China

Apple's China iCloud Data Migration Sweeps Up International User Accounts (techcrunch.com) 45

Yesterday, it was reported that Apple's iCloud services in mainland China will be operated by a Chinese company from next month. What wasn't reported was the fact that Apple has included iCloud accounts that were opened in the U.S., are paid for using U.S. dollars and/or are connected to U.S.-based App Store accounts in the data that will be handled by local partner Guizhou-Cloud Big Data (GCBD) from February 28. TechCrunch reports: Apple has given China-based users the option to delete their data, but there is no opt out that allows them to have it stored elsewhere. That has concerned some users who are uneasy that the data migration is a sign of closer ties with the Chinese government, particularly since GCBD is owned by the Guizhou provincial government. When asked for comment, Apple pointed TechCrunch to its terms and conditions site which explains that it is migrating iCloud accounts based on their location: "The operation of iCloud services associated with Apple IDs that have China in their country or region setting will be subject to this transition. You will be notified of this transition via email and notifications on your devices. You don't need to take any further action and can keep using iCloud in China. After February 28, 2018, you will need to agree to the terms and conditions of iCloud operated by GCBD to keep using iCloud in China."

However, TechCrunch found instances of iCloud accounts registered overseas that were part of the migration. One user did find an apparent opt-out. That requires the user switching their iCloud account back to China, then signing out of all devices. They then switch their phone and iCloud settings to the U.S. and then, upon signing back into iCloud, their account will (seemingly) not be part of the migration. Opting out might be a wise-move, as onlookers voice concern that a government-owned company is directly involved in storing user data.

Intel

Researcher Finds Another Security Flaw In Intel Management Firmware (arstechnica.com) 87

An anonymous reader quotes a report from Ars Technica: Meltdown and Spectre are not the only security problems Intel is facing these days. Today, researchers at F-Secure have revealed another weakness in Intel's management firmware that could allow an attacker with brief physical access to PCs to gain persistent remote access to the system, thanks to weak security in Intel's Active Management Technology (AMT) firmware -- remote "out of band" device management technology installed on 100 million systems over the last decade, according to Intel. [T]he latest vulnerability -- discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post -- is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer -- even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords -- by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel's Management Engine BIOS Extension (MEBx).

If MEBx hasn't been configured by the user or by their organization's IT department, the attacker can log into the configuration settings using Intel's default password of "admin." The attacker can then change the password, enable remote access, and set the firmware to not give the computer's user an "opt-in" message at boot time. "Now the attacker can gain access to the system remotely," F-Secure's release noted, "as long as they're able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps)."

Android

Google Pulls 60 Apps From Play Store After Malware Exposes Kids To Porn (gizmodo.com) 49

Cyberthreat intelligence firm Check Point on Friday disclosed the existence of malicious code buried inside dozens of apps that displays pornographic images to users. Many of the apps are games reportedly geared toward young children. As a result, Google quickly removed the roughly 60 apps said to be affected from its Play Store. Gizmodo reports: While they appeared as such, the pornographic images displayed were not actually Google ads. Google supposedly maintains tight controls on all ads that appear in what it calls "Designed for Family" apps. The company also maintains a white-list of advertisers deemed safe for children under the ages of 13. None of the affected apps were part of Google's "Family Link" program, which is the category of recognized kid-friendly apps available across Google's platforms. The malware, dubbed AdultSwine, is said to have displayed the highly inappropriate images while also attempting to trick users into installing a fake-security app, or "scareware." After the fake "ads" were delivered, users would've received a "Remove Virus Now" notification, or something similar, designed to provoke users into downloading the scareware. The affected gaming apps included at least one which may have had up to 5,000,000 downloads -- Five Nights Survival Craft -- as well as many others which had between 50,000 and 500,000 downloads.
Bug

Intel's Chip Bug Fixes Have Bugs of Their Own (bleepingcomputer.com) 59

From a report: Intel said late Thursday it is investigating an issue with Broadwell and Haswell CPUs after customers reported higher system reboot rates when they installed firmware updates for fixing the Spectre flaw. The hardware vendor said these systems are both home computers and data center servers. "We are working quickly with these customers to understand, diagnose and address this reboot issue," said Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel Corporation. "If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue," Shenoy added. The Intel exec said users shouldn't feel discouraged by these snags and continue to install updates from OS makers and OEMs.
Security

Cisco Can Now Sniff Out Malware Inside Encrypted Traffic (theregister.co.uk) 97

Simon Sharwood, writing for The Register: Cisco has switched on latent features in its recent routers and switches, plus a cloud service, that together make it possible to detect the fingerprints of malware in encrypted traffic. Switchzilla has not made a dent in transport layer security (TLS) to make this possible. Instead, as we reported in July 2016, Cisco researchers found that malware leaves recognisable traces even in encrypted traffic. The company announced its intention to productise that research last year and this week exited trials to make the service -- now known as Encrypted Traffic Analytics (ETA) -- available to purchasers of its 4000 Series Integrated Service Routers, the 1000-series Aggregation Services Router and the model 1000V Cloud Services Router 1000V. Those devices can't do the job alone: users need to sign up for Cisco's StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic.
AMD

AMD Is Releasing Spectre Firmware Updates To Fix CPU Vulnerabilities (theverge.com) 74

