The latest threat has been dubbed “Meltdown and Spectre.” But what is it?
Well, we gave it a week for the facts to start percolating, and here's the lowdown:
Google's Project Zero revealed details last week of a vulnerability impacting Intel chips going all the way back to 1995, and confirmed rumours that it involved the use of speculative execution.
They also contradicted comments made by AMD, which had said it was not affected.
Google said, "These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them."
The flaws, dubbed “Meltdown and Spectre,” allow an attacker to read memory that should not be accessible. This allows a virtual machine to read the memory of the host machine, thereby gaining access to the memory of other VMs hosted on that machine.
Modern CPUs use speculative execution to increase performance. The concern, therefore, is that patching against the exploit will also hurt performance. Greatly.
While the response to Meltdown and Spectre hasn't been as smooth as originally hoped, vendors appear to have done a thorough job. Meltdown, though easier to exploit, is also easier to protect against: operating system updates appear successful and should do a solid job for the Intel, Apple, and future ARM chips that are susceptible to the attack.
Spectre, on the other hand, is going to be tricky. It doesn't have any clean, simple fix. Unlike the other attacks, there doesn't appear to be any way of implementing an operating system-level fix. Appropriate application-level fixes are in all likelihood going to require lots of manual effort by developers.
Longer term, it seems likely that Meltdown will recede into the distance—an annoyance, perhaps, but fully patched and protected against—while the rather more subtle Spectre is going to be with us for some time.
The best thing we can do for now is update our systems to get the latest OS patches, and watch as the story continues to unfold.
Sent to us by: Robbie Ferguson
Lithium-ion batteries in HP notebook computers and mobile workstations that are not customer replaceable are being recalled.
The recall involves certain lithium-ion batteries compatible with HP notebook computers and mobile workstations. The affected batteries were sold with the notebook computers and mobile workstations, and were also sold separately as replacement batteries.
Approximately 2,600 affected batteries were sold in Canada, 50,000 in the United States and 1,900 in Mexico. The recalled batteries were sold over a two-year period from December 2015 to December 2017 at various retail locations and online.
The problem is that the battery can overheat, posing a potential burn and fire hazard.
The company has not received any reports of incidents or injuries in Canada. In the United States, the company has received 8 reports of overheating batteries, and 1 report of injury. In Mexico, the company has received 1 report of battery overheating, and no reports of injuries.
This recall affects several models of HP ENVY, Pavilion, ZBook, x360, ProBook, and more, so make sure you review the HP Battery Recall web site to see if you're affected.
The product name can be found by utilizing the keyboard shortcut 'fn+Esc' or on the barcode label on the bottom of the notebook PC.
Sent to us by: Robbie Ferguson
The US Federal Trade Commission (FTC) has agreed to a settlement deal with a children's electronic toymaker that it accused of collecting kids' personal information and failing to properly secure that data.
The government watchdog said VTech will pay $650,000 and agree to a set of privacy and security requirements in order to settle charges that it violated both the Children's Online Privacy Protection Act (COPPA) and the FTC Act.
The settlement deal puts to bed allegations by the FTC that VTech broke the law with its operation of the following: Learning Lodge, Kid Connect, Planet VTech games, and educational websites for kids. Specifically, it settles the allegation that the company did not properly secure the information on millions of children and parents prior to the 2015 hack of its services and theft of customer data.
The breached Learning Lodge and Kid Connect services were said to have hosted around 2.25 million accounts that contained information on roughly three million kids. The accounts had things like the child's name, date of birth, and gender as well as the parent's name, physical address, email address, and security question answers.
The toymaker will be required to cut the FTC a $650,000 check—about 22 cents per affected child—to settle the case. VTech will also agree to a stricter set of compliance requirements, including regular third-party security audits to check whether it is properly storing and encrypting its collected information, and to make sure it is getting express consent from parents before it collects any personal information.
Sent to us by: Roy W. Nash
Toyota has partnered with a number of companies to form the “e-Palette Alliance,” a group intended to help guide its transformation as a mobility services company and to determine how it will make use of its new e-Palette vehicle platform.
e-Palette is a modular, driverless vehicle intended to suit a number of purposes all at once.
The initial group of companies includes Uber, Didi, Mazda, Amazon, and Pizza Hut. They will be working together to help guide the direction of Toyota’s concept vehicle, the e-Palette, and how it develops and supports the mobility services it offers to companies as a result. Toyota discussed this as a way to help build a “common platform” that all businesses and companies can use as a “plug-and-play” open platform for building out their own mobility services, which they can then offer to consumers.
For example, Amazon could use the vehicles for parcel deliveries, and Pizza Hut could use them for pizza deliveries.
The vision from Toyota is a vast one that would ultimately see its vehicles deployed as a fleet of flexible service vehicles that can switch from logistics, to delivery, to passenger travel, as part of a large, autonomous electric network.
Toyota plans to launch the e-Palette and the early results of its partnership with the Alliance at the Tokyo Olympics in 2021.
Sent to us by: Bekah Ferguson