Richard Chirgwin


AMD virty encryption not quite there, claim boffins

Updated A couple of German boffins have taken a good look at AMD's Secure Encrypted Virtualization (SEV), and don't like what they see. As AMD's Brijesh Singh explained to the Linux driver project mailing list in April, SEV extends the AMD-V architecture when multiple VMs are running under a hypervisor: “SEV hardware tags all code and …

Patience is SpaceX's latest virtue

SpaceX has delayed its planned December launch until January 2017. Its brief statement is given as an “anomaly update” – an addendum to the rolling blog about investigations into its impressively-large explosion on September 1. That event has since been attributed to how helium was handled during fuelling. The explosion …

Santa says you've been nice kids: OpenVPN to get security audit

Johns Hopkins University crypto professor Dr Matthew Green is to lead a security audit of OpenVPN 2.4. The open source VPN project, published at GitHub, has been compiled for everything from Solaris to Windows, passing various Linux and BSD distributions along the way (including OSX); Windows and Android (and jailbroken iOSs …

Oz gummint's 'open government' strategy arrives at last

A couple of days after being warned it was dragging its feet on open government strategies, the Federal Government has released its Open Government National Action Plan. A couple of days ago, the government had its attention sharpened by a warning that it would get kicked out of the OGP process if it didn't get cracking (from …

Uber is watching your smartphone's battery charge

Browser authors are abandoning the invasive Battery API W3C specification, but not everybody's got the memo: Uber, for example, still watches battery status. The not-an-employer, not-a-taxi-company's app checks battery status and remaining battery, with the explanation that the feature is used for fraud detection. The …

Brocade ships switches but makes most noise about DevOps

There's a few shiny boxes in the announcement, but Broadcom-bound Brocade hopes punters will find its automation software and DevOps story even more sparkly than its new kit. Alongside three additions to its SLX switch line – the 9140, 9240, and 9540 – the company's announced an automation suite called the Brocade Workflow …

Big Switch takes big bet it can beat off big denial of service attacks

Big Switch Networks is taking aim at the kinds of IoT-based attacks that have rocked the Internet this year. Headlining its BigSecure Architecture release today is a service chaining solution the company's chief product officer Prashant Gandhi told Vulture South can scale up to deflect a terabit-scale attack in about ten …

Android, Qualcomm move on insecure GPS almanac downloads

Nearly a decade after it introduced assisted-GPS in its mobile chipsets, Qualcomm has squished a bug that allowed miscreants to mess around with people's location services, or crash their phones. In 2007, Qualcomm made GPS signal acquisition faster by using an almanac of satellites. Instead of having to acquire signals blindly …

Open source Roundcube webmail can be attacked ... by sending it an e-mail

The developers of open source webmail package Roundcube want sysadmins to push in a patch, because a bug in versions prior to 1.2.3 let an attacker crash it remotely – by sending what looks like valid e-mail data. The authors overlooked sanitising the fifth argument (the _from parameter) in mail() – and that meant someone only …

In the three years since IETF said pervasive monitoring is an attack, what's changed?

Feature After three years of work on making the Internet more secure, the Internet Engineering Task Force (IETF) still faces bottlenecks: ordinary people's perception of risk, sysadmins worried about how to manage encrypted networks, and – more even than state snooping – an advertising-heavy 'net business model that relies on collecting …

Software can be more secure, says NIST, and we think we know how

The National Institute of Standards and Technology (NIST) has completed its long-running research into cutting software vulnerabilities and dropped the big envelope into the White House letterbox. NISTIR 8151, Dramatically Reducing Software Vulnerabilities, first landed as a draft in July, and the final version dropped last …

Arista CloudVision Portal bug revealed, plus evidence it's been used

Arista customers: if you're running a version of CloudVision Portal (CVP) older than 2016.1.2.1, get an update or risk getting p0wned. According to the company's terse security advisory, "This vulnerability allows a potential attacker with access to the management plane to gain access to the internal configuration mechanisms …

1.4bn records from HaveIBeenPwned offered for your analytical pleasure

Security researcher Troy Hunt had better hope his anonymisation works: he's decided to offer up most of his “HaveIBeenPwned” data set for other security researchers to analyse. He's deduped his nearly two-billion record dataset – there's a lot of pwnage in the world, people – down to a domain-based 135-megabyte text file that …

