e siti istituzionali di diversi paesi europei, spesso in risposta a posizioni filo-ucraine o a supporto di sanzioni contro la Russia.
Il gruppo agisce tramite canali Telegram dedicati, dove rivendica le proprie operazioni e incoraggia il coinvolgimento di sostenitori, anche attraverso l’uso di strumenti che facilitano la partecipazione agli attacchi.
Gli attacchi DDoS: una tecnica vecchia quanto il mondo
Gli attacchi DDoS sono una delle tecniche più antiche nel panorama delle minacce informatiche.
La loro finalità è saturare i server target con un volume enorme di richieste di accesso, fino a provocarne il collasso. Durante un attacco, i servizi diventano inaccessibili, causando disagi agli utenti. Tuttavia, una volta terminata l’offensiva, i sistemi tornano rapidamente alla piena operatività senza danni permanenti né perdita di dati, poiché i DDoS non comportano esfiltrazione o compromissione delle informazioni.
Nonostante la semplicità di questa tecnica, la sua efficacia è amplificata dalla possibilità di orchestrare attacchi massivi tramite reti di botnet, utilizzando dispositivi compromessi per amplificare il volume di traffico generato.
Le difese moderne contro i DDoS
Oggi, esistono tecnologie avanzate in grado di mitigare gli effetti degli attacchi DDoS, filtrando il traffico anomalo su diversi livelli della pila OSI. Questi strumenti analizzano i flussi di dati in tempo reale, identificano le richieste malevole e garantiscono il normale funzionamento dei servizi critici.
Tra le soluzioni più efficaci figurano:
- Sistemi di pulizia del traffico: filtri intelligenti che distinguono tra traffico legittimo e quello generato dall’attacco.
- CDN (Content Delivery Network): distribuzione dei contenuti su server globali per ridurre l’impatto degli attacchi localizzati.
- Rate Limiting e WAF (Web Application Firewall): protezioni avanzate a livello di rete e applicazione.
Conclusioni
Gli attacchi DDoS, sebbene tecnologicamente datati, rimangono una minaccia concreta, soprattutto quando orchestrati da gruppi organizzati come NoName057(16). Tuttavia, l’evoluzione delle tecnologie di difesa offre strumenti sempre più efficaci per mitigare questi rischi, garantendo la continuità operativa anche durante offensive massicce.
Mentre il gruppo continua a prendere di mira infrastrutture italiane, questo episodio è un chiaro monito per rafforzare le misure di difesa e prevenzione a livello nazionale, così da garantire la resilienza delle infrastrutture critiche di fronte a minacce sempre più frequenti.
L'articolo Buongiorno Italia: NoName057(16) lancia il terzo round di attacchi DDoS proviene da il blog della sicurezza informatica.