Home - Critical Computer Company Limited

XHTML 1.0 Transitional
[Valid RSS]

Search:    Start Date:    Detail:           Sources

Show Items:     Beginning 
16/02/2019 17:14:31  

"I've been making the argument that everything is a free software issue for a few months now," writes the campaigns manager for the Free Software Foundation, in a new essay sharing thoughts on "the issues proprietary technology poses in dating and maintaining romantic relationships": Many dating Web sites run proprietary JavaScript... Proprietary JavaScript is a trap that impacts your ability to run a free system, and not only does it sneak proprietary software onto your machine, but it also poses a security risk. Any piece of software can be malicious, but proprietary JavaScript goes the extra mile. Much of the JavaScript you encounter runs automatically when you load a Web site, which enables it to attack you without you even noticing. Proprietary JavaScript doesn't have to be the only way to use Web sites. LibreJS is an initiative which blocks "nonfree nontrivial" JavaScript while allowing JavaScript that is either free or trivial. Many dating apps are also proprietary, available only at the Apple App and Google Play stores, both of which currently require the use of proprietary software. The essay also warns about the proprietry software used for restaurant reservations, ride-sharing apps, and chat applications. (Not to mention the non-free software behind gift shopping on Amazon.) And even if you decide on a romantic evening at home, "you might find yourself tempted by freedom-disrespecting, DRM-supporting streaming services like Hulu and Netflix...." "These are all proprietary tools, and the act of using them restricts our freedoms. When the ways we connect with one another are proprietary, we're trusting our secrets, intimacies, and relationships to technology we cannot trust."

Read more of this story at Slashdot.

12/02/2019 22:14:12  

An anonymous reader shares an excerpt from an Ars Technica report: Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks. The research, performed at Graz University of Technology by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack), uses a feature that Intel introduced with its Skylake processors called SGX ("Software Guard eXtensions"). SGX enables programs to carve out enclaves where both the code and the data the code works with are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted upon being read. The processor governs access to the enclave memory: any attempt to access the enclave's memory from code outside the enclave is blocked; the decryption and encryption only occurs for the code within the enclave. SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes. For example, an SGX enclave running on a cloud platform could be used to run custom proprietary algorithms, such that even the cloud provider cannot determine what the algorithms are doing. On a client computer, the SGX enclave could be used in a similar way to enforce DRM (digital rights management) restrictions; the decryption process and decryption keys that the DRM used could be held within the enclave, making them unreadable to the rest of the system. There are biometric products on the market that use SGX enclaves for processing the biometric data and securely storing it such that it can't be tampered with. SGX has been designed for this particular threat model: the enclave is trusted and contains something sensitive, but everything else (the application, the operating system, and even the hypervisor) is potentially hostile. While there have been attacks on this threat model (for example, improperly written SGX enclaves can be vulnerable to timing attacks or Meltdown-style attacks), it appears to be robust as long as certain best practices are followed.

Read more of this story at Slashdot.

23/01/2019 18:11:12  

Richard Stallman recently visited Mandya, a small town about 60 miles from Bengaluru, India, to give a talk. On the sidelines, Indian news outlet FactorDaily caught up with Stallman for an interview. In the wide-ranging interview, Stallman talked about companies that spy on users, popular Android apps, media streaming and transportation apps, smart devices, DRM, software backdoors, subscription software, and Apple and censorship. An excerpt from the interview: If you are carrying a mobile phone, it is always tracking your movements and it could have been modified to listen to the conversations around you. I call this product Stalin's dream. What would Stalin have wanted to hand out to every inhabitant of the former Soviet Union? Something to track that person's movements and listen to the person's conservations. Fortunately, Stalin could not do it because the technology didn't exist. Unfortunately for us, now it does exist and most people have been pressured or lured into carrying around such a Stalin's dream device, but not me. I am suspicious of new digital technology. I expect it to have new malicious functionalities. It has happened so many times that I have learned to expect this, so I have always checked before I start using some new digital technology. I asked to find out what is nasty about it and I found out these two things. It was something like 20 years ago, and I decided it was my duty as a citizen to refuse, regardless of whatever convenience it might offer me. To surrender my freedom in this way was failing to defend a free society. This is why I do not have a portable phone. I refuse to carry a portable phone. I never have one and unless things change, I never will. I do use portable phones, lots of different ones. If I needed to call someone right now, I would ask one of you, "Could you please make a call for me?" If I am on a bus and it is late and I need to tell somebody that I am going to arrive late, there is always some other passenger in the bus who will make a call for me or send a text for me. Practically speaking, it is not that hard.

