Businesses Delay Patch, Fear Fix Will Be Worse Than Chip Flaw

Chances that a fix to a major microchip security flaw may slow down or crash some computer systems are leading some businesses to hold off installing software patches, fearing the cure may be worse than the original problem.

Researchers this week revealed security problems with chips from Intel Corp and many of its rivals, sending businesses, governments and consumers scrambling to understand the extent of the threat and the cost of fixes.

Rather than rushing to put on patches, a costly and time-intensive endeavor for major systems, some businesses are testing the fix, leaving their machines vulnerable.

“If you start applying patches across your whole fleet without doing proper testing, you could cause systems to crash, essentially putting all of your employees out of work,” said Ben Johnson, co-founder of cyber-security startup Obsidian.

Flaws not ‘critical’

Banks and other financial institutions spent much of the week studying the vulnerabilities, said Greg Temm, chief information risk officer with the Financial Services Information Sharing and Analysis Center, an industry group that shares data on emerging cyber threats.

The flaws affect virtually all computers and mobile devices, but are not considered “critical” because there is no evidence that hackers have figured out how to exploit them, said Temm, whose group works with many of the world’s largest banks.

“It’s like getting a diagnosis of high blood pressure, but not having a cardiac arrest,” Temm said. “We’re taking it seriously, but it’s not something that is killing us.”

Testing the patches

Banks are testing the patches to see if they slow operations and, if so, what changes need to be made, Temm said. For instance, computers could be added to networks to make up for the lack of processor speed in individual machines, he added.

Some popular antivirus software programs are incompatible with the software updates, causing desktop and laptop computers to freeze up and show a “blue screen of death,” researcher Johnson said.

Antivirus software makers responded by rolling out fixes to make their products compatible with the updated operating systems, he said. In a blog posting Friday, Microsoft Corp said it would only offer security patches to Windows customers whose antivirus software suppliers had confirmed with Microsoft that the patch would not crash the customer’s machine.

“If you have not been offered the security update, you may be running incompatible antivirus software, and you should consult the software vendor,” Microsoft advised in the blog post.

Government agencies also are watching. The Ohio Attorney General’s office is monitoring the situation, a spokesman said by email.

“Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time,” the world’s No. 1 chipmaker said on Thursday in a release.

No significant patch impact

It cited Amazon.com Inc, Apple Inc, Alphabet Inc’s Google and Microsoft as saying that most users had seen no significant impact on performance after installing the patches.

The cloud vendors are among a group of firms that quickly patched their technology to mitigate the threat from one of those vulnerabilities, dubbed Meltdown, which only affects machines running Intel chips.

Major software makers have not issued patches to protect against the second vulnerability, dubbed Spectre, which affects nearly all computer chips made in the last decade, including those from Intel, Advanced Micro Devices Inc, and ARM-architecture manufacturers, including Qualcomm Inc. 

However, Google, Firefox and Microsoft have implemented measures in most web browsers to stop hackers from launching remote attacks using Spectre.

Governments and security experts say they have seen no cyber attacks seeking to exploit either vulnerability, though they expect attempts by hackers as they digest technical data about the security flaws.

One key risk is that hackers will develop code that can infect the personal computers of people visiting malicious websites, said Chris Wysopal, chief technology officer of cyber security firm Veracode.

He advised PC owners to install the patches to protect against such potential attacks. Computer servers at large enterprises are less at risk, he said, because those systems are not used to surf the web and can only be infected in a Meltdown attack if a hacker has breached that network.

Operating system protection

Microsoft has issued a patch for its Windows operating system, and Apple desktop users with the most recent operating system are protected. Google has said most of its Chromebook laptops are already protected and that the rest would be soon.

Apple said it planned to release a patch to its Safari web browser within coming days to protect Mac and iOS users from Spectre.

While third-party browsers from Google and others can protect Mac users from Spectre, all major web browsers for Apple’s iOS devices depend on receiving a patch from Apple.

Until then, hundreds of millions of iPhone and iPad users will be exposed to potential Spectre attacks while browsing the web.

