Brief items
Security
Disabling Intel ME 11 via undocumented mode (Positive Technologies)
A team of Positive Technologies researchers describe the discovery of a mechanism that can disable Intel Management Engine (ME) 11 after hardware is initialized and the main processor starts. "Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) chip and a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer. The ability to execute third-party code on Intel ME would allow for a complete compromise of the platform. We see increasing interest in Intel ME internals from researchers all over the world. One of the reasons is the transition of this subsystem to new hardware (x86) and software (modified MINIX as an operating system). The x86 platform allows researchers to make use of the full power of binary code analysis tools. Previously, firmware analysis was difficult because earlier versions of ME were based on an ARCompact microcontroller with an unfamiliar set of instructions."
Security quotes of the week
In Shattered Trust: When Replacement Smartphone Components Attack [PDF], a paper presented by four Ben Gurion University researchers at the recent 2017 Usenix Workshop on Offensive Technologies, they demonstrate that they can add undetectable spying technology to replacement screens for as little as $10, and that once installed, these new screens would have near-total control over the device, able to harvest passwords, install apps, and send screenshots to the attacker. The screens could also exploit the device's main processor and interfere with OS-level operations.
Kernel development
Kernel release status
The current development kernel is 4.13-rc7, released on August 27. Linus said: "We had a few issues come up the past week, but nothing that is really impacting the release schedule. So here's rc7, and I still expect this to be the last rc, although the best-laid plans of mice and men.."
There are six known regressions in 4.13 as of the -rc7 release.
Stable updates: 4.12.9, 4.9.45, 4.4.84, and 3.18.67 were released on August 24, followed by 4.12.10, 4.9.46, 4.4.85, and 3.18.68 on August 30.
Distributions
SUSE reaffirms support for Btrfs
SUSE has let it be known that it plans to continue developing and supporting the Btrfs filesystem, regardless of what other distributors do. "If one of the rather small contributors to the btrfs filesystem announced to not support btrfs for production systems: should you wonder, whether SUSE, strongest contributor to btrfs today, would stop investing into btrfs? You probably shouldn’t. SUSE is committed to btrfs as the default filesystem for SUSE Linux Enterprise, and beyond."
Distribution quote of the week
Development
GnuPG 2.2.0 released
Version 2.2.0 of the GNU Privacy Guard is out; this is the beginning of a new long-term stable series. Changes in this release are mostly minor, but it does now install as gpg rather than gpg2, and it will automatically fetch keys from keyservers by default. "Note: this enables keyserver and Web Key Directory operators to notice when you intend to encrypt to a mail address without having the key locally. This new behaviour will eventually make key discovery much easier and mostly automatic."
Go 1.9 released
Version 1.9 of the Go language has been released. "The most important change to the language is the introduction of type aliases: a feature created to support gradual code repair." See the release notes for details.
Development quotes of the week
Miscellaneous
Patrick McHardy and copyright profiteering (Opensource.com)
Over at Opensource.com, Heather Meeker, a lawyer who specializes in open-source licensing, published a lengthy FAQ on the GPL enforcement efforts of netfilter developer Patrick McHardy. In it, Meeker looks at how much code McHardy has contributed, specifics of the German legal system that may make it attractive to copyright trolling (or profiteering), and steps that companies and others can take to oppose these kinds of efforts. "Copyright ownership in large projects such as the Linux kernel is complicated. It’s like a patchwork quilt. When developers contribute to the kernel, they don’t sign any contribution agreement or assignment of copyright. The GPL covers their contributions, and the recipient of a copy of the software gets a license, under GPL, directly from all the authors. (The kernel project uses a document called a Developer Certificate of Origin, which does not grant any copyright license.) The contributors’ individual rights exist side-by-side with rights in the project as a whole. So, an author like McHardy would generally own the copyright in the contributions he created, but not in the whole kernel."
Page editor: Jake Edge
