Richard Chirgwin

Xen fixes guest privilege escape and plenty more

Xen admins, get busy: the open source hypervisor's issued fixes for bugs that range from data corruption and leakage up to privilege escalation. Let's start with CVE-2017-12137, which could let a paravirtualized (PV) guest escalate to host privilege. It's down to a mistake in memory allocation when a PV guest is launched. …

Batteries that don't burn at the drop of a Galaxy Note 7? We're listening

Sydney University boffins reckon they've got a handle on how to stop batteries catching fire: quit using lithium ions. Apart from being the cheapest current technology with enough energy density to power your flaming hot Galaxy Note 7, fidget spinner, or laptop, Li-ion batteries' other notable characteristic is volatility. …

Love cloudy HPC? Microsoft does, slurps Cycle Computing

Cycle Computing, a twelve-year-old company which has carved out a niche spinning up big-iron-like CPU collections on public clouds, has been acquired for an undisclosed sum by Microsoft. The company first came to our attention in 2011, showing off software that let it spin up 10,000 cores on Amazon's EC2 service, claiming a …

Russian malware scum post new rent-an-exploit

WebEx on Firefox is among the targets of a new exploit kit that's started circulating on Russian nastyware exchanges. The Disdain-based exploit kit is described here by security services outfit IntSights, which says the exploit kit is offered by someone using the handle "Cehceny". David Montenegro (@CryptoInsane) says Disdain …

Intel CEO Krzanich quits Trump's Manufacturing Council over response to Charlottesville rallies

Three big-name CEOs have put some space between themselves and the US President: today they resigned from the American Manufacturing Council, President Donald Trump's panel of advisors formed to create more manufacturing jobs in the United States by bringing together titans of industry to share their experience. On Monday …

Photon scattering puts a shine on CERN ATLAS boffins' day

Large Hadron Collider boffins in charge of the ATLAS experiment reckon they've seen photons interacting at the quantum level for the first time. This isn't something that happens at everyday energies: if, for example, you shine two beams through each other in a dark room, you'll see two spots on the wall. However, direct …

Australian Bureau of Statistics flip-flops over marriage equality survey

The Australian Bureau of Statistics is being set up for another hot privacy debate. The Bureau (ABS) has been engaged to run Australia's national postal plebiscite on whether or not to adopt same-sex marriage. The job fell into the ABS' lap because the plebiscite has been styled as a "survey", a data-seeking instrument the …

Australia's metadata retention scheme costs telcos $500k per cuffing

The Australian Government's telecommunications data retention scheme is racking up the bills for carriers, but government funding has fallen short of the industry's costs. That's one of the conclusions of the first [PDF] telecommunications interception report since the scheme began, tabled in Federal Parliament yesterday. …

Old Firefox add-ons get 'dead man walking' call

The end of legacy Firefox plugins is drawing closer, with Mozilla's Jorge Villalobos saying they'll be disabled in an upcoming nightly build of the browser's 57th edition. While he didn't specify just how soon the dread date will arrive, Villalobos writes: “There should be no expectation of legacy add-on support on this or …

Sneaky devs could abuse shared libraries to slurp smartphone data

Oxford researchers reckon they've spotted the next emerging trend in Android advertising (and possibly malware): using common libraries to “collude” between apps with different privilege levels. Libraries are a common enough vector for attackers to target, but the trio of boffins (Vincent Taylor, Alastair Beresford and Ivan …

Ancient IETF 'teapot' gag preserved for posterity as a standard

The august and serious folk at the IETF have always had a soft spot for their April Fool's jokes, and so do others – so much so that a proposal to deprecate a joke has met with successful resistance. From what feels like the Internet Dark Ages of the 1990s came the Hyper Text Coffee Pot Control Protocol, a joking anticipation of …

Leaky PostgreSQL passwords plugged

PostgreSQL has released three security patches for versions 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22. In CVE-2017-7547, a remote attacker can retrieve others' passwords because of a user mapping bug. The authorisation oopsie derives from the database's handling of pg_user_mappings, allowing an authenticated remote attacker …

Top repo managers clone, then close, a nasty SSH vector

Users of the world's most popular software version control systems can be attacked when cloning a repository over SSH. When first announced by Recurity Labs' Joern Schneeweisz, the vulnerability was attributed to Git, Mercurial and Subversion; and over the weekend, Hank Leininger of Korelogic told the OSS-Sec list the issue …

Wait. What? The IBM cloud's APIs use insecure TLS1 crypto?

