Programming

NVIDIA Security Team: 'What if We Just Stopped Using C?' (adacore.com) 239

This week the Adacore blog shared a story about the NVIDIA Security Team: Like many other security-oriented teams in our industry today, they were looking for a measurable answer to the increasingly hostile cybersecurity environment and started questioning their software development and verification strategies. "Testing security is pretty much impossible. It's hard to know if you're ever done," said Daniel Rohrer, VP of Software Security at NVIDIA.

In my opinion, this is the most important point of the case study — that test-oriented software verification simply doesn't work for security. Once you come out of the costly process of thoroughly testing your software, you can have a metric on the quality of the features that you provide to the users, but there's not much you can say about security.

Rohrer continues, "We wanted to emphasize provability over testing as a preferred verification method." Fortunately, it is possible to prove mathematically that your code behaves in precise accordance with its specification. This process is known as formal verification, and it is the fundamental paradigm shift that made NVIDIA investigate SPARK, the industry-ready solution for software formal verification.

Back in 2018, a Proof-of-Concept (POC) exercise was conducted. Two low-level security-sensitive applications were converted from C to SPARK in only three months. After an evaluation of the return on investment, the team concluded that even with the new technology ramp-up (training, experimentation, discovery of new tools, etc.), gains in application security and verification efficiency offered an attractive trade-off. They realized major improvements in the security robustness of both applications (See NVIDIA's Offensive Security Research D3FC0N talk for more information on the results of the evaluation).

As the results of the POC validated the initial strategy, the use of SPARK spread rapidly within NVIDIA. There are now over fifty developers trained and numerous components implemented in SPARK, and many NVIDIA products are now shipping with SPARK components.

Encryption

Introducing Shufflecake: Plausible Deniability For Multiple Hidden Filesystems on Linux (kudelskisecurity.com) 90

Thursday the Kudelski Group's cybersecurity division released "a tool for Linux that allows creation of multiple hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes."

"Each volume is encrypted with a different secret key, scrambled across the empty space of an underlying existing storage medium, and indistinguishable from random noise when not decrypted." Even if the presence of the Shufflecake software itself cannot be hidden — and hence the presence of secret volumes is suspected — the number of volumes is also hidden. This allows a user to create a hierarchy of plausible deniability, where "most hidden" secret volumes are buried under "less hidden" decoy volumes, whose passwords can be surrendered under pressure. In other words, a user can plausibly "lie" to a coercive adversary about the existence of hidden data, by providing a password that unlocks "decoy" data.

Every volume can be managed independently as a virtual block device, i.e. partitioned, formatted with any filesystem of choice, and mounted and dismounted like a normal disc. The whole system is very fast, with only a minor slowdown in I/O throughput compared to a bare LUKS-encrypted disk, and with negligible waste of memory and disc space.

You can consider Shufflecake a "spiritual successor" of tools such as Truecrypt and Veracrypt, but vastly improved. First of all, it works natively on Linux, it supports any filesystem of choice, and can manage up to 15 nested volumes per device, so to make deniability of the existence of these partitions really plausible.

"The reason why this is important versus "simple" disc encryption is best illustrated in the famous XKCD comic 538," quips Slashdot reader Gaglia (in the original submission). But the big announcement from Kudelski Security Research calls it "a tool aimed at helping people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes.

"Shufflecake is FLOSS (Free/Libre, Open Source Software). Source code in C is available and released under the GNU General Public License v3.0 or superior.... The current release is still a non-production-ready prototype, so we advise against using it for really sensitive operations. However, we believe that future work will sensibly improve both security and performance, hopefully offering a really useful tool to people who live in constant danger of being interrogated with coercive methods to reveal sensitive information."

