By BeauHD from Slashdot's come-and-get-it department
An anonymous reader quotes a report from Ars Technica: A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusee Gelee coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch. "Fusee Gelee isn't a perfect, 'holy grail' exploit -- though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ. The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code. The exploit can't be fixed via a downloadable patch because the flawed bootROM can't be modified once the Tegra chip leaves the factory. As Temkin writes, "unfortunately, access to the fuses needed to configure the device's ipatches was blocked when the ODM_PRODUCTION fuse was burned, so no bootROM update is possible. It is suggested that consumers be made aware of the situation so they can move to other devices, where possible." Ars notes that Nintendo may however be able to detect "hacked" systems when they sign on to Nintendo's servers. "The company could then ban those systems from using the Switch's online functions."Read Replies (0)
By msmash from Slashdot's bad-timing department
On the heels of a terse privacy debate, Google may have found another thing to worry about: its attempt to rethink the traditional texting system. From a report: Joe Westby is Amnesty International's Technology and Human Rights researcher. Recently, in response to Google's launch of a new messaging service called "Chat", Westby argued that Google, "shows total contempt for Android users' privacy." "With its baffling decision to launch a messaging service without end-to-end encryption, Google has shown utter contempt for the privacy of Android users and handed a precious gift to cybercriminals and government spies alike, allowing them easy access to the content of Android users' communications. Following the revelations by CIA whistleblower Edward Snowden, end-to-end encryption has become recognized as an essential safeguard for protecting people's privacy when using messaging apps. With this new Chat service, Google shows a staggering failure to respect the human rights of its customers," Westby contended. Westby continued, saying: "In the wake of the recent Facebook data scandal, Google's decision is not only dangerous but also out of step with current attitudes to data privacy."Read Replies (0)
By msmash from Slashdot's fascinating-questions department
Adam Frank, writing for The Atlantic: We're used to imagining extinct civilizations in terms of the sunken statues and subterranean ruins. These kinds of artifacts of previous societies are fine if you're only interested in timescales of a few thousands of years. But once you roll the clock back to tens of millions or hundreds of millions of years, things get more complicated. When it comes to direct evidence of an industrial civilization -- things like cities, factories, and roads -- the geologic record doesn't go back past what's called the Quaternary period 2.6 million years ago. For example, the oldest large-scale stretch of ancient surface lies in the Negev Desert. It's "just" 1.8 million years old -- older surfaces are mostly visible in cross section via something like a cliff face or rock cuts. Go back much farther than the Quaternary and everything has been turned over and crushed to dust. And, if we're going back this far, we're not talking about human civilizations anymore. Homo sapiens didn't make their appearance on the planet until just 300,000 years or so ago. [...] Given that all direct evidence would be long gone after many millions of years, what kinds of evidence might then still exist? The best way to answer this question is to figure out what evidence we'd leave behind if human civilization collapsed at its current stage of development. Mr. Frank, along with Gavin Schmidt, Director of the NASA Goddard Institute for Space Studies, have published their research on the subject [PDF].Read Replies (0)
By msmash from Slashdot's security-woes department
Caroline Haskins, writing for The Outline: Hundreds of multi-ton liabilities -- soaring faster than the speed of sound, miles above the surface of the earth -- are operating on Windows-95. They're satellites, responsible for everything from GPS positioning, to taking weather measurements, to carrying cell signals, to providing television and internet. For the countries that own these satellites, they're invaluable resources. Even though they're old, it's more expensive to take satellites down than it is to just leave them up. So they stay up. Unfortunately, these outdated systems makes old satellites prime targets for cyber attacks. [...] A malicious actor could fake their IP address, which gives information about a user's computer and its location. This person could then get access to the satellite's computer system, and manipulate where the satellite goes or what it does. Alternatively, an actor could jam the satellite's radio transmissions with earth, essentially disabling it. The cost of such an attack could be huge. If a satellite doesn't work, life-saving GPS or online information could be withheld to people on earth when they need it most. What's worse, if part of a satellite -- or an entire satellite -- is knocked out of its orbit from an attack, the debris could create a domino effect and cause extreme damage to other satellites.Read Replies (0)
By msmash from Slashdot's major-bet department