An email has gone out from IBM about its Bluemix cloud: after next Tuesday, the SoftLayer APIs will no longer accept connections encrypted with the ancient TLS 1.0. It's not quite a surprise that the 1990s-era protocol was still accepted: a great many services are still midway through their deprecation plans. To give just one …

Sun's core in a real spin, but you wouldn't know just by looking at it

Our Sun's core is rotating four times faster than its surface. That's the conclusion boffins have reached after peering at data from the joint NASA-ESA SOHO (Solar and Heliospheric Observatory) mission, first launched in 1995 and still turning in the science. What SOHO found is something solar scientists have been trying to …

Another slice of Brocade carved off: Mavenir buys packet core business

Pretty much the last bits of Brocade have been sold, with the news that Mavenir Systems has slurped the networking company's virtual Evolved Packet Core (vEPC) product range, intellectual property, and development lab. As well as picking up Brocade's Mumbai R&D facility, the buyer says it's going to retain key Brocade staff in …

Brisbane and TechnologyOne swap demands for AU$50 mn

TechnologyOne and the Brisbane City Council could settle their differences for nothing, but that's probably not going to happen. Last week, the council terminated the troubled contract, and in doing so fired a claim for more than AU$50 million at the system supplier. TechnologyOne has, for its part, sent the council a bill …

It’s 2017 and Hayes AT modem commands can hack luxury cars

Updated A bunch of mid-age Ford, Infiniti, Nissan and BMW vehicles are carrying around a vulnerable chipset from Infineon that America's ICS-CERT reckons is easy to exploit. The BMWs went on sale between 2009 and 2010, the affected Infiniti models were built between 2013 and 2015 and there's a chance Nissan Leafs manufactured between …

Dirty carbon nanotubes offer telcos chance at secure quantum comms

Single-photon emitters aren't a new thing in physics labs, but they usually require liquid-helium-chilled freezers. America's Los Alamos National Laboratories (LANL) reckons it's cracked a difficult double: a telecom-frequency single photon emitter that works at room temperature. This has potential because the two key …

McAfee online scan used plain old HTTP to fetch screen elements

McAfee has moved to patch a bug that falls under the “didn’t you get the memo?” category: among other things, its free Security Scan Plus online tool retrieved information over HTTP – that is, in plain text. The potential man-in-the-middle vector exists not in the operation of the free online scan, but in the house ads and UI …

Game of Pwns: Hackers invade HBO, 'leak Game of Thrones script'

HBO is the latest entertainment giant to have its precious content stolen and leaked by hackers, including program episodes and possibly Game of Thrones scripts. The security breach reportedly includes the script or a script treatment for next week's Game of Thrones episode, meaning fans will be disappointed to realize it's …

Scary news: Asteroid may pass Earth by just 6,880km in October

NASA's preparing another round of asteroid defence tests, thanks to the October fly-by of a rock that may come within a cosmic whisker of the Earth. Asteroid 2012 TC4 is said rock, and is between ten and thirty metres across. NASA says it is "certain it will come no closer than 4,200 miles (6,800 kilometers) from the surface of …

Boffins grudgingly admit they may have found an exomoon

After Twitter leaks, a trio of exoplanet-hunters have decided to go public with observations they reckoned weren't quite up to broadcast quality but which are rather significant: the first possible detection of a moon orbiting an exoplanet. It's hard enough to reliably spot exoplanets given that we do so by observing tiny …

Facebook COO Sheryl Sandberg: Crypto ban won't help trap terrorists

Facebook's chief operating officer Sheryl Sandberg has reiterated the social network's position that weakening the encryption of messaging apps isn't going to give governments what they want. Governments and law enforcement agencies are increasingly going public with their frustration that encryption prevents them accessing …

Microsoft won't patch SMB flaw that only an idiot would expose

Updated A Windows SMB vulnerability revealed late last week at DEF CON won't be patched because Microsoft says the service should be firewalled off from the internet anyway. The 20-year-old bug is in at least Windows 2000 to Windows 10. It was discovered by RiskSense bods, who combed Redmond's file server code for flaws similar to the …

Biting the hand that feeds IT © 1998–2017