Google

Google Says Surveillance Vendor Targeted Samsung Phones With Zero-Days (techcrunch.com) 5

Google says it has evidence that a commercial surveillance vendor was exploiting three zero-day security vulnerabilities found in newer Samsung smartphones. From a report: The vulnerabilities, discovered in Samsung's custom-built software, were used together as part of an exploit chain to target Samsung phones running Android. The chained vulnerabilities allow an attacker to gain kernel read and write privileges as the root user, and ultimately expose a device's data. Google Project Zero security researcher Maddie Stone said in a blog post that the exploit chain targets Samsung phones with an Exynos chip running a specific kernel version. Samsung phones are sold with Exynos chips primarily across Europe, the Middle East, and Africa, which is likely where the targets of the surveillance are located.

Stone said Samsung phones running the affected kernel at the time include the S10, A50, and A51. The flaws, since patched, were exploited by a malicious Android app, which the user may have been tricked into installing from outside of the app store. The malicious app allows the attacker to escape the app sandbox designed to contain its activity, and access the rest of the device's operating system. Only a component of the exploit app was obtained, Stone said, so it isn't known what the final payload was, even if the three vulnerabilities paved the way for its eventual delivery.

Programming

NSA Urges Organizations To Shift To Memory Safe Programming Languages (nsa.gov) 196

In a press release published earlier today, the National Security Agency (NSA) says it will be making a strategic shift to memory safe programming languages. The agency is advising organizations to explore such changes themselves by utilizing languages such as C#, Go, Java, Ruby, or Swift. From the report: The "Software Memory Safety" Cybersecurity Information Sheet (PDF) highlights how malicious cyber actors can exploit poor memory management issues to access sensitive information, promulgate unauthorized code execution, and cause other negative impacts. "Memory management issues have been exploited for decades and are still entirely too common today," said Neal Ziring, Cybersecurity Technical Director. "We have to consistently use memory safe languages and other protections when developing software to eliminate these weaknesses from malicious cyber actors."

Microsoft and Google have each stated that software memory safety issues are behind around 70 percent of their vulnerabilities. Poor memory management can lead to technical issues as well, such as incorrect program results, degradation of the program's performance over time, and program crashes. NSA recommends that organizations use memory safe languages when possible and bolster protection through code-hardening defenses such as compiler options, tool options, and operating system configurations.
The full report is available here (PDF).

Windows

Windows 11's Task Manager is Getting a Search Box To Help You Find Misbehaving Apps (theverge.com) 98

Microsoft has started testing a new search and filtering system for the Task Manager on Windows 11. It will allow Windows users to easily search for a misbehaving app and end its process or quickly create a dump file, enable efficiency mode, and more. From a report: "This is the top feature request from our users to filter / search for processes," explains the Windows Insider team in a blog post. "You can filter either using the binary name, PID or publisher name. The filter algorithm matches the context keyword with all possible matches and displays them on the current page." You'll be able to use the alt + F keyboard shortcut to jump to the filter box in the Task Manager, and results will be filtered into single or groups of processes that you can monitor or take action on. Alongside the new search and filter functionality, Microsoft is also adding the ability to pick between light or dark themes in the Task Manager. Themes will also be applied fully throughout Task Manager, with some updates to its UI to fit more closely with Microsoft's overall Fluent work.
Privacy

Mysterious Company With Government Ties Plays Key Internet Role (washingtonpost.com) 67

whoever57 writes: Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto? You probably already do. Washington Post reports: An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews. Google's Chrome, Apple's Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what's known as a root certificate authority, a powerful spot in the internet's infrastructure that guarantees websites are not fake, guiding users to them seamlessly.

The company's Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade. One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics. Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it.
whoever57 has also shared an unpaywalled link to the story.

Security

Lenovo Driver Goof Poses Security Risk for Users of 25 Notebook Models (arstechnica.com) 46

More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI secure-boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned on Wednesday. From a report: At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that undermine the UEFI secure boot can be serious because they make it possible for attackers to install malicious firmware that survives multiple operating system reinstallations.

Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer's device firmware with its operating system. As the first piece of code to run when virtually any modern machine is turned on, it's the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical measures such as wiping the hard drive and reinstalling the OS have no meaningful impact because the UEFI infection will simply reinfect the computer afterward. ESET said the vulnerabilities -- tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 -- "allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS." Secure boot uses databases to allow and deny mechanisms. The DBX database, in particular, stores cryptographic hashes of denied keys. Disabling or restoring default values in the databases makes it possible for an attacker to remove restrictions that would normally be in place.

IT

Gmail Will No Longer Allow Users To Revert Back To Its Old Design 72

Google has announced that it's making the new Gmail interface the standard experience for users. From a report: The company first released the new interface earlier this year but allowed users to revert back to the original view. Starting this month, users will no longer have the option to go back to the old interface. "The integrated view with Gmail, Chat, Spaces, and Meet on the left side of the window will also become standard for users who have turned on Chat," the company said in a blog post. "Through quick settings, you can customize this new interface to include the apps most important to you, whether it's Gmail by itself or a combination of Gmail, Chat, Spaces, and Meet."
Businesses

Swiss Re Proposes Government Bail Out as Cybercrime Insurance Costs Spike (theregister.com) 27

As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme with one option being a government-backed fund to help fill the coverage gap. From a report: Global cyber insurance premiums hit $10 billion in 2021, according to Swiss Re's estimates. In a study published this week, the insurance giant forecasted 20 percent annual growth to 2025, with premiums rising to $23 billion over the next few years.

Meanwhile, annual cyberattack-related losses total about $945 billion globally, and about 90 percent of that risk remains uninsured, according to insurance researchers at the Geneva Association. While Forrester estimates a typical data breach costs an average $2.4 million for investigation and recovery, only 55 percent of companies currently have cyber insurance policies. Additionally, less than 20 percent have coverage limits in excess of $600,000, which the analyst firm cites as the median ransomware demand in 2021. "The market needs to mature further to ensure enough insurance protection is available," John Coletti, head cyber reinsurance at Swiss Re, told The Register. "Our industry has a key role to play by addressing three issues: improving data and modeling, increasing contract consistency and clarity and identifying new sources of capital."

Microsoft

Microsoft is Showing Ads in the Windows 11 Sign-Out Menu (bleepingcomputer.com) 151

Microsoft is now promoting some of its products in the sign-out flyout menu that shows up when clicking the user icon in the Windows 11 start menu. BleepingComputer: This new Windows 11 "feature" was discovered by Windows enthusiast Albacore, who shared several screenshots of advertisement notifications in the Accounts flyout. The screenshots show that Microsoft promotes the OneDrive file hosting service and prods users to create or complete their Microsoft accounts.

Those reacting to this on social media had an adverse reaction to Redmond's decision to display promotional messages in the start menu. Some said that Windows 11 is "getting worse in each and every update it gets," while others added that this is a weird choice given that "half of the Start Menu is for recommendations" anyway. BleepingComputer has also tried replicating this on multiple Windows 11 systems, but we didn't get any ads. This hints at an A/B testing experiment trying to gauge the success of such a "feature" on devices running Windows Insider builds or the company pushing such ads to a limited set of customers.

Programming

Stack Overflow CEO Shares Plans for Certification Programs, Opinions on No-Code Programming (zdnet.com) 52

"We serve about 100 million monthly visitors worldwide," says the CEO of Stack Overflow, "making us one of the most popular websites in the world. I think we are in the top 50 of all websites in the world by traffic."

In a new interview, he says the site's been accessed about 50 billion times over the past 14 years — and then shares his thoughts on the notion that programmers could be replaced by no-code, low-code, or AI-driven pair programming: A: Over the years, there have been many, many tools, trying to democratize software development. That's a very positive thing. I actually love the fact that programming is becoming easier to do with these onramps. I was speaking at Salesforce recently, and they've got people in sales organizations writing workflows, and that's low code. You've got all these folks who are not software engineers that are creating their own automations and applications.

