Apple forgot to lock Intel Management Engine in laptops, so get patching

In its ongoing exploration of Intel’s Management Engine (ME), security biz Positive Technologies has reaffirmed the shortsightedness of security through obscurity and underscored the value of open source silicon.

The Intel ME, included on most Intel chipsets since 2008, is controversial because it expands the attack surface of Intel-based hardware. If compromised, it becomes side-channel threat to the main processor.

The Electronic Frontier Foundation last year called it a security hazard and asked for a way to disable it, a request that researchers from Positive Technologies subsequently met.

In a blog post on Tuesday, researchers Maxim Goryachy and Mark Ermolov, involved in the discovery of an Intel ME firmware flaw last year, reveal that Chipzilla’s ME contains an undocumented Manufacturing Mode, among its other little known features like High Assurance Platform mode.

“Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users,” explain Goryachy and Ermolov. “However, this mode and its potential risks are not described anywhere in Intel’s public documentation.”

Manufacturing Mode can only be accessed using a utility included in Intel ME System Tools software, which isn’t available to the public. It’s intended to configure important platform settings in one-time programmable memory called Field Programming Fuses (FPF) prior to product shipment and in ME’s internal MFS (Minux File System) on SPI (Serial Peripheral Interface) flash memory, via parameters known as CVARs (Configurable NVARs, Named Variables).

In chipsets prior to Apollo Lake, Goryachy and Ermolov observe, Intel kept access rights for its Management Engine, Gigabit Ethernet, and CPU separate. The SPI controllers in more recent chips, however, have a capability called a Master Grant which overrides the access rights declared in the SPI descriptor.

“What this means is that even if the SPI descriptor forbids host access to an SPI region of ME, it is possible for ME to still provide access,” the researchers explain.

And because it turns out that device makers may not disable Manufacturing Mode, there’s an opportunity for an attacker – with local access – to alter the Intel ME to allow the writing of arbitrary data.

At least one Intel customer failed to turn Manufacturing Mode off: Apple. The researchers analyzed notebooks from several computer makers and found that Apple had left Manufacturing Mode open. They reported the vulnerability (CVE-2018-4251) and Apple patched it in June via its macOS High Sierra 10.13.5 update.

Source: Apple forgot to lock Intel Management Engine in laptops, so get patching • The Register

Introducing MLflow: an Open Source Machine Learning Platform for tracking, projects and models

MLflow is inspired by existing ML platforms, but it is designed to be open in two senses:

  1. Open interface: MLflow is designed to work with any ML library, algorithm, deployment tool or language. It’s built around REST APIs and simple data formats (e.g., a model can be viewed as a lambda function) that can be used from a variety of tools, instead of only providing a small set of built-in functionality. This also makes it easy to add MLflow to your existing ML code so you can benefit from it immediately, and to share code using any ML library that others in your organization can run.
  2. Open source: We’re releasing MLflow as an open source project that users and library developers can extend. In addition, MLflow’s open format makes it very easy to share workflow steps and models across organizations if you wish to open source your code.

Mlflow is still currently in alpha, but we believe that it already offers a useful framework to work with ML code, and we would love to hear your feedback. In this post, we’ll introduce MLflow in detail and explain its components.

MLflow Alpha Release Components

This first, alpha release of MLflow has three components:

MLflow Components

MLflow Tracking

MLflow Tracking is an API and UI for logging parameters, code versions, metrics and output files when running your machine learning code to later visualize them. With a few simple lines of code, you can track parameters, metrics, and artifacts:

import mlflow

# Log parameters (key-value pairs)
mlflow.log_param("num_dimensions", 8)
mlflow.log_param("regularization", 0.1)

# Log a metric; metrics can be updated throughout the run
mlflow.log_metric("accuracy", 0.1)
...
mlflow.log_metric("accuracy", 0.45)

# Log artifacts (output files)
mlflow.log_artifact("roc.png")
mlflow.log_artifact("model.pkl")

You can use MLflow Tracking in any environment (for example, a standalone script or a notebook) to log results to local files or to a server, then compare multiple runs. Using the web UI, you can view and compare the output of multiple runs. Teams can also use the tools to compare results from different users:

MLflow Tracking UI

MLflow Tracking UI

MLflow Projects

MLflow Projects provide a standard format for packaging reusable data science code. Each project is simply a directory with code or a Git repository, and uses a descriptor file to specify its dependencies and how to run the code. A MLflow Project is defined by a simple YAML file called MLproject.

name: My Project
conda_env: conda.yaml
entry_points:
  main:
    parameters:
      data_file: path
      regularization: {type: float, default: 0.1}
    command: "python train.py -r {regularization} {data_file}"
  validate:
    parameters:
      data_file: path
    command: "python validate.py {data_file}"

Projects can specify their dependencies through a Conda environment. A project may also have multiple entry points for invoking runs, with named parameters. You can run projects using the mlflow run command-line tool, either from local files or from a Git repository:

mlflow run example/project -P alpha=0.5

mlflow run git@github.com:databricks/mlflow-example.git -P alpha=0.5

MLflow will automatically set up the right environment for the project and run it. In addition, if you use the MLflow Tracking API in a Project, MLflow will remember the project version executed (that is, the Git commit) and any parameters. You can then easily rerun the exact same code.

