Feed aggregator

Intel Responds To Alleged Chip Flaw, Claims Effects Won't Significantly Impact Average Users

Slashdot -

An anonymous reader quotes a report from Hot Hardware: The tech blogosphere lit up yesterday afternoon after reports that a critical bug in modern Intel processors has the potential to seriously impact systems running Windows, Linux and macOS. The alleged bug is so severe that it cannot be corrected with a microcode update, and instead, OS manufacturers are being forced to address the issue with software updates, which in some instances requires a redesign of the kernel software. Some early performance benchmarks have even suggested that patches to fix the bug could result in a performance hit of as much as 30 percent. Since reports on the issue have exploded over the past 24 hours, Intel is looking to cut through the noise and tell its side of the story. The details of the exploit and software/firmware updates to address the matter at hand were scheduled to go live next week. However, Intel says that it is speaking out early to combat "inaccurate media reports." Intel acknowledges that the exploit has "the potential to improperly gather sensitive data from computing devices that are operating as designed." The company further goes on to state that "these exploits do not have the potential to corrupt, modify or delete data." The company goes on to state that the "average computer user" will be negligibly affected by any software fixes, and that any negative performance outcomes "will be mitigated over time." In a classic case of trying to point fingers at everyone else, Intel says that "many different vendors' processors" are vulnerable to these exploits. You can read the full statement here.

Read more of this story at Slashdot.

A press release from Intel

LWN Headlines -

Intel has responded to reports of security issues in its processors:

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Stay tuned, there is certainly more to come.

Dating Website eHarmony's Ad Banned For Claiming Service Is 'Scientifically Proven'

Slashdot -

A dating website's claim that it used a "scientifically proven matching system" to pair up those looking for love has been banned. From a report: An advert for eHarmony on the London Underground in July read: "It's time science had a go at love." The Advertising Standards Authority (ASA) called the claim "misleading." The online matchmaker said while it "respectfully disagrees" with the ruling, it will make its advertising "as clear as possible." The website was unable to offer the ASA any evidence that customers had a greater chance of finding love, despite claiming that its "scientifically proven matching system decodes the mystery of compatibility and chemistry." "Imagine being able to stack the odds of finding lasting love entirely in your favour," the advert read.

[$] Statistics for the 4.15 kernel

LWN Headlines -

The 4.15 kernel is likely to require a relatively long development cycle as a result of the post-rc5 merge of the kernel page-table isolation patches. That said, it should be in something close to its final form, modulo some inevitable bug fixes. The development statistics for this kernel release look fairly normal, but they do reveal an unexpectedly busy cycle overall.

Announcing the OpenWrt/LEDE merge

LWN Headlines -

The OpenWrt and LEDE projects have announced their unification under the OpenWrt name. The old OpenWrt CC 15.05 release series will receive a limited amount of security and bug fixes, but the current LEDE 17.01 series is the most up-to-date. "The merged project will use the code base of the former LEDE project. OpenWrt specific patches not present in the LEDE repository but meeting LEDE's code quality requirements got integrated into the new tree. The source code will be hosted at git.openwrt.org with a continuously synchronized mirror hosted at Github. The original OpenWrt codebase has been archived on Github for future reference."

Amazon's YouTube Workaround on Fire TV Works Just Fine

Slashdot -

Last month, a notification that YouTube would no longer be available through Fire TV and Fire TV Stick devices starting Jan. 1 popped up, threatening to leave a huge hole in Amazon's streaming lineup. But just last week, Amazon added the ability to surf the web and get to YouTube via a browser. But does it work? GeekWire thinks so: The result is a simple path to YouTube, circumventing Google's move to pull it from Fire TV. Web browsing probably wasn't a direct response to Amazon's issues with Google, which owns YouTube, but it provides a convenient alternative to keep the service accessible for Fire TV users. The first step is downloading one or both of the web browsers. Opening Firefox leads to this home screen with easy access tiles to both Google and YouTube. On Silk, the home screen defaults to Bing search. But as I poked around, I noticed that YouTube for TV showed up in my bookmarks even though this was the first time I opened the browser. A YouTube interface optimized for TV, the same one you would see on other streaming devices, pops up on both browsers. To sign in, YouTube prompted me to activate YouTube for TV through a phone or computer. Once that process was complete, YouTube showed the same personalized recommendations as my phone and computer.

Alcohol Can Cause Irreversible Genetic Damage To Stem Cells, Says Study

Slashdot -

A new study, published on Wednesday, states that drinking alcohol produces a harmful chemical in the body which can lead to permanent genetic damage in the DNA of stem cells, increasing the risk of cancer developing. From a report: The research, using genetically modified mice, provides the most compelling evidence to date that alcohol causes cancer by scrambling the DNA in cells, eventually leading to deadly mutations. During the past decade, there has been mounting evidence of the link between drinking and the risk of certain cancers. "How exactly alcohol causes damage to us is controversial," said Prof Ketan Patel, who led the work at the MRC Laboratory of Molecular Biology in Cambridge. "This paper provides very strong evidence that an alcohol metabolite causes DNA damage [including] to the all-important stem cells that go on to make tissues." The study builds on previous work that had pinpointed a breakdown product of alcohol, called acetaldehyde, as a toxin that can damage the DNA within cells. However, these earlier studies had relied on extremely high concentrations of acetaldehyde and used cells in a dish rather than tracking its effects within the body.

Price Tag On Gene Therapy For Rare Form of Blindness: $850K

Slashdot -

A first-of-its-kind genetic treatment for blindness will cost $850,000, less than the $1 million price tag that had been expected, but still among the most expensive medicines in the world. Several readers have shared an Associated Press report: Spark Therapeutics said Wednesday it decided on the lower price for Luxturna (Lux-turn-a) after hearing concerns from health insurers about their ability to cover the injectable treatment. Consternation over skyrocketing drug prices, especially in the U.S., has led to intense scrutiny from patients, Congress, insurers and hospitals. "We wanted to balance the value and the affordability concerns with a responsible price that would ensure access to patients," said CEO Jeffrey Marrazzo, in an interview with The Associated Press. Luxturna is still significantly more expensive than nearly every other medicine on the global market, including two other gene therapies approved earlier last year in the U.S. Approved last month, Luxturna is the nation's first gene therapy for an inherited disease. It can improve the vision of those with a rare form of blindness that is estimated to affect just a few thousand people in the U.S. Luxturna is an injection -- one for each eye -- that replaces a defective gene in the retina, tissue at the back of the eye that converts light into electric signals that produce vision. The therapy will cost $425,000 per injection.

Windows 10's Edge vs Chrome: We're Faster and Win in Battery Face-off, Says Microsoft

Slashdot -

Microsoft has kicked off 2018 with two new ads promoting Windows 10 Edge's battery efficiency and speed compared with Google Chrome. From a report: Microsoft published the two new ads on New Year's Eve, pitting Edge against Chrome, the world's most popular browser. "Microsoft Edge is up to 48 percent faster than Google Chrome," Microsoft says in one of the 30-second ads. Not only that, but Microsoft argues that Edge is safer too, thanks to SmartScreen, its built-in equivalent of Google's Safe Browsing anti-phishing technology. Microsoft says: "Edge blocks 18 percent more phishing sites than Google Chrome." Microsoft doesn't cite the source of this statistic, but in October, NSS Labs released a report comparing Edge on the locked-down Windows 10 S with Chrome on Chromebooks, suggesting that Edge blocks more phishing URLs than Chrome.

Mozilla Will Delete Firefox Crash Reports Collected by Accident

Slashdot -

Catalin Cimpanu, writing for BleepingComputer: Mozilla said last week it would delete all telemetry data collected because of a bug in the Firefox crash reporter. According to Mozilla engineers, Firefox has been collecting information on crashed background tabs from users' browsers since Firefox 52, released in March 2017. Firefox versions released in that time span did not respect user-set privacy settings and automatically submitted crash reports to Mozilla servers. The browser maker fixed the issue with the release of Firefox 57.0.3. Crash reports are not fully anonymized.

[$] Future directions for PGP

LWN Headlines -

Back in October, LWN reported on a talk about the state of the GNU Privacy Guard (GnuPG) project, an asymmetric public-key encryption and signing tool that had been almost abandoned by its lead developer due to lack of resources before receiving a significant infusion of funding and community attention. GnuPG 2 has brought about a number of changes and improvements but, at the same time, several efforts are underway to significantly change the way GnuPG and OpenPGP are used. This article will look at the current state of GnuPG and the OpenPGP web of trust, as compared to new implementations of the OpenPGP standard and other trust systems.

Security updates for Wednesday

LWN Headlines -

Security updates have been issued by Debian (poppler), Fedora (glibc, phpMyAdmin, python33, and xen), Mageia (awstats, binutils, connman, elfutils, fontforge, fossil, gdb, gimp, jbig2dec, libextractor, libical, libplist, mbedtls, mercurial, OpenEXR, openldap, perl-DBD-mysql, podofo, python-werkzeug, raptor2, rkhunter, samba, w3m, and wayland), and Ubuntu (firefox).

The 'App' You Can't Trash: How SIP is Broken in Apple's High Sierra OS

Slashdot -

A reader shares a blog post that talks about why a Mac running High Sierra 10.13.2 (and other versions near it) refuses to let users uninstall some third-party applications easily. For instance, when users attempt to uninstall BlueStacks, an Android emulator, the Finder shows this warning: "The operation can't be completed because you don't have the necessary permission." The blog post looks into the subject: The moment that we see the word permission, all becomes clear: it's a permissions problem. So the next step is to select the offending item in the Finder, press Command-I to bring up the Get Info dialog, and change the permissions. It does, though, leave the slight puzzle as to why the Finder didn't simply prompt for authentication instead of cussedly refusing. Sure enough, after trying that, the app still won't go and the error message is unchanged. Another strange thing about this 'app' is that it's not an app at all. Tucked away in a mysterious folder, new to High Sierra, in /Library/StagedExtensions/Applications, its icon is defaced to indicate that the user can't even run it. Neither did the user install it there. Trying to remove it using a conventional Terminal command, sudo rm -rf /Library/StagedExtensions/Applications/BlueStacks.app, also fails, with the report Operation not permitted.

Norway Powers Ahead (Electrically): Over Half New Car Sales Now Electric or Hybrid

Slashdot -

Sales of electric and hybrid cars rose above half of new registrations in Norway in 2017, a record aided by generous subsidies that extended the country's lead in shifting from fossil-fuel engines, data showed on Wednesday. From a report: Pure electric cars and hybrids, which have both battery power and a diesel or petrol motor, accounted for 52 percent of all new car sales last year in Norway against 40 percent in 2016, the independent Norwegian Road Federation (OFV) said. "No one else is close" in terms of a national share of electric cars, OFV chief Oeyvind Solberg Thorsen said. "For the first time we have a fossil-fuel market share below 50 percent." Norway exempts new electric cars from almost all taxes and grants perks that can be worth thousands of dollars a year in terms of free or subsidized parking, re-charging and use of toll roads, ferries and tunnels.

Linux Mint 19 Named 'Tara'

Slashdot -

BrianFagioli writes: Today, we get some information about the upcoming version 19 of Mint. The biggest news is that it will be called 'Tara.' If you aren't aware, Mint's distros are always named after a woman. Clement Lefebvre, Linux Mint leader, shares the following information: "The development cycle only just started so it's a bit early to give details about Linux Mint 19, but here's what we can say already: Linux Mint 19 is estimated to be released around May/June 2018. Linux Mint 19.x releases will be based on Ubuntu 18.04 LTS and supported until 2023. Linux Mint 19.x will use GTK 3.22. GTK 3.22 is a major stable release for GTK3. From there on, the theming engine and the APIs are stable. This is a great milestone for GTK3. It also means Linux Mint 19.x (which will become our main development platform) will use the same version of GTK as LMDE 3, and distributions which use components we develop, such as Fedora, Arch, etc. This should ease development and increase the quality of these components outside of Linux Mint."

NSA's Top Talent is Leaving Because of Low Pay, Slumping Morale and Unpopular Reorganization

Slashdot -

Ellen Nakashima and Aaron Gregg, reporting for the Washington Post: The National Security Agency is losing its top talent at a worrisome rate as highly skilled personnel, some disillusioned with the spy service's leadership and an unpopular reorganization, take higher-paying, more flexible jobs in the private sector (Editor's note: the link may be paywalled; alternative source). Since 2015, the NSA has lost several hundred hackers, engineers and data scientists, according to current and former U.S. officials with knowledge of the matter. The potential impact on national security is significant, they said. Headquartered at Fort Meade in Maryland, the NSA employs a civilian workforce of about 21,000 there and is the largest producer of intelligence among the nation's 17 spy agencies. The people who have left were responsible for collecting and analyzing the intelligence that goes into the president's daily briefing. Their work also included monitoring a broad array of subjects including the Islamic State, Russian and North Korean hackers, and analyzing the intentions of foreign governments, and they were responsible for protecting the classified networks that carry such sensitive information.

The FCC Is Still Tweaking Its Net Neutrality Repeal

Slashdot -

An anonymous reader quotes a report from TechCrunch: You may think, from the pomp accompanying the FCC's vote in December to repeal the 2015 net neutrality rules, that the deed was accomplished. Not so -- in fact, the order hasn't even reached its final form: the Commission is still working on it. But while it may be frustrating, this is business as usual for regulations like this, and concerned advocates should conserve their outrage for when it's really needed. The "Restoring Internet Freedom" rule voted on last month was based on a final draft circulated several weeks before the meeting at which it would be adopted. But as reports at the time noted, significant edits (i.e. not fixing typos) were still going into the draft the day before the FCC voted. Additional citations, changes in wording and more serious adjustments may be underway. It may sound like some serious shenanigans are being pulled, but this is how the sausage was always made, and it's actually one of Chairman Ajit Pai's handful of commendable efforts that the process is, in some ways at least, more open to the public. The question of exactly what is being changed, however, we will have ample time to investigate: The rules will soon be entered into the federal register, at which point they both come into effect and come under intense scrutiny and legal opposition.

Insert Away

The Daily WTF -

"Troy! Troy!"

Troy looked up from his keyboard with a frown as his coworker Cassie skidded to a halt, panting for breath. "Yes?"

"How soon can you get that new client converted?" Cassie asked. "We're at DEFCON 1 in ops. We need to be running yesterday!"

Troy's frown only deepened. "I told you, I've barely had a chance to peek at their old system."

The client was hoping to convert sometime in the next month—usually no big deal, as they'd just have to schedule a date, write a handful of database conversion scripts, and swing the domains to a fresh instance of their own booking software. It was that middle step that Troy hadn't gotten to. With no go-live date picked, working on new features seemed a higher priority.

Cassie had been spouting doom-and-gloom predictions all month: the client's in-house solution read like mid-1990s code despite being written in 2013. She'd been convinced it was a house of cards ready to collapse at any minute. Apparently, she'd been right.

"Okay, slow down. Where's the fire?" It wasn't that Troy didn't believe her per se, but when he'd skimmed the database, he hadn't seen anything spectacularly bad. Even if the client was down, their data could be converted easily. It wasn't his responsibility to maintain their old system, just to get them to the new one. "Is this a data problem?"

"They're getting hundreds of new bookings for phantom clients at the top of every hour," Cassie replied. "At this rate, we're not sure we'll be able to separate the garbage from the good bookings even if you had a conversion script done right now." Her eyes pleaded for him to have such a script on hand, but he shook his head, dashing her hopes.

"Maybe I can stop it," Troy said. "I'm sure it's a backdoor in the code somewhere we can have them disable. Let me have a look."

"You do that. I'm going to check on their backup situation."

As Cassie ran off again, Troy closed his Solitaire game and settled in to read the code. At first, he didn't see anything drastically worse than he was expecting.

PHP code, of course, he thought. There's an init script: login stuff, session stuff ... holy crap that's a lot of class includes. Haven't they ever heard of an autoloader? If it's in one of those, I'll never find it. Keep pressing on ... header? No, that just calls ob_start(). Footer? Christ on a cracker, they get all the way to the footer before they check if the user's logged in? Yeah, right there—if the user's logged out, it clears the buffer and redirects instead of outputting. That's inefficient.

Troy got himself a fresh cup of coffee and sat back, looking at the folder again. Let's see, let's see ... login ... search bookings ... scripts? Scripts.php seems like a great place to hide a vulnerability. Or it could even be a Trojan some script kiddie uploaded years ago. Let's see what we've got.

He opened the folder, took one look at the file, then shouted for Cassie.

```php
<?php
define('cnPermissionRequired', 'Administration');
require_once('some_init_file.php'); // validates session and permissions and such
include_once('Header.php');         // displays header and calls ob_start();

// DisciplineID => [performance bound, performance bound] (not always in min/max order)
$arrDisciplines = [
    13  => [1012, 1208],
    14  => [2060, 2350],
    17  => [14869, 15925],
    52  => [803, 598],
    127 => [6624, 4547],
    122 => [5728, 2998],
];

// Every column that is not fixed is filled from a random row of some other table.
$sqlAdd = "INSERT INTO aResultTable SET
    EventID = (SELECT EventID FROM aEventTable ORDER BY RAND() LIMIT 1),
    PersonID = (SELECT PersonID FROM somePersonView ORDER BY RAND() LIMIT 1),
    ResultPersonFirstName = (SELECT FirstName FROM __RandomValues WHERE FirstName IS NOT NULL ORDER BY RAND() LIMIT 1),
    ResultPersonLastName = (SELECT LastName FROM __RandomValues WHERE LastName IS NOT NULL ORDER BY RAND() LIMIT 1),
    ResultPersonGender = 'M',
    ResultPersonYearOfBirth = (SELECT Year FROM __RandomValues WHERE Year IS NOT NULL ORDER BY RAND() LIMIT 1),
    CountryFirstCode = 'GER',
    ResultClubName = (SELECT ClubName FROM aClubTable ORDER BY RAND() LIMIT 1),
    AgeGroupID = 1,
    DisciplineID = :DisciplineID,
    ResultRound = (SELECT Round FROM __RandomValues WHERE Round IS NOT NULL ORDER BY RAND() LIMIT 1),
    ResultRoundNumber = 1,
    ResultRank = (SELECT Rank FROM __RandomValues WHERE Rank IS NOT NULL ORDER BY RAND() LIMIT 1),
    ResultPerformance = :ResultPerformance,
    ResultCreated = NOW(),
    ResultCreatedBy = 1;";

$qryAdd = $objConnection->prepare($sqlAdd); // $objConnection comes from the init file

// 30 to 150 random result rows per discipline, on every request that reaches this script.
foreach ($arrDisciplines as $DisciplineID => $Values) {
    set_time_limit(60);
    $iNumOfResults = rand(30, 150);
    for ($iIndex = 0; $iIndex < $iNumOfResults; $iIndex++) {
        $qryAdd->bindValue(':DisciplineID', $DisciplineID);
        $qryAdd->bindValue(':ResultPerformance', rand(min($Values), max($Values)));
        $qryAdd->execute();
        $qryAdd->closeCursor();
    }
}

// ... some more code
?>
<?php include_once('Footer.php'); // displays the footer, calls ob_get_clean(); and flushes buffer, if user is not logged in ?>
```

"Holy hell," breathed Cassie. "It's worse than I feared."

"Tell them to take the site down for maintenance and delete this file," Troy said. "Google must've found it."

"No kidding." She straightened, rolling her shoulders. "Good work."

Troy smiled to himself as she left. On the bright side, that conversion script's half done already, he thought. Meaning I've got plenty of time to finish this game.
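The shape Troy complains about, a page body that runs to completion before Footer.php decides whether the visitor is logged in, is the part of this story worth seeing next to its fix. Discarding the output buffer hides the HTML from an anonymous visitor; it does nothing about the INSERTs that already ran. What follows is an added example, not code from the story or from the client's system: a cut-down page in the same shape, with the login check at the end, beside a version that refuses before any statement executes. The SQLite in-memory table, the `$pdo` connection and the `$loggedIn` flag are constructed stand-ins for the story's `$objConnection`, session handling and aResultTable; the example assumes PHP with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Added example, not the story's code. Assumes pdo_sqlite; the in-memory
// table stands in for aResultTable.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE aResultTable (
    ResultID          INTEGER PRIMARY KEY,
    DisciplineID      INTEGER NOT NULL,
    ResultPerformance INTEGER NOT NULL
)');

// The page body: writes rows, the same way the script in the story does.
function seedRandomResults(PDO $pdo): void
{
    $arrDisciplines = [13 => [1012, 1208], 52 => [803, 598]];
    $qryAdd = $pdo->prepare(
        'INSERT INTO aResultTable (DisciplineID, ResultPerformance)
         VALUES (:DisciplineID, :ResultPerformance)'
    );
    foreach ($arrDisciplines as $DisciplineID => $Values) {
        $qryAdd->bindValue(':DisciplineID', $DisciplineID, PDO::PARAM_INT);
        $qryAdd->bindValue(':ResultPerformance', rand(min($Values), max($Values)), PDO::PARAM_INT);
        $qryAdd->execute();
    }
}

// Vulnerable shape: "Header.php" starts buffering, the body runs, and only
// "Footer.php" looks at the session. Clearing the buffer hides the page,
// not the rows that were just written.
function vulnerablePage(PDO $pdo, bool $loggedIn): string
{
    ob_start();                      // Header.php
    seedRandomResults($pdo);         // page body: the side effect
    echo 'Seeded.';
    if (!$loggedIn) {                // Footer.php: the check, after the damage
        ob_end_clean();
        return 'redirect:/login';    // in a real page: header('Location: /login'); exit;
    }
    return ob_get_clean();
}

// Hardened shape: authorization is the first statement, before buffering
// and before anything that can write. An anonymous request never reaches
// the body.
function hardenedPage(PDO $pdo, bool $loggedIn): string
{
    if (!$loggedIn) {
        return 'redirect:/login';    // in a real page: header('Location: /login'); exit;
    }
    ob_start();
    seedRandomResults($pdo);
    echo 'Seeded.';
    return ob_get_clean();
}

function rowCount(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM aResultTable')->fetchColumn();
}

// An anonymous visitor (or a crawler) requests each page once.
$before          = rowCount($pdo);
$vulnerable      = vulnerablePage($pdo, false);
$afterVulnerable = rowCount($pdo);
$hardened        = hardenedPage($pdo, false);
$afterHardened   = rowCount($pdo);

printf("vulnerable page, logged out: %s, rows %d -> %d\n", $vulnerable, $before, $afterVulnerable);
printf("hardened page, logged out:   %s, rows %d -> %d\n", $hardened, $afterVulnerable, $afterHardened);
```

Run it with `php` from the command line: both calls return the same redirect, but only the vulnerable page leaves new rows behind. The rest of the fix is not a code change at all. A test-data generator that fabricates bookings has no business under the web root of a production site, behind any check; it belongs in a deployment or fixture script that is never reachable over HTTP.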

Kinect Is Really Dead Now, Basically

Slashdot -

Microsoft has confirmed that it is no longer producing the Kinect adapter that is needed to connect the Kinect to an Xbox One S, Xbox One X, or other Windows device. This comes after Microsoft announced in October 2017 that it was killing off the Xbox One's Kinect camera. GameSpot reports: "After careful consideration, we decided to stop manufacturing the Xbox Kinect Adapter to focus attention on launching new, higher fan-requested gaming accessories across Xbox One and Windows 10," a Microsoft spokesperson said in a statement to Polygon. The representative declined to say if Microsoft would ever bring Kinect back. However, the company confirmed that the adapter "will no longer be available" to purchase.


Subscribe to Heydon Consulting aggregator