Dell has started sales of its 75-inch 4K monitor supporting multi-touch capabilities, and combined the device with a set of interactive features. The new Dell 75 4K Interactive Touch Monitor is designed to enable interactive work by groups of people and could therefore compete against Microsoft’s Surface Hub product series.
Dell’s 75-inch 4K Interactive Touch Monitor (C7520QT) uses an IPS panel featuring a 3840×2560 resolution and an ‘InGlass’ touch surface supporting up to 20 touch points simultaneously. Other characteristics of the display are in line with general office LCDs: it has a 350 nits brightness, a 1200:1 contrast ratio, 178-degrees viewing angles, a 8 ms response time, and so on.
The monitor supports a rather massive number of input ports, including one DisplayPort 1.2, a D-Sub (VGA), and three HDMI 2.0 connectors. In addition, the 4K Interactive Touch Monitor has an Ethernet, a quad-port USB 3.0 Type-A hub, a serial port, and 20 W speakers.
Since the Dell 75-inch 4K Interactive Touch Monitor is only a display, not a complete PC like Microsoft’s Surface Hub, it can be used with any PC providing some additional flexibility. Meanwhile the company offers its OptiPlex Micro PC that can be integrated into the display. The company also has a special display manager utility to control the LCD.
Dell’s 75-inch 4K Interactive Touch Monitor is currently available in Japan for ¥598,000 ($5,457) without taxes. Earlier this year Dell said that the C7520QT will be available in the USA this Spring starting at $5,999.99.
More than a year has passed since security researchers revealed Meltdown and Spectre, a pair of flaws in the deep-seated, arcane features of millions of chip sold by Intel and AMD, putting practically every computer in the world at risk. But even as chipmakers scrambled to fix those flaws, researchers warned that they weren’t the end of the story, but the beginning—that they represented a new class of security vulnerability that would no doubt surface again and again. Now, some of those same researchers have uncovered yet another flaw in the deepest guts of Intel’s microscopic hardware. This time, it can allow attackers to eavesdrop on virtually every bit of raw data that a victim’s processor touches.
Today Intel and a coordinated supergroup of microarchitecture security researchers are together announcing a new, serious form of hackable vulnerability in Intel’s chips. It’s four distinct attacks, in fact, though all of them use a similar technique, and all are capable of siphoning a stream of potentially sensitive data from a computer’s CPU to an attacker.
MDS Attacks
The researchers hail from the Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany and security firms Cyberus, BitDefender, Qihoo360 and Oracle. The groups have named variants of the exploit techniques ZombieLoad, Fallout, and RIDL, or “Rogue In-Flight Data Load.” Intel itself has more tamely labelled the new set of attacks “Microarchitectural Data Sampling,” or MDS.
Intel had asked all the researchers to keep their findings secret, some for more than a year, until it could release fixes for the vulnerabilities. But at the same time, the company has sought to downplay the severity of the bugs, according to the researchers, who—split into two groups working independently—each warn that the attacks represent a serious flaw in Intel’s hardware that may require disabling some of its features, even beyond the company’s patch. AMD and ARM chips don’t appear to be vulnerable to the attacks, and Intel says that some models of chip it’s released in the last month include a fix for the problem. Otherwise, all of Intel’s chips that the researchers tested, going back as early as 2008, were affected. You can test if your system is affected with a tool the researchers published here.
Like Meltdown and Spectre, the new MDS attack takes advantage of security flaws in how Intel’s chips perform speculative execution, a feature in which a processor guesses at what operations and data it will be asked to execute or access ahead of time to speed up the chip’s performance.
“We drink from the firehose. If you’re clever, and you process the stuff carefully, you don’t drown.”
Herbort Bos, VUSec
In these new cases, researchers found that they could use speculative execution to trick Intel’s processors into grabbing sensitive data that’s moving from one component of a chip to another. Unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip’s components, such as between a processor and its cache, the small portion of memory allotted to the processor to keep frequently accessed data close at hand.