An anonymous reader quotes a report from The Verge: AMD's initial response to the Meltdown and Spectre CPU flaws made it clear "there is a near zero risk to AMD processors." That zero risk doesn't mean zero impact, as we're starting to discover today. "We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat," says Mark Papermaster, AMD's chief technology officer. AMD is making firmware updates available for Ryzen and EPYC owners this week, and the company is planning to update older processors "over the coming weeks." Like Intel, these firmware updates will be provided to PC makers, and it will be up to suppliers to ensure customers receive these. AMD isn't saying whether there will be any performance impacts from applying these firmware updates, nor whether servers using EPYC processors will be greatly impacted or not. AMD is also revealing that its Radeon GPU architecture isn't impacted by Meltdown or Spectre, simply because those GPUs "do not use speculative execution and thus are not susceptible to these threats." AMD says it plans to issue further statements as it continues to develop security updates for its processors.
Security

Hackers Could Blow Up Factories Using Smartphone Apps (technologyreview.com) 125

An anonymous reader quotes a report from MIT Technology Review: Two security researchers, Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi, spent last year examining 34 apps from companies including Siemens and Schneider Electric. They found a total of 147 security holes in the apps, which were chosen at random from the Google Play Store. Bolshev declined to say which companies were the worst offenders or reveal the flaws in specific apps, but he said only two of the 34 had none at all. Some of the vulnerabilities the researchers discovered would allow hackers to interfere with data flowing between an app and the machine or process it's linked to. So an engineer could be tricked into thinking that, say, a machine is running at a safe temperature when in fact it's overheating. Another flaw would let attackers insert malicious code on a mobile device so that it issues rogue commands to servers controlling many machines. It's not hard to imagine this causing mayhem on an assembly line or explosions in an oil refinery. The researchers say they haven't looked at whether any of the flaws has actually been exploited. Before publishing their findings, they contacted the companies whose apps had flaws in them. Some have already fixed the holes; many have yet to respond.
Microsoft

Microsoft Partners with Signal to Bring End-To-End Encryption to Skype (bleepingcomputer.com) 64

Microsoft and Open Whisper Systems (makers of the Signal app) surprised many on Thursday when they said they are partnering to bring support for end-to-end (E2E) encrypted conversations to Skype. From a report: The new feature, called Skype Private Conversations has been rolled out for initial tests with Skype Insider builds. Private Conversations will encrypt Skype audio calls and text messages. Images, audio or video files sent via Skype's text messaging feature will also be encrypted. Microsoft will be using the Signal open-source protocol to encrypt these communications. This is the same end-to-end encryption protocol used by Facebook for WhatsApp and Facebook Messenger, and by Google for the Allo app.
Intel

Intel Says Chip-Security Fixes Leave PCs No More Than 10% Slower (axios.com) 276

Intel trying to defuse concern that fixes to widespread chip security vulnerabilities will slow computers, released test results late Wednesday showing that personal computers won't be affected much and promised more information on servers. From a report: The chipmaker published a table of data showing that older processors handled typical tasks 10 percent slower at most, after being updated with security patches. The information covered three generations of processors, going back to 2015, running Microsoft's Windows 10 and Windows 7 computer operating systems. Further reporting: Intel, Microsoft offer differing views on impact of chip flaw
Businesses

Uber Used Another Secret Software To Evade Police, Report Says (bloomberg.com) 226

schwit1 shares a Bloomberg report: In May 2015 about 10 investigators for the Quebec tax authority burst into Uber Technologies's office in Montreal. The authorities believed Uber had violated tax laws and had a warrant to collect evidence. Managers on-site knew what to do, say people with knowledge of the event. Like managers at Uber's hundreds of offices abroad, they'd been trained to page a number that alerted specially trained staff at company headquarters in San Francisco. When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they'd obtained a warrant to collect. The investigators left without any evidence.

Most tech companies don't expect police to regularly raid their offices, but Uber isn't most companies. The ride-hailing startup's reputation for flouting local labor laws and taxi rules has made it a favorite target for law enforcement agencies around the world. That's where this remote system, called Ripley, comes in. From spring 2015 until late 2016, Uber routinely used Ripley to thwart police raids in foreign countries, say three people with knowledge of the system. Allusions to its nature can be found in a smattering of court filings, but its details, scope, and origin haven't been previously reported. The Uber HQ team overseeing Ripley could remotely change passwords and otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices. This routine was initially called the unexpected visitor protocol. Employees aware of its existence eventually took to calling it Ripley, after Sigourney Weaver's flamethrower-wielding hero in the Alien movies. The nickname was inspired by a Ripley line in Aliens, after the acid-blooded extraterrestrials easily best a squad of ground troops. 'Nuke the entire site from orbit. It's the only way to be sure.'

Encryption

FBI Calls Apple 'Jerks' and 'Evil Geniuses' For Making iPhone Cracks Difficult (itwire.com) 348

troublemaker_23 shares a report from iTWire: A forensics expert from the FBI has lashed out at Apple, calling the company's security team a bunch of "jerks" and "evil geniuses" for making it more difficult to circumvent the encryption on its devices. Stephen Flatley told the International Conference on Cyber Security in New York on Wednesday that one example of the way that Apple had made it harder for him and his colleagues to break into the iPhone was by recently making the password guesses slower, with a change in hash iterations from 10,000 to 10,000,000. A report on the Motherboard website said Flatley explained that this change meant that the speed at which one could brute-force passwords went from 45 attempts a second to one every 18 seconds. "Your crack time just went from two days to two months," he was quoted as saying. "At what point is it just trying to one up things and at what point is it to thwart law enforcement? Apple is pretty good at evil genius stuff," Flatley added.
Desktops (Apple)

macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password (macrumors.com) 58

A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password. From a report: MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps: 1. Click on System Preferences. 2. Click on App Store. 3. Click on the padlock icon to lock it if necessary. 4. Click on the padlock icon again. 5. Enter your username and any password. 6. Click Unlock.

