News

3651 Articles

This Week In Security: Three Billion SS Numbers, IPv6 RCE, And Ring -2

August 16, 2024 by 3 Comments

You may have heard about a very large data breach, exposing the Social Security numbers of three billion individuals. Now hang on. Social Security numbers are a particularly American data point, and last time we checked there were quite a few Americans shy of even a half of a billion’s worth. As [Troy Hunt] points out, there are several things about this story that seem just a bit odd.

First up, the claim is that this is data grabbed from National Public Data, and there’s even a vague notice on their website about it. NPD is a legitimate business, grabbing data on as many people as possible, and providing services like background checks and credit checks. It’s not impossible that this company has records on virtually every citizen of the US, UK, and Canada. And while that’s far less than 2.9 billion people, it could feasibly add up to 2.9 billion records as was originally claimed.

The story gets strange as we consider the bits of data that have been released publicly, like a pair of files shared with [Troy] that have names, birthdays, addresses, phone numbers, and social security numbers. Those had a total of 2.69 billion records, with an average of 3 records for each ID number. That math is still just a little weird, since the US has to date only generated 450 million SSNs and change.

So far all we have are partial datasets, and claims on the Internet. The story is that there’s a grand total of 4 TB of data once uncompressed. The rest of the details are unclear, and it’s likely to take some time for the rest of the story to come out. Continue reading “This Week In Security: Three Billion SS Numbers, IPv6 RCE, And Ring -2”

Australia’s Controlled Loads Are In Hot Water

August 15, 2024 by 125 Comments

Australian grids have long run a two-tiered pricing scheme for electricity. In many jurisdictions, regular electricity was charged at a certain rate. Meanwhile, you could get cheaper electricity for certain applications if your home was set up with a “controlled load.” Typically, this involved high energy equipment like pool heaters or hot water heaters.

This scheme has long allowed Australians to save money while keeping their water piping-hot at the same time. However, the electrical grid has changed significantly in the last decade. These controlled loads are starting to look increasingly out of step with what the grid and the consumer needs. What is to be done?

Continue reading “Australia’s Controlled Loads Are In Hot Water”

The Long, Slow Demise Of DVD-RAM

August 13, 2024 by 35 Comments

While CDs were still fighting for market share against cassettes, and gaming consoles were just starting to switch over to CD from cartridge storage, optical media companies were already thinking ahead. Only two years after the introduction of the original PlayStation, the DVD Forum had introduced the DVD-RAM standard: 2.58 GB per side of a disc in a protective caddy. The killer feature? Essentially unlimited re-writeability. In a DVD drive that supports DVD-RAM, they act more like removable hard drive platters. You can even see hard sectors etched into the media at the time of manufacture, giving DVD-RAM its very recognizable pattern.

At the time, floppy drives were still popular, and CD-ROM drives were increasingly available pre-installed in new computers. Having what amounted to a hard drive platter with a total of 5 GB per disc should have been a killer feature for consumers. Magneto-optical drives were still very expensive, and by 1998 were only 1.3 GB in size. DVD-RAM had the same verify-after-write data integrity feature that magneto-optical drives were known for, but with larger capacity, and after the introduction of 4.7 GB size discs, no caddy was required.

Continue reading “The Long, Slow Demise Of DVD-RAM”

Prusa Picks Up The Pace With New MK4S Printer

August 12, 2024 by 28 Comments

One of the things you’re paying for when you buy a 3D printer from Prusa Research is, essentially, your next 3D printer. That’s because Prusa’s machines are designed to be upgraded and modified as time goes on. An upgrade kit is always released to allow each older printer to be converted into its successor, and while there’s occasionally been some debate about whether or not it’s the most cost-effective choice, at least it is a choice you have as an owner.

If you’ve got a Prusa MK4, you’ll soon get to make that decision for yourself. Announced earlier today, the new MK4S brings some notable changes to last year’s printer. The $99 upgrade is scheduled to be available by the end of the month for existing owners, but if you’ve been on the fence about joining Team Orange and Black, you can purchase the MK4S right now in both kit and assembled forms for the same price ($799 and $1,099 respectively) as the previous MK4.

Continue reading “Prusa Picks Up The Pace With New MK4S Printer”

A giemsa stained blood smear from a person with beta thalassemia (Credit: Dr Graham Beards, Wikimedia Commons)

Potential Cure For All Of England’s Beta Thalassemia Patients Within Reach

August 10, 2024 by 6 Comments

Beta thalassemia and sickle cell are two red blood cell disorders which both come with massive health implications and shortened lifespans, but at least for UK-based patients the former may soon be curable with a fairly new CRISPR-Cas9 gene therapy (Casgevy) via the UK’s National Health Service (NHS). Starting with the NHS in England, the therapy will be offered to the approximately 460 β thalassemia patients in that part of the UK at seven different NHS centers within the coming weeks.

