Category Archives: News

Shared items and notes from my feeds and browsing.

Xfce 4.16

Source: Hacker News

Article note: I always appreciate XFCE, it was my default from 4.0 in 2003 for about 16 years because it's so simple and consistent. I've been transitioning to mostly KDE for the last couple years because the whole GTK ecosystem is being contaminated with the Gnome3 aesthetic-I-hate (why is the toolbar buried 3 clicks deep in a hamburger menu? Why is this awful, wide CSD hiding my window controls and padding out my precious display height?) and KDE's sluggishness and RAM hunger have improved dramatically in the same timeframe.
Posted in News | Leave a comment

More on the SolarWinds Breach

Source: Schneier on Security

Article note: Maximum shitshow. SolarWinds had _everyone_ as customers and was negligently chickenshit, as security vendors usually are because, for the most part, added-on security products are theater for executives. Government compromised. Major tech companies compromised. State actors involved.

The New York Times has more details.

About 18,000 private and government users downloaded a Russian-tainted software update – a Trojan horse of sorts – that gave its hackers a foothold into victims’ systems, according to SolarWinds, the company whose software was compromised.

Among those who use SolarWinds software are the Centers for Disease Control and Prevention, the State Department, the Justice Department, parts of the Pentagon and a number of utility companies. While the presence of the software is not by itself evidence that each network was compromised and information was stolen, investigators spent Monday trying to understand the extent of the damage in what could be a significant loss of American data to a foreign attacker.

It’s unlikely that the SVR (a successor to the KGB) penetrated all of those networks. But it is likely that they penetrated many of the important ones. And that they have buried themselves into those networks, giving them persistent access even if this vulnerability is patched. This is a massive intelligence coup for the Russians and failure for the Americans, even if no classified networks were touched.

Meanwhile, CISA has directed everyone to remove SolarWinds from their networks. This is (1) too late to matter, and (2) likely to take many months to complete. Probably the right answer, though.

This is almost too stupid to believe:

In one previously unreported issue, multiple criminals have offered to sell access to SolarWinds’ computers through underground forums, according to two researchers who separately had access to those forums.

One of those offering claimed access over the Exploit forum in 2017 was known as “fxmsp” and is wanted by the FBI “for involvement in several high-profile incidents,” said Mark Arena, chief executive of cybercrime intelligence firm Intel471. Arena informed his company’s clients, which include U.S. law enforcement agencies.

Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123.”

“This could have been done by any attacker, easily,” Kumar said.

Neither the password nor the stolen access is considered the most likely source of the current intrusion, researchers said.

That last sentence is important, yes. But the sloppy security practice is likely not an isolated incident, and speaks to the overall lack of security culture at the company.

And I noticed that SolarWinds has removed its customer page, presumably as part of its damage control efforts. I quoted from it. Did anyone save a copy?

EDITED TO ADD: Both the Wayback Machine and Brian Krebs have saved the SolarWinds customer page.


Google committed “antitrust evils,” colluded with Facebook, new lawsuit says

Source: Ars Technica

Article note: Popcorn time! It's going to drag on _forever_. I'd like to see a solid shit-kicking at least on the "Colluding with Facebook in the adtech market" point.

Two separate coalitions of states have filed massive antitrust lawsuits against Google in the past 24 hours, alleging that the company abuses its extensive power to force would-be competitors out of the marketplace and harms consumers in the process.

Texas Attorney General Ken Paxton spearheaded the first suit, which nine other states also signed onto. The second suit is led by Colorado Attorney General Phil Weiser and Nebraska Attorney General Doug Peterson, and an additional 36 states and territories signed on.

Antitrust law isn't just about a company being an illegal monopoly or even about being the dominant firm in its market sector. Although being a literal monopoly, with no available competition of any kind, can put you on the fast track to investigation, the law has broader concerns. Primarily, antitrust investigations are about anticompetitive behavior—in short, how a company uses its power. If you're a big company because everyone likes your stuff best, well, you're a big company, congratulations. But if you got to be the dominant company by cheating somehow—strong-arming other firms in the supply chain; targeting anticompetitive acquisitions; colluding with other firms to manipulate market conditions, and so on—that's a problem.


Facebook Is a Doomsday Machine

Source: Hacker News

Article note: Facebook freaks me out, but the tempo and volume of "The _WRONG PEOPLE_ are organizing!" articles lately is also getting distressing. Mostly from people from populations who previously made large gains in their social power by organizing on the Internet.

Working from home at 25MHz: You could do worse than a Quadra 700 (even in 2020)

Source: Ars Technica

Article note: My desire for a Quadra 700/900/950 as an A/UX box is growing almost as fast as the average prices for the hardware. One day I'll get lucky...

The crop of personal computers available in the last decade of the 20th century were markedly faster, more capable, and more connected than their primitive ancestors. Clock speeds and transistor counts were rapidly increasing, and the decreasing cost of memory and storage was opening up new avenues for the personal computer to evolve from an expensive desk accessory into a tool for multimedia and professional graphics design.

In 1991, the Intel i486DX was one of the hottest processors on the market—literally. It was one of the first that all but required a heatsink, and a cooling fan was a good option for processors with higher clockspeeds. But for Apple, the PowerPC architecture was still below the horizon, leaving just one choice for high-performance Macintosh computers in the early 90s: the Motorola 68040 microprocessor.

