Hackers Manage To Run Linux On a Nintendo Switch

Romain Dillet reports via TechCrunch: Hacker group fail0verflow shared a photo of a Nintendo Switch running Debian, a distribution of Linux. The group claims that Nintendo can’t fix the vulnerability with future firmware patches. According to fail0verflow, there’s a flaw in the boot ROM in Nvidia’s Tegra X1 system-on-a-chip. When your console starts, it reads and executes a piece of code stored in a read-only memory (hence the name ROM). This code contains instructions about the booting process. It means that the boot ROM is stored on the chip when Nvidia manufactures it and it can’t be altered in any way after that. Even if Nintendo issues a software update, this software update won’t affect the boot ROM. And as the console loads the boot ROM immediately after pressing the power button, there’s no way to bypass it. The only way to fix it would be to manufacture new Nvidia Tegra X1 chips. So it’s possible that Nintendo asks Nvidia to fix the issue so that new consoles don’t have this vulnerability.


Attackers Drain CPU Power From Water Utility Plant In Cryptojacking Attack

darthcamaro writes: Apparently YouTube isn’t the only site that is draining CPU power with unauthorized cryptocurrency miners. A water utility provider in Europe is literally being drained of its CPU power via a cryptojacking attack that was undetected for three weeks. eWeek reports: “At this point, Radiflow’s (the security firm that discovered the cryptocurrency mining malware) investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising site. As such, the theory that Radiflow CTO Yehonatan Kfir has is that an operator at the water utility was able to open a web browser and clicked on an advertising link that led to the mining code being installed on the system. The actual system that first got infected is what is known as a Human Machine Interface (HMI) to the SCADA network and it was running the Microsoft Windows XP operating system. Radiflow’s CEO, Ilan Barda, noted that many SCADA environments still have Windows XP systems deployed as operators tend to be very slow to update their operating systems.” Radiflow doesn’t know how much Monero (XMR) cryptocurrency was mined by the malware, but a recent report from Cisco’s Talos research group revealed that some of the top unauthorized cryptocurrency campaigns generate over a million dollars per year. The average system would generate nearly $200,000 per year.


Why Windows Vista Ended Up Being a Mess

alaskana98 shares an article called “What Really Happened with Vista: An Insider’s Retrospective.” Ben Fathi, formerly a manager of various teams at Microsoft responsible for storage, file systems, high availability/clustering, file level network protocols, distributed file systems, and related technologies and later security, writes: Imagine supporting that same OS for a dozen years or more for a population of billions of customers, millions of companies, thousands of partners, hundreds of scenarios, and dozens of form factors — and you’ll begin to have an inkling of the support and compatibility nightmare. In hindsight, Linux has been more successful in this respect. The open source community and approach to software development is undoubtedly part of the solution. The modular and pluggable architecture of Unix/Linux is also a big architectural improvement in this respect. An organization, sooner or later, ships its org chart as its product; the Windows organization was no different. Open source doesn’t have that problem… I personally spent many years explaining to antivirus vendors why we would no longer allow them to “patch” kernel instructions and data structures in memory, why this was a security risk, and why they needed to use approved APIs going forward, that we would no longer support their legacy apps with deep hooks in the Windows kernel — the same ones that hackers were using to attack consumer systems. Our “friends”, the antivirus vendors, turned around and sued us, claiming we were blocking their livelihood and abusing our monopoly power! With friends like that, who needs enemies? I like how the essay ends. “Was it an incredibly complex product with an amazingly huge ecosystem (the largest in the world at that time)? Yup, that it was. Could we have done better? Yup, you bet… Hindsight is 20/20.”


Unlocked PS4 consoles can now run copies of PS2 games

Video of Dragon Ball Z Budokai Tenkaichi 3 for the PS2 running on an unlocked PlayStation 4. After years of work, hackers have finally managed to unlock the PS4 hardware with an exploit that lets the system run homebrew and pirated PS4 software. In a somewhat more surprising discovery, those hackers have also unlocked the ability to run many PS2 games directly on the console, using the same system-level emulation that powers legitimate PlayStation Classics downloads. While hackers managed to install Linux on the PS4 years ago, the biggest breakthrough in the PS4 hacking scene came late last month, when two different teams of hackers released a WebKit exploit for version 4.05 of the PS4 firmware. That firmware was patched (and automatically updated on many systems) in late 2016, and there’s currently no known way to downgrade an updated system to the older firmware, which limits the range of consoles that can run the exploit. For compatible consoles, though, the kernel-level exploit allows for pretty much full control of the system, including the running of unsigned code.


Wine 3.0 Released

prisoninmate shares a report from Softpedia: The Wine (Wine Is Not an Emulator) project has been updated today to version 3.0, a major release that ends 2017 in style for the open-source compatibility layer capable of running Windows apps and games on Linux-based and UNIX-like operating systems. Almost a year in the works, Wine 3.0 comes with amazing new features like an Android driver that lets users run Windows apps and games on Android-powered machines, Direct3D 11 support enabled by default for AMD Radeon and Intel GPUs, AES encryption support on macOS, Progman DDE support, and a task scheduler. In addition, Wine 3.0 introduces the ability to export registry entries with the reg.exe tool, adds various enhancements to the relay debugging and OLE data cache, as well as an extra layer of event support in MSHTML, Microsoft’s proprietary HTML layout engine for the Windows version of the Internet Explorer web browser. You can read the full list of features and download Wine 3.0 from WineHQ’s website.