We previously covered this therapy and the way that it might offer a one-time treatment to patients to definitely cure their blood disorder. In the case of β thalassemia this is done by turning off the defective adult hemoglobin (HbA) production and instead turning the fetal hemoglobin (HbF) production back on. After eradicating the bone marrow cells with the defective genes, the (externally CRISPR-Cas9 modified) stem cells are reintroduced as with a bone marrow transplant. Since this involves the patient’s own cells, no immune-system suppressing medication is necessary, and eventually the new cells should produce enough HbF to allow the patient to be considered cured.

So far in international trials over 90% of those treated in this manner were still symptom-free, raising the hope that this β thalassemia treatment is indeed a life-long cure.

Top image: A giemsa stained blood smear from a person with beta thalassemia. Note the lack of coloring. (Credit: Dr Graham Beards, Wikimedia Commons)

Video Game Preservation – Stop Killing Games!

August 10, 2024 by 60 Comments

It’s been an ongoing issue for years now. People who buy video games, especially physical copies, expect to be able to play that game at their leisure, no matter how old their console gets. This used to be a no-brainer: think about the SNES or Genesis/Mega Drive from the late 80s and early 90s. You can still buy one today and play the games without any issues. Not so with many modern, internet-connected games that rely on communication with servers the publishers own, whether or not the online features are necessary for gameplay. Stop Killing Games is a new initiative in the EU and worldwide to get enough valid petition signatures to force the issue to be brought up in parliaments all over the world, including the EU Parliament.

An increasing number of videogames are sold as goods, but designed to be completely unplayable for everyone as soon as support ends. The legality of this practice is untested worldwide, and many governments do not have clear laws regarding these actions. It is our goal to have authorities examine this behavior and hopefully end it, as it is an assault on both consumer rights and preservation of media.

StopKillingGames.com

Why now? Well, Ubisoft recently killed a popular videogame called The Crew by taking down the servers that support the game. Without these servers, the game is completely useless. France and many other European countries have strong consumer protection laws which, in theory, should prevent companies from pulling stunts like this, but this particular situation has never been tested in court. Besides this, the group are also petitioning governments around the world, including France (where Ubisoft is based), Germany, Canada, the UK, the US, Australia, and Brazil, and also options for anywhere else in the EU/world.

If you’re a gamer, and especially if you play video games which use online components, it’s definitely worth reading through their website. The FAQ section in particular answers a lot of questions. In any case, we wish them luck as the preservation of media is a very important topic!

[Thanks to Jori for the tip!]

This Week In Security: GhostWrite, Localhost, And More

August 9, 2024 by 5 Comments

You may have heard some scary news about RISC-V CPUs. There’s good news, and bad news, and the whole thing is a bit of a cautionary tale. GhostWrite is a devastating vulnerability in a pair of T-Head XuanTie RISC-V CPUs. There are also unexploitable crashes in another T-Head CPU and the QEMU soft core implementation. These findings come courtesy of a group of researchers at the CISPA Helmholtz Center for Information Security in Germany. They took at look at RISC-V cores, and asked the question, do any of these instructions do anything unexpected? The answer, obviously, was “yes”.

Undocumented instructions have been around just about as long as we’ve had Van Neumann architecture processors. The RISC-V ISA put a lampshade on that reality, and calls them “vendor specific custom ISA extensions”. The problem is that vendors are in a hurry, have limited resources, and deadlines wait for no one. So sometimes things make it out the door with problems. To find those problems, CISPA researchers put together a test framework is called RISCVuzz, and it’s all about running each instruction on multiple chips, and watching for oddball behavior. They found a couple of “halt-and-catch-fire” problems, but the real winner (loser) is GhostWrite.

Now, this isn’t a speculative attack like Meltdown or Spectre. It’s more accurate to say that it’s a memory mapping problem. Memory mapping helps the OS keep programs independent of each other by giving them a simplified memory layout, doing the mapping from each program to physical memory in the background. There are instructions that operate using these virtual addresses, and one such is vs128.v. That instruction is intended to manipulate vectors, and use virtual addressing. The problem is that it actually operates directly on physical memory addresses, even bypassing cache. That’s not only memory, but also includes hardware with memory mapped addresses, entirely bypassing the OS. This instruction is the keys to the kingdom. Continue reading “This Week In Security: GhostWrite, Localhost, And More”