Lenovo's widely used ThinkPad laptop hasn't changed much over the years. Corporate technology leaders say that's why they love it. From a report: "There's a lot to be said for familiarity and that consistent experience," said Ace Hardware Chief Information Officer Rick Williams, whose company uses about 4,000 ThinkPads. The ThinkPad brand of personal computers, originally created by International Business Machines, hit the market in 1992 before Lenovo acquired it, along with IBM's PC division, in 2005. Since then, the boxy design -- originally inspired by the Japanese bento box -- has gotten thinner and lighter, but not much else has changed from a design perspective, Lenovo said.

The logo is the same, although in 2005 Lenovo did add the red dot over the "i" in "Think" that remains today. That logo has remained angled at 37 degrees on the device. And on the keyboard the small, red, old-timey trackpoint remains nestled between the "B," "G" and "H" keys (which Lenovo says some users swear by and some CIOs say they never use). Ports and camera placement have also been relatively consistent. And despite some experimentation with colors, the laptop itself primarily remains its original black. "You're going to recognize the iconic ThinkPad," said Tom Butler, executive director for worldwide commercial portfolio and product management at Hong Kong-based Lenovo.

Its strategy might seem counterintuitive in an industry where winners and losers are often determined based on their pace of innovation, and where to stay the same often means to become obsolete. Big consumer tech companies that dominated the early 2000s, like BlackBerry, Nokia and Motorola, ultimately couldn't keep pace with competitors and struggled. But for Lenovo, which plays in the enterprise space, it's paying off. Lenovo has been leading in market share in the worldwide personal computer vendor market, based on unit shipments, on and off for more than 10 years, according to research firm Gartner.

Security researchers from SafeBreach have found what they say is a Windows downgrade attack that's invisible, persistent, irreversible and maybe even more dangerous than last year's BlackLotus UEFI bootkit. From a report: After seeing the damage that UEFI bootkit could do by bypassing secure boot processes in Windows, SafeBreach's Alon Leviev became curious whether there were any other fundamental Windows components that could be abused in a similar manner. He hit the jackpot in one of the most unlikely places: The Windows update process.

"I found a way to take over Windows updates to update the system, but with control over all of the actual update contents," Leviev told us in an interview ahead of his Black Hat USA conference presentation today detailing his findings. Using his technique, having compromised a machine so that he could get in as a normal user, Leviev was able to control which files get updated, which registry keys are changed, which installers get used, and the like. And he was able to do all of it while side-stepping every single integrity verification implemented in the Windows update process. After that, "I was able to downgrade the OS kernel, DLLs, drivers ... basically everything that I wanted." To make matters worse, Leviev said that poking and prodding around the vulnerabilities he found enabled him to attack the entire Windows virtualization stack, including virtualization-based security (VBS) features that are supposed to isolate the kernel and make attacker access less valuable.

Things aren't working out well for Humane, a heavily-funded startup that launched an eponymous AI device earlier this year. Despite significant funding from prominent Silicon Valley figures, the product has been grappling with negative reviews -- and now more pressing issues are emerging. An anonymous reader shares a report: Shortly after Humane released its $699 AI Pin in April, the returns started flowing in. Between May and August, more AI Pins were returned than purchased, according to internal sales data obtained by The Verge. By June, only around 8,000 units hadn't been returned, a source with direct knowledge of sales and return data told me. As of today, the number of units still in customer hands had fallen closer to 7,000, a source with direct knowledge said.

At launch, the AI Pin was met with overwhelmingly negative reviews. Our own David Pierce said it "just doesn't work," and Marques Brownlee called it "the worst product" he's ever reviewed. Now, Humane is attempting to stabilize its operations and maintain confidence among staff and potential acquirers. The New York Times reported in June that HP is considering purchasing the company, and The Information reported last week that Humane is negotiating with its current investors to raise debt, which could later be converted into equity.

Parody site creator David Senk has rebuffed CrowdStrike's attempt to shut down his "ClownStrike" website, which lampoons the cybersecurity firm's role in a recent global IT outage. Senk swiftly contested the Digital Millennium Copyright Act takedown notice, asserting fair use for parody. When hosting provider Cloudflare failed to acknowledge his counter-notice, Senk defiantly relocated the site to a Finnish server beyond U.S. jurisdiction. The IT consultant decried the takedown as "corporate cyberbullying," accusing CrowdStrike of exploiting copyright law to silence criticism. Despite CrowdStrike's subsequent admission that parody sites were not intended targets, Senk is remaining resolute, demanding a public apology and refusing to return to Cloudflare's services.