Internet Association to Join Expected Net Neutrality Lawsuit

The Internet Association, a trade group representing companies such as Google parent Alphabet Inc and Facebook Inc, said on Friday it intends to join an expected lawsuit against a decision to roll back net neutrality rules.

Several states including New York, and public interest advocacy groups have said they intend to sue to stop the mid-December ruling by the Federal Communications Commission.

The approval of FCC Chairman Ajit Pai’s proposal in a 3-2 vote marked a victory for internet service providers such as AT&T Inc, Comcast Corp and Verizon Communications Inc, handing them power over what content consumers can access. 

Democrats, Hollywood and companies such as Google parent Alphabet and Facebook had urged Pai, a Republican appointed by U.S. President Donald Trump, to keep the Obama-era rules barring service providers from blocking, slowing access to or charging more for certain content.

“The final version of Chairman Pai’s rule, as expected, dismantles popular net neutrality protections for consumers. This rule defies the will of a bipartisan majority of Americans and fails to preserve a free and open internet,” the Internet Association said in a statement.

The new rules give internet service providers sweeping powers to change how consumers access the internet but include new transparency requirements that will require them to disclose any changes to consumers.

Internet Association members also include Airbnb, Etsy Inc, Amazon.com and several dozen online and social media companies.

Apple to Issue Fix for iPhones, Macs at Risk From Chip Flaw

Apple Inc. will release a patch for the Safari web browser on its iPhones, iPads and Macs within days, it said Thursday, after major chipmakers disclosed flaws that leave nearly every modern computing device vulnerable to hackers.

On Wednesday, Alphabet Inc.’s Google and other security researchers disclosed two major chip flaws, one called Meltdown affecting only Intel Corp. chips and one called Spectre affecting nearly all computer chips made in the last decade. The news sparked a sell-off in Intel’s stock as investors tried to gauge the costs to the chipmaker.

In a statement on its website, Apple said all Mac and iOS devices were affected by both Meltdown and Spectre. But the most recent operating system updates for Mac computers, Apple TVs, iPhones and iPads protect users against the Meltdown attack and do not slow down the devices, it added. Meltdown does not affect the Apple Watch.

Macs and iOS devices are vulnerable to Spectre attacks through code that can run in web browsers. Apple said it would issue a patch to its Safari web browser for those devices “in the coming days.”

Intel Shares Fall as Investors Worry About Costs of Chip Flaw

Intel Corp shares fell nearly 2 percent Thursday as investors worried about the potential financial liability and reputational hit from recently disclosed security flaws in its widely used microprocessors.

The largest chipmaker had confirmed Wednesday that flaws reported by researchers could allow hackers to steal sensitive information from computers, phones and other devices. Apple Inc, Microsoft Corp and other software makers have issued patches to protect against the vulnerabilities.

Intel may be on the hook for costs stemming from lawsuits claiming that the patches would slow computers and effectively force consumers to buy new hardware, and big customers will likely seek compensation from Intel for any software or hardware fixes they make, security experts said.

“The potential liability is big for Intel,” said Eric Johnson, dean of Vanderbilt University’s Owen Graduate School of Management. “Everybody will be scrambling over the next few days to figure out just how big it is.”

Intel has said that the patches for the bugs would slow its chips down somewhat but that most users will not notice.

Amazon Web Services (AWS), the largest seller of cloud computing services, said in a statement it does not “expect meaningful performance impact for most customer workloads.”

Microsoft and Alphabet Inc’s Google both said in statements on their websites that they expect few performance problems for most of their cloud computing customers.

Financial repercussions

But the incident is likely to spur cloud companies to press Intel for lower prices on chips in future talks, said Kim Forrest, senior equity research analyst at Fort Pitt Capital Group in Pittsburgh, which owns shares in Intel.

“What [Intel’s cloud customers] are going to say is, ‘You wronged us, we hate you, but if we can get a discount, we’ll still buy from you,’” Forrest said.

Forrest also expects Intel will have to increase its chip development spending to focus on security.

Government agencies and security experts said they knew of no cyberattacks that had exploited the vulnerabilities.

Financial services firms were studying information on the vulnerabilities to determine how to best respond, said the Financial Services Information Sharing and Analysis Center, a global industry group known as FS-ISAC that shares data on cyberthreats.

