MINIX: Intel’s Hidden In-chip Operating System

Steven J. Vaughan-Nichols, writing for ZDNet: Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, “Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME.” At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer, reported that systems using Intel chips that have AMT are running MINIX. So, what’s it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don’t know exactly what version or how it’s been modified since we don’t have the source code. In addition, thanks to Minnich and his fellow researchers’ work, MINIX is running on three separate x86 cores on modern chips. There, it’s running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer’s firmware even if it’s powered off. Let me repeat that. If your computer is “off” but still plugged in, MINIX can still potentially change your computer’s fundamental settings. And, for even more fun, it “can implement self-modifying code that can persist across power cycles.” So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. According to Minnich, “there are big giant holes that people can drive exploits through.” He continued, “Are you scared yet? If you’re not scared yet, maybe I didn’t explain it very well, because I sure am scared.” Also read: Andrew S. Tanenbaum’s (a professor of Computer Science at Vrije Universiteit) open letter to Intel. Read more of this story at Slashdot.

Hole In The Ozone Layer Smallest In 29 Years

An anonymous reader quotes the Weather Channel: The hole in the ozone layer over Antarctica is the smallest it’s been since 1988, NASA said. According to a press release, the hole in the Earth’s ozone layer is 1.3 million square miles smaller than last year and 3.3 million square miles smaller than 2015… This year, the hole grew to 7.6 million square miles. NASA and NOAA scientists said warmer temperatures and a stormier upper atmosphere helped keep damaging chemicals chlorine and bromine from eating ozone from the layer that protects the Earth’s surface from harmful ultraviolet rays… The hole that hovers over Antarctica has been slowly recovering, scientists say, due to an international ban on harmful chemicals that were previously used in refrigerants and aerosols. The hole was its largest in 2000 and measured 11.5 million square miles. Although recovery is underway, the size of the hole remains large compared to the 1980s, when the hole was first detected, NASA noted. And while there has been significant healing of the ozone layer in recent years, some scientists say full healing is a slow process and will not occur until sometime in the 22nd century, Yale Environment 360 reports. Others expect the Antarctic ozone hole to recover back to 1980 levels around 2070, NASA said.

TorMoil Vulnerability Leaks Real IP Address From Tor Browser Users; Security Update Released

Catalin Cimpanu, reporting for BleepingComputer: The Tor Project has released a security update for the Tor Browser on Mac and Linux to fix a vulnerability that leaks users’ real IP addresses. The vulnerability was spotted by Filippo Cavallarin, CEO of We Are Segment, an Italian company specialized in cyber-security and ethical hacking. Cavallarin privately reported the issue — which he codenamed TorMoil — to the Tor Project last week. Tor Project developers worked with the Firefox team (Tor Browser is based on the Firefox browser) to release a fix. Today, the Tor team released version 7.0.9 to address the vulnerability. Tor Browser 7.0.9 is only available for Mac and Linux users. Tor Browser on Windows is not affected.

Android Oreo Bug Sends Thousands of Phones Into Infinite Boot Loops

An anonymous reader writes: A bug in the new “Adaptive Icons” feature introduced in Android Oreo has sent thousands of phones into infinite boot loops, forcing some users to reset their devices to factory settings, causing users to lose data along the way. The bug was discovered by Jcbsera, the developer of the Swipe for Facebook Android app (energy-efficient Facebook wrapper app), and does not affect Android Oreo (8.0) in its default state. The bug occurs only with apps that use adaptive icons — a new feature introduced in Android Oreo that allows icons to change shape and size based on the device they’re viewed on, or the type of launcher the user is using on his Android device. For example, adaptive icons will appear in square, rounded, or circle containers depending on the theme or launcher the user is using. The style of adaptive icons is defined in a local XML file. The bug first manifested itself when the developer of the Swipe for Facebook Android app accidentally renamed the foreground image of his adaptive icon with the same name as this XML file (ic_launcher_main.png and ic_launcher_main.xml). This naming scheme sends Android Oreo into an infinite loop that regularly crashes the device. At one point, Android detects something is wrong and prompts the user to reset the device to factory settings. Users don’t have to open an app, and the crashes still happen just by having an app with malformed adaptive icon artifacts on your phone. Google said it will fix the issue in Android Oreo 8.1.

