New Spectre attack enables secrets to be leaked over a network

https://arstechnica.com/?p=1349267


via Ars Technica https://arstechnica.com

July 26, 2018 at 04:46PM

Facial Recognition Software Wrongly Identifies 28 Lawmakers As Crime Suspects

https://www.npr.org/2018/07/26/632724239/facial-recognition-software-wrongly-identifies-28-lawmakers-as-crime-suspects?utm_medium=RSS&utm_campaign=news


The American Civil Liberties Union says that Amazon Rekognition, facial recognition software sold online, inaccurately identified lawmakers and poses threats to civil rights — charges that Amazon denies.

Leon Neal/AFP/Getty Images


Facial recognition software sold by Amazon mistakenly identified 28 members of Congress as people who had been arrested for crimes, the American Civil Liberties Union announced on Thursday.

Amazon Rekognition has been marketed as a tool that provides extremely accurate facial analysis of photos and video.

The ACLU tested that assertion by running photos of every current member of the House and Senate through the software, searching for matches in a database the watchdog built from thousands of publicly available arrest photos.

“The members of Congress who were falsely matched with the mugshot database we used in the test include Republicans and Democrats, men and women, and legislators of all ages, from all across the country,” the ACLU stated.

The test misidentified people of color at a high rate — 39 percent — even though they made up only 20 percent of Congress. One member falsely cited as a crime suspect was Rep. John Lewis, D-Ga., who first came to prominence as a civil rights leader.

As part of the test, the ACLU said it used Amazon’s default match settings.

But a spokeswoman for Amazon Web Services said in an emailed statement that the ACLU should have changed those settings and used a higher “threshold,” the minimum confidence score, expressed as a percentage, that a candidate must reach before Rekognition reports it as a match.

“While 80% confidence is an acceptable threshold for photos of hot dogs, chairs, animals, or other social media use cases, it wouldn’t be appropriate for identifying individuals with a reasonable level of certainty,” she said. For law enforcement, Amazon “guides customers” to set the threshold at 95 percent or higher.

ACLU of Northern California attorney Jacob Snow responded to that comment in an emailed statement: “We know from our test that Amazon makes no effort to ask users what they are using Rekognition for,” he said.

Snow doesn’t think that changing the threshold changes the danger: “Face surveillance technology in the hands of government is primed for abuse and raises grave civil rights concerns.”

Outcry from privacy and civil rights groups has not stopped law enforcement from pursuing the technology. The Orlando, Fla., police force tested Rekognition’s real-time surveillance. The Washington County Sheriff’s Office, near Portland, Ore., has used it to search faces from photos of suspects taken by deputies.

“This is partly a result of vendors pushing facial recognition technology because it becomes another avenue of revenue,” Jeramie Scott, national security counsel at the Electronic Privacy Information Center in Washington, D.C., told NPR. He compared facial recognition software to body cameras worn by law enforcement, which can be used for police accountability or, increasingly, public surveillance.

He stressed the need for debate so that the technology doesn’t become a poor solution for bad policy. “Because of the disproportionate error rate, and because of the real risk of depriving civil liberties posed by facial recognition technology, we need to have a conversation about how and when and under what circumstances this technology should be used by law enforcement, if at all.”

via NPR Topics: News https://ift.tt/2m0CM10

July 26, 2018 at 05:47PM

Virgin’s Unity spaceship sets a new altitude record of 52 kilometers

https://arstechnica.com/?p=1349297


  • The VSS Unity spacecraft makes a successful landing after its third powered flight.
  • Virgin Galactic’s Third Powered Flight on July 26th 2018
  • The space plane reached an altitude of 52km.

    Images: Virgin Galactic

Virgin Galactic has been saying for some time that it will reach outer space this year, and on Thursday it came the closest it has ever gotten. During the third powered flight of the VSS Unity vehicle, the spacecraft reached an altitude of 52km (32.3 miles), just over halfway toward the Kármán line, which generally is regarded as the beginning of space. This is the first time that Virgin Galactic has flown into the mesosphere.

The company also released a few other details about the flight, noting that the spacecraft was released from its carrier aircraft at 14.2km, that its engine burned for 42 seconds, and that the vehicle reached a maximum speed of Mach 2.7. Pilots Dave Mackay and Mike “Sooch” Masucci flew the Unity vehicle on Thursday morning from the Mojave Air & Space Port.

“It was a thrill from start to finish,” Mackay said after the flight in a company news release. “Unity’s rocket motor performed magnificently again, and Sooch pulled off a smooth landing. This was a new altitude record for both of us in the cockpit, not to mention our mannequin in the back, and the views of Earth from the black sky were magnificent.”

via Ars Technica https://arstechnica.com

July 26, 2018 at 02:16PM

Watch Samsung’s “Unbreakable” OLED Panel Survive a Beating by Hammer

https://www.droid-life.com/2018/07/26/watch-samsungs-unbreakable-oled-panel-survive-a-beating-by-hammer/


Yesterday, Samsung showed off a supposedly unbreakable OLED panel for smartphones. It’s a flexible OLED with a plastic substrate, covered by a plastic cover window that allows it to bend and flex in ways that your typical glass-covered OLED panel wouldn’t be able to. Because it’s not necessarily ready to be put in your next phone, they instead tried to destroy it with a hammer to build hype.

In the video below, which has a fabulously awkward circus soundtrack and glorious graphics, the presenter bends and twists the panel before going after it with a rubber mallet. Of course, it doesn’t break because it’s not glass, bends in fun ways, and “plastic window is good.”

Will we see this type of display in the upcoming and oft-rumored Galaxy X? Who knows. This bad boy isn’t foldable like that phone is said to be, so it could instead make its way into other products first, which Samsung points out as being display consoles in cars, mobile military devices, and portable game consoles.

Now prepare yourselves, as it’s time to “start pounding the panel with the hammer!”

// Samsung

via Droid Life: A Droid Community Blog https://ift.tt/2dLq79c

July 26, 2018 at 10:58AM

Decade-old Bluetooth flaw lets hackers steal data passing between devices

https://arstechnica.com/?p=1348969


A large number of device makers are patching a serious vulnerability in the Bluetooth specification that allows attackers to intercept and tamper with data exchanged wirelessly. People who use Bluetooth to connect smartphones, computers, or other security-sensitive devices should make sure they install a fix as soon as possible.

The attack, which was disclosed in a research paper published Wednesday, is serious because it allows people to perform a man-in-the-middle attack on the connection between vulnerable devices. From there, attackers can view any exchanged data, which might include contacts stored on a device, passwords typed on a keyboard, or sensitive information used by medical, point-of-sale, or automotive equipment. Attackers could also forge keystrokes on a Bluetooth keyboard to open up a command window or malicious website in an outright compromise of the connected phone or computer.

Not novel

Bluetooth’s Secure Simple Pairing (for BR/EDR) and LE Secure Connections both use an elliptic curve Diffie-Hellman exchange so that devices that have never connected before can establish the secret key needed for encrypted communications. The attack uses a newly developed variant of what cryptographers call an invalid curve attack to exploit a major shortcoming in the Bluetooth pairing protocol that went unnoticed for more than a decade. As a result, an attacker positioned between two pairing devices can force them to derive a key the attacker knows, and then monitor and modify the data passing wirelessly between them.

“This attack lets an attacker who can read and modify Bluetooth traffic during pairing force the key to be something they know,” JP Smith, a security engineer and Bluetooth security expert at security firm Trail of Bits, told Ars. “It’s not mathematically/theoretically novel at all, and it’s in fact about the simplest attack you can do on elliptic curve cryptosystems. Notably, this is a protocol-level fault, so if you implemented the Bluetooth spec out of the book (without some optional validation), you have this bug.”

The active man-in-the-middle attack that allows data to be modified works successfully on 50 percent of the pairings, with the remainder failing. A related passive attack works on 25 percent of the pairings. Attackers who don’t succeed on the first attempt are free to try on later pairings. Attacks work even when pairings require the user to type a six-digit number displayed on one device into the other one. Attacks require specialized hardware that probably wouldn’t be hard for more advanced hackers to build or obtain.

In the paper, researchers from Technion–Israel Institute of Technology write:

We would like to point out two major design flaws that make our attack possible. The first design flaw is sending both the x-coordinate and the y-coordinate during the public key exchange. This is unnecessary and highly inadvisable, since it greatly increases the attack surface, while calculating the y-coordinate from a given x-coordinate is simple.

The second major flaw is that although both coordinates of the public keys are sent during the second phase of the pairing, the protocol authenticates only the x-coordinate. We are not aware of any reason why the designers decided to leave the y-coordinate unauthenticated, other than for saving a tiny computational effort. Even though the point validity should be checked by the implementation, our attack could have also been avoided if both coordinates were authenticated.

Another less significant flaw is that the protocol designers state that “To protect a device’s private key, a device should implement a method to prevent an attacker from retrieving useful information about the device’s private key using invalid public keys. For this purpose, a device can use one of the following methods.” In this quote, the specification uses the term “should” (as opposed to “must”). Therefore, implementors may skip the instruction as it is not mandatory for compliance with the specification.
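To make the two flaws concrete, here is an added Python example; it is not code from the paper or from any Bluetooth stack. It works on NIST P-256, the curve LE Secure Connections uses, with plain affine arithmetic on Python integers. The attacker keeps the authenticated x-coordinate of a victim’s public key and sets y to 0. That point is not on P-256, but it does lie on the curve with the same a and a different b, where it has order 2, and the addition formulas never look at b. The victim’s scalar multiplication therefore yields either the point at infinity or the forged point itself, depending only on whether its private key is even or odd, so the resulting “shared secret” is one of two values the attacker can predict. The x-only commitment, the convention that the point at infinity serialises as zero, and the private key values are assumptions made for illustration.

```python
"""Fixed-coordinate invalid curve attack against an unvalidated ECDH public key.

Added example, not from the paper or any Bluetooth implementation. Assumptions:
an x-only authentication check, INF serialised as 0, constructed private keys.
"""
import hashlib

# NIST P-256 domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # the point at infinity (group identity)


def on_curve(pt):
    """The check the spec left optional: does (x, y) satisfy y^2 = x^3 + Ax + B mod P?"""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition. B never appears here, so the same formulas work on every
    curve y^2 = x^3 + Ax + b', which is exactly what an invalid curve attack abuses."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p2 == -p1; also covers doubling a point with y == 0
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def dhkey(priv, peer_pub, validate):
    """DHKey = x-coordinate of priv * peer_pub. 'validate' models the optional public key
    check; serialising INF as 0 is an assumption about how a stack would encode it."""
    if validate and not on_curve(peer_pub):
        raise ValueError("peer public key is not a point on P-256")
    shared = mul(priv, peer_pub)
    return 0 if shared is INF else shared[0]


def x_only_commitment(pub):
    """Stand-in for an authentication step that covers only the x-coordinate."""
    return hashlib.sha256(pub[0].to_bytes(32, "big")).hexdigest()


def forge(pub):
    """Attacker's move: keep x (it is authenticated), set y to 0. (x, 0) lies on the curve
    with b' = -(x^3 + Ax) and has order 2 there: k*(x,0) is INF for even k, (x,0) for odd k."""
    return (pub[0], 0)


def rejects_forged(priv, pub):
    """True if a device that validates the received point refuses the forged key."""
    try:
        dhkey(priv, forge(pub), validate=True)
    except ValueError:
        return True
    return False


def demo():
    # Constructed private scalars, one even and one odd, so both outcomes are visible
    priv_even, priv_odd = 0x2468ACE0, 0x13579BDF
    pub_even, pub_odd = mul(priv_even, G), mul(priv_odd, G)
    honest = dhkey(priv_even, pub_odd, validate=True)
    assert honest == dhkey(priv_odd, pub_even, validate=True)  # normal ECDH agrees

    forged = forge(pub_odd)
    return {
        # an x-only check cannot tell the forged key from the genuine one
        "commitment_passes": x_only_commitment(forged) == x_only_commitment(pub_odd),
        "even_victim_key": dhkey(priv_even, forged, validate=False),  # 0: INF
        "odd_victim_key": dhkey(priv_odd, forge(pub_even), validate=False),  # forged x
        "predicted_odd_key": pub_even[0],
        "patched_device_rejects": rejects_forged(priv_even, pub_odd),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script, the even-key victim derives 0 and the odd-key victim derives the forged point’s own x-coordinate; neither depends on anything the attacker does not already know, and the x-only commitment passes in both cases. With `validate=True` the forged point fails the curve equation and is rejected, which is the check that a patched device performs and why a single patched side is enough to break the attack.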

A variety of devices and software—including those running macOS, iOS, or Android or made by LG or Huawei—have already received patches. In a FAQ, the researchers said Microsoft’s Bluetooth stack “implements an old version of the standard, which is even less secure, rather than the broken contemporary standard.” CERT has also published an advisory.

For attacks to be successful, both of the paired devices must be vulnerable: if either side validates the public key it receives, it rejects the forged point and the pairing fails. That means as long as either one is patched, users aren’t susceptible. People who use Bluetooth to transmit sensitive data or control trusted devices should ensure they have installed patches on at least one of them. While patches are available for many mainstream devices, there are likely many more specialized ones used in hospitals, stores, and other environments that will remain unprotected for the foreseeable future. Users of these devices should check with manufacturers.

via Ars Technica https://arstechnica.com

July 25, 2018 at 07:15PM

Game Studio With No Bosses Pays Everyone The Same

https://kotaku.com/game-studio-with-no-bosses-pays-everyone-the-same-1827872972


The game industry is not exactly known for valuing workers. Big studios are rife with soul-destroying crunch and end-of-project layoffs. French studio Motion Twin, developer of the Castlevania-inspired roguelike Dead Cells, is trying something different: Workers own and manage the company. There is no boss.

Motion Twin describes itself as an “anarcho-syndical workers cooperative.” What this means in practical terms is that all of its 11 workers are, in theory, equal. Same pay, same say.

“We actually just use a super basic formula: if a project finds success, people are basically paid more in bonuses, and everyone is paid the absolute same way,” said longtime Motion Twin game designer Sébastien Bénard in an email. “The devs and the artists are paid the same amount of money, and people like me who have been here for 17 years are paid the same amount as people who were recruited last year.”

It seems to be working. Motion Twin has been in business for nearly two decades, and the studio’s most recent game Dead Cells has sold more than 700,000 units on PC alone before even leaving early access.

Motion Twin’s pay and ownership system, Bénard said, constitutes “a direct challenge, not just to the exploitative practices you see at a lot of other companies, but also to tired old world corporate structures in general.” Games are team projects, after all, and Bénard believes that it’s “almost impossible” for anybody to definitively declare that their particular contribution of blood, sweat, and tears had more of an impact than anybody else’s. Bénard would not disclose the exact salary everybody at Motion Twin brings home, but said it’s “roughly the same as in other game companies” before bonuses.

Decision-making is also a team-based process, albeit one that doesn’t always require everybody to sit down at the table and argue their case. Small-scale decisions happen in Slack or around the coffee machine without too much brouhaha, Bénard said, but important strategic shifts and decisions that will impact everybody result in full team meetings. If a consensus doesn’t emerge, they take a vote. Sometimes that means people don’t get their way, and that, said Bénard, is “the tricky part.”

In other studios, most developers don’t get to leave their mark outside their designated cog in the machine, but at Motion Twin, everyone is used to having equal say. When things don’t go their way, this presents a new set of challenges. Bénard said the biggest one is “to accept that sometimes, you’ll be right and your proposals will be chosen, and sometimes, your well-intentioned super revolutionary idea will be thrown away by the team. That’s the way it works, and everyone has to accept that the resulting decisions were made by people who understood your point of view, but decided to scrap it anyway.”

That’s not to say Motion Twin doesn’t deal with other challenging elements of video game development as well. Crunch, for example, still exists at the studio, but Bénard said that everybody tries to avoid it most of the time because it leaves people broken and exhausted, and doing little to no work after the crunch. In all cases, Motion Twin relies on a strict time-tracking system so that if developers work late one day, they can leave early on another. “But that should always be an exceptional situation,” said Bénard. “Years of experience told us it’s much more important to have people working together, at the same time, in the same place, than people working at home, or late at night alone in the office.”

As with other studios, the threat of burnout looms heavy at Motion Twin too, but it’s exacerbated by the burden of responsibility that everybody carries. “Because everyone is responsible for many things at Motion Twin, your brain usually keeps ‘working at Motion Twin’ when you come back home everyday,” said Bénard.

“We spend lots of time reading articles, talking to players on Discord or Reddit, watching live streams, etc,” he said. “But you need to rest and cannot afford to be always focused on Dead Cells 24/7, and everyone in the Motion Twin faces burnout at least once because of our system.”

The solution? Bénard says that lately the studio has gotten good about just telling people who seem to be on the verge of burnout to go home. The company puts an emphasis on employees being happy and driven, and burnout risks stripping away both those crucial qualities forever. “It’s obviously better to lose a few work hours than a colleague,” said Bénard. “There’s absolutely no discussion about that.”

There’s a caveat to all of this, though: Motion Twin is a relatively small studio. It’s ballooned up before, but under all the specific constraints of Motion Twin’s structure, the balloon went pop.

“Years ago, we did grow a lot, but this wasn’t a great experience,” Bénard said. “We lost much of what made Motion Twin a nice company to work in, and during the process, many people lost this important motivation and focus that worked for us. I think it requires quite a clever structure to go beyond 15 people with a similar equitable design, because you’ll need innovative systems to keep everyone involved.”

Bénard isn’t sure that’s such a bad thing, though. “Passionate workers can do much more in a few work hours than any dev forced to work on weekends or late at night,” he said. “We were able to achieve much more being eight people than when we were 20+, so we plan to stay below the 15-person limit.”

He hopes, though, that if nothing else, Motion Twin’s mentality toward work in the gaming industry becomes the norm, rather than an exception, in the coming years.

“We will probably ‘joke’ about game industry work conditions in a few years,” he said, “because it’s just obviously ridiculous and inefficient. People are simply not disposable resources.” 

via Kotaku https://kotaku.com

July 25, 2018 at 06:20PM

Glass Skyscraper Built In China With World’s Tallest Manmade Waterfall Cascading From The Side At 108 Meters (354 Feet)

http://geekologie.com/2018/07/glass-skyscraper-built-in-china-with-wor.php



These are several shots and a video of a glass skyscraper built by the Guizhou Ludiya Property Management construction company in Guiyang, the capital city of Guizhou province in Southwest China. The skyscraper is home to the world’s tallest entirely manmade waterfall, which spills over a ledge at a height of 108 meters (~354 feet). It’s not running all the time though. Or hardly ever really. You see, the waterfall “requires 4 large pumps to lift the recycled water…before it cascades down the side of the huge building. It faced huge engineering challenges during construction and because of electricity costs, believed to be over $100 an hour, the waterfall is only in use for special occasions.” AND for only around twenty minutes at a time. Regardless, the next time they do fire it up I have every intention of being the first person to ride down the falls on an inflatable alligator pool float. “You’ll die.” A TRUE HERO? “No, just die.” I’m still not entirely against it.

Keep going for several more shots (including the green water pool at the bottom) and a video while I speculate if I just clog a sink in the bathroom of a skyscraper that’s even taller if I didn’t just personally create the world’s tallest manmade waterfall.


Thanks to Ryan WL, who agrees humans have pretty much done everything now. Right? I say we throw in the towel.


via Geekologie – Gadgets, Gizmos, and Awesome http://geekologie.com/

July 25, 2018 at 03:37PM