The project format makes it easy to share reproducible data science code, whether within your company or in the open source community. Coupled with MLflow Tracking, MLflow Projects provides great tools for reproducibility, extensibility, and experimentation.

MLflow Models

MLflow Models is a convention for packaging machine learning models in multiple formats called “flavors”. MLflow offers a variety of tools to help you deploy different flavors of models. Each MLflow Model is saved as a directory containing arbitrary files and an MLmodel descriptor file that lists the flavors it can be used in.

time_created: 2018-02-21T13:21:34.12
flavors:
  sklearn:
    sklearn_version: 0.19.1
    pickled_model: model.pkl
  python_function:
    loader_module: mlflow.sklearn
    pickled_model: model.pkl

In this example, the model can be used with tools that support either the sklearn or python_function model flavors.

MLflow provides tools to deploy many common model types to diverse platforms. For example, any model supporting the python_function flavor can be deployed to a Docker-based REST server, to cloud platforms such as Azure ML and AWS SageMaker, and as a user-defined function in Apache Spark for batch and streaming inference. If you output MLflow Models as artifacts using the Tracking API, MLflow will also automatically remember which Project and run they came from.

Getting Started with MLflow

To get started with MLflow, follow the instructions at mlflow.org or check out the alpha release code on Github. We are excited to hear your feedback on the concepts and code!

Source: Introducing MLflow: an Open Source Machine Learning Platform – The Databricks Blog

Recent wave of hijacked WhatsApp accounts traced back to voicemail hacking

A wave of reports about hijacked WhatsApp accounts in Israel has forced the government’s cyber-security agency to send out a nation-wide security alert on Tuesday, ZDNet has learned.

The alert, authored by the Israel National Cyber Security Authority, warns about a relatively new method of hijacking WhatsApp accounts using mobile providers’ voicemail systems.

This new hacking method was first documented last year by Ran Bar-Zik, an Israeli web developer at Oath.

The general idea is that users who have voicemail accounts for their phone numbers are at risk if they don’t change that account’s default password, which in most cases tends to be either 0000 or 1234.

The possibility of an account takeover happens when an attacker tries to add a legitimate user’s phone number to a new WhatsApp app installation on his own phone.

Following normal security procedures, the WhatsApp service would then send a one-time code via SMS to that phone number. This would typically alert a user to an ongoing attack, but Bar-Zik argues that a hacker could easily avoid this by carrying out the attack during nighttime or when he is sure the user is away from his phone.

After several failed attempts to validate the one-time code sent via SMS, the WhatsApp service would then prompt the user to perform a “voice verification,” during which the WhatsApp service would call the user’s phone and speak the one-time verification code out loud.

If the attacker has timed his/her attack at the proper time and the user can’t or won’t answer his phone, that message would eventually land in the victim’s voicemail account.

Source: Recent wave of hijacked WhatsApp accounts traced back to voicemail hacking | ZDNet

Netherlands Defence Intelligence and Security Service disrupts Russian cyber operation targeting OPCW

On 13 April 2018, with support from the Netherlands General Intelligence and Security Service and UK counterparts, the Netherlands Defence Intelligence and Security Service (DISS) disrupted a cyber operation being carried out by a Russian military intelligence (GRU) team. The Russian operation had targeted the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.

The 4 Russian intelligence officers at Schiphol Airport.

To conduct their operation, 4 Russian intelligence officers had set up specialised equipment in the vicinity of the OPCW offices and were preparing to hack into OPCW networks. As host country the Netherlands bears responsibility for ensuring the organisation’s security. In order to protect the security of the OPCW it therefore pre-empted the GRU operation and escorted the Russian intelligence officers out of the country. “The cyber operation targeting the OPCW is unacceptable. Our exposure of this Russian operation is intended as an unambiguous message that the Russian Federation must refrain from such actions,” said Defence Minister Ank Bijleveld in her response. “The OPCW is a respected international institution representing 193 nations around the globe and was established to rid the world of chemical weapons. The Netherlands is responsible for protecting international organisations within its borders, and that is what we have done.”

Equipment

The 4 Russian intelligence officers entered the Netherlands via Schiphol Airport, travelling on diplomatic passports. They subsequently hired a car which they positioned in the parking lot of the Marriot Hotel in The Hague, which is adjacent to the OPCW offices.

Equipment was set up in the boot of the car with which the officers intended to hack into wifi networks and which was installed for the purpose of infiltrating the OPCW’s network. The antenna for this equipment lay hidden under a jacket on the rear shelf and the equipment was operational when DISS interrupted the operation.

Source: Netherlands Defence Intelligence and Security Service disrupts Russian cyber operation targeting OPCW

Microsoft announces app mirroring to let you use any Android app on Windows 10

Microsoft announced a new feature for Windows 10 today that will let Android phone users view and use any app on their device from a Windows desktop. The feature, which Microsoft is referring to as app mirroring and shows up in Windows as an app called Your Phone, seems to be work best with Android for now. Although Microsoft did announce the ability to transfer webpages from an iPhone to a Windows 10 desktop so you can pick up where you left off on mobile.

