Massive Intel Vulnerabilities Just Landed -- And Every PC User On The Planet May Need To Update

Dubbed Meltdown, the flaw allowed a hacker to read information from applications' memory at the kernel level, a space deep down in the operating system that's core to the functioning of everything on a computer. Passwords, photos, documents and other sensitive data could all be read by an attacker exploiting Meltdown, the researchers warned on a website and in a whitepaper Wednesday. They noted that "virtually every user of a personal computer" in the world was affected either by Meltdown or a related issue they named Spectre, and that the entire memory contents of a vulnerable PC could be surveilled.

If a computer is run by any Intel processor from 1995 onwards, bar Itanium and Atom chips manufactured before 2013, it's likely vulnerable, the researchers warned. And, crucially, cloud environments are also affected, as the flaw could be abused by an attacker to read memory of a virtual machine without any permissions or privileges.

Software updates are expected to land over the next week to defang the issue and users have been advised to update as soon as possible.

What's the problem?

Normally, a computer should prevent one application from reading information passing through the kernel. But with Meltdown, that isolation is broken, so one program can read another's memory in the kernel without permission. As the researchers noted: "The bug basically melts security boundaries which are normally enforced by the hardware."

The attack exploits the way in which Intel systems handle processes where the CPU cannot be certain whether an instruction will run or not, known as speculative execution. Typically, Intel will guess at the outcome of a process, run it to get ahead of the task and return to execute code when it's figured out what to do. During that process Intel didn't successfully prevent low-permission applications from accessing kernel-level memory, meaning an attacker could use a malicious application to get at private data that should've been segregated.

Earlier on Wednesday, Erik Bosman, from the Systems and Network Security Group at the Vrije Universiteit Amsterdam in the Netherlands, tweeted what appeared to be a proof of concept hack of the vulnerability, which had been reported on but was unconfirmed at the time.

Daniel Gruss, from the Graz University of Technology, was one of the researchers who uncovered the issue, alongside academic colleagues, Google Project Zero's Jann Horn and employees of German cybersecurity firm Cyberus Technology. He told Forbes that the researchers "only have proof-of-concept code for local attacks." That meant, in the real world, an attack would require the intruder to have found a way onto the computer first. A typical cyberattack, such as a phish that installs malware, would be a likely entry point, though it's unknown if any malicious individual has attempted to carry out the hack.

The researchers said they'd only successfully exploited Meltdown on Intel chips and were unsure if the attacks would work on AMD or ARM systems. A public ARM statement indicated the British company's chips were unaffected.

Intel responds

Intel issued a statement, in which it said that it wasn't possible to modify a vulnerable system, only spy on data, adding that media reports on the nature of the issue were inaccurate. In particular, it took umbrage at the claims that the exploits were caused by a "bug" or a "flaw" and were unique to Intel products. "Intel has begun providing software and firmware updates to mitigate these exploits," the company said, noting it was working with AMD, ARM and operating system manufacturers to prevent attacks.

"Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports." It recommended downloading any available updates as soon as they are available.

Microsoft said it was in the process of deploying fixes to its cloud services and was releasing security updates today to protect Windows customers, whilst Apple hadn't responded to Forbes' request for a response. The researchers said both companies were supplying updates for Windows and Mac OS. The academics, who'd developed a fix called KAISER, also noted fixes for Linux computers were ready. And Amazon Web Services posted an advisory for its cloud customers.

Performance problems?

Intel also denied claims that performance of Intel-based computers would be significantly affected by Meltdown. One report had claimed the degradation could cause a slowdown of between 5% and 30% of typical performance. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," the company said.

Gruss said he was unsure about the potential impact on performance, telling Forbes it depended on many factors, from the processor architecture to the use case. He did agree with Intel, however, that regular computer users wouldn't be affected much by the slow down. But, he added, "unusual workloads" on older computers could be up to 50% slower.

A Spectre looms

Meltdown wasn't the only problem uncovered by the researchers, however. They detailed a related issue dubbed Spectre, which they believe is harder to address than Meltdown and for which there aren't yet patches available. As noted in a whitepaper, which contains the full technical details, Spectre attacks induce a victim application to carry out the speculative execution "that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary." Google's Jann Horn has also released his full analysis of Meltdown and Spectre.

Worryingly, it's not just Intel systems that are affected by Spectre, but computers running AMD and ARM too, the researchers claimed. That would amount to not millions, but billions of machines, they added. For instance, Gruss said Spectre attacks on AMD-based machines worked "super-reliably."

