Intel to Release Firmware to Combat Spectre

At least they are addressing it! Kudos to them!

Intel’s new Spectre fix: Skylake, Kaby Lake, Coffee Lake chips get stable microcode

ZDNet – By: Liam Tung – “Customers running machines with newer Intel chips can expect to receive stable firmware updates for the Spectre CPU attack Variant 2 soon.

Intel says it has given PC makers a new set of microcode updates that mitigate the branch target injection Spectre attack on its 6th, 7th, and 8th generation Intel Core chips.

It also has new updates for its latest Core X-Series and Intel Xeon Scalable and Xeon D processors for datacenters.

‘We have now released production microcode updates to our OEM customers and partners for Kaby Lake- and Coffee Lake-based platforms, plus additional Skylake-based platforms,’ Intel vice president Navin Shenoy said on Tuesday.

The updates signal that Intel is making progress on reissuing stable microcode mitigations for the Spectre attack revealed by Google on January 3.

Intel on January 22 said it had identified the root cause of unexpected reboots on updated Broadwell and Haswell chips and advised PC makers to stop deploying its mitigations for the Variant 2 attack.

It initially said the reboots were only occurring on Broadwell and Haswell processors but later admitted its patch was also causing stability issues on Skylake and Kaby Lake chips.

Dell, HP, and Lenovo paused their respective BIOS updates while Intel worked on stable fixes. Microsoft also released an out-of-band patch to disable Intel’s fix on systems it had been installed on.

Earlier this month Intel released new microcode for several Skylake chips but didn’t disclose the status of Broadwell and Haswell chips.

It now has updated its guidance with the current status of microcode updates for various generations of chips, which now indicates that fixes for Broadwell, Haswell, Sandy Bridge and some Ivy Bridge chips have reached beta. It also has production updates available for Apollo Lake and Cherry View and Bay Trail chips.

The chip giant last week revealed it is facing 32 class action lawsuits over the Meltdown and Spectre vulnerabilities, and additional lawsuits over alleged insider trading.

Intel last week published a new whitepaper explaining how Google’s software-based fix for Variant 2 called Retpoline works. The search company found Retpoline doesn’t cause the performance overhead that Intel’s earlier mitigations did.

‘There are a number of possible mitigation techniques for the branch target injection Spectre variant 2 exploit. The Retpoline mitigation technique presented in this document is resistant to exploitation and has attractive performance properties compared to other mitigations,’ Intel notes in the paper.”

A 30TB Solid State Drive!

Wow! 30 TB on an SSD in your computer! That is like having a whole datacenter at your fingertips!

Samsung unveils world’s largest SSD with whopping 30TB of storage

The Verge – By: James Vincent – “Samsung has unveiled the world’s largest solid state drive — an unassuming-looking bit of kit that boasts a whopping 30.72 terabytes of storage. It’s the most storage ever crammed into the 2.5-inch form factor, and is designed for enterprise customers looking to move away from the mechanical parts of your standard disk-based hard drive.

The PM1643 is built from 32 sticks of 1TB NAND flash packages, each of which contains 16 layers of 512Gb V-NAND chips. That’s enough space to hold 5,700 HD movies or roughly 500 days of non-stop video, and offers twice the capacity of the former largest SSD — a 16 terabyte drive also released by Samsung back in March 2016. (Seagate has made a bigger 60 terabyte SSD, but that was in the more spacious 3.5-inch form factor, and was ‘demonstration technology’ that doesn’t seem to have ever gone on sale.)

The new Serial Attached SCSI (SAS) drive offers impressive sequential read and write speeds of up to 2,100MB/s and 1,700 MB/s. That’s about three times as fast as the average SATA SSD you’d find in a consumer desktop or laptop, like Samsung’s own SSD 850 EVO. And the drive is robust too, with Samsung offering a five-year warranty that’s good for one full drive write per day.

When exactly the PM1643 will go on sale and for how much isn’t known, but Samsung says now it’s got this form factor settled it’ll expand its range of SAS SSDs later this year, with 16.36TB, 7.68TB, 3.84TB, 1.92TB, 960GB, and 800GB versions to come. As Samsung executive VP of memory sales Jaesoo Han said in a press statement, the company will ‘continue to move aggressively in meeting the shifting demand toward SSDs over 10TB.’

Don’t expect to see 30TB SSDs turning up in laptops or desktop PCs anytime soon of course. But new biggest-ever storage components like this are always trailblazers, and create downward pressure on prices in the consumer market. Now if only we could get a terabyte’s worth of storage in our phones.”

