Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customise your settings, hit “Customise Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences

Necessary. Always active Read more

These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.
Tailored Advertising. Read more

These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.
Analytics. Read more

These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

Customise Settings

Channel

Sony bundles rootkit-like software on USB drive

Hits replay on CD debacle

John Leyden Wed 29 Aug 2007 // 10:29 UTC

A USB fingerprint authentication device from Sony contains rootkit-like technology, according to security watchers. The MicroVault USM-F fingerprint reader software bundled with the stick installs a hidden directory under Windows.

"Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the anti-virus software. It is therefore technically possible for malware to use the hidden directory as a hiding place," warns anti-virus firm F-Secure.

Attempts to hide MicroVault software in a hidden directory may be an attempt to protect fingerprint authentication from tampering and bypass. This aim is laudable but the technique Sony used is misguided, F-Secure argues.

Sony, which drew fire for its use of similar rootkit-like techniques as copy protection mechanism on CDs two years ago, is yet to respond to the latest criticism.

Back in 2005 Sony BMG endured a public-relations and legal nightmare after it emerged digital rights management (DRM) software installed on some of its music CDs (First4Internet XCP program) created a handy means for hackers to hide malware from anti-virus scanning programs. Under pressure, Sony has been forced to recall discs loaded with the technology and create an exchange program for consumers. The music label still faces class action lawsuits by users who allege that their PCs have been damaged by the technology. ®

Corrections Send us news

Other stories you might like

UK government preps tech suppliers for £8bn mega framework

Software? Ticked. Hardware? Ticked. Kitchen sink? Oh go on then, why not

Lindsay Clark Thu 21 Apr 2022 // 09:15 UTC

The British government is looking to speak with suppliers in preparation for a multi-year procurement that could be worth up to £8 billion in technology products and services.
Crown Commercial Services, the purchasing arm of the Cabinet Office which reaches across central government departments, has published a tender notice looking for tech vendors' feedback on a new framework agreement.
Set to cover everything from IT software, hardware, services and even magnetic cards, the CCS is looking to put together a new procurement mechanism with set T&Cs and pricing available to the whole public sector – including central government departments, the NHS, local government, emergency services and more.

Continue reading
UK government says motorists will be allowed to watch TV in self-driving vehicles

Meanwhile, Elon Musk says we need to crack real-world AI to get fully autonomous cars to work

Lindsay Clark Thu 21 Apr 2022 // 08:30 UTC

The UK government has confirmed planned revisions to the Highway Code to accommodate self-driving vehicles, including allowing drivers to watch TV while an AI takes the wheel.
In a moment history may judge as legislative hubris, the Department for Transport (DfT) said the modifications would include "allowing drivers to view content that is not related to driving on built-in display screens, while the self-driving vehicle is in control."
However, somewhat counterintuitively, the Department added it would "still be illegal to use mobile phones in self-driving mode, given the greater risk they pose in distracting drivers as shown in research."

Continue reading
Machine-learning models vulnerable to undetectable backdoors: new claim

It's 2036 and another hijacked AI betrays its operators

Thomas Claburn in San Francisco Thu 21 Apr 2022 // 07:24 UTC

Boffins from UC Berkeley, MIT, and the Institute for Advanced Study in the United States have devised techniques to implant undetectable backdoors in machine learning (ML) models.
Their work suggests ML models developed by third parties fundamentally cannot be trusted.
In a paper that's currently being reviewed – "Planting Undetectable Backdoors in Machine Learning Models" – Shafi Goldwasser, Michael Kim, Vinod Vaikuntanathan, and Or Zamir explain how a malicious individual creating a machine learning classifier – an algorithm that classifies data into categories (eg "spam" or "not spam") – can subvert the classifier in a way that's not evident.

Continue reading

Biotech firm: Graphcore IPUs faster for AI-based drug discovery than GPUs

Someone's got to keep, say, Nvidia on its toes

Dylan Martin Thu 21 Apr 2022 // 07:00 UTC

In the race to provide the best machine-learning accelerators, one of Nvidia's top challengers has claimed a victory in the biotech space, London firm LabGenius, which said Graphcore's intelligence processing units (IPUs) provide significantly faster performance for AI-based drug discovery than some unidentified traditional GPUs.
Founded in 2012, LabGenius is a venture-backed company that develops antibody treatments for cancer and inflammatory diseases by leaning on machine-learning algorithms and laboratory automation to discover proteins that have the right qualities to treat medical conditions.
In a blog post to be published Thursday, and seen by The Register, Bristol, UK-based Graphcore is set to reveal LabGenius turned to its IPUs to train a BERT Transformer model on a large data set of existing proteins to predict masked amino acids. This, in turn, we're told, helped LabGenius suss out important protein features that can help it develop new therapies.

Continue reading
So, what happened with GitHub, Heroku, and those raided private repos?

Who knew what when and what did they do?

Jeff Burt Thu 21 Apr 2022 // 06:33 UTC

Analysis GitHub says it has identified and alerted developers who have had their private repositories accessed and downloaded via stolen authentication tokens.
In this multifaceted fiasco, Microsoft-owned GitHub insisted its security was not breached. Instead, we're told, "compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps."
Salesforce-owned Heroku confirmed someone compromised an OAuth token – presumably an internal staffer's token – to get into Heroku's GitHub account and rifle through, and potentially update, users' GitHub repositories "using OAuth tokens issued to Heroku’s OAuth integration dashboard hosted on GitHub."