Critical Flaws In Maritime Communications System Could Endanger Entire Ships

Orome1 shares a report from Help Net Security: IOActive security consultant Mario Ballano has discovered two critical cybersecurity vulnerabilities affecting Stratos Global’s AmosConnect communication shipboard platform. The platform works in conjunction with the ships’ satellite equipment, and integrates vessel and shore-based office applications, as well as provides services like Internet access for the crew, email, IM, position reporting, etc. The first vulnerability is a blind SQL injection in a login form. Attackers that successfully exploit it can retrieve credentials to log into the service and access sensitive information stored in it. The second one is a built-in backdoor account with full system privileges. “Among other things, this vulnerability allows attackers to execute commands with SYSTEM privileges on the remote system by abusing AmosConnect Task Manager,” Ballano shared. The found flaws can be exploited only by an attacker that has access to the ship’s IT systems network, he noted, but on some ships the various networks might not be segmented, or AmosConnect might be exposed to one or more of them. The vulnerabilities were found in AmosConnect 8.4.0, and Stratos Global was notified a year ago. But Inmarsat won’t fix them, and has discontinued the 8.0 version of the platform in June 2017.

Saudi Arabia Becomes First Nation To Grant Citizenship To Humanoid Robot

Saudi Arabia became the first country in the world to offer citizenship to a humanoid robot, but Brad Keywell, CEO of Uptake, a predictive analytics technology company, told FOX Business on Thursday artificial intelligence (AI) will not replace humans anytime soon. From a report: “Humans are made super-human through the intelligence that can be derived from these sensors and there is a clear argument that’s made about the possibility that there will be no humans, there’d be just autonomous everything… but this is something that has historically involved humans and I just don’t see that changing,” he told Maria Bartiromo on “Mornings with Maria.” Uptake’s products are used in a collection of industries ranging from energy to aviation, helping “people and machines work better and faster,” according to the company website.

Justice Department Demands Five Twitter Users’ Personal Info Over an Emoji

An anonymous reader quotes a report from Techdirt: Back in May, the Justice Department — apparently lacking anything better to do with its time — sent a subpoena to Twitter, demanding a whole bunch of information on five Twitter users, including a few names that regular Techdirt readers may be familiar with. If you can’t see that, it’s a subpoena asking for information on the following five Twitter users: @dawg8u (“Mike Honcho”), @abtnatural (“Virgil”), @Popehat (Ken White), @associatesmind (Keith Lee) and @PogoWasRight (Dissent Doe). I’m pretty sure we’ve talked about three of those five in previous Techdirt posts. Either way, they’re folks who are quite active in legal/privacy issues on Twitter. And what info does the DOJ want on them? Well, basically everything: [users’ names, addresses, IP addresses associated with their time on Twitter, phone numbers and credit card or bank account numbers.] That’s a fair bit of information. Why the hell would the DOJ want all that? Would you believe it appears to be over a single tweet from someone to each of those five individuals that consists entirely of a smiley face? I wish I was kidding. Here’s the tweet and then I’ll get into the somewhat convoluted back story. The tweet is up as I write this, but here’s a screenshot in case it disappears. The Department of Justice’s subpoena is intended to address allegations that Shafer, who has a history of spotting weak encryption and drawing attention to it, cyberstalked an FBI agent after the agency raided his home. Vanity Fair summarizes the incident: “In 2013, Shafer discovered that FairCom’s data-encryption package had actually exposed a dentist’s office to data theft. An F.T.C. settlement later validated Shafer’s reporting, but in 2016, when another dentist’s office responded to Shafer’s disclosure by claiming he’d violated the Computer Fraud and Abuse Act and broken the law, the F.B.I. raided his home and confiscated many of his electronics. Shafer was particularly annoyed at F.B.I. Special Agent Nathan Hopp, who helped to conduct the raid, and who was later involved in a different case: in March, he compiled a criminal complaint involving the F.B.I.’s arrest of a troll for tweeting a flashing GIF at journalist Kurt Eichenwald, who is epileptic. Shafer began to compile publicly available information about Hopp, sharing his findings on Twitter. The Twitter users named in the subpoena had started a separate discussion about Hopp, with one user calling Hopp the “least busy F.B.I. agent of all time,” a claim that prompted Shafer’s smiley-faced tweet.”

