Month: May 2018

Intel Skylake die shot. (credit: Intel)

A new attack that uses processors' speculative-execution capabilities to leak data, named Speculative Store Bypass (SSB), has been published after being independently discovered by Microsoft's Security Response Center and Google Project Zero. Processors from Intel and AMD, along with some of those using ARM's designs, are all affected.

Since the Meltdown and Spectre flaws were announced earlier this year, the speculative and predictive capabilities of modern microprocessors have been closely examined, revealing several new attacks.

All the attacks follow a common set of principles. Each processor has an architectural behavior (the documented behavior that describes how the instructions work and that programmers depend on to write their programs) and a microarchitectural behavior (the way an actual implementation of the architecture behaves). These can diverge in subtle ways. For example, architecturally, a program that loads a value from a particular address in memory will wait until the address is known before trying to perform the load. Microarchitecturally, however, the processor might try to speculatively guess at the address so that it can start loading the value from memory (which is slow) even before it's absolutely certain of which address it should use.

It has been a few weeks since we last checked in with the cadre of kids we threw into our dungeon of '80s tech delights. Previously, the youngsters successfully figured out Nintendos, Power Gloves, and Polaroids—but that was only the beginning.

It's fascinating watching the kids confront tech that was commonplace when I was their age. Actually, by the time I turned ten, it was 1988 and CDs were reasonably common, but asking a 10-year-old in 2018 to load up a CD player would be too easy. The thing that really made me shake my head this time around was the kids' comments about the original Game Boy—tech that my generation would try to sneak anywhere and everywhere. Being able to whip out a Game Boy on the bus to school and nonchalantly stack some lines in Tetris made you almost unbelievably cool—although you'd have to fend off the curious, sticky hands of your fellow bus riders. And, of course, if you were brave enough to try to use the Game Boy in class, you faced the possibility of an angry teacher confiscating it until the end of the day—or worse, calling your parents.

We still haven't set up the Windows 3.1-with-an-HP-DeskJet-500 nightmare scenario I mentioned in the last article, but I think that's definitely on the table for next time. Either that or we'll see about making the kids deal with tweaking a config.sys file to yield maximum EMS memory so they can see all the extra animations in the original Wing Commander—though maybe that's a step too far into maaaaaaaaaaaaaaaadness.

Enlarge / President Donald Trump talks on an iPhone with a Morphie battery pack aboard Air Force One on January 26, 2017. (Official White House Photo by Shealah Craighead.) Hat tip to Ron Amadeo for identifying the phone. (credit: Official White House photo via GettyImages)

The mobile device habits of President Donald J. Trump have been an ongoing source of agitation for many—and not just because of his frequent blasts on Twitter. Getting Trump to adapt his device use to the potential security threats faced by a head of state has proven to be a challenge for the White House Communications Agency (WHCA) and the White House's information technology team. Trump's truculence has hamstrung efforts to secure his personal communications and may well already have exposed them to domestic or foreign surveillance efforts by other governments—or just about anyone else with the ability to intercept cell calls and cellular data.

According to a report by Politico's Eliana Johnson, Emily Stephenson, and Daniel Lippman, Trump has resisted all efforts to get him to use a secured mobile device, instead relying on a pair of off-the-shelf cell phones—one for Twitter only and the other for placing calls. And while the phones used for calls are treated to a degree as "burner phones"—with devices being swapped out regularly—Trump has pushed back on regular security checks and swap-outs of his Twitter phone, calling them "too inconvenient." Two White House officials told Politico that Trump has gone as long as five months without having his Twitter device checked by IT or WHCA staff.

Because of the sensitivity of White House communications and their connection to national security, the WHCA is a military unit that falls under the Defense Information Systems Agency. DISA and the National Security Agency have worked together to develop secure mobile devices for national leadership; during the Obama administration, DISA launched the DOD Mobility Classified Capability-Secret (DMCC-S) program and an accompanying voice-only Top Secret device program (DMCC-TS). The Top Secret device is still in development, but former Secretary of State John Kerry was an early user of the DMCC-S device—a hardened Samsung Galaxy S4 device based on Samsung's Knox security architecture.

Enlarge / Exhaustion, injuries, and low morale stack up pretty quickly within your community.

I wanted to be a “State of Decay person” since the first game came to the Xbox 360 in 2013. My friend pretty much forced the issue. I remember a straight month where all they wanted to do was whack zombies from a third-person perspective, scrounge vital materials, and maneuver the valuables through menus to keep a playable squad of survivors happy. True State of Decay fans found the hunt for food and ammo was just a vehicle for ambient stories of post-apocalyptic survival. Assuming you could stomach the game’s many vicious glitches, that is.

Very little has changed in the half-decade since that original game. In State of Decay 2, you smack undead “zeds” around to loot the supply-rich structures they guard. The gear shores up your semi-safe headquarters. And while I’m still not feeling the fantasy as much as I’d like, the bugs sure are back in full force.

State of Decay’s continued lack of polish is sort of infuriating, and not just for the obvious reasons. The game’s premise was always sound: like the best zombie fiction, it gives us a window into an egalitarian nightmare-fantasy, where debt and bureaucratic power are wiped away by a threat we can exercise six-gun justice against, largely guilt-free.

Few other games strive to be a sandbox where those stories crop up organically. With a bit more polish and a lot more direction, State of Decay could have been an undisputed classic—and not just among a devoted cult of followers. Theoretically, State of Decay 2 should be that polished follow-up. It has had five years to cook, leverages more powerful hardware, and already has its own predecessor as a sound proof of concept.

Enlarge (credit: Comcast)

A security hole in a Comcast service-activation website allowed anyone to obtain a customer's Wi-Fi network name and password by entering the customer's account number and a partial street address, ZDNet reported yesterday.

The problem would have let attackers "rename Wi-Fi network names and passwords, temporarily locking users out" of their home networks, ZDNet wrote. Obviously, an attacker could also use a Wi-Fi network name and password to log into an unsuspecting Comcast customer's home network.

Shortly after ZDNet's story was published, Comcast disabled the website feature that was leaking Wi-Fi passwords. "Within hours of learning of this issue, we shut it down," Comcast told ZDNet and Ars. "We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn't happen again."