Except that the article *was not* about chips being reprogrammed at the factory
Except that the article *was not* about chips being reprogrammed at the factory
Yes? And how does that sort of tool help you install rogue backdoor? You can at best hide some files on the drive. Which you can pretty much do anyway, without any hardware hacking. It is not like you can convert the flash drive into a keylogger that will transmit captured data to NSA with it.
Nope. While these chips are common both are way too expensive for mass-produced hardware. Practically every microcontroller has a version with USB interface today and most of mass produced gear doesn't use these - an FTDI bridge is around $1/pop at quantity, that's crazy for an $20-40 end-user price item.
Anyhow, FTDI chips cannot be reprogrammed - you can modify their settings, but the are only an UART/I2C/SPI-to-USB bridge, they don't do anything by themselves. And that something uses e.g. an Atmel AVR chip (actually really rare, they are very expensive for the capabilities they have) doesn't mean that the programming pins are *actually hooked up* to something that is USB-accessible. Some may have the DFU bootloader, but typically they would have the firmware locked. You are way more likely to find various ARM micros and cheap Chinese clones of MCS'51 series these days, but again, that the chip is programmable doesn't mean it could be reprogrammed by the host system!
I would love to see malware that will reprogram a mask-programmed blob in a common throwaway hardware. Or a microcontroller in a webcam that doesn't even have the programming pins (typically some sort of ISP or JTAG) connected to anything USB accessible (or not even connected at all, at best to some test pads).
A typical USB stick or a webcam don't have hardware to permit firmware upgrades, even though the silicon inside could be theoretically upgradable. Not to mention that the exploit would have to be written specifically for the target hardware - different processors, memory layout, USB interface, etc - all that would make it really hard to produce a generic malware. If you want to see what is involved in something like that, look at the article on hacking HDD controllers:
http://spritesmods.com/?art=hd... And that is a harddrive, which are produced by only few manufacturers, have relatively standardized interfaces and controllers. Now imagine having to do that sort of reverse engineering on every type of harddrive in common use if you wanted to write a reasonably effective malware (e.g. a data stealing worm). It is much easier to exploit some Windows bug or use a phishing scam than this.
So yes, this is potentially a threat, but panicking over your USB sticks or webcams going rogue on you is vastly overblown. This could be an issue for a very targeted attack where the benefits of compromising e.g. a keyboard of a high value target will outweigh the effort required, but not really anything else. And that assumes that the keyboard is actually able to be updated! It would be probably simpler to just send an operative in and install e.g. a keylogger
Oh and they mention the "BadBios" story
The entire article is harping on 3rd-party ad network libraries stealing personal data and phoning tracking info home. As these are libraries and developers are re-using open source libraries, then it follows that "Open source is no free lunch" and is stealing your data. What a majestic leap in logic!
They conflate open source libraries with various ad-network code stealing personal data, basically trying to portrait open source code as being responsible for it. Never mind that the ad-network code is almost never open source.
Granted, OSS is certainly not bug-free, but the spyware has little to do with it.
What a load of
This is "news" only to people who don't have a clue how research works - and usually the ones setting the publication criteria - like "you have to publish 2 journal papers per year" for an assistant professor (fresh post-doc or a PhD student), along with all the teaching load, of course. I was teaching 10 different courses (!) one semester and was still expected to actually do research half of my time and to publish those 2 journal papers.
Never mind that shepherding a journal paper through the review process and publication takes a year or two on average alone, plus you have to actually have something to publish to begin with. Even conference papers can take 6 months to publish and you must attend them as well (but nobody wants to pay for that!).
The prolific "publishers" are mostly professors that are heads of labs. They are not actually doing any of the work themselves. It is the young PhD students and post-docs who are slaving away in the lab, writing the papers and then put the name of the prof on the paper as a coauthor. It is a very common practice, basically giving a nod to the prof for paying their salary and letting them graduate. If you have a large lab with 20 PhDs who write 1-2 papers a year, that's alone 40 papers for the prof's CV annually. Then you get invited to contribute to various book chapters (again PhD students write that), you get invited lectures and what not - all that counts as publications.
The young researchers have absolutely no chance to break through in such competition where the number of publications is a criteria. You can have two very good papers but when you apply for an academic job, you have no chance against a guy with 40+ (no matter that most of them are the same thing publishes under different names or it isn't really their work). Unfortunately, that often leads to BS publications - like doing few minor changes and publishing the same work several times in different venues, publishing obvious, non-interesting "results" in minor, often in-house workshops or conferences, in the worse cases even scientific fraud and various misconduct - all for the sake of getting that number of publications up. It is only your job and chance for tenure that is at stake.
I have left university pretty much because of this - with no/not enough publications no chance to get a permanent position, but no chance to get those papers published if all you are doing is teaching teaching and more teaching (even though I love teaching). And when not teaching you are doing paperwork and trying to justify your own existence to various clueless bureaucrats every few months so that they don't cut your funding again. That's not exactly a situation where you can do research.
