Ars Technica

Pandemic Legacy: Season 2—The world’s “best board game” gets better

Welcome to Ars Cardboard, our weekend look at tabletop games! Check out our complete board gaming coverage at cardboard.arstechnica.com.

How do you follow the most popular board game ever made?

In a world where three separate versions of Smurfs Monopoly exist, Pandemic Legacy: Season One (PL:S1) isn’t the biggest-selling game of all time—but it has topped the popularity charts at Board Game Geek since it was released. It’s as close to “universally loved” as it’s possible to get in this contrarian world.

Ars Technica

Pentagon contractor leaves social media spy archive wide open on Amazon

A Pentagon contractor left a vast archive of social-media posts on a publicly accessible Amazon account in what appears to be a military-sponsored intelligence-gathering operation that targeted people in the US and other parts of the world.

The three cloud-based storage buckets contained at least 1.8 billion scraped online posts spanning eight years, researchers from security firm UpGuard's Cyber Risk Team said in a blog post published Friday. The cache included many posts that appeared to be benign, and in many cases they came from people in the US, a finding that raises privacy and civil-liberties questions. Facebook was one of the sites that originally hosted the scraped content. Other venues included soccer discussion groups and video game forums. Topics in the scraped content were extremely wide ranging and included Arabic-language posts mocking ISIS and Pashto-language comments made on the official Facebook page of Pakistani politician Imran Khan.

The scrapings were left in three Amazon Web Services S3 cloud storage buckets that were configured to allow access to anyone with a freely available AWS account. It's only the latest trove of sensitive documents left unsecured on Amazon. In recent months, UpGuard has also found private data belonging to Viacom, security firm TigerSwan, and defense contractor Booz Allen Hamilton similarly exposed. In Friday's post, UpGuard analyst Dan O'Sullivan wrote:

Ars Technica

Iconic hacker booted from conferences after sexual misconduct claims surface

John Draper, seen here in 2011. (credit: campuspartycolombia)

John Draper, a legendary figure in the world of pre-digital phone hacking known as "phreaking," has been publicly accused of inappropriate sexual behavior going back nearly two decades.

According to a new Friday report by BuzzFeed News, Draper, who is also known as "Captain Crunch," acted inappropriately with six adult men and minors between 1999 and 2007 during so-called "energy" exercises, which sometimes resulted in private invitations to his hotel room. There, Draper allegedly made unwanted sexual advances.

As a result of the new revelations, Draper, 74, is now no longer welcome at Defcon. Michael Farnum, the founder of HOU.SEC.CON, told Ars on Friday afternoon that Draper, who had been scheduled to speak in April 2018, was disinvited.

Black Hat

How We Created the First SHA-1 Collision and What it Means for Hash Security

Linux Security

Debian: DSA-4040-1: imagemagick security update

LinuxSecurity.com: This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed image files are processed.
Linux Security

Fedora 25: firefox Security Update

LinuxSecurity.com: Updated to the latest version - Firefox 57 Please note that this update is incompatible with many recent Firefox add-ons, please see Fedora Magazine article for details: https://fedoramagazine.org/firefox-57-coming-soon-quantum-leap/ ---- Update to Firefox 57 a.k.a. Quantum This update may break your installed extension, please see this Fedora Magazine article for details:
Ars Technica

Weekend code warriors prepare to clash in Codewarz

Obviously a Codewarz competitor. (credit: Alain Daussin/Getty Images)

If you didn't have any weekend plans yet—or maybe even if you did—and you're interested in scratching your programming itch, there's something to add to your calendar. Codewarz, a programming competition that presents participants with 24 coding challenges, is running its first live event starting at 1pm Eastern on November 18 and ending at 9pm on November 20.

This is not a hacking competition—it’s strictly coding. Participants can use their language of choice as long as it's one of the 15 supported by the event: the various flavors of C, Python, Node.js, Scala, PHP, Go, Ruby, and even Bash. (Sorry, no one has asked them to support Ada or Eiffel yet.) There's no compiling required, either. Each submitted solution is run in an interpreted sandbox on a Linux or Windows virtual machine for evaluation and scoring. And the challenges run the gamut from beginner (things like text parsing, math, and basic networking) to advanced (more advanced parsing and math, hashing, cryptography, and forensics challenges).

Scoring is straightforward. Each of the challenges has an expected output (checked through hash-matching), and matching that output equals success for whatever number of points a challenge is worth. The easiest challenges (such as a "Hello World" tutorial challenge) are worth 10 points, while the hardest are worth 250 points.

Schneier on Security

Friday Squid Blogging: Peru and Chile Address Squid Overfishing


Peru and Chile have a new plan.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Ars Technica

Dealmaster: The Black Friday tech deals that might actually be worth buying

Get ready for lots of ads like this. (credit: Best Buy)

Brace yourself for Walmart fights and snarky tweets about capitalism, because Black Friday is nearly here. Once again, the day after Thanksgiving—and in many cases the days before that—will see retailers across the country pushing an avalanche of sales to the gift-needy public.

And once again, many of those “discounts” won’t be discounts at all. Year after year, the corporate holiday isn’t quite the deals bonanza it proclaims to be. Many of the devices on sale either won’t be priced significantly lower than they are at other points in the year or just won’t be worth buying to begin with.

After sorting through the early ad scans and retailer offers for this year’s Black Friday, we’re confident this trend will continue. That said, even if just a fraction of the several thousand sales on show are worth getting, that still leaves more than a few diamonds in the rough.

Ars Technica

Microsoft abandons typical Patch Tuesday playbook to fix Equation Editor flaw

When a company like Microsoft needs to fix a security flaw in one of its products, the process is normally straightforward: determine where the bug lies, change the program's source code to fix the bug, and then recompile the program. But it looks like the company had to step outside this typical process for one of the flaws it patched this Tuesday. Instead of fixing the source code, it appears that the company's developers made a series of careful changes directly to the buggy program's executable file.

Bug CVE-2017-11882 is a buffer overflow in the ancient Equation Editor that comes with Office. The Equation Editor allocates a fixed-size piece of memory to hold a font name and then copies the font name from the equation file into this piece of memory. It doesn't, however, check to ensure that the font name will fit into this piece of memory. When provided with a font name that's too long, the Equation Editor overflows the buffer, corrupting its own memory, and an attacker can use this to execute arbitrary malicious code.

Curious how a buffer overflow works? Previously on Ars we did a deep-dive explanation. (video link)

Ars Technica

Hairy situation: DC’s rail system may be taken down by human shedding

The DC Metro, when it's not on fire. (credit: Getty | Bill Clark)

For residents of our nation’s capital, news of a fire on the city’s rapid transit system—the Washington Metro—is not surprising. It catches fire and smokes quite regularly. At some points last year, there were reports of more than four fires per week (although there’s some dispute about that rate). There’s even the handy site—IsMetroOnFire.com—to check the current blaze status.

Yet, despite the common occurrence, residents may be surprised to learn a potential contributor to the system-wide sizzling: their own hair.

According to a safety specialist with the Amalgamated Transit Union (ATU), a thick, felt-like layer of human hair, skin, and other debris has collected on the aging tracks of the city’s rails. In particular, hair has built up on the insulators supporting the transit system’s electrified third rails, which run cables carrying 750 volts of electricity to power the trains. The hair coating poses a real threat of electrical sparks and fire.

Ars Technica

Argentine Navy diesel sub disappears, NASA plane joins in search

The US Navy and NASA have joined the search for an Argentine Armada (navy) diesel-electric attack submarine—the ARA San Juan (S-42)—and its crew of 44 sailors missing in the Southern Argentine Sea. The last contact with the TR-1700 class sub, built in 1983 by the German shipbuilder Thyssen Nordseewerke, was on November 15.

NASA has dispatched a modified P-3 Orion patrol plane—previously used by the Navy for submarine hunting—to aid in the search. The P-3 is equipped with a magnetic anomaly detector (or magnetometer), a gravimeter for detecting small fluctuations in the Earth's gravity, infrared cameras, and other sensors for measuring ice thickness. With that array, the P-3 may be able to detect the submerged submarine.

Ars Technica

Tax bill that passed the House would cripple training of scientists

Whatever you made in that flask, it's going to cost you. (credit: Oak Ridge National Lab)

Yesterday, the US House of Representatives passed its version of a tax bill that would drop corporate tax rates and alter various deductions. While most of the arguments about the bill have focused on which tax brackets will end up paying more, an entire class of individuals appears to have been specifically targeted with a measure that could raise their tax liability by 300 percent or more: graduate student researchers. If maintained, the changes could be crippling for research in the US.

Tuition waivers

Many graduate programs in areas like business, medicine, and law can afford to charge high tuitions. That's in part because these degrees are in high demand and in part because the students know that they'll have the potential to earn very large salaries after graduation.

PhD programs are nothing like this. Despite typically taking five to six years to complete, a PhD student is only likely to earn in the area of $44,000 after graduation if they're funded by the National Institutes of Health. Even four years of additional experience doesn't raise the salary above $50,000. As such, charging them tuition would leave them with no way to possibly pay back their student loans. Doing so would almost certainly discourage anyone but the independently wealthy from attending research-focused graduate programs.

Security Week

EMOTET Trojan Variant Evades Malware Analysis


A recently observed variant of the EMOTET banking Trojan features new routines that allow it to evade sandbox and malware analysis, Trend Micro security researchers say.

Ars Technica

Man gets threats—not bug bounty—after finding DJI customer data in public view

A security researcher says he was trying to play fair with DJI's bug bounty program. DJI calls him a hacker who exposed customer data.

DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

"Hacker?"

DJI launched its bug bounty this fall shortly after the US Army issued a ban on using DJI drones for any military purpose due to "operational security" concerns. There were also spreading reports of people hacking the firmware of DJI drones—some hacks have even been posted to GitHub by Finisterre. But according to Finisterre, the program was clearly rushed out. The company did not, and has yet to, define the scope of the bounty program publicly. So when Finisterre discovered that DJI's SSL certificates and firmware AES encryption keys had been exposed through searches on GitHub—in some cases for as long as four years—he contacted the company to see if its servers were within the scope of the bug bounty program. He was told they were—a statement that would later be walked back by DJI officials.

Ars Technica

The world of Skyrim is thrilling and flawed in VR

The disembodied hand of fate falls on you, tree!

Since consumer-grade virtual reality became a thing last year, there has been some criticism over the lack of lengthy, meaty VR experiences that can draw players in an epic story for dozens of hours. As if to answer that criticism, Bethesda has released Skyrim VR, a PlayStation VR exclusive version of one of the meatiest RPGs of the last decade.

Consumer virtual reality was barely even a gleam in Palmer Luckey's eye when Skyrim came out in 2011, though, and that fact comes into stark relief when trying to play the game in a brand new medium. While Skyrim's world makes some impressive first impressions in VR, a few hours with the game is enough to show some significant problems with the conversion as well.

Rough edges

To be sure, seeing and exploring Skyrim's world in VR brings some immediate and impressive improvements over playing on a monitor. From the jump, the stereoscopic 3D and head tracking of the PSVR headset make you feel like you're actually in Skyrim like never before.

Ars Technica

New Tesla Roadster sounds impressive, but it’s not the only game in town

On Thursday night, Elon Musk upstaged his own semi truck launch with the news that Tesla is going to build a new performance car, the Roadster. The specs certainly have the Internet ablaze this morning: a 200kWh battery and 620-mile (1,000km) range, 0-60mph in 1.9 seconds, the standing quarter-mile in 8.9 seconds, and a top speed of 250mph. That's truly impressive—particularly if it costs just $200,000. But Musk's claims that it will be the "fastest production car ever made, period" seem more than a little hyperbolic from where I'm sitting.

You see, we're entering another one of those automotive arms races, where engineers and designers attempt to outdo each other in the performance stakes with ever-more extreme hypercars. Tesla will not be the only game in town. In fact, it's only just getting ready to take to the pitch.

Supercars are passé; it's all about the hypercar now

Supercars like the McLaren F1 and Ferrari Enzo used to be the last word in four-wheeled performance until a reborn Bugatti came along and rewrote the rules. The Veyron, which arrived in 2005, boasted an 8.0L W16 engine, 987hp (736kW), and a 253mph (407km/h) top speed. The supercar was dethroned, and the hypercar became king. But achieving massive power and bonkers performance from an internal combustion engine is old hat—even if Bugatti is sticking to the formula with the Chiron.

Ars Technica

Apple’s HomePod speaker isn’t coming out this year

Look at this happy couple enjoying voice commands and high quality audio in their home! (credit: Apple)

In a statement to CNBC this morning, Apple said its HomePod smart speaker will be released in 2018, not by the end of this year as originally announced.

Here is the company's statement:

We can't wait for people to experience HomePod, Apple's breakthrough wireless speaker for the home, but we need a little more time before it's ready for our customers... We'll start shipping in the US, UK and Australia in early 2018.

The 7-inch-tall HomePod was expected to launch in December. It will cost $349 and bring Siri into any room in your house where it wasn't already present, allowing for voice features like answering questions and managing your smart home. That said, Apple said the main focus of the HomePod is music. The device will feature an A8 processor—the same found in the iPhone 6—and will sense the layout of the room and adjust its audio output for optimal acoustics. It will also work in tandem with other HomePods wirelessly to provide home-wide coverage or deliver stereo sound.

Ars Technica

Bitcoin is hitting new highs—here’s why it might not be a bubble

In early September, one Bitcoin was worth almost $5,000. Then the Chinese government cracked down on cryptocurrency investments, and Bitcoin's value plunged 40 percent in a matter of days, reaching a low below $3,000.

But Bitcoin bounced back. By early November, one Bitcoin was worth almost $8,000. Then last week, a controversial effort to expand the Bitcoin network's capacity failed. Within days, Bitcoin's price had plunged 25 percent, while the value of a rival network called Bitcoin Cash doubled.

Today, Bitcoin has recovered all of last week's losses—one Bitcoin is now worth more than $7,800.

Security Week

Group Launches Secure DNS Service Powered by IBM Threat Intelligence


A newly announced free Domain Name System (DNS) service promises automated immunity from known Internet threats by blocking access to websites flagged as malicious.

Security Week

GitHub Warns Developers When Using Vulnerable Libraries


Code hosting service GitHub now warns developers if certain software libraries used by their projects contain any known vulnerabilities and provides advice on how to address the issue.

Ars Technica

Robocalls from spoofed Caller IDs may soon be blocked by phone companies

Phone companies are now authorized to be more aggressive in blocking robocalls before they reach customers' landlines or mobile phones, but you might have to pay for the new blocking capabilities.

The Federal Communications Commission yesterday issued an order to "expressly authorize voice service providers to block robocalls that appear to be from telephone numbers that do not or cannot make outgoing calls, without running afoul of the FCC's call completion rules."

Carriers will thus have greater ability to block calls in which the Caller ID has been spoofed or in which the number is invalid. Caller ID spoofing hides the caller's true identity and is one of the biggest sources of illegal robocalls.

Linux Security

Fedora 27: knot-resolver Security Update

LinuxSecurity.com: Major update for Knot DNS and Knot Resolver: Knot Resolver 1.5.0 (2017-11-02) Darwin Improvements ------------ - new module ta_signal_query supporting Signaling Trust Anchor Knowledge using Keytag Query (RFC 8145 section 5); it is enabled by default - attempt validation for more records but require it for
Linux Security

Fedora 27: qt5-qtwebengine Security Update

LinuxSecurity.com: An update of QtWebEngine to the security and bugfix release 5.9.2, including: Chromium Snapshot: * Security fixes from Chromium up to version 61.0.3163.79 Including: CVE-2017-5092, CVE-2017-5093, CVE-2017-5095, CVE-2017-5097, CVE-2017-5099, CVE-2017-5102, CVE-2017-5103, CVE-2017-5107, CVE-2017-5112, CVE-2017-5114, CVE-2017-5117 and CVE-2017-5118 * Fixed Skia to
Linux Security

Fedora 27: knot Security Update

LinuxSecurity.com: Major update for Knot DNS and Knot Resolver: Knot Resolver 1.5.0 (2017-11-02) Darwin Improvements ------------ - new module ta_signal_query supporting Signaling Trust Anchor Knowledge using Keytag Query (RFC 8145 section 5); it is enabled by default - attempt validation for more records but require it for
Linux Security

Fedora 27: java-9-openjdk Security Update

LinuxSecurity.com: updated to latest security release
Linux Security

RedHat: RHSA-2017-3247:01 Critical: firefox security update

LinuxSecurity.com: An update for firefox is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
Security Week

New Cyber Insurance Firm Unites Insurance With Cyber Intelligence


Mountain View, Calif-based cyber insurance firm At-Bay has emerged from stealth with a mission to shake up the status quo in cyber insurance. It brings a new model of security cooperation between insured and insurer to reduce risk and exposure to both parties.

Ars Technica

Swiss lab develops genetic tool kit to turn any cell into a tumor killer

T cells latch on to a cancer cell before killing it. (credit: NIH)

We've made some impressive advances toward inducing the immune system to attack cancers. One of these techniques, using CAR-T cells, is amazing. CAR-T cells are made by inserting receptors that recognize cancerous cells into a leukemia patient’s own T cells. This induces those T cells to recognize the patient’s tumor as the threat that it is and destroy it.

But the fact that T cells mount such an effective immune response is their therapeutic weakness as well as their strength. Engineered immune cells like these can completely disrupt normal immune function, causing unpleasant conditions with names like macrophage activating syndrome, cytokine storms, and even neurotoxicity, all of which can be life-threatening. So a group of Swiss researchers has decided to engineer a killing system into non-immune cells to avoid all these side effects.

T cells target their tumor-killing immune response through cell-to-cell contact. This is a distinctive feature of how the T cell receptor works. It hangs out on the T cell's surface membrane, with some parts on the outside and some parts on the inside. When its external part contacts a particular feature on the surface of a cell, its intracellular part sends a signal through a cascade of molecules that eventually results in a collection of genes getting expressed. These genes include the ones needed to kill the target cell.

Ars Technica

First-ever marijuana overdose death? Let’s review what “potential link” means

Even this baby is annoyed. (credit: Getty | VW Pics)

The US Drug Enforcement Administration plainly reports that no death from an overdose of marijuana has ever been reported—a tidbit often repeated by cannabis enthusiasts when discussing the potential harms of the popular drug. But this week, many news outlets coughed up headlines saying that the famous fact had gone up in smoke.

Those media reports dubbed the death of an 11-month-old Colorado boy as the first marijuana overdose death ever reported. They based that startling stat on a case report published in the August edition of Clinical Practice and Cases in Emergency Medicine.

But that’s not what the case report said—at all. And the doctors behind the report (who likely spent the week with their palms on their faces) are trying to set the record straight.

Security Week

Ransomware Targets SMBs via RDP Attacks


A series of ransomware attacks against small-to-medium companies are leveraging Remote Desktop Protocol (RDP) access to infect systems, Sophos reports.

Security Week

Moxa NPort Devices Vulnerable to Remote Attacks


Hundreds of Moxa Devices Similar to Ones Targeted in Ukraine Power Grid Hack Vulnerable to Remote Attacks

Cert US

VU#817544: Windows 8.0 and later fail to properly randomize all applications if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard

Vulnerability Note VU#817544

Windows 8.0 and later fail to properly randomize all applications if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard

Original Release date: 17 Nov 2017 | Last revised: 17 Nov 2017

Overview

Microsoft Windows 8.0 introduced a change in how system-wide mandatory ASLR is implemented. This change requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive entropy. Tools that enable system-wide ASLR without also setting bottom-up ASLR will fail to properly randomize executables that do not opt in to ASLR.

Description

ASLR

Starting with Windows Vista, a feature called ASLR was introduced to Windows that helps prevent code-reuse attacks. By loading executable modules at non-predictable addresses, Windows can help to mitigate attacks that rely on code being at predictable locations. Return-oriented programming (ROP) is an exploit technique that relies on code that is loaded to a predictable or discoverable location. One weakness with the implementation of ASLR is that it requires that the code is linked with the /DYNAMICBASE flag to opt in to ASLR.

EMET and Windows Defender Exploit Guard

In order to help protect applications that don't necessarily opt in to using ASLR and other exploit mitigation techniques, Microsoft EMET was released. Using the EMET GUI, one can specify both system-wide and application-specific mitigations that can be enabled on a system. For system-wide mitigations, EMET simply acts as a front-end GUI to enable exploit mitigations that are built in to the Windows operating system. For application-specific mitigations, the EMET library is loaded into the process space of each application that is configured to be protected. Starting with the Windows 10 Fall Creators update, the capabilities that EMET provides have been replaced with Windows Defender Exploit Guard.

Mandatory ASLR and Windows 8

Both EMET and Windows Defender Exploit Guard can enable mandatory ASLR for code that isn't linked with the /DYNAMICBASE flag. This can be done on a per-application or system-wide basis. Before Windows 8.0, system-wide mandatory ASLR was implemented using the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages registry value. By setting this value to 0xFFFFFFFF, Windows will automatically relocate code that has a relocation table, and the new location of the code will be different across reboots of the same system or between different systems. Starting with Windows 8.0, system-wide mandatory ASLR is implemented differently than with prior versions of Windows. With Windows 8.0 and newer, system-wide mandatory ASLR is implemented via the HKLM\System\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions binary registry value. The other change introduced with Windows 8.0 is that system-wide mandatory ASLR must have system-wide bottom-up ASLR enabled to supply entropy to mandatory ASLR.

The Problem

Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems.

Impact

Windows 8.0 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:

Enable system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR

To enable both bottom-up ASLR and mandatory ASLR on a system-wide basis on a Windows 8.0 or newer system, the following registry value should be imported:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
    "MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

Note that importing this registry value will overwrite any existing system-wide mitigations specified by this registry value. The bottom-up ASLR setting specifically is the second 01 in the binary string, while the mandatory ASLR setting is the first 01. Also note that in the past, enabling system-wide mandatory ASLR could cause problems if older AMD/ATI video card drivers are in use. This issue was addressed in the Catalyst 12.6 drivers released in June 2012.
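The check an administrator would run before and after applying the workaround above, as an added PowerShell example that is not part of the CERT note: it reads the system-wide MitigationOptions value and reports whether mandatory ASLR is on without the bottom-up ASLR it needs for entropy. The byte offsets it tests (1 for mandatory ASLR, 2 for bottom-up ASLR) follow the advisory's description of the exported value; the script, its switch and its function names are this example's own.

```powershell
# Added example (not the CERT note's code): audit the MitigationOptions value
# that VU#817544 describes. Run from an elevated PowerShell session.
# Assumptions, taken from the advisory's description of the exported value:
#   byte offset 1 == 0x01  -> system-wide mandatory ASLR enabled
#   byte offset 2 == 0x01  -> system-wide bottom-up ASLR enabled
# -Apply writes the advisory's exact 16-byte value when the gap is found.
param([switch]$Apply)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$ValueName = 'MitigationOptions'

# The value from the advisory's .reg workaround: mandatory + bottom-up ASLR.
$AdvisoryValue = [byte[]](0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,
                          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)

function Get-MitigationOptionsBytes {
    # Returns $null when the value (or the key) is absent, i.e. no
    # system-wide mitigations have been configured at all.
    $props = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [byte[]]$props.$ValueName
}

function Test-MandatoryAslrEntropy {
    param([byte[]]$Bytes)
    $mandatory = ($null -ne $Bytes -and $Bytes.Length -gt 1 -and $Bytes[1] -eq 0x01)
    $bottomUp  = ($null -ne $Bytes -and $Bytes.Length -gt 2 -and $Bytes[2] -eq 0x01)

    # 'MandatoryAslrWithoutEntropy' is the VU#817544 condition: non-DYNAMICBASE
    # images get relocated, but to the same address every time.
    $status = if (-not $mandatory) { 'MandatoryAslrOff' }
              elseif ($bottomUp)   { 'Ok' }
              else                 { 'MandatoryAslrWithoutEntropy' }

    $rawHex = if ($null -eq $Bytes) { '<absent>' }
              else { ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ',' }

    [pscustomobject]@{
        MandatoryAslr = $mandatory
        BottomUpAslr  = $bottomUp
        Status        = $status
        RawHex        = $rawHex
    }
}

$result = Test-MandatoryAslrEntropy -Bytes (Get-MitigationOptionsBytes)
$result | Format-List

if ($Apply -and $result.Status -eq 'MandatoryAslrWithoutEntropy') {
    # As the advisory warns, this overwrites any other system-wide mitigations
    # stored in the value, so export the key first if you have customised it.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $AdvisoryValue -Type Binary
    Write-Output 'MitigationOptions set to the advisory value; reboot for it to take effect.'
}
```

Run it once to see the current state; a Status of MandatoryAslrWithoutEntropy on a Windows 8.0 or newer system is the condition the advisory describes, and a second run after a reboot should report Ok.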

Vendor Information

Vendor                  Status     Date Notified   Date Updated
Microsoft Corporation   Affected   16 Nov 2017     17 Nov 2017

CVSS Metrics

Group Score Vector
Base 0.0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0.0 E:ND/RL:ND/RC:ND
Environmental 0.0 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

This issue was reported by Will Dormann of the CERT/CC, with assistance from Matt Miller of Microsoft.

This document was written by Will Dormann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 16 Nov 2017
  • Date First Published: 17 Nov 2017
  • Date Last Updated: 17 Nov 2017
  • Document Revision: 21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ars Technica

Apple reportedly working with Intel to put 5G modem in future iPhones

(credit: Samuel Axon)

While it will be some time before 5G LTE becomes standard, Apple is thinking ahead about how to best incorporate 5G technology into its iPhones. According to a Fast Company report, Apple has been working with Intel to incorporate the chipmaker's 5G modems in future iPhones while talks with Qualcomm, the world's biggest modem supplier, have been "limited."

Qualcomm currently has a more advanced 5G modem than Intel does, but Intel reportedly has "multiple thousands" of employees working on improving its 5G chip. Intel first announced its 5G modem at CES 2017 and announced recently that it completed a "full end-to-end 5G call based on its early 5G silicon." While Qualcomm's 5G modem has more specialized carrier features, reports suggest that those features won't be "widely adopted" by all carriers. Also, Qualcomm's chips are particularly equipped to support CDMA networks but those may become obsolete over time as 5G infiltrates the industry.

An iPhone with a 5G modem would theoretically be capable of connection speeds of one gigabit per second or more, but the industry's transition to support 5G will take some time. The report suggests that Intel could supply a 5G modem for an iPhone debuting in 2019 or 2020.

Ars Technica

Converting natural gas to hydrogen without any carbon emissions

Hard to believe that this stuff could cut carbon emissions. (credit: Department of Energy)

The boom in natural gas production has been essential to the drop in carbon emissions in the US, as methane, the primary component of natural gas, releases more energy for each carbon atom when burned than other fossil fuels. But there's still a carbon atom in each molecule of methane, so switching to natural gas will eventually lead to diminishing returns when it comes to emissions reductions. To keep our climate moderate, we'll eventually need to move off natural gas, as well.

But two new papers out this week suggest we could use natural gas without burning it. They detail efficient methods of converting methane to hydrogen in ways that let us capture much or all of the carbon left over. The hydrogen could then be burned or converted to electricity in a fuel cell—including mobile fuel cells that power cars. The supply obtained from methane could also be integrated with hydrogen from other sources.

The tech involved is also pretty cool in its own right, involving things like catalysts dissolved in liquid metal and solid materials that allow current to travel through them as protons, rather than as electrons.

Ars Technica

Justice League review: Who will avenge these shortchanged heroes?

Someone is (thankfully) missing here, and his name rhymes with "hot-mud-sand." (credit: Warner Bros.)

This week's feature-length Justice League film benefits as much as it suffers from a "can't get any worse" reputation. Between the diminishing returns of Zack Snyder as a filmmaker, a crowded cast of new-to-film DC characters, and the incredibly stinky shadow of Batman V Superman, you'd be foolish to go into the latest (and likely final) Snyder DC film with high hopes. Like, even if it's adequate, that might seem monumental.

With that in mind, Justice League lands almost exactly where I predicted: as a mostly tolerable, occasionally fun, often ponderous, rarely logical attempt to unify the DC Comics film universe. It doesn't unseat Wonder Woman as the best DC Comics film in recent memory. It's certainly no Avengers, and, gosh, it isn't even Avengers: Age of Ultron. But it also won't live in infamy as another one of DC's midnight-movie laugh-a-ramas. It's just acceptably subpar.

Two outta three origins ain’t bad

If you're desperate to have your pro-DC bias acknowledged, Justice League does kick butt at a couple of things. The film has to juggle a whopping three film-universe origin stories, and it surprisingly succeeds at two of those.

Schneier on Security

New White House Announcement on the Vulnerability Equities Process

The White House has released a new version of the Vulnerabilities Equities Process (VEP). This is the inter-agency process by which the US government decides whether to inform the software vendor of a vulnerability it finds, or keep it secret and use it to eavesdrop on or attack other systems. You can read the new policy or the fact sheet, but the best place to start is Cybersecurity Coordinator Rob Joyce's blog post.

In considering a way forward, there are some key tenets on which we can build a better process.

Improved transparency is critical. The American people should have confidence in the integrity of the process that underpins decision making about discovered vulnerabilities. Since I took my post as Cybersecurity Coordinator, improving the VEP and ensuring its transparency have been key priorities, and we have spent the last few months reviewing our existing policy in order to improve the process and make key details about the VEP available to the public. Through these efforts, we have validated much of the existing process and ensured a rigorous standard that considers many potential equities.

The interests of all stakeholders must be fairly represented. At a high level we consider four major groups of equities: defensive equities; intelligence / law enforcement / operational equities; commercial equities; and international partnership equities. Additionally, ordinary people want to know the systems they use are resilient, safe, and sound. These core considerations, which have been incorporated into the VEP Charter, help to standardize the process by which decision makers weigh the benefit to national security and the national interest when deciding whether to disclose or restrict knowledge of a vulnerability.

Accountability of the process and those who operate it is important to establish confidence in those served by it. Our public release of the unclassified portions of the Charter will shed light on aspects of the VEP that were previously shielded from public review, including who participates in the VEP's governing body, known as the Equities Review Board. We make it clear that departments and agencies with protective missions participate in VEP discussions, as well as other departments and agencies that have broader equities, like the Department of State and the Department of Commerce. We also clarify what categories of vulnerabilities are submitted to the process and ensure that any decision not to disclose a vulnerability will be reevaluated regularly. There are still important reasons to keep many of the specific vulnerabilities evaluated in the process classified, but we will release an annual report that provides metrics about the process to further inform the public about the VEP and its outcomes.

Our system of government depends on informed and vigorous dialogue to discover and make available the best ideas that our diverse society can generate. This publication of the VEP Charter will likely spark discussion and debate. This discourse is important. I also predict that articles will make breathless claims of "massive stockpiles" of exploits while describing the issue. That simply isn't true. The annual reports and transparency of this effort will reinforce that fact.

Mozilla is pleased with the new charter. I am less so; it looks to me like the same old policy with some new transparency measures -- which I'm not sure I trust. The devil is in the details, and we don't know the details -- and it has giant loopholes that pretty much anything can fall through:

The United States Government's decision to disclose or restrict vulnerability information could be subject to restrictions by partner agreements and sensitive operations. Vulnerabilities that fall within these categories will be cataloged by the originating Department/Agency internally and reported directly to the Chair of the ERB. The details of these categories are outlined in Annex C, which is classified. Quantities of excepted vulnerabilities from each department and agency will be provided in ERB meetings to all members.

This is me from last June:

There's a lot we don't know about the VEP. The Washington Post says that the NSA used EternalBlue "for more than five years," which implies that it was discovered after the 2010 process was put in place. It's not clear if all vulnerabilities are given such consideration, or if bugs are periodically reviewed to determine if they should be disclosed. That said, any VEP that allows something as dangerous as EternalBlue -- or the Cisco vulnerabilities that the Shadow Brokers leaked last August -- to remain unpatched for years isn't serving national security very well. As a former NSA employee said, the quality of intelligence that could be gathered was "unreal." But so was the potential damage. The NSA must avoid hoarding vulnerabilities.

I stand by that, and am not sure the new policy changes anything.

More commentary.

Here's more about the Windows vulnerabilities hoarded by the NSA and released by the Shadow Brokers.

Ars Technica

Star Wars: Battlefront II review: Nope, nope, nope, nope, nope, nope, nope [Updated]

The pull of the Force is strong with things like an impeccably rendered Millennium Falcon. (I mean, gosh, that's purty.) But Star Wars: Battlefront II can't paint over most of its failings. (credit: EA / DICE)

I've tried to give the new video game Star Wars: Battlefront II a fair shake, and I tried to do so through three types of fandom, at that. I really dig Star Wars—and I've generally appreciated when the series has expanded its universe in video game form. I'm a big fan of DICE as a creator of high-polish, massively multiplayer online shooters. And I thought 2015's reboot of the Star Wars: Battlefront game series was perfectly satisfactory as an accessible online action game.

I kept all of these optimistic angles in mind as I booted the new game—and as I used my lightsaber of fandom to try to carve through its confusing economies. But that has been Scarif-massacre levels of difficult. Battlefront II ultimately lands as an adequate-but-forgettable combination of polish, bombast, and been-there-done-that shooter tropes. Even after EA's last-minute about-face, little about the total package makes me eager to recommend it to anybody looking for a family-friendly blaster, a Star Wars-worthy story, or a month-after-month dive into online team combat.

One step forward, how many steps back?

Linux Security News

DJI bug bounty NDA is 'not signable', say irate infosec researchers

LinuxSecurity.com: Chinese drone maker DJI faces questions from infosec researchers about its bug bounty programme. Sources have told The Register that a non-disclosure agreement (NDA) they were invited to sign would result in the company "owning their actions".
Ars Technica

If NYPD cops want to snoop on your phone, they need a warrant, judge rules

(credit: Sergi Reboredo/VW PICS/UIG via Getty Images)

A New York state judge has concluded that a powerful police surveillance tool known as a cell-site simulator, a device that spoofs legitimate mobile phone towers, is a "search" and therefore requires a warrant under most circumstances.

As a New York State Supreme Court judge in Brooklyn ruled earlier this month in an attempted murder case, New York Police Department officers should have sought a standard probable cause-driven warrant before using the invasive device.

The Empire State court joins others nationwide in reaching the same conclusion. In September, the District of Columbia Court of Appeals also found that stingrays normally require a warrant, as did a federal judge in Oakland, California back in August.

Security Week

Drone Maker DJI, Researcher Quarrel Over Bug Bounty Program

China-based Da-Jiang Innovations (DJI), one of the world’s largest drone makers, has accused a researcher of accessing sensitive information without authorization after the expert bashed the company’s bug bounty program.

Linux Security News

The Motherboard Guide to Not Getting Hacked

LinuxSecurity.com: Do you want to stop criminals from getting into your Gmail or Facebook account? Are you worried about the cops spying on you? We have all the answers on how to protect yourself.
Ars Technica

Not just a Semi announcement, Tesla promises a new Roadster

Tesla

HAWTHORNE, CALIF.—At tonight's Tesla Semi event we got a lot more than a vague truck design. After a short presentation of the Semi's intended specs, one of the trucks backed onto the stage and a new red Roadster rolled out.

"The foundation of the whole company was the Roadster," Musk told the crowd of employees. "People kept asking 'When are you gonna make a new roadster?'"

Ars Technica

A first look at Tesla’s promised electric semi

Tesla

HAWTHORNE, CALIF.—On Thursday evening, a couple of months later than originally promised, Tesla showed the world its first proper look at the company's heavy duty electric vehicle, the Tesla Semi. The tractor can hook up with any trailer, no brand-specific trailer is necessary.

But let’s get some statistics on what those 2019 electric trucks will look like:

Linux Security

Slackware: 2017-320-02: mozilla-firefox Security Update

LinuxSecurity.com: New mozilla-firefox packages are available for Slackware 14.2 and -current to fix security issues.
Linux Security

Slackware: 2017-320-01: libplist Security Update

LinuxSecurity.com: New libplist packages are available for Slackware 14.2 and -current to fix security issues.
Ars Technica

After fan outcry, EA kicks real-money purchases out of Battlefront II

Perhaps Star Wars: Battlefront II won't go down in flames after a major EA about-face. (credit: Electronic Arts)

Just hours before Star Wars Battlefront II's retail launch Friday, Electronic Arts and developer DICE announced that they are "turning off all in-game purchases... and all progression will be earned through gameplay." The surprise announcement promises the ability to purchase in-game crystals (used to purchase randomized loot boxes filled with in-game items) will return "at a later date," but "only after we've made changes to the game."

"As we approach the worldwide launch, it's clear that many of you feel there are still challenges in the design," DICE General Manager Oskar Gabrielson writes. "We've heard the concerns about potentially giving players unfair advantages. And we've heard that this is overshadowing an otherwise great game. This was never our intention. Sorry we didn't get this right."

Venturebeat cites "sources familiar with the situation" in reporting that the major change comes after Electronic Arts CEO Andrew Wilson conducted a phone call with Disney CEO Bob Iger about the game. EA acquired the lucrative exclusive rights to publish Star Wars-based games in 2013, a year after Disney purchased Lucasfilm for $4 billion.

Ars Technica

Apple’s iOS 11.1.2 fixes the cold weather input bug on the iPhone X

(credit: Samuel Axon)

Apple released iOS 11.1.2 for iPhones and iPads this afternoon. It's a minor, bug-fix update that benefits iPhone X users who encountered issues after acquiring the new phone just under two weeks ago.

iOS 11.1.2's patch notes are short and sweet. The update fixes just two problems. The first is "an issue where the iPhone X screen becomes temporarily unresponsive to touch after a rapid temperature drop." Last week, some iPhone X owners began reporting on Reddit and elsewhere that their touchscreens became temporarily unresponsive when going outside into the cold.

Apple shared the following statement with The Loop:

Linux Security

openSUSE: 2017:3027-1: important: MozillaFirefox

LinuxSecurity.com: An update that fixes three vulnerabilities is now available.
Ars Technica

Comcast wants to get bigger, again, has begun talks with 21st Century Fox

(credit: Comcast)

Comcast and Verizon have each, separately, approached 21st Century Fox about buying part of the company, according to several news reports.

Comcast already owns NBCUniversal and numerous regional sports networks. Adding part of 21st Century Fox would give Comcast even more programming to pair with the nation's largest cable broadband and TV network.

21st Century Fox owns Fox Broadcasting Company as well as various cable networks, broadcast stations, and film producers and distributors. 21st Century Fox also owns 39 percent of Sky, a European broadcaster.