Banks and other firms are trying to understand what it will cost to respond to the issue, FS-ISAC said in an emailed statement.

“In addition to the security considerations raised by this design flaw, performance degradation is expected, which could require more processing power for affected systems to compensate and maintain current baseline performance,” FS-ISAC said. “There will need to be consideration and balance between fixing the potential security threat vs. the performance and other possible impact to systems.”

Lawsuit filed

Lawyers filed a lawsuit in San Jose, California, federal court on Wednesday that sought class-action status and compensation for people who had bought vulnerable Intel chips or computers that came with them already installed.

Intel did not immediately respond to a request for comment on Thursday about the lawsuit.

While more lawsuits are expected, Intel’s biggest customers are likely to quietly seek compensation for any harm caused by the vulnerabilities, including costs to patch machines or replace microprocessors, Johnson said.

Legal experts said that consumers would have to prove concrete damages and harm to proceed with claims.

Intel shares fell 1.8 percent, following a 3.4 percent decline Wednesday.

Shares in rival Advanced Micro Devices Inc climbed 4.9 percent as investors speculated the No. 2 maker of microprocessors would woo customers away from Intel.

Still, researchers had said some of AMD’s chips had one of the two vulnerabilities disclosed on Wednesday, as do processors from ARM Holdings.

YouTube Star Logan Paul Steps Away From Posting After Outcry

YouTube star Logan Paul has stepped away from posting videos following an outcry when he uploaded images of what appeared to be the body of someone who killed themselves in a Japanese forest.

Paul took to Twitter on Wednesday to say he was suspending his video blog “for now” and “taking time to reflect.”

A petition on Change.org that demands his YouTube channel be deleted had been signed by more than 125,000 people by Thursday morning.

Paul created a furor when he posted a video of him in a forest near Mount Fuji showing what seemed to be a body hanging from a tree.

The video was viewed some 6 million times before being removed from Paul’s YouTube channel, a verified account with more than 15 million subscribers.

A storm of criticism followed despite two apologies, with commenters saying Paul seemed disrespectful and that his initial apology was inadequate.

In Paul’s initial apology, he said he had wanted to raise awareness about suicide and possibly save lives, and he denied his goal was to drive clicks to his social media content.

“I thought I could make a positive ripple on the internet, not cause a monsoon of negativity,” he said in his Twitter post.

“I don’t expect to be forgiven. I’m simply here to apologize,” he said on the more somber video apology uploaded on YouTube and Twitter late Tuesday. “None of us knew how to react or how to feel.”

BlackBerry Surges on Deal With Baidu for Self-driving Cars

BlackBerry Ltd and Chinese internet search firm Baidu Inc on Wednesday signed a deal to jointly develop self-driving vehicle technology, sending BlackBerry’s Toronto-listed shares up 13 percent to a four-year high.

The deal follows similar agreements with firms including Qualcomm Inc, Denso and Aptiv Plc to develop autonomous-driving technology with BlackBerry’s QNX software, which are expected to start generating revenue in 2019.

Investors and analysts are closely watching what comes of those agreements amid expectations that QNX could become a key technology in the burgeoning self-driving vehicle industry, serving as the operating system for computer chips used to run self-driving vehicles.

QNX will be the operating system for Apollo, a platform for self-driving vehicles that Baidu announced in April and has billed as the “Android” of the autonomous driving industry.

“The opportunity is global, it’s for a very large market and I think it’s a very solid win for BlackBerry,” said CIBC Capital Markets analyst Todd Coupland.

Apollo has since signed up several major automakers, including Ford Motor Co, Hyundai Motor Group and several Chinese carmakers.

QNX has long been used to run car infotainment consoles. BlackBerry has recently developed the software to run sophisticated computer chips for autos that manage multiple safety-critical systems.

BlackBerry shares rose 13 percent in Toronto to C$16.95, their sharpest one-day gain since April and highest close since March 2013.

The two companies said they will also integrate Baidu’s CarLife, a leading smartphone integration software for connected cars in China, its conversational AI system and high definition maps with BlackBerry’s infotainment platform.