I do wonder how this is going to stop someone from smuggling an explosive on board. It is vastly easier to conceal some nasty payload inside of a bulky laptop than inside of a battery. And it could still even work as a laptop - a brick of a plastic explosive the size of a disk drive or a secondary battery would be enough to cause a huge problem on board, without preventing the laptop from booting up and working.
And that is still assuming someone would actually want to bother with this - the guy with explosive underpants certainly didn't need a working battery
Mind boggling stupidity.
Oh that DMCA was issued by Cyveillance - the incompetent company Hollywood and music labels hired for policing P&P by string matching filenames and then carpet bombing service providers with DMCA requests, even though the content was not infringing at all. I bet they simply crawled Github for Qualcomm copyright notices, something that is often left in source code, even though it was relicensed long time ago already. Unfortunately, their bot is not that smart.
These bozos are known and someone at Qualcomm should get fired for hiring them. This is going to backfire at Qualcomm in a spectacular way, IMO.
ARM doesn't build chips, thus no drivers neither. That falls on the silicon vendors - TI, Broadcom, Samsung, etc. They are a pure-IP licensing company.
BTW, their Mali GPUs have open source drivers.
How does this surprise anyone? After Ubisoft CEO calling PC users "pirates" (http://www.rockpapershotgun.com/2012/09/05/ubisoft-drm-piracy-interview/), always-on DRM required on PC, Ubisoft changing focus to consoles because of piracy (http://www.tomshardware.com/news/ubisoft-guillemot-E3-games-piracy,6152.html) and more and more of similar vibe coming out of the Montreal's company over the recent years. They don't give a crap about PC and ideally they wouldn't publish for it all if they could, as it is only an extra expense and liability for their piracy obsessed CEO.
They are obviously crippling their PC titles to both push people away from the platform towards the consoles and to not undermine the sales of their console versions at the same time, because PC can outperform the consoles without too much hassle. If the PC version looked significantly better, the console players would cry foul, having paid the same money but getting inferior product. If everything looks like the same crap, players will not think about it twice.
Any PC gamer still buying Ubisoft's stuff is a masochist.
Actually, it is being sold in reverse - you buy the DS1074Z for e.g. $500 and you get the basic scope as specced + some 50 hours of demo of extra features that would normally drive the cost to those $1500 if you buy all of them. You try whether you like them and if you do, you pay for the options (or use a keygen - Rigols were hacked long time ago).
However, if you are buying one of these from a shady dealer somewhere at a hamfest being sold out of a car boot and without doing your homework, you get what you pay for. I want the thing to have at least calibration and warranty, so I buy it from a proper dealer - that's where I have got mine from a month ago (for ~500 EUR, VAT included: http://ovio-scope.com/index.ph... ).
Actually the new DS1074Z is $500 bucks now (got one recently), the -S version with the built-in sig gen is $800. The old DS1052E is still being sold for about $400 new, but the DS1074Z is a much better deal - 4 channels, much faster waveform update, larger sample memory, intensity graded display, etc. It is more comparable to the 2000 series than the old DS1000 one.
I think it is pretty comparable with the low end Agilents also (which are actually rebadged Rigols sold for higher price - Rigol is OEM for Agilent).
The Agilent 2000 series is a higher class instrument, then you are in the $2000+ price category.
I have actually owned DS1052E, that one is not sw upgradable, no hidden surprises there. DS1074Z is on my desk today and you get something like 50 hours of usage from some advanced things like I2C/SPI decoding and triggering or double sample memory. Buying those options is not very expensive neither, but then there is also http://riglol.3owl.com/ if you want.
If you are an electronics teacher, you should know better. The PC-based scopes and the various "DSO Nano" clones are universally crap and none fits into your budget anyway.
Your students would be vastly better served by buying a used analog scope, those could be obtained on eBay and similar places for a song these days. A used Tektronix or Hameg scope will beat the pants off of any PC-based toy and, more importantly, the student will actually learn and understand how the instrument works and what is being measured, because there are no "magic buttons" to push.
If the student has a bit larger budget, then the Rigol DS1052E or the newer DS1074Z is a really hard to beat value. There are also Siglents or Attens for the budget conscious, but both brands tend to suffer from poor manufacturing quality and the price is not really much lower than the Rigols.
Forget spectrum analyzer - there is no decent one for less than $1000 on the market. Digital scopes can do FFT, that helps in a pinch, otherwise the student can always record the data from something like the Rigols above and do a proper spectrum analysis on the PC, e.g. using Matlab or some other tool.
It could pretty well be illegal in Europe. Many EU countries have laws banning this sort of tactics as the abuse of the "market power". If you have more than a certain percentage of the market, you are treated as a quasi-monopoly and restrictions apply. These laws are mostly targeted at various retail chains that have abusive terms in their supplier contracts, but it is only a matter of time before this gets applied to Amazon, Google and similar.