Kaspersky Admits To Reaping Hacking Tools From NSA Employee PC

Kaspersky has acknowledged that code belonging to the US National Security Agency (NSA) was lifted from a PC for analysis but insists the theft was not intentional. From a report: In October, a report from the Wall Street Journal claimed that in 2015, the Russian firm targeted an employee of the NSA known for working on the intelligence agency’s hacking tools and software. The story suggested that the unnamed employee took classified materials home and operated on their PC, which was running Kaspersky’s antivirus software. Once these secretive files were identified — through an avenue carved by the antivirus — the Russian government was then able to obtain this information. Kaspersky has denied any wrongdoing, but the allegation that the firm was working covertly with the Russian government was enough to ensure Kaspersky products were banned on federal networks. There were a number of theories relating to what actually took place — was Kaspersky deliberately targeting NSA employees on behalf of the Kremlin, did an external threat actor exploit a zero-day vulnerability in Kaspersky’s antivirus, or were the files detected and pulled by accident? According to Kaspersky, the latter is true. On Wednesday, the Moscow-based firm said in a statement that the results of a preliminary investigation have produced a rough timeline of how the incident took place. It was actually a year earlier than the WSJ believed, in 2014, that code belonging to the NSA’s Equation Group was taken.

China Shuts Down Tens Of Thousands Of Factories In Widespread Pollution Crackdown

Buildings in China are shrouded in smog. From a report: China has implemented an unprecedented pollution crackdown in recent months as the country shuts down tens of thousands of factories. The effort is part of a national effort to address China’s infamous pollution and has affected wide swaths of China’s manufacturing sector. In total, it is estimated that 40 percent of all China’s factories have been shut down at some point in order to be inspected by environmental bureau officials. As a result of these inspections over 80,000 factories have been hit with fines and criminal offenses as a result of their emissions. Safety officials have been moving from province to province (30 in total so far) shutting down factories as well as electricity and gas as they inspect the factories for meeting emissions requirements. This has resulted in late and missed orders, increased costs, and could ultimately result in higher prices on US shelves.

2 Million IoT Devices Enslaved By Fast-Growing BotNet

An anonymous reader writes: Since mid-September, a new IoT botnet has grown to massive proportions. Codenamed IoT_reaper, researchers estimate its current size at nearly two million infected devices. According to researchers, the botnet is mainly made up of IP-based security cameras, routers, network-attached storage (NAS) devices, network video recorders (NVRs), and digital video recorders (DVRs), primarily from vendors such as Netgear, D-Link, Linksys, GoAhead, JAWS, Vacron, AVTECH, MikroTik, TP-Link, and Synology. The botnet reuses some Mirai source code, but it’s unique in its own right. Unlike Mirai, which relied on scanning for devices with weak or default passwords, this botnet was put together using exploits for unpatched vulnerabilities. The botnet’s author is still struggling to control his botnet, as researchers spotted over two million infected devices sitting in the botnet’s C&C servers’ queue, waiting to be processed. As of now, the botnet has not been used in live DDoS attacks, but the capability is in there. Today is the one-year anniversary of the Dyn DDoS attack, the article points out, adding that “This week both the FBI and Europol warned about the dangers of leaving Internet of Things devices exposed online.”
