The Model 3 will be entered into Pwn2Own this year, the first time a car has been included in the annual high-profile hacking contest. The prize for the winning security researchers: a Model 3. TechCrunch reports: Pwn2Own, which is in its 12th year and run by Trend Micro's Zero Day Initiative, is known as one of the industry's toughest hacking contests. ZDI has awarded more than $4 million over the lifetime of the program. Pwn2Own's spring vulnerability research competition, Pwn2Own Vancouver, will be held March 20 to 22 and will feature five categories, including web browsers, virtualization software, enterprise applications, server-side software and the new automotive category. The targets, chosen by ZDI, include software products from Apple, Google, Microsoft, Mozilla, Oracle and VMware. And, of course, Tesla . Pwn2Own is run in conjunction with the CanSec West conference. There will be "more than $900,000 worth of prizes available for attacks that subvert a variety of [the Model 3's] onboard systems," reports Ars Technica. "The biggest prize will be $250,000 for hacks that execute code on the car's getaway, autopilot, or VCSEC."

"A gateway is the central hub that interconnects the car's powertrain, chassis, and other components and processes the data they send. The autopilot is a driver assistant feature that helps control lane changing, parking, and other driving functions. Short for Vehicle Controller Secondary, VCSEC is responsible for security functions, including the alarm."

An anonymous reader quotes a report from MSPoweruser: Last year Microsoft released Windows Virtual Desktop, an Azure-based service that delivers a multi-user Windows 10 experience on any operating system. Now Scott Manchester, Group Manager for Microsoft's Remote Desktop Service, has shown off a new feature for the iOS version of the app which makes the client much more powerful on the iPad. Windows Virtual Desktop will soon support mice in the virtual environment. Unfortunately, only specific mice will be supported -- in the video the Swiftpoint GT and eventually Microsoft's own Bluetooth mice. The feature is said to becoming soon.

Linus Torvalds has announced the general availability of v4.20 of the Linux kernel. In a post to the Linux Kernel Mailing List, Torvalds said that there was no point in delaying the release of the latest stable version of the kernel just because so many people are taking a break for the holiday season. From a report: He says that while there are no known issues with the release, the shortlog is a little longer than he would have liked. However "nothing screams 'oh, that's scary'", he insists. The most notable features and changes in the new version includes: New hardware support! New hardware support includes bringing up the graphics for AMD Picasso and Raven 2 APUs, continued work on bringing up Vega 20, Intel has continued putting together its Icelake Gen 11 graphics support, there is support for the Hygon Dhyana CPUs out of China based upon AMD Zen, C-SKY 32-bit CPU support, Qualcomm Snapdragon 835 SoC enablement, Intel 2.5G Ethernet controller support for "Foxville", Creative Sound Blaster ZxR and AE-5 sound card support, and a lot of smaller additions.

Besides new hardware support when it comes to graphics processors, in the DRM driver space there is also VCN JPEG acceleration for Raven Ridge, GPUVM performance work resulting in some nice Vulkan gaming boosts, Intel DRM now has full PPGTT support for Haswell/IvyBridge/ValleyView, and HDMI 2.0 support for the NVIDIA/Nouveau driver. On the CPU front there are some early signs of AMD Zen 2 bring-up, nested virtualization now enabled by default for AMD/Intel CPUs, faster context switching for IBM POWER9, and various x86_64 optimizations. Fortunately the STIBP work for cross-hyperthread Spectre V2 mitigation was smoothed out over the release candidates that the performance there is all good now.

Btrfs performance improvements, new F2FS features, faster FUSE performance, and MDRAID improvements for RAID10 round out the file-system/storage work. One of the technical highlights of Linux 4.20 that will be built up moving forward is the PCIe peer-to-peer memory support for device-to-device memory copies over PCIe for use-cases like data going directly from NICs to SSD storage or between multiple GPUs.

What's new with Oracle's free and open-source hosted hypervisor? Long-time Slashdot reader Freshly Exhumed writes: Oracle has released major version 6.0 of VirtualBox with a variety of new features, including support for exporting a virtual machine to the Oracle Cloud; improved HiDPI and scaling (with better detection and per-machine configuration); a UI rework with simpler application and virtual machine set-up; a new file manager that allows control of the guest file system; a 3D graphics support update for Windows guests; VMSVGA 3D graphics device emulation on Linux and Solaris guests; surround speaker setups used by Windows 10 Build 1809; a new 'vboximg-mount' utility on Apple hosts to access the content of guest disks on the host; Hyper-V as the fallback execution core on Windows hosts to avoid inability to run VMs at reduced performance; and support for Linux Kernel 4.20 .