As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account. We also weren't able to unlock any other System Preferences menus with an incorrect password. We're unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.

Facebook

WhatsApp Security Flaws Could Be Exploited To Covertly Add Members To Group Chats (iacr.org) 29

A group of crytopgraphers from Germany's Ruhr University Bochum have uncovered flaws in WhatsApp's security that compromise the instant messaging service's end-to-end encryption. WhatsApp, owned by Facebook, has over one billion active users. In a paper published last week, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group -- a claim that might not bode well with privacy enthusiasts. From the paper: The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group however leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces. Further reading: Wired.
Security

Meltdown and Spectre Patches Bricking Ubuntu 16.04 Computers (bleepingcomputer.com) 233

An anonymous reader writes: Ubuntu Xenial 16.04 users who updated to receive the Meltdown and Spectre patches are reporting they are unable to boot their systems and have been forced to roll back to an earlier Linux kernel image. The issues were reported by a large number of users on the Ubuntu forums and Ubuntu's Launchpad bug tracker. Only Ubuntu users running the Xenial 16.04 series appear to be affected.

All users who reported issues said they were unable to boot after upgrading to Ubuntu 16.04 with kernel image 4.4.0-108. Canonical, the company behind Ubuntu OS, deployed Linux kernel image 4.4.0-108 as part of a security update for Ubuntu Xenial 16.04 users, yesterday, on January 9. According to Ubuntu Security Notice USN-3522-1 and an Ubuntu Wiki page, this was the update that delivered the Meltdown and Spectre patches.

Security

NVIDIA GPUs Weren't Immune To Spectre Security Flaws Either (engadget.com) 139

Nvidia has became the latest chipmaker to release software patches for the Spectre microchip security threat, indicating that the chipset flaw was affecting graphic processors as well as CPUs. From a report: To that end, NVIDIA has detailed how its GPUs are affected by the speculative execution attacks and has started releasing updated drivers that tackle the issue. All its GeForce, Quadro, NVS, Tesla and GRID chips appear to be safe from Meltdown (aka variant 3 of the attacks), but are definitely susceptible to at least one version of Spectre (variant 1) and "potentially affected" by the other (variant 2). The new software mitigates the first Spectre flaw, but NVIDIA is promising future mitigations as well as eventual updates to address the second. Most of the updates are available now, although Tesla and GRID users will have to wait until late January.
Security

Taiwanese Police Give Cyber-security Quiz Winners Infected Devices (bbc.com) 37

Taiwan's national police agency said 54 of the flash drives it gave out at an event highlighting a government's cybercrime crackdown contained malware. From a report: The virus, which can steal personal data and has been linked to fraud, was added inadvertently, it said. The Criminal Investigation Bureau (CIB) apologised for the error and blamed the mishap on a third-party contractor. It said 20 of the drives had been recovered. Around 250 flash drives were given out at the expo, which was hosted by Taiwan's Presidential Office from 11-15 December and aimed to highlight the government's determination to crack down on cybercrime.
Cellphones

'I Tried the First Phone With An In-Display Fingerprint Sensor' (theverge.com) 70

Vlad Savov from The Verge reports of his experience using the first smartphone with a fingerprint scanner built into the display: After an entire year of speculation about whether Apple or Samsung might integrate the fingerprint sensor under the display of their flagship phones, it is actually China's Vivo that has gotten there first. At CES 2018, I got to grips with the first smartphone to have this futuristic tech built in, and I was left a little bewildered by the experience. The mechanics of setting up your fingerprint on the phone and then using it to unlock the device and do things like authenticate payments are the same as with a traditional fingerprint sensor. The only difference I experienced was that the Vivo handset was slower -- both to learn the contours of my fingerprint and to unlock once I put my thumb on the on-screen fingerprint prompt -- but not so much as to be problematic. Basically, every other fingerprint sensor these days is ridiculously fast and accurate, so with this being newer tech, its slight lag feels more palpable. Vivo is using a Synaptics optical sensor called Clear ID that works by peering through the gaps between the pixels in an OLED display (LCDs wouldn't work because of their need for a backlight) and scanning your uniquely patterned epidermis. The sensor is already in mass production and should be incorporated in several flagship devices later this year.
Privacy

UK Backs Off From Banning Reidentification Research (theguardian.com) 10

An anonymous reader writes: The United Kingdom has recently debated banning reidentification in its new data privacy law. This proposal has quickly been identified as dangerous and criticized, as it was argued this is not only ineffective but would also put at risk legitimate security and privacy researchers. Following public outcry, the UK government amended the bill to include safe-guards allowing researchers to study anonymization weaknesses. Researchers will also gain a new channel of disclosure via the Information Commissioner Office (ICO). According to The Guardian, "Researchers will have to notify the ICO within three days of successfully deanonymizing data, and demonstrate that they had acted in the public interest and without intention to cause damage or distress in re-identifying data."
Microsoft

Microsoft Details Performance Impact of Spectre and Meltdown Mitigations on Windows Systems (microsoft.com) 237

Microsoft's Windows chief Terry Myerson on Tuesday outlined how Spectre and Meltdown firmware updates may affect PC performance. From a blog post: With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don't expect most users to notice a change because these percentages are reflected in milliseconds.

With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance. With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.

Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.

For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel.

