Cisco Says It Won’t Fix Zero-Day RCE In End-of-Life VPN Routers

An anonymous reader quotes a report from BleepingComputer: Cisco advises owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched. The vulnerability is tracked as CVE-2022-20825 and has a CVSS severity rating of 9.8 out of 10.0. According to a Cisco security advisory, the flaw exists due to insufficient user input validation of incoming HTTP packets on the impacted devices. An attacker could exploit it by sending a specially crafted request to the web-based management interface, resulting in command execution with root-level privileges.

The vulnerability impacts four Small Business RV Series models, namely the RV110W Wireless-N VPN Firewall, the RV130 VPN Router, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router. This vulnerability only affects devices with the web-based remote management interface enabled on WAN connections. […] Cisco states that they will not be releasing a security update to address CVE-2022-20825 as the devices are no longer supported. Furthermore, there are no mitigations available other than to turn off remote management on the WAN interface, which should be done regardless for better overall security. Users are advised to apply the configuration changes until they migrate to Cisco Small Business RV132W, RV160, or RV160W Routers, which the vendor actively supports.

Read more of this story at Slashdot.

A New Vulnerability in Intel and AMD CPUs Lets Hackers Steal Encryption Keys

Microprocessors from Intel, AMD, and other companies contain a newly discovered weakness that remote attackers can exploit to obtain cryptographic keys and other secret data traveling through the hardware, researchers said on Tuesday. From a report: Hardware manufacturers have long known that hackers can extract secret cryptographic data from a chip by measuring the power it consumes while processing those values. Fortunately, the means for exploiting power-analysis attacks against microprocessors is limited because the threat actor has few viable ways to remotely measure power consumption while processing the secret material. Now, a team of researchers has figured out how to turn power-analysis attacks into a different class of side-channel exploit that’s considerably less demanding.

The team discovered that dynamic voltage and frequency scaling (DVFS) — a power and thermal management feature added to every modern CPU — allows attackers to deduce the changes in power consumption by monitoring the time it takes for a server to respond to specific carefully made queries. The discovery greatly reduces what’s required. With an understanding of how the DVFS feature works, power side-channel attacks become much simpler timing attacks that can be done remotely. The researchers have dubbed their attack Hertzbleed because it uses the insights into DVFS to expose — or bleed out — data that’s expected to remain private. The vulnerability is tracked as CVE-2022-24436 for Intel chips and CVE-2022-23823 for AMD CPUs. The researchers have already shown how the exploit technique they developed can be used to extract an encryption key from a server running SIKE, a cryptographic algorithm used to establish a secret key between two parties over an otherwise insecure communications channel.

How a Religious Sect Landed Google in a Lawsuit

A video producer claims he was fired after he complained that an obscure group based in the Sierra foothills dominated a business unit at Google. From a report: In a tiny town in the foothills of the Sierra Nevada, a religious organization called the Fellowship of Friends has established an elaborate, 1,200-acre compound full of art and ornate architecture. More than 200 miles away from the Fellowship’s base in Oregon House, Calif., the religious sect, which believes a higher consciousness can be achieved by embracing fine arts and culture, has also gained a foothold inside a business unit at Google. Even in Google’s freewheeling office culture, which encourages employees to speak their own minds and pursue their own projects, the Fellowship’s presence in the business unit was unusual. As many as 12 Fellowship members and close relatives worked for the Google Developer Studio, or GDS, which produces videos showcasing the company’s technologies, according to a lawsuit filed by Kevin Lloyd, a 34-year-old former Google video producer.

Many others staffed company events, working registration desks, taking photographs, playing music, providing massages and serving wine. For these events, Google regularly bought wine from an Oregon House winery owned by a member of the Fellowship, according to the lawsuit. Mr. Lloyd claimed he was fired last year because he complained about the influence of the religious sect. His suit also names Advanced Systems Group, or ASG, the company that sent Mr. Lloyd to Google as a contractor. Most of the Google Developer Studio joined the team through ASG as contractors, including many members of the Fellowship. The suit, which Mr. Lloyd filed in August in California Superior Court, accuses Google and ASG of violating a California employment law that protects workers against discrimination. It is in the discovery stage. The New York Times corroborated many of the lawsuit’s claims through interviews with eight current and former employees of the Google business unit and examinations of publicly available information and other documents. These included a membership roster for the Fellowship of Friends, Google spreadsheets detailing event budgets and photos taken at these events.