Logitech has quashed its earlier remarks about building a subscription-based mouse, following widespread backlash to comments made by CEO Hanneke Faber. The Swiss-American computer peripherals maker clarified that the "forever mouse" concept, mentioned by Faber in a recent podcast interview, was merely speculative internal discussion and not a planned product.

Disney Plus will soon no longer let you share your password with people outside your household. From a report: During an earnings call on Wednesday, Disney CEO Bob Iger said the crackdown will kick off "in earnest" this September. The timeline for Disney's password-sharing crackdown has been a bit confusing so far. In February, Disney announced plans to roll out paid sharing and also began notifying users about the change. It then launched paid sharing in a "few countries" in June but provided no information on when it would reach the US.

Zack Whittaker reports via TechCrunch: A cyberattack on Mobile Guardian, a U.K.-based provider of educational device management software, has sparked outages at schools across the world and has left thousands of students unable to access their files. Mobile Guardian acknowledged the cyberattack in a statement on its website, saying it identified "unauthorized access to the iOS and ChromeOS devices enrolled to the Mobile Guardian platform." The company said the cyberattack "affected users globally," including in North America, Europe and Singapore, and that the incident resulted in an unspecified portion of its userbase having their devices unenrolled from the platform and "wiped remotely." "Users are not currently able to log in to the Mobile Guardian Platform and students will experience restricted access on their devices," the company said.

Mobile device management (MDM) software allows businesses and schools to remotely monitor and manage entire fleets of devices used by employees or students. Singapore's Ministry of Education, touted as a significant customer of Mobile Guardian on the company's website since 2020, said in a statement overnight that thousands of its students had devices remotely wiped during the cyberattack. "Based on preliminary checks, about 13,000 students in Singapore from 26 secondary schools had their devices wiped remotely by the perpetrator," the Singaporean education ministry said in a statement. The ministry said it was removing the Mobile Guardian software from its fleet of student devices, including affected iPads and Chromebooks.

Intel has announced significant progress on its 18A process technology, with lead products successfully powering on and booting operating systems. The company's Panther Lake client processor and Clearwater Forest server chip, both built on 18A, achieved these milestones less than two quarters after tape-out. The 18A node, featuring RibbonFET gate-all-around transistors and PowerVia backside power delivery, is on track for production in 2025.

Intel released the 18A Process Design Kit 1.0 in July, enabling foundry customers to leverage these advanced technologies in their designs. "Intel is out ahead of everyone else in the industry with these innovations," Kevin O'Buckley, Intel's new head of Foundry Services stated, highlighting the node's potential to drive next-generation AI solutions. Clearwater Forest will be the industry's first mass-produced, high-performance chip combining RibbonFET, PowerVia, and Foveros Direct 3D packaging technology. It also utilizes Intel's 3-T base-die technology, showcasing the company's systems foundry approach. Intel expects its first external customer to tape out on 18A in the first half of 2025. EDA and IP partners are updating their tools to support customer designs on the new node. The success of 18A is crucial for Intel's ambitions to regain process leadership and grow its foundry business.

An anonymous reader shares a report: Google has revealed technical details of its in-house data transfer tool, called Effingo, and bragged that it uses the project to move an average of 1.2 exabytes every day. As explained in a paper [PDF] and video to be presented on Thursday at the SIGCOMM 2024 conference in Sydney, bandwidth constraints and the stubbornly steady speed of light mean that not even Google is immune to the need to replicate data so it is located close to where it is processed or served.

Indeed, the paper describes managed data transfer as "an unsung hero of large-scale, globally-distributed systems" because it "reduces the network latency from across-globe hundreds to in-continent dozens of milliseconds." The paper also points out that data transfer tools are not hard to find, and asks why a management layer like Effingo is needed. The answer is that the tools Google could find either optimized for transfer time or handled point-to-point data streams -- and weren't up to the job of handling the 1.2 exabytes Effingo moves on an average day, at 14 terabytes per second. To shift all those bits, Effingo "balances infrastructure efficiency and users' needs" and recognizes that "some users and some transfers are more important than the others: eg, disaster recovery for a serving database, compared to migrating data from a cluster with maintenance scheduled a week from now."