Beardy Branson's space bird spreads its wings

For the first time in more than two years, a Virgin Galactic SpaceShipTwo has been unclipped from its carrier. The VSS Unity glided for 10 minutes under its own control, after being released from WhiteKnightTwo, after a previous four “captive carry” test flights. Virgin Galactic says the Saturday flight over the Mojave desert …

IoT camera crew Titathink tells Reg it'll patch GET bug in a week

Titathink has become the second vendor to respond to the modified firmware that exposed a variety of surveillance cameras to a malicious URL attack. As we wrote last week, a security pro called Slipstream looked long and hard at the cameras' firmware, and found a URL that carried a parameter called “basic” would be copied to a …

NASA wants more satellite surveillance. For science. Promise

NASA and the US Geological Survey (USGS) are moving to plug the looming gap in its Earth-observation capability by accelerating the Landsat-9 mission by three years. The decision was revealed last week at the Landsat 9 Ground System Requirements Review (GSRR) in Sioux Falls, South Dakota, at which a NASA/USGS review panel …

Google proudly regards dented shovel as Flash lies supine on the floor

Google's long-promised farewell-to-Flash took another step last week, with the Chocolate Factory announcing it's off-by-default for most users, in most cases. From Chrome 55, Google's browser will check sites to see if they support HTML5. If so, Chrome will run the auto-play video ad proceed to play video; if not, the user …

Whiffy kitchen after last night's chips? Clear the air with SPACE PLASMA

Fifteen years of plasma experiments on the International Space Station (ISS) could let people enjoy the lusciously unhealthy taste of deep-fried potato chips, without having to smell them first. [What's wrong with you? Why would you want to eat chips without the thrill of anticipation first?] The work being done by German …

PC sales outlook improves: Now terrifying instead of catastrophic

There's no sunrise in sight yet, only a slightly paler night: IDC reckons a lame uptick in convertibles and slim laptops will slow the PC market's collapse. Convertible and slim, sorry, “ultra slim” laptops will make up 63 per cent of notebook shipments by 2020, IDC reckons (by that time, Vulture South wonders, how many new …

UCam247 tells El Reg most of its cams aren't vulnerable to GET vuln

IoT security camera vendor UCam247 has contacted The Register to say most devices in the wild aren't vulnerable to the “single URL pwnage” vulnerability. Yesterday, we reported that more than 30 cameras from seven vendors had shipped with a modified GoAhead Web server. Among other things, the modification introduced a simple- …

Google's Project Zero tweaking Microsoft, because it did fix a bug

For once, a Google Project Zero bug report to Microsoft has resulted in a fix without a public spat. Indeed, this fix happened without any public announcement at all. Back in 2014, Project Zero's James Forshaw told Redmond he'd found a Windows Kernel Object Manager bug that permitted a “limited bypass of traverse permissions …

NSW government innovates, with visa workers taking over IT roles

The New South Wales (NSW) Public Service Association has hit the ceiling about the Australian state's decision to hire IT staff from overseas for the outsourcing of its ServiceFirst shared service operation. Last year, ServiceFirst was contracted out to Unisys and Infosys. The PSA says 32 overseas staff had been deployed in …

Bare metal switches racked up a whole $23m of sales in H1 2016

Bare metal switches are mostly still in lab deployments, it seems: according to analyst IHS Markit, sales of branded bare metal switches hit US$23m. For perspective, a giant like Cisco turns over close to $8bn in switch revenue in a half-year. IHS Markit put the first half of 2016 as worth about 125 per cent more than for the …

Microsoft adds SDN automation to System Center's Virty Manager

Microsoft's J.C. Hornbeck has valiantly tried to announce VMM SDN Express for Microsoft System Center VMM: a bundle of automation scripts covering SDN stack deployment; setup inputs; and a dummy parameters file. More accurately, perhaps, Microsoft has nearly added software-defined networking (SDN) automation to its System …

GET pwned: Web CCTV cams can be hijacked by single HTTP request

An insecure web server embedded in more than 35 models of internet-connected CCTV cameras leaves devices wide open to hijacking, it is claimed. The gadgets can be commandeered from the other side of the world with a single HTTP GET request before any password authentication checks take place, we're told. If your camera is one …