Regardless, the Your Phone app looks to be a significant step in helping bridge Windows 10 and the mobile ecosystem after the demise of Windows Phone. The news was announced at the company’s Surface hardware event in New York City this afternoon.

Source: Microsoft announces app mirroring to let you use any Android app on Windows 10 – The Verge

New Zealand border cops warn travelers that without handing over electronic passwords ‘You shall not pass!’

Customs laws in New Zealand now allow border agents to demand travellers unlock their phones or face an NZ$5,000 (around US$3,300) fine.

The law was passed during 2017 with its provisions coming into effect on October 1. The security conscious of you will also be pleased to know Kiwi officials still need a “reasonable” suspicion that there’s something to find.

As the country’s minister of Justice Andrew Little explained to a parliamentary committee earlier this year:

“The bill provides for that power of search and examination, but in order to exercise that power, a customs officer, first of all, has to be satisfied, or at least to have a reasonable suspicion, that a person in possession of such a device—it would be a cellphone or a laptop or anything else that might be described as an ‘e-device’—has been involved in criminal offending.

That’s somewhat tighter than the rules that apply in America. Border Patrol agents can take a look at phones without giving any reason, but in January this year, a new directive stipulated that a “reasonable suspicion” test applies if the agent wants to copy anything from a phone.

Like the American regulation, New Zealand’s searchers are limited to files held on the phone. A Customs spokesperson told Radio New Zealand “We’re not going into ‘the cloud’. We’ll examine your phone while it’s on flight mode”.

According to Radio NZ, the Council of Civil Liberties criticised the “reasonable cause” protection as inadequate, because someone asked to unlock a device isn’t told what that cause might be, and therefore has no way to challenge the request.

Source: New Zealand border cops warn travelers that without handing over electronic passwords ‘You shall not pass!’ • The Register

UK ruling party’s conference app editable by world+dog, blabs members’ digits

Party chairman Brandon Lewis was planning to sell the “interactive” app – which will allow attendees to give feedback on speeches as they happen – as evidence that the ruling party was embracing tech in a bid to win over the youth vote (another idea was to have the culture secretary appear as a hologram).

But soon after its launch, users took to Twitter to point out that that not only were contact details and personal information visible – they could also be edited.

Particular targets appeared to be Michael Gove, whose picture was changed to that of his former boss Rupert Murdoch, and Boris Johnson, whose name and profile picture were reportedly changed during the incident.

Crowd Comms, the company behind the app, said the error “meant that a third party in possession of a conference attendee’s email address was able, without further authentication, to potentially see data which the attendee had not wished to share – name, email address, phone number, job title and photo”.

Since email addresses are often pretty easy to guess, or – in the case of MPs or other professionals registered on the app – a case of public record, the cock-up had a wide potential impact.

Source: UK ruling party’s conference app editable by world+dog, blabs members’ digits • The Register

Tim Berners-Lee Announces Solid, an Open Source Project Which Would Aim To Decentralize the Web

Tim Berners-Lee, the founder of the World Wide Web, thinks it’s broken and he has a plan to fix it. The British computer scientist has announced a new project that he hopes will radically change his creation by giving people full control over their data. Tim Berners-Lee: This is why I have, over recent years, been working with a few people at MIT and elsewhere to develop Solid, an open-source project to restore the power and agency of individuals on the web. Solid changes the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we’ve all discovered, this hasn’t been in our best interests. Solid is how we evolve the web in order to restore balance — by giving every one of us complete control over data, personal or not, in a revolutionary way. Solid is a platform, built using the existing web. It gives every user a choice about where data is stored, which specific people and groups can access select elements, and which apps you use. It allows you, your family and colleagues, to link and share data with anyone. It allows people to look at the same data with different apps at the same time. Solid unleashes incredible opportunities for creativity, problem-solving and commerce. It will empower individuals, developers and businesses with entirely new ways to conceive, build and find innovative, trusted and beneficial applications and services. I see multiple market possibilities, including Solid apps and Solid data storage.

