Trusted platform module security defeated in 30 minutes, no soldering required

Enlarge (credit: Getty Images)
Let’s say you’re a large company that has just shipped an employee a brand-new replacement laptop. And let’s say it comes preconfigured to use all the latest best security practices, including full-disk encryption using a trusted platform module, password-protected BIOS settings, UEFI SecureBoot, and virtually all other recommendations from the National Security Agency and NIST for locking down federal computer systems. And let’s say an attacker manages to intercept the machine. Can the attacker use it to hack your network?
Research published last week shows the answer is a resounding yes. Not only that, but a hacker who has done her homework needs a surprisingly short stretch of time alone with the machine to carry out the attack. With that, the hacker can gain the ability to write not only to the stolen laptop, but to the fortified network it was configured to connect to.
Researchers at the security


Original URL: https://arstechnica.com/?p=1784665

Original article

30 under $25: A collection of good hidden gem games from Steam’s Summer Sale

Enlarge / Paper Beast. (credit: Pixel Reed, PID Games)
The latest rendition of Steam’s annual Summer Sale has been underway for about a week now, and, as usual, it’s discounted virtually everything on the PC games store. But while the Halos, Grand Theft Autos, and other mega-hits of the world may get the most front-page attention, the sheer breadth of the sale means that a truckload of lesser-known but more-than-worthwhile games have dropped to more approachable prices as well. To assist those who’d like to expand their interactive palate, I’ve rounded up a collection of recent under-the-radar games that are both worth your time and nicely discounted.
To be clear, this list isn’t comprehensive. There are several thousand games on sale, and, unfortunately, we can’t play everything. (As always, feel free to share your own recommendations below.) Definitions of “under-the-radar” may differ, but the vast majority of this list consists of games we haven’t covered


Original URL: https://arstechnica.com/?p=1776268

Original article

Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices

Enlarge (credit: Getty Images)
Last week’s mass-wiping of Western Digital My Book Live storage devices involved the exploitation of not just one vulnerability, but a second critical security bug that allowed hackers to remotely perform a factory reset without a password, an investigation shows.
The vulnerability is remarkable not only because it made it trivial to wipe what’s likely petabytes of user data. More notable still was the fact that, according to the vulnerable code itself, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed.
Done and undone
The undocumented vulnerability resided in a file aptly named system_factory_restore. It contains a PHP script that performs resets, which allows users to restore all default configurations and to wipe all data stored on the devices.Read 22 remaining paragraphs | Comments


Original URL: https://arstechnica.com/?p=1776939

Original article

Here’s how Android apps on Windows 11 are going to work

Little Android guy? How did you get in there? [credit:
Ron Amadeo ]

Microsoft’s Windows 11 announcement surprised us with the news that the upcoming OS will run Android apps alongside Windows apps. Unfortunately, the keynote was light on details. Will these apps use emulation? Will Windows’ existing Linux support be involved? We got our answers shortly after the keynote, thanks to a follow-up developer talk that went into some details.
The feature is officially called the “Windows Subsystem for Android,” which should tell you a lot about how it works. Windows currently has a “Windows Subsystem for Linux” (WSL), which uses a subset of the Hyper-V functionality to run Linux apps on a real Linux kernel alongside your Windows apps. (Hyper-V lets a second guest OS access the bare metal hardware instead of running on top of the host OS with less access to resources.) Real


Original URL: https://arstechnica.com/?p=1776088

Original article

“I’m totally screwed.” WD My Book Live users wake up to find their data deleted

Enlarge (credit: Western Digital)
Western Digital, maker of the popular My Disk external hard drives, is recommending customers unplug My Disk Live storage devices from the Internet until further notice while company engineers investigate unexplained compromises that have completely wiped data from devices around the world.
The mass incidents of disk wiping came to light in this thread on Western Digital’s support forum. So far, there are no reports of deleted data later being restored.
All my data is gone
“I have a WD mybook live connected to my home LAN and worked fine for years,” the person starting the thread wrote. “I have just found that somehow all the data on it is gone today, while the directories seems there but empty. Previously the 2T volume was almost full but now it shows full capacity.”Read 10 remaining paragraphs | Comments