However, there is this trade-off. If you're making software easier to build, you're sacrificing things like customizability and a deeper understanding of how this code actually works. Back in the day, you might remember Microsoft FrontPage [an early HTML web page editor] as an example of that. You were limited to certain basic things, but you could get web work done. So similarly, these tools will work for general use cases. But, if they do that, without learning the fundamental principles of code, they will inevitably have some sort of a limit. For example, having to fix something that broke, I think they're going to be really dumbfounded.

Still, I think it's important, and I'm a believer. It's a great way to get people engaged, excited, and started. But you got to know what you're building. Access to sites like Stack Overflow helps, but with more people learning as they're building, it's essential to make learning resources accessible at every stage of their journey....

Q: Is Stack Overflow considering any kind of certification? Particularly, as you just mentioned, since it's so easy now for people to step in and start programming. But then there's that big step from "Yes, I got it to work," but now "I have to maintain it for users using it in ways I never dreamed of."

A: It's very much part of our vision for our company. We see Stack Overflow going from collective knowledge to collective learning. Having all the information is fine and dandy, but are you learning? Now, that we're part of Prosus's edtech division, we're very much looking forward to offering educational opportunities. Just as today, we can get knowledge to developers at the right place and time, we think we can deliver learning at just the right place and time. We believe we can make a huge impact with education and by potentially getting into the certification game.

Q: Some of the open-source nonprofits are moving into education as well. The Linux Foundation, in particular, has been moving here with the LF Training and Certification programs. Are you exploring that?

A: This is very much part of our vision....

Stack Overflow's CEO adds that the site's hot topics now include blockchain, machine learning, but especially technical cloud questions, "rising probably about 50% year over year over the past 10 years.... Related to this is an increase in interest in containerization and cloud-native services."

Privacy

AstraZeneca Password Lapse Exposed Patient Data (techcrunch.com) 16

An anonymous reader quotes a report from TechCrunch: Pharmaceutical giant AstraZeneca has blamed "user error" for leaving a list of credentials online for more than a year that exposed access to sensitive patient data. Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk, told TechCrunch that a developer left the credentials for an AstraZeneca internal server on code sharing site GitHub in 2021. The credentials allowed access to a test Salesforce cloud environment, often used by businesses to manage their customers, but the test environment contained some patient data, Hussein said. Some of the data related to AZ&ME applications, which offers discounts to patients who need medications. TechCrunch provided details of the exposed credentials to AstraZeneca, and the GitHub repository containing the credentials was inaccessible hours later. In a statement, AstraZeneca spokesperson Patrick Barth told TechCrunch: "The protection of personal data is extremely important to us and we strive for the highest standards and compliance with all applicable rules and laws. Due to an [sic] user error, some data records were temporarily available on a developer platform. We stopped access to this data immediately after we have been [sic] informed. We are investigating the root cause as well as assessing our regulatory obligations."

It's unclear if anyone was able to access the data, or if any data was exfiltrated.

IT

Cherry's New Mechanical Switch Hails From '80s Terminal Keyboards (arstechnica.com) 35

Cherry, the original mechanical switch maker, is continuing to tap the mechanical keyboard community for new product ideas. From a report: Its new mechanical switch, the Cherry MX Black Clear-Top, is a nod to enthusiasts who would love to turn in their modern-day clacker for an old-school terminal keyboard with extra-smooth typing. Before Cherry's Thursday announcement of plans to release the MX Black Clear-Top, the switch was known to hobbyists as the Nixie switch.

Cherry made the switch in the 1980s for German office machine-maker Nixdorf Computer AG. The German switch maker was tasked with creating a version of its linear MX Black switch with "milky" upper housing, a 63.5 g actuation force rather than 60 g, and "the relatively rare solution at the time of having a diode integrated into the switch for n-key rollover," Cherry's announcement explained. The linear switch ended up being used primarily in Nixdorf's CT06-CT07/2 M Softkeys keyboards targeted at terminals, servers, and minicomputers.

