Archive for January 12, 2018

#FAIL: Intel’s Meltdown And Spectre Fixes Have Bugs Of Their Own

Posted in Commentary with tags on January 12, 2018 by itnerd

There’s nothing worse for a guy in my line of work to find out that a fix that remedies a critical bug is itself buggy. Case in point is the fixes that Intel put out for Spectre and Meltdown. Apparently they have bugs that cause system reboots:

Intel said today it is investigating an issue with Broadwell and Haswell CPUs after customers reported higher system reboot rates when they installed firmware updates for fixing the Spectre flaw.

The hardware vendor said these systems are both home computers and data center servers.

“We are working quickly with these customers to understand, diagnose and address this reboot issue, “said Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel Corporation.

“If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue,” Shenoy added.

The Intel exec said users shouldn’t feel discouraged by these snags and continue to install updates from OS makers and OEMs.

Sure, right. this really inspires confidence. I say that because it suggests that Intel rushed these fixes out the door to mitigate not only the threat, but the PR disaster that is in progress. Of course if that’s true it is not good. My advice to Intel is to get to the bottom of this quickly and do whatever is required to get working patches on the street that have been fully QA’ed. Because if you don’t, you’ll look like Apple and their ability to QA their products.

Advertisements

Consumer Group Demands CRTC Investigate Telco Upselling

Posted in Commentary with tags , on January 12, 2018 by itnerd

The Public Interest Advocacy Centre has formally asked the CRTC to hold a public inquiry into aggressive telecom sales tactics, based on recent media reports like this one, this one and this one:

John Lawford, PIAC’s Executive Director and General Counsel signed the letter on behalf of PIAC, which reads in part: “The nature of these allegations is so serious that a formal inquiry into the entire industry’s sales practices is required.”

Lawford stated today that: “We are concerned that such aggressive and potentially misleading sales practices are endemic in retail Internet, wireless, subscription TV and wireline telephone markets, in particular in relation to bundles offered by the major providers. We are therefore calling on the CRTC to publicly inquire into these practices to restore consumer trust and to craft any necessary rules to prevent further harm to consumers.”

A copy of the letter is found here.

My $0.02 worth. Someone should investigate this. Be it the CRTC or Parliament. Clearly there is something wrong here where reports like these surface. Thus in the interests of Canadians, they need to be addressed and people who are perpetrating behavior like this need to be held to account. Thus, I will be very interested to see what the CRTC and others do with this request. If they do nothing, then it tells you all you need about those who regulate the telecommunications industry in Canada.

Flaw in Intel AMT Can Lead To Nearly Instant Pwnage By A Hacker

Posted in Commentary with tags on January 12, 2018 by itnerd

Here’s a new security issue for Intel to deal with that is really, really bad. F-Secure has discovered a security flaw in Intel’s Active Management Technology (AMT) can be used by attackers with physical access to get around authentication processes in seconds, effectively pwning the device. Here’s an overview of the security flaw:

The issue allows a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if the BIOS passwordTPM PinBitlocker and login credentials are in place. No, we’re not making this stuff up.

According to F-Secure, this issue affects most corporate laptops and PCs running Intel AMT. And for the record AMT has had other security issues in the past. Now the F-Secure post has recommendations to mitigate this. But the’re not exactly quick and easy for companies to implement. Thus this is a problem that is should rightfully get a lot of attention until a solution is found for it.

Clearly 2018 hasn’t been a good year for Intel, and we’re only 12 days into 2018.

Intel CEO Posts Open Letter And Says They’ll Do Better When It Comes To Security….. Right…..

Posted in Commentary with tags on January 12, 2018 by itnerd

Intel CEO Brian Krzanich has posted an open letterto Intel customers following the Meltdown and Spectre vulnerabilities that impact its processors. In it he says among other things, these three points:

1. Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.

2. Transparent and Timely Communications: As we roll out software and firmware patches, we are learning a great deal. We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique. We commit to provide frequent progress reports of patch progress, performance data and other information. These can be found at the Intel.com website.

3. Ongoing Security Assurance: Our customers’ security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.

The cynic in me is saying that this is an attempt to mitigate the public relations nightmare that is in progress. But basically saying “Trust us, we’ll do better next time” doesn’t cut it. Here’s what Intel customers really want to hear:

  1. How did this slip through the cracks and went undetected for so long?
  2. What is Intel doing to make sure that this scenario never happens again.

If they did that, then this statement would have meant something. They didn’t thus it’s PR fluff that means nothing.

Linksys Releases WRT32X & WRT3200ACM Firmware To Remedy Month Long Firmware Nightmare

Posted in Commentary with tags on January 12, 2018 by itnerd

If you’re an owner of a Linksys WRT32X or WRT3200ACM router, and you’ve been waiting for Linksys to release an updated firmware to address the connectivity issues that you’ve been dealing with for the last month or so, I’m pleased to say that this firmware has now been released. Here’s a quote from a post made by  Linksys Lucas who has been working with users on the Linksys Community on this issue:

Today I am happy to announce firmware to help resolve the issues that people have been running into with their WRT routers with networks that have Android devices on them.

I will keep the overall description short here, but this firmware incorporates a new WLAN driver that will help mitigate an issue that was discovered where Android devices coming in and out of sleep mode would crash the Wireless Network.

Both of these firmwares will eventually make their way to our update servers for regular download, however decided that a month of this issue is long enough for us to post this for all of you that have been following this in the community to download and use while we go through our final QA checks that are required before putting it on the update server. 

As of now I feel very comfortable with releasing these to everyone since we have had approximately 50 people actively Beta testing over the past week and a half or so.

The only thing that gives me cause to pause is that this firmware is still going through their QA checks. But I’ve watched the Linksys Community to see what those who have been testing the firmware for Linksys have been saying, and their feedback is positive enough for me to suggest that if you have either of these routers, that you install this firmware from the links below:

WRT3200ACM Firmware Download

WRT32X Firmware Download

One of the things that I committed to doing was to test this firmware when it appeared on my WRT32X and report back as to if it remedies the issues that users have faced. I will be doing that this weekend and I will have a report on this by Monday morning at the latest. But in the meantime, if you’ve got feedback about this firmware that you’d like to share, please leave a comment and share your feedback.