Microsoft has officially unveiled "Windows Sandbox," a feature that was expected to be unveiled next year. Windows Sandbox, the company says, creates "an isolated, temporary desktop environment" where users can run potentially suspicious software. From a report: Windows Sandbox is an isolated desktop environment which functions much like a virtual machine; any software installed to it is completely sandboxed from the host operating system. Aimed at businesses, enterprises and security-conscious home users, Windows Sandbox will be part of Windows 10 Pro and Windows 10 Enterprise. It is not clear exactly when the feature will debut, but it could make an appearance in Windows 10 19H1 next year.

The company touts the following features of Windows Sandbox in a detailed blog post introducing the new feature:
Part of Windows -- everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
Pristine -- every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
Disposable -- nothing persists on the device; everything is discarded after you close the application.
Secure -- uses hardware-based virtualization for kernel isolation, which relies on the Microsoft's hypervisor to run a separate kernel which isolates Windows Sandbox from the host.
Efficient -- uses integrated kernel scheduler, smart memory management, and virtual GPU.

An anonymous reader writes: Saturday the Perl Advent Calendar entered its 19th year by describing how the Wise Old Elf used a Calendar::List module from CPAN to update his Elven Perl Monger website with all the dates for 2019. ("It is a well known fact that all of Santa's Elves are enthusiastic Perl Developers in their free time, contributing regularly to many of the amazing Perl projects we've come to know and love...")

But meanwhile, the Perl 6 Advent Calendar was describing how Santa gets data into the North Pole's CRM by defining a grammar unit which can be parsed using a built-in method (to trim out children's signatures) -- only to be chastised by his IT elf for failing to document his solution using Perl 6's built in markup language.

And 24Ways.org is also presenting its 14th annual "advent calendar for web geeks," a nicely-formatted offering that promises "a daily dose of web design and development goodness to bring you all a little Christmas cheer."

Meanwhile, the Go language site Gopher Academy launched their 6th annual advent calendar, describing how to split data with content-defined chunking.

Jose Valim, creator of the Elixir programming language, has also announced the fourth annual "Advent of Code," an event created by Eric Wastl that features an ongoing story that presents "a series of small programming puzzles for a variety of skill sets and skill levels in any programming language you like." (The folks behind the Nim programming language are even organizing their own leaderboard at Nim-lang.org.)

And even QEMU, a free and open-source emulator performing hardware virtualization, is getting into the act with a QEMU advent calendar offering "an amazing QEMU disk image" each day through December 24th.
Feel free to leave a comment with your own reactions -- or with the URL for your own favorite online geek advent calendars...

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.
Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."

The 45th version of the OpenBSD project has been released, bringing more hardware support (Radeon driver updates, Intel microcode integration, and more), a virtualization tool that supports the disk format qcow2, and a network interface where you can quickly join and switch between different Wi-Fi networks.

Root.cz also notes that audio recording is now disabled by default. If you need to record audio, it can be enabled with the new sysctl variable. An anonymous Slashdot reader first shared the announcement. You can download it from any of the mirrors here.

"Linux runs the world, right? So we want to make sure that things are secure," says Linux kernel maintainer Greg Kroah-Hartman. When asked in a new video interview which bug makes them most angry, he first replies "the whole Spectre/Meltdown problem. What made us so mad, in a way, is we were fixing a bug in somebody else's layer!" One also interesting thing about the whole Spectre/Meltdown is the complexity of that black box of a CPU is much much larger than it used to be. Right? Because they're doing -- in order to eke out all the performance and all the new things like that, you have to do extra-special tricks and things like that. And they have been, and sometimes those tricks come back to bite you in the butt. And they have, in this case. So we have to work around that.
But a companion article on Linux.com notes that "Intel has changed its approach in light of these events. 'They are reworking on how they approach security bugs and how they work with the community because they know they did it wrong,' Kroah-Hartman said." (And the article adds that "for those who want to build a career in kernel space, security is a good place to get started...")

Kroah-Hartman points out in the video interview that "we're doing more and more testing, more and more builds," noting "This infrastructure we have is catching things at an earlier stage -- because it's there -- which is awesome to see." But security issues can persist thanks to outside vendors beyond their control. Linux.com reports: Hardening the kernel is not enough, vendors have to enable the new features and take advantage of them. That's not happening. Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it. However, Kroah-Hartman has observed that, aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable. "People need to enable this stuff," he said.

"I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel," he said. "I'm working through the whole supply chain trying to solve that problem because it's a tough problem. There are many different groups involved -- the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people."
"The good news," according to Linux.com, "is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It's effortless to update and reboot with no downtime."