Desktops (Apple)

New Mac App Wants To Record Everything You Do - So You Can 'Rewind' It Later (arstechnica.com) 41

An anonymous reader shares a report: Yesterday, a company called Rewind AI announced a self-titled software product for Macs with Apple Silicon that reportedly keeps a highly compressed, searchable record of everything you do locally on your Mac and lets you "rewind" time to see it later. If you forget something you've "seen, said, or heard," Rewind wants to help you find it easily. Rewind AI claims its product stores all recording data locally on your machine and does not require cloud integration. Among its promises, Rewind will reportedly let you rewind Zoom meetings and pull information from them in a searchable form. In a video demo on Rewind.AI's site, the app opens when a user presses Command+Shift+Space. The search bar suggests typing "anything you've seen, said, or heard." It also shows a timeline at the bottom of the screen that represents previous actions in apps.

After searching for "tps reports," the video depicts a grid view of every time Rewind has encountered the phrase "tps reports" as audio or text in any app, including Zoom chats, text messages, emails, Slack conversations, and Word documents. It describes filtering the results by app -- and the ability to copy and paste from these past instances if necessary. Founded by Dan Siroker and Brett Bejcek, Rewind AI is composed of a small remote team located in various cities around the US. Portions of the company previously created Scribe, a precursor to Rewind that received some press attention in 2021. In an introductory blog post, Rewind AI co-founder Dan Siroker writes, "What if we could use technology to augment our memory the same way a hearing aid can augment our hearing?"
Rewind AI provides few details about the app's back-end technology but describes "mind-boggling compression" that can reportedly compress recording data up to 3,750 times "without a major loss of quality," giving an example of 10.5GB of data squeezed down to just 2.8MB.

Security

Red Cross Seeks 'Digital Emblem' To Protect Against Hacking (apnews.com) 50

An anonymous reader quotes a report from the Associated Press: The International Committee of the Red Cross said Thursday it is seeking support to create a "digital red cross/red crescent emblem" that would make clear to military and other hackers that they have entered the computer systems of medical facilities or Red Cross offices. The Geneva-based humanitarian organization said it was calling on governments, Red Cross and Red Crescent societies, and IT experts to join forces in developing "concrete ways to protect medical and humanitarian services from digital harm during armed conflict."

For over 150 years, symbols such as the red cross have been used to make clear that "in times of armed conflict, those who wear the red cross or facilities and objects marked with them must be protected from harm," the ICRC said. That same obligation should apply online, the organization said, noting that hacking operations in conflicts were likely to increase as more militaries develop cyber capabilities. The organization said that for the proposed "digital emblem" to become reality, nations worldwide would have to agree on its use and make it part of international humanitarian law alongside existing humanitarian insignia. It hopes the emblem would identify the computer systems of protected facilities much as a red cross or crescent on a hospital roof does in the real world.
"The International Committee of the Red Cross said that it has identified three technical possibilities: a DNS-based emblem that would use a special label to link it to a domain name; an IP-based emblem; and an ADEM, or authenticated digital emblem, system that would use certificate chains to signal protection," adds the report.
AMD

Steam on Chromebooks Enters Beta, Adds AMD Support (arstechnica.com) 11

It has been almost three years since Chromebook users got word that Steam support is coming to ChromeOS. We're still not totally there yet, but today Google announced that it's ready to enter beta testing. From a report: In a blog post, Zach Alcorn, Google product manager, announced that Steam on Chromebooks is available as a beta with ChromeOS 108.0.5359.24 and later. Steam on ChromeOS entered alpha in March, and Alcorn said the updates announced today are based on "thousands of gameplay reports." The Steam on ChromeOS alpha required not just an Intel CPU, but also an Intel 11th-gen Core i5 chip with Intel's Iris Xe graphics. The beta supports Intel's latest 12th-gen chips and extends support to Team Red. Alcorn said the beta supports AMD's Ryzen 5000 C-Series CPUs.
IT

Signal To Roll Out Snapchat-like "Stories" Feature (axios.com) 41

Encrypted messaging app Signal will soon have an ephemeral "stories" feature, with video, pictures or text that disappear after 24 hours. From a report: Signal, often used by journalists, activists and privacy minded individuals, plans to roll out the feature on Monday, the nonprofit's president Meredith Whittaker told Axios at the Web Summit in Lisbon, Portugal Thursday. Signal has been beta-testing the feature since last month.