Wireless Networking

With WPA3, Wi-Fi Security is About To Get a Lot Tougher (zdnet.com) 121

One of the biggest potential security vulnerabilities -- public Wi-Fi -- may soon get its fix. From a report: The Wi-Fi Alliance, an industry body made up of device makers including Apple, Microsoft, and Qualcomm, announced Monday its next-generation wireless network security standard, WPA3. The standard will replace WPA2, a near-two decades-old security protocol that's built in to protect almost every wireless device today -- including phones, laptops, and the Internet of Things.

One of the key improvements in WPA3 will aim to solve a common security problem: open Wi-Fi networks. Seen in coffee shops and airports, open Wi-Fi networks are convenient but unencrypted, allowing anyone on the same network to intercept data sent from other devices. WPA3 employs individualized data encryption, which scramble the connection between each device on the network and the router, ensuring secrets are kept safe and sites that you visit haven't been manipulated.
Further reading: WPA3 WiFi Standard Announced After Researchers KRACKed WPA2 Three Months Ago
Encryption

FBI Chief Calls Unbreakable Encryption 'Urgent Public Safety Issue' (reuters.com) 442

The inability of law enforcement authorities to access data from electronic devices due to powerful encryption is an "urgent public safety issue," FBI Director Christopher Wray said on Tuesday in remarks that sought to renew a contentious debate over privacy and security. From a report: The FBI was unable to access data from nearly 7,800 devices in the fiscal year that ended Sept. 30 with technical tools despite possessing proper legal authority to pry them open, a growing figure that impacts every area of the agency's work, Wray said during a speech at a cyber security conference in New York. "This is an urgent public safety issue," Wray added, while saying that a solution is "not so clear cut."
Microsoft

Microsoft Pauses Rollout of Spectre and Meltdown Patches To AMD Systems (betanews.com) 100

Microsoft is suspending patches to guard against Meltdown and Spectre security threats for computers running AMD chipsets after complaints by AMD customers that the software updates froze their machines. From a report: The company is blaming AMD's failure to comply with "the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown." There's no word on when the patches will be fixed, but Microsoft says that it is working with AMD to address the problem.
Windows

Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key (bleepingcomputer.com) 136

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches. According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches. The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry. The presence of this registry key tells the Windows OS the AV product is compatible and will trigger the Windows Update that installs the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs.
Data Storage

Western Digital 'My Cloud' Devices Have a Hardcoded Backdoor (betanews.com) 160

BrianFagioli shares a report from BetaNews: Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital MyCloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files are at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing. GulfTech Research and Development explains, "The triviality of exploiting this issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc." The My Cloud Storage devices affected by this backdoor include: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Firmware 2.30.172 reportedly fixes the bug, so make sure your device is updated before reconnecting to the internet.
IOS

Apple Updates macOS and iOS To Address Spectre Vulnerability (engadget.com) 67

Days after Apple disclosed how it would be dealing with the Meltdown bug that affects modern computers, it's pushed out fixes for the Spectre exploit as well. From a report: iOS 11.2.2 includes "Security improvements to Safari and WebKit to mitigate the effects of Spectre," the company writes on its support page, while the macOS High Sierra 10.13.2 Supplemental Update does the same for your Mac laptop or desktop. Installing this update on your Mac will also update Safari to version 11.0.2.
Microsoft

Microsoft's Meltdown and Spectre Patch Is Bricking Some AMD PCs (betanews.com) 299

Mark Wilson writes: As if the Meltdown and Spectre bug affecting millions of processors was not bad enough, the patches designed to mitigate the problems are introducing issues of their own. Perhaps the most well-known effect is a much-publicized performance hit, but some users are reporting that Microsoft's emergency patch is bricking their computers. We've already seen compatibility issues with some antivirus tools, and now some AMD users are reporting that the KB4056892 patch is rendering their computer unusable. A further issue -- error 0x800f0845 -- means that it is not possible to perform a rollback.
Bug

After Intel ME, Researchers Find Security Bug In AMD's SPS Secret Chip-on-Chip (bleepingcomputer.com) 76

An anonymous reader writes: AMD has fixed, but not yet released BIOS/UEFI/firmware updates for the general public for a security flaw affecting the AMD Secure Processor. This component, formerly known as AMD PSP (Platform Security Processor), is a chip-on-chip security system, similar to Intel's much-hated Management Engine (ME). Just like Intel ME, the AMD Secure Processor is an integrated coprocessor that sits next to the real AMD64 x86 CPU cores and runs a separate operating system tasked with handling various security-related operations.

The security bug is a buffer overflow that allows code execution inside the AMD SPS TPM, the component that stores critical system data such as passwords, certificates, and encryption keys, in a secure environment and outside of the more easily accessible AMD cores. Intel fixed a similar flaw last year in the Intel ME.

Intel

Linus Torvalds Says Intel Needs To Admit It Has Issues With CPUs (itwire.com) 271

troublemaker_23 shares an article from ITWire: Linux creator Linus Torvalds has had some harsh words for Intel in the course of a discussion about patches for two bugs that were found to affect most of the company's processors... Torvalds was clearly unimpressed by Intel's bid to play down the crisis through its media statements, saying: "I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed... Or is Intel basically saying 'we are committed to selling you shit forever and ever, and never fixing anything'?" he asked. "Because if that's the case, maybe we should start looking towards the ARM64 people more."
Elsewhere Linus told ZDNet that "there's no one number" for the performance drop users will experience after patches. "It will depend on your hardware and on your load. I think 5 percent for a load with a noticeable kernel component (e.g. a database) is roughly in the right ballpark. But if you do micro-benchmarks that really try to stress it, you might see double-digit performance degradation. A number of loads will spend almost all their time in user space, and not see much of an impact at all."
Intel

Intel Hit With Three Class-Action Lawsuits Over Meltdown and Spectre Bugs (theguardian.com) 220

