Article note: It's interesting/surprising how many people have the savvy to flash a custom firmware and still leave it with default credentials.
Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found, the exploit then makes the routers part of a botnet that’s used in a host of online attacks, researchers said on Tuesday.
The Muhstik botnet came to light about two years ago when it started unleashing a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the so-called critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including WebDAV, WebLogic, Webuzo, and WordPress.
On Tuesday, researchers from Palo Alto Networks said they recently detected Muhstik targeting Internet routers running Tomato, an open-source package that serves as an alternative to the firmware that ships by default with routers running Broadcom chips. The ability to work with virtual private networks and provide advanced quality-of-service control makes Tomato popular with end users and, in some cases, router sellers.
Article note: That is turning out more credible than I expected - especially in the context of the firmware shenanigans involved in putting normal Linux on Chromebooks (my $80 used Chromebook 11-3189 still has unresolved issues with sound and input).
Article note: They were a (slightly douchey) fixture of a previous generation of internet culture. And it looks like a major part of the kill was the same "Facebook lying about user engagement" thing that took out a whole bunch of formerly prominent web content - I have to wonder how intentional that was, and how much was just layers of lying to look good, because both are entirely plausible.
Article note: Oh, so that's what the dire rumors have been about.
Windows' certificate validation is broken in a way that could subvert both network validation and code signing (e.g. MITMs could inject bogus updates); it looked like enough of an infrastructure threat that the NSA disclosed instead of using it, and y'all want to patch now.
Microsoft's scheduled security update for Windows includes a fix to a potentially dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source. The vulnerability, reported to Microsoft by the National Security Agency, affects Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server version 1803.
Microsoft has rated the update as "important" rather than critical. But in a blog post, Mechele Gruhn, the Principal Security Program Manager for Microsoft Security Response Center, explained that this was because "we have not seen it used in active attacks."
However, researchers outside Microsoft—including Google's Tavis Ormandy—have a much more dire assessment of the vulnerability and urge users to patch quickly before an active exploit appears.
Article note: As I've been snarking lately, My body is ready for AI Winter 3.0.
The bullshit has boiled over and is making it hard to accomplish useful work in even vaguely adjacent fields.
The last decade was a big one for artificial intelligence, but researchers in the field believe that the industry is about to enter a new phase. From a report: Hype surrounding AI has peaked and troughed over the years as the abilities of the technology get overestimated and then re-evaluated.
The peaks are known as AI summers, and the troughs AI winters. The 10s were arguably the hottest AI summer on record with tech giants repeatedly touting AI's abilities.
AI pioneer Yoshua Bengio, sometimes called one of the "godfathers of AI", told the BBC that AI's abilities were somewhat overhyped in the 10s by certain companies with an interest in doing so. There are signs, however, that the hype might be about to start cooling off.
"I have the sense that AI is transitioning to a new phase," said Katja Hofmann, a principal researcher at Microsoft Research in Cambridge. Given the billions being invested in AI and the fact that there are likely to be more breakthroughs ahead, some researchers believe it would be wrong to call this new phase an AI winter. Robot Wars judge Noel Sharkey, who is also a professor of AI and robotics at Sheffield University, told the BBC that he likes the term "AI autumn" -- and several others agree.