Read more of this story at Slashdot.

04/01/2019 10:09:09  

The L3 protection level of Google's Widevine DRM technology has been cracked by a British security researcher who can now decrypt content transferred via DRM-protected multimedia streams. ZDNet's Catalin Cimpanu notes that while this "sounds very cool," it's not likely to fuel a massive piracy wave because "the hack works only against Widevine L3 streams, and not L2 and L1, which are the ones that carry high-quality audio and video content." From the report: Google designed its Widevine DRM technology to work on three data protection levels --L1, L2, and L3-- each usable in various scenarios. According to Google's docs, the differences between the three protection levels is as follows: L1 - all content processing and cryptography operations are handled inside a CPU that supports a Trusted Execution Environment (TEE). L2 - only cryptography operations are handled inside a TEE. L3 - content processing and cryptography operations are (intentionally) handled outside of a TEE, or the device doesn't support a TEE "Soooo, after a few evenings of work, I've 100% broken Widevine L3 DRM," [British security researcher David Buchanan] said on Twitter. "Their Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg." Albeit Buchanan did not yet release any proof-of-concept code, it wouldn't help anyone if he did. In order to get the DRM-encrypted data blob that you want to decrypt, an attacker would still need "the right/permission" to receive the data blob in the first place. If a Netflix pirate would have this right (being an account holder), then he'd most likely (ab)use it to pirate a higher-quality version of the content, instead of bothering to decrypt low-res video and lo-fi audio. The only advantage is in regards to automating the pirating process, but as some users have pointed out, this isn't very appealing in today's tech scene where almost all devices are capable of playing HD multimedia [1, 2].

Read more of this story at Slashdot.

24/12/2018 14:07:07  

Linus Torvalds has announced the general availability of v4.20 of the Linux kernel. In a post to the Linux Kernel Mailing List, Torvalds said that there was no point in delaying the release of the latest stable version of the kernel just because so many people are taking a break for the holiday season. From a report: He says that while there are no known issues with the release, the shortlog is a little longer than he would have liked. However "nothing screams 'oh, that's scary'", he insists. The most notable features and changes in the new version includes: New hardware support! New hardware support includes bringing up the graphics for AMD Picasso and Raven 2 APUs, continued work on bringing up Vega 20, Intel has continued putting together its Icelake Gen 11 graphics support, there is support for the Hygon Dhyana CPUs out of China based upon AMD Zen, C-SKY 32-bit CPU support, Qualcomm Snapdragon 835 SoC enablement, Intel 2.5G Ethernet controller support for "Foxville", Creative Sound Blaster ZxR and AE-5 sound card support, and a lot of smaller additions. Besides new hardware support when it comes to graphics processors, in the DRM driver space there is also VCN JPEG acceleration for Raven Ridge, GPUVM performance work resulting in some nice Vulkan gaming boosts, Intel DRM now has full PPGTT support for Haswell/IvyBridge/ValleyView, and HDMI 2.0 support for the NVIDIA/Nouveau driver. On the CPU front there are some early signs of AMD Zen 2 bring-up, nested virtualization now enabled by default for AMD/Intel CPUs, faster context switching for IBM POWER9, and various x86_64 optimizations. Fortunately the STIBP work for cross-hyperthread Spectre V2 mitigation was smoothed out over the release candidates that the performance there is all good now. Btrfs performance improvements, new F2FS features, faster FUSE performance, and MDRAID improvements for RAID10 round out the file-system/storage work. One of the technical highlights of Linux 4.20 that will be built up moving forward is the PCIe peer-to-peer memory support for device-to-device memory copies over PCIe for use-cases like data going directly from NICs to SSD storage or between multiple GPUs.

Read more of this story at Slashdot.