An anonymous reader quotes a report from The Guardian: Intel has been hit with at least three class-action lawsuits over the major processor vulnerabilities revealed this week. Three separate class-action lawsuits have been filed by plaintiffs in California, Oregon and Indiana seeking compensation, with more expected. All three cite the security vulnerability and Intel's delay in public disclosure from when it was first notified by researchers of the flaws in June. Intel said in a statement it "can confirm it is aware of the class actions but as these proceedings are ongoing, it would be inappropriate to comment." The plaintiffs also cite the alleged computer slowdown that will be caused by the fixes needed to address the security concerns, which Intel disputes is a major factor. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," Intel said in an earlier statement.
Cloud

New US Customs Guidelines Limit Copying Files and Searching Cloud Data (theverge.com) 71

The U.S. Customs and Border Protection Agency has updated its guidelines for electronic border searches, adding new detail to border search rules that were last officially updated in 2009. The Verge reports: Officers can still request that people unlock electronic devices for inspection when they're entering the U.S., and they can still look through any files or apps on those devices. But consistent with a statement from acting commissioner Kevin McAleenan last summer, they're explicitly banned from accessing cloud data -- per these guidelines, that means anything that can't be accessed while the phone's data connection is disabled. The guidelines also draw a distinction between "basic" and "advanced" searches. If officers connect to the phone (through a wired or wireless connection) and copy or analyze anything on it using external devices, that's an advanced search, and it can only be carried out with reasonable suspicion of illegal activity or a national security concern. A supervisor can approve the search, and "many factors" might create reasonable suspicion, including a terrorist watchlist flag or "other articulable factors."
Operating Systems

Eben Upton Explains Why Raspberry Pi Isn't Vulnerable To Spectre Or Meltdown (raspberrypi.org) 116

Raspberry Pi founder and CEO Eben Upton says the Raspberry Pi isn't susceptible to the "Spectre" or "Meltdown" vulnerabilities because of the particular ARM cores they use. "Spectre allows an attacker to bypass software checks to read data from arbitrary locations in the current address space; Meltdown allows an attacker to read data from arbitrary locations in the operating system kernel's address space (which should normally be inaccessible to user programs)," Upton writes. He goes on to provide a "primer on some concepts in modern processor design" and "illustrate these concepts using simple programs in Python syntax..."

In conclusion: "Modern processors go to great lengths to preserve the abstraction that they are in-order scalar machines that access memory directly, while in fact using a host of techniques including caching, instruction reordering, and speculation to deliver much higher performance than a simple processor could hope to achieve," writes Upton. "Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality. The lack of speculation in the ARM1176, Cortex-A7, and Cortex-A53 cores used in Raspberry Pi render us immune to attacks of the sort."
Intel

Nope, No Intel Chip Recall After Spectre and Meltdown, CEO Says (cnet.com) 372

Hoping the Meltdown and Spectre security problems might mean Intel would be buying you a shiny new computer after a chip recall? Sorry, that's not on the cards. From a report: Intel famously paid hundreds of millions of dollars to recall its Pentium processors after the 1994 discovery of the "FDIV bug" that revealed rare but real calculation errors. But Intel CEO Brian Krzanich said the new problems are much more easily fixed -- and indeed are already well on their way to being fixed, at least in the case of Intel-powered PCs and servers. "This is very very different from FDIV," Krzanich said, criticizing media coverage of Meltdown and Spectre as overblown. "This is not an issue that is not fixable... we're seeing now the first iterations of patches." On Thursday, Intel said it was aiming to fix 90 percent of all Intel products that have been introduced within the past year by end of next week. CNET asked if the company was looking at older Intel processors? From the report: "We're working with [computer makers] to determine which ones to prioritize based on what they see as systems in the field," an executive at the company said. Intel also is fixing the problem in future chips, starting with products that will arrive later this year. Intel is effectively taking the software fixes being released now and building them directly into hardware, he said.
Intel

When F00F Bug Hit 20 Years Ago, Intel Reacted the Same Way (itwire.com) 141

troublemaker_23 writes: A little more than 20 years ago, Intel faced a problem with its processors, though it was not as big an issue as compared to the speculative execution bugs that were revealed this week. The 1997 bug, which came to be known as the F00F bug, allowed a malicious person to freeze up Pentium MMX and "classic" Pentium computers. Any Intel Pentium/Pentium MMX could be remotely and anonymously caused to hang, merely by sending it the byte sequence "F0 0F C7 C8". At the time, Intel said it learnt about the bug on 7 November 1997, but a report said that at least two people had indicated on an Intel newsgroup that the company knew about it earlier before. The processor firm confirmed the existence on 10 November. But, says veteran Linux sysadmin Rick Moen, the company's reaction to that bug was quite similar to the way it has reacted to this week's disclosures.

"Intel has a long history of trying to dissemble and misdirect their way out of paying for grave CPU flaws," Moen said in a post to Linux Users of Victoria mailing list. "Remember the 'Pentium Processor Invalid Instruction Erratum' of 1997, exposing all Intel Pentium and Pentium MMX CPUs to remote security attack, stopping them in their tracks if they could be induced to run processory instruction 'F0 0F C7 C8'? "No, of course you don't. That's why Intel gave it the mind-numbingly boring official name 'Pentium Processor Invalid Instruction Erratum', hoping to replace its popular names 'F00F bug' and 'Halt-and-Catch Fire bug'."

