
Universal Dreams

1 Comment and 11 Shares
"That's ... unsettling." "Yeah, those definitely don't sound like the normal drea– LATITUDE THREE FIVE POINT..."
rtreborb
22 hours ago
popular
2 days ago
1 public comment
rjstegbauer
4 days ago
I've had the flying dream and exam dream, but not the undiscovered room dream. What's that about?
DrGaellon
4 days ago
Fear of things missed or forgotten
MaryEllenCG
4 days ago
Never had a flying dream or an undiscovered room dream, but I do have recurring dreams about my teeth all falling out.
HarlandCorbin
4 days ago
Used to have the falling dream. Would always wake with a jump when I hit the ground, but I did remember hitting the ground.
rjstegbauer
4 days ago
Why would many people have these common dreams?
duerig
2 days ago
The worst one is the 'dreaming that you woke up, went through your morning routine or did some unpleasant chore' dream. Because inevitably you wake up and realize that you have to do all those things all over again.
MaryEllenCG
2 days ago
Yeah!! I hate those dreams.

Spectre and Meltdown Attacks Against Microprocessors

1 Comment

The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution -- which of course is not a solution -- is to throw them all away and buy new ones.

On Wednesday, researchers just announced a series of major security vulnerabilities in the microprocessors at the heart of the world's computers for the past 15-20 years. They've been named Spectre and Meltdown, and they have to do with manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets elsewhere on the computer. (The research papers are here and here.)

This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer -- maybe one running in a browser window from that sketchy site you're visiting, or as a result of a phishing attack -- can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Someone can run a process in the cloud and steal data from every other user on the same hardware.

Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling. By now all the major cloud vendors have patched their systems against the vulnerabilities that can be patched against.

"Throw it away and buy a new one" is ridiculous security advice, but it's what US-CERT recommends. It is also unworkable. The problem is that there isn't anything to buy that isn't vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years. (Here's a running list of who's patched what.)

This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There aren't security teams on call to write patches, and there often aren't mechanisms to push patches onto the devices. We're already seeing this with home routers, digital video recorders, and webcams. The vulnerability that allowed them to be taken over by the Mirai botnet last August simply can't be fixed.

The second is that some of the patches require updating the computer's firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong. It also requires more coordination. In November, Intel released a firmware update to fix a vulnerability in its Management Engine (ME): another flaw in its microprocessors. But it couldn't get that update directly to users; it had to work with the individual hardware companies, and some of them just weren't capable of getting the update to their customers.

We're already seeing this. Some patches require users to disable the computer's password, which means organizations can't automate the patch. Some antivirus software blocks the patch, or -- worse -- crashes the computer. This results in a three-step process: patch your antivirus software, patch your operating system, and then patch the computer's firmware.

The final reason is the nature of these vulnerabilities themselves. These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.

It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren't thinking about security. They didn't have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors. Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

This isn't to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don't click on strange e-mail attachments, don't visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.

You probably won't notice that performance hit once Meltdown is patched, except maybe in backup programs and networking applications. Embedded systems that do only one task, like your programmable thermostat or the computer in your refrigerator, are unaffected. Small microprocessors that don't do all of the vulnerable fancy performance tricks are unaffected. Browsers will figure out how to mitigate this in software. Overall, the security of the average Internet-of-Things device is so bad that this attack is in the noise compared to the previously known risks.

It's a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they'll figure out some clever way of detecting and blocking the attacks. All in all, as bad as Spectre and Meltdown are, I think we got lucky.

But more are coming, and they'll be worse. 2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride.


Note: A shorter version of this essay previously appeared on CNN.com. My previous blog post on this topic contains additional links.

rtreborb
9 days ago
Good summary

Why Didn’t Twitter Delete the Anti-Muslim Tweets Promoted by Trump?

3 Comments and 4 Shares

Ivana Kottasová, reporting for CNN:

The anti-Muslim videos were first posted by Jayda Fransen, deputy leader of the far-right party Britain First. They depict violent assaults and the destruction of a statue of the Virgin Mary.

They also appear to violate the terms of use published by Twitter. It warns users: “You may not promote violence against, threaten, or harass other people on the basis of race, ethnicity, national origin, sexual orientation, gender, gender identity, religious affiliation, age, disability, or serious disease.”