The Collapse of Complex Software

Nolan Lawson, writing in a blogpost: Anyone who’s worked in the tech industry for long enough, especially at larger organizations, has seen it before. A legacy system exists: it’s big, it’s complex, and no one fully understands how it works. Architects are brought in to “fix” the system. They might wheel out a big whiteboard showing a lot of boxes and arrows pointing at other boxes, and inevitably, their solution is… to add more boxes and arrows. Nobody can subtract from the system; everyone just adds. This might go on for several years. At some point, though, an organizational shakeup probably occurs — a merger, a reorg, the polite release of some senior executive to go focus on their painting hobby for a while. A new band of architects is brought in, and their solution to the “big diagram of boxes and arrows” problem is much simpler: draw a big red X through the whole thing. The old system is sunset or deprecated, the haggard veterans who worked on it either leave or are reshuffled to other projects, and a fresh-faced team is brought in to, blessedly, design a new system from scratch.

As disappointing as it may be for those of us who might aspire to write the kind of software that is timeless and enduring, you have to admit that this system works. For all its wastefulness, inefficiency, and pure mendacity (“The old code works fine!” “No wait, the old code is terrible!”), this is the model that has sustained a lot of software companies over the past few decades. Will this cycle go on forever, though? I’m not so sure. Right now, the software industry has been in a nearly two-decade economic boom (with some fits and starts), but the one sure thing in economics is that booms eventually turn to busts. During the boom, software companies can keep hiring new headcount to manage their existing software (i.e. more engineers to understand more boxes and arrows), but if their labor force is forced to contract, then that same system may become unmaintainable. A rapid and permanent reduction in complexity may be the only long-term solution.

One thing working in complexity’s favor, though, is that engineers like complexity. Admit it: as much as we complain about other people’s complexity, we love our own. We love sitting around and dreaming up new architectural diagrams that can comfortably sit inside our own heads — it’s only when these diagrams leave our heads, take shape in the real world, and outgrow the size of any one person’s head that the problems begin. It takes a lot of discipline to resist complexity, to say “no” to new boxes and arrows. To say, “No, we won’t solve that problem, because that will just introduce 10 new problems that we haven’t imagined yet.” Or to say, “Let’s go with a much simpler design, even if it seems amateurish, because at least we can understand it.” Or to just say, “Let’s do less instead of more.”

Why Chemists Can’t Quit Palladium

A retracted paper highlights chemistry’s history of trying to avoid the expensive, toxic — but necessary — catalyst. From a report: It’s hard to find a place on Earth untouched by palladium. The silvery-white metal is a key part of catalytic converters in the world’s 1.4 billion cars, which spew specks of palladium into the atmosphere. Mining and other sources add to this pollution. As a result, traces of palladium show up in some of the most remote spots on Earth, from Antarctica to the top of the Greenland ice sheet. Palladium is also practically indispensable for making drugs. That’s because catalysts with palladium atoms at their core have an unmatched ability to help stitch together carbon–carbon bonds. This kind of chemical reaction is key to building organic molecules, especially those used in medications.

“Every pharmaceutical we produce at some point or another has a palladium-catalysed step in it,” says Per-Ola Norrby, a pharmaceutical researcher at drug giant AstraZeneca in Gothenburg, Sweden. Palladium-catalysed reactions are so valuable that, in 2010, their discoverers shared a Nobel prize. But despite its versatility, chemists are trying to move away from palladium. The metal is more expensive than gold, and molecules that contain palladium can also be extremely toxic to humans and wildlife. Chemical manufacturers have to separate out all traces of palladium from their products and carefully dispose of the hazardous waste, which adds extra expense. Thomas Fuchb, a medicinal chemist at the life-sciences company Merck in Darmstadt, Germany, gives the example of a reaction to make 3 kilograms of a drug molecule for which the ingredients cost US$250,000. The palladium catalyst alone adds $100,000; purifying it out of the product another $30,000.

Finding less-toxic alternatives to the metal could help to reduce environmental harm from palladium waste and move the chemicals industry towards ‘greener’ reactions, says Tianning Diao, an organometallic chemist at New York University. Researchers hope to swap palladium for more common metals, such as iron and nickel, or invent metal-free catalysts that sidestep the issue altogether. Several times in the past two decades, researchers have reported finding palladium-free catalysts. But in what has become a recurring pattern for the field, each heralded discovery turned out to be a mistake.

