Solar panel waste creates 300 times more toxic waste per unit of energy than do nuclear power plants.

Only Europe requires solar panel makers to collect and dispose of solar waste at the end of their lives.

All of which raises the question: just how big of a problem is solar waste?

Environmental Progress investigated the problem to see how the problem compared to the much more high-profile issue of nuclear waste.

We found:

Solar panels create 300 times more toxic waste per unit of energy than do nuclear power plants.

If solar and nuclear produce the same amount of electricity over the next 25 years that nuclear produced in 2016, and the wastes are stacked on football fields, the nuclear waste would reach the height of the Leaning Tower of Pisa (52 meters), while the solar waste would reach the height of two Mt. Everests (16 km).

In countries like China, India, and Ghana, communities living near e-waste dumps often burn the waste in order to salvage the valuable copper wires for resale. Since this process requires burning off the plastic, the resulting smoke contains toxic fumes that are carcinogenic and teratogenic (birth defect-causing) when inhaled.

Environmental progress

Time for other countries to start thinking about this, if it’s true?

Draw Together with a Neural Network

We made an interactive web experiment that lets you draw together with a recurrent neural network model called sketch-rnn. We taught this neural net to draw by training it on millions of doodles collected from the Quick, Draw! game. Once you start drawing an object, sketch-rnn will come up with many possible ways to continue drawing this object based on where you left off. Try the first demo.

tensorflow.org

California generates 1/2 the US solar energy, has to pay neighbouring states to take the energy

California is the poster child for solar energy: in 2016, 13% of the state’s power came from solar sources. According to the Solar Energy Industries Association, California is in the lead for the cumulative amount of solar electric capacity installed in 2016.

In fact, California is generating so much solar energy that it is resorting to paying other states to take the excess electricity in order to prevent overloading power lines. According to the Los Angeles Times, Arizona residents have already saved millions in 2017 thanks to California’s contribution.

The state, which produced little to no solar energy just 15 years ago, has made strides — it single-handedly has nearly half of the country’s solar electricity generating capacity. According to the U.S. Energy Information Administration, California reached a milestone: for a few hours, more than half the state’s power needs were sourced from solar energy. This put wholesale energy prices in the negative.

mic.com

3 Ethereum heists in as many weeks: $7m, $32m and $85m!

Hacker Allegedly Steals $7.4 Million in Ethereum with Incredibly Simple Trick

Someone tricked would-be investors during an ethereum ICO into sending their cryptocurrency to the wrong address.

A hacker has allegedly just stolen around $7.4 million dollars worth of ether, the cryptocurrency that underpins the app platform ethereum, by tricking victims into sending money to the wrong address during an Initial Coin Offering, or ICO. This is according to a company called Coindash that says its investors were sending their funds to a hacker.

Hacker Uses Parity Wallet Vulnerability to Steal $30 Million Worth of Ethereum

An unknown hacker has used a vulnerability in an Ethereum wallet client to steal over 153,000 Ether, worth over $30 million dollars.

The hack was possible due to a flaw in the Parity Ethereum client. The vulnerability allowed the hacker to exfiltrate funds from multi-sig wallets created with Parity clients 1.5 and later. Parity 1.5 was released on January 19, 2017.

Multi-sig wallets are Ethereum accounts over which multiple persons have control with their own keys. Multi-sig accounts allow owners to move funds only when a majority of owners sign a transaction with their key.

These hackers stole $85 million in ether to save it from *the real crooks* (or so they say)

The clock was ticking. Thieves stole $32 million worth of ether out of a popular Ethereum wallet, and with every passing minute the potential for additional losses grew.

And so the White Hat Group stepped in.

Like something out of a weird cryptocurrency reboot of National Treasure, the unidentified WHG hackers decided to steal the remaining ether before the crooks could. All $85 million of it.

Or so they say.

The claim was posted to Reddit on July 19, and details a plan to return the funds to their rightful owners. Here’s how the poster, jbaylina, says it went down:

“The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract,” explained the post, referring to a vulnerability in the popular Ethereum wallet Parity that was successfully exploited by unknown thieves. “This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped finding these vulnerable contracts.”

Intel Launches Movidius Neural Compute Stick: Deep Learning and AI on a $79 USB Stick

Meanwhile, the on-chip memory has increased from 1 GB on the Fathom NCS to 4 GB LPDDR3 on the Movidius NCS, in order to facilitate larger and denser neural networks. And to cap it all off, Movidius has been able to reduce the MSRP to $79 – citing Intel’s “manufacturing and design expertise” – lowering the cost of entry even more.

Like other players in the edge inference market, Movidius is looking to promote and capitalize on the need for low-power but capable inference processors for stand-alone devices. That means targeting use cases where the latency of going to a server would be too great, a high-performance CPU too power hungry, or where privacy is a greater concern. In which case, the NCS and the underlying Myriad 2 VPU are Intel’s primary products for device manufacturers and software developers.

Source: Intel Launches Movidius Neural Compute Stick: Deep Learning and AI on a $79 USB Stick

Swedish government leak: clueless agency moved all citizens data + military secrets to “The Cloud” in clear text and to people without security clearances in many countries

Sweden’s Transport Agency moved all of its data to “the cloud”, apparently unaware that there is no cloud, only somebody else’s computer. In doing so, it exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation. Names, photos, and home addresses: the list is just getting started. The responsible director has been found guilty in criminal court of the whole affair, and sentenced to the harshest sentence ever seen in Swedish government: she was docked half a month’s paycheck.
[…]
Last March, the entire register of vehicles was sent to marketers subscribing to it. This is normal in itself, as the vehicle register is public information, and therefore subject to Freedom-of-Information excerpts. What was not normal were two things: first, that people in the witness protection program and similar programs were included in the register distributed outside the Agency, and second, when this fatal mistake was discovered, a new version without the sensitive identities was not distributed with instructions to destroy the old copy. Instead, the sensitive identities were pointed out and named in a second distribution with a request for all subscribers to remove these records themselves. This took place in open cleartext e-mail.
[…]
The weight capacity of all roads and bridges (which is crucial for warfare, and says a lot about what roads are intended to be used as wartime airfields);

Names, photos, and home addresses of fighter pilots in the Air Force;

Names, photos, and home addresses of everybody and anybody in a police register, all of which are classified;

Names, photos, and home addresses of all operators in the military’s most secret units – equivalent to the SAS or SEAL teams;

Names, photos, and home addresses of everybody in a witness relocation program or who has been given protected identity for other reasons;

Type, model, weight, and any defects of any and all government and military vehicles, including their operator, which says a ton about the structure of military support units;

[…]
All of this was not just outside the proper agencies, but outside the European Union, in the hands of people who had absolutely no security clearance. All of this data can be expected to have been permanently exposed.

Source: Worst government leak: clueless agency moved everything to “The Cloud”

Just completely wow!

Lenovo Folio: 5.5″ phone that unfolds into 8″ tablet seamlessly

At the third annual Lenovo Tech World last week, the Chinese tech giant wowed attendees with the Lenovo Folio, a tablet with a screen that folds in half into a phone.

Before you start getting too excited, you should know that the Folio is a concept device, which means it may not be released as a consumer product anytime soon. Even so, that doesn’t make the device any less impressive.

The tablet has a 7.8-inch screen with 1,920 x 1,440 resolution, a Qualcomm Snapdragon 800 processor, and runs Android 7.0 Nougat. It’s not exactly peak performance in 2017, but that’s not why you’d want this thing — you’d want it for the bendable screen.

When folded, the tablet shrinks down into a 5.5-inch phone that could fit into your pocket. As you can see in the demo videos above and below, the display folds neatly in half with pixels filling all the space where a hinge would normally. The UI automatically adjusts to work as if there are two displays. It’s pretty bananas!

Mashable

8″ is the perfect tablet size IMHO – a real shame nobody makes them anymore either…

AI quickly cooks malware that AV software can’t spot

Hyrum Anderson, technical director of data science at security shop Endgame, showed off research that his company had done in adapting Elon Musk’s OpenAI framework to the task of creating malware that security engines can’t spot.

The system basically learns how to tweak malicious binaries so that they can slip past antivirus tools and continue to work once unpacked and executed. Changing small sequences of bytes can fool AV engines, even ones that are also powered by artificial intelligence, he said. Anderson cited research by Google and others to show how changing just a few pixels in an image can cause classification software to mistake a bus for an ostrich.

“All machine learning models have blind spots,” he said. “Depending on how much knowledge a hacker has they can be convenient to exploit.”

So the team built a fairly simple mechanism to develop weaponised code by making very small changes to malware and firing these variants at an antivirus file scanner. By monitoring the response from the engine they were able to make lots of tiny tweaks that proved very effective at crafting software nasties that could evade security sensors.

The malware-tweaking machine-learning software was trained over 15 hours and 100,000 iterations, and then lobbed some samples at an antivirus classifier. The attacking code was able to get 16 per cent of its customized samples past the security system’s defenses, we’re told.

This software-generation software will be online at the firm’s Github page and Anderson encouraged people to give it a try. No doubt security firms will also be taking a long look at how this affects their products in the future

Source: AI quickly cooks malware that AV software can’t spot

It is easy to expose users’ secret web habits, if you have access to cheap clickstream data

Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician.

The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather “clickstreams”.

These are detailed records of everywhere that people go online.

The researchers argue such data – which some firms scoop up and use to target ads – should be protected.
[…]
The pair found that 95% of the data they obtained came from 10 popular browser extensions.
[…]
The public information included links people shared via Twitter, YouTube videos they reported watching, news articles they passed on via social media or when they posted online photos of items they bought or places they visited.

In many cases, he said, it was even easier to de-anonymise because the clickstreams contained links to people’s personal social media admin pages which directly revealed their identity.

Source: It is easy to expose users’ secret web habits, say researchers – BBC News

Crooks Reused Passwords on Hansa and Dream, so Dutch Police Hijacked Their Accounts after running Hansa for a month

Currently, the infosec community and former Hansa vendors themselves have spotted two ways in which Dutch authorities are going after former Hansa vendors.
Police gain access to Dream accounts via password reuse

In the first, Dutch investigators have taken the passwords of vendors who have the same usernames on both the old Hansa Market and the Dream Market — today’s top Dark Web marketplace after the seizure of the Hansa and AlphaBay marketplaces.

If vendors reused passwords and they didn’t activate 2FA for their Dream Market accounts, authorities take over the profiles, change passwords, and lock the vendors out of their shops.
[…]
The second method of operation spotted by the Dark Web community involves so-called “locktime” files that were downloaded from the Hansa Market before Dutch authorities shut it down on July 20.

Under normal circumstances a locktime file is a simple log of a vendor’s market transaction, containing details about the sold product, the buyer, the time of the sale, the price, and Hansa’s signature. The files are used as authentication by vendors to request the release of Bitcoin funds after a sale’s conclusion, or if the market was down due to technical reasons.

According to people familiar with Hansa’s inner workings who shared their knowledge with Bleeping Computer, Hansa locktime files were usually just a simple text file.

Source: Crooks Reused Passwords on the Dark Web, so Dutch Police Hijacked Their Accounts

It took DEF CON hackers minutes to pwn these US voting machines

This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside.

In less than 90 minutes, the first cracks in the systems’ defenses started appearing, revealing an embarrassingly low level of security. Then one was hacked wirelessly.
[…]
The machines – from Diebolds to Sequoia and Winvote equipment – were bought on eBay or from government auctions, and an analysis of them at the DEF CON Voting Village revealed a sorry state of affairs. Some were running very outdated and exploitable software – such as unpatched versions of OpenSSL and Windows XP and CE. Some had physical ports open that could be used to install malicious software to tamper with votes.

Source: It took DEF CON hackers minutes to pwn these US voting machines

In Car Head up Displays

Life has changed since 2007 and 2012 so it’s time for a rundown of modern systems!

For around $400,- you get Navdy, which takes some time to set up but offers the best solution for sale at the moment. It has map navigation, notifications, direct sunlight, hand gestures and a control button on the steering wheel. You can answer calls, set up your music, etc. It’s well thought out and works best with your smartphone connected. It’s clearly visible in sunlight. It has its own screen through which you look.

homepage

amazon product page

Garmin has one which is way more basic, but also way cheaper at $150,-. It works with Garmin Streetpilot or Navigon apps for navigation. Also clearly visible in sunlight and has a reflector lens or can project onto a sticker on your windshield.

Garmin site + buy it

For around EUR 45,- you can buy an A8 system. It’s a bit more limited in its display (no navigation) and projects onto your windshield, which means you need to place a sticker in order to see it properly in daylight. For the price though, you can’t complain!

Megagadgets

Amazon

Then we have the category: put your smartphone in it and project onto a little screen. Hudway Glass is an example of this. At $50,- they are clearly overpriced (and you can buy them cheaper on Amazon!) and you also need HUD software for it (if you have an iPhone look at Atoll Ordenadores with ASmartHud+ and many others).

Hudway Glass

There are two promising pre-orders out there:

Exploride can be pre-ordered for $300 and will be produced for $500. This is a complete unit with its own screen and connects to your smartphone for lots of functionality.

Carloudy, which is an e-ink wireless HUD that connects to your smartphone. It has a voice command interface. It looks like it reflects onto a windshield sticker. You can sign into the public beta in the US now for $260,-

Finally the Continental HUD as used in Mercedes, Audi and BMW. The information is very basic but the visibility is great from all angles.

EVE Online’s Real Life Planet-Discovery Minigame Is Live Now

Project Discovery, a collaborative project between CCP Games, Massively Multiplayer Online Science (MMOS), and the University of Geneva, aims to use EVE’s playerbase to locate, identify and catalog real life planets outside the bounds of our own solar system. By quantifying scientific data provided by the Kepler Satellite telescope, EVE players can save university scholars hundreds of thousands of hours of work, and potentially advance their research by several years.

Source: EVE Online’s Real Life Planet-Discovery Minigame Is Live Now

Netherlands turns into total surveillance state: unsupervised mass internet tapping, storage and sharing with whoever they feel like

AMSTERDAM (Reuters) – The Dutch Senate passed a law early on Wednesday giving intelligence agencies broad new surveillance and other powers, including the ability to gather data from large groups of people at once.

The Senate’s approval was the last hurdle for the “tapping law,” which was moulded into its current form after years of debate and criticism from both the country’s constitutional courts and online privacy advocates.

The law, which was passed with broad support, will go into effect this month after it is signed by the country’s monarch and circulated in the official legislative newspaper.

Online rights group Bits of Freedom warned the Netherlands’ military and civil intelligence agencies will now have the opportunity to tap large quantities of internet data traffic, without needing to give clear reasons and with limited oversight.

They also object to a three-year term for storage of data that agencies deem relevant, and the possibility for them to exchange information they cull with foreign counterparts.

Source: Dutch pass ‘tapping’ law, intelligence agencies may gather data en masse

Bloke takes over every .io domain by snapping up crucial name servers

Want to control over 270,000 websites? That’ll be $96 and a handover cockup, please

Late Friday, Matthew Bryant noticed an unusual response to some test code he was using to map top-level domains: several of the .io authoritative name servers were available to register.

Out of interest, he tried to buy them and was amazed to find the registration went through – leaving him potentially in control of hundreds of thousands of websites.

These crucial name servers – specifically, a0.nic.io, b0.nic.io, c0.nic.io, ns-a1.io, ns-a2.io, ns-a3.io, and ns-a4.io – are like the telephone directories of the .io space. If your web browser wants to connect to, say, github.io, it may have to go out to one of these authoritative name servers to convert github.io into a public IP address to connect to.

Those nic.io and ns-aX.io addresses should be owned and maintained by .io’s operators. But Bryant was able to purchase and register ns-a1.io, ns-a2.io, ns-a3.io, and ns-a4.io, and point them at his own DNS servers, allowing him to, if he wanted, potentially redirect connections to any .io domain to a server of his choosing.
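As an added example (not code from the article or from the .io registry), here is the check a zone operator could run over its own delegation: for each NS host, work out which name would have to be registered for that host to exist, and confirm who holds it. The NS names are the seven from the article; the registrant table is constructed and stands in for a WHOIS/RDAP lookup. It also estimates the share of lookups a hijacked subset could answer, which generalises the article's four-of-seven case.

```python
# Added example: audit a zone's NS delegation for name-server hosts whose
# registrable domain is unregistered or held by someone other than the
# zone operator. Not code from the article; registry data is constructed.
from typing import Callable, Dict, List, Optional, Tuple

# The authoritative servers for .io as named in the article.
IO_NS_SET = ("a0.nic.io", "b0.nic.io", "c0.nic.io",
             "ns-a1.io", "ns-a2.io", "ns-a3.io", "ns-a4.io")

# Constructed registrant table standing in for a WHOIS/RDAP lookup.
# None means the name is not registered at all, i.e. anyone could buy it.
CONSTRUCTED_REGISTRY: Dict[str, Optional[str]] = {
    "nic.io": "io-registry",   # hypothetical operator handle
    "ns-a1.io": None,
    "ns-a2.io": None,
    "ns-a3.io": None,
    "ns-a4.io": None,
}

Finding = Tuple[str, str, str]  # (ns host, registrable domain, problem)


def registrable_domain(host: str, tld: str) -> str:
    """Return the name directly under the TLD that must be registered for
    `host` to resolve: a0.nic.io -> nic.io, ns-a1.io -> ns-a1.io.
    Assumes a TLD with no second-level public suffixes (true for .io)."""
    labels = host.lower().rstrip(".").split(".")
    if labels[-1] != tld:
        raise ValueError(f"{host} is not under .{tld}")
    if len(labels) < 2:
        raise ValueError(f"{host} is the TLD itself")
    return ".".join(labels[-2:])


def audit_delegation(ns_hosts, tld: str, operator: str,
                     lookup: Callable[[str], Optional[str]]) -> List[Finding]:
    """Flag every NS host whose registrable domain is unregistered (open to
    takeover) or registered to a party other than `operator`."""
    findings: List[Finding] = []
    for host in ns_hosts:
        domain = registrable_domain(host, tld)
        registrant = lookup(domain)
        if registrant is None:
            findings.append((host, domain, "unregistered: open to takeover"))
        elif registrant != operator:
            findings.append((host, domain, f"registered to {registrant}"))
    return findings


def exposed_query_share(ns_hosts, findings: List[Finding]) -> float:
    """Resolvers spread queries across the NS set, so the share of lookups a
    hijacked subset could answer is roughly flagged hosts over total hosts."""
    flagged = {host for host, _, _ in findings}
    return len(flagged) / len(ns_hosts)


if __name__ == "__main__":
    found = audit_delegation(IO_NS_SET, "io", "io-registry",
                             CONSTRUCTED_REGISTRY.get)
    for host, domain, problem in found:
        print(f"{host}: {domain} {problem}")
    print(f"share of .io lookups at risk: "
          f"{exposed_query_share(IO_NS_SET, found):.0%}")
```

Replacing `CONSTRUCTED_REGISTRY.get` with a real RDAP client turns this into a periodic check for dangling delegations.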

Source: Bloke takes over every .io domain by snapping up crucial name servers

.io registry is sticking its head in the sand. oops.

CIA Vault 7 tools steal active SSH sessions on Linux and Windows

BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.

Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine.

Web inventor Sir Tim and W3C decide to close up the web: world has 2 weeks to appeal

Traditionally, web technology has been open. HTML markup, CSS, and JavaScript code can be viewed (though not necessarily easily understood, thanks to minification), remixed, and reused. The web’s openness allowed it to flourish.

But those selling costly content – software and media companies – prefer open wallets to anything goes. So they have employed copy deterrence schemes based on proprietary technologies like Adobe Flash and Widevine to make high-value content viewable but not easily copyable in web browsers. However, this approach leaves much to be desired in terms of user experience and ongoing compatibility.

The Encrypted Media Extensions API – supported by companies like Apple, Google, Microsoft and Netflix and opposed by the free software community, academic researchers, and foes of anti-piracy mechanisms – provides a standards-based mechanism to display DRM-protected content in compliant web browsers.

Source: Web inventor Sir Tim sizes up handcuffs for his creation – and world has 2 weeks to appeal

The argument Tim Berners-Lee gives why he agreed to this (“If W3C did not recommend EME, then the browser vendors would just make it outside W3C,” he wrote. “…It is better for users for the DRM to be done through EME than other ways.”) is inane! If he doesn’t agree, then the vendors would all go around implementing different standards (as they historically and to the great annoyance of web designers everywhere have done) and DRM would only work on one type of browser. I thought by now we realised that DRM doesn’t work, is expensive in terms of money and resources and gets broken pretty much the day it leaves the factory.

Create a user called ‘0day’, get bonus root privs – thanks, Systemd!

To obtain root privileges on a Linux distribution that utilizes systemd for initialization, start with an invalid user name in the systemd.unit file.

Linux usernames are not supposed to begin with numbers, to avoid ambiguity between numeric UIDs and alphanumeric user names. Nevertheless, some modern Linux distributions, like RHEL7 and CentOS, allow this.

The systemd software will not allow unit files to be created with an invalid user name. But other tools can create such files.

Curiously, if systemd encounters an invalid name in a unit file, like “0day,” it will ignore the parameter and create the requested service. As the documentation states, “If systemd encounters an unknown option, it will write a warning log message but continue loading the unit.”

But it will run the unit with root privileges instead of rejecting it or adopting more restrictive permissions.
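As an added example (not code from the article or from systemd), here is a pre-deployment lint that catches the failure mode described above: a `User=` value systemd would treat as invalid and ignore, so the service silently runs as root. The name rule is the traditional POSIX convention the article cites (no leading digit); the unit files are constructed, and applying the same rule to `Group=` is an assumption.

```python
# Added example: lint systemd unit files for User=/Group= values that would
# be ignored as invalid, leaving the service running as root. Not code from
# the article or from systemd; sample unit files are constructed.
import re
from typing import Dict, List

# Traditional POSIX user-name rule: starts with a letter or underscore,
# then letters, digits, underscore or hyphen; max 32 characters.
# Distributions that accept names like "0day" are laxer than this rule.
VALID_NAME_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_-]{0,31}$")

# Constructed unit that triggers the bug described in the article.
VULNERABLE_UNIT = """\
[Unit]
Description=constructed demo service

[Service]
User=0day
ExecStart=/usr/bin/true
"""

# Same unit with a conventional service account name (hypothetical).
HARDENED_UNIT = VULNERABLE_UNIT.replace("User=0day", "User=svc-demo")


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal parser for the INI-like unit format. Values are kept as lists
    because a key may legitimately repeat (e.g. several ExecStartPre=)."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # continuation lines and junk are out of scope here
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def lint_service_identity(text: str) -> List[str]:
    """Return findings about who the service would run as. An empty list
    means the unit pins a valid, non-root user (and valid group, if set)."""
    findings: List[str] = []
    service = parse_unit(text).get("Service", {})
    users = service.get("User", [])
    if not users:
        findings.append("no User= set: service will run as root")
    for user in users:
        if not VALID_NAME_RE.match(user):
            findings.append(f"User={user!r} is not a valid user name; "
                            "systemd will warn, drop it, and run as root")
        elif user == "root":
            findings.append("User=root: service runs as root explicitly")
    for group in service.get("Group", []):  # assumed: same rule for groups
        if not VALID_NAME_RE.match(group):
            findings.append(f"Group={group!r} is not a valid group name")
    return findings


if __name__ == "__main__":
    for label, unit in (("vulnerable", VULNERABLE_UNIT),
                        ("hardened", HARDENED_UNIT)):
        print(label, lint_service_identity(unit) or ["ok"])
```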

Source: Create a user called ‘0day’, get bonus root privs – thanks, Systemd!

Systemd claims it’s not a bug!

At 18, He Strapped a Rocket Engine to His Bike. Now He’s Taking on SpaceX: Rocket Lab, led by someone who knows what he’s doing!

After decades of tinkering, Peter Beck and Rocket Lab are poised to bring low-cost launches to the world.

Source: At 18, He Strapped a Rocket Engine to His Bike. Now He’s Taking on SpaceX

As opposed to running a company on insane working hours and crazy project changes, this guy is launching rockets at $5m per pop, doing 500lbs. He has a launch site that allows for a huge amount of launches into many different areas. His engines are simple and actually work. It’s a great story of a space startup that looks like it actually will work.

NASA QueSST goes supersonic quietly

NASA has achieved a significant milestone in its effort to make supersonic passenger jet travel over land a real possibility by completing the preliminary design review (PDR) of its Quiet Supersonic Transport or QueSST aircraft design. QueSST is the initial design stage of NASA’s planned Low Boom Flight Demonstration (LBFD) experimental airplane, otherwise known as an X-plane.

Senior experts and engineers from across the agency and the Lockheed Martin Corporation concluded Friday that the QueSST design is capable of fulfilling the LBFD aircraft’s mission objectives, which are to fly at supersonic speeds, but create a soft “thump” instead of the disruptive sonic boom associated with supersonic flight today. The LBFD X-plane will be flown over communities to collect data necessary for regulators to enable supersonic flight over land in the United States and elsewhere in the world.

NASA partnered with lead contractor, Lockheed Martin, in February 2016 for the QueSST preliminary design. Last month, a scale model of the QueSST design completed testing in the 8-by 6-foot supersonic wind tunnel at NASA’s Glenn Research Center in Cleveland.

Source: The QueSST for Quiet | NASA

HMS QE: Britain’s newest Aircraft Carrier runs Windows XP

The Royal Navy’s brand new £3.5bn aircraft carrier HMS Queen Elizabeth is currently* running Windows XP in her flying control room, according to reports.

Defence correspondents from The Times and The Guardian, when being given a tour of the carrier’s aft island – the rear of the two towers protruding above the ship’s main deck – spotted Windows XP apparently in the process of booting up on one of the screens in the flying control room, or Flyco.

“A computer screen inside a control room on HMS Queen Elizabeth was displaying Microsoft Windows XP – copyright 1985 to 2001 – when a group of journalists was given a tour of the £3 billion warship last week,” reported Deborah Haynes of The Times, accurately describing the copyright information on the XP loading screen.

Source: HMS Windows XP: Britain’s newest warship running Swiss Cheese OS

Oh dear oh dear

Intel’s Skylake and Kaby Lake CPUs have nasty microcode bug

The Debian advisory says affected users need to disable hyper-threading “immediately” in their BIOS or UEFI settings, because the processors can “dangerously misbehave when hyper-threading is enabled.”

Symptoms can include “application and system misbehaviour, data corruption, and data loss”.

Henrique de Moraes Holschuh, who authored the Debian post, notes that all operating systems, not only Linux, are subject to the bug.
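As an added example (not code from the article or from Debian), here is a host check for the advisory's condition: an Intel Skylake or Kaby Lake part with hyper-threading enabled. It parses `/proc/cpuinfo` text, the sample below being constructed; the family-6 model numbers are Intel's published IDs for those cores, not values taken from the article.

```python
# Added example: report whether a Linux host runs a Skylake/Kaby Lake CPU
# with hyper-threading enabled, the combination the Debian advisory warns
# about. Not code from the article; the cpuinfo sample is constructed.
from typing import Dict, List

# Intel family 6 model numbers as /proc/cpuinfo prints them (decimal):
# 78 and 94 are Skylake client parts, 142 and 158 are Kaby Lake client parts.
AFFECTED_MODELS = {6: {78, 94, 142, 158}}

# Constructed /proc/cpuinfo excerpt: two logical CPUs of a model-94 part
# with 8 siblings on 4 cores, i.e. hyper-threading is on.
CONSTRUCTED_CPUINFO_HT_ON = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 94
model name\t: constructed Skylake sample
siblings\t: 8
cpu cores\t: 4

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 94
model name\t: constructed Skylake sample
siblings\t: 8
cpu cores\t: 4
"""

# Same part after hyper-threading was disabled in firmware: 4 siblings, 4 cores.
CONSTRUCTED_CPUINFO_HT_OFF = CONSTRUCTED_CPUINFO_HT_ON.replace(
    "siblings\t: 8", "siblings\t: 4")


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Return one key->value dict per 'processor' block (blocks are
    separated by blank lines in /proc/cpuinfo)."""
    cpus: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def assess(text: str) -> Dict[str, bool]:
    """Decide from the first processor block whether the advisory applies."""
    cpus = parse_cpuinfo(text)
    if not cpus:
        raise ValueError("no processor blocks found")
    cpu = cpus[0]
    family, model = int(cpu["cpu family"]), int(cpu["model"])
    affected = (cpu.get("vendor_id") == "GenuineIntel"
                and model in AFFECTED_MODELS.get(family, set()))
    # More logical siblings than physical cores means SMT/HT is active.
    ht_enabled = int(cpu["siblings"]) > int(cpu["cpu cores"])
    return {"affected_model": affected,
            "ht_enabled": ht_enabled,
            "action_needed": affected and ht_enabled}


if __name__ == "__main__":
    with open("/proc/cpuinfo") as fh:  # run on a real Linux host
        print(assess(fh.read()))
```

On an affected host the fix is firmware: disable hyper-threading in BIOS/UEFI until a microcode update is applied.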

Source: Intel’s Skylake and Kaby Lake CPUs have nasty microcode bug

Here’s hoping your mobo supplier releases a BIOS / UEFI update soon…

Obama’s secret struggle to punish Russia for Putin’s election assault

The White House debated various options to punish Russia, but facing obstacles and potential risks, it ultimately failed to exact a heavy toll on the Kremlin for its election meddling.

Source: Obama’s secret struggle to punish Russia for Putin’s election assault

Anthem to shell out $115m in largest-ever data theft settlement: 1/3rd goes to lawyers, 10% to Experian, much to taxes, leaves around 10% for victims. Shows you what use the Law is for justice.

If you were one of those hit by the intrusion, don’t expect a big payout. Plenty of others will be getting their cuts first. According to the terms of the settlement, a full third of the package ($37,950,000) has been earmarked to cover attorney fees.

An additional $17m will be paid out to Experian, who is handling the credit and identity monitoring services for victims. Any taxes the government levies on the $115m payout will also be deducted from the fund itself.

After all that, people affected will be able to fill out the necessary forms to claim a share of the settlement, including coverage of out-of-pocket expenses they have incurred from the breach (but only up to $15m – beyond that no more out-of-pocket claims will be accepted).

Source: Anthem to shell out $115m in largest-ever data theft settlement

The amount of money going to the lawyers and Experian beggars belief! There is no way this can have been possible within an in any way sane hourly fee. The fact that almost none goes to the 78.8 million victims shows you the law is self-serving and has nothing to do with justice.

Password Reset man in the middle attack

The Password Reset Man in the Middle (PRMITM) attack exploits the similarity of the registration and password reset processes.

To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource (e.g. free software). Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on).

Every request for input from that site is forwarded to the potential victim, and his or her answers are then forwarded back to that particular site.

Source: Password Reset MITM: Exposing the need for better security choices – Help Net Security

That this works is down to some serious cognitive laziness during the registration process!