Continue reading
Apple geniuses in Atlanta beat New York to the punch, file petition to unionize

Cannot confirm reports of Tim Cook on the Midnight Train to Georgia

Katyanna Quach Thu 21 Apr 2022 // 02:52 UTC

Workers in Atlanta, Georgia, have become the first US Apple Store staff to file an official request to hold an union vote with America's National Labor Relations Board.
"A number of us have been here for many years, and we don't think you stick at a place unless you love it," said Derrick Bowles, Apple Genius and Communications Workers of America (CWA) organizer.
"Apple is a profoundly positive place to work, but we know that the company can better live up to their ideals and so we're excited to be joining together with our coworkers to bring Apple to the negotiating table and make this an even better place to work."

Continue reading

Five Eyes nations fear wave of Russian attacks against critical infrastructure

If this is surprising to operators, we are doomed

Jessica Lyons Hardcastle Thu 21 Apr 2022 // 02:02 UTC

The Five Eyes nations' cybersecurity agencies this week urged critical infrastructure to be ready for attacks by crews backed by or sympathetic to the Kremlin amid strong Western opposition to Russia's invasion of Ukraine.
The joint alert, issued by cybersecurity authorities in the US, UK, Australia, Canada and New Zealand, provides technical details on more than a dozen Russian state-sponsored hacking groups and Russia-aligned cybercrime gangs.
The missive urges critical infrastructure organizations to take immediate actions to protect against cyberattacks from these foes. These steps include patching known exploited vulnerabilities, updating software, enforcing multi-factor authentication, securing and monitoring remote desktop protocol (RDP) and other "potentially risky" services, and providing end-user security awareness and training. If this action is truly surprising to critical infrastructure operators, we're screwed.

Continue reading
Brave, DuckDuckGo to unplug Google's AMP where possible

Webpage acceleration tech deemed harmful by rivals

Thomas Claburn in San Francisco Thu 21 Apr 2022 // 01:03 UTC

Brave, the browser maker, and DuckDuckGo, the web search service, have both taken aim at AMP, Google's controversial web publishing framework.
Brave on Tuesday introduced a feature called De-AMP that lets those using the Brave browser avoid Google-hosted AMP pages and go straight to publisher content on standard web pages.
De-AMP will rewrite fetched web pages that link to AMP pages so their links point to the publisher versions of those pages. Brave's browser, which uses a modified version of Google Chrome's Chromium, will watch for when AMP pages are being loaded and stop them before they can render. Doing so prevents Google’s AMP scripts and images from being fetched and executed while also reducing the ad giant's ability to see web traffic and understand where it's going.

Continue reading
Ex-eBay security director to plead guilty to cyberstalking

James Baugh faced trial over campaign against newsletter couple

Katyanna Quach Wed 20 Apr 2022 // 23:49 UTC

A now-former eBay security director accused of harassing a couple who wrote a critical newsletter about the internet tat bazaar is set to plead guilty to cyberstalking.
James Baugh, of San Jose, California, was charged with conspiracy to commit cyberstalking and conspiracy to tamper with witnesses, alongside six former colleagues in a baffling case brought in 2020.
Five of them pleaded guilty; Baugh and David Harville, eBay's now-ex-director of global resiliency, denied the allegations and were due to go on trial.

Continue reading
AWS's Log4j patches blew holes in its own security

Remote code exec is so 2014. Have this container escape and privilege escalation, instead

Jessica Lyons Hardcastle Wed 20 Apr 2022 // 21:51 UTC

Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation.
The vulnerabilities introduced by Amazon's Log4j hotpatch – CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 – are all high-severity bugs rated 8.8 out of 10 on the CVSS. AWS customers using Java software in their off-prem environments should grab the latest patch set from Amazon and install.
"We recommend that customers who run Java applications in containers, and use either the hotpatch or Hotdog, update to the latest versions of the software immediately," the cloud giant said in a security bulletin on Tuesday.

Continue reading
Oracle already wins 'crypto bug of the year' with Java digital signature bypass

Whole new meaning for zero consequences

Liam Proven in Prague Wed 20 Apr 2022 // 20:11 UTC

Java versions 15 to 18 contain a flaw in its ECDSA signature validation that makes it trivial for miscreants to digitally sign files and other data as if they were legit organizations.
Cyber-criminals could therefore pass off cryptographically signed malicious downloads and bogus information as if it were real, and affected Java applications and services won't know the difference.
The scope of the damage that could be done is wide: encrypted communications, authentication tokens, code updates, and more, built on Oracle's flawed code could be subverted, and as far as vulnerable Java-written programs are concerned, the data looks legitimate and trustworthy.

Continue reading

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

The Register - Independent news and views for the tech community. Part of Situation Publishing

SIGN UP TO OUR DAILY NEWSLETTER

Security Scorecard

Biting the hand that feeds IT © 1998–2022

Your Consent Options Cookies Privacy Ts&Cs