WEEKLY NEWSLETTER 19 - 24 AUGUST, 2024
Hello and Welcome,
Meeting TODAY
2024/08/17 — 14:00-16:00 — August, Sat — Web Design
Join Zoom Meeting
https://us02web.zoom.us/j/86141133224
Meeting ID: 861 4113 3224
Passcode: WebDesign
Meeting This Week
2024/08/20 — 10:00-12:00 — August, Tue — Tuesday Group
Bring your Laptop along and we could set up a KVM demo with two or more computers [ — Ed. ]
Meetings Next Week
NO MEETINGS
Schedule of Current & Upcoming Meetings
First Tuesday 18:00-20:00 — Main Meeting
Third Tuesday 10:00-12:00 — Tuesday Group
Third Saturday 14:00-16:00 — Web Design
----------
Go to the official Sydney PC Calendar for this month's meeting details.
----------
ASCCA News:Tech News:
'Sinkclose' Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections
See the Wired article by ANDY GREENBERG | SECURITY | AUG 9, 2024 8:00 am.
*** WIRED requires you to SUBSCRIBE to read any of their articles [ Two or three articles FREE — Ed. ] ***
Old AMD Firmware Bug Discovered
Researchers warn that a bug in AMD's chips would allow attackers to root into some of the most privileged portions of a computer — and that it has persisted in the company's processors for decades.
SECURITY FLAWS IN your computer's firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. Rarely does that kind of vulnerability appear not in the firmware of any particular computer maker but in the chips found across hundreds of millions of PCs and servers. Now, security researchers have found one such flaw that has persisted in AMD processors for decades, and that would allow malware to burrow deep enough into a computer's memory that, in many cases, it may be easier to discard a machine than to disinfect it.
At the Defcon hacker conference tomorrow, Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, plan to present a vulnerability in AMD chips called Sinkclose. The flaw would allow hackers to run their code in one of the most privileged modes of an AMD processor, System Management Mode, designed to be reserved only for a specific, protected portion of its firmware. IOActive's researchers warn that it affects virtually all AMD chips dating back to 2006 or possibly earlier.
Nissim and Okupski note that exploiting the bug would require hackers to have already obtained relatively deep access to an AMD-based PC or server but that the Sinkclose flaw would allow them to plant their malicious code far deeper still. In fact, for any machine with one of the vulnerable AMD chips, the IOActive researchers warn that an attacker could infect the computer with malware known as a "bootkit" that evades antivirus tools and is potentially invisible to the operating system while offering a hacker full access to tamper with the machine and surveil its activity. For systems with specific faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot — which the researchers warn encompasses the large majority of the systems they tested — a malware infection installed via Sinkclose could be harder yet to detect or remediate, they say, surviving even a reinstallation of the operating system.
"Imagine nation-state hackers or whoever wants to persist on your system. Even if you wipe your drive clean, it will still be there," says Okupski. "It's going to be nearly undetectable and nearly unpatchable." Only opening a computer's case, connecting directly to a certain portion of its memory chips with a hardware-based programming tool known as SPI Flash programmer, and meticulously scouring the memory would allow the malware to be removed, Okupski says.
Nissim summarizes the worst-case scenario in more practical terms: "You basically have to throw your computer away."
In a statement shared with WIRED, AMD acknowledged IOActive's findings, thanked the researchers for their work, and noted that it has "released mitigation options for its AMD EPYC datacentre products and AMD Ryzen PC products, with mitigations for AMD embedded products coming soon." (In this case, the term "embedded" refers to AMD chips found in systems such as industrial devices and cars.) For its EPYC processors designed for use in datacentre servers, specifically, the company noted that it released patches earlier this year. AMD declined to answer questions in advance about how it intends to fix the Sinkclose vulnerability or for exactly which devices and when. It pointed to a complete list of affected products that can be found on its website's security bulletin page.
In a background statement to WIRED, AMD emphasized the difficulty of exploiting Sinkclose: To take advantage of the vulnerability, a hacker has to already possess access to a computer's kernel, the core of its operating system. AMD compares the Sinkhole technique to a method for accessing a bank's safe deposit boxes after bypassing its alarms, guards, and vault door.