“It’s kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them,” says Cristiano Giuffrida, one of the researchers in the VUSec group at Vrije Universiteit Amsterdam who discovered the MDS attack. “We hear anything that these components exchange.”
That means any attacker who can run a program on a target chip—whether in the form of a malicious application, a virtual machine hosted on the same server as the target in Amazon’s cloud, or even a rogue website running Javascript in the target’s browser—could trick the CPU into revealing data that should be protected from untrusted code running on that machine. That data can include information like what website the user is browsing, their passwords, or the secret keys to decrypt their encrypted hard drive.
“In essence, [MDS] puts a glass to the wall that separates security domains, allowing attackers to listen to the babbling of CPU components,” reads one line of a VUSec paper on the flaws, which will be presented next week at the IEEE Security and Privacy conference.
‘Easy To Do, And Potentially Devastating’
The four different MDS attack variants all take advantage of a quirk in how Intel’s chips perform their time-saving trick. In speculative execution, a CPU frequently follows a branch of commands in code before a program asks it to, or guesses at the data the program is requesting, in order to get a head start. Think of that guess like a lazy waiter offering a random drink from his tray, in hopes of sparing himself a trip back to the bar. If the CPU guesses incorrectly, it immediately discards it. (Under different conditions, the chip can grab data out of three different buffers, hence the researchers’ multiple attacks.)
Intel’s chip designers may have believed that a wrong guess, even one that serves up sensitive data, didn’t matter. “It throws these results away,” says VUSec’s Guiffrida. “But we still have this window of vulnerability that we use to leak the information.”
Just as with Meltdown and Spectre, the attacker’s code can leak the data that the processor has taken from the buffer via the processor’s cache. That whole process steals at most a few bytes of arbitrary data from one of the CPU’s buffers. But repeat it millions of times in succession, and an attacker can start leaking streams of all the data the CPU is accessing in real-time. With some other tricks, a low-privilege attacker can make requests that persuade a CPU to pull sensitive data like secret keys and passwords into its buffers, where they’re then sucked out by the MDS attack. Those attacks can take between milliseconds and hours, depending on the target data and the CPU’s activity. “It’s easy to do and potentially devastating,” says VUSec researcher Herbort Bos.
VUSec
VUSec, for instance, created a proof of concept, shown above, that can pull hashed passwords—strings of encrypted passwords that can often be cracked by hackers—out of a target chip’s component called a line-fill buffer. TU Graz’s video below shows a simple demonstration in which an untrusted program on the computer can determine what websites someone visits.
A Fight Over the Fix
In a call with WIRED, Intel says its own researchers were the first to discover the MDS vulnerabilities last year, and that it has now released fixes for the flaw in both hardware and software. A software patch for the attack clears all data from buffers whenever the processor crosses a security boundary, so that it can’t be stolen and leaked. Intel says the patch will have “relatively minimal” performance costs in most cases, though for a few data center instances it could slow its chips down by as much as eight or nine percent. To take effect, the patch will have to be implemented by every operating system, virtualization vendor, and other software makers. Apple says it released a fix as part of a recent Mojave and Safari update. A Microsoft spokesperson said the company would release security updates today to address the issue. “We’re aware of this industry-wide issue and have been working closely with affected chip manufacturers to develop and test mitigations to protect our customers,” a statement from a Microsoft spokesperson reads. “We are working to deploy mitigations to cloud services and release security updates to protect Windows customers against vulnerabilities affecting supported hardware chips.” Google, Mozilla, VMware, and Amazon did not immediately respond to an inquiry about the status of their patching.
A more permanent hardware patch, which has already been included in some chips Intel released starting last month, addresses the problem more directly, preventing the processor from grabbing data out of buffers during speculative execution. “For other affected products, mitigation is available through microcode updates, coupled with corresponding updates to operating system and hypervisor software that are available starting today,” a statement from an Intel spokesperson reads.
