The Privacy Post reshared this.



The First Fitbit: Engineering and Industrial Design Lessons

It could happen to any one of us: suddenly you get this inkling of an idea for a product that you think might just be pretty useful or even cool. Some of us then go on to develop a prototype and manage to get enough seed funding to begin the long and arduous journey to turn a sloppy prototype into a sleek, mass-produced product. This is basically the story of how the Fitbit came to be, with a pretty in-depth article by [Tekla S. Perry] in IEEE Spectrum covering the development process and the countless lessons learned along the way.

Of note was that this idea for an accelerometer-based activity tracker was not new in 2006, as a range of products already existed, from 1960s mechanical pedometers to 1990s medical sensors and the shoe-based Nike+ step tracker that used Apple’s iPod with a receiver. Where this idea for the Fitbit was new was that it’d target a wide audience with a small, convenient (and affordable) device. That also set them up for a major nightmare as the two inventors were plunged into the wonderfully terrifying world of industrial design and hardware development.

One thing that helped a lot was outsourcing what they could to skilled people and having solid seed funding. That still left many hardware decisions to make it as small as possible, as well as waterproof and low-power. The use of the ANT protocol instead of Bluetooth saved a lot of battery, but meant a base station was needed to connect to a PC. Making things waterproof required ultrasonic welding, but a lack of antenna testing meant that the closed case had massively reduced signal strength until a foam shim added some space. The external reset pin on the Fitbit for the base station had a low voltage on it all the time, which led to corrosion issues, and so on.

While much of this was standard development and testing fun, the real challenge was in interpreting the data from the accelerometer. After all, what does a footstep look like to an accelerometer, and when is it just a pothole while travelling by car? Developing a good algorithm here took gathering a lot of real-world data using prototype hardware, which needed tweaking when later Fitbits moved from being clipped-on to being worn on the wrist. These days Fitbit is hardly the only game in town for fitness trackers, but you can definitely blame them for laying much of the groundwork for the countless options today.


The Privacy Post reshared this.

New note by cybersecurity


Who is protesting against the UN's first cybercrime treaty


@Informatica (Italy e non Italy 😁)
The UN committee has approved the first treaty on cybercrime despite opposition from technology companies and human rights defenders, who worry that it could give governments broad powers to curb Internet freedoms.

The article comes from the #Cybersecurity section of


The Privacy Post reshared this.


New note by cybersecurity
Fight against cybercrime: UN approves first treaty (on the initiative of Russia and China). Human rights defenders and Big Tech: “It is global surveillance” key4biz.it/lotta-al-cybercrime… (Italy e non Italy 😁) “A State can, in order to investigate any…

The Privacy Post reshared this.



Microsoft 365: how to bypass Outlook's anti-phishing security with CSS

Researchers at Certitude have demonstrated a way to get around the anti-phishing protection in Microsoft 365 (formerly Office 365). The vulnerabilities have not yet been fixed, however.

The experts say there is a way to hide the First Contact Safety Tip. As its name suggests, the First Contact Safety Tip is designed to warn Outlook users when they receive e-mail from new contacts. A message like this is shown: “You don't often get email from xyz@example.com. Learn why this is important.”

The key here is that the warning is inserted directly into the main HTML body of the e-mail, which opens up the possibility of manipulating it with CSS embedded in the e-mail.

Certitude's researchers write that this message can easily be hidden in the following way.

That is, the text and background colours are changed to white and the font size is set to 0, which ultimately hides the warning and makes it invisible to the user.

Taking this idea further, the experts found that they could add further HTML code to e-mails that imitates the icons Microsoft Outlook adds to encrypted and signed e-mails, to make them look secure. Although some formatting limitations prevent a perfect visual match, the trick can still help get past cursory inspection.

The researchers stress that they are not aware of any cases of the described bugs being exploited, and that they have not found ways to manipulate the HTML to display arbitrary text in an e-mail.

Certitude informed Microsoft of its findings, sending a PoC and a detailed report to the developers through the Microsoft Researcher Portal (MSRC). However, Microsoft's representatives gave the researchers the following response:

“We have determined that your information is valid, but it does not meet our criteria for an immediate response since [the issue] can mainly be used for phishing attacks. However, we have noted this information for further review aimed at improving our products.”
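A mail-gateway heuristic for the hiding trick described above, added here as an example (not Certitude's PoC and not Microsoft's code): it scans the `<style>` blocks of an inbound HTML message for rules that would render text invisible, the white-on-white plus font-size 0 combination the article describes and the closely related display:none and visibility:hidden. The selector names in the constructed sample are placeholders, since the real markup of the First Contact Safety Tip is not given on this page.

```python
"""Heuristic scan of an inbound HTML e-mail for CSS that makes text invisible.

Added example, not Certitude's PoC and not Microsoft's code. It flags
<style> rules carrying the combination described above (white text on a
white background, font-size 0) and two close relatives, display:none and
visibility:hidden. The selector names in the constructed sample are
placeholders; the real markup of the First Contact Safety Tip is not on
this page. Nested @media blocks and background shorthands with images are
not handled.
"""
import re
from typing import Dict, List, Tuple

_STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.S | re.I)
_RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)  # "selector { declarations }"

WHITE = {"#fff", "#ffffff", "white", "rgb(255,255,255)"}
ZERO_SIZES = {"0", "0px", "0pt", "0em", "0rem", "0%"}


def parse_declarations(body: str) -> Dict[str, str]:
    """Turn 'color: #FFF !important; font-size: 0' into a normalised property map."""
    decls: Dict[str, str] = {}
    for part in body.split(";"):
        prop, sep, value = part.partition(":")
        if sep:
            value = re.sub(r"\s+", "", value.lower()).replace("!important", "")
            decls[prop.strip().lower()] = value
    return decls


def invisible_text_reasons(decls: Dict[str, str]) -> List[str]:
    """Reasons a single rule would hide its text; empty list if it would not."""
    reasons: List[str] = []
    if decls.get("font-size") in ZERO_SIZES:
        reasons.append("font-size is zero")
    fg = decls.get("color", "")
    bg = decls.get("background-color") or decls.get("background", "")
    if fg in WHITE and bg in WHITE:
        reasons.append("white text on white background")
    elif fg and fg == bg:
        reasons.append("text colour equals background colour")
    if decls.get("display") == "none":
        reasons.append("display:none")
    if decls.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    return reasons


def scan_email_html(html: str) -> List[Tuple[str, List[str]]]:
    """Return (selector, reasons) for each <style> rule that would hide text."""
    findings = []
    for style in _STYLE_RE.findall(html):
        for selector, body in _RULE_RE.findall(style):
            reasons = invisible_text_reasons(parse_declarations(body))
            if reasons:
                findings.append((" ".join(selector.split()), reasons))
    return findings


# Constructed sample; "#safety-tip-placeholder" stands in for whatever element
# Outlook actually uses, which this page does not identify.
SAMPLE_EMAIL = """<html><head><style>
  p.body { font-family: Arial; color: #222; }
  #safety-tip-placeholder td { color: #ffffff; background-color: #FFF !important; font-size: 0px; }
  .tracking { display: none; }
</style></head>
<body><p class="body">Please review the attached invoice.</p></body></html>"""

if __name__ == "__main__":
    for selector, reasons in scan_email_html(SAMPLE_EMAIL):
        print(f"suspicious rule {selector!r}: {', '.join(reasons)}")
```

A hit is a signal for closer inspection, not proof of phishing: legitimate newsletters also hide preheader text this way, so the finding is best scored alongside the sender's reputation.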

The article Microsoft 365: how to bypass Outlook's anti-phishing security with CSS comes from il blog della sicurezza informatica.


The Privacy Post reshared this.



Custom Pneumatic Cylinders Lock This Monitor Arm in Place

Few consumer-grade PCs are what you’d categorize as built to last. Most office-grade machines are as likely as not to give up the ghost after ingesting a few too many dust bunnies, and the average laptop can barely handle a few drops of latte and some muffin crumbs before croaking. Sticking a machine like that in the shop, especially a metal shop, is pretty much a death sentence.

And yet, computers are so useful in the shop that [Lucas] from “Cranktown City” built this neat industrial-strength monitor arm. His design will look familiar to anyone with a swing-arm mic or desk light, although his home-brew parallelogram arm is far sturdier thanks to the weight of the monitor and sheet-metal enclosure it supports. All that weight exceeded the ability of the springs [Lucas] had on hand, which led to the most interesting aspect of the build — a pair of pneumatic locks. These were turned from a scrap of aluminum rod and an old flange-head bolt; when air pressure is applied, the bolt is drawn into the cylinder, which locks the arm in place. To make it easy to unlock the arm, a pneumatic solenoid releases the pressure on the system at the touch of a button. The video below has a full explanation and demonstration.

While we love the idea, there are a few potential problems with the design. The first is that this isn’t a fail-safe design, since pressure is needed to keep the arm locked. That means if the air pressure drops the arm could unlock, letting gravity do a number on your nice monitor. Second is the more serious problem [Lucas] alluded to when he mentioned not wanting to be in the line of fire of those locks should something fail and the piston comes flying out under pressure. That could be fixed with a slight design change to retain the piston in the event of a catastrophic failure.

Problems aside, this was a great build, and we always love [Lucas]’ seat-of-the-pants engineering and his obvious gift for fabrication, of which his wall-mount plasma cutter is a perfect example.

youtube.com/embed/TjYBY7cUfkE?…


The Privacy Post reshared this.



500cc Of 4-Wheel Off-Road Fun

Who among us hasn’t at some point thought of building a little vehicle, and better still, a little off-road vehicle for a few high-octane rough-terrain adventures. [Made in Poland] has, and there he is in a new video with a little off-road buggy.

The video, which we’ve placed below the break, is quite long, and it’s one of those restful metalworking films in which we see the finished project take shape bit by bit. In this case the buggy has a tubular spaceframe, with front suspension taken from a scrap quad and a home-made solid rear axle. For power there’s a 500cc Suzuki two-cylinder motorcycle engine, with a very short chain drive from its gearbox to that axle. The controls are conventional up to a point, though we’d probably have gone for motorcycle-style handlebars with a foot shift rather than the hand-grip shift.

The final machine is a pocket drift monster, and one we’d certainly like to have a play with. We’d prefer some roll-over protection and we wonder whether the handling might be improved were the engine sprung rather than being part of a huge swing-arm, but it doesn’t appear to interfere with the fun. If you fancy a go yourself it’s surprisingly affordable to make a small vehicle, just build a Hacky Racer.

youtube.com/embed/hdIBxKy-0YY?…


The Privacy Post reshared this.



Botnet sales in the underground. Rentals starting at 99 dollars!

Cybercriminals increasingly use botnets, networks of infected devices that let them launch massive attacks such as DDoS. A study by the experts at Kaspersky Digital Footprint Intelligence showed that the cost of renting or buying such networks on the black market starts at 99 dollars, making them accessible to a wide range of attackers.

Botnets are made up of devices infected with malware and enable large-scale automated attacks. For example, the Mirai botnet scans the Internet for vulnerable IoT devices that use default passwords, captures them and adds them to its network.

In the first half of 2024, Kaspersky Lab analysts recorded a significant increase in the number of infected IoT gadgets, which can range from simple household devices to complex industrial systems.

On the shadow market, botnets can be bought or rented. Their price varies with quality and functionality: from 99 to 10,000 dollars to buy and from 30 to 4,800 dollars per month to rent. These networks can be configured for specific tasks and differ in infection methods, the type of software used and the methods for evading security systems.

Particularly dangerous are botnets whose source code has leaked online. They are available at minimal cost or even for free, but their effectiveness is reduced by how easily modern security systems detect them. Nevertheless, such botnets are still widely used in cyberattacks.

In addition, offers to build custom botnets appear on black markets. The cost of such services starts at 3,000 US dollars, and such deals are often concluded privately.

Botnets are used for more than just attacks. With their help, attackers can mine cryptocurrency or distribute ransomware. The ransom demanded to decrypt data stolen using such programs can reach 2 million dollars.

As the analysts at Kaspersky Digital Footprint Intelligence note, despite their relative accessibility, botnets remain just one of many tools in the cybercriminals' arsenal. Their popularity, however, continues to grow, posing considerable security threats to individuals and organisations alike.

The article Botnet sales in the underground. Rentals starting at 99 dollars! comes from il blog della sicurezza informatica.


The Privacy Post reshared this.



Hackaday Podcast Episode 283: Blinding Lasers, LEDs, and ETs

Hackaday Editors Elliot Williams and Al Williams reflect on the fact that, as humans, we have–at most–two eyes and no warp drives. While hacking might not be the world’s most dangerous hobby, you do get to work with dangerous voltages, temperatures, and frickin’ lasers. Light features prominently, as the guys talk about LED data interfaces, and detecting faster-than-light travel.

There’s also a USB sniffer, abusing hot glue, and some nostalgia topics ranging from CRT graphics to Apollo workstations (which have nothing directly to do with NASA). The can’t-miss articles this week cover hacking you and how you make the red phone ring in the middle of a nuclear war.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

As always, please download the file to archive in your doomsday bunker.


The Privacy Post reshared this.



Google releases Android security patches, including a critical zero-day in the kernel

This week Google released the August security patches for Android. The list of fixed vulnerabilities included, among other things, a zero-day bug (CVE-2024-36971, CVSS score 7.8) associated with remote code execution in the kernel.

The zero-day was reportedly discovered by Google Threat Analysis Group (TAG) specialist Clement Lecigne and is a use-after-free bug in network route handling in the Linux kernel. Successfully exploiting it requires system-level privileges in order to alter the behaviour of certain network connections.

Google notes that CVE-2024-36971 may already be “under limited, targeted exploitation”, and attackers could use the vulnerability to execute arbitrary code without user interaction.

So far the company has not disclosed details on exactly how the vulnerability is being exploited or who might be using it in their attacks. It is worth noting that TAG specialists track government hackers as well as commercial software vendors, including the makers of Pegasus (NSO Group) and Predator (Intellexa). For example, in 2023 TAG experts discovered 25 zero-day vulnerabilities, 20 of which were used by commercial surveillance vendors.

In total, more than 40 vulnerabilities were fixed in Android this month. As usual, Google released two sets of updates: patch level 2024-08-01 and patch level 2024-08-05. The latter includes all the security fixes of the first set plus additional fixes for third-party closed-source components and the kernel. For example, this level fixes a critical vulnerability (CVE-2024-23350) in a closed-source Qualcomm component.

Also fixed were 11 serious privilege-escalation vulnerabilities in the Framework component that could be exploited by attackers without additional privileges.

The article Google releases Android security patches, including a critical zero-day in the kernel comes from il blog della sicurezza informatica.


The Privacy Post reshared this.



UN approves landmark controversial cybercrime treaty


United Nations member states approved its first-ever treaty aimed at combating cybercrime, a controversial text opposed by digital rights organisations and Big Tech companies.


euractiv.com/section/cybersecu…


The Privacy Post reshared this.



Liquid (Reversibly) Solidifies at Room Temperature, Gets Used for 3D Prints

Researchers demonstrate sustainable 3D printing by using poly(N-isopropylacrylamide) solutions (PNIPAM), which speedily and reliably turn solid by undergoing a rapid phase change when in a salt solution.

This property has been used to 3D print objects by using a syringe tip as if it were a nozzle in a filament-based printer. As long as the liquid is being printed into contact with a salt solution, the result is a polymer that solidifies upon leaving the syringe.

What’s also interesting is that the process by which the PNIPAM-based solutions solidify is entirely reversible. Researchers demonstrate printing, breaking down, then re-printing, which is an awfully neat trick. Finally, by mixing different additives in with PNIPAM, one can obtain different properties in the final product. For example, researchers demonstrate making conductive prints by adding carbon nanotubes.

While we’ve seen the concept of printing with liquids by extruding them into a gel bath or a similar approach, we haven’t seen a process that prides itself on being so reversible before. The research paper is available here, so check it out for all the details.


The Privacy Post reshared this.



This Week in Security: GhostWrite, Localhost, and More

You may have heard some scary news about RISC-V CPUs. There’s good news, and bad news, and the whole thing is a bit of a cautionary tale. GhostWrite is a devastating vulnerability in a pair of T-Head XuanTie RISC-V CPUs. There are also unexploitable crashes in another T-Head CPU and the QEMU soft core implementation. These findings come courtesy of a group of researchers at the CISPA Helmholtz Center for Information Security in Germany. They took a look at RISC-V cores, and asked the question: do any of these instructions do anything unexpected? The answer, obviously, was “yes”.

Undocumented instructions have been around just about as long as we’ve had von Neumann architecture processors. The RISC-V ISA put a lampshade on that reality, and calls them “vendor specific custom ISA extensions”. The problem is that vendors are in a hurry, have limited resources, and deadlines wait for no one. So sometimes things make it out the door with problems. To find those problems, CISPA researchers put together a test framework called RISCVuzz, and it’s all about running each instruction on multiple chips, and watching for oddball behavior. They found a couple of “halt-and-catch-fire” problems, but the real winner (loser) is GhostWrite.

Now, this isn’t a speculative attack like Meltdown or Spectre. It’s more accurate to say that it’s a memory mapping problem. Memory mapping helps the OS keep programs independent of each other by giving them a simplified memory layout, doing the mapping from each program to physical memory in the background. There are instructions that operate using these virtual addresses, and one such is vs128.v. That instruction is intended to manipulate vectors, and use virtual addressing. The problem is that it actually operates directly on physical memory addresses, even bypassing cache. That’s not only memory, but also includes hardware with memory mapped addresses, entirely bypassing the OS. This instruction is the keys to the kingdom.

So yeah, that’s bad, for this one particular RISC-V model. The only known fix is to disable the vector extensions altogether, which comes with a massive performance penalty. One benchmark showed a 77% performance penalty, nearly slashing the CPU’s performance in half. The lessons here are that as exciting as RISC-V is, with its open ISA, individual chips aren’t necessarily completely open sourced, and implementation quality may vary wildly between vendors.

0.0.0.0 Day Vulnerability


We’ve come a long way since the days when the web was young, and the webcam was strictly for checking on how much coffee was left. Now we have cross-site scripting attacks and cross-site request forgeries to deal with. You might be tempted to think that we’ve got browser security down. You’d be wrong. But finally, a whole class of problems are getting cleaned up, and a related problem you probably didn’t even realize you had. That last one is thanks to researchers at Oligo, who bring us this story.

The problem is that websites from the wider Internet are accessing resources on the local network or even the localhost. What happens if a website tries to load a script using the IP address of your router? Is there some clever way to change settings using nothing but a JS script load? In some cases, yes. Cross Origin Resource Sharing (CORS) fixes this, surely? CORS doesn’t prevent requests, it just limits what the browser can do after the request has been made. It’s a bit embarrassing how long this has been an issue, but Private Network Access (PNA) finally fixes this, available as an origin trial in Chrome 128. This divides the world into three networks, with the Internet as the least privileged layer, then the local network, and finally the local machine and localhost as the inner, most protected. A page hosted on localhost can pull scripts from the Internet, but not the other way around.

And this brings us to 0.0.0.0. What exactly is that IP address? Is it even an IP address? Sort of. In some cases, like in a daemon’s configuration file, it indicates all the network devices on the local machine. It also gets used in DHCP as the source IP address for DHCP requests before the machine has an IP address. But what happens when you use it in a browser? On Windows, nothing much. 0.0.0.0 is a Unixism that hasn’t (yet) made its way into Windows. But on Linux and MacOS machines, all the major browsers treat it as distinct from 127.0.0.1, but also as functionally equivalent to localhost. And that’s really not great, as evidenced by the list of vulnerabilities in various applications when a browser can pull this off. The good news is that it’s finally getting fixed.
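The checks a service listening on the local machine can apply on its own side, written as an added example (not Oligo's research code and not a browser's PNA implementation): it models the three rings above and lets a cross-site browser request through only when the page's origin is at least as private as the target, with 0.0.0.0 pinned to the innermost ring because, as explained above, Linux and macOS browsers deliver it to localhost. Function names and sample header values are constructed for this example.

```python
"""Host/Origin checks for a service that listens on the local machine.

Added example, not Oligo's research code and not any browser's Private
Network Access implementation. Rings are ordered public Internet <
local network < local machine, as in the text; a request is honoured only
when its origin ring is at least as private as the target ring. All
function names and sample header values are constructed.
"""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Higher number = more private, mirroring the ordering in the text.
PUBLIC, LOCAL_NETWORK, LOCAL_MACHINE = 0, 1, 2
RING_NAMES = {PUBLIC: "public Internet", LOCAL_NETWORK: "local network", LOCAL_MACHINE: "local machine"}
LOOPBACK_NAMES = {"localhost", "0.0.0.0"}


def network_ring(host: str) -> int:
    """Classify a host name or IP literal into one of the three rings."""
    host = host.strip("[]").rstrip(".").lower()
    if host in LOOPBACK_NAMES or host.endswith(".localhost"):
        return LOCAL_MACHINE
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return PUBLIC  # any other DNS name is assumed to live on the Internet
    # 0.0.0.0 and :: are "unspecified", not "loopback", to the ipaddress
    # module, yet browsers route them to this machine: pin them to the
    # innermost ring so they cannot slip past the check.
    if addr.is_loopback or addr.is_unspecified:
        return LOCAL_MACHINE
    if addr.is_private or addr.is_link_local:
        return LOCAL_NETWORK
    return PUBLIC


def check_request(host_header: str, origin_header: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a localhost-only service should honour an HTTP request.

    host_header   -- the Host header: the name the client believes it reached
    origin_header -- the Origin header browsers attach to cross-site requests,
                     or None when absent (same-origin page or non-browser client)
    Returns (allowed, reason).
    """
    target_host = urlsplit("//" + host_header).hostname
    if target_host is None or network_ring(target_host) != LOCAL_MACHINE:
        # Also catches DNS rebinding: a public name that resolved to 127.0.0.1.
        return False, f"Host {host_header!r} is not a name for this machine"
    if origin_header is None:
        return True, "no Origin header: same-origin or non-browser client"
    if origin_header == "null":
        return False, "opaque origin ('null') is treated as public"
    origin_host = urlsplit(origin_header).hostname
    if origin_host is None:
        return False, f"unparseable Origin {origin_header!r}"
    ring = network_ring(origin_host)
    if ring < LOCAL_MACHINE:
        return False, f"a page from the {RING_NAMES[ring]} may not reach the local machine"
    return True, f"origin {origin_host!r} is on the local machine"


if __name__ == "__main__":
    # Constructed requests: a plain local client, a drive-by from the Internet
    # aimed at 0.0.0.0, a local dev server, and a rebinding-style Host header.
    for host, origin in [("127.0.0.1:8080", None),
                         ("0.0.0.0:8080", "https://attacker.example"),
                         ("localhost:8080", "http://localhost:3000"),
                         ("app.attacker.example:8080", None)]:
        print(host, origin, check_request(host, origin))
```

A plain GET navigation also carries no Origin header, so this check complements binding the daemon to 127.0.0.1 rather than 0.0.0.0; it does not replace it.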

PLCs Sleuthing


Researchers at Claroty have spent some time digging into Unitronics Programmable Logic Controllers (PLCs), as those were notably cracked in a hacking campaign last fall. This started with a very familiar story, of rigging up a serial connection to talk to the controller. There is an official tool to administrate the controller over serial, so capturing that data stream seemed promising. This led to documenting the PCOM protocol, and eventually building a custom admin application. The goal here is to build tooling for forensics, to pull data off of one of those compromised devices.

You Don’t Need to See My JWT


Siemens had a bit of a problem with their AMA Cloud web application. According to researchers at Traceable ASPEN, it’s a surprisingly common problem with React web applications. The login flow here is that upon first visiting the page, the user is redirected to an external Single Sign On provider. What catches the eye is that the React application just about fully loads before that redirect fires. So what happens if that redirect JS code is disabled? There’s the web application, just waiting for data from the back end.

That would be enough to be interesting, but this goes a step further. After login, the authenticated session is handled with a JSON Web Token (JWT). That token was checked for by the front-end code, but the signature wasn’t checked. And then most surprisingly, the APIs behind the service didn’t check for a JWT either. The authentication was all client-side, in the browser. Whoops. Now to their credit, Siemens pushed a fix within 48 hours of the report, and didn’t drop the ball on disclosure.

(Hackaday’s parent company, Supplyframe, is owned by Siemens.)
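The back-end check that was missing in the story above, as an added example (not Siemens' code and not Traceable ASPEN's): the API endpoint recomputes the HS256 signature, pins the algorithm, and enforces expiry before returning anything, so a token with its signature stripped or its payload edited gets a 401. HS256 is hand-rolled on the standard library so the block runs offline; the secret, claims and endpoint name are constructed.

```python
"""Back-end JWT verification of the kind the AMA Cloud API was missing.

Added example, not Siemens' code and not Traceable ASPEN's. HS256
(HMAC-SHA256) is hand-rolled on the standard library so the block runs
offline; a production service should use a maintained JWT library. The
secret, the claims and the endpoint name are constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

SECRET = b"constructed-demo-secret-not-for-real-use"  # constructed


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def make_jwt(claims: Dict[str, Any], secret: bytes) -> str:
    """Mint an HS256 token (used here only to build the sample inputs)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return f"{signing_input}.{_b64url_encode(_sign(signing_input, secret))}"


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Return the claims if the token is genuine and unexpired, otherwise None.

    These are the checks a browser-side 'is there a token?' test cannot
    provide: the algorithm is pinned to HS256 (so 'none' is refused), the
    signature is recomputed and compared in constant time, and 'exp' is
    required and must lie in the future.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed structure, padding, base64 or JSON
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None  # never let the token choose the algorithm
    if not hmac.compare_digest(sig, _sign(f"{header_b64}.{payload_b64}", secret)):
        return None
    exp = claims.get("exp")
    current = int(time.time()) if now is None else now
    if not isinstance(exp, int) or exp < current:
        return None
    return claims


def api_get_profile(authorization: Optional[str], now: Optional[int] = None) -> Dict[str, Any]:
    """Server-side endpoint: returns data only when the bearer token verifies."""
    if not authorization or not authorization.startswith("Bearer "):
        return {"status": 401, "error": "missing bearer token"}
    claims = verify_jwt(authorization[len("Bearer "):], SECRET, now=now)
    if claims is None:
        return {"status": 401, "error": "invalid or expired token"}
    return {"status": 200, "user": claims.get("sub")}


if __name__ == "__main__":
    now = int(time.time())
    token = make_jwt({"sub": "alice", "exp": now + 600}, SECRET)
    print(api_get_profile("Bearer " + token, now))
    header, payload, _ = token.split(".")
    print(api_get_profile(f"Bearer {header}.{payload}.", now))  # signature stripped
```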

Bits and Bytes


If you run NeatVNC, 0.8.1 is a pretty important security update. Specifying the security type is left up to clients, and “none” is a valid option. That’s not great.

Apparently we owe Jia Tan a bit of our thanks, as the extra attention on SSH has shaken loose a few interesting findings. While there isn’t a single glaring vulnerability to cover, HD Moore and Rob King found a bunch of implementation problems, particularly in embedded devices. This was presented at Black Hat, so hopefully the presentation will eventually be made available. For now, we do have a nifty new tool, SSHamble, to play with.

In 2023, the Homebrew project undertook an audit by Trail of Bits. And while there weren’t any High severity problems found, there were a decent handful of medium and lower issues. Those have mostly been fixed, and the audit results have now been made public. Homebrew is the “missing package manager for MacOS”, and if that sounds interesting, be sure to watch for next week’s FLOSS Weekly episode, because we’re chatting with Homebrew about this, their new Workbrew announcement, and more!


The Privacy Post reshared this.



Historic step: the UN unanimously adopts the global Cybercrime Treaty

The United Nations has unanimously adopted the global Cybercrime Treaty. The document marks an important step in creating an international legal framework for fighting cybercrime and for the exchange of data between countries. The treaty was approved unanimously on 8 August and will be put to a vote in the UN General Assembly in the autumn.

The treaty was proposed by Russia in 2021; its main goal is to develop global standards on the problem of transnational cybercrime.

Subsequently, in October 2021, Russia and the USA presented a document describing rules of conduct in cyberspace.

Since work on the treaty began in 2019, the international community has not reached consensus on its necessity and its objectives. Despite all the doubts, the agreement was adopted after three years of negotiations, which ended with a two-week session.

However, human rights groups and big technology companies have already raised concerns about clauses that allow law enforcement to request electronic evidence and data from Internet service providers in other countries.

Some have observed that attempts to amend the text of the treaty were unsuccessful and that the document still does not contain sufficient guarantees for the protection of human rights. Moreover, the treaty could lead to greater surveillance and erode people's trust in digital technology.

Many believe that UN member states adopted the treaty on the principle that “a bad treaty is better than no treaty”. Previously only regional agreements existed, such as the Budapest Convention, of which China, Russia, India and Brazil were not signatories.

The Center for Strategic and International Studies (CSIS) underlined the importance of the adopted treaty, pointing out that the global community now has a common document that will allow progress in the fight against cybercrime.

The article Historic step: the UN unanimously adopts the global Cybercrime Treaty comes from il blog della sicurezza informatica.


The Privacy Post reshared this.

💥💥💥 BREAKING NEWS 💥💥💥

The FSFE intervenes to safeguard #FreeSoftware in a litigation brought by Apple against the @EU_Commission

The FSFE aims to hold Apple accountable under the DMA to protect #FreeSoftware against monopolistic corporate control

fsfe.org/news/2024/news-202408…

The Privacy Post reshared this.

Building AI Models To Diagnose HVAC Issues
poliverso.org/display/0477a01e…


Building AI Models To Diagnose HVAC Issues

HVAC – heating, ventilation, and air conditioning – can account for a huge amount of energy usage of a building, whether it’s residential or industrial. Often it’s the majority energy consumer, especially in places with extreme climates or for things like data centers where cooling is a large design consideration. When problems arise with these complex systems, they can go undiagnosed for a time and additionally be difficult to fix, leading to even more energy losses until repairs are complete. With the growing availability of platforms that can run capable artificial intelligences, [kutluhan_aktar] is working towards a system that can automatically diagnose potential issues and help humans get a handle on repairs faster.

The prototype system is designed for hydronic (water-based) systems and uses two separate artificial intelligences: one analyzes thermal imagery of the system and looks for problems like leaks, hot spots, or blockages, and the other listens for anomalous sounds, especially those relating to the behavior of cooling fans. For the first, a CNC-like machine was built to move a thermal camera around a custom-built model HVAC system and report its images back to a central system where they can be analyzed for anomalies. The second system, which analyzes audio, runs its artificial intelligence on a XIAO ESP32C6 and listens to the cooling fans running in the model.

One problem that had to be tackled before any of this could be completed was actually building an open-source dataset to train the AI on. That’s part of the reason for the HVAC model in this project: being able to create problems to train the computer to detect before rolling it out to a larger system. The project’s code and training models can be found on its GitHub page. It seems to be a fairly robust solution to this problem, and we’ll be looking forward to future versions running on larger systems. Not everyone has a hydronic HVAC system, though. As heat pumps become more and more popular and capable, you’ll need systems to control those as well.


The Privacy Post reshared this.

FPF Responds to the Federal Election Commission Decision on the use of AI in Political Campaign Advertising
fpf.org/blog/fpf-responds-to-t…
@privacy
The Federal Election Commission’s (FEC) abandoned rulemaking presented an opportunity to better protect the integrity of elections and campaigns, as well as to preserve and increase public trust in the growing use of AI by candidates and in

The Privacy Post reshared this.

Internet Appliance to Portable Terminal
poliverso.org/display/0477a01e…


Internet Appliance to Portable Terminal

A black device with a monochrome LCD sits on a wooden table. Its keyboard extends below the frame. On the screen is the "Level 29" BBS service login.

Few processors have found themselves in so many different devices as the venerable Z80. While it isn’t powerful by modern standards, you can still use devices like this Cidco MailStation (jcs.org/2019/05/03/mailstation) as a terminal.

The MailStation was originally designed as an email machine for people who weren’t onboard with this whole computer fad, keeping things simple with just an adjustable monochrome LCD, a keyboard, and a few basic applications. [Joshua Stein] developed a terminal application, msTERM, for the MailStation thanks to work previously done on decoding this device and the wealth of documentation for Z80 assembly.

While [Stein] designed his program to access BBSes, we wonder if it might be a good way to do some distraction-free writing. If that wasn’t enough, he also designed the WiFiStation dongle which lets you communicate over a network without all that tedious mucking about with parallel ports.

If you’d like something designed specifically for writing, how about an AlphaSmart? Wanting to build your own Z80-based project? Why not start with an Altoids-sized Z80 SBC, but don’t wait forever since Z80 production finally ended in June.

youtube.com/embed/Z7FYuFUxFlo?…


The Privacy Post reshared this.

Adapter Salad: Making Your Own Server Cables Because HP Won’t Sell Them To You
poliverso.org/display/0477a01e…


Adapter Salad: Making Your Own Server Cables Because HP Won’t Sell Them To You

The world is tough and uncaring sometimes, especially if you’re at home tinkering with HP Enterprise equipment. If you’re in the same boat as [Neel Chauhan], you might have found that HPE is less than interested in interacting with small individual customers. Thus, when a cable was needed, [Neel] was out of luck. The simple solution was to assemble a substitute one instead!

[Neel] had an HPE ProLiant ML110 Gen11 server, which was to be used as network-attached storage (NAS). Unfortunately, it was bought as an open box, and lacked an appropriate serial-attached SCSI (SAS) cable. Sadly, HPE support was of no assistance in sourcing one.

SlimSAS LP x8 to dual MiniSAS x4 cables aren’t easy to find from anyone else, it turns out. Thus, [Neel] turned to Amazon for help sourcing a combination of parts to make this work. A SlimSAS LP 8X to 2x MiniSAS SFF-8643 cable was used, along with a pair of Mini SAS SFF-8087 to SAS HD SFF-8643 female adapters. From there, SFF-8087 cables could be used to hook up to the actual SAS devices required. The total cost? $102.15.

The stack of cables and adapters looks a bit silly, but it works—and it got [Neel]’s NAS up and running. It’s frustrating when you have to go to such lengths, but it’s not the first time we’ve seen hackers have to recreate obscure cables or connectors from scratch! What’s the craziest adapter salad you’ve ever made?


The Privacy Post reshared this.

X suspends processing of some personal data for AI training
poliverso.org/display/0477a01e…


X suspends processing of some personal data for AI training


Social media giant X has suspended the processing of some personal data from EU users' public posts to train AI models, two days after the Irish Data Protection Commission (DPC) launched court proceedings over the practice.


euractiv.com/section/data-priv…


The Privacy Post reshared this.

After the news that funding for the @EC_NGI initiative would be cut for the next phase of #HorizonEU, the @EU_Commission has expressed vague support for #FreeSoftware.

The EC needs to come up with dedicated budget for #FreeSoftware solutions:

fsfe.org/news/2024/news-202408…

The Privacy Post reshared this.

A Smart LED Dice Box Thanks To The Internet of Things
poliverso.org/display/0477a01e…


A Smart LED Dice Box Thanks To The Internet of Things

If there’s one thing humans love, it’s dancing with chance. To that end, [Jonathan] whipped up a fun dice box (robopenguins.com/pixels-dice-b…), connecting it to the Internet of Things for additional functionality.

Expect dice roll stat tracking to become a big thing in the D&D community.

The build is based around Pixels Dice. They’re a smart type of IoT dice with Bluetooth connectivity and internal LEDs. The dice are literally capable of detecting their own rolls and reporting them wirelessly. Thus, the dice connect to the dice box, which can log the rolls and even graph them over time.

The project was built in a nice octagonal box [Jonathan] picked up from a thrift store. It was fitted with a hidden battery and ESP32 to communicate with the dice and run the show. The box also contains integrated wireless chargers to recharge the dice as needed, and a screen for displaying status information.

The dice and dice box can do all kinds of neat things, like responding with mood lighting and animations to your rolls—for better or worse. There are some fun modes you can play with—you can even set the lights to sparkle if you pass a given skill check in your tabletop RPG of choice!

If you play a lot of tabletop games, and you love dice and statistics, this is a project well worth looking into. Imagine logging every roll so you can see how hot you are on a given night. Or, heck—whether it was the dice’s fault you lost your favorite player character in that foreboding dungeon.

We see a few dice hacks now and then, but not nearly enough. This project has us questioning where smart dice have been all our life! Video after the break.

youtube.com/embed/oCDr44C-qwM?…


The Privacy Post reshared this.

UK competition authority launches merger inquiry into Amazon-Anthropic partnership
poliverso.org/display/0477a01e…
The UK's main competition watchdog has formally opened an investigation into the merger between Amazon and AI company Anthropic, a statement released on Thursday (8 August) reads.

euractiv.com/section/competiti…

The Privacy Post reshared this.

Europe’s teenage ‘TikTok terrorists’ target Taylor Swift
poliverso.org/display/0477a01e…


Europe’s teenage ‘TikTok terrorists’ target Taylor Swift


The foiled jihadist terrorist plot targeting Taylor Swift‘s concerts in Vienna highlights an increasing terrorist threat coming from radicalised European teenagers, which experts blame on social media.


euractiv.com/section/politics/…


The Privacy Post reshared this.

Keebin’ with Kristina: the One with the KiCad Plugin
poliverso.org/display/0477a01e…


Keebin’ with Kristina: the One with the KiCad Plugin

Illustrated Kristina with an IBM Model M keyboard floating between her hands.

A low-profile split keyboard with a sliding, round track pad on each half. Image by [fata1err0r81] via reddit.com/r/ErgoMechKeyboards…

The most striking feature of the Tenshi keyboard (github.com/dlip/tenshi) has to be those dual track pads. But then you notice that [fata1err0r81] managed to sneak in two extra thumb keys on the left, and that those are tilted for comfort and ease of actuation.

The name Tenshi means ‘angel’ in Japanese, and creator [fata1err0r81] says that the track pads are the halos. Each one slides on a cool 3D-printed track that’s shaped like a half dovetail joint, which you can see more closely in this picture.

Tenshi uses a pair of RP2040 Zeros as controllers and runs QMK firmware. The track pads are 40 mm each and come from Cirque. While the Cirques have been integrated into QMK, the pull request for ZMK has yet to be merged in. And about those angled keys — [fata1err0r81] says they tried risers, but the tilting feels like less effort. Makes total sense to me, but then again I’m used to a whole keyboard full of tilted keys.

kbplacer Is Your New Best Friend


The finished result. Image by [Adam] via GitHub

What’s the worst part about building custom mechanical keyboards? Well, it probably depends on the person, but for many, the answer would be placing the elements and routing them in order to create the actual PCB.

[Adam] wrote kbplacer, which is an open-source KiCad plugin for designing mechanical keyboards. kbplacer does automatic key placing and routing, and works with Keyboard Layout Editor, VIA, QMK, and, experimentally, Ergogen. It also places diodes, and lets the user select the diode position in relation to key position. In addition, kbplacer can also be installed with pip as a Python package for use with other tools.

If you do want to use it with Ergogen, [Adam] outlines a workflow example. Also, check out how kbplacer works with a whole bunch of popular layouts.

The Centerfold: Battleship Harleyquin


A Harlequin Alice-type keyboard, that is, the keycaps are in four different colors. Image by [hiphasreddit] via reddit

Harlequin all the things, I say, and bring back the four-color Volkswagen. That’s why I love this here Battleship Harleyquin. Don’t miss the gallery!

This may look like an Alice, but it’s really the AVA by Sneak Box with GMK Panels key caps. A matching Panels desk mat might have been too much; I think the GMK Slasher looks nice.

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the Smith Premier 1

The Smith Premier 1 typewriter. It has separate keys for capital and lower case letters. Image via Antique Typewriters

While not quite a 200% keyboard, the Smith Premier 1 definitely has one in spirit. As you can probably tell, there are separate keys for upper and lower case letters. No key performs a second function, so there is no Shift in sight. I particularly like the double space bars and the fact that the numerals run down both sides.

This machine, produced by the L.C. Smith Gun Co. of Syracuse, New York, beginning in the late 1880s, was “the most advertised and successful double keyboard typewriter of its time”. It sold for $100, which was about average for a keyboard typewriter at that time, when one could buy a horse-drawn carriage for $60.

While modern typewriters make use of keys attached to type bars with levers, the Smith Premier uses an array of turning rods in order to transfer motion from the key press to the type bar.

Pressing a key turns a particular horizontal rod that runs the length of the machine. At the rear, a small lever connected to the rod pulls down on the type bar above it, striking the paper. Apparently this design was quite smooth and responsive for the typist. Be sure to check out the detailed images on this one.

ICYMI: the Portable Pi 84


A Raspberry Pi-powered portable computer. Image by [Michael Mayer] via Printables

Over the years, the idea of ‘portable’ has changed significantly. While we once had luggable computers and chonky laptops, these have given way to sleek machines that look pretty much all alike from the outside.

Some of those laptops of yore had ultra-wide displays and were hinged in the center, leaving a sort of trunk at the back. It is these classic computers that inspired [Michael Mayer] to build the Portable Pi 84.

Well, those, and in particular, [Michael]’s chosen mechanical keyboard, itself based on the Happy-Keyboard from [Luis Alegría]. The 9.3″ Waveshare display serendipitously just fits over the keyboard, and the rest is in that spacious trunk — the Raspberry Pi 4, a UPS hat, a couple of 21700 batteries, and a pair of speakers.

Be sure to check out the printed panels that let the user change up the ports and connection layout, because that’s an incredibly cool idea.


Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.


The Privacy Post reshared this.

Raspberry Has a New Pico, Built with the New RP2350
poliverso.org/display/0477a01e…


Raspberry Has a New Pico, Built with the New RP2350

Raspberry Pi’s first foray into the world of microcontrollers, the RP2040, was a very interesting chip. Its standout features were the programmable input/output units (PIOs) which enabled all sorts of custom real-time shenanigans. And that’s not to discount the impact of the Pi Pico, the $4 dev kit built around it.

Today, they’re announcing a brand-new microcontroller: the RP2350. It will come conveniently packaged in the new Pi Pico 2, and there’s good news and bad news. The good news is that the new chip is better in every way, and that the Pico form factor will stay the same. The bad news? It’s going to cost 25% more, coming in at $5. But in exchange for the extra buck, you get a lot.

For starters, the RP2350 runs a bit faster at 150 MHz, has double the on-board RAM at 520 kB, and twice as much QSPI flash at 4 MB. And those sweet, sweet PIOs? Now it has 12 instead of just 8. (Although we have no word yet if there is more program space per PIO – even with the incredibly compact PIO instruction set, we always wanted more!)

Two flavors on the same chip: Arm and RISC

As before, it’s a dual-core chip, but now the cores are Arm Cortex M33s or RISC-V Hazard3s. Yes, you heard that right, there are two pairs of processors on board. Raspberry Pi says that you’ll be able to select which style of cores runs either by software or by burning one-time fuses. So it’s not a quad core chip, but rather your choice of two different dual cores. Wild!

Raspberry Pi is also making a big deal about the new Arm TrustZone functionality. It has signed boot, 8 kB of OTP key-storage memory, SHA-256 acceleration, a hardware RNG, and “fast glitch detectors”. While this is probably more aimed at industry than the beginning hacker, we’re absolutely confident that some of you out there will put this data-safe to good use.

There is, as of yet, no wireless built in. We can’t see into the future, but we can see into the past, and we remember that the original Pico was wireless for a few months before they got the WiFi and Bluetooth radio added into the Pico W. Will history repeat itself with the Pico 2?

We’re getting our hands on a Pico 2 in short order, and we’ve already gotten a sneak peek at the extensive software toolchain that’s been built out for it. All the usual suspects are there: Picotool, TinyUSB, and OpenOCD as we write this. We’ll be putting it through its paces and writing up all the details next week.


The Privacy Post reshared this.

X suspends processing of some personal data for AI training
euractiv.com/section/data-priv…
@privacy
Social media giant X has suspended the processing of some personal data from EU users' public posts to train AI models, two days after the Irish Data Protection Commission (DPC) launched court proceedings over the practice.

The Privacy Post reshared this.

CrowdStrike publishes a report on “Channel File 291” explaining the incident and the improvements introduced
poliverso.org/display/0477a01e…


CrowdStrike publishes a report on “Channel File 291” explaining the incident and the improvements introduced

Security company CrowdStrike recently produced a report (crowdstrike.com/blog/channel-f…) setting out the reasons for the failure of its Falcon Sensor software, which disrupted millions of Windows-based devices around the world, as well as the improvements introduced.

The incident, named “Channel File 291”, was caused by a content validation problem following the introduction of a new type of pattern for detecting new attack techniques.

The new template type caused a parameter mismatch: 21 input parameters were passed to the content validator instead of the 20 expected and supplied by the content interpreter. The discrepancy was not detected during testing and caused the error. As a result, sensors that received the new update encountered a memory read problem, which led to the system crash.

In other words, the new version of Channel File 291, released on 19 July, was the first instance of the IPC template to use the 21st parameter. The lack of a specific test for criteria matching without wildcards in the 21st field meant that the problem was not identified before a rapid content update was sent to the sensors.

CrowdStrike has made changes to prevent similar problems in the future. Bounds checks on the input array have been added, and the number of tests for new templates has been increased.

The company has also engaged third-party experts to review the code and improve its quality. In addition, the Falcon platform has been updated to give customers greater control over update delivery.
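The mechanism described above, as an added C example that is not CrowdStrike’s code: it models a content validator whose field limit (21) is not tied to the interpreter’s capacity (20), a rule matcher that never reads a field’s value for a wildcard rule (which is why wildcard-only test content never exercised the read), and a hardened interpreter that rejects an out-of-range field index instead of reading past its table. The constants, type names, `make_entry` sample data and result codes are all constructed for this example; the original unchecked out-of-bounds read is described in a comment rather than reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the incident: the interpreter was built for 20 fields,
 * the validator accepted 21, and only a non-wildcard rule on field 20 forces
 * a read of a slot the interpreter does not have. */
#define INTERPRETER_FIELDS      20  /* slots the interpreter actually has      */
#define VALIDATOR_FIELDS_BEFORE 21  /* the validator's own, unrelated limit    */
#define MAX_TEMPLATE_FIELDS     32  /* storage for the sample entry, not a limit */

typedef struct {
    size_t count;                            /* fields this template defines */
    const char *values[MAX_TEMPLATE_FIELDS];
} template_entry_t;

typedef struct {
    size_t field;         /* 0-based field index the rule inspects        */
    const char *pattern;  /* literal to compare, or "*" for a wildcard    */
} rule_t;

enum match_result { MATCH_NO = 0, MATCH_YES = 1, MATCH_OUT_OF_BOUNDS = -1 };

/* 'Before': the validator checks the template against its own limit, so a
 * 21-field template is accepted even though the interpreter has 20 slots. */
static bool validator_before(const template_entry_t *e) {
    return e->count <= VALIDATOR_FIELDS_BEFORE;
}

/* 'After': one limit, shared with the interpreter; 21 fields are rejected. */
static bool validator_after(const template_entry_t *e) {
    return e->count <= INTERPRETER_FIELDS;
}

/* A wildcard rule is satisfied without reading the field at all, which is
 * why test content using "*" in the 21st field never triggered the read. */
static bool rule_needs_value(const rule_t *r) {
    return strcmp(r->pattern, "*") != 0;
}

/* Would the unchecked interpreter have dereferenced a slot beyond its table?
 * This is exactly the case the missing non-wildcard test needed to cover.
 * (The real crash was that read; it is reported here, not performed.) */
static bool before_would_read_out_of_bounds(const rule_t *r) {
    return rule_needs_value(r) && r->field >= INTERPRETER_FIELDS;
}

/* Hardened interpreter: bounds-check the index against both the table size
 * and the entry's own field count before touching memory. */
static enum match_result interpret_after(const template_entry_t *e, const rule_t *r) {
    if (!rule_needs_value(r))
        return MATCH_YES;
    if (r->field >= INTERPRETER_FIELDS || r->field >= e->count)
        return MATCH_OUT_OF_BOUNDS;  /* refuse rather than read past the end */
    return strcmp(e->values[r->field], r->pattern) == 0 ? MATCH_YES : MATCH_NO;
}

/* Constructed sample entry with 'count' fields, each set to "value". */
static template_entry_t make_entry(size_t count) {
    template_entry_t e;
    memset(&e, 0, sizeof e);
    e.count = count;
    for (size_t i = 0; i < count && i < MAX_TEMPLATE_FIELDS; i++)
        e.values[i] = "value";
    return e;
}

int main(void) {
    template_entry_t e = make_entry(21);       /* first template to use field 20 */
    rule_t wildcard = { 20, "*" };
    rule_t literal  = { 20, "value" };

    printf("validator_before accepts 21 fields: %d\n", validator_before(&e));
    printf("validator_after  accepts 21 fields: %d\n", validator_after(&e));
    printf("wildcard rule on field 20 reads OOB: %d\n", before_would_read_out_of_bounds(&wildcard));
    printf("literal  rule on field 20 reads OOB: %d\n", before_would_read_out_of_bounds(&literal));
    printf("hardened interpreter, literal rule:  %d\n", interpret_after(&e, &literal));
    return 0;
}
```

The two defences are deliberately independent: deriving the validator’s limit from the interpreter’s capacity stops the bad template at the gate, while the runtime check in the interpreter protects against any future validator gap, so a test suite that includes a non-wildcard rule on the last field exercises both.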

The article CrowdStrike publishes a report on “Channel File 291” explaining the incident and the improvements introduced comes from il blog della sicurezza informatica.


The Privacy Post reshared this.

European Commission opposes amending GDPR, focusing on enforcement instead
poliverso.org/display/0477a01e…


European Commission opposes amending GDPR, focusing on enforcement instead


The European Commission does not plan to reopen the General Data Protection Regulation, instead focusing on enforcement, as privacy in the age of artificial intelligence is becoming increasingly controversial.


euractiv.com/section/data-priv…


The Privacy Post reshared this.

European Commission opposes amending GDPR, focusing on enforcement instead
euractiv.com/section/data-priv…
@privacy
The European Commission does not plan to reopen the General Data Protection Regulation, instead focusing on enforcement, as privacy in the age of artificial intelligence is becoming increasingly controversial.

The Privacy Post reshared this.

Digital Walls: Turkey tightens its grip on Instagram and VPN services
poliverso.org/display/0477a01e…


Digital Walls: Turkey tightens its grip on Instagram and VPN services

On 2 August, access to Instagram was blocked in Turkey, pushing residents and visitors to the country to begin using VPN services en masse to get around the block. However, the authorities quickly began restricting access to these services as well.

List of VPN services blocked in Türkiye: t.co/ttaery0W4m pic.twitter.com/OQHpGoHa5t
— EngelliWeb (@engelliweb) August 4, 2024 (x.com/engelliweb/status/182010…)

Turkish journalist and Free Web Turkey project coordinator Ali Safa Korkut explains that the current VPN-blocking situation is not new.

In December 2023, 16 major VPN services were blocked, including ProtonVPN, Surfshark, IPVanish and CyberGhost. Subsequently, at various times, access was restricted to another 11 VPN services.

Surfshark confirmed that its users in Turkey have experienced access difficulties since the end of last year. “Since Instagram was blocked, we have not noticed an increase in attempts to block our service, but we are monitoring the situation closely,” said Surfshark’s product manager.

Despite the blocks, users in Turkey continue to use some VPN services successfully, including, strangely, the blocked ones. Representatives of NordVPN, ExpressVPN, ProtonVPN, Surfshark and Private Internet Access reported a significant increase in traffic and user registrations from Turkey.

Those planning to visit Turkey are advised to download their chosen VPN application in advance to avoid access problems. Registering with several services at once will help bypass the blocks if one of the VPNs suddenly stops working.

Using Tor Browser can also help circumvent the restrictions, although connecting via Tor can be slow because of the multiple layers of traffic encryption. If your VPN app does not work, Korkut recommends changing your DNS settings to access Instagram.

The situation surrounding the blocking of social networks and VPN services in Turkey clearly illustrates the growing trend of restricting free access to information in many countries around the world. Such government actions are typically motivated by national security concerns or by control over the flow of information, but they invariably limit citizens’ rights to freedom of speech and to access to independent sources.

The article Digital Walls: Turkey tightens its grip on Instagram and VPN services comes from il blog della sicurezza informatica.


The Privacy Post reshared this.

Singapore’s PDP Week 2024: FPF highlights include a hands-on workshop on practical Generative AI governance and a panel on India’s DPDPA
fpf.org/blog/singapores-pdp-we…
@privacy
From July 15 to 18, 2024, the Future of Privacy Forum (FPF) participated in Personal Data Protection Week 2024 (PDP Week), an event organized and hosted by the Personal Data Protection

The Privacy Post reshared this.

Magnesium and Copper Makes an Emergency Flashlight
poliverso.org/display/0477a01e…


Magnesium and Copper Makes an Emergency Flashlight

Many of us store a flashlight around the house for use in emergency situations. Usually, regular alkaline batteries are fine for this task, as they’ll last a good few years, and you remember to swap them out from time to time. Alternatively, you can make one that lasts virtually indefinitely in storage, and uses some simple chemistry, as [JGJMatt] demonstrates.

The flashlight uses 3D printing to create a custom battery using magnesium and copper as the anode and cathode respectively. Copper tape is wound around a rectangular part to create several cathode plates, while magnesium ribbon is affixed to create the anodes. Cotton wool is then stuffed into the 3D-printed battery housing to serve as a storage medium for the electrolyte—in this case, plain tap water.

The custom battery is paired with a simple LED flashlight circuit in its own 3D-printed housing. The idea is that when a blackout strikes, you can assemble the LED flashlight with your custom battery, and then soak it in water. This will activate the battery, producing around 4.5 V and 20 mA to light the LED.

It’s by no means going to be a bright flashlight, and realistically, it’s probably less reliable than just keeping a regular battery-powered example around, particularly given the possibility of your homebrew battery corroding over the years unless it’s kept meticulously dry. But that’s not to say that water-activated batteries don’t have their applications, and anyway it’s a fun project that shows how simple batteries really are at their basic level. Consider it as a useful teaching project if you have children interested in science and electricity!


Ransomware attacks: Italy the most affected country in the EU, 4th in the world. When will there be an ad hoc law?


@Informatica (Italy e non Italy 😁)
There is a genuine ransomware emergency in Italy. According to data from the Agenzia per la Cybersicurezza Nazionale (ACN), our country was the most affected among European Union member states by ransomware attacks in the month of


Tulip is a Micropython Synth Workstation, in an ESP32

We’re not sure exactly what Tulip (github.com/shorepine/tulipcc) is, because it’s so many things all at once. It’s a music-making environment that’s programmable in Python, runs on your big computer or on an ESP32-S3, and comes complete with some nice-sounding synth engines, a sequencer, and a drum machine all built in. It’s like your dream late-1980s synthesizer workstation, but running on a dev board that you can get for a song.

And because Tulip is made of open-source software and hardware, you can extend the heck out of it. For instance, as demonstrated in this video by [Floyd Steinberg], you can turn it into a fully contained portable device by adding a touchscreen. That incarnation is available from Makerfabs, and it’s a bargain, especially considering that the developer [Brian Whitman] gets some of the proceeds. Or, because it’s written in portable Python, you can run it on your desktop computer for free.

The most interesting part of Tulip for us, as programmer-musicians, is that it boots up into a MicroPython REPL. This is a synth workstation with a command-line prompt as its primary interface. It has an always-running main loop, and you make music by writing functions that register as callbacks with the main loop. If you were fast, you could probably live-code up something pretty interesting. Or maybe it wants to be extended into a physical musical instrument by taking in triggers from the ESP32’s GPIOs? Oh, and did we mention it sends MIDI out just as happily as it takes it in? What can’t Tulip do?

We’ve seen some pretty neat minimalist music-making devices lately, but in a sense Tulip takes the cake: it’s almost entirely software. The various hardware incarnations are just possibilities, and because it’s all open and extremely portable, you can freely choose among them. We really like the design and sound of the AMY software synthesizer engine that powers Tulip, and we’re sure that more synthesizer models will be written for it. This is a music project that you want to keep your eyes on in the future.


NIS2: more cyber defences for Italy’s essential entities. The 7 new points of the Government’s decree


@Informatica (Italy e non Italy 😁)
The Government has transposed the European NIS2 Directive, which introduces measures for a common high level of cybersecurity across the European Union. From 18 October the obligations contained in the


Tech industry groups ask to extend deadline to contribute to general purpose AI Code of Practice


Big Tech industry groups say six weeks in the middle of summer are not enough time for them to offer views on a Code of Practice for general-purpose AI.


euractiv.com/section/digital/n…


For Microsoft employees in China, a shiny new iPhone! Android use banned

Microsoft has required its employees in China to use iPhones for authentication when logging into work computers from September this year. Android devices, on the other hand, will be banned.

According to Bloomberg, Microsoft recently sent an internal memo to its Chinese employees detailing a plan that will take effect in September 2024 and will require them to use Apple products.

The measure is part of Microsoft’s new Secure Future Initiative, created in response to numerous hacks and to a harsh US government report that highlighted the company’s inadequate cybersecurity practices.

According to Bloomberg, the ban on Android mobile devices will affect hundreds of employees in mainland China and is intended to encourage the use of the Microsoft Authenticator password manager and the Identity Pass app.

It should be noted that, unlike Apple’s App Store, the Google Play Store has long been unavailable in China, which forces local smartphone manufacturers (for example Huawei and Xiaomi) to use their own platforms. According to the memo, Microsoft decided to restrict such devices’ access to its corporate resources because of distrust of third-party platforms and the lack of Google services in China.

Employees currently using Android devices, including those made by Huawei or Xiaomi, will receive an iPhone 15, the memo says. Microsoft intends to distribute the iPhones across several branches throughout China, including Hong Kong, where Google services are available.

Recall that, also as part of the aforementioned Secure Future Initiative, the company committed to releasing cloud patches more quickly, improving the management of identity signing keys, and shipping software with a higher level of security by default.

The initiative was later expanded on the basis of the recommendations in the report by the Cybersecurity Review Board (CSRB) of the US Department of Homeland Security to include adding technical controls to reduce the risk of unauthorized access and lockout of corporate infrastructure.

Microsoft therefore plans to introduce modern identity-management standards, including hardware-protected key rotation and phishing-resistant multi-factor authentication for all accounts.

The article For Microsoft employees in China, a shiny new iPhone! Android use banned comes from il blog della sicurezza informatica.


Cyber Italy: collaboration protocol signed between ACN, PS and DNA

Rome – The Polizia di Stato, the Agenzia per la cybersicurezza nazionale and the Direzione Nazionale Antimafia e Antiterrorismo have signed a protocol for the exchange of information and best practices. The agreement aims to:

  • structure the flow of information between the parties following the recent legislative changes strengthening the cyber ecosystem;
  • contain and counter hostile cyber activities, with the aim of reconciling the needs of judicial investigation with those of operational resilience.

On the occasion of the signing, the Director General of the ACN, Bruno Frattasi, said: “This is a very important agreement for the Agency, which seals and strengthens institutional cooperation with the DNA and the specialist branch of the Polizia di Stato, for purposes that reconcile, in the balance intended by the legislator, the needs of justice with those of cyber resilience”.

In this regard, according to the monthly monitoring carried out by the ACN’s Computer Security Incident Response Team, CSIRT-It, in the month of June

  1. Italy was the 9th country in the EU by number of claimed DDoS attacks and 16th in the world. The most active groups were NoName057(16) and CyberArmyofRussia Reborn;
  2. the sectors with the highest number of events recorded in June 2024 were: central public administration, telecommunications and transport;
  3. Italy ranked 4th among the countries most affected by ransomware in the world in June 2024 (in May it was ninth) and 1st in the EU;

To carry out the resilience tasks entrusted to it by law, in July the ACN published:

Furthermore, also in July 2024, the Agency established ISAC Italia, the national centre for the analysis and sharing of cyber information, and launched a competition to strengthen its staff by hiring legal experts in cyber matters.

The article Cyber Italy: collaboration protocol signed between ACN, PS and DNA comes from il blog della sicurezza informatica.


A backdoor in browsers remained hidden for 18 years. Apple, Google and Mozilla rush to fix it

According to a study published on Wednesday, for the past 18 years the world’s major browsers have left open a backdoor that allowed hackers to penetrate the private networks of homes and companies.

Apple, Google and Mozilla are working to fix this vulnerability, which concerns how browsers handle requests to the IP address 0.0.0.0. Chrome, Safari and Firefox accept requests to 0.0.0.0 and redirect them to other IP addresses, including “localhost”, a server on a network or computer that is usually private and used for testing code. Researchers at the Israeli cybersecurity startup Oligo found that hackers exploited this vulnerability by sending malicious requests to their targets’ 0.0.0.0 IP address, allowing them to access data that should have remained sensitive. This type of attack has been named “0.0.0.0-day”.

In a typical attack, the attacker tricks the victim into visiting a website that looks harmless but sends a malicious request to access files via 0.0.0.0. Examples of such information include developer data and internal communications. Most importantly, however, a “0.0.0.0-day” attack gives the hacker access to the victim’s internal private network, opening up a wide range of possible attack vectors.

Such attacks can affect individuals and companies that host web servers, and a significant number of systems remain vulnerable. The researchers found that they could also run malicious code on a server using the Ray AI framework, which is used to train AI models by large companies such as Amazon and Intel. The problem is not limited to Ray: it affects any application that uses localhost and is reachable via 0.0.0.0.

Such attacks have already been recorded. In June this year, Google security developer David Adrian reported several cases of malware exploiting this vulnerability to attack certain development tools. Windows systems, however, are not affected by this vulnerability, since Microsoft blocks 0.0.0.0 in its operating system.

Apple has announced that it intends to block all attempts to access the IP address 0.0.0.0 in the next beta of macOS 15 Sequoia. This measure is meant to increase the operating system’s security.

Google’s Chromium and Chrome development teams also intend to implement a similar block in their browsers. However, there is no official comment from the company yet.

Mozilla, the maker of Firefox, has so far refrained from taking a similar decision. The reason lies in potential compatibility problems: some servers use the address 0.0.0.0 instead of localhost, and blocking it could break them.
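The server-side counterpart to the browser fixes discussed above, as an added example that is not from the article or from Oligo’s research: a local development service that refuses requests whose Host header is anything other than a loopback name (so a request addressed to 0.0.0.0 is rejected) and refuses cross-site requests identified by the Origin or Sec-Fetch-Site headers, rather than trusting a request merely because it arrived on loopback. The allowlists, port 8000 and the attacker.example origin are constructed for this example.

```python
"""Host/Origin validation for a local-only HTTP service (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hostnames a local tool expects to be addressed by; 0.0.0.0 is deliberately absent.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
# Pages allowed to call the service cross-origin (constructed: the tool's own UI).
ALLOWED_ORIGINS = {"http://localhost:8000", "http://127.0.0.1:8000"}


def _strip_port(host: str) -> str:
    """'[::1]:8000' -> '[::1]'; '127.0.0.1:8000' -> '127.0.0.1'."""
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def check_local_request(headers: dict) -> tuple:
    """Return (allowed, reason) for one request's headers (keys case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    host = _strip_port(h.get("host", "").strip().lower())
    if host not in ALLOWED_HOSTS:
        # Rejects 0.0.0.0 as well as any DNS-rebinding style hostname.
        return False, f"host not loopback: {host or '<missing>'}"
    if h.get("sec-fetch-site", "").lower() == "cross-site":
        return False, "cross-site fetch"
    origin = h.get("origin")
    if origin and origin != "null" and origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin}"
    return True, "ok"


# Constructed sample headers: a direct local request, and one triggered by a
# malicious page that addressed the service as 0.0.0.0.
LOCAL_REQUEST = {"Host": "127.0.0.1:8000", "Sec-Fetch-Site": "same-origin"}
ATTACK_REQUEST = {"Host": "0.0.0.0:8000", "Origin": "http://attacker.example",
                  "Sec-Fetch-Site": "cross-site"}


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies the check before serving anything."""

    def do_GET(self):
        ok, reason = check_local_request(dict(self.headers.items()))
        if not ok:
            self.send_error(403, reason)
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"local tool response\n")


if __name__ == "__main__":
    # Bind to loopback only: listening on 0.0.0.0 would expose the tool to the LAN too.
    HTTPServer(("127.0.0.1", 8000), GuardedHandler).serve_forever()
```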

These changes reflect the growing attention tech giants are paying to cybersecurity and the protection of user data.

The researchers believe the risk of leaving 0.0.0.0 open remains significant. In their view, allowing access to this IP address opens the door to a great deal of data that has long been locked away.

The researchers intend to present their findings at the DEF CON conference in Las Vegas this weekend.

The article A backdoor in browsers remained hidden for 18 years. Apple, Google and Mozilla rush to fix it comes from il blog della sicurezza informatica.

