No Comment Diary

The News Without Comment


security – Ars Technica

Microsoft abandons typical Patch Tuesday playbook to fix Equation Editor flaw

When a company like Microsoft needs to fix a security flaw in one of its products, the process is normally straightforward: determine where the bug lies, change the program’s source code to fix the bug, and then recompile the program. But it looks like the company had to step outside this typical process for one of the flaws it patched this Tuesday. Instead of fixing the source code, it appears that the company’s developers made a series of careful changes directly to the buggy program’s executable file.

Firefox’s major Quantum upgrade now rolling out to everyone

Firefox is fast now. (credit: Mozilla)

Mozilla is working on a major overhaul of its Firefox browser, and, with the general release of Firefox 57 today, has reached a major milestone. The version of the browser coming out today has a sleek new interface and, under the hood, major performance enhancements, with Mozilla claiming that it’s as much as twice as fast as it was a year ago. Not only should it be faster to load and render pages, but its user interface should remain quick and responsive even under heavy load with hundreds of tabs.

Collectively, the performance work being done to modernize Firefox is called Project Quantum. We took a closer look at Quantum back when Firefox 57 hit the developer channel in September, but the short version is, Mozilla is rebuilding core parts of the browser, such as how it handles CSS stylesheets, how it draws pages on-screen, and how it uses the GPU.

This work is being motivated by a few things. First, the Web has changed since many parts of Firefox were initially designed and developed; pages are more dynamic in structure and applications are richer and more graphically intensive. JavaScript is also more complex and difficult to debug. Second, computers now have many cores and simultaneous threads, giving them much greater scope to work in parallel. And security remains a pressing concern, prompting the use of new techniques to protect against exploitation. Some of the rebuilt portions are even using Mozilla’s new Rust programming language, which is designed to offer improved security compared to C++.


Facebook is struggling to meet the burden of securing itself, security chief says

Facebook Chief Security Officer Alex Stamos. (credit: Dave Maass)

Facebook is struggling to live up to the responsibility it faces for adequately securing the vast amount of personal information it amasses, the social network’s top security executive said in a leaked phone call with company employees.

"The threats that we are facing have increased significantly and the quality of the adversaries that we are facing," Facebook Chief Security Officer Alex Stamos said during a taped call, which was reported Thursday by ZDNet. "Both technically and from a cultural perspective, I don’t feel like we have caught up with our responsibility."

He continued:


If Bill Gates really thinks ctrl-alt-del was a mistake, he should have fixed it himself

An IBM keyboard signed by ctrl-alt-del inventor, David Bradley (credit: Ross Grady)

Once again, Bill Gates has bemoaned the creation of the ctrl-alt-del shortcut. Talking at Bloomberg Global Business Forum, Gates reiterates that he wishes IBM had created a dedicated button for the feature. We’re republishing this piece from 2013, because we still think that Gates’ telling of the story is a little misleading; for IBM it was a feature, not a flaw, that ctrl-alt-del requires two hands, and if Microsoft really wanted a single button ctrl-alt-del for Windows NT, it was Microsoft, not IBM, with the market dominance to achieve that.

Speaking at Harvard earlier this month, Bill Gates was asked why you have to press ctrl-alt-del before you can enter your password and log in to Windows. After explaining the security rationale, Gates then said that it was a "mistake," and that it was due to IBM refusing to add a single button to take the place of the three finger salute.

It’s a nice story, but it doesn’t really add up.


Microsoft: Windows getting more stable, faster, and lasting longer on battery

With Windows breaking less often, scenes like this should become a thing of the past.


Windows 10 is getting better and better, Microsoft insists, as it works to build confidence in the operating system in the run up to the next major update. The company says that the Creators Update (version 1703) has seen a 39 percent drop in driver and operating system stability issues relative to the Anniversary Update (version 1607).

Performance is better too; according to Microsoft’s telemetry, boot time is 13 percent faster, logging in 18 percent faster, and facial recognition 30 percent faster. There are incremental improvements in battery life, too, from 2.5 to 5 percent longer life watching videos in the Movies & TV app, and a 17 percent improvement in the Edge browser.

The subtext to these numbers is that Microsoft is still working to convince customers, especially corporate customers, that the new Windows development model is working, and that the company is hearing the feedback. The Anniversary Update was rapidly deployed, and it hit a number of issues soon after launch, causing problems for both consumers and enterprise users alike.

The unlabelled axes make it impossible to know just how many times people contact support for Windows 10, but clearly the number is declining.

Microsoft had to examine how it handled deployments, and the result is a much more conservative, much more careful staged deployment. Five months after the Creators Update was released, it was only on two-thirds of Windows machines, compared to 85 percent at the same stage for the Anniversary Update. This less-aggressive rollout seems to have done a good job; there have been far fewer complaints about the Creators Update, and in general it has worked as it should.

The numbers also send a message that the updates are worthwhile: even if the major features of each update aren’t of interest, the improved stability, battery life, and security capabilities are valuable and make updates worth having. This is particularly important for Enterprise customers, as it means they shouldn’t be tempted by the Long Term Servicing Channel version of Windows. This version doesn’t receive the six-monthly updates and instead uses the traditional, familiar ten-year servicing model that previous versions of Windows used. On the basis of this data, the last LTSC version (which coincided with the Anniversary Update) is meaningfully less stable and efficient than the current mainstream version.