“We always expected this would keep us busy for years.”
Daniel Gruss, TU Graz
In the meantime, however, the researchers and Intel conflict on the severity of the problem and how to triage it. Both TU Graz and VUSec recommend that software makers disable “hyperthreading,” a feature of Intel chips that accelerates their processing by allowing more tasks to be performed in parallel, but could make certain variants of the MDS attacks vastly easier to pull off. Intel insisted in a phone call with WIRED that the flaws don’t warrant disabling that feature, which would have a serious performance cost for users. In fact, the company has rated the four vulnerabilities a mere “low to medium” severity, a rating that both TU Graz and VUSec researchers challenged.
Intel’s engineers argue, for instance, that while the MDS vulnerabilities can leak secrets, they also leak an enormous amount of other noise from the computer’s operations. But security researchers found that they could reliably dig through that raw output to find the valuable information they sought. To make that filtering easier, they showed that an attacker could trick the CPU into leaking the same secret repeatedly, helping to distinguish it from the surrounding noise.
“If we’re attacking hard disk encryption, we only attack in the short time frame when the key is loaded into memory, so we have a high chance to get the key and some other data,” says Michael Schwarz, one of the TU Graz researchers who worked both the new MDS attacks and the earlier Spectre and Meltdown discoveries. “Some of the data will always be the same and other data will change. We see what occurs most often, and this is the data we’re interested in. It’s basic statistics.”
Or, as VUSec’s Bos puts it, “We drink from the firehose. If you’re clever, and you process the stuff carefully, you don’t drown, and you get everything that you need.”
Downplaying the Severity
All of that casts doubt on Intel’s severity rating for the MDS attacks, the researchers argue. The TU Graz researchers, three of whom worked on the Spectre and Meltdown attacks, rate the MDS attacks roughly between those two earlier vulnerabilities, less serious than Meltdown but worse than Spectre. (They point out that Intel rated Spectre and Meltdown at “medium” severity, too, a judgement with which they disagreed at the time.)
VUSec’s Giuffrida notes that his team was paid $100,000 by Intel for their work as part of the company’s “bug bounty” program that rewards researchers who warns the company about critical flaws. That’s hardly the kind of money paid out for trivial issues, he points out. But he also says that Intel at one point offered VUSec only a $40,000 bug bounty, accompanied by a $80,000 “gift”—what Giuffrida saw as an attempt to reduce the bounty amount cited publicly and thus the perceived severity of the MDS flaws. VUSec refused the offer of more total money in favor of a bounty that better reflected the severity of their findings, and threatened to opt out of a bug bounty in protest. Intel changed its offer to the full $100,000.
“It’s clear what Intel is doing,” says Giufrrida. “It’s in their interest to say that ‘no, after Spectre and Meltdown, we didn’t overlook other vulnerabilities, it’s just that these were so minor that they slipped by.'” In a call with WIRED, Intel denied trying to manipulate the perceived size of the bounty.
While it might seem strange that so many researchers found the MDS flaws within the same window of time—as least two independent teams of seven organizations, plus Intel itself—the TU Graz researchers say that it’s to be expected: The discovery of Spectre and Meltdown unlocked a new, deeply complex and unexplored attack surface for hackers, and one that could yield serious, fundamental security flaws in hardware well into the future.
“There are still more components, and many of them are not documented at all, so it’s not unlikely this continues for a while,” says TU Graz’s Moritz Lipp. His fellow researcher Daniel Gruss adds: “We always expected this would keep us busy for years.” In other words, don’t be surprised if more hidden holes are found in the heart of your computer’s processor for years to come.
The so-called last mile of delivery—getting an order to the customer’s door—has long been an obsession for ecommerce companies. To make the journey as efficient as they can, some have engaged in extreme experiments. Take Walmart: Two years ago, it tried asking its employees to deliver online orders before and after work, in their own cars. That idea was later abandoned, but the problem of the last mile remains, even for the biggest retailers. Now, Amazon is offering to pay its employees thousands of dollars to deliver packages—they just have to quit their current jobs first.
