Bug

Nearly Every Windows and Linux Device Vulnerable To New LogoFAIL Firmware Attack (arstechnica.com) 69

"Researchers have identified a large number of bugs to do with the processing of images at boot time," writes longtime Slashdot reader jd. "This allows malicious code to be installed undetectably (since the image doesn't have to pass any validation checks) by appending it to the image. None of the current secure boot mechanisms are capable of blocking the attack." Ars Technica reports: LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux. The vulnerabilities are the product of almost a year's worth of work by Binarly, a firm that helps customers identify and secure vulnerable firmware. The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday. The participating companies comprise nearly the entirety of the x64 and ARM CPU ecosystem, starting with UEFI suppliers AMI, Insyde, and Phoenix (sometimes still called IBVs or independent BIOS vendors); device manufacturers such as Lenovo, Dell, and HP; and the makers of the CPUs that go inside the devices, usually Intel, AMD or designers of ARM CPUs. The researchers unveiled the attack on Wednesday at the Black Hat Security Conference in London.

As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment. "Once arbitrary code execution is achieved during the DXE phase, it's game over for platform security," researchers from Binarly, the security firm that discovered the vulnerabilities, wrote in a whitepaper. "From this stage, we have full control over the memory and the disk of the target device, thus including the operating system that will be started." From there, LogoFAIL can deliver a second-stage payload that drops an executable onto the hard drive before the main OS has even started. A video released by the researchers demonstrates a proof-of-concept exploit. The infected device -- a Gen 2 Lenovo ThinkCentre M70s running an 11th-Gen Intel Core with a UEFI released in June -- runs standard firmware defenses, including Secure Boot and Intel Boot Guard.
LogoFAIL vulnerabilities are tracked under the following designations: CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, and CVE-2023-40238. However, this list is currently incomplete.

"A non-exhaustive list of companies releasing advisories includes AMI (PDF), Insyde, Phoenix, and Lenovo," reports Ars. "People who want to know if a specific device is vulnerable should check with the manufacturer."

"The best way to prevent LogoFAIL attacks is to install the UEFI security updates that are being released as part of Wednesday's coordinated disclosure process. Those patches will be distributed by the manufacturer of the device or the motherboard running inside the device. It's also a good idea, when possible, to configure UEFIs to use multiple layers of defenses. Besides Secure Boot, this includes both Intel Boot Guard and, when available, Intel BIOS Guard. There are similar additional defenses available for devices running AMD or ARM CPUs."
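The bug class behind LogoFAIL is image-parser code that trusts header fields (dimensions, bit depth, palette size, pixel offset) when sizing allocations and copies, on input that Secure Boot never signs. The following is an added example, not code from Binarly, any IBV or this page: it shows the checks a BMP header parser needs before any pixel data is touched. The size caps and the helper names (validate_bmp, make_bmp, patch_width) are this example's own choices, and the sample images are constructed inline rather than taken from real firmware.

```python
import struct

# Layout of BITMAPFILEHEADER (14 bytes) and BITMAPINFOHEADER (40 bytes).
FILE_HDR = struct.Struct("<2sIHHI")          # magic, file size, reserved, reserved, pixel offset
INFO_HDR = struct.Struct("<IiiHHIIiiII")     # biSize, width, height, planes, bpp, compression, ...
# Sanity caps for a boot logo. These limits are this example's assumption, not a spec value.
MAX_DIM = 16384
MAX_PIXEL_BYTES = 64 * 1024 * 1024


class BadImage(ValueError):
    """Raised for any header field that would drive an unsafe allocation or copy."""


def validate_bmp(data: bytes) -> dict:
    """Check every size-bearing field of a BMP before trusting it.

    Returns the decoded geometry on success, raises BadImage otherwise. Each check
    makes explicit an assumption a naive parser holds implicitly: that width*bpp*height
    fits a 32-bit product, that the pixel offset lies inside the buffer, that the
    palette count is bounded by the bit depth, and that nothing follows the pixel rows.
    """
    if len(data) < FILE_HDR.size + INFO_HDR.size:
        raise BadImage("truncated header")
    magic, file_size, _r1, _r2, pix_off = FILE_HDR.unpack_from(data, 0)
    if magic != b"BM":
        raise BadImage("bad magic")
    (hdr_size, width, height, planes, bpp, compression, _img_size,
     _xppm, _yppm, colors_used, _important) = INFO_HDR.unpack_from(data, FILE_HDR.size)
    if hdr_size != INFO_HDR.size:
        raise BadImage(f"unsupported info header size {hdr_size}")
    if planes != 1 or compression != 0:
        raise BadImage("only uncompressed single-plane images accepted")
    if bpp not in (1, 4, 8, 24, 32):
        raise BadImage(f"unsupported bit depth {bpp}")
    # Width and height are signed fields; a negative width or a zero/oversized height is hostile.
    if not (0 < width <= MAX_DIM) or not (0 < abs(height) <= MAX_DIM):
        raise BadImage("dimensions out of range")
    # Palette size must be bounded by the bit depth, never by colors_used alone.
    if bpp <= 8:
        max_colors = 1 << bpp
        if colors_used > max_colors:
            raise BadImage("palette count exceeds what the bit depth allows")
        palette_bytes = 4 * (colors_used or max_colors)
    else:
        palette_bytes = 0
    header_end = FILE_HDR.size + INFO_HDR.size + palette_bytes
    if pix_off < header_end:
        raise BadImage("pixel offset points inside the headers")
    # Rows are padded to 4 bytes. Python ints do not wrap, so cap the product explicitly.
    stride = ((width * bpp + 31) // 32) * 4
    pixel_bytes = stride * abs(height)
    if pixel_bytes > MAX_PIXEL_BYTES:
        raise BadImage("pixel buffer exceeds cap")
    if pix_off + pixel_bytes > len(data):
        raise BadImage("pixel data runs past end of file")
    if file_size != len(data):
        raise BadImage(f"declared size {file_size} != actual {len(data)}")
    trailing = len(data) - (pix_off + pixel_bytes)
    if trailing:
        raise BadImage(f"{trailing} trailing bytes after pixel data")
    return {"width": width, "height": abs(height), "bpp": bpp,
            "stride": stride, "pixel_bytes": pixel_bytes, "pixel_offset": pix_off}


def make_bmp(width: int, height: int, bpp: int = 24) -> bytes:
    """Build a minimal uncompressed BMP (constructed sample input, not a vendor logo)."""
    stride = ((width * bpp + 31) // 32) * 4
    pixel_bytes = stride * height
    palette = bytes(4 * (1 << bpp)) if bpp <= 8 else b""
    pix_off = FILE_HDR.size + INFO_HDR.size + len(palette)
    info = INFO_HDR.pack(INFO_HDR.size, width, height, 1, bpp, 0, pixel_bytes, 2835, 2835, 0, 0)
    file_hdr = FILE_HDR.pack(b"BM", pix_off + pixel_bytes, 0, 0, pix_off)
    return file_hdr + info + palette + bytes(pixel_bytes)


def patch_width(bmp: bytes, width: int) -> bytes:
    """Overwrite only biWidth, leaving every other field looking consistent."""
    off = FILE_HDR.size + 4   # biSize is the first info-header field; biWidth follows it
    return bmp[:off] + struct.pack("<i", width) + bmp[off + 4:]


if __name__ == "__main__":
    good = make_bmp(64, 32)
    print(validate_bmp(good))
    # In a 32-bit C parser this width wraps the width*bpp*height product into a small
    # allocation while the copy loop still runs from the declared geometry.
    try:
        validate_bmp(patch_width(good, 0x7FFFFFFF))
    except BadImage as e:
        print("rejected:", e)
```

Run directly, the second image is rejected at the dimension check. The declared-size and trailing-bytes checks are what reject an image with data appended after its pixel rows, the shape of payload the summary above describes; a parser that stops at the declared pixel data never looks at those bytes, but they are still loaded into firmware memory along with the image.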
Security

Researchers Figure Out How To Bypass Fingerprint Readers In Most Windows PCs (arstechnica.com) 25

An anonymous reader quotes a report from Ars Technica: [L]ast week, researchers at Blackwing Intelligence published an extensive document showing how they had managed to work around some of the most popular fingerprint sensors used in Windows PCs. Security researchers Jesse D'Aguanno and Timo Teras write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptics sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft's own Surface Pro Type Covers. These are just three laptop models from the wide universe of PCs, but one of these three companies usually does make the fingerprint sensor in every laptop we've reviewed in the last few years. It's likely that most Windows PCs with fingerprint readers will be vulnerable to similar exploits.

Blackwing's post on the vulnerability is also a good overview of exactly how fingerprint sensors in a modern PC work. Most Windows Hello-compatible fingerprint readers use "match on chip" sensors, meaning that the sensor has its own processors and storage that perform all fingerprint scanning and matching independently without relying on the host PC's hardware. This ensures that fingerprint data can't be accessed or extracted if the host PC is compromised. If you're familiar with Apple's terminology, this is basically the way its Secure Enclave is set up. Communication between the fingerprint sensor and the rest of the system is supposed to be handled by the Secure Device Connection Protocol (SDCP). This is a Microsoft-developed protocol that is meant to verify that fingerprint sensors are trustworthy and uncompromised, and to encrypt traffic between the fingerprint sensor and the rest of the PC.

Each fingerprint sensor was ultimately defeated by a different weakness. The Dell laptop's Goodix fingerprint sensor implemented SDCP properly in Windows but used no such protections in Linux. Connecting the fingerprint sensor to a Raspberry Pi 4, the team was able to exploit the Linux support plus "poor code quality" to enroll a new fingerprint that would allow entry into a Windows account. As for the Synaptics and ELAN fingerprint readers used by Lenovo and Microsoft (respectively), the main issue is that both sensors supported SDCP but that it wasn't actually enabled. The Synaptics sensor used a custom TLS implementation for communication that the Blackwing team was able to exploit, while the Surface fingerprint reader communicated with the host in cleartext over USB. "In fact, any USB device can claim to be the ELAN sensor (by spoofing its VID/PID) and simply claim that an authorized user is logging in," wrote D'Aguanno and Teras.
"Though all of these exploits ultimately require physical access to a device and an attacker who is determined to break into your specific laptop, the wide variety of possible exploits means that there's no single fix that can address all of these issues, even if laptop manufacturers are motivated to implement them," concludes Ars.

Blackwing recommends all Windows Hello fingerprint sensors enable SDCP, the protocol Microsoft developed to try to prevent this exploit. PC makers should also "have a qualified expert third party audit [their] implementation" to improve code quality and security.
Government

Microsoft, Uber, Dell CEOs Consider Government-Funded Stock Funds for Children (cnbc.com) 149

"Government-funded investment accounts for children could be on the horizon," writes CNBC, "and if tech investor Brad Gerstner has his way, corporate America will match the funds..." Gerstner has been working with lawmakers to promote a legislative program known as Invest America that would create an investing account seeded with $1,000 for each child that's born in the U.S., but it's still too early in the process to publicly name supporters. He's aiming, however, to have legislation passed before the next presidential election. At the same time, he's working with corporate America to encourage businesses to offer matching funds to help employees further their savings.

"The vision is simple — that corporations would include an Invest America match of $1,000 into the Invest America account of children of their employees," Gerstner, founder and chief executive of Altimeter Capital, said in an email. "We have talked with companies ranging from Zillow to Dell to Uber and, subject to details, the response has been overwhelmingly positive," he said. Rich Barton, co-founder and chief executive of Zillow, said it's a "no-brainer" for his company to fully support and match the type of program Gerstner is proposing. "A 401(k)-style investment account from birth seems like a great way to tackle the growing divide around financial literacy and wealth," he said in an email. "It is a small investment to help parents achieve more peace of mind."

Representatives for Microsoft CEO Satya Nadella, Michael Dell and Uber CEO Dara Khosrowshahi, other companies Gerstner cited in a recent CNBC interview as being receptive to his pitch, did not respond to email requests for comment...

Certainly, there can be tangible — and intangible — benefits to companies that participate in a matching program. For instance, the government would have to provide tax incentives to companies that would presumably function similarly to how deductions are handled for 401(k) contributions, said Jeffrey Sharp, executive vice president at HUB International, a global insurance broker that provides employee benefits and other products and services. Someone with $1,000 in her account at birth could expect a balance of about $107,000 by age 67, provided the portfolio grew at an annualized rate of 7%, according to CNBC Make It's compounding interest calculator. With a company match, a $2,000 investment could grow to around $215,000, under the same conditions. The outcome could be even more beneficial if parents contribute additional funds.

The article also hedges that companies "would have to consider the advisability of paying for this type of benefit that not all employees could take advantage of. They might decide, for instance, they'd be better off upping their 401(k) match so more employees could benefit."

But "I think we have a historic moment right now to get everybody into the game of capitalism," Gerstner says in an interview, noting it would cost just $3.7 billion to fund 50 million accounts -- "less than 1/100th of 1% of the national budget" -- and that he hopes to see the legislation introduced next year "in the spring."
Microsoft

Microsoft's Windows Hello Fingerprint Authentication Has Been Bypassed (theverge.com) 53

Microsoft's Windows Hello fingerprint authentication has been bypassed on laptops from Dell, Lenovo, and even Microsoft. From a report: Security researchers at Blackwing Intelligence have discovered multiple vulnerabilities in the top three fingerprint sensors that are embedded into laptops and used widely by businesses to secure laptops with Windows Hello fingerprint authentication. Microsoft's Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers provided their findings in a presentation at Microsoft's BlueHat conference in October.

The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research, with a newly-published blog post detailing the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack. Such an attack could provide access to a stolen laptop, or even an "evil maid" attack on an unattended device. A Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X all fell victim to fingerprint reader attacks, allowing the researchers to bypass the Windows Hello protection as long as someone was previously using fingerprint authentication on a device. Blackwing Intelligence researchers reverse engineered both software and hardware, and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor. The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.
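The Ars summary earlier on this page and this report come down to the same property: the host must be able to tell a verdict from the real match-on-chip sensor apart from one a USB device merely claims to send, and a cleartext channel gives it no way to do so. The following is an added example, not Blackwing's, Microsoft's or any sensor vendor's code, and not SDCP's actual wire format: it models the principle of binding the sensor's verdict to a fresh host nonce with a message authentication code, beside the unauthenticated check an attacker can satisfy by spoofing VID/PID. A pre-shared HMAC key (SENSOR_KEY, a constructed value) stands in for SDCP's certificate-based device attestation and key agreement, and the class and function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

HASH = hashlib.sha256
REPLY = struct.Struct("<IB")      # template id, result (1 = match)
TAG_LEN = HASH().digest_size

# Assumed device-unique secret. In a real match-on-chip design this never leaves the
# sensor, and the host holds an attestation root plus a negotiated session key rather
# than a shared secret; the pre-shared key is this example's simplification.
SENSOR_KEY = bytes.fromhex("d0cf11e0a1b11ae1" * 4)


class MatchOnChipSensor:
    """Sensor side: matches on its own silicon and authenticates the outcome to the host's nonce."""

    def __init__(self, key: bytes):
        self._key = key
        self._enrolled = {7: "alice"}   # template id -> owner, stored only on the sensor

    def authorize(self, host_nonce: bytes, presented_template: int) -> bytes:
        matched = presented_template in self._enrolled
        body = REPLY.pack(presented_template, 1 if matched else 0)
        tag = hmac.new(self._key, host_nonce + body, HASH).digest()
        return body + tag


class Host:
    """Host side: issues a fresh nonce per login and accepts only a reply bound to it."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(32)
        return self._pending

    def verify(self, reply: bytes):
        """Return the authorized template id, or None if the reply is forged, stale or replayed."""
        if self._pending is None or len(reply) != REPLY.size + TAG_LEN:
            return None
        nonce, self._pending = self._pending, None     # one-shot: a nonce is never reused
        body, tag = reply[:REPLY.size], reply[REPLY.size:]
        expected = hmac.new(self._key, nonce + body, HASH).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        template_id, result = REPLY.unpack(body)
        return template_id if result == 1 else None


def cleartext_login(reply: bytes):
    """The unauthenticated transport: trust whatever claims a match."""
    template_id, result = REPLY.unpack(reply[:REPLY.size])
    return template_id if result == 1 else None


def spoofed_reply(template_id: int = 7) -> bytes:
    """A USB device presenting the sensor's identity but holding none of its key material."""
    return REPLY.pack(template_id, 1) + bytes(TAG_LEN)


def demo() -> dict:
    host, sensor = Host(SENSOR_KEY), MatchOnChipSensor(SENSOR_KEY)
    out = {}
    genuine = sensor.authorize(host.challenge(), 7)
    out["genuine"] = host.verify(genuine)                     # 7
    out["cleartext_spoof"] = cleartext_login(spoofed_reply())  # 7: accepted without any key
    host.challenge()
    out["spoof"] = host.verify(spoofed_reply())               # None: tag does not verify
    host.challenge()
    out["replay"] = host.verify(genuine)                      # None: bound to an older nonce
    nonce = host.challenge()
    out["unknown"] = host.verify(sensor.authorize(nonce, 99))  # None: sensor reported no match
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```

demo() returns the outcomes side by side: cleartext_login accepts a spoofed "match" carrying no key at all, which is the VID/PID spoofing the researchers describe for the ELAN sensor, while the nonce-bound verifier rejects the spoof, a replay of a genuine reply captured earlier, and a genuine reply for a template the sensor did not match.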

Cloud

Oxide Launches the World's First 'Commercial' Cloud Computer (thenewstack.io) 35

VentureBeat reports: Thursday San Francisco-based Oxide, a startup founded by computing experts from Joyent and Dell, launched what it calls the world's first "commercial cloud computer," a rack-scale system that enterprises can own to reap the benefits and flexibility of cloud computing on-premises, right within their data center. The company believes the new offering can finally put an end to the "cloud vs on-prem" dilemma enterprises face while setting up their infrastructure...

It also announced $44 million in a series A round of funding, led by Eclipse VC with participation from Intel Capital, Riot Ventures, Counterpart Ventures and Rally Ventures. Oxide plans to use this money to accelerate the adoption of its cloud computer, giving teams a new, better option to serve their customers... The round brings Oxide's total financing raised to date to $78 million.

Since 2019 Oxide has thrown a team of 60 technologists at the problem — and Thursday, Oxide also revealed an impressive list of current customers: There's the U.S. Department of Energy — specifically its Idaho National Laboratory (which has historically been involved in nuclear research) — as well as "a well-known financial services firm". Oxide also announced that within just a few months, there'll be additional installations at multiple Fortune 1000 companies. And beyond that, Oxide is also boasting that they now have "a long wait list of customers ready to install once production catches up with demand...."

Will Coffield, a partner at Riot Ventures, quipped that Oxide had "essentially wrapped all the hopes and dreams of a software engineer, IT manager, and a CFO into a single box...." Steve Tuck, CEO and co-founder of Oxide, pointed out that cloud computing "remains restricted to a centralized, rental-only model." There are many reasons why an enterprise might want to own their infrastructure — security, reliability, cost, and response time/latency issues — and as Tuck sees it, "the rental-only model has denied them modern cloud capabilities for these use cases.

"We are changing that."

Earlier this year on the Software Engineering Daily podcast, CTO/co-founder Bryan Cantrill remembered that when doing their compliance testing, "The folks at the compliance lab — they see a lot of servers — and they're like, 'Are you sure it's on?' Because it's so quiet!" (This June article notes that later on the podcast Cantrill argued that the acoustics of today's data centers are "almost like an odor. It is this visceral reminder that this domain has suffered for lack of real systemic holistic thinking...")

Oxide's press packet lays out other advantages for their servers. "Power usage is 2x efficient, takes up half the space, and can be up and running in just four hours instead of three months."
Ubuntu

How Ubuntu Linux Snuck Into High-End Dell Laptops (zdnet.com) 48

Linus Torvalds has said he bought a Dell XPS-13 with Ubuntu Linux for his daughter. Now ZDNet shares some trivia from the history of "the most well-known Linux laptop," citing a presentation by Barton George, Dell Technologies' Developer Community manager, at the Linux/open-source conference All Things Open: First, however, you should know that Dell has supported Linux desktops and laptops since the middle 2000s. In 2006, Michael Dell told me that Dell would be the first major PC vendor to release and support desktop Linux — and this proved to be a success. Barton George explained that Dell had always done great volume with these computers. Not volume, like the Windows machines, of course, but enough that Dell has always offered Linux-based — primarily Red Hat Enterprise Linux (RHEL) powered — workstations.

Still, none of these machines really appealed to developers... George announced on his personal blog what Dell was planning, and his traffic went from 60 views a day to 15,000. Then, as now, there's a lot of interest in laptops that come with Linux ready to go... Dell got together with Canonical, Ubuntu Linux's parent company, to make sure all the drivers were in place for a top-notch Ubuntu Linux developer desktop experience. Indeed, the name 'Project Sputnik' is a nod to Mark Shuttleworth, Ubuntu founder and Canonical CEO. A decade before the project itself, Shuttleworth had spent eight days orbiting the Earth in a Soviet Soyuz spacecraft. George and the crew decided "Soyuz" didn't have an inspiring ring to it, so the company went with "Sputnik" instead.

George continued: "We announced a beta program for the machine with a 10% off offer. We thought, well, we'll probably get 300 people. Instead, we got 6,000. This is where senior management said OK, you've got something real."

AI

Dell and Samsung Grab First-Class Tickets For AI Hype Train (theregister.com) 3

Dell and Samsung are the latest beneficiaries of the current frenzy of speculation surrounding anything AI related, with both vendors seeing a rise in share prices related to their future AI prospects. From a report: Shares in Dell were said to be up 8 percent in extended trading following the Round Rock company releasing its results for the second quarter of its financial year 2024. These showed that revenue was $22.9 billion, down 13 percent on the same period last year. However, this figure was also up 10 percent on the previous quarter, with the company attributing this growth to rising demand for AI-optimized servers, as well as its PowerStore and PowerFlex storage systems. AI accounted for 20 percent of server revenue in the first half of the year, Dell said.

Similarly, Dell said it is seeing growth in demand for its workstations designed to help organizations run complex AI workloads locally, with its commercial client revenue hitting $10.6 billion. This accounted for the lion's share of the Client Solutions Group second quarter revenue of $12.9 billion, which was down 16 percent year-on-year but up 8 percent on the last quarter. Dell vice chairman and chief operating officer Jeff Clarke said that the company continued to focus on the most profitable segments of the market where he claimed Dell has a leading position.

The Courts

Dell Australia Fined By Regulators Over 'Misleading' Device Discount Tactics (itpro.com) 6

Dell has been fined more than $6.5 million by Australian regulators after it was found to have misled consumers on discounted hardware prices. From a report: The Australian Consumer and Competition Commission (ACCC) imposed a $10 million AUS fine on the tech giant for "making false and misleading representations" about discounted prices for add-on computer monitors. Dell Australia admitted that it has misled customers over prices available on monitors in 'bundle' packages alongside desktop, laptop, or notebook devices. Add-on monitors were "often advertised with a higher 'strikethrough' price," an investigation by the regulator found. These strikethrough prices were framed as a way for consumers to make significant savings on monitors if purchased alongside other computing products.

However, these discounted prices were often overstated, with the regulator ruling that the monitors were not sold for discounted prices in many instances. Dell also conceded it misled customers about the discounted price of add-on monitors with statements such as "Total Savings," "Includes x% off," "Discounted Price," and "Get the best price for popular accessories when purchased with this product." The ACCC said in a statement, "In many cases, consumers paid more than if they had purchased the monitor as a standalone product."

AI

Dell Is All In On Generative AI (theverge.com) 18

It isn't just software companies looking to enter the generative AI fray. Dell, the PC maker, is going all in on generative AI and offering hardware to run powerful models and a new platform to help organizations get started. From a report: The company released what it calls Dell Generative AI Solutions for clients to set up access to large language models and create generative AI projects. The company will offer new hardware setups, a managed service platform, and computers to run generative AI projects faster.

Dell is known for releasing laptops and monitors, but the company also produces server racks and other enterprise hardware. While the more public face of the AI arms race is between developers of large language models like Meta, OpenAI, and Google, another group of tech companies is looking into how to cash in on the technology. From hardware providers to cloud providers, everyone believes they need an AI service to keep up as clients want to add more AI capabilities to their businesses.

Intel

Intel Kills Its NUC Line (pcworld.com) 67

Intel has decided to stop making its Next Unit of Computing (NUC), but the company will encourage partners to keep making the small form-factor (SFF) PCs, the company said Tuesday. From a report: Intel's NUC championed compact PCs, while leaving larger chassis options to partners like Dell and HP. But Intel's decision seems like a natural one, given that Intel has refocused on its core businesses during a period in which it also invested heavily in its own manufacturing operations and foundry business.

An Intel spokesman confirmed an initial report by Serve The Home, saying that Intel will continue to support the existing NUCs it has already shipped into the market. "We have decided to stop direct investment in the Next Unit of Compute (NUC) Business and pivot our strategy to enable our ecosystem partners to continue NUC innovation and growth," the Intel spokesman said in an email.

The Almighty Buck

Dell In Hot Water For Making Shoppers Think Overpriced Monitors Were Discounted (arstechnica.com) 70

An anonymous reader quotes a report from Ars Technica: Dell Technologies' Australia subsidiary misled online shoppers into thinking that adding a monitor to their purchase would get them a discount on the display, even though doing so sometimes resulted in customers paying a higher price for the monitor than if they had bought it on its own. That's according to a declaration by the Australian Federal Court on Monday. The deceptive practices happened on Dell's Australian website, but they serve as a reminder to shoppers everywhere that a strikethrough line or sale stamp on an online retailer doesn't always mean you're getting a bargain. On June 5, the Federal Court said Dell Australia was guilty of making "false or misleading representations with respect to the price" of monitors that its website encouraged shoppers to add to their purchase. The purchases were made from August 2019 to the middle of December 2021.

The website would display the add-on price alongside a higher price that had a strikethrough line, suggesting that the monitor was typically sold at the price with the line going through it but that customers would get a discount if they added it to their cart at purchase. (The Australian Competition & Consumer Commission, or ACCC, posted a screenshot example.) However, the strikethrough prices weren't actually representative of what Dell was charging for the monitors for most of the time before the purported discount. In fact, the allegedly discounted price occasionally turned out to be a rip-off, as ACCC commissioner Liza Carver said in a statement today: "In some cases, consumers paid more for the add-on monitor advertised as 'discounted' than they would have paid if they had bought it as a stand-alone product, which is shocking."

The Australian Federal Court also found that Dell's Australian website used deceptive language, like "Includes x% off," "Total Savings" plus a dollar amount, "Discounted Price" and a dollar amount, and "Get the best price for popular accessories when purchased with this product." According to the ACCC, shoppers spent over $2 million Australian dollars ($1.33 million USD) on 5,300 add-on monitors during this time period. The Australian Federal Court ordered Dell Australia to give full or partial refunds to affected customers. The company must also hire an "independent compliance professional" and contact affected customers. The Australian Federal Court will take comment on further penalties Dell Australia should incur, which could include fines, at a future date.
Dell told The Register: "As we acknowledged in November 2022 when the ACCC commenced these proceedings, due to an unrectified error on our part, our web page misrepresented the level of savings consumers could achieve by purchasing a monitor in conjunction with a desktop, laptop, or notebook."

Dell is looking into refunding customers, "plus interest," Dell's statement to The Register added, and the company is "taking steps to improve our pricing processes to ensure this sort of error does not happen again."
Data Storage

ARM Joins Linux Foundation's 'Open Programmable Infrastructure' Project (linuxfoundation.org) 18

ARM has joined the Linux Foundation's Open Programmable Infrastructure project, "a community-driven initiative focused on creating a standards-based open ecosystem for next-generation architectures and frameworks" based on programmable processor technologies like DPUs (Data Processing Units) and IPUs (Infrastructure Processing Units).

From the Linux Foundation's announcement: Launched in June 2021 under the Linux Foundation, the project is focused on utilizing open software and standards, as well as frameworks and toolkits, to enable the rapid adoption of DPUs. Arm joins other premier members including Dell Technologies, F5, Intel, Keysight Technologies, Marvell, Nvidia, Red Hat, Tencent, and ZTE. These member companies work together to create an ecosystem of blueprints and standards to ensure that compliant DPUs work with any server.

DPUs are used today to accelerate networking, security, and storage tasks. In addition to performance benefits, DPUs help improve data center security by providing physical isolation for running infrastructure tasks. DPUs also help to reduce latency and improve performance for applications that require real-time data processing. As DPUs create a logical split between infrastructure compute and client applications, the manageability of workloads within different development and management teams is streamlined.

"Arm has been contributing to the OPI Project for a while now," said Kris Murphy, Chair of the OPI Project Governing Board and Senior Principal Software Engineer at Red Hat. "Now, as a premier member, we are excited that they're bringing their leadership to the Governing Board and expertise to the technical steering committee and working groups. Their participation will help to ensure that the DPU components are optimized for programmable infrastructure solutions."

"Across network, storage, and security applications, DPUs are already proving the power efficiency and capex benefits of specialized processing technology," said Marc Meunier, director of ecosystem development, Infrastructure Line of Business, Arm and member of OPI Governing Board. "As a premier member of the OPI project, we look forward to contributing our expertise in heterogeneous computing and working with other leaders in the industry to create solution blueprints and standards that pave the way for successful deployments."

"The DPU market offers an opportunity for us to change how infrastructure services can be deployed and managed," said Arpit Joshipura, General Manager, Networking, Edge, and IoT, the Linux Foundation. "With collaboration across software and hardware vendors representing silicon devices and the entire DPU software stack, the OPI Project is creating an open ecosystem for next generation data centers, private clouds, and edge deployments."

Technology

Throwaway Britain: What Happens To Our Old Tech? (ft.com) 41

An anonymous reader shares a report: We fitted trackers in old, broken FT laptops -- cleared of data -- and gave them to the UK's six most prominent retailers, who are legally obliged to take back old goods from customers buying new ones. Over the next six months, the trackers took us on a curious tour of Britain, with stops at a Norfolk beach, two residential addresses in Slough and a warehouse in rural Wales. They opened a window into an industry plagued by an Achilles heel it calls "leakage" -- where goods slip through the fingers of formal recyclers into the hands of other, potentially questionable, actors.

All the retailers promised they would "recycle" the laptops, but one of the two we gave to John Lewis was stolen twice out of the recycling supply chain. Meanwhile, Argos sold the two we handed in to an eBay seller. None of the laptops we kept sight of ended up illegally exported, but some slipped into streams that could still head that way. [...] Six months after deploying the 14 FT laptops, 10 appeared to have been recycled correctly. Three deployed with Amazon, two with Dell, one with Curry's and one with John Lewis travelled to authorised recycling plants. The recycling company that received the three laptops we gave to Apple said they were recycled. The second Curry's laptop was still sitting at the site of a recycling company to be harvested for repairs, the retailer said.

Then the tracker went dark, meaning it is unclear where the laptop went next. "The fact it happened twice might just be unfortunate," noted Sayers, "or it reiterates the fact that stuff leaks." Justin Greenaway, commercial manager at Sweeep Kuusakoski, an electronics recycling plant in Kent, said household waste recycling centres were regularly targeted by criminals and "if e-waste is stolen it is often destined to be exported." Slough Borough Council, which runs the recycling centre, said the accuracy radius of trackers meant it could not be proved the laptop entered its site, but "if someone wanted to lift something ... it could happen without being noticed." WasteCare insisted that theft from its operations was "rare," minimised by 24/7 on-site CCTV and cameras in its vehicles, and said it was working "to put in place additional measures to avoid a recurrence." John Lewis said the company was reviewing its processes to prevent this from happening again. Approximately 114,000 tonnes of electronics are lost from the UK's recycling system to theft every year, according to a report by Material Focus, a non-profit electrical recycling organisation.

Windows

Microsoft Announces Cloud-Powered OS Backup and Restore for Windows 11, Better ARM Support (windowscentral.com) 50

Microsoft's annual developer event Build 2023 unveiled ChatGPT's integration into Bing and an AI 'personal assistant' for Windows 11.

But Windows Central also notes two more big (non-AI) announcements:

Windows 11 is getting cloud-powered OS backup and restore

Smartphone owners have long enjoyed a similar functionality, where you could buy a new device and upon the first start, simply log in to your platform account and select "Restore my apps" from the cloud backup. And now Windows will be able to do the same. ["If the user chooses yes, Windows will automatically apply the old wallpaper and settings and even begin preloading apps you had installed on your old PC. Once the user hits the desktop, they'll see all their previously pinned apps already in the Taskbar, and clicking on them will initiate an automatic download from the Microsoft Store."]

Windows 11 on ARM devices gets a big boost

[B]ecause Microsoft has no intention of dropping x86 support, they have been slow in adopting ARM architecture to make it a viable alternative for Windows users. With Build 2023, this is moving ahead...

Elsewhere Windows Central argues that the changes "should result in a better experience on devices like the Surface Pro 9 (ARM), Surface Pro X, and the new Dell Inspiron 14 with a Snapdragon 8cx 2 processor."

On the gaming side of things, Unity with native Windows on ARM support will become available in early June. Once launched, the tool will let developers target Windows on ARM devices for current and future games, resulting in better performance. Unity is a very popular development platform for games, and native support for Windows on ARM is a welcome addition...

Visual Studio having Multi-platform App UI (MAUI) support for Arm will give developers another way to target Windows on ARM PCs.

Even Node.js v20.0.0 now officially supports ARM64 Windows, "allowing for native execution on the platform. The MSI, zip/7z packages, and executable are available from the Node.js download site along with all other platforms."

And in addition, Visual Studio 17.71 Preview 1 now ships with support for Linux development with C++.

Hardware

India Launches $2 Billion Drive To Woo Laptop Makers Like Apple (bloomberg.com) 19

India is unveiling a 170 billion-rupee ($2.1 billion) financial incentive plan to draw makers of laptops, tablets and other hardware to the South Asian nation as companies look to diversify supply chains beyond China. From a report: Prime Minister Narendra Modi is capitalizing on the early success of Apple's local assembly operations -- which have helped the US company produce about 7% of its global iPhone output -- to pitch the country as a viable global manufacturing hub. New Delhi wants to bring more tech production to India after China's trade war with the US and its strict Covid policies prompted companies to weigh other options. Apple has yet to begin making iPads or MacBook laptops in India, but fresh incentives could push the Cupertino, California-based company to consider such moves. Other manufacturers who could take advantage of the new measures include Dell, HP and Asustek Computer.

Security

Microsoft Will Take Nearly a Year To Finish Patching New 0-Day Secure Boot Bug (arstechnica.com) 48

An anonymous reader quotes a report from Ars Technica: Earlier this week, Microsoft released a patch to fix a Secure Boot bypass bug used by the BlackLotus bootkit we reported on in March. The original vulnerability, CVE-2022-21894, was patched in January, but the new patch for CVE-2023-24932 addresses another actively exploited workaround for systems running Windows 10 and 11 and Windows Server versions going back to Windows Server 2008. The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. Secure Boot has been enabled by default for over a decade on most Windows PCs sold by companies like Dell, Lenovo, HP, Acer, and others. PCs running Windows 11 must have it enabled to meet the software's system requirements.

Microsoft says that the vulnerability can be exploited by an attacker with either physical access to a system or administrator rights on a system. It can affect physical PCs and virtual machines with Secure Boot enabled. We highlight the new fix partly because, unlike many high-priority Windows fixes, the update will be disabled by default for at least a few months after it's installed and partly because it will eventually render current Windows boot media unbootable. The fix requires changes to the Windows boot manager that can't be reversed once they've been enabled. Additionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes. On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft's ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs.

Not wanting to suddenly render any users' systems unbootable, Microsoft will be rolling the update out in phases over the next few months. The initial version of the patch requires substantial user intervention to enable -- you first need to install May's security updates, then use a five-step process to manually apply and verify a pair of "revocation files" that update your system's hidden EFI boot partition and your registry. These will make it so that older, vulnerable versions of the bootloader will no longer be trusted by PCs. A second update will follow in July that won't enable the patch by default but will make it easier to enable. A third update in "first quarter 2024" will enable the fix by default and render older boot media unbootable on all patched Windows PCs. Microsoft says it is "looking for opportunities to accelerate this schedule," though it's unclear what that would entail.

IT

Leak of MSI UEFI Signing Keys Stokes Fears of 'Doomsday' Supply Chain Attack (arstechnica.com) 62

A ransomware intrusion on hardware manufacturer Micro-Star International, better known as MSI, is stoking concerns of devastating supply chain attacks that could inject malicious updates that have been signed with company signing keys that are trusted by a huge base of end-user devices, a researcher said. From a report: "It's kind of like a doomsday scenario where it's very hard to update the devices simultaneously, and they stay for a while not up to date and will use the old key for authentication," Alex Matrosov, CEO, head of research, and founder of security firm Binarly, said in an interview. "It's very hard to solve, and I don't think MSI has any backup solution to actually block the leaked keys."

The intrusion came to light in April when, as first reported by Bleeping Computer, the extortion portal of the Money Message ransomware group listed MSI as a new victim and published screenshots purporting to show folders containing private encryption keys, source code, and other data. A day later, MSI issued a terse advisory saying that it had "suffered a cyberattack on part of its information systems." The advisory urged customers to get updates from the MSI website only. It made no mention of leaked keys. Since then, Matrosov has analyzed data that was released on the Money Message site on the dark web. To his alarm, included in the trove were two private encryption keys. The first is the signing key that digitally signs MSI firmware updates to cryptographically prove that they are legitimate ones from MSI rather than a malicious impostor from a threat actor. This raises the possibility that the leaked key could push out updates that would infect a computer's most nether regions without triggering a warning. To make matters worse, Matrosov said, MSI doesn't have an automated patching process the way Dell, HP, and many larger hardware makers do. Consequently, MSI doesn't provide the same kind of key revocation capabilities.
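The Secure Boot story above and the MSI key leak turn on the same mechanism: a device trusts whatever is signed by a key in its allow list, a leaked key therefore produces updates the verifier cannot distinguish from genuine ones, and the only remedy is a revocation entry that also rejects every legitimate image the old key ever signed. The Go program below is an added walk-through written for this page; it is not Microsoft's, MSI's or Binarly's code. Its `TrustStore`, the `db`/`dbx` naming (borrowed from the UEFI Secure Boot variables of those names, but simplified here to SHA-256 key ids rather than certificates and Authenticode-signed PE images), the key seeds and the firmware image bytes are all constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

type Verdict string

const (
	Accepted      Verdict = "accepted"
	BadSignature  Verdict = "rejected: signature does not verify"
	UnknownSigner Verdict = "rejected: signer not in allow list (db)"
	RevokedSigner Verdict = "rejected: signer on forbidden list (dbx)"
)

// TrustStore is a hypothetical stand-in for a platform's allow list (db) and
// forbidden list (dbx), keyed by SHA-256 of the public key; not a vendor's code.
type TrustStore struct {
	Allowed map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// SignedUpdate is a firmware image, its signature and the signer's key id.
type SignedUpdate struct {
	Image, Signature []byte
	SignerID         string
}

func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign produces an update signed with priv. The vendor and anyone holding a
// leaked copy of priv produce output the verifier cannot tell apart.
func Sign(priv ed25519.PrivateKey, image []byte) SignedUpdate {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedUpdate{image, ed25519.Sign(priv, image), keyID(pub)}
}

// Verify checks dbx first, then db membership, then the signature itself.
func (ts *TrustStore) Verify(u SignedUpdate) Verdict {
	if ts.Revoked[u.SignerID] {
		return RevokedSigner
	}
	pub, ok := ts.Allowed[u.SignerID]
	if !ok {
		return UnknownSigner
	}
	if !ed25519.Verify(pub, u.Image, u.Signature) {
		return BadSignature
	}
	return Accepted
}

// RunScenario walks through leak, revocation and re-keying with constructed
// images and returns the verdict at each stage.
func RunScenario() map[string]Verdict {
	// Fixed seeds keep the walk-through reproducible; real keys come from a CSPRNG.
	vendorPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	newPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	vendorPub := vendorPriv.Public().(ed25519.PublicKey)
	newPub := newPriv.Public().(ed25519.PublicKey)
	ts := &TrustStore{
		Allowed: map[string]ed25519.PublicKey{keyID(vendorPub): vendorPub},
		Revoked: map[string]bool{},
	}
	out := map[string]Verdict{}
	genuine := Sign(vendorPriv, []byte("vendor firmware v1.0 (constructed image)"))
	out["genuine"] = ts.Verify(genuine)

	// With the leaked private key a forged image verifies exactly like a genuine one.
	forged := Sign(vendorPriv, []byte("modified firmware (constructed image)"))
	out["forged"] = ts.Verify(forged)

	// A dbx entry blocks the forgery but also every legitimate image signed by the
	// same key, which is why revocation makes older update and boot media unusable.
	ts.Revoked[keyID(vendorPub)] = true
	out["forged-after-dbx"] = ts.Verify(forged)
	out["genuine-after-dbx"] = ts.Verify(genuine)

	// Recovery means enrolling a new key in db and re-signing the images with it;
	// a single flipped byte in a re-signed image still fails the signature check.
	ts.Allowed[keyID(newPub)] = newPub
	resigned := Sign(newPriv, genuine.Image)
	out["resigned"] = ts.Verify(resigned)
	tampered := SignedUpdate{append([]byte(nil), resigned.Image...), resigned.Signature, resigned.SignerID}
	tampered.Image[0] ^= 0x01
	out["tampered"] = ts.Verify(tampered)
	return out
}

func main() {
	for stage, v := range RunScenario() {
		fmt.Printf("%-18s %s\n", stage, v)
	}
}
```

Running it with `go run` prints one verdict per stage. The two stages worth reading side by side are "forged" (accepted, because nothing about a signature reveals who held the key) and "genuine-after-dbx" (rejected, because revocation is per key, not per image): the first is the scenario Matrosov describes for a vendor with no revocation channel, the second is the reason Microsoft's Secure Boot fix cannot be enabled without also invalidating older boot media.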

Open Source

Red Hat's 30th Anniversary: How a Microsoft Competitor Rose from an Apartment-Based Startup (msn.com) 47

For Red Hat's 30th anniversary, North Carolina's News & Observer newspaper ran a special four-part series of articles.

In the first article Red Hat co-founder Bob Young remembers Red Hat's first big breakthrough: winning InfoWorld's "OS of the Year" award in 1998 — at a time when Microsoft's Windows controlled 85% of the market. "How is that possible," Young said, "that one of the world's biggest technology companies, on this strategically critical product, loses the product of the year to a company with 50 employees in the tobacco fields of North Carolina?" The answer, he would tell the many reporters who suddenly wanted to learn about his upstart company, strikes at "the beauty" of open-source software.

"Our engineering team is an order of magnitude bigger than Microsoft's engineering team on Windows, and I don't really care how many people they have," Young would say. "Like they may have thousands of the smartest operating system engineers that they could scour the planet for, and we had 10,000 engineers by comparison...."

Young was a 40-year-old Canadian computer equipment salesperson with a software catalog when he noticed what Marc Ewing was doing. [Ewing was a recent college graduate bored with his two-month job at IBM, selling customized Linux as a side hustle.] It's pretty primitive, but it's going in the right direction, Young thought. He began reselling Ewing's Red Hat product. Eventually, he called Ewing, and the two met at a tech conference in New York City. "I needed a product, and Marc needed some marketing help," said Young, who was living in Connecticut at the time. "So we put our two little businesses together."

Red Hat incorporated in March 1993, with the earliest employees operating the nascent business out of Ewing's Durham apartment. Eventually, the landlord discovered what they were doing and kicked them out.

The four articles capture the highlights. ("A visual effects group used its Linux 4.1 to design parts of the 1997 film Titanic.") And it doesn't leave out Red Hat's skirmishes with Microsoft. ("Microsoft was owned by the richest person in the world. Red Hat engineers were still linking servers together with extension cords.") "We were changing the industry and a lot of companies were mad at us," says Michael Ferris, Red Hat's VP of corporate development/strategy. Soon there were corporate partnerships with Netscape, Intel, Hewlett-Packard, Compaq, Dell, and IBM — and when Red Hat finally went public in 1999, its stock saw the eighth-largest first-day gain in Wall Street history, rising in value in days to over $7 billion and "making overnight millionaires of its earliest employees."

But there are also inspiring details, like the quote painted on the wall of Red Hat's headquarters in Durham: "Every revolution was first a thought in one man's mind; and when the same thought occurs to another man, it is the key to that era..." It's fun to see the story told by a local newspaper, with subheadings like "It started with a student from Finland" and "Red Hat takes on the Microsoft Goliath."

Something I'd never thought of. 2001's 9/11 terrorist attack on the World Trade Center "destroyed the principal data centers of many Wall Street investment banks, which were housed in the twin towers. With their computers wiped out, financial institutions had to choose whether to rebuild with standard proprietary software or the emergent open source. Many picked the latter." And by the mid-2000s, "Red Hat was the world's largest provider of Linux..." according to part two of the series. "Soon, Red Hat was servicing more than 90% of Fortune 500 companies." By then, even the most vehement former critics were amenable to Red Hat's kind of software. Microsoft had begun to integrate open source into its core operations. "Microsoft was on the wrong side of history when open source exploded at the beginning of the century, and I can say that about me personally," Microsoft President Brad Smith later said.

In the 2010s, "open source has won" became a popular tagline among programmers. After years of fighting for legitimacy, former Red Hat executives said victory felt good. "There was never gloating," Tiemann said.

"But there was always pride."

In 2017 Red Hat's CEO answered questions from Slashdot's readers.

Hardware

Framework's First Gaming Laptop Features Upgradeable GPUs, Swappable Keyboards (arstechnica.com) 20

An anonymous reader quotes a report from Ars Technica: Framework has delivered on the promise of its original 13-inch laptop. Three product generations in, the company has made a respectable competitor for the Dell XPS 13 or MacBook Air that can be repaired, modified, and upgraded, and owners of the original laptop can easily give themselves a significant performance boost by upgrading to the new 13th-generation Intel or AMD Ryzen-based boards the company announced today. Framework is now looking to build on that track record with an all-new Framework Laptop 16. It's a larger-screened model that can fit more powerful processors, dedicated GPUs, and a range of different keyboard modules, all with the same commitment to repairability and upgradeability seen in the original Framework Laptop (now retroactively dubbed the Framework Laptop 13).

Framework isn't discussing many details yet; preorders won't open until "this spring," and shipments won't begin until "late 2023." Today, the company provided a preview of the laptop's features, along with developer documentation to encourage the creation of new Input Modules -- components that allow for keyboard customization much like the current Expansion Card system allows for port customization.

Patents

Dell and Partners Smash Patent Troll WSOU in Court (beehiiv.com) 37

In the land of patent litigation, all patent trolls want to file in the US Western District of Texas Court. This court is infamous for being sympathetic to patent plaintiffs. That's why patent litigator WSOU Investments, aka Brazos Licensing and Development, went after Dell, EMC, and VMware in this Court. Usually, this would have been the smart move. Not this time. District Judge Alan Albright granted the defendants a directed verdict, and that was the end of the matter. From a report: What happened was this: WSOU, although successful before with its carpet-bombing patent lawsuit strategy, failed this time. According to the lead defense counsel and Gibson Dunn partner, Brian A. Rosenthal, "This case got to trial because the plaintiff refused to come to their senses before trial. We obtained a number of serious exclusions of evidence prior to trial, and told them very early on the case had no merit." The judge agreed.

That came as a surprise to those of us who watch patent lawsuits, so you don't have to. As Heather Meeker, the well-known open-source and intellectual property (IP) lawyer, said, "This is surprisingly defendant-friendly from Judge Albright, who has received a lot of criticism for making Waco such a patent plaintiff-friendly docket." Until now, WSOU had been very successful. As a Patent Assertion Entity (PAE), its only goal is to profit by acquiring patents and then suing companies that might be using the patents' intellectual property (IP) assets. It does this by using its portfolio of technology patents to file numerous individual suits involving different patents against companies. WSOU's main tactic, as Unified Patents put it, "forces operating companies to either settle or fight, on average, eight lawsuits at once."

Most companies faced with the financial burden of struggling with so many lawsuits settle rather than fight. Not this time. For the first time, companies decided to take the issues to court. In this particular set of cases, WSOU claimed in a June 2020 lawsuit that the defendants had infringed on three cloud infrastructure networking patents, and sought $435 million in damages. Rosenthal argued that the patents in question were old and irrelevant to the defendants' interests. The defense team had informed WSOU in October 2020 that there was no proof of direct infringement, but the plaintiff persisted with the case, leading to exclusions of evidence prior to trial. So it was that on the first day of the trial, two of the patents were tossed out on evidentiary rulings, and the plaintiff rested its case on the third day. The defense then requested a directed verdict, which was granted by Albright, resulting in a win for the defendants. In short, even this patent-friendly court could find no evidence at all for WSOU's assertions.