One Difference Between 2009 vs 2018 Iran Protests? 48 Million Smartphones

In 2009, the world watched as Iranians marching in the streets turned to social media sites like Twitter and Facebook to organize and share information.

The technology-assisted protests were dubbed the first “Twitter revolution.”

Flash forward to 2018 and technology again is playing a role in demonstrations sweeping cities across Iran.

But much has changed in the intervening years when it comes to the communication tools used by Iranian citizens for organizing and publicizing protests.

Here are some of the main changes:

1. The rise of smartphones has brought more Iranians on to the internet

In 2009, fewer than 15 percent of Iranians had internet access, according to the World Bank.

While Twitter was used to get news of the protests out to the world, it is unclear how much of a role it or any service played to help organize political actions. Word of mouth, in some accounts, as well as SMS messaging over cellphones (and just 30 percent of Iranians owned a cell phone) played a larger role than internet services.

Now, with the advent of smartphones in Iran, about half of Iranians, or 48 million people, have smartphones. More than 50 percent of Iranians are online.

2. An explosion in messaging options

In 2009, Facebook and Twitter were relatively new with Iranians accessing the services mostly on their desktop computers.

As the 2009 protests unfolded, the Obama administration asked Twitter to delay an update that would have taken the service offline to allow Iranians to continue to use it.

Now, Iranian citizens have a number of ways of receiving and sending messages – straight from the device they carry in their pockets.

Of these newer services, the most popular in Iran is Telegram, an instant messaging service that offers encrypted secret chats and channels, where people discuss news and current events. By one count, more than 100,000 Iranian channels are on Telegram. Facebook’s Instagram is the second most popular service.

“Telegram channels are frequently used for organizing protests and for sharing political opinion,” said Eva Galperin, director of cybersecurity for the Electronic Frontier Foundation.

As the protests continued, the Iranian government shut down Telegram and Instagram. But other messaging apps give users options.

“Regime in Iran can shut down signal, telegram, etc., but differently from 2009, the whole country is connected and they have a long list of other messaging apps to use,” tweeted Jared Cohen, founder and chief executive of Jigsaw, an Alphabet company, and a senior fellow on the Council on Foreign Relations. “This time around, it’s much harder to win a game of technology whack-a-mole.”

And indeed, the head of Telegram took to Twitter on Tuesday to suggest users go to WhatsApp, which “remains fully accessible in Iran.”

3. Wider adoption of anti-filtering tools

Since the 2009 Green Movement, more Iranians have access to anti-censorship technology, such as VPNs and proxies, servers that transmit content that can evade government controls.

“Iranian internet users are making use of a wider variety of circumvention tools that allow for selective access to blocked resources,” said Alp Toker, founder of NetBlocks.org, a digital rights group.

“This could be down to a more mature understanding of internet filtering that has developed since the Green Movement protests after 2009, supported by domestic technical expertise and earlier initiatives to develop tools for Iran,” Toker said. “This suggests that workarounds for Iran’s internet filters have become a way of life for many mobile and desktop internet users.”

4. Dangers exist for Iranians using mobile technology

More communication technologies are available to Iranians, but they are more regulated and less open than they were in 2009, says Toker. Mobile devices are more restricted than computers, making it more difficult to circumvent Iran’s internet filters, he added.

In addition, many Iranians are using outdated iPhone devices and skipping software security updates, which means they may be more vulnerable to state-sponsored hacking and surveillance, Toker said.

Since 2009, the Iranian government has worked to create its own internet service and restricted content it considers objectionable on commercial services.

“Iran’s own strict regime of internet filters, but also U.S. sanctions limiting the transfer and sale of technology and security products, are likely contributing factors that mean the choke points are still an effective mechanism for mass control,” Toker said.

What’s Next in the Robotics Industry?

The robotics industry has made impressive advancements in 2017, and that’s expected to continue as robots are becoming more sophisticated, doing more complicated tasks and spreading almost everywhere. Faiza Elmasry has the story. Faith Lapidus narrates.