Microsoft Edge Can Be Pwned!

Another reason I am sticking with Chrome!

Windows 10 security: Google exposes how malicious sites can exploit Microsoft Edge

ZDNet – By: Liam Tung – “Google’s Project Zero team has published details of an unfixed bypass for an important exploit-mitigation technique in Edge.

The mitigation, Arbitrary Code Guard (ACG), arrived in the Windows 10 Creators Update to help thwart web attacks that attempt to load malicious code into memory. The defense ensures that only properly signed code can be mapped into memory.

However, as Microsoft explains, Just-in-Time (JIT) compilers used in modern web browsers create a problem for ACG. JIT compilers transform JavaScript into native code, some of which is unsigned and runs in a content process.

To ensure JIT compilers work with ACG enabled, Microsoft put Edge’s JIT compiling in a separate process that runs in its own isolated sandbox. Microsoft said this move was ‘a non-trivial engineering task’.

‘The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages,’ Microsoft says.

Google’s Project Zero found an issue is created by the way the JIT process writes executable data into the content process.

Its ‘ACG bypass using UnmapViewOfFile’ allows a compromised content process to predict which address a JIT process is going to call VirtualAllocEx() next, and for the content process to ‘allocate a writable memory region on the same address JIT server is going to write and write a soon-to-be-executable payload there’.

Google reported the medium-severity issue to Microsoft in mid-November and published details of the bypass yesterday as it had passed its 90-day deadline.

Microsoft confirmed the ACG bypass in a response to Google at some point to February’s Patch Tuesday. It appeared to have been aiming to fix the issue by then but found it to be ‘more complex’ than initially thought. It’s now targeting Patch Tuesday in March for a fix.

‘The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues,’ Microsoft said.

‘The team IS positive that this will be ready to ship on March 13, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays.’”

Deals Right Now on the Echo Dot!

We have three!

Save an additional $10 when you buy two already-discounted Echo Dots right now

AndroidCentral – By: Jared Dipane – “Amazon has already had the Echo Dot priced at $40 for the past week or so, but this new deal helps drop that price even lower. Simply adding two Echo Dots to your cart (in either color) will result in an additional $10 discount, which drops them down to just $35 each.

Buying multiple Echo Dots may be smarter than you think. Odds are once you start using it to answer questions, control your smart home gear, and other tasks you will want another one for your house. You can use them to talk to each other if you wanted or to play music in multiple rooms.

I have four of these in my house already, and this deal probably just upped that to six. Don’t miss out on this great price.”

Samsung and Roku Smart TVs Vulnerable to Hackers

They are even getting into our TVs now!

Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds

By Consumer Reports – “Consumer Reports has found that millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws.

The problems affect Samsung televisions, along with models made by TCL and other brands that use the Roku TV smart-TV platform, as well as streaming devices such as the Roku Ultra.

We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn’t understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.)

The findings were part of a broad privacy and security evaluation, led by Consumer Reports, of smart TVs from top brands that also included LG, Sony, and Vizio.

The testing also found that all these TVs raised privacy concerns by collecting very detailed information on their users. Consumers can limit the data collection. But they have to give up a lot of the TVs’ functionality—and know the right buttons to click and settings to look for. (see below.)

Data Collection in the Living Room
This is the first time Consumer Reports has carried out a test based on our new Digital Standard, which was developed by CR and partner cybersecurity and privacy organizations to help set expectations for how manufacturers should handle privacy, security, and other digital rights.

The goal is to educate consumers on their privacy and security options and to influence manufacturers to take these concerns into consideration when developing their products.

‘The Digital Standard can be used to evaluate many products that collect data and connect to the internet,’ says Maria Rerecich, who oversees electronics testing at Consumer Reports. ‘But smart TVs were a natural place to start. These sets are growing in popularity, and they can transmit a remarkable amount of information about their users back to the TV manufacturers and their business partners.’

Smart TVs represent the lion’s share of new televisions. According to market research firm IHS Markit, 69 percent of all new sets shipped in North America in 2017 were internet-capable, and the percentage is set to rise in 2018. Eighty-two million of these sets have already found their way to consumers.

Internet connectivity brings a lot of appealing functionality to modern televisions—including the ability to stream content through popular apps such as Hulu and Netflix, as well as to find content quickly using voice commands.