Microsoft said Delta Air Lines turned down repeated offers for assistance following last month's catastrophic system outage, echoing claims by CrowdStrike in an increasingly contentious conflict between the carrier and its technology partners. From a report: Microsoft employees reached out to Delta to give technical support every day from July 19 through July 23, and "each time Delta turned down Microsoft's offers to help," according to a letter Tuesday from the technology giant's attorneys to Delta's representatives. Microsoft Chief Executive Officer Satya Nadella also personally emailed Delta CEO Ed Bastian and never heard back. "Even though Microsoft's software had not caused the CrowdStrike incident, Microsoft immediately jumped in and offered to assist Delta at no charge," according to the letter, which was signed by Mark Cheffo of Dechert LLP. The claims, in response to Delta's hiring of attorney David Boies, heighten the tension after Delta suggested it would try to seek compensation for a breakdown it expects to cost it $500 million this quarter. The airline was slower to recover than competitors after an errant software update from CrowdStrike affected Microsoft systems, creating a cascading effect that led Delta to cancel thousands of flights over several days.

Mainframe computers, stalwarts of high-speed data processing, are finding new relevance in the age of AI. Banks, insurers, and airlines continue to rely on these industrial-strength machines for mission-critical operations, with some now exploring AI applications directly on the hardware, WSJ reported in a feature story. IBM, commanding over 96% of the mainframe market, reported 6% growth in its mainframe business last quarter. The company's latest zSystem can process up to 30,000 transactions per second and hold 40 terabytes of data. WSJ adds: Globally, the mainframe market was valued at $3.05 billion in 2023, but new mainframe sales are expected to decline through 2028, IDC said. Of existing mainframes, however, 54% of enterprise leaders in a 2023 Forrester survey said they would increase their usage over the next two years.

Mainframes do have limitations. They are constrained by the computing power within their boxes, unlike the cloud, which can scale up by drawing on computing power distributed across many locations and servers. They are also unwieldy -- with years of old code tacked on -- and don't integrate well with new applications. That makes them costly to manage and difficult to use as a platform for developing new applications.

An anonymous reader quotes a report from Ars Technica: Hackers delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections, researchers said. The attack, researchers from security firm Volexity said, worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.

Because the update mechanisms didn't use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS services such as Google's 8.8.8.8 or Cloudflare's 1.1.1.1 rather than the authoritative DNS server provided by the ISP. "That is the fun/scary part -- this was not the hack of the ISPs DNS servers," Volexity CEO Steven Adair wrote in an online interview. "This was a compromise of network infrastructure for Internet traffic. The DNS queries, for example, would go to Google's DNS servers destined for 8.8.8.8. The traffic was being intercepted to respond to the DNS queries with the IP address of the attacker's servers."

In other words, the DNS responses returned by any DNS server would be changed once it reached the infrastructure of the hacked ISP. The only way an end user could have thwarted the attack was to use DNS over HTTPS or DNS over TLS to ensure lookup results haven't been tampered with or to avoid all use of apps that deliver unsigned updates over unencrypted connections. As an example, the 5KPlayer app uses an unsecure HTTP connection rather than an encrypted HTTPS one to check if an update is available and, if so, to download a configuration file named Youtube.config. StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server. This file, in turn, downloaded a next-stage payload that was disguised as a PNG image. In fact, it was an executable file that installed malware tracked under the names MACMA for macOS devices or POCOSTICK for Windows devices. As for the hacked ISP, the security firm said "it's not a huge one or one you'd likely know."

"In our case the incident is contained but we see other servers that are actively serving malicious updates but we do not know where they are being served from. We suspect there are other active attacks around the world we do not have purview into. This could be from an ISP compromise or a localized compromise to an organization such as on their firewall."

snydeq writes: CSO Online's Evan Schuman reports on a design flaw in Microsoft Authenticator that causes it to often overwrite authentication accounts when a user adds a new one via QR scan. "But because of the way the resulting lockout happens, the user is not likely to realize the issue resides with Microsoft Authenticator. Instead, the company issuing the authentication is considered the culprit, resulting in wasted corporate helpdesk hours trying to fix an issue not of that company's making."

Schuman writes: "The core of the problem? Microsoft Authenticator will overwrite an account with the same username. Given the prominent use of email addresses for usernames, most users' apps share the same username. Google Authenticator and just about every other authenticator app add the name of the issuer -- such as a bank or a car company -- to avoid this issue. Microsoft only uses the username."

The flaw appears to have been in place since Authenticator was released in 2016. Users have complained about this issue in the past to no avail. In its two correspondences with Schuman, Microsoft first laid blame on users, then on issuers. Several IT experts confirmed the flaw, with one saying, "It's possible that this problem occurs more often than anyone realizes because [users] don't realize what the cause is. If you haven't picked an authentication app, why would you pick Microsoft?"