Last June, Amazon created the Delivery Service Partner program to allow entrepreneurs to create their own businesses delivering packages for Amazon. The idea was to get orders moving fast, without the need to rely on UPS or FedEx. On Monday, Amazon said it would begin offering employees up to $10,000 in startup costs to leave their current positions to join the program, as well as three months of gross pay. The initiative arrives as Amazon is pushing to deliver Prime orders within one day instead of two, making the last mile all the more important.
Not just anyone can sign up to be an Amazon Delivery Service Partner. You need to invest at least $10,000, and have liquid assets of at least $30,000 (the latter requirement is being lowered for employees). Those stringent rules may be one of the reasons Amazon is now turning to its own workforce for help. The company says more than 200 delivery partners have sprung up in the last year, but the US labor market remains extremely tight, and it’s not clear how many more people are in a position to join the program. What’s more, Amazon appears to prefer contracting with smaller delivery companies. On its website, it says partners typically have fewer than 100 workers and 40 vans. There may be only so much growth left for Amazon’s current partners, while its delivery needs seem to have no limit in sight.
Delivery partners are considered outside contractors—the drivers who work for them aren’t Amazon employees. While they can technically do work for any company, Amazon provides partners with access to branded vehicles that can only be used for hauling Amazon packages. That employment set-up helps Amazon to compete with companies like FedEx, which also has third-party drivers at the wheel of its branded vans and trucks. And it saves Amazon the responsibility of providing drivers with benefits like health insurance.
That doesn’t mean Amazon has avoided using individual delivery drivers entirely. Since 2015, it has relied on them through its Uber-like Flex platform, where contracted drivers can sign up for shifts couriering Amazon packages for between $18 to $25 an hour before expenses. The program is likely cumbersome to run, says Cathy Morrow Roberson, the founder of the research and consulting firm Logistics Trends & Insights. She says companies shouldn’t depend on crowdsourcing for their entire last mile strategy, since it’s hard to plan around such a precarious workforce.
Got a Tip?
If you’d like to tip WIRED anonymously, we have a couple ways for you to do that here.
Amazon Flex has also proven to be a public relations nightmare. A series of media investigations and first-personaccounts have documented the grueling work that can come with delivering for Amazon, and how drivers must subject to the use of facial recognition.
Delivery partners, by contrast, can manage their drivers however they choose. That freedom may prove attractive to many current Amazon employees interested in starting their own company. Becoming a delivery partner could also be a smart business decision, especially since self-driving delivery services are still years away. While Amazon is quickly automating other parts of its supply chain, it will continue to need drivers ensuring that packages make it the last mile.
In the meantime, Amazon’s rivals are catching up: Walmart just announced it’s going to provide next-day delivery too.
Have a tip about Amazon? Contact the author at louise_matsakis@wired.com or via Signal at 347-966-3806.
These are two videos (one from Singapore, one from Beijing) of cafes that serve coffee with a cloud of cotton candy hanging above the cup so it slowly rains sugar into your drink (coming soon to a froufrou coffee shop near you). Granted it’s not the most efficient way to sweeten your coffee, but it’s certainly one of the most whimsical. Me? I don’t have time for a cotton candy sugar shower when I need a caffeine fix. For me, coffee is rarely an experience, it’s a necessity for not falling asleep at work before noon. Unless we’re talking about butt-chugging, in which case not only is it an experience, but a real eye-opening one. For both of us. "Wait, what?" Now hold this funnel over my head and don’t spill any.
Keep going for the videos.