But that functionality comes with substantial data collection. Smart TVs can identify every show you watch using a technology called automatic content recognition, or ACR, which we first reported on in 2015. That viewing information can be combined with other consumer information and used for targeted advertising, not only on your TV but also on mobile phones and computers. For instance, if you’re watching a particular sports event, you could see an online advertisement from a brand interested in reaching fans of that sport.

In 2017 Vizio got in trouble with federal and state regulators for collecting this kind of data without users’ knowledge or consent. The company settled with the Federal Trade Commission for $1.5 million and the state of New Jersey for $700,000. The FTC has now made it clear that companies need your permission before collecting viewing data—but consumers may not understand the details, says Justin Brookman, director of privacy and technology at Consumers Union, the policy and mobilization division of Consumer Reports.

‘For years, consumers have had their behavior tracked when they’re online or using their smartphones,’ Brookman says. ‘But I don’t think a lot of people expect their television to be watching what they do.’

And manufacturers are aiming to make smart TVs the centerpiece of consumers’ increasingly connected homes. Companies such as LG and Samsung have recently shown off sets with built-in digital assistants that let you control other smart-home devices ranging from thermostats to security cameras to washing machines to smart speakers.

In a recent Consumer Reports subscriber survey of 38,000 smart-TV owners, 51 percent were at least somewhat worried about the privacy implications of smart TVs and 62 percent were at least somewhat worried about the sets’ security practices.

What We Tested
We purchased five smart TVs from the most widely sold TV brands in the U.S. As we do for all products involved in CR’s testing program, we bought our samples through regular retail outlets.

Each set we bought used a different smart-TV platform.

Two of these were proprietary platforms. The Samsung UN49MU8000 incorporates the company’s Tizen system, and the LG 49UJ7700 uses LG’s webOS system.

The other sets make use of smart-TV platforms that are incorporated into multiple brands. The TCL 55P605 uses the Roku platform, which is also found in Hisense, Insignia, and other brands.

The Sony XBR-49X800E uses a version of Google’s Android TV, a platform also found in sets from LeEco and Sharp. And the Vizio P55-E1 SmartCast TV we tested uses Chromecast, another Google platform.

We didn’t incorporate our privacy and security findings into the Consumer Reports ratings of these televisions, and all these sets except the TCL are recommended models. But Consumer Reports is planning to include privacy and security test results in a number of products’ Overall Scores in the future.

For our security assessment we worked with engineers at Disconnect, which makes privacy-enhancing software for consumers and is one of CR’s partners in developing the Digital Standard. We conducted our privacy investigation in collaboration with both Disconnect and Ranking Digital Rights, another of our Digital Standard partners. (Like most websites, ConsumerReports.org collects user data. You can get the details on our privacy policy and our approach to privacy, including our policy positions, here.)

What We Found: Security
Our security testing focused on whether basic security practices were being followed in the design of each television’s software. ‘We were just looking for good security practices,’ Rerecich says. ‘Encryption of personal or sensitive data, protection from common vulnerabilities, that sort of thing.’

We discovered flaws in sets from TCL and Samsung.

They allowed researchers to pump the volume from a whisper to blaring levels, rapidly cycle through channels, open disturbing YouTube content, or kick the TV off the WiFi network.

The exploits didn’t let us extract information from the sets or monitor what was playing. The process was crude, like someone using a remote control with their eyes closed. But to a television viewer who didn’t know what was happening, it might feel creepy, as though an intruder were lurking nearby or spying on you through the set.

The TCL vulnerability applies to devices running the Roku TV platform—including sets from other companies such as Hisense, Hitachi, Insignia, Philips, RCA, and Sharp—as well as some of Roku’s own streaming media players, such as the Ultra.

The problem we found involved the application programming interface, or API, the program that lets developers make their own products work with the Roku platform. ‘Roku devices have a totally unsecured remote control API enabled by default,’ says Eason Goodale, Disconnect’s lead engineer. ‘This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.’

And, it turned out we weren’t the first to notice this: The unsecured API had been discussed in online programming forums since 2015.

To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded.

TCL referred us to Roku for questions about data collection and this vulnerability. A Roku spokeswoman said via email, ‘There is no security risk to our customers’ accounts or the Roku platform with the use of this API,’ and pointed out that the External Control feature can be turned off in the settings. However, this will also disable control of the device through Roku’s own app.

