thewayne: (Default)
I posted recently about Qualcomm buying Arduino, and sure enough, changes are happening and they are not being well received. Specifically, the terms of service agreement has a stipulation that you cannot reverse engineer certain parts of code supplied by Arduino/Qualcomm.

The issue being that formerly, before the Qualcomm acquisition, Arduino was open source. All of the code was free and open: you could read it, change it, fix errors and upload the fixes to the world. Well, now parts of the code are locked behind Qualcomm's corporate doors, never to be seen. Which is the antithesis of open source. And not in the least bit surprising.

Basically Qualcomm may make changes to the core OS that may break user code and libraries, and it may become impossible to debug. But I'm sure there will be a paid support tier that will route your tickets to "top experts".

Another change noted is that the "current terms say that users grant Arduino the:

non-exclusive, royalty free, transferable, sub-licensable, perpetual, irrevocable, to the maximum extent allowed by applicable law … right to use the Content published and/or updated on the Platform as well as to distribute, reproduce, modify, adapt, translate, publish and make publicly visible all material, including software, libraries, text contents, images, videos, comments, text, audio, software, libraries, or other data (collectively, “Content”) that User publishes, uploads, or otherwise makes available to Arduino throughout the world using any means and for any purpose, including the use of any username or nickname specified in relation to the Content."
So any code that you write and upload to Ardcom, or should it be Quadrino, can be taken by them and monetized with nothing going back to you - pure profit for Qualcomm.

I can see the OS getting forked really soon, and as long as the forked OS works on the Arduino hardware, people ignoring the Qualcomm version of the software. And if Qualcomm does something like putting certificates into the hardware and forcing people into their OS, people will be dropping it at a phenomenal rate.

https://arstechnica.com/gadgets/2025/11/arduinos-new-terms-of-service-worries-hobbyists-ahead-of-qualcomm-acquisition/

https://hardware.slashdot.org/story/25/11/24/2144256/arduinos-new-terms-of-service-worries-hobbyists-ahead-of-qualcomm-acquisition
thewayne: (Default)
As an extremely brief backgrounder, both the Raspberry Pi and Arduino are fundamentally microcontrollers, single-board computers programmed to control processes or other devices. As a basic example, an industrial robot, a home security system, etc. They have astounding capability limited by your imagination and programming/electronics skills.

First, the good news.

The Raspberry Pi people have released a new Pi 500+ with a redesigned Pi in a keyboard with mechanical switches for $200! The Pi board is of a new design with "...16GB of RAM instead of 8GB, a 256GB NVMe SSD instead of microSD storage, and a fancier keyboard with mechanical switches, replaceable keycaps, and individually programmable RGB LEDs." Like all Pis, it runs their version of Linux by default, though other versions of Linux can be booted on it.

This is VERY cool! The SSD can be swapped for higher capacity devices, and it can still be booted from MicroSD cards.

It also sports "... integrated 802.11ac Wi-Fi and Bluetooth 5.0 connectivity, two USB 3.0 ports, one USB 2.0 port, two micro HDMI ports that support 60 Hz 4K output, a microSD slot, and a user-accessible 40-pin GPIO header for additional expandability."

Here's the best part: TWO HUNDRED DOLLARS! An absolutely screaming deal for a full-on hobbyist computer that is also fully-expandable for a controller system to do whatever the heck you want to do with it!

I am definitely going to get me one of these puppies. I was interested in the relaunch of the Commodore 64, but then I started thinking about whether or not I wanted to bother with programming in Basic, and the answer to that was a solid NO. But this? I can have some fun with this! Now, if the Commodore people succeed in launching an Amiga - that's a different story! Time will tell if that happens.

https://arstechnica.com/gadgets/2025/09/raspberry-pi-supercharges-its-keyboard-pc-with-16gb-ram-ssd-mechanical-switches/


Now the bad news.

Qualcomm is buying Arduino.

They claim that they are keeping a hands-off approach; we shall see if that stays true. They completely burned all faith and goodwill of the VMware customer base in that particular acquisition, and already Arduino hobbyists are looking to new platforms and clones to move away from Arduino-branded microcontrollers in anticipation of what they think is likely to happen.

While the obvious jump would be to Raspberry Pi since they're both microcontrollers, the two platforms are apples and oranges and a lot of Arduino projects are not correctly served by trying to port over to Pi. Those people are likely in for a more difficult time if they want to move to a different hardware platform. Some people can move their projects over to Pi with some work, and good for them.

And it's not just hobbyists using these controllers, for some people it's their profession and livelihood. If Qualcomm starts jerking them around, then they may have the unhappy prospect of making a business case to management to change vendors and possibly controllers. If their use is strictly in-house, that's one thing. If they're selling products using these controllers, it's quite another.

From one angle, it's not a bad acquisition for Qualcomm as they already make the CPUs for Arduino. And clearly the Arduino company folk benefit by getting many very large buckets of cash. The question will be in how well Qualcomm treats the customer base, and considering how they treated the VMware folks over the last couple of years....

Time will tell.

From the Slashdot summary:
Smartphone processor and modem maker Qualcomm is acquiring Arduino, the Italian company known mainly for its open source ecosystem of microcontrollers and the software that makes them function. In its announcement, Qualcomm said that Arduino would "[retain] its brand and mission," including its "open source ethos" and "support for multiple silicon vendors." Qualcomm didn't disclose what it would pay to acquire Arduino. The acquisition also needs to be approved by regulators "and other customary closing conditions."

The first fruit of this pending acquisition will be the Arduino Uno Q, a Qualcomm-based single-board computer with a Qualcomm Dragonwing QRB2210 processor installed. The QRB2210 includes a quad-core Arm Cortex-A53 CPU and a Qualcomm Adreno 702 GPU, plus Wi-Fi and Bluetooth connectivity, and combines that with a real-time microcontroller "to bridge high-performance computing with real-time control."


https://arstechnica.com/gadgets/2025/10/arduino-retains-its-brand-and-mission-following-acquisition-by-qualcomm/

https://slashdot.org/story/25/10/07/2032219/qualcomm-is-buying-arduino-releases-new-raspberry-pi-esque-arduino-board
thewayne: (Default)
The article is sadly lacking in details, but this developer, "Nyan Satan" (his YouTube channel name), convinced an Apple $50 Lightning to HDMI adapter cable to run Doom! And at least he made a video demo of it running.

The adaptation of the Lightning protocol to the HDMI protocol requires more than a bit of work. The cable contains a microprocessor with a very scaled-down version of Apple's iPhone operating system, iOS. And Nyan got into the CPU and convinced it to dance to his tune!

Now, here's the interesting bit: that cable adapter's CPU has more processing power than most of the PCs that we were running back in the '90s when Doom was released!



https://it.slashdot.org/story/25/02/05/1314221/developer-runs-doom-on-50-apple-lightning-to-hdmi-adapter
thewayne: (Default)
Well. This is a bit involved.

Last year it was detected that the Chinese had infiltrated at least nine major American telecommunications companies, including Verizon and AT&T. It was so bad that the FBI was telling government workers to not use secure messaging apps and phones and email, and to talk to people face to face instead.

The root cause of the problem goes back to the 1990s.

You may remember some controversy back then regarding something called the Clipper Chip. Basically the government wanted to require this chip to be installed in every piece of secure communications equipment as it provided a key escrow system. You could do secure communications between yourself and other people, but because the government held a middle key, that key could be deployed to intercept your communications without your knowledge.

There was an immediate uproar that any backdoor installed inside secure communications devices would ultimately be compromised by either nation state actors or by criminals, and security would be lost. Not to mention no guarantees that the government itself would respect our privacy.

The Clipper Chip was revealed in 1993 and was pretty much dead by '96. When the escrow algorithms were released later, they were found to be significantly flawed.

Well, that didn't stop the government from requiring key escrow, only this time it wasn't in hardware, and it was at the telecom provider level.

And it was hacked by the Chinese. And we don't know for how long.

The Department of Homeland Security created an advisory board to investigate these events, consisting of internal DHS employees and also external industry experts. Their job was to find out how the Chinese got in, how to stop them, how to harden our systems to prevent re-infiltration.

And care to guess what happened today?

The new administration fired all the external industry experts and effectively ended the investigation.

And by the way, there's plenty of evidence that the Chinese are still inside all of our major telecom providers, running amok. They accessed call log metadata from both the Harris and Republican Presidential campaigns.

So apparently not only are we likely to launch a tariff war against China, we're going to let them trash our IT infrastructure while we're doing it? Makes sense to me!

https://arstechnica.com/tech-policy/2025/01/trump-admin-fires-homeland-security-advisory-boards-blaming-agendas/
thewayne: (Default)
The game was released 32 years ago, and inspired by someone figuring out how to play Tetris in a PDF, someone known only by their GitHub alias worked out how to make Doom playable in said PDF! It has a refresh rate of 32 ms and is in glorious 6-bit monochrome, but you can actually play Knee-Deep In The Dead in a PDF!

While completely silly, this is quite awesome! People have figured out how to hack refrigerators, washing machines, coffee makers, and all sorts of things to play Doom. If it has an LCD screen of some sort, it either has Doom running on it somewhere, or someone is working on it.

https://www.theregister.com/2025/01/14/doom_delivered_in_a_pdf/
thewayne: (Default)
The attack was launched by ALPHV, a gang that was hit in December by the FBI and other government agencies in Europe and around the world. They thought they had clobbered them good, seizing servers, shutting down chat rooms, etc. Arrests were made. But they popped up again later and clearly are still effective. They also told their affiliates to hit as much American infrastructure as they wanted in retaliation for the FBI take-down.

This particular hit, two weeks ago, nailed Change Health, part of United HealthCare. They route pharmacy billing to various insurance carriers when you pick up meds. Take out Change, and it's hard to pay for your meds! Some pharmacies can switch to alternatives, others find that a lot harder to do. Some pharmacies offered customers the cash price for meds, others told people they'd have to pay the full price and seek reimbursement from their insurance on their own. And Change Health also handles coupon processing, which was also a no-go.

A great big mess that was ultimately fixed, but a good demonstration of how sensitive our infrastructure is to cyberattack.

https://www.msn.com/en-us/news/us/us-prescription-drug-market-in-disarray-as-ransomware-gang-attacks/ar-BB1jaAe9
thewayne: (Default)
Citrix is a major player in the computer networking equipment market. And they had a major, sorry, MAJOR software flaw back in October that was exploited bigly. They patched it and announced the patch as fast as they could, and their customers patched as fast as they could.

Which brings us to Xfinity.

From the article: "Citrix disclosed the vulnerability and issued a patch on October 10. Eight days later, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the name Citrix Bleed, had been under active exploitation since August. Comcast didn’t patch its network until October 23, 13 days after a patch became available and five days after the report of the in-the-wild attacks exploiting it."

Ruh-roh!

Two weeks is far too long for a vulnerability that big to go unpatched. Care to guess what happened? Oh, I forgot. It was in this post's subject line.

To continue the article: "“However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” an accompanying notice stated. “We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”

Comcast is still investigating precisely what data the attackers obtained. So far, Monday’s disclosure said, information known to have been taken includes usernames and hashed passwords, names, contact information, the last four digits of social security numbers, dates of birth, and/or secret questions and answers. Xfinity is Comcast’s cable television and Internet division."


Yeah. Free credit monitoring? Thoughts and prayers? There needs to be some executive job loss and demotions. But as this is Comcast, nothing will change.

Completely inexcusable.

Back in the '90s, when the I Love You email virus hit, I learned about it at about 7:15 or so in the morning. We literally unplugged our firewall from the internet as there was no patch for it at the moment. And we had no problems. You can't let shit like this go unchecked, or things like this happen.

https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/
thewayne: (Default)
This is very bad.

SSH is one of the fundamental underpinnings that make the internet and World Wide Web secure. Well, we now know that it has some serious weaknesses.

What it boils down to is compatibility. There's lots of ways to implement SSH. Think of them as a whole bunch of switches, and each switch is a different implementation. Some are strong, some are not. They're all out there so that if I use Switch A and you use Switch B, we can still talk. Very convenient, but also a bit problematic. What happens if Switch C has some weaknesses to it?

The problem is that in lots of SSH implementations, Switch C is left turned on for ease of compatibility. And unless people know and specifically turn Switch C off, and all the other known weak switches off, then there are exploitable weaknesses.

The bad news? LOTS of systems are vulnerable. From the article: "A scan performed by the researchers found that 77 percent of SSH servers exposed to the Internet support at least one of the vulnerable encryption modes, while 57 percent of them list a vulnerable encryption mode as the preferred choice."

77% support a vulnerable mode and 57% PREFER IT? YIKES!

The good news is that it requires a man-in-the-middle (MITM) attack, and those are not easy to carry out - but they can be done. The even better news is that the security researchers have released a scanner to let server administrators know if they are vulnerable. Some SSH packages have been patched to fix this issue, others I'm sure are in process. But there is also a likelihood that some implementations are not, or that some servers are not being updated for various reasons and will continue to be vulnerable.

I don't think this represents much of a problem for users, so much as for network administrators. Unless you're a very valuable person and likely to be targeted by hackers or world powers, the kind of resources it takes to pull this off are not likely to be aimed at you. As I said, MITM attacks are not easy to pull off, and if you're not Pentagon R&D level sort of stuff, you're probably safe. But I expect Apple and Microsoft and the various Linux distros will be patching their SSH bundles to make sure everything is good in the very near future, just to make sure.
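To make the "switches" concrete, here is an added example (mine, not from the post or the article) of how SSH picks a cipher: the first entry in the client's preference list that the server also offers wins, so a server that still lists a weak mode will happily end up in it. The weak modes are an assumption for this example, taken from the linked research (ChaCha20-Poly1305, and CBC ciphers paired with an encrypt-then-MAC MAC); the client and server lists are constructed, not scan data.

```python
"""SSH cipher/MAC negotiation and the 'supports vs prefers a weak mode' statistic."""
from typing import List, Optional, Tuple

# Assumption for this example: the weak "switches" named by the linked research.
CHACHA = "chacha20-poly1305@openssh.com"
CBC_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"}


def is_etm(mac: str) -> bool:
    """Encrypt-then-MAC variants carry the -etm@openssh.com suffix."""
    return mac.endswith("-etm@openssh.com")


def mode_is_vulnerable(cipher: str, mac: str) -> bool:
    """True if this cipher/MAC pairing is one of the weak modes."""
    if cipher == CHACHA:
        return True  # AEAD cipher; the MAC list is ignored for it
    return cipher in CBC_CIPHERS and is_etm(mac)


def negotiate(client_prefs: List[str], server_prefs: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: pick the first client-listed algorithm the server
    also lists. None means no overlap (the connection would fail)."""
    offered = set(server_prefs)
    return next((alg for alg in client_prefs if alg in offered), None)


def negotiate_session(client, server) -> Tuple[str, str, bool]:
    """client/server are (cipher list, MAC list). Returns (cipher, mac, weak?)."""
    cipher = negotiate(client[0], server[0])
    mac = negotiate(client[1], server[1])
    if cipher is None or mac is None:
        raise ValueError("no common cipher or MAC")
    return cipher, mac, mode_is_vulnerable(cipher, mac)


def survey(servers) -> Tuple[float, float]:
    """Percentage of servers that (a) support at least one weak mode and
    (b) list a weak mode first, i.e. the article's 77% / 57% style figures."""
    supports = prefers = 0
    for ciphers, macs in servers:
        if any(mode_is_vulnerable(c, m) for c in ciphers for m in macs):
            supports += 1
        if mode_is_vulnerable(ciphers[0], macs[0]):
            prefers += 1
    return 100 * supports / len(servers), 100 * prefers / len(servers)


# Constructed sample lists (not real defaults or scan results).
CLIENT = (
    [CHACHA, "aes128-ctr", "aes256-gcm@openssh.com"],
    ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)
DEFAULT_SERVER = (  # "Switch C" still on: weak mode listed, and listed first
    [CHACHA, "aes256-gcm@openssh.com", "aes128-ctr", "aes256-cbc"],
    ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)
HARDENED_SERVER = (  # weak switches off: no ChaCha20, no CBC; -etm is fine with CTR/GCM
    ["aes256-gcm@openssh.com", "aes128-ctr"],
    ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)
SAMPLE_SERVERS = [
    DEFAULT_SERVER,
    HARDENED_SERVER,
    (["aes128-ctr", CHACHA], ["hmac-sha2-256"]),                  # supports, does not prefer
    (["aes256-cbc", "aes128-ctr"], ["hmac-sha1-etm@openssh.com"]),  # prefers CBC + etm
    (["aes256-cbc"], ["hmac-sha1"]),                              # CBC without etm
]

if __name__ == "__main__":
    for name, srv in (("default", DEFAULT_SERVER), ("hardened", HARDENED_SERVER)):
        print(name, negotiate_session(CLIENT, srv))
    print("supports %.0f%%, prefers %.0f%%" % survey(SAMPLE_SERVERS))
```

Note that the same client lands in the weak mode against the default server and in a safe one against the hardened server without any change on the client side, which is why the fix belongs on the server's list.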

Warning about the article: it gets REALLY deep into the SSH weeds, so don't bother with it if you're not already wise to the subject.

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
thewayne: (Default)
In October, the gene testing company got hacked. The information on 7,000,000 customers was compromised. From the article, the information compromised includes: "photos, full names, geographical location, information related to ancestry trees, and even names of related family members. The company said that no genetic material or DNA records were exposed. Days after that attack, the hackers put up profiles of hundreds of thousands of Ashkenazi Jews and Chinese people for sale on the internet."

Of course, lawsuits started popping up immediately. Back to the article: "multiple class action claims” have already been against the company in both federal and state court in California and state court in Illinois, as well as in Canadian courts." No surprise there.

Here's the surprise.

23andMe sent out an update to its terms of service to all customers. Okay, that's not new, companies do it all the time and usually we ignore them. These were a bit different. Just a wee bit.

First off, unless you notified them in writing within 30 days, you automatically agreed to them.

Second, by agreeing to them, you relinquished your right to participate in class action claims.

GEE, ISN'T THAT SPECIAL?! Company gets hacked, then screws over their customers to try to prevent them from suing the company. Pretty clever. One law professor said that the change in the user agreement would not be enough to prevent claims, but the article did not go into any detail of the reasoning behind the statement. Perhaps some ex post facto going on there?

Myself, while I have had genetic testing performed, it was purely in a medical context and theoretically my genes have never been shared with companies like this. They are far too liberal with sharing their information and with letting law enforcement stroll through their data.

https://www.engadget.com/23andme-frantically-changed-its-terms-of-service-to-prevent-hacked-customers-from-suing-152434306.html
thewayne: (Default)
The intruders, most likely the Chinese government considering the targets and sophistication, did quite an amazing job.

They did a very clever thing. As they were undetected for quite some time, they embedded a persistent re-entry code. They slid some auto-executing malware into a configuration backup, so that when the sysadmins of a site backed up their Barracuda configuration in the event of a future restore, they backed up the code that hacked them! Then when it was reported that their email firewalls had been compromised, they wiped them out or replaced them, then restored their backups, thus - in some cases - reinfecting them!

It wasn't an across-the-board reinfection: since the intruders knew where they 'were', they were able to pick the highest-value targets to return to, and those were the ones they launched this scheme against.

As a retired system administrator and former Cisco certified geek, let me explain this a little more. I have experience configuring routers and firewalls, and whenever you configure one of these or make a change, you back up or export the configuration from the device to your network somewhere. This way, if that device crashes or resets hard or goes up in flames or is stolen, you've got a fallback point. And in this case, if you were at one of these high-value targets, you just backed up the malware package that restores the compromise. It's pretty easy to restore that config file and get your router or firewall back and running. The thing is, these configurations can get scary complicated, especially on a border router (the border between your internal network and the external internet). You don't want to have to recreate that from scratch. And while I've never worked with an email security device like a Barracuda, I can easily imagine its configuration is far from trivial. The smart thing to do would be to have a printout of the configuration and to be able to key it in manually or verify that your restore recreated what that hardcopy reads as, but I'll bet 99%+ of installations don't do that. The main reason being that you'd have two people trying to double-check probably thousands of lines of code, making sure they line up. Assuming they can find the latest copy. A tedious, thankless, and possibly impossible task. And that device is down while they're doing it.
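The "compare the restore against the hardcopy" check above is the part nobody does by hand, so here is an added example (mine, not from the post or Barracuda) of automating it: a config backup is normalised, fingerprinted, and diffed against a reviewed baseline, and any line the baseline never had is flagged for a human before the file is restored. The config format and the injected line are constructed placeholders, not a real appliance export.

```python
"""Gate a config restore on a diff against a trusted, previously reviewed baseline."""
import hashlib
from typing import Dict, List, Optional, Tuple


def normalise(text: str) -> List[str]:
    """Drop blanks and comments and collapse whitespace, so cosmetic edits do not
    hide (or fake) a real change. Comments are dropped deliberately: a line that
    only looks like a comment never reaches the device's parser."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        out.append(" ".join(line.split()))
    return out


def fingerprint(lines: List[str]) -> str:
    """Stable hash of the normalised config; store this with the reviewed baseline."""
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


def compare(baseline_text: str, backup_text: str) -> Dict[str, List[str]]:
    """Lines present in the backup but not the baseline ('added') and vice versa."""
    base, backup = normalise(baseline_text), normalise(backup_text)
    base_set, backup_set = set(base), set(backup)
    return {
        "added": [line for line in backup if line not in base_set],
        "removed": [line for line in base if line not in backup_set],
    }


def safe_to_restore(baseline_text: str, backup_text: str,
                    trusted_hash: Optional[str] = None) -> Tuple[bool, Dict]:
    """Allow the restore only if the backup matches the reviewed baseline exactly
    (by hash when one is recorded, otherwise by diff). Anything else goes to a human."""
    backup_lines = normalise(backup_text)
    report: Dict = {"fingerprint": fingerprint(backup_lines)}
    if trusted_hash is not None and report["fingerprint"] == trusted_hash:
        report["diff"] = {"added": [], "removed": []}
        return True, report
    report["diff"] = compare(baseline_text, backup_text)
    ok = not report["diff"]["added"] and not report["diff"]["removed"]
    return ok, report


# Constructed sample config (loosely keyed like an appliance export; not Barracuda's format).
BASELINE = """
# reviewed baseline, kept offline with its hash
hostname = mail-fw-01
domain = example.com
admin_timeout = 15
smtp_relay = allow 192.0.2.0/24
tls_min_version = 1.2
"""

# Same settings with cosmetic spacing changes plus one entry the baseline never had.
# The extra line is a placeholder standing in for the injected re-entry code.
BACKUP = """
hostname = mail-fw-01
domain   =   example.com
admin_timeout = 15
smtp_relay = allow 192.0.2.0/24
tls_min_version = 1.2
boot_script = PLACEHOLDER_NOT_IN_BASELINE
"""

if __name__ == "__main__":
    ok, report = safe_to_restore(BASELINE, BACKUP)
    print("restore allowed:", ok)
    for line in report["diff"]["added"]:
        print("  unreviewed line in backup:", line)
```

A backup that only reformats existing lines passes; one that adds a single line does not, and that single line is exactly what the two-person printout check was meant to catch.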

https://arstechnica.com/security/2023/08/barracuda-thought-it-drove-0-day-hackers-out-of-customers-networks-it-was-wrong/
thewayne: (Default)
Polish spyware maker LetMeSpy made Android spyware that gave the installer pretty much a full copy of what was going on with the target phone: copies of text messages, call logs, real-time location data. It did require password access to the phone, and the software was almost impossible to detect and remove because there was no visible home screen icon.

They were hacked a couple of months ago, and the hackers - after removing the database containing the data the company had stolen - trashed their servers. LetMeSpy has thrown in the towel and is ceasing operations as of the end of the month.

Another interesting bit from the article: "A copy of the database was obtained by nonprofit transparency collective DDoSecrets, which indexes leaked datasets in the public interest, and shared with TechCrunch for analysis. The data showed that LetMeSpy, until recently, had been used to steal data from more than 13,000 compromised Android devices worldwide, though LetMeSpy’s website claimed prior to the breach that it controlled more than 236,000 devices."

I'm guessing either they did not have good backups of their operational and development data, or the PR light is too bright for them. Regardless, good riddance to bad rubbish.

This is the second spyware company that has shut down after reporting by TechCrunch!

https://techcrunch.com/2023/08/05/letmespy-spyware-shuts-down-wiped-server/

https://it.slashdot.org/story/23/08/07/2036229/spyware-maker-letmespy-shuts-down-after-hacker-deletes-server-data


I prefer iPhones over Android, and this is one reason. While they are not impervious to spyware, it's much harder for such software to take root. Not that I'm terribly concerned about being a target for such.
thewayne: (Default)
Tesla is a sponsor this year and gamely threw their hat/car into the ring. And were hacked twice by the same team of security researchers.

The first hack involved the charging system, and enabled them to open the doors and the frunk (front trunk). They were awarded the car for this particular hack. The second hack was through the infotainment system. Either hack was enough to render the car unsafe.

One of the key elements of this competition is the teams reveal all their hacking techniques for this attack to the system owners so they can improve the security of their systems. And the teams are pretty well compensated for their work.

This is nothing new with Tesla, their cars have been hacked before, and I just posted the article about the two guys parking side by side and driving away with each other's cars.

https://gizmodo.com/tesla-hack-hackers-model-3-elon-musk-hackathon-1850263319
thewayne: (Default)
Remember that Violence As A Service article that I posted a while back? This is a direct offshoot of that. One of these stains is a "L337 hax0r" who stole over $300,000 in cryptocurrency via cell phone SIM swapping. These twits would hack Yahoo Mail accounts, then see if that same password would unlock a Ring account. If it did, they were gold - goes to show that it's important to use different passwords for different accounts, especially important ones, and critical when privacy issues are at stake!

Then these stains would SWAT the victims, recording and live-streaming the victims. Fortunately no physical injuries were reported from the incidents, though emotional trauma I'm sure was received.

Have fun in prison, ass-wipes!

https://krebsonsecurity.com/2022/12/hacked-ring-cams-used-to-record-swatting-victims/
thewayne: (Default)
Packt Publishing is running a sale - their ENTIRE inventory of ebooks and videos is $5 per item! Books ranging from $20 on up, only $5! I don't know how long the sale will be running, but it is one heck of a deal.

Packt also has a Book of the Day. Sign up for their mailing list, check the web site daily, and you can bind it to your library and read it anytime you like online. Good way to expand your library in subjects that may be on the periphery of your field but not really core to what you're doing that you might want to dig in to sometime.

https://subscription.packtpub.com/search?utm_source=all%20updates&utm_campaign=2a15eb6572-dollar_5_bestseller_programming_15_12_22


In other CS book news, Humble Bundle has several programming-related books up.

An O'Reilly bundle went up, launched a day or two ago, on "Gift for the technically inclined". 17 days remaining.
https://www.humblebundle.com/books/gifts-for-technically-inclined-oreilly-2022-books

A Wiley Cybersecurity bundle, lots of stuff on pen testing, crypto - both currencies and graphy, etc. 15 days left.
https://www.humblebundle.com/books/holiday-encore-become-cybersecurity-expert-wiley-books

Functional Programming by the Pragmatic Programmers: stuff for Scala, Kotlin, Elm, Elixir, etc. 10 days remaining.
https://www.humblebundle.com/books/functional-programming-pragmatic-programmers-books

And three days left on a No Starch Press bundle on Hacking. I do like No Starch, good people.
https://www.humblebundle.com/books/hacking-no-starch-press-books-2022
thewayne: (Default)
The group, Cyber Partisans, made the following demands on Twitter:

We have encryption keys, and we are ready to return Belarusian Railroad's systems to normal mode. Our conditions:
🔺 Release of the 50 political prisoners who are most in need of medical assistance.
🔺Preventing the presence of Russian troops on the territory of #Belarus.


Belarus borders Ukraine and is "undergoing joint military exercises with Russia", i.e. Russian troops are swarming through the country, staging and ready to invade Ukraine at a moment's notice. The Cyber Partisans have thrown quite a monkey wrench into those plans by completely disabling the rail network!

In addition to encrypting the system's servers, they destroyed all the backups, which I guess were stored in a SAN online. Bad design there, fellas! The Partisans said that the network had many entry points and was poorly isolated from the internet.

Sometimes hacktivists do a good job! I hope these people practice amazingly good operational security (OpSec), because if Putin or Lukashenko find them, they are dead.

https://arstechnica.com/information-technology/2022/01/hactivists-say-they-hacked-belarus-rail-system-to-stop-russian-military-buildup/
thewayne: (Default)
Normally the rule is that as long as you're based in Russia and you don't attack Russia or most Eastern European countries, you're good. So what exactly happened here?

The Russian Federal Security Service (FSB) said today that it has raided and shut down the operations of the REvil ransomware gang. Raids were conducted today at 25 residences owned by 14 members suspected to be part of the REvil team across Moscow, St. Petersburg, Leningrad, and the Lipetsk regions. Authorities said they seized more than 426 million rubles, $600,000, and 500,000 euro in cash, along with cryptocurrency wallets, computers, and 20 expensive cars. The REvil gang is responsible for ransomware attacks against Apple supplier Quanta, Kaseya, and JBS Foods.

Apparently American and other country's pressure on Russia produced some results, at last! If this were a movie, Jason Bourne (or equivalent) would be sneaking into Russian hacker farms and wiping them out with a silenced pistol, but we don't do things like that. It will be interesting to see how these prosecutions and prison sentences play out.

https://therecord.media/fsb-raids-revil-ransomware-gang-members/

https://it.slashdot.org/story/22/01/14/154259/fsb-arrests-14-members-of-revil-ransomware-gang
thewayne: (Default)
The U.S. government is offering up to a $10,000,000 reward for info leading to the arrest of key members of the group! $5mil for affiliate members!

Recently a member was arrested in Poland and $6mil of cryptocurrency was recovered. He's in prison awaiting extradition to the USA!

The wheels of justice may grind slowly, but they grind exceedingly fine.

Krebs is learning that it seems any organization that is ten years old starts getting really lax about their internal cybersecurity. These guys were brought down because they didn't compartmentalize their hacker identities from their social media identities. People linked them, reported them to the authorities, and now they're behind bars!

https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/
thewayne: (Default)
Amazing stuff. The Bahrain gov't bought a hack that allows them to send a text message to an iPhone owned by a journalist, anti-government protester, cheating mistress, whoever, and the phone is compromised. You don't have to click on a link, open a document, play a video. No interaction whatsoever. Receive the message, and your phone is rooted.

They probably paid a few million bucks for it, but they're the Bahrain government - what do they care for such a tool?

Apple has been fighting these zero-click attacks and instituted a good defense, but this latest one blasts right through it. The problem is that "we" (not me) want emojis, embedded videos, photos, etc. and that requires access deeper into the phone's infrastructure, and that all by definition makes things more vulnerable. If the app only allowed messages without any frills to be sent back and forth, and you had to use emails to attach the fun stuff, then the Messages app could be completely secure. But where would be the fun in that?!

So Apple gets to play an on-going game of whack-a-mole.

They're releasing a new version of iOS, 15, probably in October, which should increase security, but that security will certainly be broken at some point and the whack-a-mole will resume.

Myself, Apple occasionally ticks me off with changes to iOS. For example, I think it was when 11 was released, they broke their podcast player, and I foolishly updated my phone literally the day I was to drive to Phoenix, a nice long 500 mile drive. The break? Let's say you want to listen to four or five Wait Wait Don't Tell Me episodes. You play the oldest and the next one automatically starts. Except the program broke and it wouldn't start the next, so you're zipping down the interstate at 75 MPH and have to fumble with your phone to start it. How the hell did this not turn up in testing?

So on occasion I think about buying a flip phone that has a 4G hotspot, plus an iPod Touch to hold all my apps, music and podcasts, and data stores and go back to something resembling the late '90s.

https://www.wired.com/story/apple-imessage-zero-click-hacks/
thewayne: (Default)
There is a critical security bug that was discovered late yesterday called PrintNightmare in Windows' print spooler. It affects ALL versions of Windows!

Let me repeat that.

EVERY. FREAKING. VERSION. OF. WINDOWS.

Not just Windows 10.

Server.

7.

Vista.

And on down the line.

It allows the remote creation of privileged accounts, so even if you're not running as an admin user, the villains can create an admin account on your system.

If you're running Windows 10, there's a patch, and you should apply it toot sweet. If you're running an older version of Windows, there will be a patch soon; they're working on them. There is a stop-gap measure: disable the Print Spooler. You won't be able to print remotely, but you also won't be able to be compromised.

Read the comments on Krebs' post: since the patch was rushed out, it may be buggy. You might want to just disable the Print Spooler for now until a better patch can be created.
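One way to check a machine and apply the stop-gap described above, as an added example that is not code from the Krebs or Gizmodo articles. It assumes an elevated (Run as administrator) Windows PowerShell session on the machine being checked; the shared-printer check is there because disabling the spooler on a print server breaks printing for everyone who uses it.

```powershell
# Added example (not from the linked articles). Assumes an elevated
# Windows PowerShell session on the machine being checked.

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    # Shared printers mean this machine is a print server for others;
    # disabling the spooler here stops printing for all of its clients.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    [pscustomobject]@{
        Status         = $svc.Status
        StartType      = $svc.StartType
        SharedPrinters = $shared.Count
        # A running spooler is the exposed state while the box is unpatched.
        Exposed        = ($svc.Status -eq 'Running')
    }
}

function Disable-SpoolerStopGap {
    # Stop the service now and keep it from coming back after a reboot.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    # Verify both halves; a stopped-but-Automatic spooler returns on reboot.
    $svc = Get-Service -Name Spooler
    if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
        throw "Print Spooler is still $($svc.Status) / $($svc.StartType)"
    }
}

function Enable-SpoolerAgain {
    # Undo the stop-gap once the patched build is installed and verified.
    Set-Service -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
}

$state = Get-SpoolerExposure
$state | Format-List
if ($state.Exposed -and $state.SharedPrinters -eq 0) {
    Disable-SpoolerStopGap
} elseif ($state.Exposed) {
    Write-Warning "Spooler is running with $($state.SharedPrinters) shared printer(s); disabling it here will break printing for clients"
}
```

Run Enable-SpoolerAgain only after the fixed build is installed; until then, leave the service disabled rather than merely stopped.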

https://krebsonsecurity.com/2021/07/microsoft-issues-emergency-patch-for-windows-flaw/

https://gizmodo.com/printnightmare-windows-users-need-to-install-this-emer-1847243126
thewayne: (Default)
Interesting stuff. It might have been hack squad versus hack squad warfare!

There were two flaws present in the code on the WD drives. Now, keep in mind that the drive must have a CPU and an operating system to serve up files on the internet: it has to be an intelligent device. And what does this mean for hack squads? BOTNET! As I said, there were two exploits in the OS on the wiped drives, either one was sufficient to compromise the drive and make it a slave for the botnet, which means drives were probably subservient for several years.

Now, here's the sad bit. One of the flaws in the code was particularly tragic: it had the code to enforce a strong password, and for reasons unknown - it was commented out. Completely nullified. So if you were able to get in and study this code, it was trivial to access full admin privileges on the drive. And all you needed to do was network map to find these drives as they had to be publicly accessible to fulfill their role as storage available across the internet.

It turns out you only need one of these exploits to seize control of the drive, not both.

So why would you need access to both?

Back to the second flaw. There is a rumor going 'round that another gang wanted a piece of this WD drive botnet army. They couldn't get access to it, but they could screw over the first gang. So they launched an attack via the second flaw and did a reset on all the drives to deny the first gang access to their botnet army.

It is a theory that has popped up, a possible explanation for why the second hole was exploited by different IP addresses than the first hole.


There's some deeper bad news.

There's a White Hat hacking contest called Pwn2Own, where good guy hackers try to crack the latest in hardware and software, and if they are the first among the competing groups to succeed, they get the hardware and a cash prize. As part of the contest terms, they turn over their exploits to the companies involved so they can toughen their systems. A group was going to go to Japan a couple of years ago with a great hack against Western Digital's Cloud OS 3, and right before the contest WD released their OS 5 against which their hack didn't work. Bad luck for them. Still, they sent their documentation and code to WD for them to fix OS 3.

Care to guess whether or not OS 3 was ever patched?

There's an unknown number of Cloud OS 3 installations out there with weak and exploitable operating systems, that cannot or will not be updated. And WD's answer is 'they should update to 5'. So odds are that we're going to hear the exact same story in the not too distant future.


And believe it or not, there's some amazingly good news.

For people whose drives have been wiped, and this is truly amazing, Western Digital has retained a data recovery service and is providing that service for people with wiped drives FOR FREE!

Data recovery is a VERY expensive service; we explored it when we had a RAID array break at a place I once worked at: they charged a ton and recovered nothing worthwhile, but this was about 20 years ago, hopefully things have improved since then. I have read that in many cases, after the wipe, people's directory trees were intact, which leaves a little hope that the files are there, that just the directory information was clobbered. So people might get lucky.

We shall see.

https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/

https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users/

Page generated Dec. 3rd, 2025 05:59 pm
Powered by Dreamwidth Studios