Google

Google Says CPU Patches Cause 'Negligible Impact On Performance' With New 'Retpoline' Technique (theverge.com) 120

In a post on Google's Online Security Blog, two engineers described a novel chip-level patch that has been deployed across the company's entire infrastructure, resulting in only minor declines in performance in most cases. "The company has also posted details of the new technique, called Retpoline, in the hopes that other companies will be able to follow the same technique," reports The Verge. "If the claims hold, it would mean Intel and others have avoided the catastrophic slowdowns that many had predicted." From the report: "There has been speculation that the deployment of KPTI causes significant performance slowdowns," the post reads, referring to the company's "Kernel Page Table Isolation" technique. "Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance." "Of course, Google recommends thorough testing in your environment before deployment," the post continues. "We cannot guarantee any particular performance or operational impact."

Notably, the new technique only applies to one of the three variants involved in the new attacks. However, it's the variant that is arguably the most difficult to address. The other two vulnerabilities -- "bounds check bypass" and "rogue data cache load" -- would be addressed at the program and operating system level, respectively, and are unlikely to result in the same system-wide slowdowns.

Intel

How a Researcher Hacked His Own Computer and Found One of the Worst CPU Bugs Ever Found (reuters.com) 138

Reuters tells the story of how Daniel Gruss, a 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University, hacked his own computer and exposed a flaw in most of the Intel chips made in the past two decades. Prior to his discovery, Gruss and his colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's "kernel" memory, which is meant to be inaccessible to users, was only theoretically possible. From the report: "When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured. Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result. "We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.

Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found." The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995. Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices (AMD) and ARM Holdings, a unit of Japan's Softbank.

Intel

By Next Week, Intel Expects To Issue Updates To More Than 90% of Processor Products Introduced Within Past Five Years (intel.com) 289

Intel said on Thursday that by next week it expects to have patched 90 percent of its processors that it released within the last five years, making PCs and servers "immune" from both the Spectre and Meltdown exploits. The company adds: Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.

Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact. System updates are made available by system manufacturers, operating system providers and others.

Security

Personal Data of a Billion Indians Sold Online For $8, Report Claims (theguardian.com) 74

Michael Safi, reporting for The Guardian: The personal information of more than a billion Indians stored in the world's largest biometric database can be bought online for less than $8, according to an investigation by an Indian newspaper. The reported breach is the latest in a series of alleged leaks from the Aadhaar database, which has been collecting the photographs, thumbprints, retina scans and other identifying details of every Indian citizen. The report in the Chandigarh-based Tribune newspaper claimed that software is also being sold online that can generate fake Aadhaar cards, an identity document that is required to access a growing number of government services including free meals and subsidised grain. The Unique Identification Authority of India (UIDAI), which administers the Aadhaar system, said it appeared the newspaper had accessed only limited details through a search facility that had been made available to government officials.
Desktops (Apple)

Intel Memory Access Design Flaw Partially Addressed by Apple in macOS 10.13.2 [Unconfirmed] (macrumors.com) 49

An anonymous reader shares a report: A serious design flaw and security vulnerability discovered in Intel CPUs has reportedly already been partially addressed by Apple in the recent macOS 10.13.2 update, which was released to the public on December 6. According to developer Alex Ionescu, Apple introduced a fix in macOS 10.13.2, with additional tweaks set to be introduced in macOS 10.13.3, currently in beta testing. AppleInsider also says that it has heard from "multiple sources within Apple" that updates made in macOS 10.13.2 have mitigated "most" security concerns associated with the KPTI vulnerability. A Bloomberg reporter pointed out that Apple has not officially commented on the story.
Microsoft

Microsoft Issues Rare Out-of-Band Emergency Windows Update For Processor Security Bugs (theverge.com) 129

An anonymous reader shares a report: Microsoft is issuing a rare out-of-band security update to supported versions of Windows today (Wednesday). The software update is part of a number of fixes that will protect against a newly-discovered processor bug in Intel, AMD, and ARM chipsets. Sources familiar with Microsoft's plans tell The Verge that the company will issue a Windows update that will be automatically applied to Windows 10 machines at 5PM ET / 2PM PT today. The update will also be available for older and supported versions of Windows today, but systems running operating systems like Windows 7 or Windows 8 won't automatically be updated through Windows Update until next Tuesday. Windows 10 will be automatically updated today.
Intel

Intel Says CEO Dumping Tons of Stock Last Year 'Unrelated' To Big Security Exploit (gizmodo.com) 93

An anonymous reader shares a report: Late last year, the CEO of Intel sold millions of dollars in company stock, as CEOs often do. The sale appears to have occurred while developers were reportedly rushing to fix a major security flaw affecting Intel processors made in the last decade. According to a report published by the Register this week, "a fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug." Windows and Linux developers have reportedly been working to address the issue since November. As our friends at Gizmodo ES pointed out, Intel's CEO Brian Krzanich sold roughly $11 million in company stock at the end of November. Counting the employee stock options Krzanich exercised, the CEO unloaded 245,743 shares, leaving him with 250,000 remaining shares -- the minimum Krzanich is required to own according to the company's bylaws, the Motley Fool reported. To be clear, this isn't proof of some insider-trading conspiracy. Contacted by Gizmodo, an Intel spokesperson called the sale "unrelated," and said it "was made pursuant to a pre-arranged stock sale plan (10b5-1) with an automated sale schedule."
Google

Google Says Almost All CPUs Since 1995 Vulnerable To 'Meltdown' And 'Spectre' Flaws (bleepingcomputer.com) 269