An anonymous reader quotes a report from ZDNet: On Sept. 24, Microsoft announced what it's calling the Windows Virtual Desktop (WMD). WVD will allow users to virtualize Windows 7 and 10, Office 365 ProPlus apps and other third-party applications by running them remotely in Azure virtual machines. Using WMD, customers will be able to provide remote desktop sessions with multiple users logged into the same Windows 10 or Windows Server virtual machine. They also can opt to virtualize the full desktop or individual Microsoft Store and/or line-of-business applications. The WMD service also supports full VDI with Windows 10 and Windows 7, Microsoft officials told Ars Technica. (Those wanting to virtualize Windows 7 after Microsoft support ends in January 2020 will be able to do so for three years without paying for Extended Security Updates.)

Licenses for WVD will be provided for no additional cost as part of Windows Enterprise and Education E3 and E5 subscriptions. The aforementioned Windows 10 Enterprise for Virtual Desktops edition won't be released as a separate version of Windows 10 at all. That name is just for licensing purposes, officials said. Microsoft officials said a public preview of WVD will be available later this year, and those interested can request notification of the preview's availability. To use WVD, users need an Azure subscription and will be charged for the storage and compute their virtual machines use. Microsoft also plans to offer WVD via Microsoft Cloud Solution Providers and is working with third parties like Citrix to build on top of WVD, officials said.

Liam Tung reporting for ZDNet: Ubuntu maintainer Canonical and Microsoft have teamed up to release an optimized Ubuntu Desktop image that's available through Microsoft's Hyper-V gallery. The Ubuntu Desktop image should deliver a better experience when running it as a guest on a Windows 10 Pro host, according to Canonical. The optimized version is Ubuntu Desktop 18.04.1 LTS release, also known as Bionic Beaver. Microsoft's work with Canonical was prompted by its users who wanted a "first-class experience" on Linux virtual machines (VMs) as well as Windows VMs. To achieve this goal, Microsoft worked with the developers of XRDP, an open-source remote-desktop protocol (RDP) for Linux based on Microsoft's RDP for Windows. Thanks to that work, XRDP now supports Microsoft's Enhanced Session Mode, which allows Hyper-V to use the open-source implementation of RDP to connect to Linux VMs. This in turn gives Ubuntu VMs on Windows hosts a better mouse experience, an integrated clipboard, windows resizing, and shared folders for easier file transfers between host and guest. Microsoft's Hyper-V Quick Create VM setup wizard should also help improve the experience. "With the Hyper-V Quick Create feature added in the Windows 10 Fall Creators Update, we have partnered with Ubuntu and added a virtual machine image so in a few quick minutes, you'll be up and developing," said Clint Rutkas, a senior technical product manager on Microsoft's Windows Developer Team. "This is available now -- just type 'Hyper-V Quick Create' in your start menu."

An anonymous reader quotes a report from Bleeping Computer: A recent Windows 10 Insider Feedback Hub quest revealed that Microsoft is developing a new throwaway sandboxed desktop feature called "InPrivate Desktop." This feature will allow administrators to run untrusted executables in a secure sandbox without fear that it can make any changes to the operating system or system's files. This quest is no longer available in the Feedback Hub, but according to it's description, this feature is being targeted at Windows 10 Enterprise and requires at least 4 GB of RAM, 5 GB of free disk space, 2 CPU cores, and CPU virtualization enabled in the BIOS. It does not indicate if Hyper-V needs to be installed or not, but as the app requires admin privileges to install some features, it could be that Hyper-V will be enabled. "InPrivate Desktop (Preview) provides admins a way to launch a throwaway sandbox for secure, one-time execution of untrusted software," the Feedback Hub questions explains. "This is basically an in-box, speedy VM that is recycled when you close the app!"

Audiofan writes from a report via Audioholics, written by Gene DellaSala: Variety is said to be the spice of life. Why only eat cherry Starbursts when you can sample orange, watermelon, lemon, etc? The same applies to multi-channel surround sound upmixers. But the folks at Dolby apparently want you to eat only one flavor. Their flavor. Dolby recently issued a mandate to all of their Atmos licensee partners to restrict usage of third-party upmixers with any Dolby signals including 5.1/7.1 DD, DD+, TrueHD and Atmos. That means if you're running a DTS Soundbar, it won't process a Dolby signal, or no dice if you want to use the Auro-Matic Upmixer for a native Dolby signal. Is Dolby doing this to protect their IP or to monopolize consumer audio like they tried to do with their patented Atmos-enabled speaker? The copy of the mandate that was sent to all of Dolby's licensee partners has the following guidelines: Native Dolby Atmos content shall NOT be up-mixed, surround or height virtualized by any 3rd party competitor upmixer (ie. DTS or Auro-3D); Channel-Based DD/DD+, Dolby TrueHD 5.1 and 7.1 codecs shall not be height virtualized by any 3rd party upmixer (ie. DTS). (This implies height virtualization without height speakers. DTS has this capability but Auro-3D does not).