Reeling from security and optics issues, Microsoft appears to be trying to correct its story. An anonymous reader shares a report: Microsoft made it clear earlier this year that it was planning to make security its top priority, following years of security issues and mounting criticisms. Starting today, the software giant is now tying its security efforts to employee performance reviews. Kathleen Hogan, Microsoft's chief people officer, has outlined what the company expects of employees in an internal memo obtained by The Verge. "Everyone at Microsoft will have security as a Core Priority," says Hogan. "When faced with a tradeoff, the answer is clear and simple: security above all else."

A lack of security focus for Microsoft employees could impact promotions, merit-based salary increases, and bonuses. "Delivering impact for the Security Core Priority will be a key input for managers in determining impact and recommending rewards," Microsoft is telling employees in an internal Microsoft FAQ on its new policy. Microsoft has now placed security as one of its key priorities alongside diversity and inclusion. Both are now required to be part of performance conversations -- internally called a "Connect" -- for every employee, alongside priorities that are agreed upon between employees and their managers.

CrowdStrike says that it isn't to blame for Delta Air Lines' dayslong meltdown following the tech outage caused by the cybersecurity company, and that it isn't responsible for all of the money that the carrier says it lost. From a report: In a letter responding to the airline's recent public comments and hiring of a prominent lawyer, CrowdStrike said Delta's threats of a lawsuit have contributed to a "misleading narrative" that the cybersecurity company was responsible for the airline's tech decisions and response to the outage. "Should Delta pursue this path, Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions -- swiftly, transparently, and constructively -- while Delta did not," wrote Michael Carlinsky, an attorney at law firm Quinn Emanuel Urquhart & Sullivan.

The letter to Delta's legal team Sunday evening is the latest move in a growing conflict between the cybersecurity firm and the airline, which was thrown into several days of disarray following the outage. Delta Chief Executive Ed Bastian said in an interview on CNBC last week that the outage cost the airline about $500 million, including lost revenue and compensation costs. The airline has alerted CrowdStrike and Microsoft that it is planning to pursue legal claims to recover its losses, and has hired litigation firm Boies Schiller Flexner to assist, according to a memo Bastian sent to Delta employees last week. CrowdStrike said Sunday that its liability is contractually capped at an amount in the "single-digit millions."

Charles Schwab and other retail brokerage users reported outages as a global stocks selloff surged when trading in the US market opened on Monday. From a report: More than 14,000 users reported an outage at Schwab at 9:50 a.m. in New York, according to the website Downdetector. The outage comes at a time when global financial markets are experiencing a significant downturn as a widespread sell-off intensified following Friday's disappointing US employment data, which heightened concerns about a potential recession in the world's largest economy. The turbulence was particularly pronounced in Asian markets, with Japanese stocks leading the decline, while cryptocurrencies, oil prices, and European equities also suffered losses. The volatility spread to the US, where stocks plummeted at the opening bell, and the yield curve briefly inverted as investors increased their bets on imminent Federal Reserve interest rate cuts.

America's Defense Department has launched a project "that aims to develop machine-learning tools that can automate the conversion of legacy C code into Rust," reports the Register — with an online event already scheduled later this month for those planning to submit proposals: The reason to do so is memory safety. Memory safety bugs, such buffer overflows, account for the majority of major vulnerabilities in large codebases. And DARPA's hope [that's the Defense Department's R&D agency] is that AI models can help with the programming language translation, in order to make software more secure. "You can go to any of the LLM websites, start chatting with one of the AI chatbots, and all you need to say is 'here's some C code, please translate it to safe idiomatic Rust code,' cut, paste, and something comes out, and it's often very good, but not always," said Dan Wallach, DARPA program manager for TRACTOR, in a statement. "The research challenge is to dramatically improve the automated translation from C to Rust, particularly for program constructs with the most relevance...."

DARPA's characterization of the situation suggests the verdict on C and C++ has already been rendered. "After more than two decades of grappling with memory safety issues in C and C++, the software engineering community has reached a consensus," the research agency said, pointing to the Office of the National Cyber Director's call to do more to make software more secure. "Relying on bug-finding tools is not enough...."

Peter Morales, CEO of Code Metal, a company that just raised $16.5 million to focus on transpiling code for edge hardware, told The Register the DARPA project is promising and well-timed. "I think [TRACTOR] is very sound in terms of the viability of getting there and I think it will have a pretty big impact in the cybersecurity space where memory safety is already a pretty big conversation," he said.
DARPA's statement had an ambitious headline: "Eliminating Memory Safety Vulnerabilities Once and For All."

