Category Archives: News

Article note: That's some bullshit. The HangPrinter design has been around in public for almost a decade.

Article note: Ooh. UK's ECE department has a couple of these things, and frankly the user experience is superb... turns out like many pandemic-expedient telecom tools, they're a security clusterfuck.

Enlarge (credit: Owl Labs)

The Meeting Owl Pro is a videoconference device with an array of cameras and microphones that captures 360-degree video and audio and automatically focuses on whoever is speaking to make meetings more dynamic and inclusive. The consoles, which are slightly taller than an Amazon Alexa and bear the likeness of a tree owl, are widely used by state and local governments, colleges, and law firms.

A recently published security analysis has concluded the devices pose an unacceptable risk to the networks they connect to and the personal information of those who register and administer them. The litany of weaknesses includes:

• The exposure of names, email addresses, IP addresses, and geographic locations of all Meeting Owl Pro users in an online database that can be accessed by anyone with knowledge of how the system works. This data can be exploited to map network topologies or socially engineer or dox employees.
• The device provides anyone with access to it with the interprocess communication channel, or IPC, it uses to interact with other devices on the network. This information can be exploited by malicious insiders or hackers who exploit some of the vulnerabilities found during the analysis
• Bluetooth functionality designed to extend the range of devices and provide remote control by default uses no passcode, making it possible for a hacker in proximity to control the devices. Even when a passcode is optionally set, the hacker can disable it without first having to supply it.
• An access point mode that creates a new Wi-Fi SSID while using a separate SSID to stay connected to the organization network. By exploiting Wi-Fi or Bluetooth functionalities, an attacker can compromise the Meeting Owl Pro device and then use it as a rogue access point that infiltrates or exfiltrates data or malware into or out of the network.
• Images of captured whiteboard sessions—which are supposed to be available only to meeting participants—could be downloaded by anyone with an understanding of how the system works.

Glaring vulnerabilities remain unpatched

Researchers from modzero, a Switzerland- and Germany-based security consultancy that performs penetration testing, reverse engineering, source-code analysis, and risk assessment for its clients, discovered the threats while conducting an analysis of videoconferencing solutions on behalf of an unnamed customer. The firm first contacted Meeting Owl-maker Owl Labs of Somerville, Massachusetts, in mid-January to privately report their findings. As of the time this post went live on Ars, none of the most glaring vulnerabilities had been fixed, leaving thousands of customer networks at risk.

Article note: This is a neat argument.

Article note: Google's chat service flailing is truly a thing to behold.

Article note: It's almost refreshing how _boring_ this thing is. It's a bunch of AMD EPYCs, a bunch of AMD's now-differentiated HPC only DP-focused "GPU" SIMD engines, tied together by some enhanced HPE/Cray fancy Ethernet (and apparently secondary fast IO that isn't actually up yet). It's not full of AI pixie dust. It's not hitting numbers by working on low-precision values. It's not 4 years late (looking at you, Intel's ANL Summit Aurora contract). It's water cooled (not special environmental catastrophe sauce). It is, however, sucking down 40MW to do it, at 400KW per rack.

Article note: Not this shit again. At least this one just breaks the Windows driver based on quirks of the clones rather than damaging them like what FTDI pulled a few years ago.

Article note: It's a good, thorough investigation/writeup of something I have high confidence is extremely widespread.

Article note: Oh. They're buying it to rentseek, not do neat better hardware integration for virt tricks or something else interesting. That's unfortunate.

Article note: Of course they do. For-ptofit ed-tech is always carpetbagger bullshit, and they had a window to "scale their business" that was too hurried for serious vetting, so they're getting away with all kinds of bullshit that might not survive scrutiny.

Article note: That actually seems pretty low on the long list of henious things that giant silos of searchable, purchasable, subpoenable location data will be used for, but it's always nice when the women's rights folks are on the privacy train.

Enlarge / A pro-choice demonstrator in front of the US Supreme Court in Washington, DC, on May 11, 2022. (credit: Getty Images | Stefani Reynolds)

More than 40 Democratic members of Congress called on Google to stop collecting and retaining customer location data that prosecutors could use to identify women who obtain abortions.

"[W]e are concerned that, in a world in which abortion could be made illegal, Google's current practice of collecting and retaining extensive records of cell phone location data will allow it to become a tool for far-right extremists looking to crack down on people seeking reproductive health care. That's because Google stores historical location information about hundreds of millions of smartphone users, which it routinely shares with government agencies," Democrats wrote Tuesday in a letter led by Senator Ron Wyden (D-Ore.) and Rep. Anna Eshoo (D-Calif.). The letter was sent to Google CEO Sundar Pichai.

Specifically, Google should stop collecting "unnecessary customer location data" or "any non-aggregate location data about individual customers, whether in identifiable or anonymized form. Google cannot allow its online advertising-focused digital infrastructure to be weaponized against women," lawmakers wrote. They also told Google that people who use iPhones "have greater privacy from government surveillance of their movements than the tens of millions Americans using Android devices."