Audioholics notes the company will however "permit third party upmixing and/or surround virtualization of channel-based codecs that support Dolby Atmos rendering as long as the third party doesn't license their own upmixing technologies to third parties."

As for why Dolby is issuing this mandate to its licensees, it may come down to two reasons: control quality of content so that their upmixer is only used with their software; put an end to Auro-3D and strike a blow to DTS.

Shaun Nichols, reporting for The Register: A group of German researchers have devised a method to thwart the VM security in AMD's server chips. Dubbed SEVered (PDF), the attack would potentially allow an attacker, or malicious admin who had access to the hypervisor, the ability to bypass AMD's Secure Encrypted Virtualization (SEV) protections.

The problem, say Fraunhofer AISEC researchers Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel, is that SEV, which is designed to isolate VMs from the prying eyes of the hypervisor, doesn't fully isolate and encrypt the VM data within the physical memory itself.

On Tuesday Red Hat announced the general availability of Red Hat Enterprise Linux version 7.5. An anonymous reader writes: Serving as a consistent foundation for hybrid cloud environments, Red Hat Enterprise Linux 7.5 provides enhanced security and compliance controls, tools to reduce storage costs, and improved usability, as well as further integration with Microsoft Windows infrastructure both on-premise and in Microsoft Azure.

New features include a large combination of Ansible Automation with OpenSCAP, and LUKS-encrypted removable storage devices can be now automatically unlocked using NBDE. The Gnome shell has been re-based to version 3.26, the Kernel version is 3.10.0-862, and the kernel-alt packages include kernel version 4.14 with support for 64-bit ARM, IBM POWER9 (little endian), and IBM z Systems, while KVM virtualization is now supported on IBM POWER8/POWER9 systems.
See the detailed release notes here.

"Free/libre and 100% community backed version of XenServer," promises a new Kickstarter page, adding that "Our first prototype (and proof of concept) is already functional." Currently, XenServer is a turnkey virtualization platform, distributed as a distribution (based on CentOS). It comes with a feature rich toolstack, called XAPI. The vast majority of XenServer code is Open Source.

But since XenServer 7.3, Citrix removed a lot of features from it. The goal of XCP-ng is to make a fully community backed version of XenServer, without any feature restrictions. We also aim to create a real ecosystem, not depending on one company only. Simple equation: the more we are, the healthier is the environment.
The campaign reached its fundraising goal within a few hours, reports long-time Slashdot reader NoOnesMessiah, and within three days they'd already raised four times the needed amount and began unlocking their stretch goals.

c4231 quotes Ars Technica: While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools -- EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection -- could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

Qualcomm is now challenging rival Intel in the rapidly changing data center market. From a report: The company is now selling its long-awaited Centriq 2400 Arm-based server processor that is aimed at the fast-growing cloud market and that Qualcomm officials say beats Intel in such crucial areas as power efficiency and cost. Officials from Arm and its manufacturing partners have for several years talked about pushing the Arm architecture into the data center as an alternative to Intel, and some manufacturers like Cavium and Applied Micro in recent years have rolled out systems-on-a-chip (SoCs) based on the 64-bit Armv8-A design. However, Qualcomm represents the most significant Arm chip maker in terms of scale and resources to challenge Intel, which holds more than 90 percent of the global server chip market. Qualcomm's Centriq chips offer up to 48 single-threaded cores running up to 2.6GHz and are manufactured on Samsung's 10-nanometer FinFET process. The processors sport a bidirectional segmented ring bus with as much as 250G bps of aggregate bandwidth to avoid performance bottlenecks, 512KB of shared L2 cache for every two cores and 60MB of unified L3 cache. There also are six channels of DDR4 memory and support for up to 768GB of total DRAM with 32 PCIe Gen 3 lanes and six PCIe controllers. They also support Arm's TrustZone security technology and hypervisors for virtualization.

An anonymous reader writes from a report via BleepingComputer: Yesterday, Microsoft released new standards that consumers should follow in order to have a highly secure Windows 10 device. These standards include the type of hardware that should be included with Windows 10 systems and the minimum firmware features. The hardware standards are broken up into 6 categories, which are minimum specs for processor generation, processor architecture, virtualization, trusted platform modules (TPM), platform boot verification, and RAM. Similarly, firmware features should support at least UEFI 2.4 or later, Secure Boot, Secure MOR 2 or later, and support the Windows UEFI Firmware Capsule Update specification.

You asked, he answered!

For Slashdot's 20th anniversary -- and the 23rd anniversary of the first release of Red Hat Linux -- here's a special treat.

Red Hat CEO Jim Whitehurst has responded to questions submitted by Slashdot readers. Read on for his answers...