What a beast. The '040 was a substantial upgrade over the '030 that had previously been used by Apple. It featured 1.2 million transistors, over four times as many as its predecessor. This processor increased the L1 cache size by a factor of eight to 4096 bytes, and it was the first 68k processor to have an on-board floating-point unit (FPU). While not without its drawbacks, the '040 processor was an obvious candidate for Apple's next line of premium workstations at the time. And this line would become known as “Quadra,” starting with the Quadra 700 and 900 models in late 1991.


A Xilinx Zynq Linux FPGA Board For Under $20? The Windfall of Decommissioned Crypto Mining

Source: Hack a Day

Article note: Aaand I just impulse bought one for $18 from Aliexpress. I've wanted to play with a Zynq for a while, but not $100+ wanted, this even looks like a really nice BoB.

One of the exciting trends in hardware availability is the inexorable move of FPGA boards and modules towards affordability. What was once an eye-watering price is now merely an expensive one, and no doubt in years to come will become a commodity. There’s still an affordability gap at the bottom of the market though, so spotting sub-$20 Xilinx Zynq boards on AliExpress that combine a Linux-capable ARM core and an FPGA on the same silicon is definitely something of great interest. A hackerspace community friend of mine ordered one, and yesterday it arrived in the usual anonymous package from China.

There’s a Catch, But It’s Only A Small One

The heftier of the two boards, in all its glory.

There are two boards to be found for sale, one featuring the Zynq 7000 and the other the 7010, which the Xilinx product selector tells us both have the same ARM Cortex A9 cores and Artix-7 FPGA tech on board. The 7000 includes a single core with 23k logic cells, and there’s a dual-core with 28k on the 7010. It was the latter that my friend had ordered.

So there’s the good news, but there has to be a catch, right? True, but it’s not an insurmountable one. These aren’t new products, instead they’re the controller boards for an older generation of AntMiner cryptocurrency mining rigs. The components have 2017 date codes, so they’ve spent the last three years hooked up to a brace of ASIC or GPU boards in a mining data centre somewhere. The ever-changing pace of cryptocurrency tech means that they’re now redundant, and we’re the lucky beneficiaries via the surplus market.

Getting To The Linux Shell Is This Easy!

Linux, in minutes!

On the PCB is the Zynq chip in a hefty BGA with its I/O lines brought out to a row of sockets for the miner boards, Ethernet, an SD card slot, a few LEDs and buttons, and an ATX 12V power socket. The serial and JTAG ports are easily identifiable and readily accessible, and connecting a USB-to-serial adapter to the former brought us to a Linux login prompt. A little bootloader shell wizardry allowed the password to be reset, and there we were with a usable shell on the thing. Changing a jumper allows booting from the SD card, so it would be extremely straightforward to bring your own ARM Linux build onto the device to replace the AntMiner one, and since the Zynq can load its FPGA code from within Linux this makes for an extremely accessible FPGA dev board for the price.

These boards seem to be offered by multiple vendors, which indicates that there must be quite a few in the supply chain. Stocks will inevitably run out though so don’t despair if you fail to snag one. Instead they are indicative of a growing trend of application specific FPGA boards being reimagined as general purpose dev boards by our community (for example the Lattice FPGA in a hackable LED driver board we featured back in January). It’s a fair certainty that they’ll be joined by others as their generation of FPGA tech starts to be replaced.

We’ll be keeping our eye out for any others and we’re sure you’ll drop us a tip if you see any.


Former UK band director resigned amid sexual harassment investigation, records show

Source: Kentucky.com -- Education

Article note: Isn't this like the 3rd in a row to go down on something like that? What is it about marching bands that attracts that particular flavor of sociopath?

Dana Biggs, the former director of the University of Kentucky’s marching band, resigned amid a sexual harassment investigation earlier this fall, documents obtained from the university show. Biggs engaged in …


“A damn stupid thing to do”—the origins of C

Source: Ars Technica

Article note: A compact telling with the things not documented until recently included. Nice.

In one form or another, C has influenced the shape of almost every programming language developed since the 1980s. Some languages like C++, C#, and Objective-C are intended to be direct successors to the language, while other languages have merely adopted and adapted C’s syntax. A programmer conversant in Java, PHP, Ruby, Python or Perl will have little difficulty understanding simple C programs, and in that sense, C may be thought of almost as a lingua franca among programmers.

But C did not emerge fully formed out of thin air as some programming monolith. The story of C begins in England, with a colleague of Alan Turing and a program that played checkers.

God Save the King

Christopher Strachey was known as the “person who wrote perfect programs,” as noted in a long profile from the journal, Annals of the History of Computing. It was a reputation he acquired at the Manchester University Computing Center in 1951. Strachey ended up there, working on the school’s Ferranti Mark I computer through an old King’s College, Cambridge, connection, Alan Turing.


Original CentOS founder intends to create new fork of RHEL

Source: Hacker News

Article note: And there it is. Greg (Greg Kurtzer, of CAOS, Warewulf, Perceus, Singularity fame. Greg is very good people.) has already registered rockylinux.org and pointed it at a comment he posted on the "CentOS is being turned into RHEL's beta channel" announcement that he'd spin up a new community RHEL compatible.

CentOS Project shifts focus to CentOS Stream

Source: Hacker News

Article note: Huh. Not sure how I feel about this for the use-cases I have for CentOS. Mostly CentOS is great for long-term stability and dealing with crusty software that only supports RHEL and its quirks without paying a subscription for software we'll have to support ourselves anyway, but having something a little more modern and less prone to weird legacy behavior should also be nice, as long as rough compatibility is maintained. It's also basically converging to the Debian model with Corporate support (Fedora = Unstable, CentOS = Testing, RHEL = Stable).