Solid is guided by the principle of “personal empowerment through data” which we believe is fundamental to the success of the next era of the web. We believe data should empower each of us. Imagine if all your current apps talked to each other, collaborating and conceiving ways to enrich and streamline your personal life and business objectives? That’s the kind of innovation, intelligence and creativity Solid apps will generate. With Solid, you will have far more personal agency over data — you decide which apps can access it. In an interview with Fast Company, he shared more on Solid and its creation: “I have been imagining this for a very long time,” says Berners-Lee. He opens up his laptop and starts tapping at his keyboard. Watching the inventor of the web work at his computer feels like what it might have been like to watch Beethoven compose a symphony: It’s riveting but hard to fully grasp. “We are in the Solid world now,” he says, his eyes lit up with excitement. He pushes the laptop toward me so I too can see. On his screen, there is a simple-looking web page with tabs across the top: Tim’s to-do list, his calendar, chats, address book. He built this app — one of the first on Solid — for his personal use. It is simple, spare. In fact, it’s so plain that, at first glance, it’s hard to see its significance. But to Berners-Lee, this is where the revolution begins. The app, using Solid’s decentralized technology, allows Berners-Lee to access all of his data seamlessly — his calendar, his music library, videos, chat, research. It’s like a mashup of Google Drive, Microsoft Outlook, Slack, Spotify, and WhatsApp. The difference here is that, on Solid, all the information is under his control. Every bit of data he creates or adds on Solid exists within a Solid pod — which is an acronym for personal online data store. These pods are what give Solid users control over their applications and information on the web. Anyone using the platform will get a Solid identity and Solid pod. This is how people, Berners-Lee says, will take back the power of the web from corporations.

Starting this week, developers around the world will be able to start building their own decentralized apps with tools through the Inrupt site. Berners-Lee will spend this fall crisscrossing the globe, giving tutorials and presentations to developers about Solid and Inrupt. “What’s great about having a startup versus a research group is things get done,” he says. These days, instead of heading into his lab at MIT, Berners-Lee comes to the Inrupt offices, which are currently based out of Janeiro Digital, a company he has contracted to help work on Inrupt. For now, the company consists of Berners-Lee; his partner John Bruce, who built Resilient, a security platform bought by IBM; a handful of on-staff developers contracted to work on the project; and a community of volunteer coders. Later this fall, Berners-Lee plans to start looking for more venture funding and grow his team. The aim, for now, is not to make billions of dollars. The man who gave the web away for free has never been motivated by money. Still, his plans could impact billion-dollar business models that profit off of control over data. It’s not likely that the big powers of the web will give up control without a fight.

Source: Tim Berners-Lee Announces Solid, an Open Source Project Which Would Aim To Decentralize the Web – Slashdot

CBS Shuts Down Ambitious Fan Effort To Make A Virtual Starship Enterprise

Before there was Star Trek: Bridge Crew, Ubisoft’s game about piloting the original Enterprise, there was Star Trek Stage-9, a fan project recreating the Enterprise-D from The Next Generation in Unreal Engine. This week the project is no more, following a cease and desist demand by CBS.

One of the leads on the project, who goes by Scragnog, posted a video on YouTube explaining why it would no longer be getting future updates and development was coming to an end. “On Wednesday, September 12, 2018, we received a letter from the CBS legal department,” he said. “This letter was a cease and desist order. The uncertain future we always had at the back of our minds had caught up to us.”

The team immediately shut down the project’s website and began trying to reach out to the company to try and work on an alternative outcome. After nearly two weeks of not being able to get ahold of anybody, a representative from the legal depart confirmed the Stage 9 team that CBS wasn’t going to budge and the game needed to stay down. CBS did not respond to a request by Kotaku for comment.

Source: CBS Shuts Down Ambitious Fan Effort To Make A Virtual Starship Enterprise

Which goes to show why copyright for such extended periods is such a bad idea. The innovation is killed off and for what? Extended corporate profits, even when they are not making much use of the possibilities? This project was way better than anything CBS churned out.

NantEnergy Announces Largest Global Deployment of Novel Air Breathing Zinc Rechargeable Battery System and Breakthrough in Cost Barrier

New York – Sept. 26, 2018 – NantEnergy today announced a breakthrough in its six-year mission to develop the world’s first scalable air breathing, zinc rechargeable battery system at a manufacturing cost below $100 kWh and to operate this intelligent digitally controlled system on a global scale. This green rechargeable battery, an air-breathing cell, uses just zinc and air, integrated with digitally controlled intelligence. The energy system is monitored in real time in the cloud and has been successfully deployed in nine countries with more than 3,000 systems supporting 110 villages and 1,000 installations across cell tower sites. Over 100 patents cover this breakthrough technology.

[…]

During the One Planet Summit in New York, Soon-Shiong noted that these green, air-breathing batteries avoids lithium and cobalt, replaces diesel and lead-acid batteries, and presents no risk of fire or environmental contamination.

“We have made the safest, de-risked, globally-deployed system in the world with a six-year history of over 1,000,000 cycles to date,” said Chuck Ensign, Chief Executive Officer of NantEnergy. “It’s remarkable because this eliminates the need for lead, lithium and cobalt, which are scarce and dangerous materials.”

Source: NantEnergy Announces Largest Global Deployment of Novel Air Breathing Zinc Rechargeable Battery System and Breakthrough in Cost Barrier – NantEnergy

Elon Musk to Resign as Tesla Chairman, Pay 2x $20 Million Fine in SEC Settlement Over Catastrophic ‘420’ Tweet

In August, Tesla CEO Elon Musk set off an entirely preventable and catastrophic chain of events by tweeting that he was “considering taking Tesla private at $420. Funding secured.” Musk provided no financing details, and the Securities and Exchange Commission later determined that he never finalized any kind of deal with the Saudi sovereign wealth fund behind the ostensible buyout. Last week, it slapped him with fraud charges for making “false and misleading” statements and not complying with regulatory requirements.