"Rust forces the programmer to get things right," said DARPA project manager Wallach. "It can feel constraining to deal with all the rules it forces, but when you acclimate to them, the rules give you freedom. They're like guardrails; once you realize they're there to protect you, you'll become free to focus on more important things."

Code Metal's Morales called the project "a DARPA-hard problem," noting the daunting number of edge cases that might come up. And even DARPA's program manager conceded to the Register that "some things like the Linux kernel are explicitly out of scope, because they've got technical issues where Rust wouldn't fit."

Thanks to long-time Slashdot reader RoccamOccam for sharing the news.

Somewhere in America's Defense Department, the DARPA R&D agency is running a two-year contest to write an AI-powered program "that can scan millions of lines of open-source code, identify security flaws and fix them, all without human intervention," reports the Washington Post. [Alternate URL here.]

But as they see it, "The contest is one of the clearest signs to date that the government sees flaws in open-source software as one of the country's biggest security risks, and considers artificial intelligence vital to addressing it." Free open-source programs, such as the Linux operating system, help run everything from websites to power stations. The code isn't inherently worse than what's in proprietary programs from companies like Microsoft and Oracle, but there aren't enough skilled engineers tasked with testing it. As a result, poorly maintained free code has been at the root of some of the most expensive cybersecurity breaches of all time, including the 2017 Equifax disaster that exposed the personal information of half of all Americans. The incident, which led to the largest-ever data breach settlement, cost the company more than $1 billion in improvements and penalties.

If people can't keep up with all the code being woven into every industrial sector, DARPA hopes machines can. "The goal is having an end-to-end 'cyber reasoning system' that leverages large language models to find vulnerabilities, prove that they are vulnerabilities, and patch them," explained one of the advising professors, Arizona State's Yan Shoshitaishvili.... Some large open-source projects are run by near-Wikipedia-size armies of volunteers and are generally in good shape. Some have maintainers who are given grants by big corporate users that turn it into a job. And then there is everything else, including programs written as homework assignments by authors who barely remember them.

"Open source has always been 'Use at your own risk,'" said Brian Behlendorf, who started the Open Source Security Foundation after decades of maintaining a pioneering free server software, Apache, and other projects at the Apache Software Foundation. "It's not free as in speech, or even free as in beer," he said. "It's free as in puppy, and it needs care and feeding."
40 teams entered the contest, according to the article — and seven received $1 million in funding to continue on to the next round, with the finalists to be announced at this year's Def Con, according to the article.

"Under the terms of the DARPA contest, all finalists must release their programs as open source," the article points out, "so that software vendors and consumers will be able to run them."

An anonymous reader shared this report from BleepingComputer: A Chinese hacking group tracked as StormBamboo has compromised an undisclosed internet service provider (ISP) to poison automatic software updates with malware. Also tracked as Evasive Panda, Daggerfly, and StormCloud, this cyber-espionage group has been active since at least 2012, targeting organizations across mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.

On Friday, Volexity threat researchers revealed that the Chinese cyber-espionage gang had exploited insecure HTTP software update mechanisms that didn't validate digital signatures to deploy malware payloads on victims' Windows and macOS devices... To do that, the attackers intercepted and modified victims' DNS requests and poisoned them with malicious IP addresses. This delivered the malware to the targets' systems from StormBamboo's command-and-control servers without requiring user interaction.
Volexity's blog post says they observed StormBamboo "targeting multiple software vendors, who use insecure update workflows..." and then "notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped."

BleepingComputer notes that "âAfter compromising the target's systems, the threat actors installed a malicious Google Chrome extension (ReloadText), which allowed them to harvest and steal browser cookies and mail data."

Google wants to help ease the pain of comparison shopping across multiple tabs in Chrome with a new AI-powered tool that can summarize your tabs into one page. From a report: The tool, which Google is calling "tab compare," will use generative AI to pull product data from tabs you have open and collect it all into one table. Assuming it works and pulls accurate information, the tool seems like it could be a handy way to look at a number of different products in one unified view.

But while it's potentially useful, the tool could also take away traffic from sites that collect and compare product information -- which might be especially worrying for independent publishers that are already struggling to be seen on Google. I'm also skeptical that Google will correctly pull all of the finer details about various products into the tables it creates with tab compare. I don't always trust Google's accuracy right now! There are some limits on what tab compare can do. The tables it creates are limited to 10 items because "we've just found the column layout doesn't scale very well beyond that," Google spokesperson Joshua Cruz tells The Verge.