RSS Live Feed

Intel Is Patching Its 'Zombieload' CPU Security Flaw For the Third Time

Slashdot - 2 hours 48 minutes ago
An anonymous reader quotes a report from Engadget: For the third time in less than a year, Intel has disclosed a new set of vulnerabilities related to the speculative functionality of its processors. On Monday, the company said it will issue a software update "in the coming weeks" that will fix two more microarchitectural data sampling (MDS) or Zombieload flaws. This latest update comes after the company released two separate patches in May and November of last year. Compared to the MDS flaws Intel addressed in those two previous patches, these latest ones have a couple of limitations. To start, one of the vulnerabilities, L1DES, doesn't work on Intel's more recent chips. Moreover, a hacker can't execute the attack using a web browser. Intel also says it's "not aware" of anyone taking advantage of the flaws outside of the lab. In response to complaints of the company's piecemeal approach, Intel said that it has taken significant steps to reduce the danger the flaws represent to its processors. "Since May 2019, starting with Microarchitectural Data Sampling (MDS), and then in November with TAA, we and our system software partners have released mitigations that have cumulatively and substantially reduced the overall attack surface for these types of issues," a spokesperson for the company said. "We continue to conduct research in this area -- internally, and in conjunction with the external research community."

Read more of this story at Slashdot.


Apple Imagines iMac Built Into Curved Sheet of Glass

Slashdot - 3 hours 31 minutes ago
Apple applied for a patent for an ambitious design for a new all-in-one computer which integrates both its keyboard and screen into a single curved sheet of glass. The Verge reports: The patent application, which was first spotted by Patently Apple, and which was filed in May last year, describes how the iMac-like computer's "input area" and "display area" could be built into a single continuous surface, while a support structure behind the display could then contain the computer's processing unit, as well as providing space for all the machine's ports. It's a pretty striking design for a couple of reasons. For one thing, the amount of curved glass involved is far more than Apple has ever used in one of its products before. It's also interesting to see that the company is thinking about taking the iMac's all-in-one design even further, by integrating not just the computer and display together, but also a keyboard and touchpad as well (although the application also describes how the keyboard could be detached during use). The patent also describes how one could dock a MacBook into the device and output the screen to the iMac's display, while its keyboard would pass through a hole in the middle of the machine to let you use it as normal. Additionally, "the application suggests that its single sheet of glass could fold down its middle to allow you to pack it away when not in use," reports The Verge.

Read more of this story at Slashdot.


Bitcoin Gold Hit By 51 Percent Attacks, $72,000 In Cryptocurrency Double-Spent

Slashdot - 4 hours 13 minutes ago
Malicious cryptocurrency miners took control of Bitcoin Gold's blockchain recently to double-spend $72,000 worth of BTG. The Next Web reports: Bad actors assumed a majority of the network's processing power (hash rate) to re-organize the blockchain twice between Thursday and Friday last week: the first netted attackers 1,900 BTG ($19,000), and the second roughly 5,267 BTG ($53,000). Cryptocurrency developer James Lovejoy estimates the miners spent just $1,200 to perform each of the attacks, based on prices from hash rate marketplace NiceHash. This marks the second and third times Bitcoin Gold has suffered such incidents in two years. Any entity that controls more than 51 percent of a blockchain's hash rate can decide what version of the blockchain is accepted (or rejected) by the network. These scenarios also allow for "double-spending," attacks that initiate a transaction with intent to quickly reverse it by "re-organizing" the blockchain, so that they can spend their original cryptocurrency again. What results is a third party accepting the original transaction and the network returns the cryptocurrency spent to the attacker, essentially allowing their funds to be used twice -- hence the name "double-spending." With Bitcoin, a transaction is generally deemed legitimate once found six blocks deep in the blockchain. These particular 51-percent attackers performed re-organizations up to 16 blocks deep, seemingly in a bid to trick exchanges like Binance into paying out BTG destined to be double-spent.

Read more of this story at Slashdot.


GM To Invest $2.2 Billion In First All-Electric Vehicle Plant, Create 2,200 Jobs

Slashdot - 4 hours 53 minutes ago
An anonymous reader quotes a report from NBC News: General Motors confirmed Monday it will invest $2.2 billion to convert an aging Detroit assembly plant into the manufacturing heart of its "all-electric future." The Detroit-Hamtramck Assembly Plant was one of five North American factories GM said it would close in November 2018 but the automaker reversed course as part of an aggressive plan to launch more than 20 battery-electric vehicles, or BEVs, by 2023. The first to roll out of what is known locally as the "Poletown Plant" will be an all-electric pickup that will reportedly be the subject of an upcoming Super Bowl ad. It is widely expected to bring back the name, "Hummer," used for a brand GM abandoned in 2010 after emerging from bankruptcy. The plant will be capable of using an extremely flexible vehicle "architecture," said GM President Lloyd Reuss, industry-speak for its underlying platform. It will allow the automaker to produce multiple products "for multiple brands, with multiple variants, with multiple customers (offering) different ranges of performance at different price points to meet customers wherever they are." After a news conference at the plant, Reuss told NBC News there will be multiple pickup truck models. The Poletown plant also will have the capacity to produce SUVs and crossovers, he said. What is expected to be called the Hummer pickup will go into production in late 2021. It will be followed in early 2022 by a version of the Cruise Origin, the fully driverless ride-sharing vehicle announced last week by Cruise, GM's autonomous vehicle subsidiary. The $2.2 billion that GM will spend on the plant "is part of a broader investment of $3 billion authorized as part of the contract it negotiated last autumn with the United Auto Workers Union," adds NBC News. That includes a number of other projects, including a plan to set up a factory in Lordstown, Ohio to build batteries.

Read more of this story at Slashdot.


CVE-2020-8090

Latest 7 days CVE Lists - 5 hours 17 minutes ago
The Username field in the Storage Service settings of A1 WLAN Box ADB VV2220v2 devices allows stored XSS (after a successful Administrator login).

CVE-2020-8091

Latest 7 days CVE Lists - 5 hours 17 minutes ago
svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname.

CVE-2012-6448

Latest 7 days CVE Lists - 5 hours 18 minutes ago
Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2013-2267

Latest 7 days CVE Lists - 5 hours 18 minutes ago
PHP Code Injection vulnerability in FUDforum Bulletin Board Software 3.0.4 could allow remote attackers to execute arbitrary code on the system.

CVE-2013-2474

Latest 7 days CVE Lists - 5 hours 18 minutes ago
Directory traversal vulnerability in AWS XMS 2.5 allows remote attackers to view arbitrary files via the 'what' parameter.

CVE-2013-2499

Latest 7 days CVE Lists - 5 hours 18 minutes ago
SimpleHRM 2.3 and earlier could allow remote attackers to bypass the authentication process in 'user_manager.php' via spoofing a cookie.

CVE-2013-2612

Latest 7 days CVE Lists - 5 hours 18 minutes ago
Command-injection vulnerability in Huawei E587 3G Mobile Hotspot 11.203.27 allows remote attackers to execute arbitrary shell commands with root privileges due to an error in the Web UI.

'I Tried Listening To Podcasts at 3x and Broke My Brain'

Slashdot - 5 hours 33 minutes ago
'Podfasters' listen to their favorite pods at 1.5x, even 2x speed. But how fast is too fast? From a report: Bumping the speed up to 1.5x was initially jarring. People were talking so quickly that I had to stop what I was doing and focus on the audio to keep it from falling into background chatter. After about 20 minutes of this intentional listening, however, it felt like my brain had adjusted. What at first felt rushed and slightly wrong, now felt natural. Once I found that I could go back to doing the things I normally do when I listen to podcasts -- brush my teeth, do the dishes, fold the laundry -- I bumped up the speed another notch to the 2x barrier. Like the previous jump in speed, the first 15 to 20 minutes required an additional level of focus to get my brain to match the cadence of the conversation. But once I was there I felt like I didn't have to strain to understand what was being said -- my brain just "learned" how to listen to this accelerated pace. In our discussion of breaking 2x, Uri Hasson, director of Princeton's Hasson Lab, brought up one population that handles sped-up speech much better than the rest of us: the visually impaired. A 2018 University of Washington study attempted to quantify human listening rates by measuring the intelligibility of audio from a text-to-speech generator played at increasingly faster speeds. Researchers found that the average sighted person could comprehend around 300 words per minute, or about double the average talking speed of an American English speaker. Visually impaired subjects, however, vastly outperformed sighted subjects at speeds past 2x, demonstrating comprehension at rates even approaching 3x. The researchers hypothesized that this difference between sighted and visually impaired listening rates was attributed to one group being more familiar with synthesized text-to-speech voices. 
At 2x, the experience of listening to audio began to change: Though I could understand the words, they seemed to have less emotional resonance. At these high speeds, my brain seemed to shift away from assessing people's feelings towards baseline comprehension. At the end of each sentence, I'd feel a little twinge of joy, not because of anything happening in the podcast, but just because I had understood the words. Hasson points out that single word comprehension is really only one dimension of comprehension. Our brains do not work like computers. We can recognize words very quickly, but to integrate them into a sentence, a sentence into a paragraph, and a paragraph into a larger narrative takes time. Feeling competent in my base-level comprehension at 2x, I crossed the threshold into 3x. It took every ounce of concentration to just register what was being said. After 20 minutes, my brain couldn't settle into the rhythm of the conversation. I sat there for an hour, with my eyes closed, hoping that my brain would eventually "click" like it did before, but it refused.

Read more of this story at Slashdot.


Met Police To Deploy Facial Recognition Cameras

Slashdot - 6 hours 13 minutes ago
The Metropolitan Police has announced it will use live facial recognition cameras operationally for the first time on London streets. From a report: The cameras will be in use for five to six hours at a time, with bespoke lists of suspects wanted for serious and violent crimes drawn up each time. Police say the cameras identified 70% of suspects but an independent review found much lower accuracy. Privacy campaigners said it was a "serious threat to civil liberties." Following earlier pilots in London and deployments by South Wales Police, the cameras are due to be put into action within a month. Police say they will warn local communities and consult with them in advance.

Read more of this story at Slashdot.


CVE-2020-5218

Latest 7 days CVE Lists - 6 hours 17 minutes ago
Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no sylius_channel.debug is set explicitly in the configuration, the default value, which is kernel.debug, will not be resolved and cast to boolean, enabling this debug feature even if that parameter is set to false. A patch has been provided for Sylius 1.3.x and newer: 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

CVE-2020-5220

Latest 7 days CVE Lists - 6 hours 17 minutes ago
Sylius ResourceBundle accepts and uses any serialisation groups passed via an HTTP header. This might lead to data exposure by using an unintended serialisation group; for example, it could make Shop API use a more permissive group from Admin API. Anyone exposing an API with ResourceBundle's controller is affected. The vulnerable versions are: <1.3 || >=1.3.0 <=1.3.12 || >=1.4.0 <=1.4.5 || >=1.5.0 <=1.5.0 || >=1.6.0 <=1.6.2. The patch is provided for Sylius ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3.

Motorola on the Razr's Folding Screen: 'Bumps and Lumps Are Normal'

Slashdot - 6 hours 53 minutes ago
Last week, Motorola's Razr handset went on sale for $1499. Alongside the pre-order launch, Motorola has posted a series of videos on its YouTube channel that are somewhere between brief ads and how-tos for the folding phone. And as you might have guessed from the headline, "Caring for razr" caught The Verge's eye. From the report: In it, Motorola runs through the basics of what you need to know if you have a phone with a plastic folding screen. We thought we knew most of them already based on our experience with the Galaxy Fold, but Motorola's video has one more thing to think about: "Screen is made to bend; bumps and lumps are normal." With the Galaxy Fold, "bumps and lumps" ended up being the first harbingers of a catastrophic screen failure on our review unit. Apparently that's not going to be the case with the Razr. There are lots of ways to build a hinge for a folding plastic screen, and Motorola apparently opted for a design that allows for a little more flex than the original Fold design did. It's also able to close completely flat. Because of that plastic material, the screen is likely to have some kind of crease -- though we weren't really able to see much of one in our original hands-on. We'll obviously need to review the phone in full before we can say ourselves whether the screen has a notable crease, bumps, or lumps.

Read more of this story at Slashdot.


CVE-2020-8087

Latest 7 days CVE Lists - 7 hours 17 minutes ago
SMC Networks D3G0804W D3GNV5M-3.5.1.6.10_GA devices allow remote command execution by leveraging access to the Network Diagnostic Tools screen, as demonstrated by an admin login. The attacker must use a Parameter Pollution approach against goform/formSetDiagnosticToolsFmPing by providing the vlu_diagnostic_tools__ping_address parameter twice: once with a shell metacharacter and a command name, and once with a command argument.

CVE-2020-8088

Latest 7 days CVE Lists - 7 hours 17 minutes ago
panel_login.php in UseBB 1.0.12 allows type juggling for login bypass because != is used instead of !== for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.

CVE-2020-5207

Latest 7 days CVE Lists - 7 hours 18 minutes ago
In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding properly or doesn't handle \n as a headers separator.

Qt offering changes 2020

lwn.net - 7 hours 46 minutes ago
The Qt blog has announced some changes in how the Qt toolkit is offered to consumers. Notably, installation of Qt binaries will require a Qt Account and long-term-supported (LTS) releases and the offline installer will become available to commercial licensees only. "From February onward, everyone, including open-source Qt users, will require valid Qt accounts to download Qt binary packages. We changed this because we think that a Qt account lets you make the best use of our services and contribute to Qt as an open-source user. We want open-source users to help improve Qt in one form or another, be that through bug reports, forums, code reviews, or similar. These are currently only accessible from a Qt account, which is why having one will become mandatory."