Tuesday, January 6, 2009

Researchers Hack Into Intel's VPro

Security researchers said they've found a way to circumvent an Intel vPro security feature used to protect PCs and the programs that they run from tampering.

Invisible Things Labs researchers Rafal Wojtczuk and Joanna Rutkowska said they've created software that can "compromise the integrity" of software loaded using the Trusted Execution Technology (TXT) that is part of Intel's vPro processor platform. That's bad news, because TXT is supposed to help protect software - a program running within a virtual machine, for example - from being seen or tampered with by other programs on the machine. Formerly code-named LaGrande, TXT first started shipping in some Intel-based PCs last year.

Although almost no software uses the TXT technology today, the research could matter a lot to computer companies and government agencies that are thinking of using it to secure their future products.

Wojtczuk and Rutkowska said they've created a two-stage attack, with the first stage exploiting a bug in Intel's system software. The second stage relies on a design flaw in the TXT technology itself, they said in an announcement of their work, released Monday.

The Invisible Things researchers wouldn't say which system software contains the "first stage" bug until it has been patched, because that information could be misused by cyber-criminals.

The "second stage" problem may be tricky to fix, however. "It is still not clear how Intel should address the problem that is exploited by the second stage of our attack," Invisible Things researcher Joanna Rutkowska said in an e-mail interview. "Intel claims it can resolve the issue by updating the TXT specification."

The researchers conducted their attack against a program called tboot, used to load trusted versions of Linux or virtual machine modules onto the computer. They chose tboot because it is one of the few programs available that takes advantage of the TXT technology, but they did not find bugs in tboot itself, Rutkowska said.

Intel spokesman George Alfs said his company is working with the Invisible Things team, but he declined to comment further on their work, saying he didn't want to pre-empt the Black Hat presentation.

The researchers plan to give more details on their work at the upcoming Black Hat Washington security conference next month.

Because TXT isn't widely used, the work may not have much of an effect on Intel's customers, according to Stefano Zanero, CTO of Italian security consultancy Secure Network. "As of now, only a very limited subset of developers who are playing with the technology will find it interesting," he said in an instant message interview.

However, the work could end up being important if it outlines new ways attackers could compromise the vPro architecture, he added. "If it just outlines a specific vulnerability in Intel's implementation, then it's less interesting," he said.

AMD: Creating a New Laptop Category

Netbooks have their appeal - tiny budget machines with just enough oomph to run Windows XP. Ultraportables have horsepower in spades, but they cost too much to suit some people. This year we're going to see a whole new category of notebook take shape that falls somewhere between ultraportables and netbooks - and AMD is hot to have its processors on board.

During CES, AMD will showcase its Athlon Neo processor (the Yukon platform) designed to power a reasonably muscular ultraportable whose pricing starts at around $700 (just a hair above what some companies charge for their high-end netbooks) and tops out at $1400. Think of it as a step up from Intel's Atom and a possible competitor to nVidia's Ion platform concept - an nVidia GeForce 9400M GPU married to an Intel Atom CPU on a tiny motherboard. In AMD's case, that baseline configuration has a 1.6-GHz CPU working with ATI Radeon X1250 graphics on the motherboard. Though it's faster than Intel's integrated option, the Neo doesn't exactly light the world on fire. Partner a Neo with an ATI Mobility HD3410, as AMD is proposing, and the combination can handle 1080p high-def playback and reasonable game performance.

AMD is playing a high-stakes game, but this is a smart move at the right time. And what I've seen so far on paper looks good. Whereas nVidia is just showing off its prototype net-top boxes, AMD has a real product that will launch soon.

AMD's poster child packing Neo under the hood is HP's Pavilion Dv2. The Dv2 packs some fancy features into an 11.50-by-9.45-by-0.93-inch, 3.8-pound magnesium alloy frame. The most obvious of these is the new 1.6-GHz AMD Athlon Neo MV-40 CPU. Besides that, the Dv2 hosts a full suite of external notebook ports (three USB 2.0 ports, VGA, RJ-45/ethernet, headphone/line out, microphone in, 5-in-1 Digital Media Reader), Wi-Fi connectivity, and optional Gobi WWAN integration. I'm especially curious to see how well the ATI Mobility Radeon HD3410 GPU will look on the machine's 12.1-inch diagonal WXGA (1280 by 800) LED.

Will it be able to handle modern games? That's the million-dollar question. As usual, nVidia was quick to demonstrate that its 9400M GPU can run Call of Duty 4: Modern Warfare at 1024 by 768 pixels with a solid frame rate of 25 to 30 frames per second. Once I get a little up-close-and-personal time with the Pavilion Dv2, I'll let you know how it fares.

Monday, January 5, 2009

Mozilla and Microsoft Move to Nix Web Security Flaw

A vulnerability in a widespread digital certificate technology has lit a fire under major Internet stakeholders, prompting moves by Microsoft, the Mozilla Foundation and others to prevent attackers from using the hack to endanger secure Web sites.

Researchers yesterday announced they had found a flaw in MD5, or Message-Digest algorithm 5, a cryptographic technique used in a variety of security applications, including secure Web site certificates.

Digital certificates vouch for the safety of numerous types of secure online communications, like e-commerce transactions.

In response, Microsoft and Mozilla each said they are working with affected certification authorities, or CAs, to ensure they update their issuing processes to prevent this threat from harming users of the Internet Explorer and Firefox browsers. CAs act as trusted third parties to issue online certificates guaranteeing that the certificate's owner, an e-commerce site for example, is who it claims to be.

Mozilla's Johnathan Nightingale, a security and usability specialist at the group, said that the attack could pose a threat to some users but that Mozilla is not aware of any instances of it occurring.

"We advise users to exercise caution when interacting with sites that require sensitive information, particularly when using public internet connections," he wrote in a post on Mozilla's security blog. "This is not an attack on a Mozilla product, but we are nevertheless working with affected certificate authorities to ensure that their issuing processes are updated to prevent this threat."

Likewise, Microsoft issued Security Advisory 961509, in which it said the vulnerability does not significantly increase the risk to customers, since its discoverers had not published the cryptographic background to the flaw, which hackers would need to mount an attack.

"Microsoft is not aware of any active attacks and is working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm," Christopher Budd, security response communications lead for Microsoft, told InternetNews.com in an e-mail.

Microsoft and Mozilla aren't the only ones working to mitigate the threat. The team responsible for uncovering the vulnerability said most of the affected certificates it found online had been issued by the RapidSSL unit of VeriSign.

VeriSign, one of the largest CAs, yesterday said it had responded to the vulnerability by transitioning its RapidSSL certificates from MD5 to the stronger SHA-1 algorithm. The company today added that it would replace existing RapidSSL certificates using MD5 with new ones using SHA-1 free of charge.

SHA-1, or Secure Hash Algorithm, was developed by the National Security Agency (NSA) in 1993 to replace MD5 and MD4, an earlier technology. It was followed by SHA-2. According to Microsoft, Web sites that use Extended Validation certificates, which are always signed using SHA-1, will show a green address bar in most modern browsers - enabling users to verify that they're protected by the stronger technology.

Budd added that Microsoft would continue to monitor the situation and would provide updates to its advisory and on the company's Microsoft Security Response Center and Security, Vulnerability, Research and Defense blogs.

Others also said the threat won't impact many online users.

Holders of existing certificates signed with MD5 will not be affected because attackers using the new exploit must issue new certificates, Christina Rohall, a spokesperson at VeriSign, told InternetNews.com in an e-mail.

Breaking it down

The attack on MD5 was conducted by seven researchers in the U.S., Switzerland and the Netherlands, who presented their findings at the Chaos Computer Club's 25th annual conference in Berlin yesterday.

They created a rogue CA that was accepted by all common Web browsers, according to their blog. Creating a rogue CA enables the creator to intercept traffic to a secure Web site - potentially enabling them to steal sensitive information such as passwords and credit card data.

The security industry has long known that MD5 is flawed, and both VeriSign and Microsoft say the industry is moving away from MD5 to SHA-1. VeriSign had planned to complete its own transition to the stronger technology by the end of January, but said yesterday that it had been forced to speed things up after the researchers' announcement.

However, moving to SHA-1 will not render users entirely safe. Both versions of SHA are facing threats, and the U.S. Department of Commerce's National Institute of Standards and Technology has begun encouraging the development of replacements.
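The practical defender's check that follows from this story is an inventory of which signature algorithm each certificate actually carries, so that MD5-signed ones can be reissued. The following is an added example, not code from the article, the researchers, VeriSign or the browser vendors. It parses only the outer DER layout of an X.509 certificate (tbsCertificate, signatureAlgorithm, signatureValue) to read the algorithm OID, and the "certificates" it audits are constructed stand-ins built by a helper in the block, not real certificates; the OIDs for md5WithRSAEncryption, sha1WithRSAEncryption and sha256WithRSAEncryption are the standard PKCS#1 values.

```python
# Added example (not from the article): read the outer signatureAlgorithm OID
# of an X.509 certificate and flag MD5-based signatures for reissue.
# The certificates below are constructed stand-ins, not real certificates.

MD5_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
ALG_NAMES = {MD5_RSA: "md5WithRSAEncryption",
             SHA1_RSA: "sha1WithRSAEncryption",
             SHA256_RSA: "sha256WithRSAEncryption"}
WEAK_ALGS = {MD5_RSA}


def der_length(n):
    """Encode a DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Wrap body in a DER tag-length-value triple."""
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, body, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:             # long form: next bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm; tbsCertificate is skipped."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)          # tbsCertificate (not decoded)
    tag, alg_id, _ = read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = read_tlv(alg_id, 0)    # first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def audit(certs):
    """Map each certificate name to (algorithm name, needs_reissue)."""
    report = {}
    for name, der in certs.items():
        oid = signature_algorithm(der)
        report[name] = (ALG_NAMES.get(oid, oid), oid in WEAK_ALGS)
    return report


def make_stub_cert(sig_oid):
    """Constructed stand-in: real outer layout, dummy TBS and signature bytes."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                    # SEQUENCE { INTEGER 1 }
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))  # OID + NULL params
    sig = tlv(0x03, b"\x00" + b"\xab" * 8)                # BIT STRING, 0 unused bits
    return tlv(0x30, tbs + alg + sig)


SAMPLE_CERTS = {  # constructed inventory for the example
    "shop-legacy": make_stub_cert(MD5_RSA),
    "shop-renewed": make_stub_cert(SHA1_RSA),
    "shop-future": make_stub_cert(SHA256_RSA),
}

if __name__ == "__main__":
    for name, (alg, weak) in audit(SAMPLE_CERTS).items():
        print(f"{name}: {alg}{'  <- MD5-signed, reissue' if weak else ''}")
```

On a real inventory you would feed `signature_algorithm` the DER bytes of each certificate (the body of a PEM file, base64-decoded); the parser reads the outer AlgorithmIdentifier, which is the one the verifier actually checks the signature against, and the audit marks MD5 for reissue while leaving SHA-1 and SHA-2 entries untouched.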

China to 'clean up' the Internet

The Chinese authorities have launched a fresh campaign to get rid of unhealthy, vulgar and pornographic content on the internet.

The authorities have also published the names of 19 websites that have failed to heed requests to get rid of unsuitable material.

These include Google and China's top internet search engine, Baidu.

These websites could be closed down if they do not delete the offending material, according to one official.

China believes it has a duty to protect public morality.

Officials seem to be particularly concerned about pretty girls in suggestive poses that can be accessed through various websites.

They fear this and other "unhealthy" content could damage young people's physical and mental health.

Excuse for censorship?

The new campaign is being co-ordinated by a total of seven government ministries.

They have published the names of 19 offending websites that have so far ignored warnings to get rid of unsuitable content.

These websites are being told to clean up their websites - or else.

"We will continue to expose, punish or close down websites that have a lot of vulgar content," said one official, Cai Mingzhao, speaking on Chinese Central Television.

Officials also want the public to act as their eyes and ears in this campaign against sleaze.

But there is a fear the crackdown will not just be restricted to vulgar material.

The Chinese government keeps a firm grip on the internet, blocking certain websites and censoring some sensitive material.

This campaign could be used as an excuse to stifle political dissent in a country that allows little public criticism.

One of the websites that has been publicly criticised, Tianya, is popular with people who post their criticisms of the government.

Friday, January 2, 2009

Microsoft's Official Fix for Failing Zunes

Zune owners now have a fix for their failing devices thanks to Microsoft, which has posted instructions on how to start the new year off with a working digital music player. Yesterday 30-gigabyte Zunes suffered a crippling glitch causing the digital music players to lock up, reboot themselves, and freeze. Zune users are calling Microsoft's screw-up "Zune 2K9", a reference to the Y2K bug. The problem was caused by the Zune's internal clock and its inability to handle leap years, according to Microsoft.

Microsoft posted instructions on its support site Zune.net/support on how to thaw your Zune from its deep freeze and get it working again. However, if you're a Zune Pass subscriber with music managed by DRM copyright protection, Microsoft says you might have to take extra steps to play those music tracks.

The Zune fix (outlined below) worked from 7 am ET January 1, 2009. Microsoft says it will also issue a fix for the device so that this problem won't re-occur the next leap year, in 2012.
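The article says only that the clock code could not handle leap years; Microsoft's firmware is not shown, so the following is an added example of the class of code involved, not the Zune's own. It converts a count of days since an assumed epoch (1 January 1980, chosen for this example) into a calendar date, keeps the 366th day of a leap year inside that year, and includes a self-check for the 31 December boundary that a day-counting clock has to get right.

```python
# Added example (not Microsoft's firmware, which the article does not show):
# days-since-epoch to calendar-date conversion with leap years handled,
# including an explicit check of the 366th day of a leap year.
from datetime import date

EPOCH_YEAR = 1980  # assumption for this example: day 0 is 1 January 1980
MONTH_DAYS = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def is_leap(year):
    """Gregorian rule: divisible by 4, except centuries not divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def days_in_year(year):
    return 366 if is_leap(year) else 365


def split_year(days):
    """Return (year, day_of_year) with day_of_year counted from 1.

    The year advances only while a full year of days remains, so the
    0-based day 365 of a leap year stays in that year as day 366 instead
    of being pushed into the next year or leaving the loop without progress.
    """
    if days < 0:
        raise ValueError("days before epoch")
    year = EPOCH_YEAR
    while days >= days_in_year(year):
        days -= days_in_year(year)
        year += 1
    return year, days + 1


def to_date(days):
    """Convert days since epoch to (year, month, day)."""
    year, day_of_year = split_year(days)
    month_days = list(MONTH_DAYS)
    if is_leap(year):
        month_days[1] = 29            # February gets its 29th day
    month = 1
    for length in month_days:
        if day_of_year <= length:
            break
        day_of_year -= length
        month += 1
    return year, month, day_of_year


def last_day_of_leap_year_ok(year):
    """Self-check: the 366th day of a leap year must map to 31 December."""
    days = sum(days_in_year(y) for y in range(EPOCH_YEAR, year)) + 365
    return to_date(days) == (year, 12, 31)


if __name__ == "__main__":
    # Cross-check against the standard library for every day through 2012.
    epoch = date(EPOCH_YEAR, 1, 1)
    for n in range((date(2013, 1, 1) - epoch).days):
        d = epoch.fromordinal(epoch.toordinal() + n)
        assert to_date(n) == (d.year, d.month, d.day), n
    for year in (2008, 2012, 2100):
        status = last_day_of_leap_year_ok(year) if is_leap(year) else "not a leap year"
        print(year, status)
```

Day 10592 from the assumed epoch is 31 December 2008, the 366th day of that year; the `>=` boundary in `split_year` is what keeps it there, and the self-check covers 2012, the next leap year the article mentions, as well.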

To Fix Your Zune Follow These Steps:

1. Disconnect your Zune from USB and AC power sources.

2. Because the player is frozen, its battery will drain - this is good. Wait until the battery is empty and the screen goes black. If the battery was fully charged, this might take a couple of hours.

3. Connect your Zune to either a USB port on the back of your computer or to AC power using the Zune AC Adapter and let it charge.

Once the battery has sufficient power, the player should start normally. No other action is required - you can go back to using your Zune!

What if I have rights-managed (DRM) content on my Zune?

Most likely, rights-managed content will not be affected by this issue. However, it's a good idea to sync your Zune with your computer once the freeze has been resolved, just to make sure your usage rights are up to date.

What if I took advice from the forums and reset my Zune by disconnecting the battery?

This is a bad idea and we do not recommend opening your Zune by yourself (for one thing, doing so will void your warranty). However, if you've already opened it, do one of the following:

- Wait 24 hours from the time that you reset the Zune and then sync with your computer to refresh the usage rights; or

- Delete the player's content using the Zune software (go to Settings, Device, Sync Options, Erase All Content), then re-sync it from your collection.

Thursday, January 1, 2009

15 Reasons PC Gaming Beats All

1. PCs are scalable. Sure, it's a glass half-full or half-empty proposition, because component upgrades often vandalize (and scandalize) your wallet. Question is, would you rather have a platform that can play nearly anything, past to present, contingent on do-it-yourself propensity? Or be locked into a restrictively governed molding that's only changed out once every half-decade or so?

2. PC games are endlessly manipulable. Another "your mileage may vary" point, because tinkering's not for everyone, and plenty of people just want something that works. On the other hand, if you've only played Far Cry 2 on a console, you've been prowling around in visuals that only shadow the game's tricked-out PC sibling. And while stuff like NVIDIA's PhysX is accessible on NVIDIA-derivative consoles, don't expect Mirror's Edge to ever look as gleefully dissolvable on a PS3 or Xbox 360 as its physics-enhanced PC version. Also: Two words = mod scene.

3. PCs ape consoles in emulation. Here's a point often missed. PCs can be nearly any past-tense console, by hook or by crook. Miss stuff like Rare's Wizards & Warriors? The original tag-team Mario Bros.? Mega Man? Berzerk? No need to track down a moldering Atari 2600 or original NES, or Edward Stratton III's original Tempest arcade box. Just find an emulator and a stack of ROMs, or a Flash or Java site like PlayNES.net running scads of these in ostensibly legal emulation (including save-state options!) and you're golden.

4. PCs can be anywhere. If you're living in the 1970s, you think computers still hunker in lightless basements, or converted linen closets, or musty attics. I've never parked my PC anywhere other than a desk/armoire/piped-and-fluted-hybrid in a living room within cabling distance of my Dolby-fied flat-screened piece-de-resistance. Swapping between a desktop LCD and your larger living room variety is a snap, not to mention that doing so offers more audio/video playback options than any of the console manufacturers.

5. Keyboard and mouse beats all. We've yet to see an interface as intuitive and broadly commanding (and that's including Nintendo's vaunted Wiimote and nunchuk).

6. PCs do gamepads, surprise! Take that, all you blinkered QWERTY mockers. Got an Xbox 360 controller? Plug it into your PC and games like Dead Space and Gears of War adapt instantly. What's more, I dare anyone to invoke a console's comparably foggy web browser and tap out a response to this point, cycling through detached-panel ASCII symbols and frantically pulling triggers, one tedious sequential character at a time.

7. Consoles go kaplooey, too. I'll see your "blue screen" and raise you a "red ring" or two (or 33 percent of total, if those early estimates were accurate). Leave your pity for PC gamers at the door, because consoles are just as prone to bellying up when something short circuits in quality control. (Because, hate to break it to you, consoles are PCs too!) And memo: Game-breaking creepy-crawlies and PC-style firmware updates and patches have consoles on the hook these days, too.

8. Consoles could vanish tomorrow, but PC gaming is forever. Planning to solve for the unified theory of everything while lounging on your sofa in front of your new 50-inch plasma power-gobbler? Chances are, not so much. Feng Shui your heart out, you still need a place to spread the tree-ware and focus without distractions. Vive la PC! In the end, PC gaming soldiers on in part because the business-to-casual range of our daily activities remains wildly PC-centric. "And it plays games too?" There you go.

9. PC games are stylistically unbounded. It's like the Irving Berlin song: Anything consoles can do, PCs can do better. There's nothing consoles offer that PCs (and PC games) can't, and we're talking strictly one-way negotiation. Anything that requires fast-switch precision movement's out the window on a 360, Wii, or PS3. Real-time strategy games are a tangled mess on consoles, and while certain tactical third-person shooters work well enough, a decent mouse/keyboard gamer will repeatedly roast anyone wielding a pair of comparably clumsy thumb-sticks. Don't get me started on the complete lack of console support for serious simulations and wargames.

10. PCs are the creative heart of video gaming. This is where the grandest, wackiest, coolest, hippest, least predictable stuff in gaming's happening, folks. Hands down and bar none. Don't believe me? Then you need to try more stuff like Crayon Physics, DCS Black Shark, Synaesthete, Fret Nice, and for goodness sake spend some time with Iron Dukes.

11. PC games cost less. I'm not saying it makes a lick of sense (it doesn't) but Epic's Gears of War cost 60 bucks when it debuted on the 360. When it hit the PC with brand new content, that price dropped to $50, and that's still the going rate for PC A-listers. A $10 delta may sound trivial if you only buy a few games a year, but even two games a month is pushing $240 - enough to fund a new Xbox 360 or Nintendo Wii every 365 days.

12. Online PC matchmaking is free. I realize it's only Microsoft dragging its base through the mud here, and analysts claiming Xbox Live offers something unique are simply wrong. Still, it's worth mentioning that online PC matchmaking and multiplayer are, and always have been free. It's not a luxury item, it's not a special service, it's not a value proposition - it's an entrenched and completely reasonable customer expectation.

13. Piracy ain't just a PC problem. Console piracy rates barely scratch the PC's reportedly onerous numbers, but the former's aren't exactly waning. The more people playing console games, the more the scene laser-targets each console's proprietary padlocks, the more increasingly end-user-friendly workaround hacks and mod-jobs and firmware-fooling pre-insert ROM disc tools flood the market. While there may be cash to have short-term by switching gears, abandoning the PC over piracy rates may turn out to be yet another iteration of the "grass-is-greener" myth.

14. PCs excel at family-hotseat-group-play, too. First of all, You Don't Know Jack was working the lines long before the likes of Scene It!. Second, sure, there's stuff like Buzz Quiz and, you know, American Idol Encore 2 on tap, but they're still a tiny fraction of the broader number of family-friendly party games you can pull up (many for free) and play on your PC, whether piped through an office monitor or jacked into your Dolby/plasma master-lounge-center.

15. PC display screens trump living room TVs. The old anti-CRT/NTSC argument is finally weakening now that HDTVs with 1080p have a foot in, but I'll still see your 1920 x 1080 max lines of resolution and raise you 3840 x 2400 while you're waiting for market momentum to clumsily foist the Next Big Thing on entertainment centers (while online entertainment providers ironically bleed the life out of picture quality by compressing the heck out of on-demand digital video). Okay, so picture quality's not as big a deal these days for non-videophiles, and graphics bickering is pretty 1990s. Still, I needed a 15th point, so there you go!

Online Shoppers Satisfied

Were you satisfied with your holiday shopping experience? That's the question that researcher ForeSee Results asked more than 9,000 holiday shoppers to find which retailers provide the most satisfying shopping. Retailers were graded on a 1-100 scale, with 100 the most satisfied. In the results, those who shopped online gave their experience an average satisfaction rating of 90, while offline retail shopping received an average rating of 72. I guess even holiday shipping delays are preferable to the mad, chaotic rush of retail shopping on Black Friday.

ForeSee Results also identifies the top 40 ranked retailers this holiday season, with Amazon.com and Netflix leading the pack with tied ratings of 84. Some other big successes were Walmart, Staples, Hewlett Packard, and Target, which saw the greatest increases in customer satisfaction from last year. Overall, the top 5 retailers for customer satisfaction were Amazon.com, Netflix, QVC.com, Apple, and Barnes and Noble.

But all is not good news, as 15 of the top 40 retailers had declining customer satisfaction from last year. Some of those retailers which dropped were among the top 5, with Netflix, QVC.com, and Apple all losing ground this year over last year's customer satisfaction ratings. The biggest drops, though, were experienced by Circuit City, the Gap, and the Home Shopping Network, which tied for last place with retailers Overstock.com, Home Depot, and Neiman Marcus, all with a rating of 69.

With the economy in poor shape, customer satisfaction is an important factor. The research notes that satisfied customers are 65 percent more likely to buy from the same retailer, which suggests a shift to online shopping overtaking brick-and-mortar retail experience. I know that I did a majority of my own holiday shopping online, as did most of my friends and relatives. And based on these satisfaction results, it doesn't look like that trend will change.