Asked why the original tweets have not been deleted, a Twitter spokesperson said:

“To help ensure people have an opportunity to see every side of an issue, there may be the rare occasion when we allow controversial content or behavior which may otherwise violate our rules to remain on our service because we believe there is a legitimate public interest in its availability.”

Translation from PR Weasel-ese to English: Twitter is afraid of pissing off Trump.

rtreborb
46 days ago
Translation: it drives revenue
2 public comments
petrilli
49 days ago
I wish Twitter would be more honest about the fact that what keeps it from deleting Trump's account is the (very real) fear that the sociopathic narcissist in chief would use his cadre of incompetent criminals and hangers-on to persecute Twitter constantly and likely would bankrupt the company.

Be honest.
Arlington, VA
martinbaum
52 days ago
Maybe, but more like Twitter is still relevant because Trump's the best traffic driver their platform has ever had.

Fascinating. (via azula)

2 Shares


rtreborb
64 days ago
minderella
67 days ago

★ Twitter’s 280-Character Own Goal

3 Comments and 4 Shares

J.K. Rowling, on Twitter raising the per-tweet character limit to 280:

Twitter’s destroyed its USP. The whole point, for me, was how inventive people could be within that concise framework.

USP is “unique selling proposition”. By doubling the character limit, Twitter has eliminated what made them unique. Yes, there were many trade-offs with the 140-character limit, both pros and cons. But one of the pros is it made Twitter unique. Twitter timelines now look more like Facebook — but Facebook is already there for Facebook-like timelines. Twitter trying to be more like Facebook is like basketball trying to be more like football — a bad idea that won’t work.

Stephen King was more succinct:

280 characters? Fuck that.

Andy Ihnatko:

I like the word-Tetris of making a complete thought fit in a 140-character box.

John Dingell, 91-year-old retired Congressman from Michigan (who is truly excellent at Twitter):

99% of you people don’t even deserve 140 characters.

It’s no surprise that writers, in particular, object to this change. I agree with Ihnatko — the 140-character limit made it a challenge. Fitting certain complex thoughts into a mere 140 characters sometimes felt like solving a small challenge, like one of The New York Times’s tiny little 5 × 5 crossword puzzles.

But perhaps the best commentary comes from William Shakespeare:

Brevity is the soul of wit.

Given 280 characters, people are going to use them, even to express thoughts that could have fit in 140. Given unlimited characters, such as in email, people ramble aimlessly.

That’s why email feels like a dreary chore, and Twitter feels like fun. The fewer tweets that fit in a single screen at a time, the less fun Twitter feels. I’m sure Twitter considered this change carefully, but I’m convinced they’ve made a terrible mistake.

rtreborb
71 days ago
Sharing for the newly-discovered awesomeness of John Dingell

Logitech Will Brick Its Harmony Link Hub for All Owners in March

3 Comments

Chris Welch, reporting for The Verge:

Logitech has announced that it’s shutting down all services for the Harmony Link hub, a plastic puck the company released in 2011 that gave smartphones and tablets the ability to act as universal remotes for thousands of devices.

Owners of the product have received an email from the company warning that the Link will completely stop working in March. “On March 16th, 2018, Logitech will discontinue service and support for Harmony Link. Your Harmony Link will no longer function after this date,” the email says. There’s no explanation or reason given as to why service is ending in the email, but a Logitech employee provided more details on the company’s forums. “There is a technology certificate license that will expire next March. The certificate will not be renewed as we are focusing resources on our current app-based remote, the Harmony Hub.”

This sucks, but it seems like the way of the future with cloud-backed products. In the old days, products stopped working when they broke. Now, they stop working when the company that sold them loses interest in continuing to support them. It feels spiteful. More than ever, it matters how much you trust the company from which you buy stuff.

rtreborb
71 days ago
Makes no sense. Renewing a certificate can be done in under an hour and costs under $1000
2 public comments
sulrich
74 days ago
if you're not thinking about the longevity and viability of the IOT vendor you're buying crap from then you're crazy.

it's the 80s all over again with everyone wondering which ones will be around as long as the lifecycle of their widget.
martinbaum
74 days ago
This is going to force a lot of people to think long and hard about ecosystems with staying power when they purchase devices and will lead to more lock-in than ever. While that's certainly good for Apple and Google, it's not good for the rest of the tech world.