A spokesperson from AMD, however, noted that it had been contacted by Google about the issues, but that "based on the findings to date and the differences in AMD processor architecture, we believe there is near zero risk to AMD products at this time." It noted that the problems would be addressed by software and operating system updates.

ARM, meanwhile, said it was in the process of informing its partners and encouraging them to deploy the mitigations it had developed if their chips are impacted. "At this site - - you can find more technical information, including the ARM cores impacted and details on how to get the software mitigations," a spokesperson said.

Spectre may also work better in exploiting cloud systems, according to Gruss. He noted that Spectre can trick a hypervisor - the software that manages virtual machines in a cloud - into leaking secrets to a guest. And, whilst he said it was not as easy to execute as Meltdown, he believes a hack can run in JavaScript. "This means that you would only have to navigate to an attacker-controlled website," he added.

Mozilla’s claims of Firefox Quantum success aren’t confirmed by user stats

Mozilla on Thursday touted Firefox Quantum, the browser upgrade launched one month ago, as its biggest release ever and said early adoption metrics have been "super encouraging." But preliminary browser measurements taken by the U.S. government show only a small increase in Firefox's domestic usage since Quantum debuted on Nov. 14.

"In less than a month, Firefox Quantum has already been installed by over 170 [million] people around the world," Nick Nguyen, the company's top Firefox executive, wrote in a post to the firm's primary blog. "We're just getting started and early returns are super encouraging."

While there's no reason to doubt Nguyen's 170 million Quantum installations, he failed to mention how the browser acquired such a huge user base so quickly. Unlike brand new software, which must start from zero installs, Quantum is, all branding aside, also the next iteration of Firefox, the November result of its every-six-week refresh. Mozilla may now label the browser as "Quantum," but it's also Firefox 57.

Like all Firefox upgrades, Quantum/57 was distributed through Mozilla's long-standing automatic download and upgrade service, which retrieves each new version in the background and then installs it at the next launch. In other words, it had a big leg up at the start. Unless users rejected it in catastrophic numbers, the vast majority of copies of Firefox 56 would have been updated to Quantum within days of its release.

Firefox Quantum: A leap forward, or a fatal trip?

I threw a slew of benchmarks at the latest browsers on my Windows 7 test box. Firefox Quantum and Chrome 62, the latest version of Google’s web browser, split the results down the middle. Oh, and Internet Explorer 11? Please! It was gasping for breath, usually in last place. Firefox Quantum also beat Firefox 56 handily. But you might not want to upgrade to the new Firefox anyway. That’s because its great performance comes at a cost. Remember how I mentioned all those things under the hood that had changed? Those same improvements have also put an end to many tried-and-true Firefox extensions.

So am I going to go back to Firefox? No. I’m a Chrome user now. That said, I’m glad to see Mozilla trying its damndest to make Firefox relevant again. I wish it luck. I fear, though, that even with Firefox’s speed increase, the extension problem is going to tick off many of its most loyal users.

Google releases Android Studio 3.0

Alongside the announcement of the Android 8.1 Oreo beta, Google is finally taking the wraps off of Android Studio 3.0, introducing a range of new features for its integrated development environment (IDE). Promised back at the company's I/O 2017 developer conference, there's now support for the Kotlin language. Google says that it's an "expressive and concise language that is interoperable with existing Android languages and runtimes". You can use it in as little or as much of your app as you want.

There's improved support for Java 8 language features as well. And if you're not building your app for phones, tablets or wearables, there's now support for Android Things, the OS for IoT devices.

Developers will now be able to add Instant Apps to their project, rather than full development of Instant Apps, which was made available earlier on this year. Google also says that build speed has been improved for apps.

The system images also now include the Google Play Store, which should allow developers to perform end-to-end testing, and "provides a convenient way to keep Google Play services up-to-date in your Android Virtual Device (AVD)." You'll also find OpenGL ES 3.0 support in the Emulator.

Uber covered up a hack that affected 57 million customers and drivers

Uber has had a rough time during the past year: it has been banned in London and suspended its services in Quebec due to new regulations. However, a new report by Bloomberg has dropped another bombshell, which involves the company reportedly covering up a large-scale hack that compromised the private information of both customers and drivers.