Meltdown and Spectre CPU flaws threaten PCs, phones and servers

By now you’ve probably heard about a bug Intel is dealing with that affects processors built since 1995. But according to the people who found “Meltdown” and “Spectre,” the errors behind these exploits can let someone swipe data running in other apps on devices using hardware from Intel, ARM and AMD. While server operators (like Amazon) apply Linux patches to keep people from accessing someone else’s information that’s being executed on the same system, what does this mean for your home computer or phone? Google’s Project Zero researchers identified the problems last year, and according to its blog post, execution is “difficult and limited” on the majority of Android devices. A list of potentially impacted services and hardware is available here, while additional protection has been added in the latest Android security update. In a statement, Microsoft said: “We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD.” In a blog post directed towards customers on its Azure server platform, the company said its infrastructure has already been updated, and that a “majority” of customers should not see a performance impact. Apple has not publicly commented on the issue, however security researcher Alex Ionescu points out that macOS 10.13.2 addresses the issue and said that the 10.13.3 update will include “surprises.” According to AMD, “Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time,” however it has promised further updates as the information comes out. As for ARM, it says most processors are unaffected but it has specific information on the types that are available here. So what does this mean for you? On your devices the prescription is the same as always — make sure you have the latest security updates installed and try to avoid malware-laden downloads from suspicious or unknown sources. Source: MeltdownAttack.com


Louisiana Police Bust an Infamous Nigerian Email Spam Scammer

MojoKid writes: You have probably at some point been contacted via email spam by someone claiming you are the beneficiary in a will of a Nigerian prince. As the scam goes, all you have to do is submit your personal information and Western Union some funds to process the necessary paperwork, and in return you will receive millions of dollars. One of the people behind the popular scam, Michael Neu, has been arrested by police in Slidell, Louisiana. This may come as a shocker, but Neu is not a prince, nor is he Nigerian. He is a 67-year-old male possibly of German descent (based on his last name) who is facing 269 counts of wire fraud and money laundering for his alleged role as a middle man in the scheme. According to Slidell police, some of the money obtained by Neu was wired to co-conspirators who do actually live in Nigeria.


Plexamp, Plex’s Spin on the Classic Winamp Player, Is the First Project From New Incubator Plex Labs

Media software maker Plex today announced a new incubator and community resource called Plex Labs. “The idea here is to help the company’s internal passion projects gain exposure, along with those from Plex community members,” reports TechCrunch. “Plex Labs is also unveiling its first product: a music player called Plexamp,” which is designed to replace the long-lost Winamp. From the report: The player was built by several Plex employees in their free time, and is meant for those who use Plex for music. As the company explains in its announcement, the goal was to build a small player that sits unobtrusively on the desktop and can handle any music format. The team limited itself to a single window, making Plexamp the smallest Plex player to date, in terms of pixel size. Under the hood, Plexamp uses the open source audio player Music Player Daemon (MPD), along with a combination of ES7, Electron, React, and MobX technologies. The end result is a player that runs on either macOS or Windows and works like a native app. That is, you can use media keys for skipping tracks or playing and pausing music, and receive notifications. The player can also handle any music format, and can play music offline when the Plex server runs on your laptop. The player also supports gapless playback, soft transitions and visualizations to accompany your music. Plus, the visualizations’ palette of colors is pulled from the album art, Plex notes. Additionally, Plexamp makes use of a few up-and-coming features that will be included in Plex’s subscription, Plex Pass, in the future. These new features are powering functionality like loudness leveling (to normalize playback volume), smart transitions (to compute the optimal overlap times between tracks), soundprints (to represent tracks visually), waveform seeking (to present a graphical view of tracks), Library stations, and artist radio.


Linux Pioneer Munich Confirms Switch To Windows 10

The German city of Munich, once seen as an open-source pioneer, has decided to return to Windows. Windows 10 will be rolled out to about 29,000 PCs at the city council, a major shift for an authority that has been running Linux for more than a decade. From a report: Back in 2003 the council decided to switch to a Linux-based desktop, which came to be known as LiMux, and other open-source software, despite heavy lobbying by Microsoft. But now Munich will begin rolling out a Windows 10 client from 2020, at a cost of about Euro 50m ($59.6m), with a view to Windows replacing LiMux across the council by early 2023. Politicians who supported the move at a meeting of the full council today say using Windows 10 will make it easier to source compatible applications and hardware drivers than it has been using a Linux-based OS, and will also reduce costs associated with running Windows and LiMux PCs side-by-side.


PC vendors scramble as Intel announces vulnerability in firmware

Intel has issued a security alert that management firmware on a number of recent PC, server, and Internet-of-Things processor platforms is vulnerable to remote attack. Using the vulnerabilities, the most severe of which was uncovered by Mark Ermolov and Maxim Goryachy of Positive Technologies Research, remote attackers could launch commands on a host of Intel-based computers, including laptops and desktops shipped with Intel Core processors since 2015. They could gain access to privileged system information, and millions of computers could essentially be taken over as a result of the bug. The company has posted a detection tool on its support website for Windows and Linux to help identify systems that are vulnerable. In the security alert, members of Intel’s security team stated that “in response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience.” Four vulnerabilities were discovered that affect Intel Management Engine firmware versions 11.0 through 11.20. Two were found in earlier versions of ME, as well as two in Server Platform Services version 4.0 firmware and two in TXE version 3.0.