Nissim and Okupski respond that while exploiting Sinkclose requires kernel-level access to a machine, such vulnerabilities are exposed in Windows and Linux practically every month. They argue that sophisticated state-sponsored hackers who might take advantage of Sinkclose likely already possess techniques for exploiting known or unknown vulnerabilities. "People have kernel exploits right now for all these systems," says Nissim. "They exist, and they're available for attackers. This is the next step."
...
Even if Sinkclose requires relatively deep access, the IOActive researchers warn that the far deeper level of control it offers means that potential targets shouldn't wait to implement any available fix. "If the foundation is broken," says Nissim, "then the security for the whole system is broken."
Updated 9 am ET, 8/9/2024: Following the publication of this article, AMD updated its security bulletin page to include a list of chips affected by Sinkclose.
Science Week 10 — 18 August, 2024
PLAY LIVE RADIO: ABC RN
Hello All,
Natasha Mitchell here from the Big Ideas podcast.
When did you last see a truly dark sky at night? The Milky Way is no longer visible to about a third of the planet. The culprit? Light pollution.
This spells big trouble for creatures, culture, and science. But there are things we can all do to protect the darkness, and I don't just mean embracing your inner goth!
ABC Science is drumming up fab activities you can get involved in across National Science Week. Join us, walk out your door, and look up!
Night Sky LIVE
On 15 August at 8 pm, tune in for Night Sky LIVE on ABC RN and the ABC Listen app. I'll be joined by a live audience on the rooftop of ABC Melbourne, astronomy experts, amateur sky nerds, and YOU under your night sky.
Vote for your favourite night sky object
We want to hear about things that have filled you with awe and wonder. We'll collect your suggestions and votes to find Australia's most beloved night sky experience.
Look up and get snapping!
Snap a pic of the night sky and tag it with #ABCmyphoto. @ABCAustralia will compile the best night sky pictures from around the country. Get ready with these smartphone photography tips!
Can you see the Milky Way at night?
For many of us, it's vanishing — but this interactive article shows how simple changes can bring the stars back into view.
Are you looking for more great science stories?
Join Dr Ann Jones in The Secret Lives of Our Urban Birds — Perth, and while you're there, make sure to stream all your favourite science programs — for free — on ABC iView.
We can't wait to unpack the mysteries of the sky with you!
Natasha
Natasha Mitchell is the host and co-producer of the Big Ideas podcast on ABC Listen and radio show on ABC RN (Sunday–Thursday 8 pm). A multi-award-winning science journalist, Natasha was the founding host and producer of the ABC's blockbuster podcast All in the Mind, the Science Friction podcast, and ABC RN's daily Life Matters program. Big Ideas brings you big thinkers at the best live events by partnering with festivals, forums, and community and cultural institutions across Australia and the world. Tell us about your events!
Natasha Mitchell
Play ABC RN
Online Child Privacy Laws a Step Closer
See the InfoPackets article by John Lister on August 13, 2024 at 02:08 pm EDT.
[ IN THE USA: — Ed. ]
Two proposed laws to boost online privacy and security for children have received widespread backing in the Senate. Whether the measures will become law remains unclear.
The Kids Online Safety Act (KOSA) and the Children and Teen's Online Privacy Protection Act (COPPA 2.0) are laws. They've now been combined into a single package for administrative and voting purposes.
86 Senators agreed the Senate should consider the laws, while just one voted against them. That means they will go to a final approval vote after further discussion. (Source: ctmirror.org)
Greater Parental Controls
KOSA takes two main approaches. One is to make websites have a legal duty of care to mitigate specific risks to young users, such as online bullying, information about eating disorders, and exploitation.
The other is to require additional controls for children's accounts (including via parental settings). These include choosing stricter privacy settings, opting out of an algorithm's recommended content, and turning off "addictive features."
COPPA 2 is an update to an existing Federal Trade Commission (FTC) rule that says sites must obtain parental consent to collect personal data about under-13s. That's one reason many social networking sites don't allow pre-teen users.
