Trivial authentication bypass in libssh leaves servers wide open

(credit: starwars.com)

There’s a four-year-old bug in the Secure Shell implementation known as libssh that makes it trivial for just about anyone to gain unfettered administrative control of a vulnerable server. While the authentication-bypass flaw represents a major security hole that should be patched immediately, it wasn’t immediately clear which sites or devices were vulnerable, since neither the widely used OpenSSH nor GitHub’s implementation of libssh was affected.

The vulnerability, which was introduced in libssh version 0.6, released in 2014, makes it possible to log in by presenting a server with an SSH2_MSG_USERAUTH_SUCCESS message rather than the SSH2_MSG_USERAUTH_REQUEST message the server was expecting, according to an advisory published Tuesday. Exploits are the hacking equivalent of a Jedi mind trick, in which an adversary uses the Force to influence or confuse weaker-minded opponents. The last time the world saw an authentication-bypass bug with such serious consequences and requiring so little effort was 11 months ago, when Apple’s macOS let people log in as admin without entering a password.

The effects of malicious exploits, assuming there were any during the four-plus years the bug was active, are hard to fathom. In a worst-case scenario, attackers would be able to use exploits to gain complete control over vulnerable servers. The attackers could then steal encryption keys and user data, install rootkits and erase logs that recorded the unauthorized access. Anyone who has used a vulnerable version of libssh in server mode should consider conducting a thorough audit of their network immediately after updating.
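The advisory quoted above describes a server that changed its own authentication state on a message only a server should ever send. The example below is added here and is not libssh code: it is a small model of the server-side userauth dispatcher with the check a patched server needs, namely that the authenticated flag is set in exactly one place (after credentials verify) and that server-to-client message numbers arriving from the client are treated as a protocol violation and logged for the audit the article recommends. The message numbers are the real values from RFC 4252 and RFC 4253; the account table and the `ServerAuthState`, `handle_userauth_message` and `run_session` names are constructed for this example.

```python
"""Model of the server-side SSH userauth check described in the libssh advisory.

Added example, not libssh code. Message numbers are the real values from
RFC 4252 / RFC 4253; the credential store is a constructed stand-in.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RFC 4253 transport-layer message
SSH_MSG_DISCONNECT = 1
# RFC 4252 userauth-layer messages
SSH2_MSG_USERAUTH_REQUEST = 50   # client -> server only
SSH2_MSG_USERAUTH_FAILURE = 51   # server -> client only
SSH2_MSG_USERAUTH_SUCCESS = 52   # server -> client only

# The only userauth message a server may ever accept from a client.
CLIENT_TO_SERVER = frozenset({SSH2_MSG_USERAUTH_REQUEST})

# Constructed test account; a real server would consult PAM, authorized keys, etc.
_ACCOUNTS = {"alice": "correct horse battery staple"}


@dataclass
class ServerAuthState:
    """Per-connection authentication state kept by the server."""
    authenticated: bool = False
    user: Optional[str] = None
    audit: List[str] = field(default_factory=list)


def verify_credentials(user: str, method: str, secret: str) -> bool:
    """Constructed password check for the example."""
    return method == "password" and _ACCOUNTS.get(user) == secret


def handle_userauth_message(state: ServerAuthState, msg_type: int,
                            payload: Optional[Tuple[str, str, str]]) -> Optional[int]:
    """Process one userauth-layer packet received from the client.

    Returns the message number the server sends back, or None when the
    packet is silently dropped. The authenticated flag is set in exactly
    one place: after verify_credentials() succeeds.
    """
    # RFC 4252 section 5.1: once authenticated, further userauth requests are ignored.
    if state.authenticated:
        state.audit.append(f"ignored userauth message {msg_type} after authentication")
        return None

    # Direction check: a server-to-client message number arriving from the
    # client is a protocol violation, never a reason to change state.
    if msg_type not in CLIENT_TO_SERVER:
        state.audit.append(
            f"protocol violation: client sent server-only message {msg_type}; disconnecting")
        return SSH_MSG_DISCONNECT

    user, method, secret = payload
    if verify_credentials(user, method, secret):
        state.authenticated = True
        state.user = user
        state.audit.append(f"user {user!r} authenticated via {method}")
        return SSH2_MSG_USERAUTH_SUCCESS

    state.audit.append(f"authentication failed for {user!r} via {method}")
    return SSH2_MSG_USERAUTH_FAILURE


def run_session(messages):
    """Feed a constructed sequence of (msg_type, payload) through a fresh state."""
    state = ServerAuthState()
    replies = [handle_userauth_message(state, t, p) for t, p in messages]
    return state, replies


if __name__ == "__main__":
    # A client that presents USERAUTH_SUCCESS where a request was expected.
    state, replies = run_session([(SSH2_MSG_USERAUTH_SUCCESS, None)])
    print(replies, state.authenticated)   # [1] False
    for line in state.audit:
        print(line)
```

The audit list stands in for the server's log: the "protocol violation" line is the event a defender would alert on when reviewing traffic from the four-year window the article describes, because a legitimate client never emits message 52.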


Source: Ars Technica – Trivial authentication bypass in libssh leaves servers wide open

Apple, Google, Microsoft, and Mozilla come together to end TLS 1.0

A green exterior door is sealed with a padlock. (credit: Indigo girl / Flickr)

Apple, Google, Microsoft, and Mozilla have announced a unified plan to deprecate the use of TLS 1.0 and 1.1 early in 2020.

TLS (Transport Layer Security) is used to secure connections on the Web. TLS is essential to the Web, providing the ability to form connections that are confidential, authenticated, and tamper-proof. This has made it a big focus of security research, and over the years, a number of bugs that had significant security implications have been found in the protocol. Revisions have been published to address these flaws.

The original TLS 1.0, heavily based on Netscape’s SSL 3.0, was first published in January 1999. TLS 1.1 arrived in 2006, while TLS 1.2, in 2008, added new capabilities and fixed these security flaws. Irreparable security flaws in SSL 3.0 saw support for that protocol come to an end in 2014; the browser vendors now want to make a similar change for TLS 1.0 and 1.1.


Source: Ars Technica – Apple, Google, Microsoft, and Mozilla come together to end TLS 1.0

Trump’s coal rescue is getting more complicated

An eastbound Norfolk Southern Corp. unit coal train passes through Waddy, Kentucky. (credit: Luke Sharrett/Bloomberg via Getty Images)

According to four people who spoke to Politico on conditions of anonymity, the Trump administration’s plan to bail out coal and nuclear plants has hit a speed bump within the White House itself.

The most recent plan from the Department of Energy (DOE) involved invoking the Defense Production Act of 1950, a wartime rule that allows the president to incentivize and prioritize purchases from American industries that are considered vital to national security.

Another potential plan involved invoking Section 202(c) of the Federal Power Act to mandate that struggling coal and nuclear plants stay open either through compulsory purchases by grid managers or through subsidies. FirstEnergy, a power corporation whose coal and nuclear units are under Chapter 11 bankruptcy, petitioned the DOE to use this power in April.


Source: Ars Technica – Trump’s coal rescue is getting more complicated

Verizon slammed for poor hurricane response as Floridians lack cell service


Source: Ars Technica – Verizon slammed for poor hurricane response as Floridians lack cell service

Starlink: Battle for Atlas review: Cool toys, solid spacefaring

Shiny. (credit: Ubisoft)

Amid the luminescent, blue-green plants of some once-forgotten world, my sharp red dart of a ship narrowly avoids ambush. Carrying important cargo that is hefty enough to keep my versatile vessel from being able to take off, I’m left with two choices: flee or dump the ballast to turn and fight.

Those who are familiar with 2016’s No Man’s Sky will undoubtedly notice more than a few similarities between it and Starlink: Battle for Atlas, which created the above scene. The visuals in both are consistently bizarre and otherworldly—they are believably alien in a way the last few decades of serialized television haven’t been able to capture. Both games offer just about free rein to fly anywhere and do more or less whatever you will across the vast reaches of space (though Starlink is limited to a single solar system).

The key difference—aside from Starlink’s additional narrative glue (at least compared with No Man’s Sky at launch)—is that it’s a toys-to-life game, much like Disney Infinity or Activision’s Skylanders. Yet despite the contraptions you’ll need to attach to your controller, the game itself is remarkably accessible and surprisingly entertaining regardless of your age.

Build-a-ship

Starlink’s narrative setup is straightforward: thanks to a genius astrophysicist and an alien that crashed on Earth, humans are now making their first nascent voyages to the stars. But the fuel humans are using for those trips, Nova, is a rare resource. The aliens of the Atlas star system have long since lost the knowledge of how to make the interstellar fuel, leaving them largely trapped near their home planet.


Source: Ars Technica – Starlink: Battle for Atlas review: Cool toys, solid spacefaring

21-year-old who created powerful RAT software sentenced to 30 months

Stylized photo of desktop computer. (credit: Lino Mirgeler/picture alliance via Getty Images)

A 21-year-old Kentucky man who previously admitted to creating and selling a “remote access trojan” (RAT) known as LuminosityLink has been sentenced to 30 months in federal prison.

Colton Grubbs had previously pleaded guilty to conspiracy to unlawfully access computers in the furtherance of a criminal act, among other crimes.

When Grubbs was first charged, he claimed LuminosityLink was a legitimate tool for system administrators, and he never intended for it to be used maliciously. He reversed course in a plea agreement he signed in July 2017. In that document, he admitted for the first time that he knew some customers were using the software to control computers without owners’ knowledge or permission. Grubbs also admitted emphasizing a wealth of malicious features in marketing materials that promoted the software.


Source: Ars Technica – 21-year-old who created powerful RAT software sentenced to 30 months

Roborace wants the future of racing to be AI plus humans, working together

Errolson Hugh

A quick look through the Cars Technica back catalog (the carchive, perhaps?) shows that autonomous driving technology and racing technology are both topics we return to quite often. But it has been a while since we covered their intersection—specifically, what’s been going on at Roborace. The series first broke cover at the end of 2015 and then wowed everybody with the Robocar a few months later. It looks outrageous, made possible because it does not need to protect a human driver or generate meaningful downforce, two factors that overwhelmingly influence most race car designs.

Initially, the idea was for a driverless support series for Formula E. Roborace would supply teams with identical Robocars, and the teams would try to program a better racing AI. However, it’s fair to say that the idea of watching a grid full of AI cars race each other did not meet with universal approval. “We realized that humans are very much part of the storyline of autonomous driving technology. The machines need to learn from humans. What’s it like to take a ride in one as a passenger? These cars have to learn how to fit into a human world. Human and AI cars will share the road,” said Rod Chong, Roborace’s deputy CEO.


Source: Ars Technica – Roborace wants the future of racing to be AI plus humans, working together

Dealmaster: Get a Google Daydream View VR headset for $40

(credit: TechBargains)

Greetings, Arsians! Courtesy of our friends at TechBargains, we have another round of deals to share. Today’s list is headlined by a deal on the coral version of Google’s Daydream View VR headset, which is down to $40 at Verizon as of this writing.

While this is not the absolute lowest we’ve seen Google’s mobile VR headset, it’s still more than half off its standard $99 list price. Smartphone VR is still the lightest VR experience, but if you plan on buying a new Pixel 3, want to use it as your own personal movie theater, and don’t want to splash the cash on a more-advanced and standalone headset like the upcoming Oculus Quest, the Daydream View is still a decent entry point.

If you have no interest in virtual reality, we also have deals on AMD processors, sous vide cookers, the Nvidia Shield, storage, and much more. Have a look for yourself below.


Source: Ars Technica – Dealmaster: Get a Google Daydream View VR headset for $40

Comcast complains it will make less money under Calif. net neutrality law

A Star Wars AT-AT battle vehicle with a Comcast logo. (credit: Aurich Lawson)

California’s net neutrality law will cause “significant lost revenues” for Comcast, the nation’s largest cable company said in a court filing this month.

Comcast described the net neutrality law’s potential impact on its ability to charge online service providers and network operators for network interconnection.

“The paid interconnection provisions will harm Comcast’s ability to enter into new, mutually beneficial interconnection agreements with edge providers that involve consideration, leading to a loss of existing and prospective interconnection partners and significant lost revenues,” Comcast Senior VP Ken Klaer wrote in the filing in US District Court for the Eastern District of California. (“Edge provider” is the industry term for websites and other online platforms, such as Netflix and Google.)


Source: Ars Technica – Comcast complains it will make less money under Calif. net neutrality law

Want to move something at nearly the speed of light? Here’s how

We recently ran a little poll of our science readers to find out what they were looking for from our coverage. One of the things that was clear was that you wanted to know how things work—what’s the technology that enables the latest science (and vice versa), and how does it operate?

These things can be a challenge to handle via text, since there are often a lot of moving parts, things that really require diagrams to explain, and so forth. In a lot of ways, this makes video a better tool for helping people visualize what’s going on. Given that we’ve got access to people who make some fine videos, we decided to give it a try.

What you’ll see above is our first go at explaining a pretty amazing bit of technology: the Large Hadron Collider. Nearly everything about the LHC—its detectors, the data filtering, the clusters that store, share, and analyze the data—is pretty astonishing. But at the heart of it all, the key to enabling everything, is the fact that we have a way to accelerate objects so that they are moving so close to the speed of light that the difference is a rounding error. How do we do that? Hopefully, after watching the video, you’ll come away with a pretty good idea.


Source: Ars Technica – Want to move something at nearly the speed of light? Here’s how

Ars on your lunch break: Thinking in public and brawling with Batman

Batman: he drinks, and he knows things. Wait, maybe that’s a different guy. (credit: Warner Bros.)

This week we are serializing yet another episode from the After On Podcast here on Ars. The broader series is built around deep-dive interviews with world-class thinkers, founders, and scientists, and tends to be very tech- and science-heavy. You can access the excerpts on Ars via an embedded audio player, or by reading accompanying transcripts (both of which are below).

This week my guest is Sam Harris: a neuroscientist turned bestselling author turned podcasting colossus. We’ll be running the episode in four installments, starting today. Harris has described his job as “thinking in public.” In doing this, he has never been one to shrink from controversy. He irked many by revealing himself as a committed atheist in his first book, 2004’s End of Faith. He’s spent much of the time since then articulating a genuinely heterodox set of political and other beliefs.

The uniqueness of Harris’ perspective is evidenced by his ability to trigger comparable gusts of outrage from both the left and the right (generally from the extremes of each camp). The many fans and supporters he has won likewise hail from throughout the political spectrum. I’ll add that a lot of Sam’s fascinations and domains of expertise are apolitical. These include meditation and the nature of consciousness, as well as both philosophy and neuroscience writ large.


Source: Ars Technica – Ars on your lunch break: Thinking in public and brawling with Batman

iFixit rips open the Pixel 3 XL, finds a Samsung display panel

The Pixel 3 XL is out, but even after the usual slate of announcements and reviews, there are still a few things we don’t know about it. For some answers on the internals, we turn to iFixit, which recently ripped open the Pixel 3 XL to show the world its insides.

In last year’s Pixel 2 XL, the LG OLED display panel was a big concern. Last year LG jumped back into the OLED smartphone market after being absent for years, and it found itself way behind the competition. The display was grainy and dirty looking at low brightness, and there were burn-in issues. Others complained of a color shift whenever the phone was looked at on an angle. The smartphone OLED industry leader is Samsung, which supplies displays for its own Galaxy line and for Apple’s high-end iPhones.


Source: Ars Technica – iFixit rips open the Pixel 3 XL, finds a Samsung display panel

Sega’s Genesis (and more) get an HDMI upgrade with the Mega Sg

After giving the high-end, HDMI-enabled aftermarket treatment to both NES and SNES hardware, Analogue is now setting its sights on recreating and upgrading Sega’s classic game consoles. The $189 Mega Sg, shipping next April, promises full FPGA-driven, HDMI-powered support for a bevy of early Sega cartridges.

Out of the box, the Mega Sg will offer region-free support for Genesis/Mega Drive and Sega Master System cartridges, the latter via an included adapter. Other optional cartridge adapters (which should sell for about $10 each) will add support for the Game Gear and international Sega systems like the SG-1000, SC-3000, and Mark III. Users will also be able to connect standard Sega CD/Mega CD hardware to play Sega’s earliest CD-ROM games.


Source: Ars Technica – Sega’s Genesis (and more) get an HDMI upgrade with the Mega Sg

Amazon makes Kindle Paperwhite waterproof—and it still starts at $129

Amazon

Amazon updated its best-value Kindle with some of the coveted features found in its high-end, $249 Kindle Oasis. The new Kindle Paperwhite announced today has a thinner, lighter design that’s now waterproof, making it the first Kindle other than the Oasis to have an IPX8 rating.

Amazon last updated the Kindle Paperwhite in 2015, giving it a better screen without raising its price. Now, the newest Paperwhite appears to be a mix of the old model and the now-defunct Kindle Voyage (the latter disappeared from Amazon’s site about a month ago). It has a 6-inch, 300ppi touch display with five backlighting LEDs, and the new screen is now flush with the black bezels around it. It’s still a black slab, but now it’s just 8.18mm thick and weighs just 6.4 ounces.


Source: Ars Technica – Amazon makes Kindle Paperwhite waterproof—and it still starts at $129

Tech firms to SEC: We want the option to pay non-employee workers in equity

(credit: Guillaume Payen/SOPA Images/LightRocket via Getty Images)

In recent weeks, both Uber and Airbnb have sent formal letters to the Securities and Exchange Commission, asking the regulatory agency to expand efforts that would allow drivers and hosts to also be paid in company shares. Exactly how this would work in practice remains unclear.

The move comes nearly three months after the SEC asked for public comment in a proposed revision to “Rule 701,” which currently requires that anyone paid in stock be an investor or an employee. Those directly involved in the “gig” or “sharing” economies are generally not considered to be employees and so, for now, are ineligible for this arrangement.

In fact, Uber told the SEC that it prefers the term “entrepreneurial economy”—odd, given that Uber drivers have no ability to set their own price. Uber also refers to its drivers as “driver partners,” suggesting that those behind the wheel have more power than they do in actuality.


Source: Ars Technica – Tech firms to SEC: We want the option to pay non-employee workers in equity

The 2019 Volvo S60 is Swedish style at a surprisingly good price

Jonathan Gitlin

They say the sedan is dead and that the public only wants crossovers and SUVs now. If true, that’s really too bad, because I think we’re in something of a golden era for the four-door. At the cheaper end of the market, you can’t beat the new Honda Accord. Increase the MSRP a little—cars starting in the mid 30s, say—and it’s hard to find a clear winner because we’re spoiled for choice. And now that choice is a little harder thanks to this: the new Volvo S60.

This is Volvo’s first American-made car, built at a new plant in Charleston, South Carolina. And it’s the latest car to use Volvo’s Scalable Product Architecture, the toolkit that also gave us the XC60 SUV, plus the bigger S90 sedan, V90 wagon, and XC90 SUV. We’ve been quite taken with each of the previous SPA Volvos we’ve tested; they’ve looked good, felt well screwed together, and the Sensus infotainment system is better than most. (If you follow those links you can read about all that in greater depth.) As a rule, I prefer smaller vehicles to larger ones and cars to SUVs, so the S60 (and the new V60 wagon, which you can read about tomorrow) have been the SPA cars I’ve been waiting for.


Source: Ars Technica – The 2019 Volvo S60 is Swedish style at a surprisingly good price

Paul Allen—Microsoft co-founder, Seahawks owner, and space pioneer—dies at 64

Paul Allen, who with Bill Gates founded Microsoft, has died at the age of 65. His death comes shortly after he resumed treatment for non-Hodgkin’s lymphoma; the cancer had returned after being in remission for nine years.

Allen was a Seattle native and went to high school with Gates. The two kept in touch at university—Allen at Washington State, Gates at Harvard—and when Allen dropped out in 1975 to start a company to develop software for the MITS Altair 8800, he soon convinced Gates to follow. That company was Micro-Soft, which shed its hyphen the following year. In 1980, Microsoft was chosen by IBM to develop DOS for its new PC. With the success of the PC and PC compatibles, Microsoft became hugely successful.

Allen had his first run-in with cancer in 1982, when he was diagnosed with Hodgkin’s lymphoma and drastically cut back his work at the company while recovering. He formally left Microsoft in 1983, but he retained his share of ownership and became a billionaire when the company went public in 1986.


Source: Ars Technica – Paul Allen—Microsoft co-founder, Seahawks owner, and space pioneer—dies at 64

Already facing an uphill misinformation fight, Facebook loses to scammers, too


Source: Ars Technica – Already facing an uphill misinformation fight, Facebook loses to scammers, too

Winamp set to release entirely new version next year

Computer monitor using Winamp. (credit: Keng Susumpow / Flickr)

Rejoice, llama-whipping fans, a new version of Winamp is set to be released in 2019, according to a Monday report by TechCrunch.

Alexandre Saboundjian, the CEO of Radionomy, said that the upgrade would bring a “complete listening experience.”

AudioValley, Radionomy’s parent company, did not immediately respond to Ars’ request for comment.


Source: Ars Technica – Winamp set to release entirely new version next year

The full Photoshop CC is coming to the iPad in 2019


Source: Ars Technica – The full Photoshop CC is coming to the iPad in 2019