User updates that last on profiles for 24 hours, often called "stories," are something popularized by Snapchat and Instagram, both companies with targeted advertising based business models who also monetize the feature, something Signal is vehemently opposed to. "The short answer is that people want [stories]," Whittaker told Axios in an exclusive interview when asked why the privacy-focused app is rolling out such a feature.

Security

Ukraine War, Geopolitics Fuelling Cybersecurity Attacks - EU Agency 32

Geopolitics such as Russia's invasion of Ukraine has led to more damaging and widespread cybersecurity attacks in the year to July, EU cybersecurity agency ENISA said in its annual report on Thursday. From a report: ENISA's study follows concerns about the role of state actors and the growing range of threats to governments, companies and essential sectors such as energy, transport, banking and digital infrastructure. The agency said geopolitical situations - in particular the Russian invasion of Ukraine - were game-changers during the period under review. Zero-day exploits in which hackers exploit software vulnerabilities before developers have a chance to fix the flaws, as well as artificial intelligence-enabled disinformation and deepfakes resulted in more malicious and widespread attacks with more damaging impact, it said.
Security

Google Ad For GIMP.org Served Info-Stealing Malware Via Lookalike (bleepingcomputer.com) 19

joshuark shares a report from BleepingComputer, written by Ax Sharma: Searching for 'GIMP' on Google as recently as last week would show visitors an ad for 'GIMP.org,' the official website of the well known graphics editor, GNU Image Manipulation Program. This ad would appear to be legitimate as it'd state 'GIMP.org' as the destination domain. But clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP which, in reality, was malware.

Reddit user ZachIngram04 earlier shared the development stating that the ad previously took users to a Dropbox URL to serve malware, but was soon "replaced with an even more malicious one" which employed a fake replica website 'gilimp.org' to serve malware. BleepingComputer observed another domain 'gimp.monster' related to this campaign. To pass off the trojanized executable as GIMP in a believable manner to the user, the threat actor artificially inflated the malware, that is otherwise under 5 MB in size, to 700 MB by a simple technique known as binary padding.

It still isn't clear if this instance was a slip up caused by a potential bug in Google Ad Manager that allowed malvertising.

IT

Hawaii is About To Launch One of the Nation's Most Ambitious Tech Waste Recycling Programs (hawaiinewsnow.com) 40

Hawaii is implementing one of the most ambitious electronic waste recycling plans in the country, but some Hawaii retailers are afraid it will mean higher prices and less selection. From a report: Ironically, Hawaii has no ability to recycle electronic devices. Instead, the material has to be collected and shipped to processing centers elsewhere. The goal of the new law is to have manufacturers collect and ship out more and more of the used-up products. But industry lobbyist Walter Alcorn, with the Consumer Technology Association, said the law sets goals that cannot be met. "On the industry side, it's been a scramble." Alcorn said. "Particularly for the computer and printer manufacturers that previously did not have to have this type of a program."

State Rep. Nicole Lowen, chair of the Energy and Environmental Protection Committee, was among the lead advocates for the law. She said putting the full responsibility on the manufacturers will incentivize them to pay more attention to the waste their industry is generating. "We are pushing them to rethink the design packaging, distribution systems of their products and create more efficiency, for the reuse and recycling of those products or the materials that they contain," Lowen said. The law required 49 manufacturers, from Apple to Samsung, to report how much product has been shipped in by weight and how they would set up systems to collect discarded devices and ship them to recycling locations. There are none in Hawaii so all the products would have to be shipped out.