China’s WeChat Denies Storing User Chats

Tencent Holdings’ WeChat, China’s most popular messenger app, on Tuesday denied storing users’ chat histories, after a top businessman was quoted in media reports as saying he believed Tencent was monitoring everyone’s account.

“WeChat does not store any users’ chat history. That is only stored in users’ mobiles, computers and other terminals,” WeChat said in a post on the social media platform.

“WeChat will not use any content from user chats for big data analysis. Because of WeChat’s technical model that does not store or analyze user chats, the rumor that ‘we are watching your WeChat everyday’ is pure misunderstanding.”

Li Shufu, chairman of Geely Holdings, owner of the Volvo car brand, was quoted in Chinese media on Monday as saying Tencent Chairman Ma Huateng “must be watching all our WeChats every day”.

Like all Chinese social media platforms, WeChat is required to censor public posts deemed “illegal” by the Communist Party.

WeChat’s privacy policy says it may need to retain and disclose users’ information “in response to a request by a government authority, law enforcement agency or similar body”.

WeChat did not immediately respond to a request for further comment.

According to a report by Amnesty International, Tencent ranked at the bottom of 11 tech firms running the world’s most popular messenger apps for how they use encryption to protect user privacy.

China’s cyber watchdog in September announced a new rule making chat group administrators and companies accountable for breaches of content rules.

In the same month it handed down maximum penalties to tech firms including Tencent, Baidu Inc and Weibo Corp for failing to properly censor online content, and asked them to increase content auditing measures.

Minister: UK May Use Taxes to Get Tech Giants to Do More to Fight Extremism

Britain may impose new taxes on tech giants like Google and Facebook unless they do more to combat online extremism by taking down material aimed at radicalizing people or helping them to prepare attacks, the country’s security minister said.

Ben Wallace accused tech firms of being happy to sell people’s data but not to give it to the government which was being forced to spend vast sums on de-radicalization programs, surveillance and other counter-terrorism measures.

“If they continue to be less than co-operative, we should look at things like tax as a way of incentivizing them or compensating for their inaction,” Wallace told the Sunday Times newspaper in an interview.

His quotes did not give further details on tax plans. The newspaper said that any demand would take the form of a windfall tax similar to that imposed on privatized utilities by former Prime Minister Tony Blair’s government in 1997.

Wallace accused the tech giants of putting private profit before public safety.

“We should stop pretending that because they sit on beanbags in T-shirts they are not ruthless profiteers,” he said. “They will ruthlessly sell our details to loans and soft-porn companies but not give it to our democratically elected government.”

Facebook executive Simon Milner rejected the criticisms.

“Mr. Wallace is wrong to say that we put profit before safety, especially in the fight against terrorism,” he said in an emailed statement. “We’ve invested millions of pounds in people and technology to identify and remove terrorist content.”

YouTube, which is owned by Google, said it was doing more every day to tackle violent extremism.

“Over the course of 2017 we have made significant progress through investing in machine learning technology, recruiting more reviewers, building partnerships with experts and collaboration with other companies,” a YouTube spokeswoman said.

Deadly attacks

Britain suffered a series of attacks by Islamic extremists between March and June this year that killed a total of 36 people, excluding the attackers.

Two involved vehicles ramming people on bridges in London, followed by attackers stabbing people. The deadliest, a bombing at a concert in the northern city of Manchester, killed 22 people.

Following the second bridge attack, Prime Minister Theresa May proposed beefing up regulations on cyberspace, and weeks later interior minister Amber Rudd traveled to California to ask Silicon Valley to step up efforts against extremism.

“We are more vulnerable than at any point in the last 100 years,” said Wallace, citing extremist material on social media and encrypted messaging services like WhatsApp as tools that made life too easy for attackers.

“Because content is not being taken down as quickly as they could do, we’re having to de-radicalize people who have been radicalized. That’s costing millions. They can’t get away with that and we should look at all the options, including tax.”

Facebook said it removed 83 percent of uploaded copies of terrorist content within one hour of its being found on the social media network.

It also highlighted plans to double the number of people working in its safety and security teams to 20,000 by the end of 2018.

YouTube said that progress in machine learning meant that 83 percent of violent extremist content was removed without the need for users to flag it.