Science

• Crane horror Reg reader uses his severed finger to unlock Samsung Galaxy phone

  On the other hand he was fine
  Gareth Corfield Thu 6 May 2021 // 09:15 UTC

  Graphic images Everyone knows the trope. The baddies smash their way in and gun down the guard standing in front of the vault. "Dammit," says the lead bad guy, "it's a biometric scanner, we'll never get in!" His most grizzled henchman turns round, holding up the dead guard's lifeless arm. "Oh yes we will…"

  A Reg reader recreated this scene in real life (bits of it) using his Samsung Galaxy A20 phone – and the severed tip of his index finger, parted from his hand thanks to an industrial accident involving a crane.

  Kieran Higgins, a semi-retired auditor living in Spain, showed El Reg that his phone's fingerprint sensor read his two-weeks-dead fingertip's print and happily unlocked the device.

  Continue reading

• Highways England seeks vendor to replace Windows 2003-based pavement management systems

  Whoever came up with the SWEEP acronym can have a job at El Reg
  Lindsay Clark Thu 6 May 2021 // 08:30 UTC

  Highways England, the authority responsible for the nation's roads and related infrastructure, is asking tech vendors to bid for a project worth up to £15m to replace its ageing pavement information management systems.

  Still running on an unsupported Windows 2003 system, the Highways Agency Pavement Management System (HAPMS) dates back more than 20 years and is responsible for recording the status of 6,920km of pavement in England.

  Highways England, which has an annual budget of around £4.5bn, is now looking for someone to build a new system based on commercial off-the-shelf software. The current system is based upon an outdated version of the Pitney Bowes Confirm product.

  Continue reading

• Big dogs get new ride-share service from Singaporean giant Grab

  What a time to be alive
  Simon Sharwood, APAC Editor Thu 6 May 2021 // 07:55 UTC

  Singapore’s dominant ride-sharing app Grab has added a service for large dogs, or humans who own large numbers of dogs.

  The company, which bought Uber’s local operations, has seen close to 170 percent growth over the last two years for its current “GrabPet” service that offers to carry two humans, “two small to medium-sized pets, or one large pet”.

  The new GrabPet XL will schlep three human passengers and three small to medium-sized pets (up to 41cm in length), or two large pets (41cm in length or more).

  Continue reading

• Chrome on Windows turns on Intel, AMD chip-level defenses against malicious websites

  Terms and conditions apply
  Thomas Claburn in San Francisco Thu 6 May 2021 // 07:23 UTC

  Version 90 of Google's Chrome browser includes a bit of extra security for users of recent versions of Windows and the latest x86 processors, in the form of hardware-enforced stack protection.

  This basically means that, if your PC supports it, it's a bit harder for malicious websites to exploit bugs in Chrome to hijack your computer.

  Released in April, Chrome 90 supports Intel’s Control-flow Enforcement Technology (CET) [PDF], a processor-based defense against exploits that use something like Return Oriented Programming (ROP) to violate a program's control-flow integrity (CFI).

  Continue reading

• The Starship has landed. Latest SpaceX test comes back to Earth without igniting fireballs

  There was just a little fire. But not enough to worry anybody
  Simon Sharwood, APAC Editor Thu 6 May 2021 // 06:15 UTC

  Video SpaceX’s latest test of its Starship vehicle has stuck its landing for the first time.

  On Wednesday, US time, Starship serial number 15 (SN15) ascended to 10,000 metres, turned off its three raptor engines, and then belly-flopped back toward Earth.

  The belly-flop phase of the flight was intentional: the craft has four flaps that let it control its descent.

  Continue reading

• JET engine flaws can crash Microsoft's IIS, SQL Server, say Palo Alto researchers

  Trio claim database queries can lead to remote code execution
  Simon Sharwood, APAC Editor Thu 6 May 2021 // 04:59 UTC

  Black Hat Asia A trio of researchers at Palo Alto Networks has detailed vulnerabilities in the JET database engine, and demonstrated how those flaws can be exploited to ultimately execute malicious code on systems running Microsoft’s SQL Server and Internet Information Services web server.

  The team also said Microsoft dismissed some of their findings as not worthy of a fix.

