The Privacy Post reshared this.


Potential Cure For All of England’s Beta Thalassemia Patients Within Reach


Beta thalassemia and sickle cell are two red blood cell disorders which both come with massive health implications and shortened lifespans, but at least for UK-based patients the former may soon be curable with a fairly new CRISPR-Cas9 gene therapy (Casgevy) via the UK’s National Health Service (NHS). Starting with the NHS in England, the therapy will be offered to the approximately 460 β thalassemia patients in that part of the UK at seven different NHS centers within the coming weeks.

We previously covered this therapy and the way that it might offer a one-time treatment to patients to definitively cure their blood disorder. In the case of β thalassemia this is done by turning off the defective adult hemoglobin (HbA) production and instead turning the fetal hemoglobin (HbF) production back on. After eradicating the bone marrow cells with the defective genes, the (externally CRISPR-Cas9 modified) stem cells are reintroduced as with a bone marrow transplant. Since this involves the patient’s own cells, no immune-system-suppressing medication is necessary, and eventually the new cells should produce enough HbF to allow the patient to be considered cured.

So far in international trials over 90% of those treated in this manner were still symptom-free, raising the hope that this β thalassemia treatment is indeed a life-long cure.

Top image: A giemsa stained blood smear from a person with beta thalassemia. Note the lack of coloring. (Credit: Dr Graham Beards, Wikimedia Commons)



Robot Arm Gives Kids the Roller Coaster Ride of their Lives

Unfortunately, [Dave Niewinski]’s kids are still too little to go on a real roller coaster. But they’re certainly big enough to be tossed around by this giant robot arm roller coaster simulator.

As to the question of why [Dave] has a Kuka KR 150 robot in his house, we prefer to leave that unasked and move forward. And apparently, this isn’t his first attempt at using the industrial robot as a motion simulator. That attempt revealed a few structural problems with the attachment between the rider’s chair and the robot’s wrist. After redesigning the frame with stouter metal and adding a small form-factor gaming PC and a curved monitor in front of the seat, [Dave] was ready to figure out how to make the arm simulate the motions of a roller coaster.

Now, if you ever thought the world would be a better place if only we had a roller coaster database complete with 4k 60 fps video captured from real coasters, you’re in luck. CoasterStats not only exists, but it also includes six-axis accelerometer data from real rides of coasters across Europe. That gave [Dave] the raw data he needed, but getting it translated into robot motions that simulate the feeling of the ride was a bit tricky. [Dave] goes into the physics of it all in the video below, but suffice it to say that the result is pretty cool.

More after the break.

Before anyone gets the urge to call Family Services and report [Dave], know that he seems to have taken great care not to build something that’ll turn the kids into jelly. He describes the safety systems in an earlier video, but the basics are laser light curtains to keep the arm within a small safe window, an e-stop switch, and limiting the acceleration to 1 g even when the real coaster would be giving its riders a good beating. That’s probably less than something like this real backyard coaster generates.

youtube.com/embed/XY91Fbsc1Fs?…



3D Printed Jet Engine Goes Turbo

Printing a model jet engine is quite an accomplishment. But it wasn’t enough for [linus3d]. He wanted to redesign it to have a turbojet, an afterburner, and a variable exhaust nozzle. You can see how it all goes together in the video below.

This took months of work and it shows. This probably won’t make a good rainy-day weekend project. You do need a few ball bearings and some M2 hardware, but it is mostly 3D printed.

True turbojets are most often found on military planes. They are loud, don’t perform well at low speeds, and are generally not very efficient. A variation, the turbofan, is what you usually find on passenger jets. They are quieter and work better at low speeds, but have more parts and, thus, more maintenance.

Unlike a true turbojet, turbofan engines have a cold section and a hot section. The bypass ratio refers to how much air flows through the cold path relative to the amount flowing through the hot path. This cold air provides additional thrust, making the turbofan engine more efficient, especially at lower speeds. The reduced demand on the hot air thrust also reduces the amount of noise.

Plastic isn’t going to cut it for a real jet engine, although you can 3D print some parts of one. Bonus hacker cred if you build your jet engine by hand.

youtube.com/embed/q-FUjxFJqak?…



Be your own DJ with QN8066 and an Arduino Library

The QN8066 is a fun little FM transmitter chip. It covers the full FM broadcast band and has built-in DSP. You would find this sort of part in car cell phone adapters before every vehicle included Bluetooth or an AUX port. [Ricardo] has created an Arduino library to bring the QN8066 to the masses.

The chip is rather easy to use – control is handled with a common I2C interface. All the complex parts – Phase Locked Loop (PLL), RF front end, power management, and audio processing are all hidden inside. [Ricardo’s] library makes it even easier to use. One of the awesome features of the 8066 is the fact that it handles Radio Data System (RDS). RDS is the subcarrier datastream that allows FM stations to inject information like song title and artist into the signal. The data is then displayed on your radio screen.

You can find the source to [Ricardo’s] library on GitHub. Using it is as simple as picking it up from the Arduino IDE.

If you are looking for an RDS-enabled radio to test out your QN8066 design, you wouldn’t do too bad with this Gameboy cartridge receiver.

Click through the break for a video from [Ricardo] explaining his QN8066 design.

youtube.com/embed/C69MqLq1cw8?…



Better Living Through Hackery

Hackaday’s own [Arya Voronova] has been on a multi-year kick to make technology more personal by making it herself, and has just now started writing about it. Her main point rings especially true in this day and age, where a lot of the tech devices we could use to help us are instead used to spy on us or are designed to literally make us addicted to their services.

The project is at the same time impossible and simple. Of course, you are not going to be able to build a gadget that will bolster all of your (perceived or otherwise) personal weaknesses in one fell swoop. But what if you start looking at them one at a time? What if you start building up the good habits with the help of a fun DIY project?

That’s where [Arya]’s plan might just be brilliant. Because each project is supposed to be small, it forces you to focus on one specific problem, rather than getting demoralized at the impossibility of becoming “better” in some vague overall sense. Any psychologist would tell you that introspection and dividing up complex problems are the first steps. And what motivates a hacker to take the next steps? You got it, the fun of brainstorming, planning, and building a nice concrete DIY project. It’s like the ultimate motivation, Hackaday style.

And DIY solutions are a perfect match to personal problems. Nothing is so customizable as what you design and build yourself from the ground up. DIY means making exactly what you need, or at least what you think you need. Iteration, improvement, and the usual prototyping cycle applied to personal growth sounds like the ideal combo, because that’s how the tech works, and that’s also how humans work. Of course, even the coolest DIY gadget can’t instantly make you more mindful, for instance, but if it’s a tool that helps you get there, I don’t think you could ask for more.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!



Downgrade Vulnerabilities Threaten the Security of Windows 10, 11 and Server

SafeBreach specialist Alon Leviev spoke at the Black Hat 2024 conference about two 0-day vulnerabilities that can be used in downgrade attacks. As a result, fully updated systems running Windows 10, Windows 11 and Windows Server become vulnerable again to old bugs. Patches for these issues are not yet available.

Microsoft has issued security advisories addressing these vulnerabilities (CVE-2024-38202 and CVE-2024-21302) and has also published mitigation recommendations that can be applied until the patches are released.

Downgrade attacks can force a fully updated target device to revert to earlier versions of its software, reintroducing exploitable vulnerabilities.

Leviev found that the Windows Update process can be forced to downgrade critical operating system components, including DLLs and the NT kernel. Although these components become outdated, when checked with Windows Update the operating system reports that it is fully up to date and detects no problem.

The researcher was also able to downgrade the Credential Guard Secure Kernel, the Isolated User Mode process and Hyper-V in order to exploit old privilege escalation vulnerabilities.

“I discovered several ways to disable Windows VBS security, including Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when UEFI locks are in use. As far as I know, this is the first time the UEFI locks in VBS have been bypassed without physical access,” says Leviev. “As a result, I was able to make a fully updated Windows machine susceptible to thousands of old vulnerabilities, turning already-fixed vulnerabilities into 0-days and making the term “fully patched” meaningless for any Windows system in the world.”

According to the expert, such a downgrade attack is almost impossible to detect, because it is not blocked by EDR solutions and Windows Update considers the device fully up to date.

Leviev informed Microsoft representatives of the vulnerabilities in February 2024. However, the company stated that it is still working on fixing them.

As the developers explain, the Windows Backup privilege escalation vulnerability CVE-2024-38202 allows attackers with basic privileges to undo patches for previously fixed bugs or bypass VBS (Virtualization Based Security) features. Attackers with administrative rights can exploit the issue to escalate privileges and replace Windows system files with outdated, vulnerable versions.

Microsoft stated that the company is not currently aware of any attempts by attackers to exploit the vulnerabilities and advised following the recommendations in the above security advisories to reduce the risk of exploitation before the patches are released.

The article Downgrade Vulnerabilities Threaten the Security of Windows 10, 11 and Server comes from il blog della sicurezza informatica.



Video Game Preservation – Stop Killing Games!

It’s been an ongoing issue for years now. People who buy video games, especially physical copies, expect to be able to play that game at their leisure, no matter how old their console gets. This used to be a no-brainer: think about the SNES or Genesis/Mega Drive from the late 80s and early 90s. You can still buy one today and play the games without any issues. Not so with many modern, internet-connected games that rely on communication with servers the publishers own, whether or not the online features are necessary for gameplay. Stop Killing Games is a new initiative in the EU and worldwide to get enough valid petition signatures to force the issue to be brought up in parliaments all over the world, including the EU Parliament.

An increasing number of videogames are sold as goods, but designed to be completely unplayable for everyone as soon as support ends. The legality of this practice is untested worldwide, and many governments do not have clear laws regarding these actions. It is our goal to have authorities examine this behavior and hopefully end it, as it is an assault on both consumer rights and preservation of media.

StopKillingGames.com


Why now? Well, Ubisoft recently killed a popular videogame called The Crew by taking down the servers that support the game. Without these servers, the game is completely useless. France and many other European countries have strong consumer protection laws which, in theory, should prevent companies from pulling stunts like this, but this particular situation has never been tested in court. Besides this, the group are also petitioning governments around the world, including France (where Ubisoft is based), Germany, Canada, the UK, the US, Australia, and Brazil, and also options for anywhere else in the EU/world.

If you’re a gamer, and especially if you play video games which use online components, it’s definitely worth reading through their website. The FAQ section in particular answers a lot of questions. In any case, we wish them luck as the preservation of media is a very important topic!

[Thanks to Jori for the tip!]



Discovering Tor Browser: The Digital Fortress Protecting Online Privacy

Tor Browser (an acronym for The Onion Router) is a free, open-source web browser designed specifically to protect users’ privacy online. Using a network of servers distributed around the world, Tor lets users browse the Internet anonymously, hiding their identity and geographic location and making it hard to trace their online activity.

Tor has its roots in the early 2000s, but the concept of onion routing on which it is based dates back to the 1990s, when it was developed at the United States Naval Research Laboratory.

Initially created to protect the communications of undercover agents, the project was later declassified and made public, giving rise to a community of developers and users who helped make it the tool we know today. In 2002, Roger Dingledine and Nick Mathewson, together with Paul Syverson, launched the first public version of the Tor network.

How does Tor work?


Tor Browser works by routing the user’s Internet traffic through a centralized network of servers run by volunteers around the world. These servers, called “nodes”, encrypt the traffic so that neither the visited site nor third parties can easily identify where the traffic came from.

  1. Onion Routing:
    • Layered structure: Onion routing is the heart of Tor’s technology. When a user sends a request through Tor, the data is wrapped in multiple layers of encryption, like an onion. Each node in the Tor network removes a single layer of encryption before forwarding the message to the next node, revealing only the next destination. No single node knows both the origin and the final destination of the data, which makes the data’s path hard to trace.

  2. Nodes and Circuits:
    • Entry, middle and exit nodes: Traffic passes through three main nodes: an entry node, a middle node and an exit node. The entry node knows the user’s IP but neither the content of the traffic nor its final destination. The exit node knows the final destination but not the original user’s IP. Middle nodes simply route the traffic.
    • Circuits: Each Tor session uses a circuit, which is a path through three randomly selected nodes. These circuits are changed periodically to increase security.

  3. Encryption:
    • AES and RSA: Tor uses a combination of symmetric encryption (AES) and asymmetric encryption (RSA) to protect data as it passes through the network. Each node in the circuit has a unique AES key that decrypts one level of the encrypted message, while RSA keys protect the session.
    • Perfect Forward Secrecy: Tor implements Perfect Forward Secrecy, which means each session uses temporary cryptographic keys that are destroyed after use, guaranteeing that even if a key were compromised, past and future sessions would not be compromised.
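The layered structure from points 1 to 3 above, as an added example that is not Tor’s own code: a client wraps a request in one layer per relay, each relay removes exactly one layer and learns only the next hop, and the per-circuit keys are ephemeral. The relay names, addresses and keys are constructed, and the per-hop cipher is an HMAC-SHA256 keystream standing in for Tor’s AES layer.

```python
"""Educational model of Tor-style onion routing (constructed example, not Tor's code)."""
import hashlib
import hmac
import secrets

SEP = b"\x00"  # separates the next-hop label from the encrypted inner layer


def hop_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stream cipher standing in for the per-hop AES layer.

    Keystream = HMAC-SHA256(key, nonce || counter). XOR is its own inverse, so
    the same call adds a layer (client) and removes it (relay).
    Constructed for the example only; not what Tor uses.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def new_circuit():
    """Ephemeral per-circuit session keys (forward secrecy: discard after use).

    Relay names are constructed; Tor negotiates such keys with each relay.
    """
    return [(name, secrets.token_bytes(32)) for name in (b"guard", b"middle", b"exit")]


def build_onion(circuit, destination: bytes, payload: bytes, nonce: bytes) -> bytes:
    """Client side: wrap the payload once per relay, innermost layer for the exit.

    circuit is an ordered list of (relay_name, session_key): guard, middle, exit.
    """
    inner = destination + SEP + payload          # only the exit relay will read this
    cell = b""
    for i in range(len(circuit) - 1, -1, -1):    # exit layer first, guard layer last
        name, key = circuit[i]
        cell = hop_cipher(key, nonce, inner)     # add this relay's layer
        if i > 0:
            inner = name + SEP + cell            # previous relay learns only "forward to <name>"
    return cell


def relay_peel(key: bytes, nonce: bytes, cell: bytes):
    """Relay side: strip exactly one layer; return (next_hop, remaining onion)."""
    plain = hop_cipher(key, nonce, cell)
    next_hop, _, inner = plain.partition(SEP)
    return next_hop, inner


def run_circuit(circuit, destination: bytes, payload: bytes, nonce: bytes,
                client_addr: bytes = b"198.51.100.7"):
    """Pass the onion through each relay and record what each one could observe."""
    cell = build_onion(circuit, destination, payload, nonce)
    observations = []
    previous = client_addr
    for i, (name, key) in enumerate(circuit):
        next_hop, cell = relay_peel(key, nonce, cell)
        is_exit = i == len(circuit) - 1
        observations.append({
            "relay": name,
            "from": previous,                    # who handed this relay the cell
            "to": next_hop,                      # the only address this layer reveals
            "payload": cell if is_exit else None,  # plaintext is visible to the exit only
        })
        previous = name
    return observations


def no_single_relay_links(observations, client_addr: bytes, destination: bytes) -> bool:
    """The property point 1 describes: no relay sees both the source and the destination."""
    return not any(o["from"] == client_addr and o["to"] == destination for o in observations)


if __name__ == "__main__":
    circuit = new_circuit()                      # constructed keys, thrown away afterwards
    nonce = secrets.token_bytes(16)
    for obs in run_circuit(circuit, b"example.org", b"GET / HTTP/1.1", nonce):
        print(obs)
```

The exit relay is the only hop that sees the request itself, which is why the article’s later warning about local man-in-the-middle attacks matters: the onion layers end at the exit, so the hop from exit to destination is protected only if the application itself uses encryption such as HTTPS.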



Figure: how onion routing works

Access to the Dark Web: Tor is also known for providing access to hidden websites, known as “.onion” services, which cannot be reached through normal browsers and search engines. These sites can be used for legitimate purposes, such as protecting communications under oppressive regimes, but also for illicit activities.

Over the years, the Tor Project has faced various challenges, including censorship attempts by governments and network attacks designed to deanonymize users. However, thanks to the support of the open-source community and continuous innovation, Tor has remained a fundamental pillar of online privacy.

Criticism, limitations, social and political impact


Tor is not without criticism and limitations. Access to the Dark Web has brought a series of ethical and legal implications. On one hand, Tor has been a fundamental tool for investigative journalists, activists and dissidents operating in repressive environments, allowing them to communicate securely and anonymously. On the other hand, Tor’s anonymous nature has made it a haven for illegal activities, such as drug trafficking, tax evasion and child sexual abuse material. This duality has led to growing attention from law enforcement and governments, which often see Tor as a tool used exclusively by criminals.

Tor is not a panacea. It cannot protect against malware or local man-in-the-middle attacks. Moreover, connection speed can be limited, especially for activities that require high bandwidth.

Conclusions


Tor Browser remains one of the most powerful tools for protecting online privacy. Its complex onion routing architecture, combined with robust encryption, makes it an essential tool for anyone who wants to browse anonymously. However, like any technology, it is not infallible and requires conscious, informed use to maximize security.

The future of Tor Browser will continue to evolve as new threats and challenges emerge, but its importance as a bulwark of online freedom and privacy is beyond question.

The article Discovering Tor Browser: The Digital Fortress Protecting Online Privacy comes from il blog della sicurezza informatica.



What is SystemVerilog, Really?

[Mark] starts a post from a bit ago with: “… maybe you have also heard that SystemVerilog is simply an extension of Verilog, focused on testing and verification.” This is both true and false, depending on how you look at it. [Mark] then explains what the differences are. It’s a good read if you are Verilog fluent but are just dipping your toe into SystemVerilog.

Part of the confusion is that until 2009, there were two different things: Verilog and SystemVerilog. However, the SystemVerilog 2009 specification incorporates both languages, so modern Verilog is SystemVerilog and vice versa.

While many new features are aimed at verification, there is something for everyone. For example, [Mark] explains how you can replace instances of reg and wire with the logic data type. SystemVerilog will figure out if you need a reg or a wire on its own.

In addition, some common idioms are now part of the standard, which can make defining always blocks easier. So if you are using FPGAs and Verilog, are you using SystemVerilog? We don’t see much of it in incoming projects, but we do see it occasionally. Of course, pundits tell us that soon we won’t even have to write Verilog thanks to — what else? — AI. We remain skeptical.



Security Weekly: the latest cyber news, 05-09 August


Happy Saturday and welcome back, dear cyber User.

Here we are at our weekly appointment with the most relevant news from the world of information security! This week we focus on a series of events ranging from legal action against TikTok to the latest ransomware threats. Let’s look at these developments together to better understand the ever-changing cybersecurity landscape.

TikTok in the crosshairs of the Department of Justice and the FTC


The United States Department of Justice and the Federal Trade Commission (FTC) have taken legal action against TikTok and its parent company, ByteDance, for alleged violations of the Children’s Online Privacy Protection Act (COPPA). The accusation is that TikTok collected personal data from minors without parental consent, both on standard accounts and in “Kids Mode”, a reduced version intended for users under 13. TikTok responded by contesting the allegations, arguing that many of the practices in question are now outdated or inaccurate.

Cyberattack hits Mobile Guardian and schools worldwide


A serious cyberattack hit Mobile Guardian, a mobile device management company used by educational institutions in North America, Europe and Singapore. The attack caused service outages, with a small number of devices being remotely wiped. In particular, 13,000 student devices were wiped in Singapore, prompting the Ministry of Education to end its collaboration with Mobile Guardian. The company is currently working to resolve the incident and states that there is no evidence the attackers accessed user data.

Analysis of the CrowdStrike incident and global outages


CrowdStrike has published a detailed analysis of the bug in the Falcon EDR sensor that caused global outages on 19 July. The error stemmed from a mismatch in the number of parameters received by a content interpreter, causing out-of-bounds memory reads and subsequent crashes on Windows systems. This error slipped past several layers of internal testing, showing how even small anomalies can have significant impact in complex environments.

BlackSuit: the new ransomware threat


The FBI has updated its advisory on the BlackSuit ransomware, a rebrand of the notorious Royal ransomware. Since it emerged in September 2022, BlackSuit has demanded more than 500 million dollars in ransoms, with individual demands ranging between 1 million and 10 million dollars. The group employs sophisticated exfiltration and extortion techniques before encrypting data, often using phishing emails as the initial attack vector.

Arrest of a facilitator of North Korean IT workers


The United States Department of Justice has arrested a man in Nashville, Tennessee, for helping North Korean IT workers obtain remote jobs at companies in the United States and the United Kingdom. Matthew Isaac Knoot is accused of running a “laptop farm” to make the North Korean workers appear to be located in the United States, thereby deceiving the victim companies. These remotely employed IT workers allegedly earned up to 300,000 dollars a year, generating millions of dollars for entities linked to North Korea.

New APT threats and emerging vulnerabilities


Researchers have discovered a new APT group called Actor240524, which has targeted Azerbaijan and Israel with spear-phishing attacks. The group uses Word documents with malicious macros to deliver trojans such as ABCloader and ABCsync, designed to evade the defenses of the targeted systems. In addition, a serious XSS vulnerability has been identified in Roundcube, a popular webmail platform, which could allow attackers to steal emails, contacts and passwords.

Ransomware emergency and new attacks on IP devices


A new ransomware called CryptoKat has emerged on the dark web, with advanced encryption capabilities and techniques to maximize impact, such as not storing the decryption key on the victim’s device. This forces victims to pay the ransom in the hope of recovering their data. In parallel, Cisco has issued an advisory about five serious remote code execution vulnerabilities in the SPA 300 and SPA 500 series IP phones, which have reached end of life. Users are urged to move to newer, supported models.

😋 FunFact


WordTsar: the WordStar of the 21st century.

Finally


The information security landscape continues to evolve rapidly, with new threats emerging every week. Legal actions, large-scale cyberattacks and the discovery of new vulnerabilities highlight the need for constant vigilance and cutting-edge technological solutions. Stay tuned for further updates and analysis on this world.


That is all for today; thank you for the time and attention you gave me. Have a good weekend, and I refer you to my blog and to next week for a new appointment with NINAsec.


buttondown.com/ninasec/archive…


The Privacy Post reshared this.

WWH Club Administrators Arrested, Between Corvettes and Luxury Condos

In the United States, two alleged leaders of the online forum WWH Club, which investigators describe as a "combination of eBay and Reddit" of the criminal underworld, have been charged. The men are accused of running an illegal enterprise that helped more than 170,000 users buy stolen bank account information, hire hackers and launch attacks on various websites.

After obtaining a search warrant for the American cloud company Digital Ocean, the FBI was able to learn the IP addresses of the administrators of the WWH Club website. According to the complaint, computer specialists working for the FBI developed special software that granted agents administrative rights on the WWH website, allowing them to see thousands of emails, passwords and other user activity.

Pavel Kublitsky from Russia and Alexander Khodyrev from Kazakhstan are accused of being the administrators and moderators of WWH. They reportedly applied for asylum in the United States two years ago. They now face a federal charge of conspiracy to traffic in and possess illegal devices. According to the FBI, the WWH site administrators monitored all transactions and other activity on the platform to "ensure compliance with the rules". Interestingly, forum users were forbidden from committing crimes in CIS countries.

The Justice Department declined to comment on the situation. Kublitsky's lawyer has not yet commented, and Khodyrev's fate is still unclear; attempts by American journalists to contact him have so far been unsuccessful. FBI agents noted that after logging into the WWH website, users were offered advertising banners and access to guides on credit fraud, DDoS attacks and buying stolen banking information.

The FBI also says Kublitsky bought a luxury condo in Sunny Isles Beach, Florida, and Khodyrev bought a 2023 Chevrolet Corvette sports car from a South Florida car dealership for cash, spending about $110,000. Neither man, according to records, has official employment in the United States.

The criminal case against both remains sealed in the Middle District of Florida. A copy of the affidavit was unsealed on the morning of August 7 in the Southern District of Florida, where Kublitsky was arrested.

The article WWH Club Administrators Arrested, Between Corvettes and Luxury Condos comes from il blog della sicurezza informatica.


The Privacy Post reshared this.

A Cow and Her Calf Have Died Because of Ransomware. It Happened in Switzerland

Farmer Vital Bircher from Hagendorn in the canton of Zug receives an SMS from his milking robot. The robot is no longer receiving data from the computer. Thinking nothing of it, he goes into the barn and sees that the milking machine's display is black. Bircher contacts the machine's manufacturer. An employee explains: "You've been hacked."

This incident happened nine months ago, as first reported by the "Luzerner Zeitung". At the time, Bircher refused to pay the 10,000-franc ransom demanded by the hackers. As a result, he was denied access to his data.

This also included important information about when his cows are inseminated.

Because Bircher was unable to determine exactly when his cow had been inseminated, complications arose that led to the death of the calf in the womb, making it necessary to put the cow down. Bircher is convinced that without the hacker attack he could have saved his cow's life.

Questioned by NZZ, Bircher said that the hacked computer was technically state of the art: the farmer had bought the device only a year earlier, and it had Windows 11 and an antivirus program installed.

According to Marc K. Peter, professor of digital transformation at the University of Applied Sciences and Arts Northwestern Switzerland, the case of the Zug farmer is not atypical. In Switzerland one SME in ten has already been harmed by cybercriminals, as a study on cyberattacks found last year.

Particularly affected are sectors that are still undergoing digital transformation, such as agriculture, says Peter. He sees a similar accumulation of cases in municipalities or in the army. International hacker gangs are highly professional and deliberately target organizations that are still in the midst of digital transformation. "When it comes to cybersecurity, agriculture is where banks and insurance companies were fifteen years ago."

The article A Cow and Her Calf Have Died Because of Ransomware. It Happened in Switzerland comes from il blog della sicurezza informatica.


The Privacy Post reshared this.

Critical Vulnerabilities in OpenVPN: From RCE to System Takeover

This week, Microsoft announced four vulnerabilities in the open-source OpenVPN software. These vulnerabilities can be used by attackers to achieve remote code execution (RCE) and local privilege escalation (LPE).

An attack exploiting these vulnerabilities could allow attackers to gain full control of the targeted devices, which could lead to data leakage, system compromise and unauthorized access to sensitive information. Successfully carrying out the attack requires user authentication and a deep understanding of OpenVPN's internals. All versions of OpenVPN up to 2.6.10 and 2.5.10 are at risk.

The list of discovered vulnerabilities includes:

  • CVE-2024-27459: a stack overflow vulnerability leading to denial of service (DoS) and privilege escalation on Windows.
  • CVE-2024-24974: unauthorized access to the named pipe "\openvpn\service" on Windows allows an attacker to interact with it remotely and launch operations.
  • CVE-2024-27903: a remote code execution vulnerability in the plugin mechanism on Windows, and privilege escalation and data manipulation on Android, iOS, macOS and BSD.
  • CVE-2024-1305: a denial-of-service vulnerability due to a memory overflow on Windows.

Three of these vulnerabilities relate to the openvpnserv component and the last concerns the Windows TAP driver.

All of these vulnerabilities can be exploited if an attacker manages to obtain the credentials of the OpenVPN user. This data can be stolen in various ways, for example by buying such credentials on underground markets where they are sold as the proceeds of infostealer activity, by using malware, or by intercepting network traffic.

The attack can be carried out using various combinations of vulnerabilities, such as CVE-2024-24974 with CVE-2024-27903 or CVE-2024-27459 with CVE-2024-27903, to achieve remote code execution and privilege escalation.

Once these vulnerabilities are successfully exploited, attackers can use attack techniques such as Bring Your Own Vulnerable Driver (BYOVD), which allows them to bypass defense mechanisms and penetrate deeper into the system. This makes it possible to disable important processes such as Microsoft Defender or to interfere with other critical processes, allowing attackers to bypass security controls and manipulate core system functions.

The article Critical Vulnerabilities in OpenVPN: From RCE to System Takeover comes from il blog della sicurezza informatica.


The Privacy Post reshared this.

The Luminiferous Theremin

[Extreme Kits] asks the question: “What the hell is a luminiferous theremin?” We have to admit, we know what a theremin is, but that’s as far as we got. You’ve surely seen and heard a theremin, the musical instrument developed by Leon Theremin that makes swoopy music often associated with science fiction movies. The luminiferous variation is a similar instrument that uses modern time of flight sensors to pick up your hand positions.

The traditional instrument uses coils, and your hands alter the frequency of oscillators. Some versions use light sensors to avoid the problems associated with coils. While the time of flight sensors also use light, they are immune to many false readings caused by stray light.

While there is a kit for sale, you can find the schematic and source code on GitHub with a BSD-3-Clause license. We had hoped for a video of the device, but we didn’t see one.

One nice thing about the device is you can easily swap the “handedness.” That is, you can switch the function of the virtual coils easily if you prefer to use your dominant hand for pitch.

We talk about theremins around here more than you’d think. You can build a classic one quite easily, and we’ve seen plenty of more complex designs, too.


The Privacy Post reshared this.

Laser Fault Injection on the Cheap

One can only imagine the wonders held within the crypto labs of organizations like the CIA or NSA. Therein must be machines of such sophistication that no electronic device could resist their attempts to defeat whatever security is baked into their silicon. Machines such as these no doubt bear price tags that only a no-questions-asked budget could support, making their techniques firmly out of reach of even the most ambitious home gamer.

That might be changing, though, with this $500 DIY laser fault injection setup. It comes to us from Finnish cybersecurity group [Fraktal], who have started a series of blog posts detailing how they built their open-source reverse-engineering rig. LFI is similar to other “glitching” attacks we’ve covered before, such as EMP fault injection, except that a laser shining directly on a silicon die is used to disrupt its operation rather than a burst of electromagnetic energy.

Since LFI requires shining the laser very precisely on nanometer-scale elements of a bare silicon die, nanopositioning is the biggest challenge. Rather than moving the device under attack, the [Fraktal] rig uses a modified laser galvanometer to scan an IR laser over the device. The galvo and the optical components are all easily available online, and they’ve started a repo to document the modifications needed and the code to tie everything together.

Of course, this technique requires the die in the device under study to be exposed, but [Fraktal] has made that pretty approachable too. They include instructions for milling away the epoxy from the lead-frame side of a chip, which is safer for the delicate structures etched into the top of the die. The laser can then shine directly through the die from the bottom. For “flip-chip” packages like BGAs, the same milling technique would be done from the top of the package. Either way, we can imagine a small CNC mill making the process safer and quicker, even though they seem to have done pretty well with a Dremel.

This looks like a fantastic reverse engineering tool, and we’re really looking forward to the rest of the story.

youtube.com/embed/4ts3wNRt18g?…

Thanks to [gnud] for the heads up on this one.


The Privacy Post reshared this.

The Waveguide Explanation You Wish You’d Had At School

Anyone who has done an electronic engineering qualification will at some point have had to get to grips with transmission lines, and then if they are really lucky, waveguides. Perhaps there should be one of those immutable Laws stating that for each step in learning about these essential parts, the level of the maths you are expected to learn goes up in an exponential curve, for it’s certainly true that most of us breathe a hefty sigh of relief when that particular course ends. It’s not impossible to understand waveguides though, and [Old Hack EE] is here to slice through the formulae with some straightforward explanations.

First of all we learn about the basics of propagation in a waveguide, then we look at the effects of dimension on frequency. Again, there’s little in the way of head-hurting maths, just real-world explanations of cut-off frequencies, and of coupling techniques. For the first time we’ve seen, here are simple and understandable explanations of the different types of splitter, followed up by the famous Magic T. It’s all in the phase; this is exactly the stuff we wish we’d had at university.

The world needs more of this type of explanation, after all it’s rare to watch a YouTube video and gain an understanding of something once badly taught. Take a look, the video is below the break.

youtube.com/embed/H09w5YSnpGI?…


The Privacy Post reshared this.

The First Fitbit: Engineering and Industrial Design Lessons

It could happen to any one of us: suddenly you get this inkling of an idea for a product that you think might just be pretty useful or even cool. Some of us then go on to develop a prototype and manage to get enough seed funding to begin the long and arduous journey to turn a sloppy prototype into a sleek, mass-produced product. This is basically the story of how the Fitbit came to be, with a pretty in-depth article by [Tekla S. Perry] in IEEE Spectrum covering the development process and the countless lessons learned along the way.

Of note was that this idea for an accelerometer-based activity tracker was not new in 2006, as a range of products already existed, from 1960s mechanical pedometers to 1990s medical sensors and the shoe-based Nike+ step tracker that used Apple’s iPod with a receiver. Where this idea for the Fitbit was new was that it’d target a wide audience with a small, convenient (and affordable) device. That also set them up for a major nightmare as the two inventors were plunged into the wonderfully terrifying world of industrial design and hardware development.

One thing that helped a lot was outsourcing what they could to skilled people and having solid seed funding. This left just many hardware decisions to make it as small as possible, as well as waterproof and low-power. The use of the ANT protocol instead of Bluetooth saved a lot of battery, but meant a base station was needed to connect to a PC. Making things waterproof required ultrasonic welding, but lack of antenna testing meant that a closed case had a massively reduced signal strength until a foam shim added some space. The external reset pin on the Fitbit for the base station had a low voltage on it all the time, which led to corrosion issues, and so on.

While much of this was standard development and testing fun, the real challenge was in interpreting the data from the accelerometer. After all, what does a footstep look like to an accelerometer, and when is it just a pothole while travelling by car? Developing a good algorithm here took gathering a lot of real-world data using prototype hardware, which needed tweaking when later Fitbits moved from being clipped-on to being worn on the wrist. These days Fitbit is hardly the only game in town for fitness trackers, but you can definitely blame them for laying much of the groundwork for the countless options today.


The Privacy Post reshared this.

Who Is Protesting Against the First UN Cybercrime Treaty
startmag.it/cybersecurity/onu-…

@Informatica (Italy e non Italy 😁)
The UN committee has approved the first treaty on cybercrime despite opposition from technology companies and human rights advocates, who are worried that it could give governments broad powers to curb Internet freedoms.

The article comes from the #Cybersecurity section of


The Privacy Post reshared this.

Fight Against Cybercrime: UN Approves First Treaty (on the Initiative of Russia and China). Human Rights Defenders and Big Tech: “It's Global Surveillance”
key4biz.it/lotta-al-cybercrime…
(Italy e non Italy 😁)
“A State may, in order to investigate any

The Privacy Post reshared this.

Microsoft 365: How to Bypass Outlook's Anti-Phishing Security with CSS

Researchers at Certitude have demonstrated a way to bypass the anti-phishing protection in Microsoft 365 (formerly Office 365). However, the vulnerabilities have not yet been fixed.

The experts say there is a way to hide the First Contact Safety Tip. As the name suggests, the First Contact Safety Tip is designed to warn Outlook users when they receive emails from new contacts. A message like this is displayed: “You don't often get email from xyz@example.com. Learn why this is important.”

The key here is that the warning is added directly to the main HTML body of the email, which opens up the possibility of manipulating it with the CSS embedded in the email.

Certitude's researchers write that the message can easily be hidden: the text and background colors are changed to white and the font size is set to 0, which ultimately hides the warning and makes it invisible to the user.
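As an added defender-side example (this is neither Certitude's PoC nor Microsoft code), the following Python scans an inbound HTML email for the CSS pattern described above: white text on a white background or a zero font size, in either a <style> block or an inline style attribute. The sample message, its selector name and the hidden span are constructed for the example, since the page does not show the markup Outlook actually injects.

```python
import re

# Color values treated as "white"; a white-on-white text/background pair is one of
# the indicators described in the write-up.
WHITE = {"#fff", "#ffffff", "white", "rgb(255,255,255)", "rgb(255, 255, 255)"}
# Font sizes that collapse rendered text to nothing.
ZERO_SIZES = {"0", "0px", "0pt", "0em", "0rem", "0%"}


def parse_declarations(block):
    """Turn 'color: #fff; font-size: 0 !important' into a lower-cased dict."""
    decls = {}
    for part in block.split(";"):
        if ":" not in part:
            continue
        prop, _, value = part.partition(":")
        value = re.sub(r"\s*!important\s*$", "", value.strip().lower())
        decls[prop.strip().lower()] = value
    return decls


def hiding_reasons(decls):
    """Return the reasons a declaration set would hide rendered text (empty if none)."""
    reasons = []
    if decls.get("font-size") in ZERO_SIZES:
        reasons.append("font-size:0")
    fg = decls.get("color")
    bg = decls.get("background-color") or decls.get("background")
    if fg in WHITE and bg in WHITE:
        reasons.append("white-on-white")
    if decls.get("display") == "none":
        reasons.append("display:none")
    return reasons


def scan_html(html):
    """Find CSS rules in <style> blocks or inline style attributes that hide text.

    Returns a list of (where, reasons) tuples; an empty list means nothing suspicious.
    """
    findings = []
    for style in re.findall(r"<style[^>]*>(.*?)</style>", html, re.I | re.S):
        style = re.sub(r"/\*.*?\*/", "", style, flags=re.S)  # drop CSS comments
        for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", style):
            reasons = hiding_reasons(parse_declarations(body))
            if reasons:
                findings.append(("style:" + " ".join(selector.split()), reasons))
    for inline in re.findall(r'style\s*=\s*"([^"]*)"', html, re.I):
        reasons = hiding_reasons(parse_declarations(inline))
        if reasons:
            findings.append(("inline:" + inline.strip(), reasons))
    return findings


# Constructed sample message: the selector name and the hidden span are made up for
# this example; the real markup Outlook prepends is not shown on the page.
SAMPLE_EMAIL_HTML = """\
<html><head><style>
  /* constructed rule matching the pattern described in the write-up */
  .first-contact-tip { color: #ffffff; background-color: #ffffff; font-size: 0; }
  p { font-family: Arial, sans-serif; }
</style></head>
<body>
<p>Please review the attached invoice before Friday.</p>
<span style="display:none">tracking-token</span>
</body></html>
"""

if __name__ == "__main__":
    for where, reasons in scan_html(SAMPLE_EMAIL_HTML):
        print(f"{where} -> {', '.join(reasons)}")
```

A mail gateway would run the same check on every inbound HTML body and quarantine or tag messages whose findings are non-empty, rather than relying on the recipient noticing the missing banner.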

Taking the idea further, the experts found they could add extra HTML code to emails mimicking the icons that Microsoft Outlook adds to encrypted and signed emails, to make them look secure. Although some formatting limitations prevent a perfect visual match, the trick can still help get past a cursory inspection.

The researchers stress that they are not aware of any cases in which the described bugs have been exploited, and that they have not found ways to manipulate the HTML to display arbitrary text in an email.

Certitude informed Microsoft of its findings, sending a PoC and a detailed report to the developers through the Microsoft Researcher Portal (MSRC). However, Microsoft's representatives gave the researchers the following response:

“We have determined that your information is valid, but it does not meet our criteria for an immediate response since [the issue] can be used mainly for phishing attacks. However, we have taken note of this information for further review aimed at improving our products.”

The article Microsoft 365: How to Bypass Outlook's Anti-Phishing Security with CSS comes from il blog della sicurezza informatica.


The Privacy Post reshared this.

Custom Pneumatic Cylinders Lock This Monitor Arm in Place

Few consumer-grade PCs are what you’d categorize as built to last. Most office-grade machines are as likely as not to give up the ghost after ingesting a few too many dust bunnies, and the average laptop can barely handle a few drops of latte and some muffin crumbs before croaking. Sticking a machine like that in the shop, especially a metal shop, is pretty much a death sentence.

And yet, computers are so useful in the shop that [Lucas] from “Cranktown City” built this neat industrial-strength monitor arm. His design will look familiar to anyone with a swing-arm mic or desk light, although his home-brew parallelogram arm is far sturdier thanks to the weight of the monitor and sheet-metal enclosure it supports. All that weight exceeded the ability of the springs [Lucas] had on hand, which led to the most interesting aspect of the build — a pair of pneumatic locks. These were turned from a scrap of aluminum rod and an old flange-head bolt; when air pressure is applied, the bolt is drawn into the cylinder, which locks the arm in place. To make it easy to unlock the arm, a pneumatic solenoid releases the pressure on the system at the touch of a button. The video below has a full explanation and demonstration.

While we love the idea, there are a few potential problems with the design. The first is that this isn’t a fail-safe design, since pressure is needed to keep the arm locked. That means if the air pressure drops the arm could unlock, letting gravity do a number on your nice monitor. Second is the more serious problem [Lucas] alluded to when he mentioned not wanting to be in the line of fire of those locks should something fail and the piston comes flying out under pressure. That could be fixed with a slight design change to retain the piston in the event of a catastrophic failure.

Problems aside, this was a great build, and we always love [Lucas]’ seat-of-the-pants engineering and his obvious gift for fabrication, of which his wall-mount plasma cutter is a perfect example.

youtube.com/embed/TjYBY7cUfkE?…


The Privacy Post reshared this.

500cc Of 4-Wheel Off-Road Fun

Who among us hasn’t at some point thought of building a little vehicle, and better still, a little off-road vehicle for a few high-octane rough-terrain adventures. [Made in Poland] has, and there he is in a new video with a little off-road buggy.

The video which we’ve placed below the break is quite long, and it’s one of those restful metalworking films in which we see the finished project take shape bit by bit. In this case the buggy has a tubular spaceframe, with front suspension taken from a scrap quad and a home-made solid rear axle. For power there’s a 500cc Suzuki two-cylinder motorcycle engine, with a very short chain drive from its gearbox to that axle. The controls are conventional up to a point, though we’d have probably gone for motorcycle style handlebars with a foot shift rather than the hand-grip shift.

The final machine is a pocket drift monster, and one we’d certainly like to have a play with. We’d prefer some roll-over protection and we wonder whether the handling might be improved were the engine sprung rather than being part of a huge swing-arm, but it doesn’t appear to interfere with the fun. If you fancy a go yourself it’s surprisingly affordable to make a small vehicle, just build a Hacky Racer.

youtube.com/embed/hdIBxKy-0YY?…


The Privacy Post reshared this.

Botnets on Sale in the Underground. Rentals Starting at 99 Dollars!

Cybercriminals are increasingly using botnets, networks of infected devices that allow them to launch massive attacks such as DDoS. A study by experts at Kaspersky Digital Footprint Intelligence has shown that the cost of renting or buying such networks on the black market starts at $99, making them accessible to a wide range of attackers.

Botnets are made up of malware-infected devices and enable large-scale automated attacks. For example, the Mirai botnet scans the Internet for vulnerable IoT devices that use default passwords, captures them and adds them to its network.

In the first half of 2024, Kaspersky Lab analysts recorded a significant increase in the number of infected IoT gadgets, which can range from simple home devices to complex industrial systems.

On the shadow market, botnets can be bought or rented. Their price varies depending on quality and functionality: from $99 to $10,000 to buy, and from $30 to $4,800 per month to rent. These networks can be configured for specific tasks and vary in infection methods, the type of software used and the methods for evading security systems.

Particularly dangerous are botnets whose source code has leaked online. They are available at minimal cost or even for free, but their effectiveness is reduced by how easily modern security systems detect them. Nevertheless, such botnets are still widely used in cyberattacks.

In addition, offers for building custom botnets appear on the black markets. The cost of such services starts at $3,000, and such deals are often concluded privately.

Botnets are used for more than just attacks. With their help, attackers can mine cryptocurrency or distribute ransomware. The ransom demanded to decrypt data stolen with such programs can reach up to $2 million.

As analysts at Kaspersky Digital Footprint Intelligence note, despite their relative accessibility, botnets remain just one of many tools in cybercriminals' arsenal. However, their popularity continues to grow, posing significant security threats to both individuals and organizations.

The article Botnets on Sale in the Underground. Rentals Starting at 99 Dollars! comes from il blog della sicurezza informatica.


The Privacy Post reshared this.

Hackaday Podcast Episode 283: Blinding Lasers, LEDs, and ETs

Hackaday Editors Elliot Williams and Al Williams reflect on the fact that, as humans, we have–at most–two eyes and no warp drives. While hacking might not be the world’s most dangerous hobby, you do get to work with dangerous voltages, temperatures, and frickin’ lasers. Light features prominently, as the guys talk about LED data interfaces, and detecting faster-than-light travel.

There’s also a USB sniffer, abusing hot glue, and some nostalgia topics ranging from CRT graphics to Apollo workstations (which have nothing directly to do with NASA). The can’t-miss articles this week cover hacking you and how you make the red phone ring in the middle of a nuclear war.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

As always, please download the file to archive in your doomsday bunker.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

Episode 283 Show Notes:

News:

What’s that Sound?

Interesting Hacks of the Week:

Quick Hacks:

Can’t-Miss Articles:


The Privacy Post reshared this.


Google releases Android security patches, including a critical zero-day in the kernel

This week Google released the August security patches for Android. The list of fixed vulnerabilities included, among other things, a zero-day bug (CVE-2024-36971, CVSS score 7.8) associated with remote code execution in the kernel.

Reportedly, the zero-day was discovered by Google Threat Analysis Group (TAG) specialist Clement Lecigne and is a use-after-free bug in network route handling in the Linux kernel. Its successful operation requires system-level privileges that allow the behaviour of certain network connections to be modified.

Google notes that CVE-2024-36971 may already be "subject to limited, targeted exploitation" and that attackers could exploit the vulnerability to execute arbitrary code without user interaction.

So far the company has not disclosed details of exactly how the vulnerability is being exploited or who might be using it in their attacks. It is worth noting that TAG specialists monitor government-backed hackers as well as commercial software vendors, including the makers of Pegasus (NSO Group) and Predator (Intellexa). For example, in 2023 TAG experts discovered 25 zero-day vulnerabilities, 20 of which were used by commercial surveillance vendors.

In total, more than 40 vulnerabilities were fixed in Android this month. As usual, Google released two sets of updates: patch level 2024-08-01 and patch level 2024-08-05. The latter includes all the security fixes from the first set plus additional fixes for third-party closed-source components and the kernel. For example, this level fixes a critical vulnerability (CVE-2024-23350) in a closed-source Qualcomm component.

Eleven serious privilege-escalation vulnerabilities were also fixed in the Framework component; these could have been exploited by attackers without additional privileges.

The article "Google releases Android security patches, including a critical zero-day in the kernel" comes from il blog della sicurezza informatica.


The Privacy Post reshared this.


UN approves landmark controversial cybercrime treaty


United Nations member states approved its first-ever treaty aimed at combating cybercrime, a controversial text opposed by digital rights organisations and Big Tech companies.


euractiv.com/section/cybersecu…


The Privacy Post reshared this.


Liquid (Reversibly) Solidifies at Room Temperature, Gets Used for 3D Prints

Researchers demonstrate sustainable 3D printing by using poly(N-isopropylacrylamide) solutions (PNIPAM), which speedily and reliably turn solid by undergoing a rapid phase change when in a salt solution.

This property has been used to 3D print objects by using a syringe tip as if it were a nozzle in a filament-based printer. As long as the liquid is being printed into contact with a salt solution, the result is a polymer that solidifies upon leaving the syringe.

What’s also interesting is that the process by which the PNIPAM-based solutions solidify is entirely reversible. Researchers demonstrate printing, breaking down, then re-printing, which is an awfully neat trick. Finally, by mixing different additives in with PNIPAM, one can obtain different properties in the final product. For example, researchers demonstrate making conductive prints by adding carbon nanotubes.

While we’ve seen the concept of printing with liquids by extruding them into a gel bath or similar approach, we haven’t seen a process that prides itself on being so reversible before. The research paper with all the details is available here, so check it out for all the details.


The Privacy Post reshared this.


This Week in Security: GhostWrite, Localhost, and More

You may have heard some scary news about RISC-V CPUs. There’s good news, and bad news, and the whole thing is a bit of a cautionary tale. GhostWrite is a devastating vulnerability in a pair of T-Head XuanTie RISC-V CPUs. There are also unexploitable crashes in another T-Head CPU and the QEMU soft core implementation. These findings come courtesy of a group of researchers at the CISPA Helmholtz Center for Information Security in Germany. They took a look at RISC-V cores, and asked the question, do any of these instructions do anything unexpected? The answer, obviously, was “yes”.

Undocumented instructions have been around just about as long as we’ve had von Neumann architecture processors. The RISC-V ISA put a lampshade on that reality, and calls them “vendor specific custom ISA extensions”. The problem is that vendors are in a hurry, have limited resources, and deadlines wait for no one. So sometimes things make it out the door with problems. To find those problems, CISPA researchers put together a test framework called RISCVuzz, and it’s all about running each instruction on multiple chips, and watching for oddball behavior. They found a couple of “halt-and-catch-fire” problems, but the real winner (loser) is GhostWrite.

Now, this isn’t a speculative attack like Meltdown or Spectre. It’s more accurate to say that it’s a memory mapping problem. Memory mapping helps the OS keep programs independent of each other by giving them a simplified memory layout, doing the mapping from each program to physical memory in the background. There are instructions that operate using these virtual addresses, and one such is vs128.v. That instruction is intended to manipulate vectors, and use virtual addressing. The problem is that it actually operates directly on physical memory addresses, even bypassing cache. That’s not only memory, but also includes hardware with memory mapped addresses, entirely bypassing the OS. This instruction is the keys to the kingdom.

So yeah, that’s bad, for this one particular RISC-V model. The only known fix is to disable the vector extensions altogether, which comes with a massive performance penalty. One benchmark showed a 77% performance penalty, nearly slashing the CPU’s performance in half. The lessons here are that as exciting as the RISC-V is, with its open ISA, individual chips aren’t necessarily completely Open Sourced, and implementation quality may vary wildly between vendors.

0.0.0.0 Day Vulnerability


We’ve come a long way since the days when the web was young, and the webcam was strictly for checking on how much coffee was left. Now we have cross-site scripting attacks and cross-site request forgeries to deal with. You might be tempted to think that we’ve got browser security down. You’d be wrong. But finally, a whole class of problems are getting cleaned up, and a related problem you probably didn’t even realize you had. That last one is thanks to researchers at Oligo, who bring us this story.

The problem is that websites from the wider Internet are accessing resources on the local network or even the localhost. What happens if a website tries to load a script, using the IP address of your router? Is there some clever way to change settings using nothing but a JS script load? In some cases, yes. Cross Origin Resource Sharing (CORS) fixes this, surely? CORS doesn’t prevent requests, it just limits what the browser can do after the request has been made. It’s a bit embarrassing how long this has been an issue, but PNA finally fixes this, available as an origin trial in Chrome 128. This divides the world into three networks, with the Internet as the least privileged layer, then the local network, and finally the local machine and localhost as the inner, most protected. A page hosted on localhost can pull scripts from the Internet, but not the other way around.

And this brings us to 0.0.0.0. What exactly is that IP address? Is it even an IP address? Sort of. In some cases, like in a daemon’s configuration file, it indicates all the network devices on the local machine. It also gets used in DHCP as the source IP address for DHCP requests before the machine has an IP address. But what happens when you use it in a browser? On Windows, nothing much. 0.0.0.0 is a Unixism that hasn’t (yet) made its way into Windows. But on Linux and MacOS machines, all the major browsers treat it as distinct from 127.0.0.1, but also as functionally equivalent to localhost. And that’s really not great, as evidenced by the list of vulnerabilities in various applications when a browser can pull this off. The good news is that it’s finally getting fixed.

PLCs Sleuthing


Researchers at Claroty have spent some time digging into Unitronics Programmable Logic Controllers (PLCs), as those were notably cracked in a hacking campaign last fall. This started with a very familiar story, of rigging up a serial connection to talk to the controller. There is an official tool to administrate the controller over serial, so capturing that data stream seemed promising. This led to documenting the PCOM protocol, and eventually building a custom admin application. The goal here is to build tooling for forensics, to pull data off of one of those compromised devices.

You Don’t Need to See My JWT


Siemens had a bit of a problem with their AMA Cloud web application. According to researchers at Traceable ASPEN, it’s a surprisingly common problem with React web applications. The login flow here is that upon first visiting the page, the user is redirected to an external Single Sign On provider. What catches the eye is that the React application just about fully loads before that redirect fires. So what happens if that redirect JS code is disabled? There’s the web application, just waiting for data from the back end.

That would be enough to be interesting, but this goes a step further. After login, the authenticated session is handled with a JSON Web Token (JWT). That token was checked for by the front-end code, but the signature wasn’t checked. And then most surprisingly, the APIs behind the service didn’t check for a JWT either. The authentication was all client-side, in the browser. Whoops. Now to their credit, Siemens pushed a fix within 48 hours of the report, and didn’t drop the ball on disclosure.

(Hackaday’s parent company, Supplyframe, is owned by Siemens.)

Bits and Bytes


If you run NeatVNC, 0.8.1 is a pretty important security update. Specifying the security type is left up to clients, and “none” is a valid option. That’s not great.

Apparently we owe Jia Tan a bit of our thanks, as the extra attention on SSH has shaken loose a few interesting findings. While there isn’t a single glaring vulnerability to cover, HD Moore and Rob King found a bunch of implementation problems, particularly in embedded devices. This was presented at Black Hat, so hopefully the presentation will eventually be made available. For now, we do have a nifty new tool, SSHamble, to play with.

In 2023, the Homebrew project undertook an audit by Trail of Bits. And while there weren’t any High severity problems found, there were a decent handful of medium and lower issues. Those have mostly been fixed, and the audit results have now been made public. Homebrew is the “missing package manager for MacOS”, and if that sounds interesting, be sure to watch for next week’s FLOSS Weekly episode, because we’re chatting with Homebrew about this, their new Workbrew announcement, and more!


The Privacy Post reshared this.


A historic step: the UN unanimously adopts the global Cybercrime Treaty

The United Nations has unanimously adopted the global Cybercrime Treaty. The document represents an important step in creating an international legal framework for combating cybercrime and for exchanging data between countries. The treaty was unanimously approved on 8 August and will be put to a vote in the UN General Assembly in the autumn.

The treaty was proposed by Russia in 2021; its main goal is to develop global standards on the problem of transnational cybercrime.

Subsequently, in October 2021, Russia and the USA presented a document describing rules of behaviour in cyberspace.

Since work on the treaty began in 2019, the international community has not reached a consensus on its necessity and objectives. Despite all the doubts, the agreement was adopted after three years of negotiations, concluding with a two-week session.

However, human rights groups and large technology companies have already raised concerns about clauses that allow law enforcement to request electronic evidence and data from Internet service providers in other countries.

Some have observed that attempts to amend the text of the treaty were unsuccessful and that the document still does not contain sufficient guarantees for the protection of human rights. Moreover, the treaty could lead to increased surveillance and the erosion of people's trust in digital technology.

Many believe that UN member states adopted the treaty on the principle that "a bad treaty is better than no treaty". Previously, only regional agreements existed, such as the Budapest Convention, to which China, Russia, India and Brazil were not signatories.

The Center for Strategic and International Studies (CSIS) highlighted the importance of the adopted treaty, stressing that the global community now has a common document that will allow progress in the fight against cybercrime.

The article "A historic step: the UN unanimously adopts the global Cybercrime Treaty" comes from il blog della sicurezza informatica.


The Privacy Post reshared this.


💥💥💥 BREAKING NEWS 💥💥💥

The FSFE intervenes to safeguard #FreeSoftware in a litigation brought by Apple against the @EU_Commission

The FSFE aims to hold Apple accountable under the DMA to protect #FreeSoftware against monopolistic corporate control

fsfe.org/news/2024/news-202408…

The Privacy Post reshared this.


Building AI Models To Diagnose HVAC Issues

HVAC – heating, ventilation, and air conditioning – can account for a huge amount of energy usage of a building, whether it’s residential or industrial. Often it’s the majority energy consumer, especially in places with extreme climates or for things like data centers where cooling is a large design consideration. When problems arise with these complex systems, they can go undiagnosed for a time and additionally be difficult to fix, leading to even more energy losses until repairs are complete. With the growing availability of platforms that can run capable artificial intelligences, [kutluhan_aktar] is working towards a system that can automatically diagnose potential issues and help humans get a handle on repairs faster.

The prototype system is designed for hydronic (water-based) systems and uses two separate artificial intelligences, one to analyze thermal imagery of the system and look for problems like leaks, hot spots, or blockages, and the other to listen for anomalous sounds especially relating to the behavior of cooling fans. For the first, a CNC-like machine was built to move a thermal camera around a custom-built model HVAC system and report its images back to a central system where they can be analyzed for anomalies. The second system which analyses audio runs its artificial intelligence on a XIAO ESP32C6 and listens to the cooling fans running in the model.

One problem that had to be tackled before any of this could be completed was actually building an open-source dataset to train the AI on. That’s part of the reason for the HVAC model in this project; being able to create problems to train the computer to detect before rolling it out to a larger system. The project’s code and training models can be found on its GitHub page. It seems to be a fairly robust solution to this problem, though, and we’ll be looking forward to future versions running on larger systems. Not everyone has a hydronic HVAC system, though. As heat pumps become more and more popular and capable, you’ll need systems to control those as well.


The Privacy Post reshared this.


FPF Responds to the Federal Election Commission Decision on the use of AI in Political Campaign Advertising
fpf.org/blog/fpf-responds-to-t…
@privacy
The Federal Election Commission’s (FEC) abandoned rulemaking presented an opportunity to better protect the integrity of elections and campaigns, as well as to preserve and increase public trust in the growing use of AI by candidates and in

The Privacy Post reshared this.


Internet Appliance to Portable Terminal

A black device with a monochrome LCD sits on a wooden table. Its keyboard extends below the frame. On the screen is the "Level 29" BBS service login.

Few processors have found themselves in so many different devices as the venerable Z80. While it isn’t powerful by modern standards, you can still use devices like this Cidco MailStation as a terminal.

The MailStation was originally designed as an email machine for people who weren’t onboard with this whole computer fad, keeping things simple with just an adjustable monochrome LCD, a keyboard, and a few basic applications. [Joshua Stein] developed a terminal application, msTERM, for the MailStation thanks to work previously done on decoding this device and the wealth of documentation for Z80 assembly.

While [Stein] designed his program to access BBSes, we wonder if it might be a good way to do some distraction-free writing. If that wasn’t enough, he also designed the WiFiStation dongle which lets you communicate over a network without all that tedious mucking about with parallel ports.

If you’d like something designed specifically for writing, how about an AlphaSmart? Wanting to build your own Z80-based project? Why not start with an Altoids-sized Z80 SBC, but don’t wait forever since Z80 production finally ended in June.

youtube.com/embed/Z7FYuFUxFlo?…


The Privacy Post reshared this.


Adapter Salad: Making Your Own Server Cables Because HP Won’t Sell Them To You

The world is tough and uncaring sometimes, especially if you’re at home tinkering with HP Enterprise equipment. If you’re in the same boat as [Neel Chauhan], you might have found that HPE is less than interested in interacting with small individual customers. Thus, when a cable was needed, [Neel] was out of luck. The simple solution was to assemble a substitute one instead!

[Neel] had a HPE ProLiant ML110 Gen11 server, which was to be used as network-attached storage (NAS). Unfortunately, it was bought as an open box, and lacked an appropriate serial-attached SCSI (SAS) cable. Sadly, HPE support was of no assistance in sourcing one.

SlimSAS LP x8 to dual MiniSAS x4 cables aren’t easy to find from anyone else, it turns out. Thus, [Neel] turned to Amazon for help sourcing a combination of parts to make this work. A SlimSAS LP 8X to 2x MiniSAS SFF-8643 cable was used, along with a pair of Mini SAS SFF-8087 to SAS HD SFF-8643 female adapters. From there, SFF-8087 cables could be used to hook up to the actual SAS devices required. The total cost? $102.15.

The stack of cables and adapters looks a bit silly, but it works—and it got [Neel]’s NAS up and running. It’s frustrating when you have to go to such lengths, but it’s not the first time we’ve seen hackers have to recreate obscure cables or connectors from scratch! What’s the craziest adapter salad you’ve ever made?


The Privacy Post reshared this.


X suspends processing of some personal data for AI training


Social media giant X has suspended the processing of some personal data from EU users' public posts to train AI models, two days after the Irish Data Protection Commission (DPC) launched court proceedings over the practice.


euractiv.com/section/data-priv…


The Privacy Post reshared this.


After the news that funding for the @EC_NGI initiative would be cut for the next phase of #HorizonEU, the @EU_Commission has expressed vague support for #FreeSoftware.

The EC needs to come up with dedicated budget for #FreeSoftware solutions:

fsfe.org/news/2024/news-202408…

The Privacy Post reshared this.


A Smart LED Dice Box Thanks To The Internet of Things

If there’s one thing humans love, it’s dancing with chance. To that end, [Jonathan] whipped up a fun dice box, connecting it to the Internet of Things for additional functionality.

Expect dice roll stat tracking to become a big thing in the D&D community.

The build is based around Pixels Dice. They’re a smart type of IoT dice that contains Bluetooth connectivity and internal LEDs. The dice are literally capable of detecting their own rolls and reporting them wirelessly. Thus, the dice connects to the dice box, and the dice box can literally log the rolls and even graph them over time.

The project was built in a nice octagonal box [Jonathan] picked up from a thrift store. It was fitted with a hidden battery and ESP32 to communicate with the dice and run the show. The box also contains integrated wireless chargers to recharge the dice as needed, and a screen for displaying status information.

The dice and dice box can do all kinds of neat things, like responding with mood lighting and animations to your rolls—for better or worse. There are some fun modes you can play with—you can even set the lights to sparkle if you pass a given skill check in your tabletop RPG of choice!

If you play a lot of tabletop games, and you love dice and statistics, this is a project well worth looking into. Imagine logging every roll so you can see how hot you are on a given night. Or, heck—whether it was the dice’s fault you lost your favorite player character in that foreboding dungeon.

We see a few dice hacks now and then, but not nearly enough. This project has us questioning where smart dice have been all our life! Video after the break.

youtube.com/embed/oCDr44C-qwM?…


The Privacy Post reshared this.


UK competition authority launches merger inquiry into Amazon-Anthropic partnership
poliverso.org/display/0477a01e…
UK competition authority launches merger inquiry into Amazon-Anthropic partnershipThe UK's main competition watchdog has formally opened an investigation into the merger between Amazon and AI company Anthropic, a statement released on Thursday (8 August) reads.euractiv.com/section/competiti…

The Privacy Post reshared this.


Europe’s teenage ‘TikTok terrorists’ target Taylor Swift


The foiled jihadist terrorist plot targeting Taylor Swift‘s concerts in Vienna highlights an increasing terrorist threat coming from radicalised European teenagers, which experts blame on social media.


euractiv.com/section/politics/…


The Privacy Post reshared this.


Keebin’ with Kristina: the One with the KiCad Plugin

Illustrated Kristina with an IBM Model M keyboard floating between her hands.

A low-profile split keyboard with a sliding, round track pad on each half. Image by [fata1err0r81] via reddit

The most striking feature of the Tenshi keyboard has to be those dual track pads. But then you notice that [fata1err0r81] managed to sneak in two extra thumb keys on the left, and that those are tilted for comfort and ease of actuation.

The name Tenshi means ‘angel’ in Japanese, and creator [fata1err0r81] says that the track pads are the halos. Each one slides on a cool 3D-printed track that’s shaped like a half dovetail joint, which you can see closer in this picture.

Tenshi uses a pair of RP2040 Zeros as controllers and runs QMK firmware. The track pads are 40 mm each and come from Cirque. While the Cirques have been integrated into QMK, the pull request for ZMK has yet to be merged in. And about those angled keys — [fata1err0r81] says they tried risers, but the tilting feels like less effort. Makes total sense to me, but then again I’m used to a whole keyboard full of tilted keys.

kbplacer Is Your New Best Friend


The finished result. Image by [Adam] via GitHub

What’s the worst part about building custom mechanical keyboards? Well, it probably depends on the person, but for many, the answer would be placing the elements and routing them in order to create the actual PCB.

[Adam] wrote kbplacer, which is an open-source KiCad plugin for designing mechanical keyboards. kbplacer does automatic key placing and routing, and works with Keyboard Layout Editor, VIA, QMK, and, experimentally, Ergogen. It also places diodes, and lets the user select the diode position in relation to key position. In addition, kbplacer can also be installed with pip as a Python package for use with other tools.

If you do want to use it with Ergogen, [Adam] outlines a workflow example. Also, check out how kbplacer works with a whole bunch of popular layouts.

The Centerfold: Battleship Harleyquin


A Harlequin Alice-type keyboard, that is, the keycaps are in four different colors. Image by [hiphasreddit] via reddit

Harlequin all the things, I say, and bring back the four-color Volkswagen. That’s why I love this here Battleship Harleyquin. Don’t miss the gallery!

This may look like an Alice, but it’s really the AVA by Sneak Box with GMK Panels key caps. A matching Panels desk mat might have been too much; I think the GMK Slasher looks nice.

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the Smith Premier 1

The Smith Premier 1 typewriter. It has separate keys for capital and lower case letters. Image via Antique Typewriters

While not quite a 200% keyboard, the Smith Premier 1 definitely has one in spirit. As you can probably tell, there are separate keys for upper and lower case letters. No key performs a second function, so there is no Shift in sight. I particularly like the double space bars and the fact that the numerals run down both sides.

This machine, produced by the L.C. Smith Gun Co. of Syracuse, New York, beginning in the late 1880s, was “the most advertised and successful double keyboard typewriter of its time”. It sold for $100, which was about average for a keyboard typewriter at that time, when one could buy a horse-drawn carriage for $60.

While modern typewriters make use of keys attached to type bars with levers, the Smith Premier uses an array of turning rods in order to transfer motion from the key press to the type bar.

Pressing a key turns a particular horizontal rod that runs the length of the machine. At the rear, a small lever connected to the rod pulls down on the type bar above it, striking the paper. Apparently this design was quite smooth and responsive for the typist. Be sure to check out the detailed images on this one.

ICYMI: the Portable Pi 84


A Raspberry Pi-powered portable computer. Image by [Michael Mayer] via Printables

Over the years, the idea of ‘portable’ has changed significantly. While we once had luggable computers and chonky laptops, these have given way to sleek machines that look pretty much all alike from the outside.

Some of those laptops of yore had ultra-wide displays and were hinged in the center, leaving a sort of trunk at the back. It is these classic computers that inspired [Michael Mayer] to build the Portable Pi 84.

Well, those, and in particular, [Michael]’s chosen mechanical keyboard, itself based on the Happy-Keyboard from [Luis Alegría]. The 9.3″ Waveshare display serendipitously just fits over the keyboard, and the rest is in that spacious trunk — the Raspberry Pi 4, a UPS hat, a couple of 21700 batteries, and a pair of speakers.

Be sure to check out the printed panels that let the user change up the ports and connection layout, because that’s an incredibly cool idea.


Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

