Richard Chirgwin


Carnegie-Mellon Uni emits 'don't be stupid' list for C++ developers

Carnegie-Mellon University's Software Engineering Institute has followed up its secure C programming rules from last year with a similar set of standards for C++. In the institute's announcement on Wednesday, it says it has put ten years into researching secure coding. The resulting SEI CERT C++ Coding Standard has 83 rules …

Fake mobile base stations spreading malware in China

Chinese phishing scum are deploying fake mobile base stations to spread malware in text messages that might otherwise get caught by carriers. The Android scumware being spread isn’t new to China: known as the “Swearing Trojan” because of profanities in code comments, its authors are already under arrest. But the fake base …

TRAPPIST-1's planets are quiet. Quiet as the grave, in fact

Boiled dry or extra-terrestrial snowballs, it turns out that the multiple exoplanets orbiting the star dubbed TRAPPIST-1 are almost certainly inhospitable to life. NASA's original announcement held three of the seven planets in the system could be within a habitable zone, but alas there's a killjoy. Enter Eric Wolf, of the …

Ubuntu splats TITSUP bug spread in update

A simple library update turned into a white-knuckle ride for Ubuntu sysadmins, who have lit up Reddit and StackOverflow to complain that their 'net connections went TITSUP (Total Inability To Support Usual Performance). The guilty code is an upgrade to libc6 which broke the getaddrinfo() function in Ubuntu's DNS resolver code …

Juniper emits heavy duty photonic interconnect with a cloudy tinge

In January 2016, Juniper Networks swallowed BTI Systems with the aim of bringing software defined network approaches to the optical sphere. One of the fruits of that acquisition has now landed, with the company announcing its Open Cloud Interconnect. Juniper says the new OCI is aimed at inter-data centre connections, with high …

Nokia blasts 250 Gbps across Atlantic in optical test for Facebook

Nokia has lit up a trans-Atlantic fibre for Facebook, in a field trial that showed off 200 Gbps and 250 Gbps wavelengths on a 5,500 km link. According to Nokia, applying a technique from Bell Labs called probabilistic constellation shaping (PCS) yielded a 2.5x increase in the rated capacity of the New York-Ireland cable used …

Mac OS IM tool Adium lagging on library security vulnerability

A developer is warning Adium users to pick a different messaging app because of an exploitable vulnerability in its underlying libpurple version. Developed by Pidgin, libpurple is an instant messaging library, and was patched earlier this month. According to “Erythronium23” in this post to Full Disclosure, Adium is still …

Microsoft's 'Application Verifier' bug-finder is easily pwnable

Updated “Don't create undocumented features” should be tattooed in the corner of every developer's eye: there's one in the Microsoft Application Verifier Provider that provides attack vectors on everything Windows since XP. Cybellum, which discovered the feature, has focussed on attacking anti-virus first, but says its DoubleAgent …

Large Hadron Collider turns up five new particles

Boffins poring over data from the Large Hadron Collider's “Beauty” experiment are blinking in surprise, having turned up five new particles in one hit. The “hiding in plain sight” particles in data from the "LHCb" are all excited states of the baryon Omega-c-zero, Ωc0, and the CERN boffins saw the five new particles from its …

Tip for darknet drug lords: Don't wear latex gloves to the post office

Delivery is the weakest link in the “dark web” drug trade: the postal habits of a large-scale trader have led to his undoing. Chukwuemeka Okparaeke is accused of dealing in very nasty stuff: Fentanyl, a high-strength synthetic opioid the Centre for Disease Control says is 50 times the potency of heroin and was responsible for …

DNS lookups can reveal every web page you visit, says German boffin

Domain-name lookups only reveal websites visited, not individual pages viewed, right? Wrong: the interaction between a user and the DNS is more revealing than previously believed, according to a paper from German postdoc researcher Dominik Herrmann. In work published at pre-print server Arxiv (in German – thank you, Google …

New Zealand puts the bite on Apple over taxes

New Zealand has joined the international criticism of Apple's tax arrangements, with NZ$4.2 billion worth of sales over ten years yielding zero tax in the country. It did pay some tax in that period – a paltry $37 million – but that was remitted to the Australian Tax Office. The revelations made by the New Zealand Herald …