The Samsung vulnerability was harder to spot, and it could be exploited only if the user had previously employed a remote control app on a mobile device that works with the TV, and then opened the malicious webpage using that device. ‘Samsung smart TVs attempt to ensure that only authorized applications can control the television,’ Goodale of Disconnect says. ‘Unfortunately, the mechanism they use to ensure that applications have previously been authorized is flawed. It’s as though once you unlocked your door, the door would never lock again.’

In an emailed statement, Samsung said, ‘We appreciate Consumer Reports’ alerting us to their potential concern,’ and that the company was still evaluating the issue. The company also said it would update the API to address other, less severe problems related to data security that CR uncovered. Those changes ‘will be in a 2018 update, [with timing] to be determined, but as soon as technically feasible,’ the spokesman said.

What We Found: Privacy
Every smart TV we evaluated asked for permission to collect viewing data and other kinds of information.

But we found that it’s not always easy to understand what you’re agreeing to as you proceed through the setup process. And if you decline permissions, you can lose a surprising amount of functionality. In fact, one TV requires that you accept a broad privacy policy during setup before you can use the most basic, internet-free functions, such as watching TV using an antenna.

Here are some of the key findings.

Oversharing by design. Race through your TV’s setup, agreeing to everything, and a constant stream of viewing data will be collected through automatic content recognition. The technology identifies every show you play on the TV—including cable, over-the-air broadcasts, streaming services, and even DVDs and Blu-ray discs—and sends the data to the TV maker or one of its business partners, or both.

ACR helps the TV recommend other shows you might want to watch. But it’s also used for targeting ads to you and your family, and for other marketing purposes. And you can’t easily review or delete this data later.

Your data or your internet. You can limit data collection, but you’ll lose functionality. Specifically, if you pay close attention, you can turn off ACR monitoring while still agreeing to a set’s basic privacy policy. But that may keep you from getting recommendations (‘You liked ‘Westworld.’ Have you checked out ‘Godless’?’) And even the basic privacy policies may ask for the right to collect information on your location, which streaming apps you click on, and more.

If you say no to these basic policies, the sets revert to old-fashioned dumb TVs: You can hook up a cable box or an antenna, but you won’t be able to stream anything from Amazon, Netflix, or other web-based services.

All-or-nothing privacy policy. The Sony television was the only one that required you to agree to a privacy policy and terms of service to complete the setup of the TV.

The set uses Google’s Android TV platform, and consumers have to click yes to Google agreements, even if they don’t plan to connect to the internet. That could be a frustrating thing to discover only after you’d bought the big-screen TV at the store, lugged it home, and maybe mounted it to a wall. Even though you can’t skip the Google privacy policy, you can say no to the user agreements from Sony itself and from Samba TV, a provider of ACR technology.

And, Sony said in an emailed statement, ‘If a customer has any concerns about sharing information with Google/Android [they] need not connect their smart TV to the Internet or to Android servers to use the device as a television, for example, using cable or over-the-air broadcast signals.’

What Consumers Can Do
You could just buy an old-fashioned ‘dumb’ TV, without built-in streaming capabilities, but these are becoming harder to find. Of the nearly 200 midsized and large sets in Consumer Reports’ ratings, only 16 aren’t smart TVs. And those are 2017 models—in 2018 we expect to see even fewer internet-free televisions.

If you do buy a new smart TV, decide whether you want to block the collection of viewing data. If so, pay close attention during setup. There, you can agree to the basic privacy policy and terms of service—which still triggers a significant amount of data collection—while declining ACR.

And, if you already have a smart TV but would like to restrict data collection, you can do the following:

Reset the TV to factory settings. Then, as you go through the setup process, say yes to the most basic privacy policies and terms of service but don’t agree to the collection of viewing data.

Turn off ACR using the settings. These settings are typically buried three or four menus deep—but we’ve compiled directions for you. ‘And,’ Brookman says, ‘if you can’t figure it out, call customer support and make them walk you through it.’ That will have the added benefit of letting companies know that you care about your privacy.

Turn off the TV’s WiFi connection. Do this, though, and you essentially don’t have a smart TV anymore. You’ll need to add a separate streaming media device to get web-based content. And, you won’t be surprised to hear, those devices may have their own expansive data collection practices.

Editor’s Note: An earlier version of this story incorrectly stated that Vizio settled a case about consumer viewing data with the FTC for $1.5 million and the state of New Jersey for $2.2 million. The settlement with New Jersey was for $700,000.”