Catalin Cimpanu, reporting for BleepingComputer: Google has just published details on two vulnerabilities named Meltdown and Spectre that in the company's assessment affect "every processor [released] since 1995." Google says the two bugs can be exploited to "to steal data which is currently processed on the computer," which includes "your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents." Furthermore, Google says that tests on virtual machines used in cloud computing environments extracted data from other customers using the same server. The bugs were discovered by Jann Horn, a security researcher with Google Project Zero, Google's elite security team. These are the same bugs that have been reported earlier this week as affecting Intel CPUs. Google was planning to release details about Meltdown and Spectre next week but decided to publish the reports today "because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."
Google

Google's Project Zero Team Discovered Critical CPU Flaw Last Year (techcrunch.com) 124

An anonymous reader quotes a report from TechCrunch: In a blog post published minutes ago, Google's Security team announced what they have done to protect Google Cloud customers against the chip vulnerability announced earlier today. They also indicated their Project Zero team discovered this vulnerability last year (although they weren't specific with the timing). The company stated that it informed the chip makers of the issue, which is caused by a process known as "speculative execution." This is an advanced technique that enables the chip to essentially guess what instructions might logically be coming next to speed up execution. Unfortunately, that capability is vulnerable to malicious actors who could access critical information stored in memory, including encryption keys and passwords. According to Google, this affects all chip makers, including those from AMD, ARM and Intel (although AMD has denied they are vulnerable). In a blog post, Intel denied the vulnerability was confined to their chips, as had been reported by some outlets. The Google Security team wrote that they began taking steps to protect Google services from the flaw as soon as they learned about it.
Privacy

2 Years Later, Security Holes Linger In GPS Services Used By Millions of Devices (securityledger.com) 12

chicksdaddy quotes a report from The Security Ledger: Security researchers say that serious security vulnerabilities linger in GPS software by the China-based firm ThinkRace more than two years after the hole was discovered and reported to the firm, The Security Ledger reports. Data including a GPS enabled device's location, serial number, assigned phone number and model and type of device can be accessed by any user with access to the GPS service. In some cases, other information is available including the device's location history going back 1 week. In some cases, malicious actors could also send commands to the device via SMS including those used to activate or deactivate GEO fencing alarms features, such as those used on child-tracking devices.

The vulnerabilities affect hundreds of thousands of connected devices that use the GPS services, from smart watches, to vehicle GPS trackers, fitness trackers, pet trackers and more. At issue are security holes in back-end GPS tracking services that go by names like amber360.com, kiddo-track.com, carzongps.com and tourrun.net, according to Michael Gruhn, an independent security researcher who noted the insecure behavior in a location tracker he acquired and has helped raise awareness of the widespread flaws. Working with researcher Vangelis Stykas, Gruhn discovered scores of seemingly identical GPS services, many of which have little security, allowing low-skill hackers to directly access data on GPS tracking devices.

Alas, news about the security holes is not new. In fact, the security holes in ThinkRace's GPS services are identical to those discovered by New Zealand researcher Lachlan Temple in 2015 and publicly disclosed at the time. Temple's research focused on one type of device: a portable GPS tracker that plugged into a vehicle's On Board Diagnostic (or OBD) port. However, Stykas and Gruhn say that they have discovered the same holes spread across a much wider range of APIs (application program interfaces) and services linked to ThinkRace.

Intel

Intel Responds To Alleged Chip Flaw, Claims Effects Won't Significantly Impact Average Users (hothardware.com) 375

An anonymous reader quotes a report from Hot Hardware: The tech blogosphere lit up yesterday afternoon after reports of a critical bug in modern Intel processors has the potential to seriously impact systems running Windows, Linux and macOS. The alleged bug is so severe that it cannot be corrected with a microcode update, and instead, OS manufacturers are being forced to address the issue with software updates, which in some instances requires a redesign of the kernel software. Some early performance benchmarks have even suggested that patches to fix the bug could result in a performance hit of as much as 30 percent. Since reports on the issues of exploded over the past 24 hours, Intel is looking to cut through the noise and tell its side of the story. The details of the exploit and software/firmware updates to address the matter at hand were scheduled to go live next week. However, Intel says that it is speaking out early to combat "inaccurate media reports."

Intel acknowledges that the exploit has "the potential to improperly gather sensitive data from computing devices that are operating as designed." The company further goes on state that "these exploits do not have the potential to corrupt, modify or delete data." The company goes on to state that the "average computer user" will be negligibly affected by any software fixes, and that any negative performance outcomes "will be mitigated over time." In a classic case of trying to point fingers at everyone else, Intel says that "many different vendors' processors" are vulnerable to these exploits.
You can read the full statement here.
Google

Amazon's YouTube Workaround on Fire TV Works Just Fine (geekwire.com) 64

Last month, a notification that YouTube would no longer be available through Fire TV and Fire TV Stick devices starting Jan. 1 popped up, threatening to leave a huge hole in Amazon's streaming lineup. But just last week, Amazon added the ability to surf the web and get to YouTube via a browser. But does it work? GeekWire thinks so: The result is a simple path to YouTube, circumventing Google's move to pull it from Fire TV. Web browsing probably wasn't a direct response to Amazon's issues with Google, which owns YouTube, but it provides a convenient alternative to keep the service accessible for Fire TV users. The first step is downloading one or both of the web browsers. Opening Firefox leads to this home screen with easy access tiles to both Google and YouTube. On Silk, the home screen defaults to Bing search. But as I poked around, I noticed that YouTube for TV showed up in my bookmarks even though this was the first time I opened the browser. A YouTube interface optimized for TV, the same one you would see on other streaming devices, pops up on both browsers. To sign in, YouTube prompted me to activate YouTube for TV through a phone or computer. Once that process was complete, YouTube showed the same personalized recommendations as my phone and computer.
Firefox