After making smart speakers a household product (at least to some), Amazon seems to have found its next big consumer product: robots. Amazon is building smart robots that are equipped with cameras that let them drive around homes, Bloomberg reported Monday. These robots could launch as soon as next year. From the report: Codenamed "Vesta," after the Roman goddess of the hearth, home and family, the project is overseen by Gregg Zehr, who runs Amazon's Lab126 hardware research and development division based in Sunnyvale, California. Lab126 is responsible for Amazon devices such as the Echo speakers, Fire TV set-top-boxes, Fire tablets and the ill-fated Fire Phone. The Vesta project originated a few years ago, but this year Amazon began to aggressively ramp up hiring. There are dozens of listings on the Lab 126 Jobs page for openings like "Software Engineer, Robotics" and "Principle Sensors Engineer." People briefed on the plan say the company hopes to begin seeding the robots in employees' homes by the end of this year, and potentially with consumers as early as 2019, though the timeline could change, and Amazon hardware projects are sometimes killed during gestation.Read Replies (0)
By BeauHD from Slashdot's new-and-improved department
"After years of phones, laptops, tablets, and TV screens converging on 16:9 as the 'right' display shape -- allowing video playback without distracting black bars -- smartphones have disturbed the universality recently by moving to even more elongated formats like 18:9, 19:9, or even 19.5:9 in the iPhone X's case," writes Amelia Holowaty Krales via The Verge. "That's prompted me to consider where else the default widescreen proportions might be a poor fit, and I've realized that laptops are the worst offenders." Krales makes the case for why a 16:9 screen of 13 to 15 inches in size is a poor fit: Practically every interface in Apple's macOS, Microsoft's Windows, and on the web is designed by stacking user controls in a vertical hierarchy. At the top of every MacBook, there's a menu bar. At the bottom, by default, is the Dock for launching your most-used apps. On Windows, you have the taskbar serving a similar purpose -- and though it may be moved around the screen like Apple's Dock, it's most commonly kept as a sliver traversing the bottom of the display. Every window in these operating systems has chrome -- the extra buttons and indicator bars that allow you to close, reshape, or move a window around -- and the components of that chrome are usually attached at the top and bottom. Look at your favorite website (hopefully this one) on the internet, and you'll again see a vertical structure.
< article continued at Slashdot's new-and-improved department
>Read Replies (0)
By BeauHD from Slashdot's impending-doom department
While parts of the FCC's new plan will go into effect on Monday, the majority of the order still doesn't have a date for when it will be official. Specific rules that modify data collection requirements still have to be approved by the Office of Management and Budget, and the earliest that can happen is on April 27. Tech experts and consumer policy advocates don't expect changes to happen right away, as ISPs will likely avoid any large-scale changes in order to convince policymakers that the net neutrality repeal was no big deal after all.Read Replies (0)
By BeauHD from Slashdot's hot-seat department
Facebook may be in the hot seat right now for its collection of personal data without our knowledge or explicit consent, but as The Wall Street Journal points out, "Google is a far bigger threat by many measures: the volume of information it gathers, the reach of its tracking and the time people spend on its sites and apps." From the report (alternative source): It's likely that Google has shadow profiles (data the company gathers on people without accounts) on as at least as many people as Facebook does, says Chandler Givens, CEO of TrackOff, which develops software to fight identity theft. Google allows everyone, whether they have a Google account or not, to opt out of its ad targeting, though, like Facebook, it continues to gather your data. Google Analytics is far and away the web's most dominant analytics platform. Used on the sites of about half of the biggest companies in the U.S., it has a total reach of 30 million to 50 million sites. Google Analytics tracks you whether or not you are logged in. Meanwhile, the billion-plus people who have Google accounts are tracked in even more ways. In 2016, Google changed its terms of service, allowing it to merge its massive trove of tracking and advertising data with the personally identifiable information from our Google accounts.
< article continued at Slashdot's hot-seat department
>Read Replies (0)
By BeauHD from Slashdot's end-is-nigh department
Researchers with Netlab 360 warn that attackers are mass-exploiting "Drupalgeddon2," the name of an extremely critical vulnerability Drupal maintainers patched in late March. The exploit allows them to take control of powerful website servers. Ars Technica reports: Formally indexed as CVE- 2018-7600, Drupalgeddon2 makes it easy for anyone on the Internet to take complete control of vulnerable servers simply by accessing a URL and injecting publicly available exploit code. Exploits allow attackers to run code of their choice without having to have an account of any type on a vulnerable website. The remote-code vulnerability harkens back to a 2014 Drupal vulnerability that also made it easy to commandeer vulnerable servers.
Drupalgeddon2 "is under active attack, and every Drupal site behind our network is being probed constantly from multiple IP addresses," Daniel Cid, CTO and founder of security firm Sucuri, told Ars. "Anyone that has not patched is hacked already at this point. Since the first public exploit was released, we are seeing this arms race between the criminals as they all try to hack as many sites as they can." China-based Netlab 360, meanwhile, said at least three competing attack groups are exploiting the vulnerability. The most active group, Netlab 360 researchers said in a blog post published Friday, is using it to install multiple malicious payloads, including cryptocurrency miners and software for performing distributed denial-of-service attacks on other domains. The group, dubbed Muhstik after a keyword that pops up in its code, relies on 11 separate command-and-control domains and IP addresses, presumably for redundancy in the event one gets taken down.Read Replies (0)