Underpinning the slower rollout and stability data is, of course, the contentious collection of telemetry data. Microsoft uses the data to, among other things, detect deployment issues with the Creators Update and, if necessary, delay its rollout to problematic hardware, drivers, or other software. The Fall Creators Update will give enterprises a little more control over which telemetry data is collected, but a built-in way to disable telemetry collection entirely remains out of reach for regular consumers.

Azure Confidential Computing will keep data secret, even from Microsoft

The Trusted Execution Environment means that, even if the application and operating system are compromised, the green code and data can’t be accessed. (credit: Microsoft)

Microsoft announced today a new feature coming to its Azure cloud platform named "Confidential Compute." The feature will allow applications running on Azure to keep data encrypted not only when it’s at rest (in storage) or in transit (over a network) but also when it’s being computed on in memory. This ability to encrypt data while it’s in use means that it can be kept secure even from Microsoft’s administrators, government warrants, and hackers.

Confidential Computing will have two modes: one is built on virtual machines, while the other uses the SGX ("Software Guard Extensions") feature found in Intel’s recently introduced Skylake-SP Xeon processors. Both modes will allow applications to ringfence certain parts of their code and data so that they operate in a "trusted execution environment" (TEE). Code and data that are inside a TEE cannot be inspected from outside the TEE.

The virtual machine mode uses the Virtual Secure Mode (VSM) functionality of Hyper-V that was introduced in Windows 10 and Windows Server 2016. With VSM, most parts of an application will run in a regular virtual machine atop a regular operating system. The protected, TEE parts will run in a separate virtual machine containing only a basic stub operating system (enough that it can communicate with the regular VM) and only those parts of the application code that need to handle the sensitive data.


Apple says Face ID didn’t actually fail during its iPhone X event

(credit: Apple)

The first public demo of Apple’s Face ID phone unlocking system didn’t go exactly as planned.

During the company’s big iPhone X reveal this week, Apple software engineering chief Craig Federighi suffered a semi-cringeworthy moment when he was unable to unlock the new handset onstage using the new authentication tech. The device prompted Federighi to use a passcode instead, leading him to switch to a backup unit, which worked properly.

The mishap led some to immediately doubt the effectiveness of the Face ID setup—which completely replaces the usual Touch ID fingerprint scanner on the iPhone X—and, according to some reports, even led to a brief dip in Apple’s share price.


Kaspersky software banned from US government agencies

Kaspersky Lab CEO and Chairman Eugene Kaspersky speaks at a conference in Russia on July 10, 2017.


The Department of Homeland Security ordered government agencies to stop using any software products made by Kaspersky Lab. The department cited concern about possible ties between Kaspersky officials and Russian intelligence.

Agencies in the executive branch are expected to begin the process of discontinuing Kaspersky products within 90 days.

According to a DHS statement, posted online by Reuters reporter Dan Volz:

The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security… The Department’s priority is to ensure the integrity and security of federal information systems.

The order applies to all civilian government networks, but not the military, according to The Washington Post, which first reported the ban. The Defense Department doesn’t generally use Kaspersky software in any case, officials there told the newspaper.

The General Services Administration removed Kaspersky from a list of pre-approved technology vendors in July, after press reports emerged linking the company to Russian intel.

A Kaspersky Lab spokesperson said in a statement that the company is disappointed in the DHS decision and will provide additional information “to confirm that these allegations are completely unfounded.” The statement says that working “inappropriately with any government would be detrimental to the company’s bottom line,” since 85 percent of revenue comes from outside Russia.

The statement reads in part:

Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia.

Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues.

The company says the reports are based on Russian policies and laws that have been misinterpreted, since they apply to telecoms and ISPs, not Kaspersky.

Congress was briefed on the move just today, and Reuters reports that some lawmakers say they weren’t given advance notice.

Senator Jeanne Shaheen (D-N.H.), who has been asking for action to be taken against Kaspersky for some time, praised the move. “Applaud DHS for heeding my call to remove all Kaspersky products from federal agencies,” the senator said on Twitter. “Kaspersky is a direct threat to national security.”

The giant tech and appliance retailer Best Buy removed Kaspersky products from its shelves last week. The Minnesota-based retailer “felt there were too many unanswered questions and so has decided to discontinue selling the products,” according to a source who spoke to the Minneapolis Star Tribune.

The federal ban could lead to pressure on state and local governments to ditch Kaspersky products as well.

Leak of >1,700 valid passwords could make the IoT mess much worse

(credit: Michael Theis)

Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 "Internet of things" devices and make them part of a destructive botnet.

The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security. Of those active telnet services, 1,774 remain accessible using the leaked credentials, Gevers said. In a testament to the poor state of IoT security, the 8,233 hosts use just 144 unique username-password pairs.

It is likely that criminals have been using the list for months as a means to infect large numbers of devices with malware that turns them into powerful denial-of-service platforms. Still, for most of its existence, the list remained largely unnoticed, with only some 700 views. That quickly changed Thursday with this Twitter post. By Friday afternoon, there were more than 13,300 views.


A repair shop could completely hack your phone—and you wouldn’t know it

(credit: Omer Shwartz et al.)

People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device.

The concern arises out of research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.

The research, presented in a paper at the 2017 Usenix Workshop on Offensive Technologies this week, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary." The factory-installed hardware that communicates with the drivers is similarly assumed to be trustworthy, as long as the manufacturer safeguards its supply chain. The security model breaks down as soon as a phone is serviced in a third-party repair shop, where there’s no reliable way to certify that replacement parts haven’t been modified.