  In a talk today at Black Hat Asia titled Give Me a SQL Injection, I Shall PWN IIS and SQL Server, the three explained they found the JET engine – for years an underlying tech for Microsoft Access and other products, and still downloadable today – has many vulnerabilities. We've previously reported on such holes.

  Continue reading

• If you're the 1% and have 10 mins to spare this July, bid for a place on first Blue Origin space tourism launch

  For everyone else, get back to work and ordering those Amazon Prime deals
  Katyanna Quach Thu 6 May 2021 // 03:48 UTC

  Blue Origin is planning to launch its first crew into space on July 20 – and a seat on this inaugural spaceflight is up for auction.

  There will be three stages to this process. Anyone can enter a sealed bid from May 5: all you have to do is fill out a form containing personal and contact information, and say how much you’re willing to pay to go space.

  On May 19, Blue Origin will unseal the auction, and people must place the high bid to continue. Finally, on June 12, the richest person highest bidder and thus winning space tourist will be determined at auction held live online.

  Continue reading

• ‘Unauthorized API’ in VMware cost management tool can be exploited to hijack appliances

  Remote code execution possible on vRealize Business for Cloud – which knows a lot about your private and public platforms
  Simon Sharwood, APAC Editor Thu 6 May 2021 // 02:52 UTC

  VMware has admitted its vRealize Business for Cloud product includes an “unauthorised VAMI API” that can be exploited to achieve remote code execution on the virtual appliance. The security flaw is rated critical, scoring 9.8 on the ten-point Common Vulnerability Scoring System.

  VAMI is the vCenter Server Appliance Management Interface, the tool administrators use to drive its flagship vCenter Server Appliance and manage fleets of virtual machines. For VAMI to have an "unauthorised" API that can be abused by miscreants to gain unauthorized control of systems over the network or internet is very scary indeed.

  VMware’s advisory does not explain how an unauthorised API made its way into such a sensitive product.

  Continue reading

• Robo-taxis hit the streets of Beijing – albeit a small fleet in a geo-fenced suburb

  Code for the Baidu Apollo brains of the service is yours for the taking on GitHub, too
  Simon Sharwood, APAC Editor Thu 6 May 2021 // 00:50 UTC

  Chinese web giant Baidu has commenced operations of actual autonomous taxis on the streets of Beijing.

  The Apollo robo-taxi service only operates in Shougang Park, an area of the capital city that will host some events in the 2022 Winter Olympics. Just ten self-driving cars are rolling in this first commercial test of the tech.

  The cars are summoned with an Uber-like app and offer level-four autonomy – meaning they can independently drive in predefined geo-fenced areas, and allow humans to take the wheel if they feel it necessary.

  Continue reading

• Can your AI code be fooled by vandalized images or clever wording? Microsoft open sources a tool to test for that

  Counterfit automatically creates adversarial inputs to find weaknesses
  Katyanna Quach Wed 5 May 2021 // 23:27 UTC

  Microsoft this week released a Python tool that probes AI models to see if they can be hoodwinked by malicious input data.

  And by that, we mean investigating whether, say, an airport's object-recognition system can be fooled into thinking a gun is a hairbrush, or a bank's machine-learning-based anti-fraud code can be made to approve dodgy transactions, or a web forum moderation bot can be tricked into allowing through banned hate speech.

  The Windows giant's tool, dubbed Counterfit, is available on GitHub under the MIT license, and is command-line controlled. Essentially, the script can be instructed to delve into a sizable toolbox of programs that automatically generate thousands of adversarial inputs for a given AI model under test. If the output from the model differs from what was expected from the input, then this is recorded as a successful attack.

  Continue reading

• Signal banned for booking obviously targeted ads? That story's too good to be true, Facebook claims

  Antisocial giant dismisses chat app rival's 'stunt' in escalating war of words
  Thomas Claburn in San Francisco Wed 5 May 2021 // 20:54 UTC

  Encrypted messaging service Signal on Tuesday made a show of trolling Instagram and its parent company Facebook by creating ads that incorporated audience targeting categories into its ad copy.

  The ads address viewers by identifying targeting criteria like lifestyle categories, occupation, geographic location, and personal interests presumably gleaned through online data collection.

  Apart from the marketing value of tweaking a dominant messaging rival, Signal did so, it claims, to expose the inner workings of ad tech data collection.

  Continue reading