Original URL: https://arstechnica.com/?p=1776180

Original article

Google Chrome ends its war on address bar URLs—for now, at least

The new experiment: after loading a page, Chrome shows only the domain name. [credit:
Ron Amadeo ]

Chrome is ending its war on address bar URLs—at least for now. About a year ago, Chrome started experimenting with stripping down the URL shown in the address bar to only the domain name, so instead of something like “https://arstechnica.com/gadgets/2020/06/google-is-messing-with-the-address-bar-again-new-experiment-hides-url-path/,” the address bar would show only “arstechnica.com,” and you would have no idea where you are in the site directory.
Android Police spotted a post on the Chromium bug tracker announcing that Google is killing the idea. Back in June 2020 when the experiment was kicking off, Google engineer Emily Stark explained that the company was experimenting with a simplified URL display “to understand if it helps users identify malicious websites more accurately.” It’s a year later, and now Stark writes that the “simplified domain experiment” will be deleted


Original URL: https://arstechnica.com/?p=1772423

Original article

MySQL 101: Installation, care, and feeding on Ubuntu

Enlarge / Warning: Learning the care and feeding of MySQL instances does not grant knowledge of or safe interaction with actual marine mammals. (credit: Oracle)
One of the tasks nearly any sysadmin frequently encounters is the care and feeding of the MySQL database server. You can build an entire career around nothing but this topic—making you a DB admin, not a humble sysadmin like yours truly—but for today, we’re just going to cover the basics.
For this guide, we’re going to be using Ubuntu Linux as the underlying operating system—but most of these steps and tips will be either the same, or broadly similar, across nearly any OS or distribution you might install MySQL on.
Installing MySQL

If you’re even vaguely familiar with Ubuntu or Debian, the installation process shouldn’t be surprising: apt install mysql-server and you’re off to the races. [credit:
Jim Salter ]

Installing


Original URL: https://arstechnica.com/?p=1772445

Original article

Fast.ly broke the Internet for an hour this morning

Enlarge / The United Kingdom government’s official website was one of those affected by this morning’s outage. The cryptic “Guru Mediation” message shown is an untrapped, unskinned error returned from the Varnish cache server powering the Fastly CDN. (credit: Leon Neal via Getty Images)
For roughly an hour this morning—6 am to 7 am EDT, give or take a few minutes—enormous swathes of the Internet were down or interestingly broken. Sites taken down included CNN, The Guardian, The New York Times, PayPal, and Spotify, among many more—including The Verge, which resorted to reporting via Google Docs during the duration of the outage.
Vast chunks of the internet are offline, including The Verge. Until we’re back, we’re reporting to you live out of Google Docs. Here’s what we know so far about the outage: https://t.co/4b1p2qhYif— The Verge (@verge) June 8, 2021
The underlying problem was an outage at Fastly, one of the world’s


Original URL: https://arstechnica.com/?p=1771582

Original article

Stack Overflow sold to tech investor Prosus for $1.8 billion

Enlarge / If you’ve ever gone looking for answers to software development questions, this screenshot probably looks quite familiar. (credit: Jim Salter)
Legendary programming Q&A site Stack Overflow is being acquired by Prosus N.V., Europe’s largest tech investment firm. According to a press release on Prosus’ website, the two companies entered into a definitive acquisition agreement yesterday.
According to Amazon Alexa web analytics, Stack Overflow is the 46th most heavily engaged site in the world. Since 2008, the site has served as the first stop for developers searching for answers to their programming-related questions—and eventually, their non-programming-related questions, as the Stack Exchange network of sites expanded into categories including culture, recreation, arts, science, business, and more.
Prosus will likely be much less familiar, particularly to Americans, as the Amsterdam-listed investment firm has a much lower public profile. Although based in Europe, Prosus invests internationally; for example, it has the largest single stake in Chinese


Original URL: https://arstechnica.com/?p=1769534

Original article

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: