Cellphones

Millions of Mobile Phones Come Pre-Infected With Malware, Say Researchers (theregister.com) 45

Trend Micro researchers at Black Hat Asia are warning that millions of Android devices worldwide come pre-infected with malicious firmware before the devices leave their factories. "This hardware is mainly cheapo Android mobile devices, though smartwatches, TVs, and other things are caught up in it," reports The Register. From the report: This insertion of malware began as the price of mobile phone firmware dropped, we're told. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product. "But of course there's no free stuff," said [Trend Micro researcher Fyodor Yarochkin], who explained that, as a result of this cut-throat situation, firmware started to come with an undesirable feature -- silent plugins. The team analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed. The plugins that were the most impactful were those that had a business model built around them, were sold on the underground, and marketed in the open on places like Facebook, blogs, and YouTube.

The objective of the malware is to steal info or make money from information collected or delivered. The malware turns the devices into proxies which are used to steal and sell SMS messages, take over social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud. One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more. "The user of the proxy will be able to use someone else's phone for a period of 1200 seconds as an exit node," said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.

Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million. As for where the threats are coming from, the duo wouldn't say specifically, although the word "China" showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world's OEMs are located and make their own deductions.

The team confirmed the malware was found in the phones of at least 10 vendors, but that there were possibly around 40 more affected. For those seeking to avoid infected mobile phones, they could go some way of protecting themselves by going high end. That is to say, you'll find this sort of bad firmware in the cheaper end of the Android ecosystem, and sticking to bigger brands is a good idea though not necessarily a guarantee of safety. "Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market," said Yarochkin.

IT

Leak of MSI UEFI Signing Keys Stokes Fears of 'Doomsday' Supply Chain Attack (arstechnica.com) 62

A ransomware intrusion on hardware manufacturer Micro-Star International, better known as MSI, is stoking concerns of devastating supply chain attacks that could inject malicious updates that have been signed with company signing keys that are trusted by a huge base of end-user devices, a researcher said. From a report: "It's kind of like a doomsday scenario where it's very hard to update the devices simultaneously, and they stay for a while not up to date and will use the old key for authentication," Alex Matrosov, CEO, head of research, and founder of security firm Binarly, said in an interview. "It's very hard to solve, and I don't think MSI has any backup solution to actually block the leaked keys."

The intrusion came to light in April when, as first reported by Bleeping Computer, the extortion portal of the Money Message ransomware group listed MSI as a new victim and published screenshots purporting to show folders containing private encryption keys, source code, and other data. A day later, MSI issued a terse advisory saying that it had "suffered a cyberattack on part of its information systems." The advisory urged customers to get updates from the MSI website only. It made no mention of leaked keys. Since then, Matrosov has analyzed data that was released on the Money Message site on the dark web. To his alarm, included in the trove were two private encryption keys. The first is the signing key that digitally signs MSI firmware updates to cryptographically prove that they are legitimate ones from MSI rather than a malicious impostor from a threat actor. This raises the possibility that the leaked key could push out updates that would infect a computer's most nether regions without triggering a warning. To make matters worse, Matrosov said, MSI doesn't have an automated patching process the way Dell, HP, and many larger hardware makers do. Consequently, MSI doesn't provide the same kind of key revocation capabilities.

AMD

AMD Will Replace AGESA With Open Source Initialization Library 'openSIL' (phoronix.com) 9

Phoronix shares some overlooked news from AMD's openSIL presentation at the OCP Regional Summit in April. Specifically, that AMD openSIL — their open-source x86 silicon initialization library — "is planned to eventually replace AMD's well known AGESA [BIOS utility]" around 2026, and "it will be supported across AMD's entire processor stack — just not limited to EPYC server processors as some were initially concerned..." Raj Kapoor, AMD Fellow and AMD's Chief Firmware Architect, in fact began the AMD openSIL presentation by talking about the challenges they've had with AGESA in adapting it to Coreboot for Chromebook purposes with Ryzen SoCs... With AMD openSIL not expected to be production ready until around 2026, this puts it roughly inline for an AMD Zen 6 or Zen 7 introduction. The proof of concept code for AMD Genoa is expected to come soon...

The presentation also noted that beyond AMD openSIL code being open-source, the openSIL specification will also be open. AMD "invites every silicon vendor" to participate in this open-source system firmware endeavor.

Your Rights Online

Colorado Governor Signs Tractor Right-to-Repair Law Opposed by John Deere (arstechnica.com) 115

mrflash818 writes: Colorado has enacted the nation's first state law guaranteeing farmers a right to repair tractors and other equipment themselves or at independent repair shops. Colorado Gov. Jared Polis, a Democrat, signed the bill yesterday. "I am proud to sign this important bipartisan legislation that saves hardworking farmers and ranchers time and money on repairs, and supports Colorado's thriving agriculture industry... Farmers and ranchers can lose precious weeks and months when equipment repairs are stalled due to long turnaround times by manufacturers and dealers. This bill will change that," Polis said.

The state House voted 46-14 in favor of the bill on April 11, while the Senate voted 21-12 on March 30. "The legislation advanced through long committee hearings, having been propelled forward mostly by Democrats even though a Republican lawmaker co-sponsored the bill," the Associated Press wrote. "The proposal left some GOP lawmakers stuck between their farming constituents pleading for the ability to repair their equipment and the manufacturers who vehemently opposed it." The law's requirements are scheduled to take effect on January 1, 2024. Farm equipment manufacturers will have "to provide parts, embedded software, firmware, tools, or documentation, such as diagnostic, maintenance, or repair manuals, diagrams, or similar information (resources), to independent repair providers and owners of the manufacturer's agricultural equipment," according to the legislature's summary of the Consumer Right To Repair Agricultural Equipment bill.

Government

Colorado Approves First-Ever Agricultural Right to Repair Bill (ifixit.com) 23

Denver legislators have just passed the first-ever agricultural Right to Repair bill. Today's landslide 44-16 vote in the House follows a successful vote in the Senate last month. iFixit reports: Once the Agricultural Right to Repair bill passes, manufacturers will be required to share all the parts, embedded software, firmware, tools, and documentation necessary for repair. One critical step remains: a signature by Governor Polis, who has signaled that he supports the legislation.

To support Right to Repair legislation near you, find your state on Repair.org -- or, if you're outside the US, look for your country's advocacy network here.

The summary of HB23-1011 reads: "Starting January 1, 2024, the bill requires a manufacturer to provide parts, embedded software, firmware, tools, or documentation, such as diagnostic, maintenance, or repair manuals, diagrams, or similar information (resources), to independent repair providers and owners of the manufacturer's agricultural equipment to allow an independent repair provider or owner to conduct diagnostic, maintenance, or repair services on the owner's agricultural equipment.

The bill folds agricultural equipment into the existing consumer right-to-repair statutes, which statutes provide the following:

- A manufacturer's failure to comply with the requirement to provide resources is a deceptive trade practice;
- In complying with the requirement to provide resources, a manufacturer need not divulge any trade secrets to independent repair providers and owners; and
- Any new contractual provision or other arrangement that a manufacturer enters into that would remove or limit the manufacturer's obligation to provide resources to independent repair providers and owners is void and unenforceable; and
- An independent repair provider or owner is not authorized to make modifications to agricultural equipment that permanently deactivate any safety notification system or bring the equipment out of compliance with safety or emissions laws or to engage in any conduct that would evade emissions, copyright, trademark, or patent laws."

GNU is Not Unix

Libreboot Founder's 'Minifree' Sells Free-Software Laptops with Libreboot Preinstalled (minifree.org) 20

Slashdot reader unixbhaskar writes: A company in the U.K. calling itself Minifree has started to ship old ThinkPads (specifically the X series and T series models) with Libreboot firmware, which is based on coreboot firmware.

More specifically, Libreboot is the free-as-in-speech replacement for proprietary BIOS/UEFI firmware, the site notes, "offering faster boot speeds, better security and many advanced features compared to most proprietary boot firmware." Those advanced features include the GNU project's multiple-OS-booting "grand unified bootloader" GNU GRUB directly in the boot flash, along with several other customization options. "The aim is simple: make it easy to have a computer that was made to run entirely on Free Software at every level, meaning no proprietary software of any kind. That includes the boot firmware, operating system, drivers and applications."

The Libreboot project's founder is also the founder of Minifree, and the profits from Minifree's sales directly fund the Libreboot project. (The whole Minifree web site runs on Libreboot-powered servers, on a network behind a Libreboot-powered router...) Their site points out that Minifree Ltd has also privately funded several new board ports to coreboot, including 90,000 USD to Raptor Engineering for ASUS KGPE-D16 and KCMA-D8 libreboot support, and 4000 AUD to Damien Zammit for Gigabyte GA-G41M-ES2L and Intel D510MO libreboot support.

The installed OS on the laptops is either encrypted Debian (KDE Plasma desktop environment), with full driver support, or "other Linux distro/BSD (e.g. OpenBSD, FreeBSD) at your request... Advanced features like encrypted /boot (GNU+Linux only), signed kernels and more are available." And the laptops are also shipped — worldwide — with "your choice of 480/960GB SSD or 2x480GB/2x960GB RAID1 SSDs, with good batteries and 16GB RAM. Free technical support via email/IRC plus 5-year warranty."

But judging by their FAQ, the support is even more extensive. "If you brick your Minifree laptop when updating Libreboot, Minifree will unbrick it for free if you send it back to us. Even if your warranty has expired! However, such bricking is rare."

HP

HP Outrages Printer Users With Firmware Update Suddenly Bricking Third-Party Ink (arstechnica.com) 199

An anonymous reader quotes a report from Ars Technica: HP customers are showing frustration online as the vendor continues to use firmware updates to discourage or, as users report, outright block the use of non-HP-brand ink cartridges in HP printers. HP has already faced class-action lawsuits and bad publicity from "dynamic security," but that hasn't stopped the company from expanding the practice. Dynamic security is a feature used by HP printers to authenticate ink cartridges and prevent use of cartridges that aren't HP-approved. As the company explains: "Dynamic security relies on the printer's ability to communicate with the security chips or electronic circuitry on the cartridges. HP uses dynamic security measures to protect the quality of our customer experience, maintain the integrity of our printing systems, and protect our intellectual property. Dynamic security equipped printers are intended to work only with cartridges that have new or reused HP chips or electronic circuitry. The printers use the dynamic security measures to block cartridges using non-HP chips or modified or non-HP electronic circuitry. Reused, remanufactured, and refilled cartridges that reuse the HP chip or electronic circuitry are unaffected by dynamic security."

HP is set on continuing to use DRM to discourage its printer customers from spending ink and toner money outside of the HP family. "HP have updated their printers to outright ban 'non-HP' ink! They no longer show the 'can't guarantee quality' message, but instead cancel your print completely until you insert a HP ink cartridge," Reddit user grhhull posted Tuesday. "After contacting HP, they advised 'this is due to the recent 'update' of all printers.'" It's unclear when HP issued updates for which model printers, but there are alleged customer complaints online stemming from late last year, showing plenty of customers surprised their printer no longer worked with non-HP ink cartridges after an update. Some pointed to third-party brands they had relied on for years.

HP community support threads include complaints about the OfficeJet 7740 and OfficeJet Pro 6970. HP lists both printers, as well as others, as able to circumnavigate dynamic security under specific conditions. However, HP's support page states this only applies to models manufactured before December 1, 2016. For more examples, there are comments on HP's support community suggesting that HP's OfficeJet 6978 and 6968 were recently affected. Both printers are discontinued, but HP's product pages make it clear that the fickle nature of dynamic security means that third-party ink could stop working at any time. And HP's dynamic security page also leaves the door open for the sudden bricking of functioning ink: "Firmware updates delivered periodically over the internet will maintain the effectiveness of the dynamic security measures," the page reads. "Updates can improve, enhance, or extend the printer's functionality and features, protect against security threats, and serve other purposes, but these updates can also block cartridges using a non-HP chip or modified or non-HP circuitry from working in the printer, including cartridges that work today."

Security

Unkillable UEFI Malware Bypassing Secure Boot Enabled By Unpatchable Windows Flaw (arstechnica.com) 115

Researchers have announced a major cybersecurity find -- the world's first-known instance of real-world malware that can hijack a computer's boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows. From a report: Dubbed BlackLotus, the malware is what's known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI -- short for Unified Extensible Firmware Interface -- the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC's device firmware with its operating system, the UEFI is an OS in its own right. It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch. Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to run malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs at the kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.

As appealing as it is to threat actors to install nearly invisible and unremovable malware that has kernel-level access, there are a few formidable hurdles standing in their way. One is the requirement that they first hack the device and gain administrator system rights, either by exploiting one or more vulnerabilities in the OS or apps or by tricking a user into installing trojanized software. Only after this high bar is cleared can the threat actor attempt an installation of the bootkit. The second thing standing in the way of UEFI attacks is UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer's manufacturer. Secure Boot is designed to create a chain of trust that will prevent attackers from replacing the intended bootup firmware with malicious firmware. If a single firmware link in that chain isn't recognized, Secure Boot will prevent the device from starting.

AMD

Will AMD's 'openSIL' Library Enable Open-Source Silicon Initialization With Coreboot? (phoronix.com) 29

Formerly known as LinuxBIOS, coreboot is defined by Wikipedia as "a software project aimed at replacing proprietary firmware (BIOS or UEFI) found in most computers with a lightweight firmware."

Phoronix is wondering if there's about to be a big announcement from AMD: AMD dropped a juicy tid-bit of information to be announced next month with "openSIL" [an open-source AMD x86 silicon initialization library], complete with AMD Coreboot support....

While about a decade ago AMD was big into Coreboot and at the time committed to it for future hardware platforms (2011: AMD To Support Coreboot On All Future CPUs) [and] open-source AGESA at the time did a lot of enabling around it, that work had died off. In more recent years, AMD's Coreboot contributions have largely been limited to select consumer APU/SoC platforms for Google Chromebook use. But issues around closing up the AGESA as well as concerns with the AMD Platform Security Processor (PSP) have diminished open-source firmware hopes in recent years....

For the Open Compute Project Regional Summit in Prague, there is a new entry added with a title of OSF on AMD — Enabled by openSIL (yes, folks, OSF as in "Open-Source Firmware").... [H]opefully this will prove to be a monumental shift for open-source firmware in the HPC server space.

From the talk's description: openSIL (AMD open-source x86 Silicon Initialization Library) offers the versatility, scalability, and light weight interface to allow for ease of integration with open-source and/or proprietary host boot solutions such as coreboot, UEFI and others and adds major flexibility to the overall platform design.

In other words, this library-based solution simply allows a platform integrator to scale from feature rich solutions such as UEFI to slim, lightweight, and secure solutions such as coreboot.

The description promises the talk will include demonstrations "highlighting system bring-up using openSIL integrated with coreboot and UEFI Host Firmware stacks on AMD's Genoa based platforms."

Linux

Ask Slashdot: Where Can You Buy a Desktop PC That Makes Linux Easy to Install? 233

"It's time for me to build a new Linux PC," writes Slashdot reader eggegick, complaining that while Dell (and Amazon) sell systems with Linux pre-installed, it feels like they're tacking on an unnecessary extra expense.

But then who sells a desktop PC where Linux is still easy to install? Windows seems to make it difficult to use your own (Linux OS) boot media: I guess this is a security measure, but I can think of better ways to implement this (for instance ask the user to type in "yes" or "fire the explosive bolts", or some sort of simple override).... As it is, I hit the F12 key during the boot to enter the BIOS, hoping to tell it to enable booting from the CD. Well I have not looked at a BIOS screen in a long time, and there is no "enable boot from CD option" anymore. There are some options for booting from other devices but it is all fubar magic to me.

One Dell user discovered it's as simple (or as complicated) as going into Settings / Recovery / Troubleshoot / Advanced options / See More Recovery Settings / Advanced Options / UEFI Firmware Settings / Restart to Change UEFI Firmware Settings. (And then under the Boot menu there's a choice called "Secure Boot" with an option labelled "Disabled," after which under the Boot menu the third choice becomes File Browser Add Boot Option / Select Media Driver...)

Is that simple enough — or is it fubar magic? "My question is, who builds a desktop PC these days that is user friendly in this regard (i.e. lets me install the OS I want)," asks the original submission.

Share your own experiences and suggestions in the comments. Where can you buy a desktop PC that makes Linux easy to install?

Google

Google Working on Fix For SH1MMER Exploit That Can Unenroll Chromebooks (scmagazine.com) 18

Neowin reports on "a potentially dangerous exploit capable of completely unenrolling enterprise-managed Chromebooks from their respective organizations" called SH1MMER.

The Register explains where the name came from — and how it works: A shim is Google-signed software used by hardware service vendors for Chromebook diagnostics and repairs. With a shim that has been processed and patched, managed Chromebooks can be booted from a suitably prepared recovery drive in a way that allows the device setup to be altered via the SH1MMER recovery screen menu....

In a statement provided to The Register, a Google spokesperson said, "We are aware of the issue affecting a number of ChromeOS device RMA shims and are working with our hardware partners to address it."

"Google added that it will keep the community closely updated when it ships out a fix," reports SC Magazine, "but did not specify a timetable."

"What we're talking about here is jailbreaking a device," said Mike Hamilton, founder and chief information security officer of Critical Insight, and a former CISO for the city of Seattle who consults with many school districts. "For school districts, they probably have to be concerned about a tech-savvy student looking to exercise their skills...."

Hamilton said Google will need to modify the firmware on the Chromebooks. He said they have to get the firmware to check for cryptographic signatures on the rest of the authorization functions, not just the kernel functions — "because that's where the crack is created to exploit it. I think Google will fix this quickly and schools need to develop a policy on jailbreaking your Chromebook device and some kind of penalty for that to make it real," said Hamilton. "Schools also have to make sure they can detect when a device goes out of policy. The danger here is if a student does this and there's no endpoint security and the school doesn't detect it and lock out the student, then some kind of malware could be introduced. I'm not going to call this a 'nothingburger,' but I'd be very surprised if it showed up at any scale."

Thanks to Slashdot reader segaboy81 for submitting the story.

Oracle

Six Years Later, HPE and Oracle Quietly Shut Door On Solaris Lawsuit (theregister.com) 10

HPE and Oracle have settled their long-running legal case over alleged copyright infringement regarding Solaris software updates for HPE customers, but it looks like the nature of the settlement is going to remain under wraps. The Register reports: The pair this week informed [PDF] the judge overseeing the case that they'd reached a mutual settlement and asked for the case to be dismissed "with prejudice" -- ie, permanently. The settlement agreement is confidential, and its terms won't be made public. The case goes back to at least 2016, when Oracle filed a lawsuit against HPE over the rights to support the Solaris operating system. HPE and a third company, software support outfit Terix, were accused of offering Solaris support for customers while the latter was not an authorized Oracle partner.

Big Red's complaint claimed HPE had falsely represented to customers that it and Terix could lawfully provide Solaris Updates and other support services at a lower cost than Oracle, and that the two had worked together to provide customers with access to such updates. The suit against HPE was thrown out of court in 2019, but revived in 2021 when a judge denied HPE's motion for a summary judgement in the case. Terix settled its case in 2015 for roughly $58 million. Last year, the case went to court and in June a jury found HPE guilty of providing customers with Solaris software updates without Oracle's permission, awarding the latter $30 million for copyright infringement.

But that wasn't the end of the matter, because HPE was back a couple of months later to appeal the verdict, claiming the complaint by Oracle that it had directly infringed copyrights with regard to Solaris was not backed by sufficient evidence. This hinged on HPE claiming that Oracle had failed to prove that any of the patches and updates in question were actually protected by copyright, but also that Oracle could not prove HPE had any control over Terix in its purported infringement activities. Oracle for its part filed a motion asking the court for a permanent injunction against HPE to prevent it copying or distributing the Solaris software, firmware or support materials, except as allowed by Oracle. Now it appears that the two companies have come to some mutually acceptable out-of-court arrangement, as often happens in acrimonious and long-running legal disputes.

Security

MSI Accidentally Breaks Secure Boot for Hundreds of Motherboards 59

Over 290 MSI motherboards are reportedly affected by an insecure default UEFI Secure Boot setting that allows any operating system image to run regardless of whether it has a wrong or missing signature. From a report: This discovery comes from a Polish security researcher named Dawid Potocki, who claims that he did not receive a response despite his efforts to contact MSI and inform them about the issue. The issue, according to Potocki, impacts many Intel and AMD-based MSI motherboards that use a recent firmware version, affecting even brand-new MSI motherboard models.

Android

Android TV Box On Amazon Came Pre-Installed With Malware (bleepingcomputer.com) 35

A Canadian systems security consultant discovered that an Android TV box purchased from Amazon was pre-loaded with persistent, sophisticated malware baked into its firmware. BleepingComputer reports: The malware was discovered by Daniel Milisic, who created a script and instructions to help users nullify the payload and stop its communication with the C2 (command and control) server. The device in question is the T95 Android TV box with an AllWinner T616 processor, widely available through Amazon, AliExpress, and other big e-commerce platforms. It is unclear if this single device was affected or if all devices from this model or brand include the malicious component.

Milisic believes the malware installed on the device is a strain that resembles 'CopyCat,' a sophisticated Android malware first discovered by Check Point in 2017. This malware was previously seen in an adware campaign where it infected 14 million Android devices to make its operators over $1,500,000 in profits. The analyst tested the stage-1 malware sample on VirusTotal, where it returns only 13 detections out of 61 AV engine scans, classified with the generic term of an Android trojan downloader. [...]

Unfortunately, these inexpensive Android-based TV box devices follow an obscure route from manufacturing in China to global market availability. In many cases, these devices are sold under multiple brands and device names, with no clear indication of where they originate. [...] To avoid such risks, you can pick streaming devices from reputable vendors like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.

Security

NetGear Warns Users To Patch Recently Fixed Wi-Fi Router Bug (bleepingcomputer.com) 7

Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible. BleepingComputer reports: The flaw impacts multiple Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC router models. Although Netgear did not disclose any information about the component affected by this bug or its impact, it did say that it is a pre-authentication buffer overflow vulnerability. The impact of a successful buffer overflow exploitation can range from crashes following denial of service to arbitrary code execution, if code execution is achieved during the attack. Attackers can exploit this flaw in low-complexity attacks without requiring permissions or user interaction. In a security advisory published on Wednesday, Netgear said it "strongly recommends that you download the latest firmware as soon as possible." A list of vulnerable routers and the patched firmware versions can be found here.

AMD

AMD Improving Linux Experience When Running New GPUs Without Proper Driver Support (phoronix.com) 28

An anonymous reader shares a report: While AMD provided upstream open-source driver support for the Radeon RX 7900 series launch, the initial user experience can be less than desirable if running a new Radeon GPU but initially running an out-of-date kernel or lacking the necessary firmware support. With a new patch series posted AMD is looking to improve the experience by being able to more easily fallback to the firmware frame-buffer when their AMDGPU kernel graphics driver fails to properly load.

With the new IP-based discovery "block by block" approach to how the open-source AMD Radeon Linux graphics driver is managing the hardware initialization with RDNA3 and moving forward, the AMDGPU driver will try to probe all Radeon GPUs even if it might not end up being fully supported. In turn that ends up destroying the system firmware frame-buffer. But right now in the case of booting an RDNA3 GPU with a slightly out of date kernel (pre-6.0) or lacking the necessary RDNA3 firmware for hardware initialization, it can mean the screen freezing or system appearing unresponsive.

Open Source

PineTab 2 Is Another Try At a Linux-Based Tablet, Without the 2020 Supply Crunch (arstechnica.com) 36

An anonymous reader quotes a report from Ars Technica: Pine64, makers of ARM-based, tinker-friendly gadgets, is making the PineTab 2, a sequel to its Linux-powered tablet that mostly got swallowed up by the pandemic and its dire global manufacturing shortages. The PineTab 2, as described in Pine64's "December Update," is based around the RK3566, made by RockChip. Pine64 based its Quartz64 single-board system on the system-on-a-chip (SoC), and has all but gushed about it across several blog posts. It's "a dream-of-a-SoC," writes Community Director Lukasz Erecinski, a "modern mid-range quad-core Cortex-A55 processor that integrates a Mali-G52 MP2 GPU." And it should be ideal for space-constrained devices: it runs cool, has a variety of I/O options, solid price-to-performance ratio, and "is genuinely future-proof."

The PineTab 2 is a complete redesign, Erecinski claims. It has a metal chassis that "is very sturdy while also being easy to disassemble for upgrades, maintenance, and repair." The tablet comes apart with snap-in tabs, and Pine64 will offer replacement parts. The insides are modular, too, with the eMMC storage, camera, daughter-board, battery, and keyboard connector all removable "in under 5 minutes." The 10.1-inch IPS display, with "modern and reasonably thin bezels," should also be replaceable, albeit with more work. On that easily opened chassis are two USB-C ports, one for USB 3.0 I/O and one for charging (or USB 2.0 if you want). There's a dedicated micro-HDMI port, and a front-facing 2-megapixel camera and rear-facing 5-megapixel (not the kind of all-in-one media production machine Apple advertises, this tablet), a microSD slot, and a headphone jack. While a PCIe system is exposed inside the PineTab, most NVMe SSDs will not fit, according to Pine64. All of this is subject to change before final production, however.