Atlassian admins, your Struts 2 patch has landed

Atlassian has joined the growing list of vendors to patch its products against the Apache Struts 2 vulnerability. Atlassian is one of many downstream vendors to need a patch, and the company has announced its Bamboo, Crowd, and HipChat Server products now have fixes available. In Atlassian Bamboo, the bug affects versions 5.1 …

Git sprints carefully towards SHA-1 deprecation

Following the February controversy over whether or not Google's SHA-1 collision broke Git, its community has taken the first small steps towards replacing the ancient hash function. For context: the Chocolate Factory last month produced the first reproducible SHA-1 collision needing relatively* low computing power – something …

Cisco reports bug disclosed in WikiLeaks' Vault 7 CIA dump

It looks like Cisco won't be chasing up a partnership with WikiLeaks: it's combing the "Vault7" documents itself, and has turned up an IOS / IOS XE bug in more than 300 of its switch models. The vulnerability is in the Cisco Cluster Management Protocol (CMP) in IOS and IOS XE. The protocol passes around information about …

McDonald's India's delivery app was a golden honeypot

McDonald's India has 'fessed up that its app spaffed personal data to all and sundry and has urged users to install an update. Over the weekend, a post at Medium said the company's McDelivery app in India was leaking user data through a misconfigured server. The leaks, disclosed by payment security company Fallible.co, “ …

'Australia Card 2.0' is dead: Government ditches plan for one ID to rule them all

Australia's federal government is sticking with its plans for a federated identity service, but disruption minister Angus Taylor has moved to quell fears of a revived “Australia Card”*. What first emerged last year looking like a “single identity” for all citizens across all Australian governments – before being dumped – isn't …

Google borks Nexus 6 with screwy over-the-air Android 7.0 downgrade

Google’s bad week continues with an emborkened Android update pushed to some Nexus 6 users. A serious cockup at the Chocolate Factory caused an over-the-air (OTA) downgrade to people who had side-loaded Android 7.1.1, dropping them back to Android 7.0 and sending their phones into meltdown. “It makes no sense," complained …

NetBSD adds RPi Zero support with 7.1 release

Raspberry Pi Zero users have another operating system to choose from, with the release of NetBSD 7.1. The Pi Zero isn't the only development board added in the release: the ARM-based ODROID-C1 quad-core single board computer also gets its moment in the spotlight. Also in this release, the wm driver for Intel i8254x gigabit …

Van Allen surprise: fewer nasty particles than NASA expected

Video After a three-year search, NASA's Van Allen Probes have worked out there are far fewer high-energy electrons in the Van Allen Belts than previously thought. That's good news, because electrons moving at relativistic speeds are a danger to navigation, as NASA explains in a paper that's just landed in the Journal of Geophysical …

Microsoft urges PhD-grade devs to play Minecraft for money

Microsoft wants PhD researchers to pitch their bots into a Minecraft landscape, but it's not some simple “robot wars” remake: to win, your AI will have to learn to co-operate with humans. And you don't get to choose who you co-operate with: in Project Malmo, the other players your code works with will be randomly assigned. …

Cisco wireless, cloud management on this week's must-patch list

If you've implemented Mobility Express on a Cisco 1800 access point, it needs patching against a critical authentication bypass. Reported by Bijay Limbu Senihang of Rigo Information Technology, it's in the Web-based GUI: an attacker can send a crafted HTTP request to bypass authentication, and “perform unauthorised …

Xen bends own embargo rules to unbork risky Cirrus video emulation

The Xen Project has bent its own rules of vulnerability disclosure for a buggy and possibly exploitable video component that needs urgent attention. It's not a hypervisor escape yet, but as the Xen advisory notes, it could be a pathway to one. The crashable component is a VGA driver, of all things – the default Cirrus video …

Australian Taxation and Immigration depts fail infosec audits

Australia's Taxation Office, Department of Human Services and Department of Immigration and Border Protection are heavyweights of the public service, but only one has managed basic infosec protections on its systems. That's the conclusion of the Australian National Audit Office (ANAO), which yesterday reminded the three …

Petya ransomware returns, wrapped in extra VX nastiness

Researchers have spotted a variant of last year's Petya ransomware, now with updated crypto and ransomware models. Kaspersky's Anton Ivanov and Fedor Sinitsyn say the attack, which they've dubbed “PetrWrap”, uses the PsExec tool to install ransomware on any endpoint it can access. Rather than use the original Petya, which was …

Biting the hand that feeds IT © 1998–2017