Uber has reportedly been well aware of the breach - which happened in 2016. In addition to this, it was revealed that the company paid the hackers $100,000 to delete the sensitive data, once it discovered the breach. Although it is not known which countries are affected by the hack, the firm offered its drivers free credit monitoring protection after the fact. Customers who were affected, however, will not get any such offer.

Joe Sullivan, the Chief Security Officer at Uber, resigned after the news broke. According to the report, the hack was executed by two individuals who gained access to a private area on Github, the open source community developer site. Once in, they were able to find the login credentials to the company's Amazon Web Services account. Data that were compromised included email addresses, phone numbers, and in the case of drivers, their license numbers. No credit card details or identification numbers - or social security numbers - were leaked. Uber, however, failed to disclose the hack to regulators at the time, which could prove even more detrimental. It already paid a $20,000 fine for not making public a previous breach which revealed 50,000 drivers' information in 2014.

Hackers stole information from 1.7 million Imgur accounts in 2014

If you were an Imgur user in 2014, you might want to consider changing your password. Yesterday, the photo-sharing site revealed (via Engadget) that it learned of a security breach in 2014 that compromised the e-mail addresses and passwords of approximately 1.7 million users.

Imgur’s Chief Operating Officer, Roy Sehgal, confirmed that the breach occurred in 2014. Sehgal explains that Imgur doesn’t collect names, addresses, or phone numbers from its users, and that only user e-mails and password information were leaked. According to ZDNet, Troy Hunt, who runs the notification service Have I Been Pwned, obtained the data, and turned over the information to Imgur.

The company says that it’s still investigating the incident, but that it believes that hackers cracked the older algorithm that was used at the time with brute force. The company upgraded its encryption in 2016.

Nextpad is just what you need in a Windows text editor — it works, and looks good

A good text editor is a balancing act. You need it to have a full set of features to support the things you'll need in your writing, but at the same time it needs to get out of the way and let you write. This isn't an easy balancing act, especially when those more advanced features need to be easily and quickly interacted with. You'll also spend a good chunk of time staring at the same screen, so it needs to be easy on the eyes. Nextpad handles that balance smartly. It's a simple text editor with a fresh, very modern design and many features that aren't available on other apps.

The app supports Continuum's "pick up where you left off" for cross-device editing, and it visually fits into Windows 10 quite well with a slew of customization options. It is available on Windows 10, Windows 10 Mobile, HoloLens, and Surface Hub as a free download, though some options require purchase.

Nextpad does a good job of enhancing the writing experience with a number of features. There are the basics of formatting, printing, find-and-replace search, and the like, as well as more advanced features like voice-to-text transcription and reading aloud what you've written via text-to-voice — very handy for effective proofreading.

One feature that is available but doesn't seem to work right is word count. Nextpad seems to instead count characters. Hopefully it's a simple bug that will be ironed out in the future.

On the Windows-related feature side of things, Nextpad supports Continuum, which is a big plus for mobile users looking to continue their work on multiple devices. You can also seamlessly continue your work on a different Windows 10 device — just open the app and pick up where you left off. For added security, you can add custom passwords or enable Windows Hello support for $1.49. Another purchase available is removing ads for $1.99.

One feature that would be nice to see is markdown previewing, as seen in another text editor Appy Text. Other than markdown support, Nextpad is very feature-rich and does what you'd like a text editor to do and does those tasks well.

The Best Free Text Editor 2017

Probably the best-known text editor, Notepad++ is a familiar name even if you’re not a programmer. The reasons for its enduring popularity are its support for syntax highlighting and autocomplete in a huge number of languages, as well as macro recording, code collapsing, and a near-endless list of plugins that can be used to extend the already-impressive feature set.

Atom is the perfect free text editor for anyone who likes to have complete control over their software. Despite this, it has an approachable design that means even newcomers should feel comfortable – an impressive feat for a program from the developer-focused Github stables. Atom's Github heritage also means that this is an open source tool (hence its hackability), and there are numerous add-on packages available to extend its capabilities. There's even a built-in package manager so you can search for expansion options from within the program, without the need to fire up your web browser.

Like Notepad++, Vim is a text editor that's been with us for quite some time, and is showing no signs of losing its power or appeal. Vim is available for all the major desktop platforms (and some minor ones) as well as iOS and Android, but makes few concessions for beginners. The learning curve is steep, with no hand-holding, but in exchange Vim offers unrivaled power. There are features such as various methods of code completion, macro recording and playback, history support for calling up commonly used snippets of code, and built-in scripting for automation and customization.