Musk and the company’s board initially appeared to be digging in for a battle, but per the Washington Post, on Saturday he caved. Musk has agreed to a settlement in which both he and Tesla will pay out separate $20 million fines, and Musk will step down as Tesla’s chairman for at least three years. The only silver lining is that Musk will be allowed to remain the company’s CEO, the Post wrote:

Tesla chief executive Elon Musk agreed on Saturday to pay a $20 million fine and step down as board chairman as part of a settlement with the Securities and Exchange Commission.

Tesla will separately pay another $20 million and agreed to add two new independent directors to its board and monitor the billionaire’s public communications more closely… Under the settlement, Musk will resign as chairman of the automaker within 45 days and be barred from that position for three years. But he will remain Tesla’s CEO and does not have to admit wrongdoing as part of the deal.

Source: Elon Musk to Resign as Tesla Chairman, Pay $20 Million Fine in SEC Settlement Over Catastrophic ‘420’ Tweet

Facebook Could Face Up to $1.63 Billion Fine for 50m User Hack Under the GDPR

Facebook’s stunning disclosure of a massive hack on Friday in which attackers gained access tokens to at least 50 million accounts—bypassing security measures and potentially giving them full control of both profiles and linked apps—has already stirred the threat of a $1.63 billion dollar fine in the European Union, according to the Wall Street Journal.

The bug, which exploited flaws in the site’s “View As” and video uploader feature to gain access to the accounts, forced Facebook to reset access tokens for 50 million users and reset those for 40 million others as a precaution. (That means if you were logged out of your devices, you were affected.) Facebook has not said whether the attackers attempted to extract data from the affected profiles, but vice president of product management Guy Rosen told reporters they had attempted to harvest private information from Facebook’s systems, according to the New York Times. Rosen also said Facebook was unable to determine the extent to which third-party apps could have been compromised.

Source: Facebook Could Face Up to $1.63 Billion Fine for Latest Hack Under the GDPR

The site itself was compromised on Tuesday

Resident evil: Inside a UEFI rootkit used to spy on govts, made by you-know-who (hi, Russia)

A rootkit is a piece of software that hides itself on computer systems, and uses its root or administrator-level privileges to steal and alter documents, spy on users, and cause other mischief and headaches. A UEFI rootkit lurks in the motherboard firmware, meaning it starts up before the operating system and antivirus suites run, allowing it to bury itself deep in an infected machine, undetected and with high-level access privileges.

According to infosec biz ESET, a firmware rootkit dubbed LoJax targeted Windows PCs used by government organizations in the Balkans as well as in central and eastern Europe. The chief suspects behind the software nasty are the infamous Fancy Bear (aka Sednit aka Sofacy aka APT28) hacking crew, elsewhere identified as a unit of Russian military intelligence.

That’s the same Fancy Bear that’s said to have hacked the US Democratic Party’s servers, French telly network TV5, and others.

The malware is based on an old version of a legit application by Absolute Software called LoJack for Laptops, which is typically installed on notebooks by manufacturers so that stolen devices can be found.

[…]

Once up and alive, LoJax contacts command-and-control servers that are disguised as normal websites and are known to be operated by Russian intelligence. It then downloads its orders to carry out.

[…]

This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.

[…]

There are firmware settings that can thwart the flash installation simply by blocking write operations. If BIOS write-enable is off, BIOS lock-enable is on, and SMM BIOS write-protection is enabled, then the malware can’t write itself to the motherboard’s flash storage.

Alternatively, wiping the disk and firmware storage will get rid of this particular rootkit strain.

Modern systems should be able to resist malicious firmware overwrites, we’re told, although ESET said it found at least one case of LoJax in the PC’s SPI flash.

“While it is hard to modify a system’s UEFI image, few solutions exists to scan system’s UEFI modules and detect malicious ones,” wrote Team ESET. “Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the average user. These advantages explain why determined and resourceful attackers will continue to target systems’ UEFI.”

Source: Resident evil: Inside a UEFI rootkit used to spy on govts, made by you-know-who (hi, Russia) • The Register

DEFCON hackers’ dossier on US voting machine security is just as grim as feared

Hackers probing America’s electronic voting systems have painted an astonishing picture of the state of US election security, less than six weeks before the November midterms.

The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies.

In short, the dossier outlines shortcomings in the electronic voting systems many US districts will use later this year for the midterm elections. The report focuses on vulnerabilities exploitable by scumbags with physical access to the hardware.

“The problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency’s sake, but rather serious risks to our critical infrastructure and thus national security,” the report stated. “As our nation’s security is the responsibility of the federal government, Congress needs to codify basic security standards like those developed by local election officials.”

Criminally easy to hack

Researchers found that many of the systems tested were riddled with basic security blunders committed by their manufacturers, such as using default passwords and neglecting to install locks or tamper-proof seals on casings. These could be exploited by miscreants to do anything from add additional votes to create and stuff the ballot with entirely new candidates. It would require the crooks to get their hands on the machines long enough to meddle with the hardware.

