Month: January 2020

• 

  This is not how thermal paste should be applied. [credit: Jyothis / Jim Salter ]

Early this morning, Cooler Master tweeted a picture of its new spade-tipped thermal compound applicators and captioned it "we didn't change the shape of the syringe to make applying thermal paste a lot easier, but because we're getting tired of having to explain to parents that their kid isn't using drugs."

It took the Ars staff a few minutes of grappling with Poe's Law to figure out if they were serious or not. On the one hand, how many parents would really mistake thermal compound for a medical syringe? On the other hand... the world's a big place, and as recently as 2015, I needed to tell parents en masse that the most prevalent server operating system on the planet isn't malware, so who knows? But Cooler Master is probably just joining the likes of Wendy's, Denny's, and Old Spice on Snarky Brand Twitter.

What we're sure of is that the spade-tipped applicator looks a lot more pleasant to use than the general purpose closed-needle-tip syringe senior techs and enthusiasts have been grappling with for decades. If you're not accustomed to it, thermal compound is thick, goopy, and an absolute nightmare to clean off of any credit card you unwisely use to try to spread a thin film of it evenly across your new CPU, as guides have advised for as long as thermal compound has existed. (Some techs keep a "fake" credit card around for just this purpose, which at least lets them get some use out of spam credit card offers.)

Enlarge / Giving a little joy. (credit: Flickr / xJasonRogersx)

Last month, we asked readers to donate to our 2019 Charity Drive sweepstakes. Now that the giving is done and the results have been tallied, we can report that Ars Technica readers donated $33,181.11 to Child's Play and the EFF through the charity drive. That's not quite a record for our annual effort, but it does bring our donation total over 13 years of charity driving past the $330,000 mark! Well done, Arsians!

Thanks to everyone who gave whatever they could. We're still early in the process of selecting and notifying winners of our swag giveaway, so don't fret if you haven't heard if you're a winner yet. In the meantime, enjoy these quick stats from the 2019 drive.

• 2018 Fundraising total: $33,181.11
  • Total given to Child's Play: $14,373.88
  • Total given to the EFF: $18,758.00
• Number of individual donations: 474
  • Child's Play donations: 253
  • EFF donations: 221
• Average donation: $70.00
  • Child's Play average donation: $57.04
  • EFF average donation: $84.88
• Median donation: $25.00
  • Median Child's Play donation: $25.00
  • Median EFF donation: $50.00
• Top single donation: $1,000 (2 to EFF, 1 to CP)
• Donations of $1,000 or more: 3
• Donations of $100 or more: 121(!)
• $1 donations: 3 (every little bit helps!)
• Total charity donations from Ars Technica drives since 2007 (approximate): $336,107.01
  • 2018: $20,210.66
  • 2017: $36,012.37
  • 2016: $38,738.11
  • 2015: $38,861.06
  • 2014: $25,094.31
  • 2013: $23,570.13
  • 2012: $28,713.52
  • 2011: ~$26,000
  • 2010: ~$24,000
  • 2009: ~$17,000
  • 2008: ~$12,000
  • 2007: ~$10,000

Enlarge / A crafted request is like a skeleton key for gaining access to unpatched Windows Remote Desktop servers. (credit: Anadolu Agency / Getty Images)

While much of the attention around Microsoft's latest Windows security patch has been focused on a flaw in Windows 10 and Windows Server that could be used to spoof a certificate for secure Web sessions or signing code, there were 48 other vulnerabilities that were fixed in the latest update package. Five were related to Microsoft's Remote Desktop Protocol (RDP)-based service, which is used by thousands of organizations for remote access to computers within their networks. And two of them are flaws in the Windows Remote Desktop Gateway that could allow attackers to gain access to networks without having to provide a login.

These two separate bugs, identified as CVE-2020-0609 and CVE-2020-0610, are rated as more dangerous than the crypto bug by Microsoft because, while they're not yet exploited, they could be used to remotely execute code on targeted RDP servers before the gateway even attempts to authenticate them.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the Microsoft Security Response Center summary of both vulnerabilities warned. And there is no way to work around the vulnerability without applying a software update. Both attacks rely on specially crafted requests to the Remote Desktop Gateway using the RDP protocol.