Month: April 2016

Enlarge

Go ahead and poo poo the overdone marketing of the Badlock vulnerability. With its fire-engine-red logo and a dedicated website that went live more than a month before the release of any patches, claims the risk was shamelessly hyped are justified. That said, Badlock represents a real and critical threat to virtually any organization that maintains a Microsoft network. Administrators who don't patch right away fail to do so at their own peril.

In a nutshell, Badlock refers to a defect in a security component contained in just about every version of the Windows and Linux operating systems. Known as the Distributed Computing Environment/Remote Procedure Call (DCE/RPC), it's used by administrators around the world to access the most valuable asset on any Windows network—the Active Directory, which acts as a network's digital security guard, allowing, for instance, an organization's CFO to log in to an accounting server, while locking out the janitor or the groundskeeper. Because Active Directories enforce security policies and contain password data and other crucial credentials, they are almost always the first asset hackers access once they gain a limited foothold into a targeted network.

By design, DCE/RPC is able to use a cryptographic system to protect connections between an admin's remote computer and the server running the Active Directory. In many ways, the system is analogous to the transport layer security protocol that protects connections between end users and the websites they visit. DCE/RPC ensures that parties are who they claim to be. It can also encrypt the data traveling between the parties. That way, anyone who happens to have access to the same corporate network—say, a rogue janitor or groundskeeper employed by the same organization—can't monitor or modify the crucial information inside the Active Directory.

The author's interpretation of a recently discovered FCC filing from Microsoft. Xbox One Super-Slim! Has a nice ring to it, right? We'll have to wait until late June to find out, if not sooner. (credit: Sam Machkovech)

Game console revisions are pretty standard stuff, combining improved manufacturing processes, smaller form factors, and lower prices to keep sales going strong. However, rumblings about a PlayStation 4K and vague statements about the Xbox One's hardware future make this generation's revision possibilities a lot more tantalizing than usual.

At least on the Xbox side of things, we have one more piece of information thanks to a crafty German user at the famed NeoGAF gaming forums. On Tuesday, "Mike R" noticed two FCC filings by Microsoft, both filed in March, for wireless radio devices. The filing for part number 1683 appears to have clear ties to the original Xbox One's WLAN module FCC filing, as both include a 202kB "user manual" PDF with a "1525" model number designation—and in the old filing's case, that brings up a guide to the Xbox One's legal warnings.

The other FCC filing for part number 1682 has a few differences, including a longer list of attached "exhibits" and a lack of that specific user manual PDF—but it has other commonalities, including another "User Manual (system) rev" PDF that is 213kB in both filings. The 1682 filing has a short-term confidentiality request that expires on June 25, weeks after the annual Electronic Entertainment Expo, while the 1683 filing's confidentiality won't expire until July 29.

(credit: uBiome - Microbiome Sequencing Gut Bacteria Sample Kit)

The more we learn about the microbes that inhabit the nooks and crannies of our bodies and wield profound influence on our health, the more questions arise from scientists and patients alike. Now, thanks to the microbial genomics company uBiome, we all have a chance to vote on which questions are most pressing.

The company opened a research grant competition that aims to “fast track an innovative study that has potential to affect human health and well-being.” Out of all of the submissions, uBiome’s scientists have selected six top entries and is asking the public to help pick the winner. The successful project will receive up to $100,000 worth of research assistance in the way of microbiome sampling kits and genetic analysis help.

After the voting, which you can do here, the winner will be announced in May.

(credit: Brad Smith)

For a few years, it seemed pretty clear that Verizon wouldn't be expanding its fiber-based FiOS network.

That changed today with an announcement from Boston, Massachusetts that Verizon will be "replacing its copper-based infrastructure with a state-of-the-art fiber-optic network platform across the city." Verizon will invest more than $300 million in the project over six years, and the city will provide expedited permitting to speed things along.

"[T]he project will begin in Dorchester, West Roxbury and the Dudley Square neighborhood of Roxbury in 2016, followed by Hyde Park, Mattapan, and other areas of Roxbury and Jamaica Plain," Mayor Martin Walsh's announcement said.

USB-IF

The new USB Type-C Authentication spec.

3 more images in gallery

So far, adoption of the versatile, reversible USB Type-C connector has been going pretty well. It's hardly universal, but it's showing up in an increasing number of smartphones and laptops, and the number of cables and other accessories that support it is slowly growing. One of the problems that has emerged as the port has grown in popularity is non-compliant cables and power adapters, accessories that look like they ought to work but might actually end up frying the device they're plugged into.

That's one of the problems the USB-IF is trying to solve with the USB Type-C Authentication specification, announced today at the Intel Developer Forum in Shenzhen, China. When you connect a power adapter, cable, or accessory that supports the specification into a host device (like a phone or laptop) that supports the specification, the host device can verify the accessories capabilities and whether the accessory has been fully certified by the USB-IF. This information is transmitted to the host using 128-bit encryption before an actual data or power connection is established, and the specification is designed to work even if your charger and cable are only providing power and not a data connection.

We've already seen some companies make USB Type-C chargers that don't work universally with all USB Type-C devices, as outlined in this PC World article from late last year. A supplemental specification that makes verifying the capabilities of chargers easier should hopefully put a stop to this sort of thing. The USB-IF also continues to encourage OEMs and accessory makes to use the various USB logos to clarify the capabilities of their devices, though the use of those logos on actual real-world devices is hit-or-miss at this point.

An optical fiber cable. (credit: Srleffler)

Verizon has reportedly switched 1.1 million customers from copper to fiber lines over the past few years under a program it calls "Fiber Is the Only Fix." But some phone customers have refused the switch to fiber because they prefer to keep their copper lines—even though Verizon apparently is refusing to fix problems in the copper infrastructure.

The Philadelphia Inquirer reports that it obtained internal company documents that describe the effort to switch problematic copper lines to fiber. Verizon customers with copper-based landline phones who call for repairs twice in 18 months "will be told that their 'only fix' is to replace decades-old copper line with high-speed fiber as Verizon won't fix the copper," the report said.

While Verizon still has a few million copper-line customers, the Fiber Is the Only Fix policy is responsible for 1.1 million changes to fiber in Pennsylvania and other states. The policy is also in place in New York, Massachusetts, Virginia, and Delaware, and it's expected to expand to New Jersey, the report said.

The San Antonio Independent School District's superintendent said that 27-year-old district officer Joshua Kehm's use of force at Rhodes Middle School on March 29 was "absolutely unwarranted."

"Additionally, the officer’s report was inconsistent with the video and it was also delayed," Pedro Martinez, the district's superintendent, continued in a statement. He added, "We want to be clear that we will not tolerate this behavior." Martinez said that the officer did not note the violence in his report. The school district has referred the investigation "to a third-party law enforcement agency."