Some electronic ballot boxes use smart cards loaded with Java-written software, which executes once inserted into the computer. Each citizen is given a card, which they slide in the machine when they go to vote. Unfortunately, it is possible to reprogram your card yourself so that when inserted, you can vote multiple times. If the card reader has wireless NFC support, you can hold your NFC smartphone up to the voting machine, and potentially cast a ballot many times over.

“Due to a lack of security mechanisms in the smart card implementation, researchers in the Voting Village demonstrated that it is possible to create a voter activation card, which after activating the election machine to cast a ballot can automatically reset itself and allow a malicious voter to cast a second (or more) unauthorized ballots,” the report read.

“Alternatively, an attacker can use his or her mobile phone to reprogram the smart card wirelessly.”

Source: DEF CON hackers’ dossier on US voting machine security is just as grim as feared

Facebook Is Giving Advertisers Access to Your Shadow Contact Information – and you can’t find out what that is

Last week, I ran an ad on Facebook that was targeted at a computer science professor named Alan Mislove. Mislove studies how privacy works on social networks and had a theory that Facebook is letting advertisers reach users with contact information collected in surprising ways. I was helping him test the theory by targeting him in a way Facebook had previously told me wouldn’t work. I directed the ad to display to a Facebook account connected to the landline number for Alan Mislove’s office, a number Mislove has never provided to Facebook. He saw the ad within hours.

What Facebook told Alan Mislove about the ad I targeted at his office landline number
Screenshot: Facebook (Alan Mislove)

One of the many ways that ads get in front of your eyeballs on Facebook and Instagram is that the social networking giant lets an advertiser upload a list of phone numbers or email addresses it has on file; it will then put an ad in front of accounts associated with that contact information. A clothing retailer can put an ad for a dress in the Instagram feeds of women who have purchased from them before, a politician can place Facebook ads in front of anyone on his mailing list, or a casino can offer deals to the email addresses of people suspected of having a gambling addiction. Facebook calls this a “custom audience.”

You might assume that you could go to your Facebook profile and look at your “contact and basic info” page to see what email addresses and phone numbers are associated with your account, and thus what advertisers can use to target you. But as is so often the case with this highly efficient data-miner posing as a way to keep in contact with your friends, it’s going about it in a less transparent and more invasive way.

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all, but that was collected from other people’s contact books, a hidden layer of details Facebook has about you that I’ve come to call “shadow contact information.”

[…]

Giridhari Venkatadri, Piotr Sapiezynski, and Alan Mislove of Northeastern University, along with Elena Lucherini of Princeton University, did a series of tests that involved handing contact information over to Facebook for a group of test accounts in different ways and then seeing whether that information could be used by an advertiser.

[…]

They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks. So users who want their accounts to be more secure are forced to make a privacy trade-off and allow advertisers to more easily find them on the social network.

[…]

The researchers also found that if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later.

[…]

I think that many users don’t fully understand how ad targeting works today: that advertisers can literally specify exactly which users should see their ads by uploading the users’ email addresses, phone numbers, names+dates of birth, etc,” said Mislove. “In describing this work to colleagues, many computer scientists were surprised by this, and were even more surprised to learn that not only Facebook, but also Google, Pinterest, and Twitter all offer related services. Thus, we think there is a significant need to educate users about how exactly targeted advertising on such platforms works today.”

Source: Facebook Is Giving Advertisers Access to Your Shadow Contact Information

Building your own PC for AI is 10x cheaper than renting out GPUs on cloud, apparently

Jeff Chen, an AI techie and entrepreneur at Stanford University in the US, believes that a suitable machine can be built for about $3,000 (~£2,300) without including tax. At the heart of the beast is an Nvidia GeForce 1080Ti GPU, a 12-core AMD Threadripper processor, 64GB of RAM, and a 1TB SSD card for data. Bung in a fan to keep the computer cool, a motherboard, a power supply, wrap the whole thing in a case, and voila.

Here’s the full checklist…

GPU_computer_cost

Image credit: Jeff Chen

Unlike renting out compute and data storage on cloud, once your personal rig is built, the only recurring cost to pay for is power. It costs $3 (£2.28) an hour to rent a GPU-accelerated system on AWS, whereas it’s only 20 cents (15p) to run on your own computer. Chen has done the sums, and, apparently, after two months that will work out to being ten times cheaper. The gap decreases slightly over time as the computer hardware depreciates.

“There are some drawbacks, such as slower download speed to your machine because it’s not on the backbone, static IP is required to access it away from your house, you may want to refresh the GPUs in a couple of years, but the cost savings is so ridiculous it’s still worth it,” he said this week.

Source: Building your own PC for AI is 10x cheaper than renting out GPUs on cloud, apparently • The Register

Amazon Alexa outage: Voice-activated devices are down in UK and beyond – yay cloud services!

Amazon Alexa devices stopped working in the UK and reportedly in parts of continental Europe this morning, with some users still complaining of intermittent outages at the time of writing.

The digital blackout began at around 0800 UK time and though it appeared to be recovering by 09.30, some folk – including Reg staffers – were still experiencing service failures at the time of writing.

The creepy always-on audio surveillance device voice-activated home assistant relies on a constant connection to Amazon’s servers to function.

Source: Amazon Alexa outage: Voice-activated devices are down in UK and beyond • The Register

Google is using AI to predict floods in India and warn users

For years Google has warned users about natural disasters by incorporating alerts from government agencies like FEMA into apps like Maps and Search. Now, the company is making predictions of its own. As part of a partnership with the Central Water Commission of India, Google will now alert users in the country about impending floods. The service is only currently available in the Patna region, with the first alert going out earlier this month.

As Google’s engineering VP Yossi Matias outlines in a blog post, these predictions are being made using a combination of machine learning, rainfall records, and flood simulations.

“A variety of elements — from historical events, to river level readings, to the terrain and elevation of a specific area — feed into our models,” writes Matias. “With this information, we’ve created river flood forecasting models that can more accurately predict not only when and where a flood might occur, but the severity of the event as well.”

Source: Google is using AI to predict floods in India and warn users – The Verge

A $1, Linux-Capable, Hand-Solderable Processor

Over on the EEVblog, someone noticed an interesting chip that’s been apparently flying under our radar for a while. This is an ARM processor capable of running Linux. It’s hand-solderable in a TQFP package, has a built-in Mali GPU, support for a touch panel, and has support for 512MB of DDR3. If you do it right, this will get you into the territory of a BeagleBone or a Raspberry Pi Zero, on a board that’s whatever form factor you can imagine. Here’s the best part: you can get this part for $1 USD in large-ish quantities. A cursory glance at the usual online retailers tells me you can get this part in quantity one for under $3. This is interesting, to say the least.

The chip in question, the Allwinner A13, is a 1GHz ARM Cortex-A8 processor. While it’s not much, it is a chip that can run Linux in a hand-solderable package. There is no HDMI support, you’ll need to add some more chips (that are probably in a BGA package), but, hey, it’s only a dollar.

If you’d like to prototype with this chip, the best options right now are a few boards from Olimex, and a System on Module from the same company. That SoM is an interesting bit of kit, allowing anyone to connect a power supply, load an SD card, and get this chip doing something.

Currently, there aren’t really any good solutions for a cheap Linux system you can build at home, with hand-solderable chips. Yes, you could put Linux on an ATMega, but that’s the worst PC ever. A better option is the Octavo OSD335x SoC, better known as ‘the BeagleBone on a Chip’. This is a BGA chip, but the layout isn’t too bad, and it can be assembled using a $12 toaster oven. The problem with this chip is the price; at quantity 1000, it’s a $25 chip. At quantity one, it’s a $40 chip. NXP’s i.MX6 chips have great software support, but they’re $30 chips, and you’ll need some DDR to make it do something useful, and that doesn’t even touch the fiddlyness of a 600-ball package

While the Allwinner A13 beats all the other options on price and solderability, it should be noted that like all of these random Linux-capable SoCs, the software is a mess. There is a reason those ‘Raspberry Pi killers’ haven’t yet killed the Raspberry Pi, and it’s because the Allwinner chips don’t have documentation and let’s repeat that for emphasis: the software is a mess.

Source: A $1, Linux-Capable, Hand-Solderable Processor | Hackaday

Hadoop and NoSQL backups timed by AI

Machine learning data management company Imanis Data has introduced an autonomous backup product powered by machine learning.

The firm said users can specify a desired RPO (Recovery Point Objective) and its SmartPolicies tech then set up the backup schedules. The tech is delivered as an upgrade to the Imanis Data Management Platform (IDMP) product.

SmartPolicies uses metrics including criticality and volume of data to be protected, primary cluster workloads, and daily or seasonal resource utilisation, to determine the most efficient way to achieve the desired RPO.

If it can’t be met because, for example, production systems are too busy, or computing resources are insufficient, then SmartPolicies provides recommendations to make the RPO executable.

Other items in the upgrade include any-point-in-time recovery for multiple NoSQL databases, better ransomware prevention and general data management improvements, such as job tag listing and a browsable catalog for simpler recovery.

[…]

Having backup software set up its own schedules based on input RPO values isn’t a new idea, but having it done with machine learning is. The checking of available resources is a darn good idea too and, when you think about it, absolutely necessary.

Otherwise “backup run failed” messages would start popping up all over the place – not good. We expect other backup suppliers to follow in Imanis’s wake and start sporting “machine learning-driven policy” messages quite quickly.

Source: When should I run backup, robot overlord? Autonomous Hadoop and NoSQL backup is now a thing • The Register

Google Chrome Is Now Quietly Forcing You to Log In—Here’s What to Do About It 

Once again, Google has rankled privacy-focused people with a product change that appears to limit users’ options. It’s easy to miss the fact that you’re automatically being logged-in to Chrome if you’re not paying attention.

