CrossTalk is a new side-channel attack, disclosed this week by researchers at VU Amsterdam (Intel's advisory calls it Special Register Buffer Data Sampling, SRBDS), that can leak data from an internal CPU buffer. It's the same story we've heard before: bits of internal CPU state can be inferred by other processes. What is different this time is that the leak crosses CPU cores. Only a few instructions are affected, those whose results pass through that buffer, such as RDRAND, RDSEED, and EGETKEY. Those particular instructions matter: RDRAND and RDSEED are the hardware random-number source used by OpenSSL and other libraries, and EGETKEY is how an Intel SGX enclave derives its sealing keys, so a leaked result can hand an attacker another process's random numbers or an enclave's key material.
What's happening here is that a "special register buffer" (a staging buffer) is shared between all the cores on a CPU, and is used only for a few off-core operations like those instructions. Its stale contents can be sampled with the existing MDS-class data-sampling attacks, MFBDS (ZombieLoad) and TAA, and because the buffer is shared, the sampling core need not be the one that executed the instruction. The mitigation is rather extreme. Updated microcode serializes the affected instructions: it takes a lock, which stalls memory accesses from the other cores, until the instruction completes and the buffer has been overwritten. The performance hit can be intense on workloads that call RDRAND heavily. Linux reports the state in /sys/devices/system/cpu/vulnerabilities/srbds and accepts a srbds=off boot parameter for those who would rather have the speed back.
And in other side-channel news, the Linux kernel just received a few fixes. The first covers cases where speculative-execution mitigations are reported as enabled but are not actually active. The second bug was a case of performance optimization gone awry: a local process could set a couple of speculation-control flags in a combination the fast path did not handle, and was given a pass, dropping the Speculative Store Bypass protection and allowing a Spectre v4 attack. And finally, a process that had had indirect-branch speculation force-disabled could re-enable it, while the kernel still reported it as disabled. These bugs were announced publicly, and are in the process of being fixed.
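A practitioner-side check for the two items above, as an added example (not code from the article or from the kernel): a C program that reads the kernel's per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities/ (srbds is the entry for CrossTalk) and then asks, through prctl(PR_GET_SPECULATION_CTRL), what this process's own Speculative Store Bypass and indirect-branch state is. That prctl interface is the one the Linux fixes above concern, so it is the place to confirm a "force-disabled" state really is what the kernel thinks it is. The constants are copied from linux/prctl.h under local names so the file builds without that header; off Linux the prctl query simply reports an error.

```c
/* Added example, not code from the article or the kernel: report the kernel's
 * speculation-mitigation state from user space on Linux.
 * Build and run: cc -Wall -o specstate specstate.c && ./specstate
 */
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Values copied from <linux/prctl.h>, renamed so the file builds anywhere. */
#define SPEC_GET_CTRL        52   /* PR_GET_SPECULATION_CTRL */
#define SPEC_STORE_BYPASS     0   /* PR_SPEC_STORE_BYPASS: Spectre v4 / SSB */
#define SPEC_INDIRECT_BRANCH  1   /* PR_SPEC_INDIRECT_BRANCH: Spectre v2 / STIBP */
#define SPEC_NOT_AFFECTED     0
#define SPEC_PRCTL            1   /* mitigation is controllable per task */
#define SPEC_ENABLE           2   /* speculation enabled  = mitigation OFF */
#define SPEC_DISABLE          4   /* speculation disabled = mitigation ON  */
#define SPEC_FORCE_DISABLE    8   /* disabled and cannot be re-enabled     */
#define SPEC_DISABLE_NOEXEC  16   /* disabled until the next execve        */

enum sysfs_state { STATE_NOT_AFFECTED, STATE_MITIGATED, STATE_VULNERABLE, STATE_UNKNOWN };

/* Classify the one-line content of /sys/devices/system/cpu/vulnerabilities/<bug>. */
enum sysfs_state classify_vuln_line(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return STATE_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return STATE_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return STATE_VULNERABLE;
    return STATE_UNKNOWN;                       /* e.g. "Unknown: ..." */
}

/* Meaning of a PR_GET_SPECULATION_CTRL return value (mirrors the kernel's ssb_prctl_get). */
const char *spec_state_name(long v)
{
    if (v < 0)                    return "error (control not available)";
    if (v == SPEC_NOT_AFFECTED)   return "not affected";
    if (v & SPEC_FORCE_DISABLE)   return "force-disabled (cannot be re-enabled)";
    if (v & SPEC_DISABLE_NOEXEC)  return "disabled until execve";
    if (v & SPEC_DISABLE)         return "disabled (mitigation on)";
    if (v & SPEC_ENABLE)          return "enabled (mitigation off)";
    return "unrecognised";
}

/* Ask the kernel about this process; -1 where prctl is unavailable. */
long query_spec(int which)
{
#ifdef __linux__
    return prctl(SPEC_GET_CTRL, (unsigned long)which, 0UL, 0UL, 0UL);
#else
    (void)which;
    return -1;
#endif
}

static void show_sysfs(const char *bug)
{
    static const char *label[] = { "not affected", "mitigated", "VULNERABLE", "unknown" };
    char path[256], line[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", bug);
    FILE *f = fopen(path, "r");
    if (!f) { printf("%-18s (no sysfs entry: old kernel or not Linux)\n", bug); return; }
    if (!fgets(line, sizeof line, f)) line[0] = '\0';
    fclose(f);
    line[strcspn(line, "\n")] = '\0';
    printf("%-18s %-12s %s\n", bug, label[classify_vuln_line(line)], line);
}

int main(void)
{
    const char *bugs[] = { "srbds", "spectre_v2", "spec_store_bypass", "mds", "tsx_async_abort" };
    for (size_t i = 0; i < sizeof bugs / sizeof bugs[0]; i++)
        show_sysfs(bugs[i]);
    printf("this process: Spectre v4 (SSB)  = %s\n", spec_state_name(query_spec(SPEC_STORE_BYPASS)));
    printf("this process: indirect branches = %s\n", spec_state_name(query_spec(SPEC_INDIRECT_BRANCH)));
    return 0;
}
```

A process that wants the mitigation for itself regardless of the system default sets it with PR_SET_SPECULATION_CTRL (value 53) and PR_SPEC_FORCE_DISABLE, then re-reads with the query above; after the kernel fixes, that re-read is what an application should trust.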
A bit of a kerfuffle developed this week around the Brave browser. A Twitter user noticed something odd when visiting a few particular sites in Brave: typing binance.us into the address bar landed him on an affiliate link for that site. As you can imagine, this behavior from a browser that sells itself as privacy-focused wasn't exactly well received.
So when you are using the @brave browser and type in “binance[.]us” you end up getting redirected to “binance[.]us/en?ref=35089877” – I see what you did there mates 😂
— Cryptonator1337 (@cryptonator1337) June 6, 2020
What's going on here? The first detail to note is that the affiliate link came from address-bar autofill, not from a redirect: the site itself was never contacted until the user hit enter. Brave's official response clears up the rest. Brave has an option, on by default, to show "Brave suggested sites" in the autofill list. These are sponsored entries, each carrying a global referral code baked into the link. According to the official response, it was unintended for the sponsored suggestion to appear first in the list of autocompletes, where hitting enter selected it automatically. The fix on Brave's side was to stop autocompleting to the sponsored entry; the user-side fix is to turn the suggested-sites option off.
GnuTLS TLS 1.3 Compromise
A bug in GnuTLS was recently reported (CVE-2020-13777, affecting 3.6.4 through 3.6.13) where session resumption could be abused by a malicious server to launch a MitM attack against a TLS connection. Session resumption is built into the TLS 1.3 protocol, and is a way to skip most of a full TLS handshake, and in particular certificate authentication, when a client reconnects to a server it has spoken to before. At the end of the initial connection, the server sends an encrypted snapshot of the session's resumption secret: a session ticket. Because it's encrypted under a key only the server holds, the client can't extract anything from the ticket; it just stores the opaque blob. On reconnection, the client presents the ticket in its ClientHello instead of doing a fresh authenticated handshake, the server decrypts it, and the secret inside is used to resume the encrypted TLS connection. The client never asks for a certificate on that path: whoever can open the ticket is, by definition, the server.
It's a good scheme, so long as the session-ticket encryption key is secret and random. If a server fails to set a good key, the ticket is a parcel of secrets readable by anyone who knows that key. GnuTLS, up until a few days ago, was effectively using a key of all zeroes for TLS 1.3 tickets. It's an unfortunate mistake, and a dangerous one. When a client presents its ticket to a hostile server, that server decrypts it with the same zero key, recovers the resumption secret, and completes the handshake, and the client believes it's talking to the original server. The same key lets an eavesdropper who captured a TLS 1.2 session decrypt it after the fact. The fix is in GnuTLS 3.6.14; if you run GnuTLS-based servers, update and restart them so that fresh ticket keys are generated.
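The ticket mechanism described above, as an added example that is not GnuTLS code: a C model of issue-and-resume in which a server seals the resumption secret under its session-ticket encryption key (STEK) and a client later accepts any peer that can open the ticket and prove knowledge of the secret. The cipher inside is a deliberately tiny splitmix64-based keystream and tag standing in for AES-GCM (an assumption of the model, not something to use anywhere), and demo_key() returns constructed keys. It shows the point that matters: two servers with independent random keys cannot resume each other's tickets, but two servers that both default to an all-zero key can, which is exactly the impostor scenario, and it includes the sanity check that rejects an all-zero key before it is installed.

```c
/* Added example, not GnuTLS code: a model of TLS session-ticket resumption.
 * The "AEAD" below is a toy keystream+tag built on splitmix64, standing in for
 * AES-GCM purely so the model is self-contained. Do not use it as a cipher. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECRET_LEN 32

static uint64_t mix64(uint64_t z)               /* splitmix64 finaliser */
{
    z += 0x9e3779b97f4a7c15ULL;
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

static uint64_t fold(const uint8_t *p, size_t n, uint64_t seed)   /* toy PRF over bytes */
{
    uint64_t h = mix64(seed);
    for (size_t i = 0; i < n; i++) h = mix64(h ^ p[i]);
    return h;
}

struct ticket { uint8_t ct[SECRET_LEN]; uint64_t tag; };

static uint8_t keystream_byte(uint64_t k, size_t i)
{
    return (uint8_t)(mix64(k ^ (uint64_t)(i / 8)) >> (8 * (i % 8)));
}

/* Server side, end of the full handshake: seal the resumption secret under the STEK. */
void ticket_seal(const uint8_t *stek, const uint8_t *secret, struct ticket *t)
{
    uint64_t k = fold(stek, SECRET_LEN, 1);
    for (size_t i = 0; i < SECRET_LEN; i++) t->ct[i] = secret[i] ^ keystream_byte(k, i);
    t->tag = fold(t->ct, SECRET_LEN, k ^ 2);
}

/* Server side, on resumption: 1 and the secret if this STEK opens the ticket. */
int ticket_open(const uint8_t *stek, const struct ticket *t, uint8_t *secret_out)
{
    uint64_t k = fold(stek, SECRET_LEN, 1);
    if (fold(t->ct, SECRET_LEN, k ^ 2) != t->tag) return 0;   /* not our ticket */
    for (size_t i = 0; i < SECRET_LEN; i++) secret_out[i] = t->ct[i] ^ keystream_byte(k, i);
    return 1;
}

/* Client side. On resumption no certificate is checked: the client only verifies
 * that the peer proves knowledge of the secret inside the ticket (TLS 1.3 does
 * this through the PSK binder and Finished MACs). 1 = client accepts the peer. */
int client_resumes_with(const uint8_t *server_stek, const struct ticket *t, const uint8_t *client_secret)
{
    uint8_t server_view[SECRET_LEN];
    if (!ticket_open(server_stek, t, server_view)) return 0;   /* falls back to a full handshake */
    return fold(server_view, SECRET_LEN, 0xf1) == fold(client_secret, SECRET_LEN, 0xf1);
}

/* Sanity check before installing a key: an all-zero buffer is the failure mode
 * that bit GnuTLS. */
int stek_is_degenerate(const uint8_t *k, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= k[i];
    return acc == 0;
}

/* Constructed demo keys, not real key material: 0 = the real server, 1 = an
 * unrelated server with its own key, 2 = the all-zero key. */
const uint8_t *demo_key(int which)
{
    static uint8_t real[SECRET_LEN], other[SECRET_LEN], zero[SECRET_LEN];
    for (int i = 0; i < SECRET_LEN; i++) { real[i] = (uint8_t)(i * 7 + 3); other[i] = (uint8_t)(i * 13 + 1); }
    return which == 0 ? real : which == 1 ? other : zero;
}

/* Scenario: the server holding issuer_stek issues a ticket; the client later
 * presents it to a server holding peer_stek. 1 = the client accepts that peer. */
int impostor_accepted(const uint8_t *issuer_stek, const uint8_t *peer_stek)
{
    uint8_t secret[SECRET_LEN];
    for (int i = 0; i < SECRET_LEN; i++) secret[i] = (uint8_t)(0x40 + i);   /* constructed secret */
    struct ticket t;
    ticket_seal(issuer_stek, secret, &t);
    return client_resumes_with(peer_stek, &t, secret);
}

int main(void)
{
    printf("real server opens its own ticket        : %s\n", impostor_accepted(demo_key(0), demo_key(0)) ? "accepted" : "rejected");
    printf("unrelated server, its own random STEK   : %s\n", impostor_accepted(demo_key(0), demo_key(1)) ? "accepted" : "rejected");
    printf("both servers on the all-zero STEK (bug) : %s\n", impostor_accepted(demo_key(2), demo_key(2)) ? "ACCEPTED, MitM" : "rejected");
    printf("all-zero STEK caught by sanity check    : %s\n", stek_is_degenerate(demo_key(2), SECRET_LEN) ? "yes" : "no");
    return 0;
}
```

The third line of output is the whole bug in one sentence: the impostor never needed the real server's key, only the same wrong default. Rotating the STEK and checking it is non-degenerate at startup are the two server-side habits that keep resumption from becoming an authentication bypass.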
Smart Contract Malware
The cryptocurrency world is a growing target for malware. Case in point, a malicious contract that was recently discovered on the Ethereum blockchain. This particular contract is reminiscent of the attack on The DAO back in 2016.
The big selling point of Ethereum is the smart contract. It's a way to embed code into a blockchain, and automatically run that code when certain conditions are met. If we've learned anything from history like the International Obfuscated C Code Contest, it's that code isn't always what it seems.
In this case, the problem is a reentrancy vulnerability. When a contract sends ether to another contract, the receiving contract's fallback code runs as part of that transfer. If the vulnerable contract sends the funds before it updates the caller's balance, the receiver can call back into the vulnerable contract's withdraw function while its balance is still recorded as unspent, and keep extracting money until the contract is empty. The attack on a vulnerable contract like this one goes as follows: deposit at least 1 ETH, which grants the right to make a withdrawal; wait until others have invested in the same contract; then use the reentrancy to withdraw everyone's funds.
But hang on, this isn't just a vulnerable contract, it's a malicious one. The part of the contract that allows withdrawing money has a catch: only the creator of the contract is actually able to withdraw any funds. The whole thing is a honeypot. The contract appears to contain an exploitable vulnerability, but really it steals the 1 ether price of entry from anyone who shows up to drain it.
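The two behaviours described above, as an added example in C rather than Solidity (this is a simulation written for this page, not the malicious contract itself): a "contract" struct whose withdraw function sends ether by invoking a callback, which is where the EVM would run the receiver's fallback code. Three switches show the three cases from the text: the vulnerable ordering (pay, then zero the balance) lets an attacker's callback re-enter and drain the vault; the checks-effects-interactions ordering (zero the balance, then pay) stops it; and the honeypot's owner-only check means the attacker's deposit is simply kept. Account ids, amounts and the owner_drain function are assumptions of the simulation.

```c
/* Added example, not the contract from the article: a C simulation of the
 * reentrancy pattern and of the honeypot twist. Amounts are whole ether. */
#include <stdio.h>

#define ACCOUNTS 3
enum { OWNER = 0, ATTACKER = 1, VICTIM = 2 };

struct contract {
    unsigned credit[ACCOUNTS];  /* what the contract believes it owes each depositor */
    unsigned vault;             /* ether the contract actually holds */
    int      honeypot;          /* the twist from the article: only OWNER may withdraw */
    int      fixed;             /* 1 = checks-effects-interactions ordering */
};

/* Receiving ether hands control to the receiver: in the EVM that is the
 * receiver's fallback function; here it is a callback. */
typedef void (*on_receive_fn)(struct contract *c, int who, unsigned *wallet);

void deposit(struct contract *c, int who, unsigned amount)
{
    c->credit[who] += amount;
    c->vault += amount;
}

void withdraw(struct contract *c, int who, on_receive_fn cb, unsigned *wallet)
{
    unsigned amount = c->credit[who];
    if (amount == 0 || c->vault < amount) return;   /* checks */
    if (c->honeypot && who != OWNER) return;        /* the catch: non-owners never get paid */
    if (c->fixed) c->credit[who] = 0;               /* effects first (the fix) */
    c->vault -= amount;
    *wallet += amount;
    cb(c, who, wallet);                             /* interaction: receiver code runs here */
    if (!c->fixed) c->credit[who] = 0;              /* effects last: too late, credit was still live */
}

static void quiet_receive(struct contract *c, int who, unsigned *wallet)
{
    (void)c; (void)who; (void)wallet;               /* an honest receiver does nothing */
}

/* Attacker's fallback: while "receiving", call withdraw again. The vulnerable
 * contract has not yet zeroed the attacker's credit, so it pays again. The
 * recursion ends once the vault can no longer cover the credit. */
static void reentrant_receive(struct contract *c, int who, unsigned *wallet)
{
    withdraw(c, who, reentrant_receive, wallet);
}

/* Scenario from the text: attacker deposits 1 ETH, others deposit 2 ETH more,
 * attacker withdraws with the re-entering fallback. Returns the attacker's take. */
unsigned run_attack(int fixed, int honeypot)
{
    struct contract c = { {0}, 0, honeypot, fixed };
    unsigned attacker_wallet = 0;
    deposit(&c, ATTACKER, 1);
    deposit(&c, VICTIM, 2);
    withdraw(&c, ATTACKER, reentrant_receive, &attacker_wallet);
    return attacker_wallet;
}

/* The honeypot's real payout path (assumed for the simulation): the owner
 * empties the vault regardless of the credit ledger. */
unsigned owner_drain(struct contract *c, int who)
{
    if (!c->honeypot || who != OWNER) return 0;
    unsigned all = c->vault;
    c->vault = 0;
    return all;
}

/* What the honeypot's creator collects after one would-be attacker pays to play. */
unsigned honeypot_owner_take(void)
{
    struct contract c = { {0}, 0, 1, 0 };
    unsigned attacker_wallet = 0;
    deposit(&c, ATTACKER, 1);                                     /* the 1 ETH price of entry */
    withdraw(&c, ATTACKER, reentrant_receive, &attacker_wallet);  /* pays nothing */
    return owner_drain(&c, OWNER);
}

int main(void)
{
    struct contract honest = { {0}, 0, 0, 1 };
    unsigned victim_wallet = 0;
    deposit(&honest, VICTIM, 2);
    withdraw(&honest, VICTIM, quiet_receive, &victim_wallet);
    printf("honest withdrawal, fixed contract : victim gets %u\n", victim_wallet);
    printf("vulnerable contract, reentrancy   : attacker gets %u of 3\n", run_attack(0, 0));
    printf("fixed contract, reentrancy        : attacker gets %u of 3\n", run_attack(1, 0));
    printf("honeypot contract, reentrancy     : attacker gets %u, owner later takes %u\n",
           run_attack(0, 1), honeypot_owner_take());
    return 0;
}
```

Expected: the vulnerable contract pays the attacker all 3 ether, the fixed one pays only the attacker's own 1, and the honeypot pays 0 while its owner walks away with the deposit.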
This one is just fun. Microsoft doesn't consider it a real security threat, so it still works in Windows 10:
cmd.exe /c "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe"
What's the story here? With /c, cmd.exe first tries to resolve the quoted string as a path to something to run. The path normalizer treats "ping 127.0.0.1" as a directory name (spaces are legal in Windows paths), the first "../" steps back out of it, and the remaining "../" segments climb to the root of the drive, so the whole string resolves to \windows\system32\calc.exe, which cmd then runs. It's not a vulnerability per se, but it is easy to imagine it being abused. Picture a ping test that takes a host from user input and runs it with cmd /c. If the input isn't validated, this quirk runs an arbitrary executable, and it does so without any of the usual metacharacters (&, |, ;) that a naive injection filter looks for.
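The pattern described above, as an added example (not from the original article): a C program that contrasts the vulnerable habit of pasting a user-supplied host into a shell command line with a hardened version that validates the input as a strict IPv4 literal and, on POSIX systems, execs ping with an argument vector so no shell ever parses it. The IPv4-only validator is an assumption made for the example; a tool that must accept hostnames needs an equally strict allowlist, and on Windows the replacement for cmd /c is CreateProcess with a carefully quoted command line or the ICMP API, which this example leaves unimplemented.

```c
/* Added example, not from the article: vulnerable vs. hardened "ping this host".
 * Build (POSIX): cc -Wall -o pingcheck pingcheck.c && ./pingcheck 127.0.0.1 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#ifndef _WIN32
#include <unistd.h>
#include <sys/wait.h>
#endif

/* Strict IPv4 dotted quad: exactly four decimal octets 0-255 and nothing else.
 * Slashes, spaces, '&', '|', extra dots and the cmd.exe path trick all fail. */
int is_ipv4_literal(const char *s)
{
    int octets = 0;
    while (*s) {
        if (!isdigit((unsigned char)*s)) return 0;
        int val = 0, digits = 0;
        while (isdigit((unsigned char)*s)) {
            val = val * 10 + (*s - '0');
            if (++digits > 3 || val > 255) return 0;
            s++;
        }
        octets++;
        if (*s == '.') { s++; if (!*s) return 0; }   /* reject a trailing dot */
        else if (*s) return 0;                        /* any other character */
    }
    return octets == 4;
}

/* VULNERABLE shape: the host is pasted into a shell command line, so every quirk
 * of that shell's parser (the cmd.exe path trick above, or "&&", "|", "$(...)"
 * elsewhere) belongs to the attacker. Built and returned for inspection only;
 * never pass the result to system(). */
const char *build_vulnerable_command(const char *host, char *out, size_t n)
{
#ifdef _WIN32
    snprintf(out, n, "cmd.exe /c \"ping %s\"", host);
#else
    snprintf(out, n, "sh -c \"ping -c 1 %s\"", host);
#endif
    return out;
}

/* HARDENED: validate, then exec ping directly with an argv so the host is one
 * argument and no shell reinterprets it. Returns -1 for invalid input, -2 if
 * the process could not be run, otherwise ping's exit status. */
int ping_safe(const char *host)
{
    if (!is_ipv4_literal(host))
        return -1;
#ifdef _WIN32
    return -2;   /* use CreateProcessW with explicit quoting, or IcmpSendEcho, not cmd.exe /c */
#else
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        char *const args[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", args);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
#endif
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1]
        : "127.0.0.1/../../../../../../../../../../windows/system32/calc.exe";   /* payload from the text */
    char buf[512];
    printf("a shell would be handed: %s\n", build_vulnerable_command(host, buf, sizeof buf));
    printf("validator says         : %s\n", is_ipv4_literal(host) ? "ok" : "rejected");
    if (is_ipv4_literal(host))
        printf("ping exit status       : %d\n", ping_safe(host));
    return 0;
}
```

Run with no argument to see the calc.exe payload rejected before any process is spawned; run with a real address to see the exec path. The lesson generalizes beyond this quirk: an allowlist validator plus an argument vector removes the shell from the trust boundary, whereas a denylist of metacharacters would have let this particular string straight through.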
Energy Harvesting with Bluetooth 5.0
Energy harvesting technology is likely to be a game-changer for countless industries, offering the potential to extend the battery life of connected devices indefinitely. So what is energy harvesting technology? Let's dive in and learn more.
Several energy harvesting methods are in use, including photovoltaic (solar), radio frequency (RF), mechanical (motion), and thermal, paired with a low-power radio implementation that supports the latest Bluetooth 5.0 standard. Energy harvesting enables certain applications to operate without a battery, or with a "forever battery" that automatically recharges for the life of an Internet of Things (IoT) device. In some instances, batteries aren't needed at all. Just imagine how many batteries would be kept out of landfills, not to mention the cost of purchasing and replacing them.
This article will look at five top industries – consumer electronics, smart cities, transportation, manufacturing, and fulfillment and entertainment – where energy harvesting technology promises to make a big impact over the next decade.
Consumer Electronics
Consider all of the different connected devices you have in your home. Many of them need recharging often, while others use batteries that need replacing anywhere from every few months to every few years. Now think about how nice it would be if your smartwatches, wearables, remotes, keyboards, and other connected devices ran for the entire lifetime of the device, with no more remotes dying right when you're watching the big game.
Smart Cities
During the past few years, there has been a lot of hype and excitement around smart city solutions like sensors that monitor temperature, humidity, air quality, the presence of gas, and so on. These metrics help companies run their facilities more efficiently and safely, and allow cities to make more informed decisions about mitigating quality-of-life issues. Today most of these sensors run on batteries, so it's no surprise that Bluetooth 5 sensors with energy harvesting will become increasingly popular. The cost savings will also let cities allocate funds to the things that need them most, like education and healthcare.
Transportation
Car accessories and infotainment devices are also prime targets for energy harvesting technology. Key fobs, for example, need their batteries changed every few years. While changing one every few years might not sound so bad, the prospect of a key fob dying and leaving you stranded makes energy harvesting sound a lot more appealing. And with over a billion cars on the road globally, reducing battery usage in these devices, with energy harvesting, Bluetooth 5 and other cutting-edge technologies, will make a huge difference.
Manufacturing and Fulfillment
Many manufacturing and fulfillment centers use asset trackers such as small beacons to help keep track of equipment and shipping goods. These asset trackers help streamline operations and ensure items don’t get lost, meaning that it’s essential that they work at all times. Using Bluetooth 5 asset trackers with energy harvesting technology is saving companies time and money by not having to replace batteries regularly, decreasing overall cost of ownership of these systems. In the future we’ll also see more facilities using robotics that have integrated energy harvesting capabilities.
Entertainment
Theme parks offer fun for the whole family, but navigating these big, crowded attractions can be stressful. Your smartphone's GPS is helpful on the road, but it's often little help inside an amusement park, and no help at all indoors. In the future, we'll see more theme parks adopt Bluetooth 5 location beacons to solve this problem. These beacons send signals to your smartphone, and when used with a theme park's dedicated app they give you more precise location information so you can focus on having fun. With some theme parks being as large as cities, many batteries are kept out of landfills, and the cost savings can be reinvested into exciting new attractions.
The examples above are just five of the many (and ever increasing) uses of Bluetooth 5 energy harvesting solutions, and show how they benefit the environment while also saving companies time and money. The market will continue to witness the power of energy harvesting now and into the future.
Prioritizing Artificial Intelligence and Machine Learning in a Pandemic
Artificial Intelligence (AI) and Machine Learning (ML) give companies the one thing humans can't: scalability. Over time, humans limit a business's ability to scale; they can only work so many hours at a given efficiency. AI and ML, on the other hand, can work around the clock, focused solely on a given task. As organizations navigate COVID-19's impact and the future of a remote workforce, scalability and efficiency can be the key to a successful recovery.
The benefits of AI and ML don't come without their own challenges; the biggest are a lack of skills and of time for proper implementation. In a July survey, Deloitte found that 69% of respondents rated the skills gap for AI implementation as moderate, major, or extreme. At the same time, many companies underestimate the investment it takes to build the processes and infrastructure needed for training, testing, deploying, and maintaining AI and ML in their enterprise.
Such challenges often cause companies to de-prioritize AI and ML projects, especially in times of uncertainty, and that has been increasingly obvious throughout the COVID-19 pandemic. But while some organizations have pulled back on their efforts, the current global situation makes AI and ML more necessary, not less, for supporting critical business processes. This is especially true given the growing remote workforce, the considerations around returning to the workplace, and work happening in silos worldwide.
Though challenging, it is not impossible to properly implement AI and ML. In this evolving COVID-influenced business landscape, four steps are key to effectively implementing a strong AI and ML system that helps streamline critical business processes despite uncertainty and limited resources.
Identify the Problem to Be Solved
Some companies mistakenly view AI and ML projects as a ‘silver bullet’ to solve all their problems. This often results in overinflated expectations, an unfocused approach, and unsatisfactory results. Instead, companies should identify those specific problems that will have the biggest impact from implementing AI and ML solutions and be hyper-focused on solving those problems.
Select Your Data
The second step in creating a strong AI and ML algorithm is to select the source data that your algorithm will be training on. There are two main options: training on your own data or training on a larger scale data set. Based on experience, training your algorithm on your own data puts you at a disadvantage. By training on a larger scale data set, the likelihood of success increases because your data is more representative and varied. Through advanced concepts such as transfer learning, companies can use semi-trained models based on larger data sets and then train the “last mile” using their own specific content unique to their business.
The standing rules of data management apply here: garbage in, garbage out. Ultimately, the quality and accuracy of a machine learning model depend on its training data being representative. AI and ML, fed with the right data, can streamline operations and increase the benefit of companies' digital transformation (DX) and cloud migration journeys.
Clean Your Data
When you're kicking off an AI or ML project, the most critical step is to clean up the data that your algorithm will be training on, especially if you're using your own data or models.
Make Room for Training
AI and ML are all about probability. When you ask a model a question, for example "Is this a cat?", the result you receive is the algorithm saying, "Out of the three buckets I was trained on, the likelihood of this image being a cat is .91, the likelihood of it being a dog is .72, and the likelihood of it being a bird is .32."
This is why training on varied data is so important. If your training data only includes images of cats, dogs, and birds and you ask the algorithm to analyze the picture of a crocodile, it will only respond based on the buckets it’s been trained on – cats, dogs, and birds.
If you’ve properly selected and cleaned your data, training should be an easy last step, but it’s also an opportunity to go back to the first two steps and further refine based on your training.
The front end of training an AI and ML algorithm can be time-intensive, but following these four steps can make it easier to achieve significant outcomes. Across industries, AI and ML can quickly show ROI. For example, in the insurance industry, AI and ML can help insurers quickly search contracts, so employees aren’t sifting through contracts and repositories around the globe to answer simple questions. This means time efficiencies for an industry that COVID-19 has heavily impacted.
Even better, working with a SaaS provider with experience in your industry can make this process much easier and less costly. SaaS platforms allow companies to take advantage of having all of the infrastructure, security, and pre-trained models in place to reduce the overall effort and time to value. Many platforms allow users to uptrain the predefined models with unique customer data, reducing the training effort needed for model creation. Companies can then focus on integration with their ecosystem and workflows rather than model creation itself.
Overall, businesses can soften the impact of COVID by focusing on the bigger picture with AI and ML. Implementing AI and ML projects increases business productivity despite these times of uncertainty. As we continue on the road to recovery, we need tools like AI and ML to stay focused on the bigger picture and on mission-critical tasks.