Tablet Sales Continue to Decline

Folks are using phones more, tablets less. Apple is still number one in tablets, but Amazon has now taken second place in tablet sales over Samsung.

IDC: Tablet shipments decline for 13th straight quarter, Amazon overtakes Samsung for second place

VentureBeat – By: Emil Protalinski – “The tablet market has now declined year-over-year for 13 quarters straight. Q4 2017 saw a 7.9 percent year-over-year decline: 49.6 million units shipped worldwide, compared to 53.8 million units in the same quarter last year. The only silver lining is that declines for 2017 haven’t been in the double-digits, like they were in 2016.

The estimates come from IDC, which counts both slate form factors and detachables, meaning tablets with keyboards included. Apple maintained its top spot for the quarter, but Amazon for the first time managed to surpass Samsung for second place. The top five vendors accounted for 69.6 percent of the market, up from 61.3 percent last year.

Apple’s shipment numbers were basically flat, but because the overall tablet market declined, the company’s market share grew again (up 2.3 percentage points) after two quarters of growth (and following a 13-quarter losing streak). The company was able to maintain its lead thanks to its lower-priced iPad and refreshed iPad Pro.

Amazon shipped 2.5 million more tablets, gaining a massive 6.0 percentage points. The holiday quarter is typically the company’s strongest, but this year was a standout as the company managed to steal second from Samsung. IDC explains this was possible thanks to steep discounts as well as the fact Alexa is available on Amazon’s latest tablets.

Samsung shipped 1.0 million fewer tablets than in the quarter a year ago and ended up losing 0.8 percentage points. Detachable tablets accounted for a growing number of devices in its portfolio, but those gains were outweighed by the declines among its slate models, according to IDC. Its lower-cost Tab A and E series will be a challenge to replace as vendors promise better value and the market shifts to detachable devices.

Amazon wasn’t the only one who managed to move up in the tablet market. Huawei overtook Lenovo for fourth place (yeah, those are typos in the table above and below). Huawei gained 1.2 percentage points while Lenovo fell 0.4 points as they both still shared about 3 million units each.

For the full year, the same players were in the top five.

This isn’t a huge surprise given that the same tablet trends ran throughout 2017. Namely, the replacement cycle for tablets is still closer to that of traditional PCs than smartphones, and detachable tablets is the only category seeing growth, which is good news for both Apple and Microsoft.

‘To date, much of the trajectory of the detachable market has been attributed to Microsoft and Apple pushing their wares in the U.S.,’ IDC research analyst Jitesh Ubrani said in a statement. ‘However, continued success of this category hinges on the willingness of other PC vendors to participate and more importantly, consumers from other countries to adopt the new form factor over convertible PCs.’”

Nvidia Will Concentrate on Gamers

I imagine that they will still sell to crypto-miners, though!

Nvidia Will Focus on Gaming Because Cryptocurrencies Are ‘Volatile’

SlashDot – “Graphics card manufacturer Nvidia made almost $10 billion dollars in the last fiscal year, that’s up 41 percent from the previous period. The GPU company broke the news to its investors in a conference call on Thursday, and said that video games such as Star Wars: Battlefront II and Playerunknown’s Battlegrounds as well as the unprecedented success of the Nintendo Switch led to the record profits. That and cryptocurrency. From a report:

Graphics cards are the preferred engine of today’s cryptocurrency miners. It’s led to a shortage of the GPUs, a spike in their prices, and record profits for the company that manufactures them. ‘Strong demand in the cryptocurrency market exceeded our expectations,’ Nvidia chief financial officer Colette Kress told investors during its earnings call yesterday. ‘We met some of this demand with a dedicated board in our OEM business and some was met with our gaming GPUs.’ But Nvidia is having trouble keeping up with the demand and it’s recommended retailers put gamers ahead of cryptocurrency miners while supply is limited. Kress acknowledged the shortage on the call and reaffirmed Nvidia’s commitment to gamers. ‘While the overall contribution of cryptocurrency to our business remains hard to quantify, we believe it was a higher percentage of revenue than the prior quarter,’ she said. ‘That said, our main focus remains on our core gaming market as cryptocurrency trends will likely remain volatile.’ When Kress finished her statement and opened up the line to questions, the first question was about cryptocurrency. ‘Is crypto being modeled more conservatively?’ An investor from Evercore asked. ‘We model crypto approximately flat,’ said Jensen Huang, Nvidia’s chief executive officer.”