Chrome 69 released to users on September 5, and you likely noticed that it has a different look. But if you’re the type of person who doesn’t like to log in to the browser with your Google account, you may have missed the fact that it happens automatically when you sign-in to a Google service like Gmail. Previously, users were allowed to keep those logins separate. Members of the message board Hacker News noticed the change relatively quickly and over the weekend, several developers called attention to it.

[…]

If you want to disable the forced login, a user on Hacker News points out a workaround that could change at any time. Copy and paste this text into your browser’s address bar: chrome://flags/#account-consistency. Then disable the option labeled, “Identity consistency between browser and cookie jar,” and restart your browser. Go to this link to ensure that your Sync settings are configured the way you like them. For now, you have a choice, but it shouldn’t be so difficult or obscure.

Source: Google Chrome Is Now Quietly Forcing You to Log In—Here’s What to Do About It 

Hey, Microsoft, stop installing third-party apps on clean Windows 10 installs!

Before Windows 10, a clean install of Windows only included the bare essentials a user would need to get started using their PC. That included software built by Microsoft, such as Mail, Paint, and its web browser, and it never included “bloatware” or “trialware” that one might find on hardware purchased from a third-party OEM that preloaded all kinds of crapware.

The clean install process was simple. With Windows 7, you’d do the install, and once you hit the desktop, that was it. All the programs that were preinstalled were Microsoft-made and were often considered essentials. This changed with Windows 8, with the addition of auto-updating apps such as Travel, News and more. Still, these were acceptable, preinstalled Windows apps and were not really classed as bloatware.

With Windows 10, a clean install stays that way for about two minutes, because the second you hit the desktop, the Microsoft Store immediately starts trying to download third-party apps and games. And these apps keep trying to install themselves even after you cancel the downloads.

Six too many

There are six such apps, which is six too many. These apps are often random, but right now they include things like Candy Crush, Spotify, and Disney Magic Kingdoms. You should not see any of these apps on a fresh install of Windows 10, yet they are there every single time.

There are policies you can set that disable these apps from automatically installing, but that’s not the point. On a fresh, untouched, clean install of Windows 10, these apps will download themselves onto your PC. Even if you cancel the installation of these apps before they manage to complete the download, they will retry at a later date, without you even noticing.

The only way I’ve found that gets rid of them permanently is to let them install initially, without canceling the download, and then uninstall the apps from the Start menu. If you cancel the initial download of the bloatware apps before they complete their first install, the Microsoft Store will just attempt to redownload them later and will keep doing so until that initial install is complete.

Source: Hey, Microsoft, stop installing third-party apps on clean Windows 10 installs! | Windows Central

Open-source alt-droid wants to know if it’s still leaking data to Google

/e/, a Google-free fork of Android, reached a milestone this month with its initial ROM release. It’s available for download, so you can kick the tires, with nightly builds delivered via OTA (over the air) updates.

El Reg interviewed the project’s leader, Gael Duval, in the summer. Duval launched and led the Linux Mandrake project. Back then it was called “eelo”, but has morphed into just /e/ – which autocorrect features won’t try to turn into “eels”.

The project is significant in that the European Commission recently noted how few people switch platforms. If you’re on Apple or Android today, the chances are you will be on the same platform, plugged into the same “ecosystem” of peripherals and services, in 10 years. So it wants more variety and competition within the Android world.

/e/ derives from LineageOS, itself a fork of CynaogenMod, so it can run on around 30 phone models including the Samsung Galaxy S7, and several recent-ish OnePlus devices.

Source: Open-source alt-droid wants to know if it’s still leaking data to Google • The Register

Zoho – GSuite competitor – pulled offline after phishing complaints by DNS registrar, millions of people couldn’t work. Love the cloud!

Zoho .com was pulled offline on Monday after the company’s domain registrar received phishing complaints, the company’s chief executive said.

The web-based office suite company, which also provides customer relationship and invoicing services to small businesses, tweeted that the site was “blocked” earlier in the day by TierraNet, which administers its domain name.

In an email to TechCrunch, Zoho boss Sridhar Vembu said that TierraNet “took our domain down without any notice to us” after receiving complaints about phishing emails from Zoho-hosted email accounts.

In doing so, thousands of businesses that rely on Zoho for their operations couldn’t access their email, documents and files, and other business-critical software during the day. Zoho counts Columbia University, Netflix, Citrix, Air Canada and the Los Angeles Times as customers.

“They kept pointing us back to their legal, even when I tried to call their senior management,” said Vembu in the email.

Source: Zoho pulled offline after phishing complaints, CEO says | TechCrunch

Cisco Video Surveillance Manager Appliance Default Root Password Vulnerability (again)

A vulnerability in Cisco Video Surveillance Manager (VSM) Software running on certain Cisco Connected Safety and Security Unified Computing System (UCS) platforms could allow an unauthenticated, remote attacker to log in to an affected system by using the root account, which has default, static user credentials.

The vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Source: Cisco Video Surveillance Manager Appliance Default Password Vulnerability

Incredible that this is still a thing, especially at Cisco, where it’s happened before.

 
Skip to toolbar