As with the original PineTab, this model comes with a detachable, backlit keyboard cover, included by default. That makes supporting a desktop OS for the device far more viable, Erecinski writes. The firmware chipset is the same as in the PineBook Pro, which should help with that. No default OS has been decided as of yet, according to Pine64. The tablet should ship with two memory/storage variants, 4GB/64GB and 8GB/128GB. It's due to ship "sometime after the Chinese New Year" (January 22 to February 5), though there's no firm date. No price was announced, but "it will be affordable regardless of which version you'll settle on."
A video version of the "December Update" can be found on YouTube.

Android

Google Reports Decline In Android Memory Safety Vulnerabilities As Rust Usage Grows (9to5google.com) 23

Last year, Google announced Android Open Source Project (AOSP) support for Rust, and today the company provided an update, while highlighting the decline in memory safety vulnerabilities. 9to5Google reports: Google says the "number of memory safety vulnerabilities have dropped considerably over the past few years/releases." Specifically, the number of annual memory safety vulnerabilities fell from 223 to 85 between 2019 and 2022. They are now 35% of Android's total vulnerabilities versus 76% four years ago. In fact, "2022 is the first year where memory safety vulnerabilities do not represent a majority of Android's vulnerabilities."

That count is for "vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through our vulnerability rewards program (VRP) and vulnerabilities reported internally." During that period, the amount of new memory-unsafe code entering Android has decreased: "Android 13 is the first Android release where a majority of new code added to the release is in a memory safe language."

Rust makes up 21% of all new native code in Android 13, including the Ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android's Virtualization framework (AVF), and "various other components and their open source dependencies." Google considers it significant that there have been "zero memory safety vulnerabilities discovered in Android's Rust code" so far across Android 12 and 13.
Google's blog post today also talks about non-memory-safety vulnerabilities, and its future plans: "... We're implementing userspace HALs in Rust. We're adding support for Rust in Trusted Applications. We've migrated VM firmware in the Android Virtualization Framework to Rust. With support for Rust landing in Linux 6.1 we're excited to bring memory-safety to the kernel, starting with kernel drivers."

Security

Lenovo Driver Goof Poses Security Risk for Users of 25 Notebook Models (arstechnica.com) 46

More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI secure-boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned on Wednesday. From a report: At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that undermine the UEFI secure boot can be serious because they make it possible for attackers to install malicious firmware that survives multiple operating system reinstallations.

Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer's device firmware with its operating system. As the first piece of code to run when virtually any modern machine is turned on, it's the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical measures such as wiping the hard drive and reinstalling the OS have no meaningful impact because the UEFI infection will simply reinfect the computer afterward. ESET said the vulnerabilities -- tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 -- "allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS." Secure boot uses databases to allow and deny mechanisms. The DBX database, in particular, stores cryptographic hashes of denied keys. Disabling or restoring default values in the databases makes it possible for an attacker to remove restrictions that would normally be in place.

Linux

'Old/Weird Laptops' Sought To Help Test Linux Kernel Backlight Drivers (arstechnica.com) 33

Do you have a laptop that's either "pretty old" or "weird in some other way"? Did it ship without Windows from the factory, or did you flash its firmware with coreboot? You could help the Linux kernel move its backlight code forward without abandoning quirky gear like yours. ArsTechnica: Hans de Goede, a longtime Linux developer and principal engineer at Red Hat, writes on his Livejournal about the need to test "a special group of laptops" to prevent their backlight controls from disappearing in Linux kernel 6.1. Old laptop tests are needed because de Goede is initiating some major changes to user-space backlight controls, something he has been working on since 2014. As detailed at Linux blog Phoronix, there are multiple issues with how Linux tries to address the wide variety of backlight schemes in displays, which de Goede laid out at the recent Linux Plumbers Conference. There can be multiple backlight devices operating a single display, leaving high-level controls to "guess which one will work." Brightness control requires root permissions at the moment. And "0" passed along as a backlight value remains a conundrum, as the engineer pointed out in 2014: Is that entirely off, or as low as the display can be lit?