Mozilla Will Delete Firefox Crash Reports Collected by Accident (bleepingcomputer.com) 38

Catalin Cimpanu, writing for BleepingComputer: Mozilla said last week it would delete all telemetry data collected because of a bug in the Firefox crash reporter. According to Mozilla engineers, Firefox has been collecting information on crashed background tabs from users' browsers since Firefox 52, released in March 2017. Firefox versions released in that time span did not respect user-set privacy settings and automatically auto-submitted crash reports to Mozilla servers. The browser maker fixed the issue with the release of Firefox 57.0.3. Crash reports are not fully-anonymized.
Desktops (Apple)

The 'App' You Can't Trash: How SIP is Broken in Apple's High Sierra OS (eclecticlight.co) 164

A reader shares a blog post that talks about why Mac running High Sierra 10.13.2 (and other versions near it) refuses to let users uninstall some third-party applications easily. For instance, when users attempt to uninstall BlueStacks, an Android emulator, the Finder shows this warning: "The operation can't be completed because you don't have the necessary permission." The blog post looks into the subject: The moment that we see the word permission, all becomes clear: it's a permissions problem. So the next step is to select the offending item in the Finder, press Command-I to bring up the Get Info dialog, and change the permissions. It does, though, leave the slight puzzle as to why the Finder didn't simply prompt for authentication instead of cussedly refusing. Sure enough, after trying that, the app still won't go and the error message is unchanged. Another strange thing about this 'app' is that it's not an app at all. Tucked away in a mysterious folder, new to High Sierra, in /Library/StagedExtensions/Applications, its icon is defaced to indicate that the user can't even run it. Neither did the user install it there. Trying to remove it using a conventional Terminal command sudo rm -rf /Library/StagedExtensions/Applications/BlueStacks.app also fails, with the report Operation not permitted.


Censorship

US Calls On Iran To Unblock Social Media Sites Amid Protests (go.com) 135

The Trump administration is calling on the government of Iran to stop blocking Instagram and other social media sites while encouraging Iranians to use special software to circumvent controls. "The great Iranian people have been repressed for many years," President Trump tweeted yesterday. "They are hungry for food & for freedom. Along with human rights, the wealth of Iran is being looted. Time for change!" ABC News reports: Undersecretary of State Steve Goldstein, in charge of public diplomacy, said the U.S. wants Iran's government to "open these sites" including the photo-sharing platform Instagram and the messaging app Telegram. "They are legitimate avenues for communication," Goldstein said. "People in Iran should be able to access those sites." Iranians seeking to evade the blocks can use virtual private networks, Goldstein said. Known as VPNs, the services create encrypted data "tunnels" between computers and are used in many countries to access overseas websites blocked by the local government. Despite the blocks, the United States is working to maintain communication with Iranians in the Farsi language, including through official accounts on Facebook, Twitter and other platforms. The State Department also was to distribute videos of top U.S. officials encouraging the protesters through those and other sites.
Bug

'Kernel Memory Leaking' Intel Processor Design Flaw Forces Linux, Windows Redesign (theregister.co.uk) 416

According to The Register, "A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug." From the report: Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in this month's Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December. Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features -- specifically, PCID -- to reduce the performance hit. Similar operating systems, such as Apple's 64-bit macOS, will also need to be updated -- the flaw is in the Intel x86 hardware, and it appears a microcode update can't address it. It has to be fixed in software at the OS level, or buy a new processor without the design blunder. Details of the vulnerability within Intel's silicon are under wraps: an embargo on the specifics is due to lift early this month, perhaps in time for Microsoft's Patch Tuesday next week. Indeed, patches for the Linux kernel are available for all to see but comments in the source code have been redacted to obfuscate the issue. The report goes on to share some details of the flaw that have surfaced. "It is understood the bug is present in modern Intel processors produced in the past decade," reports The Register. "It allows normal user programs -- from database applications to JavaScript in web browsers -- to discern to some extent the contents of protected kernel memory. The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI."
Democrats

New Bill Could Finally Get Rid of Paperless Voting Machines (arstechnica.com) 391

An anonymous reader quotes a report from Ars Technica: A bipartisan group of six senators has introduced legislation that would take a huge step toward securing elections in the United States. Called the Secure Elections Act, the bill aims to eliminate insecure paperless voting machines from American elections while promoting routine audits that would dramatically reduce the danger of interference from foreign governments. "With the 2018 elections just around the corner, Russia will be back to interfere again," said co-sponsor Sen. Kamala Harris (D-Calif.). So a group of senators led by James Lankford (R-Okla.) wants to shore up the security of American voting systems ahead of the 2018 and 2020 elections. And the senators have focused on two major changes that have broad support from voting security experts.

The first objective is to get rid of paperless electronic voting machines. Computer scientists have been warning for more than a decade that these machines are vulnerable to hacking and can't be meaningfully audited. States have begun moving away from paperless systems, but budget constraints have forced some to continue relying on insecure paperless equipment. The Secure Elections Act would give states grants specifically earmarked for replacing these systems with more secure systems that use voter-verified paper ballots. The legislation's second big idea is to encourage states to perform routine post-election audits based on modern statistical techniques. Many states today only conduct recounts in the event of very close election outcomes. And these recounts involve counting a fixed percentage of ballots. That often leads to either counting way too many ballots (wasting taxpayer money) or too few (failing to fully verify the election outcome). The Lankford bill would encourage states to adopt more statistically sophisticated procedures to count as many ballots as needed to verify an election result was correct -- and no more.

Slashdot Top Deals