Light Table
If we were judging text editors on looks alone, Light Table would feature highly for its undeniable style. It's a shining example of beautiful minimalism. Light Table can be used for just about any coding project, but it's particularly well-suited to website building, and the fact that it’s available for Windows, Mac and Linux is a big bonus. This open source text editor started life as a Kickstarter project and the developers did a great job of listening to what people were looking for, including a centralized list of plugins, inline code feedback, instant testing of code, and watching of code feedback for easier analysis and evaluation.

Another cross-platform editor, Bluefish is available for Windows, Linux (various distros) and Mac. Its developers pride themselves on its lightweight design; the program is speedy and can handle dozens (or even hundreds, if you believe the documentation) of files simultaneously. One of the more intimidating-looking pieces of software in the list, Bluefish could overwhelm some people with its plethora of tabs and toolbars, but if you can get past this, you're onto a winner. Bluefish gives web developers scope for remote editing, and there’s support for lots of programming languages (including syntax highlighting and checking).

7 Cool Programming Tricks Inside Microsoft Notepad

Microsoft Notepad has been included in every version of Windows going back to Windows 1.0 in 1985. It's an extremely minimalist text editor, and when I say minimalist, I mean minimalist. If Microsoft Word is a "10" as a word processor, Notepad is around a ".000004" (give or take a few zeros). Notepad takes the concept of "no frills" to the extreme. But what it lacks in word-processing abilities, it makes up for as a minimalist scratchpad for basic coding.

Aside from basic text functionality, Notepad is a reliable repository for old-school programming languages like VBScript. Users can create simple programs to personalize the Windows experience (or just perform neat little tricks). There are of course better text editors out there for all you code jockeys, but Notepad is the text editor for everyone (running Windows). Here are seven cool programs that anybody can use to create simple little programs on their PC.

Matrix Effect
Remember The Matrix? It is the closest thing big budget science fiction comes to being "a thinker." Well, now you can relive all your Matrix memories via Notepad and a bit of simple code. Here's what you do.
1) Copy the following lines of code and paste them into Notepad:
@echo off
color 02
rem Loop label: "goto tricks" below jumps back here to keep printing
:tricks
echo %random%%random%%random%%random%%random%%random%%random%%random%
goto tricks
2) Save as "Matrix.bat" (or you can call it whatever you want, but the important thing is to save it as a .bat file).
3) Double-click on the file to behold some sweet Wachowski action.

Make a Personal Diary
This one is simple, but might be considered useful to some.
1) Type ".LOG" into a new Notepad document (without quotation marks). Note: It must be all UPPERCASE.
2) Save as a regular text document.
3) Close it.
4) Double-click on the doc. Every time you open the document it will show the time and date. You can just write any text below it. This is good for keeping a diary or for logging observations of something as it changes over time.

Make Your Computer Talk
Now you can be just like Matthew Broderick at the height of 1983 tech and make your PC talk with a human-ish voice. It's fun! Here's what you do.
1) Type the following code into a Notepad doc:
Dim Message, Speak
Message=InputBox("Enter text","Speak")
Set Speak=CreateObject("sapi.spvoice")
Speak.Speak Message
2) Save as "talk.vbs" or whatever (the important thing is that you save it as a .vbs file).
3) Double-click on the icon to prompt a pop-up window. Enter some text in the box and behold your ear holes!

Turn Your Keyboard Into an EDM Festival
Ever wish your keyboard was more 1) annoying and 2) festive? Well, thanks to this trick you can make that happen.
1) Paste the following code into a Notepad doc:
Set wshShell =wscript.CreateObject("WScript.Shell")
' Loop forever, toggling the three lock keys every 100 ms
do
wscript.sleep 100
wshshell.sendkeys "{CAPSLOCK}"
wshshell.sendkeys "{NUMLOCK}"
wshshell.sendkeys "{SCROLLLOCK}"
loop
2) Save as a .vbs file.
3) Double-click on saved file.
4) Dance.
5) What is happening is the computer is rapidly toggling the CAPS lock, NUMBER lock, and SCROLL lock on and off (which usually lights an LED on most keyboards). This is very annoying if you want to actually use your keyboard for typing. If you want to turn it off, you have to 1) restart the computer or 2) in Windows 10, go to Task Manager and end "Microsoft Windows Based Script Host." (I haven't confirmed it, but reportedly if you're using Windows 8 or before, you'll want to end "wscript.exe" in Task Manager.)

