Month: April 2017

Enlarge (credit: Natalie Maynor)

Google has announced that its widely used Octane JavaScript benchmark is being retired, with Google saying that it's no longer a useful way for browser developers to determine how best to optimize their JavaScript engines.

Octane was developed for and by the developers of V8, the JavaScript engine used in Chrome. It was intended to address flaws in the earlier SunSpider benchmark, developed by Apple's Safari team. SunSpider's tests were all microbenchmarks, sometimes testing something as small as a single operation performed thousands of times. It wasn't very representative of real-world code, and it was arguably being gamed, with browser vendors introducing optimizations that were aimed primarily, albeit not exclusively, at boosting SunSpider scores. This was being done even when those optimizations were detrimental to real-world performance, because having a good score carried so much prestige.

Octane was introduced in 2012 and includes cut-down versions of somewhat realistic workloads, such as compiling the TypeScript compiler. But since then, JavaScript coding styles have changed. JavaScript itself has changed; ECMAScript 2015 (the standardized version of JavaScript) introduced a range of new features that weren't available in 2012, and hence aren't tested by Octane, and all manner of new libraries and frameworks have emerged since.

Enlarge / An actor on a soundstage holding an exaggerated facsimile of a Burger King product.

Burger King made waves today after it released a TV ad that purposely triggered the Google Assistant. The ad ends with a person saying "OK Google, what is the Whopper burger?"'—a statement designed to trigger any Google Assistant devices like Android phones and Google Home to read aloud a description of the hamburger's ingredients. Google apparently wasn't happy with a third-party hijacking its voice command system to advertise fast food, and has issued a server-side update to specifically disable Burger King's recording.

Before the ad was disabled, the Google Assistant would verbally read a list of ingredients from Wikipedia. Of course the internet immediately took to Wikipedia to vandalize the burger's entry page, with some edits claiming it contained "toenails" or "cyanide." Getting the Google Assistant to actually read one of these false edits was a tough task, since the Google Assistant gets its data from Google's search index, rather than a live query of Wikipedia. Still, according to The Verge, there was actually a brief period when the Google Assistant would read a false edit.

Google's shutdown of the feature is interesting. The ad will still wake up a Google Home—the "Ok Google" phrase will light up the device, and the little lights on top will spin while it waits for the query to make a round trip to Google's servers. Google Home will no longer dutifully recite the burger's ingredient list, though. Apparently Google has made changes so that Burger King's specific recording of the phrase will no longer trigger a voice response. Instead, the Google Home just quietly goes back to sleep, without any response to the query. Having a live person ask "OK Google, what is the Whopper burger?"' will still trigger a voice response, though.

Enlarge / An identical artifact in two exploits, one installing Finspy and the other Latenbot. (credit: FireEye)

A critical Microsoft Word zero-day that was actively exploited for months connected two strange bedfellows, including government-sponsored hackers spying on Russian targets and financially motivated crooks pushing crimeware.

That assessment, made Wednesday with "moderate confidence" from researchers at security firm FireEye, is all the more intriguing because the payload delivered to the Russian targets was developed by Gamma Group, the controversial UK-based seller of so-called "lawful intercept" spyware to governments around the world. The company suffered a major setback in 2014 when a hack of its servers exposed more than 40 gigabytes of highly proprietary data showing that its software was used to spy on computers in the United States, Germany, Russia, Iran, and Bahrain. Gamma Group has continued to operate since then, as evidenced by Wednesday's report showing that its software, known as Finspy, was installed as early as January using what until Tuesday was the zero-day vulnerability in Word.

Adding even more intrigue, the Word exploit used to install Finspy on Russian computers shares some of the same digital fingerprints as an exploit used in March to install crimeware. Known as Latenbot, the malware boasted a variety of capabilities, including credential theft, hard drive and data wiping, security software disabling, and remote desktop functions. The shared artifacts found by FireEye—which are documented in the image at the top of this post—strongly suggest the exploits used by both government spies and criminal hackers originated with the same source. That finding draws a connection between state-sponsored hacking and financially motivated online crime.