Thanks to MSA, who agrees the best cup of coffee is the one you smell when you’re still in bed and your lover is already up and in the kitchen brewing it for you.
via Geekologie – Gadgets, Gizmos, and Awesome https://geekologie.com/
Now that we (almost) have folding smartphones, Lenovo’s new prototype tries the technology on a larger scale. It has a 13.3-inch OLED display, which closes in upon itself with a Galaxy Fold-like magnetic latch. Laid flat, the flexible seam disappears, and when it’s propped open, a keyboard appears on the lower half of the screen. We’ll have to wait until at least next year to see this available as a real product, but it could be a way to have a large screen in a device the size of a paper notebook.
The retail giant’s NextDay delivery offering is rolling out in Phoenix and Las Vegas today, May 14th, and will be available for online customers in Southern California over the next few days. Unlike Prime, there’s no membership fee required; however, it only applies to some of Walmart’s items, and orders have to meet a $35 minimum.
The Supreme Court has ruled against Apple in a long-standing case over price fixing in the App Store, in a decision that allows iPhone owners to proceed with a lawsuit against the company. The court agreed with the plaintiffs’ assertion that people who buy apps from the App Store are doing so directly from Apple, and as such they aren’t prohibited "from suing Apple under the antitrust laws." Now the lawsuit can go to trial, unless the parties settle. In a statement, Apple said, "We’re confident we will prevail when the facts are presented and that the App Store is not a monopoly by any metric."
Instead of wasting time hunting for their Uber or Lyft, passengers landing at Portland International Airport can just hop in an available car and share a six-digit code with the driver. If successful, they could expand the PIN feature to airports across the country.
This new ThinkBook series promises "business-grade" features and security in a fairly sleek package. The laptops have thin bezels and are less than .65-inches thick, even with dedicated Skype keys, Radeon 540X GPUs, TPM 2.0 security chips, fingerprint readers and webcam privacy shutters. If you need more power, however, the new 15-inch ThinkPad X1 Extreme can be had with a 4K OLED display, GTX 1650 Max-Q graphics and a 9th-gen Core i9 CPU.
The company is now rolling out the updated application to iPhone, iPad, Apple TV and compatible Samsung smart TVs, complete with a fresh look, the new Channels feature and curated sections such as For You and Kids. Apple says there are now more than 100,000 films and TV series on iTunes, including a large collection of 4K HDR content that you can rent or buy. Now you can get to all of that without having to leave its TV app. Plus, with Channels, users can subscribe to premium networks without leaving the app and download videos for offline viewing even from services that don’t normally offer the feature, like HBO Go.
Sources told Reuters that Amazon is considering the CartonWrap machines from CMC Srl, which can build boxes around custom orders and add seals and labels. The machines can reportedly build 600 to 700 boxes per hour, which is four to five times faster than a human.
When AT&T sold its shares of Hulu last month, Disney and Comcast were left as the company’s sole owners. Today, Comcast relinquished its control, leaving Disney in charge of the streaming platform. This means, since its acquisition of Fox’s 30 percent stake in 2017, Disney has slowly chipped away at its fellow Hulu owners.
As part of a put/call agreement, Comcast handed the reins over to Disney. In exchange, Comcast can require Disney to buy NBCUniversal’s 33 percent ownership interest in Hulu, as early as January 2024. At that future time, Disney can require NBCUniversal to sell its interest in Hulu for fair market value. Hulu’s fair market value will be assessed at the time of that future sale, but Disney guaranteed a minimum sale price of $27.5 billion.
While Disney now has full operational control, the agreement states that Comcast’s ownership in Hulu will never be less than 21 percent. Comcast also agreed to extend the Hulu license of NBCUniversal content until late 2024, and the company will still distribute Hulu on its Xfinity X1 platform. However, NBCUniversal can terminate most of its content license agreements after that three-year period.
It’s hard to say what will happen to NBCUniversal content, as well as other Hulu programming, after that. Disney is still working on Disney+, which means the company will have two streaming platforms. Though, it has hinted at bundling services like Hulu and ESPN+.