The new law would extend this requirement to cover people under 17. It would also bar targeted advertising from being shown to those under 17. (Source: insideprivacy.com)
A Matter of Time
Opponents of the bills say the measures would breach free speech principles, though their authors insist they do not violate the First Amendment. As the vote numbers show, the bills have bipartisan support, and it appears this may carry over as and when the Senate approves them and sends them to the House of Representatives. The White House has also indicated that the President would be willing to sign the bills into law.
However, whether the bills get that far may be more about timing than political support. There's no guarantee they will get to a final House Vote before the end of the succession or that they will be reintroduced into a new post-election session when Congress's makeup and priorities may have changed.
What's Your Opinion?
Do you support either or both of the bills? Should this be a legal matter or left to parents to control? Would the laws be effective?
Comments — Parents need to parent. — Submitted by Draq on Tue, 13/08/2024 — 20:38.
Seriously, parents need to stop handing kids technology without teaching them how to use it properly. Sites and services should absolutely do what they can to minimize harm, but many of these issues could be lessened if parents took some responsibility for what their kids were doing online.
Fun Facts:
The Chinese Have Made Ultra Fast Charging Batteries, But There's a Problem
See the Msn.com article by Enrico Punsalang | Published on Friday, 9 August, 2024.
BYD Blade 2.0 battery © RideApart.com
Can they be charged in 10 minutes? Sure. Will you be able to experience it? Maybe not.
Over the past few years, the issue of range anxiety surrounding electric vehicles has dramatically diminished. Nearly everywhere you look, there's an EV charging station for EV drivers and riders to use.
These days, it's all about juicing up batteries quickly. We've seen tons of innovations in battery technology championing ultra-fast charging times, with some dipping well below 15 minutes. Of course, it comes as no surprise that fast-charging tech innovations arise from some of the world's biggest battery manufacturers.
This is precisely what's happening with two of the world's biggest battery makers, BYD and CATL.
Each company has announced its own new fast-charging EV battery that can be fully charged in just 10 minutes. While other battery makers offer similar charge times, they usually charge up to just 80 per cent. But BYD and CATL promise to one-up the competition with zero to 100 per cent charge times in just 10 minutes.
Lithium Fires are Hard to Put Out
CATL
CATL Qilin 2.0 Battery
More specifically, CATL will manufacture 6C-capable Qilin 2.0 batteries by the end of 2024. Meanwhile, BYD's Blade 2.0 batteries will debut anytime now, with the company stating they'll roll out in the second half of 2024.
Pretty cool. Well, on paper, sure. But in real life, not so much.
You see, all these ultra-fast-charging batteries come with a catch, and it's quite a big catch. They require super-fast chargers that dispense over 650 kilowatts of juice in order to charge within the claimed 10-minute timeframe.
Where the heck are you going to get a charger that quick?
In the US, even Tesla's newest, fanciest fast chargers have an output of just 250 kilowatts — still quite a lot, but not even half the required output to charge BYD or CATL batteries in the claimed 10 minutes. Even in China, the home country of both BYD and CATL, 650-kilowatt chargers are hardly accessible to the general public, with most fast chargers rated at just 120 kilowatts.
So, we're looking at a more realistic charge time of about half an hour, which isn't bad. But if we look at things strictly from a time perspective, 30 minutes sounds more like a lunch stop than the claimed 10 minutes, which is akin to a quick coffee break or a really long bathroom break.
With all that being said, it isn't a question of whether or not a battery can be charged ultra-quickly. The numbers don't lie, and the science nerds behind the scenes have proven it can be done. It's just that this level of technology isn't accessible to us mere mortals.
At least not yet.
Meeting Location & Disclaimer
Bob Backstrom
~ Newsletter Editor ~
Information for Members and Visitors:
Link to — Sydney PC & Technology User Group
All Meetings, unless explicitly stated above, are held on the
1st Floor, Sydney Mechanics' School of Arts, 280 Pitt Street, Sydney.
Sydney PC & Technology User Group's FREE Newsletter — Subscribe — Unsubscribe
Go to Sydney PC & Technology User Group's — Events Calendar
Are you changing your email address? Would you please email your new address to — newsletter.sydneypc@gmail.com?
Disclaimer: We provide this Newsletter "As Is" without warranty of any kind.
The reader assumes the entire risk of accuracy and subsequent use of its contents.