Signs Are Not Enough To Save Beachgoers from Deadly Currents

Keeping people out of rip currents is more about reading human behavior than reading warning signs. From a report: Worldwide, rips cause hundreds of drownings and necessitate tens of thousands of rescues every year. In Australia, where 85 percent of the population lives within an hour’s drive of the coast, rips cause more fatalities than floods, cyclones, and shark attacks combined. In 1938, one of the country’s most popular beaches, Sydney’s Bondi Beach, was the site of an infamous rip-current tragedy: within minutes, roughly 200 swimmers were swept away by a rip, leaving 35 people unconscious and five dead. More often, however, rips take one life at a time, garnering little media attention. For many casual beach visitors, the toll of rip currents goes unnoticed. […] Although almost three-quarters of beach users said they knew what a rip current is, only 54 percent could correctly define it. In addition, only half of the people she surveyed remembered seeing either the warning signs or the colored flags denoting surf conditions that were posted on or near the main access point to each beach. An even smaller percentage could recall what color the flags had been — green for calm, yellow for moderate, or red for dangerous conditions. “I was genuinely shocked,” Locknick says.

[…] Part of the challenge of preventing rip-related drownings stems from the lack of a simple method to escape them. Rip currents form when waves pile water near the shoreline. The water then gushes back out to sea, taking the path of least resistance. It might flow along channels carved in between sandbars or next to solid structures, such as jetties or rocky headlands. These types of rips can stick around year after year. Others are more erratic, creating fleeting bursts of seaward-flowing water on smooth, open beaches. People often mislabel rip currents as undertows or rip tides. Rip currents are not caused by tides, however, and undertows are a different, weaker current, formed when water pushed onto the beach moves back offshore along the seabed. Some telltale signs of a rip include a streak of churned-up, sandy water or a dark, flat gap between breaking waves.

It’s not surprising that rip currents are often misunderstood by the public because, for decades, beach-safety experts also had an oversimplified perception of their mechanics. In some of the earliest research on rips in the mid-20th century, American scientists watched sticks, pieces of kelp, and volleyballs float out to sea and described lanes of flowing water extending more than 300 meters offshore. This work formed the basis for the popular view of rip currents as jets flowing perpendicular to the beach, shooting out past the surf. To escape the river of current, experts recommended that bathers swim parallel to the beach — a message once broadcast through education campaigns and warning signs in the United States and Australia. As it turns out, that approach may not always work.

Some Ads Play on Streaming Services Even When the TV Is Off, Study Finds

Many commercials continue to play on ad-supported streaming services after viewers turn off their television, new research shows, a problem that is causing an estimated waste of more than $1 billion a year for brands. From a report: The findings come as an ever-growing share of ad dollars is shifting from traditional TV to streaming platforms, a trend that is likely to accelerate now that industry giants Netflix and Walt Disney’s Disney+ have embraced the idea of offering an ad-supported version of their services. Some 17% of ads shown on televisions connected through a streaming device — including streaming boxes, dongles, sticks and gaming consoles — are playing while the TV is off, according to a study by WPP’s ad-buying giant GroupM and ad-measurement firm iSpot.tv.

That is because when a TV set is turned off, it doesn’t always send a signal to the streaming device connected to the TV through its HDMI port, GroupM said. As a result, the streaming device will continue playing the show and its ads unless users had exited or paused the streaming app they were watching before turning off their TV. Due to the nature of the problem, using a smart TV — on which streaming apps are loaded — makes it far less likely that ads would be shown while the TV is off, since in this instance the television and streaming device are just a single piece of hardware. GroupM said it found “virtually no incidence” of the issue on smart TV apps. The study, which included smart TVs and some hooked up with a streaming device, found that on average, between 8% and 10% of all streaming ads were shown while the TV was off.

Monkeypox Outbreak Poses ‘Real Risk’ To Public Health, WHO Official Says

The World Health Organization’s top official in Europe on Wednesday called for urgent action by the authorities and civic groups to control fast-rising cases of monkeypox that he said posed a real risk to public health. From a report: Europe has emerged as the epicenter of an outbreak of monkeypox, with more than 1,500 cases identified in 25 European countries, which account for 85 percent of global cases, the official, Dr. Hans Kluge, the W.H.O.’s director of its European region, said at a news conference. The W.H.O. will convene its emergency committee in Geneva next week, Dr. Kluge added, to determine if the outbreak constitutes a public health emergency of international concern, a formal declaration that calls for a coordinated response between countries.

“The magnitude of this outbreak poses a real risk,” Dr. Kluge said. “The longer the virus circulates, the more it will extend its reach, and the stronger the disease’s foothold will get in nonendemic countries.” Monkeypox is a viral infection endemic in West Africa, but it has now spread to 39 countries, including 32 that have no previous experience of it, the W.H.O. director, Dr. Tedros Adhanom Ghebreyesus, told reporters on Tuesday. Countries outside Africa and Europe that have identified cases of monkeypox include Australia, Brazil, Canada, Israel and the United States.
