
How desperate are you for GPUs, CPUs, consoles? Newegg tests with new lottery


Over the past 12 months, electronics retailers have been under increased fire and scrutiny for mishandling how they sell brand-new consoles and high-end PC components. This week, online retailer Newegg has moved forward with a new, peculiar system for selling high-demand, low-supply electronics: the Newegg Shuffle. (Or, as the site’s metadata calls it, the Newegg Popular Product Lottery Queue.)

If you catch this article early enough on Friday, January 22, consider this a drop-everything suggestion to rush to the site by 5 pm ET and place a product-purchase request. Really: Do that right now if you’re interested in recent AMD CPUs, Nvidia GPUs, or the all-digital PlayStation 5. It’s free to try. We’ll wait.

OK, so, that process might have been a bit confusing. What’s going on with the Newegg Shuffle?

Shuffling into a forced bundle? Not necessarily, but likely

The Newegg Shuffle buzz began earlier this week when savvy shoppers noticed a limited-time lottery event under the same name in messages sent to a limited pool of Newegg customers. It advertised a variety of CPUs and graphics cards, and the lead-in page included a sales pitch: Pick what you want to buy, sign into your established Newegg customer profile, and submit a request. Do this by a certain time, and within a few hours, you’d get notified if your account was selected to purchase any of the products you picked. (Meaning, you could try to sign up for every listing, or just one, without the choices apparently changing your odds of being randomly selected.)

The problems with that early test, however, came in the form of furious customers sharing images of what the shopping interface actually looked like. After clicking a shiny new AMD processor, or an Nvidia RTX 3080 graphics card, you’d be shown the real shopping option: a forced bundle. Every single option appeared to require purchasing a brand new motherboard, even if you didn’t need one. That was particularly egregious in the case of Nvidia’s graphics cards, which are compatible with the common PCI-e 3.0 standard and thus don’t necessitate a new motherboard for interested PC gamers.

When pressed by PC Mag about this anti-consumer, forced-bundle promotion, Newegg clarified that its Shuffle feature was still in “beta.” The promotion would cut down on forced bundles once it rolled out to all customers. Friday’s Newegg Shuffle launch has confirmed this—but a few forced bundles remain.

Both of today’s available AMD CPUs, the Ryzen 5 5600X and Ryzen 7 5800X, can be purchased as standalone options. They’re additionally listed with bundles, however, and that means you essentially have a better shot at purchasing them from Newegg if you’re willing to attach a motherboard purchase to the CPU. The same goes for one of the promotion’s GPUs, an ASUS flavor of the RTX 3070, which can either be purchased a la carte or with a bundled ASUS motherboard.

Three other GPUs appear in the promotion; two of them can only be purchased a la carte, and one, the ASUS RTX 3080, can only be purchased with a bundled ASUS motherboard (for a whopping combined price of $1179.98).

And the all-digital PlayStation 5 on offer can only be purchased as part of a bundle, adding a staggering $160 to its normal $399 price with an extra controller (sure), a 1080p webcam (meh), and a media remote (ugh). Them’s some serious Gamestop vibes, and not in a good way.

Microsoft taking leadership in the space

The worst part about Newegg Shuffle is that it’s arguably the best system currently on the market for interested PC-parts shoppers. Otherwise, your best bet is following in-the-know Twitter accounts and online-shopping guides to learn exactly when high-end computer components and consoles are in stock—since retailers seem completely uninterested in, you know, letting us pre-order these things and enter a purchase queue.

The sole exception in this madness seems to be Xbox Series X/S. Microsoft has developed a somewhat scalper-proof purchasing system in the form of Xbox All Access. Combine a monthly subscription price with a dedicated Xbox account (and associated mailing address), and you can get your hands on a shiny new Xbox. Such systems make it a pain for scalpers to transfer account ownership to a buyer. (As a bonus, buying a Series X/S this way may save you money compared to buying the hardware and attached subscription rates at retail prices.)

Until we see more retailers embrace customer verification systems, purchase limits, and anti-scalper efforts, we’re likely going to see more funky “lottery” systems like Newegg’s, complete with predatory bundle-enticement offers.


More top-tier companies targeted by new type of potentially serious attack


A new type of supply chain attack unveiled last month is targeting more and more companies, with new rounds this week taking aim at Microsoft, Amazon, Slack, Lyft, Zillow, and an unknown number of others. In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks.

The latest attack against Microsoft was also carried out as a proof-of-concept by a researcher. Attacks targeting Amazon, Slack, Lyft, and Zillow, by contrast, were malicious, but it’s not clear if they succeeded in executing the malware inside their networks. The npm and PyPi open source code repositories, meanwhile, have been flooded with more than 5,000 proof-of-concept packages, according to Sonatype, a firm that helps customers secure the applications they develop.

“Given the daily volume of suspicious npm packages being picked up by Sonatype’s automated malware detection systems, we only expect this trend to increase, with adversaries abusing dependency confusion to conduct even more sinister activities,” Sonatype researcher Ax Sharma wrote earlier this week.

A slick attack

The goal of these attacks is to execute unauthorized code inside a target’s internal software build system. The technique works by uploading malicious packages to public code repositories and giving them a name that’s identical to a package stored in the target developer’s internal repository.

Developers’ software management apps often favor external code libraries over internal ones, so they download and use the malicious package rather than the trusted one. Alex Birsan—the researcher who tricked Apple and the other 34 companies into running the proof-of-concept packages he uploaded to NPM and PyPi—dubbed the new type of supply chain attack dependency confusion or namespace confusion because it relies on software dependencies with misleading names.

Software dependencies are code libraries that an application must incorporate for it to work. Normally, developers closely guard the names of dependencies inside their software build systems. But Birsan found that the names often leak when package.json files—which hold various metadata relevant to a development project—are embedded into public script files. Internal paths and public scripts that contain the require() programming call can also leak dependency names.

In the event the file with the same name isn’t available in a public repository, hackers can upload a malicious package and give it the same file name and a version number that’s higher than the authentic file stored internally. In many cases, developers either accidentally use the malicious library or their build application automatically does so.
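The exposure described above can be checked for before a build runs. The following is an added example, not code from the article, Sonatype, Contrast Security, Microsoft or npm: a small Node script that reads a project’s package.json and .npmrc, and reports every dependency the team considers internal that npm would nevertheless resolve from the public registry, where anyone can publish a package of the same name with a higher version number. It also emits the .npmrc scope pins that would close each gap. The list of internal package names, the package.json, the .npmrc and the private registry URL are all constructed for the example; a real run would load the two files from disk.

```javascript
// Added example, not from the article or any vendor: flag dependencies that a
// build machine would fetch from the PUBLIC npm registry even though the
// organisation treats them as internal (the dependency-confusion condition).
// Assumption: the team maintains INTERNAL_PACKAGES; the package.json, .npmrc
// and registry URL below are constructed samples, not real projects or hosts.

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Parse the subset of .npmrc that decides resolution: the default "registry="
// line and any "@scope:registry=<url>" line that pins a scope to a registry.
function parseNpmrc(text) {
  const scopeRegistries = {};
  let defaultRegistry = PUBLIC_REGISTRY;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") defaultRegistry = value;
    else if (key.startsWith("@") && key.endsWith(":registry"))
      scopeRegistries[key.slice(0, -":registry".length)] = value;
  }
  return { defaultRegistry, scopeRegistries };
}

// Registry npm would contact for a package name under the parsed .npmrc.
function registryFor(name, npmrc) {
  const scope = name.startsWith("@") ? name.split("/")[0] : null;
  if (scope && npmrc.scopeRegistries[scope]) return npmrc.scopeRegistries[scope];
  return npmrc.defaultRegistry;
}

function isPublicRegistry(url) {
  try {
    return new URL(url).hostname === "registry.npmjs.org";
  } catch {
    return true; // unparseable .npmrc value: treat as unprotected
  }
}

// Walk every dependency section; report internal names that resolve publicly.
function auditDependencies(pkg, npmrcText, internalPackages) {
  const npmrc = parseNpmrc(npmrcText);
  const internal = new Set(internalPackages);
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (!internal.has(name)) continue;
      if (!isPublicRegistry(registryFor(name, npmrc))) continue; // pinned privately
      findings.push({
        name,
        section,
        range,
        reason: name.startsWith("@") ? "scope-not-pinned" : "unscoped-internal-name",
      });
    }
  }
  return findings;
}

// Remediation lines for .npmrc: a scoped name gets its scope pinned to the
// private registry; an unscoped name cannot be pinned per package in .npmrc,
// so it has to be renamed into a scope first.
function suggestNpmrcLines(findings, privateRegistry) {
  const lines = new Set();
  for (const f of findings) {
    if (f.reason === "scope-not-pinned") {
      lines.add(`${f.name.split("/")[0]}:registry=${privateRegistry}`);
    } else {
      lines.add(`# rename ${f.name} into a scope (e.g. @yourorg/${f.name}) and pin that scope`);
    }
  }
  return [...lines];
}

// Constructed samples (not real packages, registries or hosts).
const INTERNAL_PACKAGES = ["@acme/auth-client", "acme-internal-utils", "@acme-labs/telemetry"];
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    express: "^4.17.1", // public package, not in the internal list
    "@acme/auth-client": "^2.3.0", // scoped and pinned below: safe
    "acme-internal-utils": "^1.4.0", // unscoped internal name: resolves publicly
  },
  optionalDependencies: {
    "@acme-labs/telemetry": "1.0.0", // scoped, but scope is not pinned in .npmrc
  },
};
const SAMPLE_NPMRC = `
# constructed sample .npmrc
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
`;

if (typeof require !== "undefined" && require.main === module) {
  const findings = auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, INTERNAL_PACKAGES);
  console.log(findings);
  console.log(suggestNpmrcLines(findings, "https://npm.internal.example/"));
}
```

Run with `node audit-deps.js` (any file name works). For the sample input it reports two findings: the unscoped internal name and the `@acme-labs` scope that has no registry pin, and suggests the `@acme-labs:registry=` line to add. The check deliberately ignores version ranges: once a name resolves to the public registry, an exact pin is no protection either, because the attacker can publish that exact version.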

“It’s a slick attack,” HD Moore, co-founder and CEO of network discovery platform Rumble, said. “My guess is it affects a ton of folks,” he added. Most at risk, he said, are organizations that use large numbers of internal packages and don’t take special steps to prevent public packages from replacing internal ones.

Raining confusion

In the weeks since Birsan published his findings, dependency confusion attacks have flourished. Already hit by a proof-of-concept attack that executed Birsan’s unauthorized package in its network, Microsoft recently fell to a second attack, which was done by researchers from firm Contrast Security.

Matt Austin, director of security research at Contrast, said he started by looking for dependencies used in Microsoft’s Teams desktop application. After finding a JavaScript package called “Optional Dependencies,” he seized on a way to get a Teams development machine to download and run a package he put on NPM. The package used the same name as a module listed as an optional dependency.

Shortly after doing so, a script Austin put into the module started contacting him from several internal Microsoft IP addresses. Austin wrote:

Whether the responses I saw were automated or manual, the fact that I was able to generate this reaction poses significant risk. By taking advantage of the post-install script, I was able to execute code in whatever environment this was being installed on. If attackers were to execute code the way I did on a build server for a desktop application update that was about to be distributed, they could insert anything they wanted into that update, and that code would go out to every desktop using Teams—more than 115 million machines. Such an attack could have monumental repercussions, potentially affecting as many organizations as the massive attack on the SolarWinds software factory that was revealed in December.

He provided the following figure illustrating how a malicious attack might work under this theoretical scenario:

Contrast Security

A Microsoft spokeswoman wrote: “As part of our larger efforts to mitigate package substitution attacks, we quickly identified the issue mentioned and addressed it, and at no point did it pose a serious security risk to our customers.” The spokeswoman added that the system that executed Austin’s code was part of the company’s security testing infrastructure. Microsoft has more about the risks and ways to mitigate them here.

Attacks turn malicious

Like the packages uploaded by Birsan and Austin, the thousands of files that flooded NPM and PyPi have mostly contained benign scripts that send the researchers the IP address and other generic details of the computer that runs them.

But not all of the uploads have observed such restraint. On Monday, Sonatype researchers reported files uploaded to NPM that attempted to steal password hashes and bash script histories from companies including Amazon, Slack, Lyft, and Zillow.

A .bash_history file being accessed by the package uploaded to npm.

Sonatype

“These activities would take place as soon as a dependency confusion attack succeeds and would need no action from the victim, given the nature of the dependency/namespace hijacking issue,” Sharma, the researcher at Sonatype, wrote.

Bash histories, which store commands and other input that administrators type into their computers, often contain plaintext passwords and other sensitive data. The /etc/shadow file on Linux machines stores the cryptographic hashes of passwords needed to access user accounts on the computer. (For those hashes to be compromised, the NPM app would have to be running in super user mode, an extremely elevated set of privileges that is almost never given to software management apps.)

Sonatype said it had no way of knowing whether the files were executed by any of the companies targeted by the scripts.

The targets respond

In a statement, Slack officials wrote:

The mimicked library in question is not part of Slack’s product, nor is it maintained or supported by Slack. We have no reason to believe the malicious software was executed in production. Our security team regularly scans the dependencies used in our product with internal and external tools to prevent attacks of this nature. Additionally, Slack’s secure development practices, such as using a private scope when using private dependencies, make it unlikely that a dependency-related attack would be successful against our product.

A Lyft statement read: “Lyft was not harmed in this attempt. There is no indication that this malicious software was executed on Lyft’s network. Lyft has a dedicated information security program to defend against such supply chain attacks and runs an active bug bounty program to continuously test its security controls.”

Zillow officials wrote:

We are aware of the recent security report involving a possible attack involving spoofed software packages. After an investigation by our security team, we found no evidence that our systems were compromised or exploited by the disclosed technique. Our team is also taking a number of actions to monitor and defend against any future possible attempts to gain unauthorized access to our systems.

NPM representatives, meanwhile, wrote: “We’ve provided guidance on how to best protect against these types of substitution attacks in this blog post. We’re committed to keeping npm secure and continuing to improve the security of the ecosystem.”

Amazon representatives didn’t respond to an email seeking comment. A representative for PyPi didn’t immediately have a comment.

The recent hack against network tools provider SolarWinds—which compromised the Texas company’s software build system and used it to distribute malicious updates to 18,000 customers—was a stark reminder of the damage that can result from supply chain attacks. Dependency confusion attacks have the potential to inflict even more damage unless developers take precautionary measures.


Microsoft adds Startup Boost, Sleeping Tabs to Edge build 89

We’re not sure why Chromium-based Edge’s branding seems so thoroughly wet.

Microsoft

This week, Microsoft announced several more features trickling down to Edge Stable from its Beta insider channel. These features include Startup Boost, Sleeping Tabs, Vertical Tabs, and a more navigable History dialog. The company also announced some welcome interface tweaks to Bing—which Microsoft insists on categorizing as Edge features, but these items seem to apply equally to Bing in any browser so far.

If you’re not familiar with Microsoft Edge’s release and download system, there are three Insider channels (Canary, Dev, and Beta) that represent daily, weekly, and six-weekly updates in increasing order of stability. New features debut there before eventually making their way into Stable, where normal users will encounter them.

If you’re a Windows user, you can’t actually download new builds in the Stable channel directly. Instead, you must either look for them in Windows Update or navigate to edge://settings/help in-browser and ask Edge to check for updates to itself. If you’d also like to check out the Edge Insider builds, you can do so safely—they won’t replace your Edge Stable; they install side-by-side, with separate icons on your taskbar making them easy to distinguish.

Startup Boost

When we updated Edge Stable to Build 89, we found Startup Boost (shown here as “Continue running background apps”) and Sleeping Tabs already enabled.

Jim Salter

Edge’s new Startup Boost feature is pretty simple. Instead of killing all processes when you close the browser, it leaves a minimal set open and running. Microsoft says that these always-on background processes decrease Edge launch times—whether opened from an Edge icon or opened automatically as an association with hyperlinks from other applications—by 29% to 41%.

Microsoft also says that the background processes have very little impact on CPU and memory footprint of the system as a whole. The new feature is enabled by default in Edge Stable Build 89, but if you don’t like it, you can disable it on your system—go to edge://settings/system and disable Continue running background apps when Microsoft Edge is closed.

Sleeping Tabs

Edge’s new Sleeping Tabs feature automatically puts tabs to sleep—building upon Chromium’s “tab freezing” feature—after two hours of background status without interaction. You can adjust this timeout period manually if it’s not right for you, and Edge also uses heuristics to detect cases when sleep might be inappropriate (for example, tabs that are streaming music in the background).

You can see which tabs have gone to sleep due to their faded appearance in the tab bar; clicking a sleeping tab wakes it up and brings it back into the foreground. To our disappointment, there’s no option to right-click a tab and put it to sleep manually yet—all you can do is wait for the browser to do it for you after a sufficiently long inactivity period.

Vertical tabs

Behold, vertical tabs in action.

Vertical tabs—a feature we first reported nearly a year ago—finally made it to release this week in Edge Stable 89.

Modern displays generally have nearly twice as much horizontal screen real estate as vertical, and arranging tabs, application icons, and so forth across the display’s horizontal axis rather than its vertical makes more efficient use of the working space you have.

Edge certainly isn’t the first application to notice this fact—Ubuntu began using a vertical application launcher (its equivalent to the Windows taskbar) by default almost 10 years ago, for one example. We’ve found that the more efficient use of screen real estate is a great idea, but many users have an immediate, strong negative reaction to such a basic change to their navigation concepts.

Probably for that reason, Microsoft left the default tab bar orientation horizontal. If you’d like to browse like it’s 2021, though, the new vertical tab bar is a single click away—as is putting it back the way you found it.

History Hub

History Hub in action.

Edge’s new History Hub is another welcome UX update, and it’s simpler to use than it is to describe. Navigating to History from the hamburger menu (or hitting the Ctrl+H hotkey) opens your browsing history as a drop-down menu rather than a full page.

The drop-down History menu also has a stickpin icon on its upper right—clicking the pin dynamically resizes the browser pane, making room for a persistent, pinned History pane to its right. The History pane remains in place and is visible as you navigate the web, whether through links in pages or clicking the History links themselves. This makes it much easier to find what you’re looking for in the recent past.

Bing updates

Rounding out the goodies this week, Microsoft announced some updates to how it displays search results. These updates were also billed as Edge improvements, but when we checked bing.com in Google Chrome on a Linux workstation, we saw the same results there.

Local search results in Bing will begin showing stickpins on a map, dynamically updated as you browse them. This makes it easier to sort your search results by geographical area—which isn’t always as simple as “what’s closest” or “what’s furthest away.” This feature isn’t fully implemented yet; Microsoft says it will be fully available in the US in the coming weeks.

The search engine is also adapting its search results contextually when it understands the broad category of what you’re searching for in the first place. Carousel results for recipes now include dynamically updated panes showing caloric information alongside the picture and meta text of the recipe, for one example. Documentary film search results are another good showcase for this update. They pop up in tiles showing box art, title, and little else; hovering over each tile slides open further detailed information about the film.

Finally, educational searches may give more easily digestible, infographic-style returns instead of the simple dense-text based output we’ve become familiar with in the last two decades. It’s not clear exactly what topics will or will not receive the infographic returns or how those are generated, but Microsoft showcases the result of a Bing search for “giraffe animal” as one example.


Visual Studio Code now runs natively on M1 Macs

The 2020, M1-equipped Mac mini.

Samuel Axon

Microsoft has released a new version of source-code editor Visual Studio Code that runs natively on Apple Silicon Macs like the MacBook Air, MacBook Pro, and Mac mini models with Apple M1 chips.

The change came in Visual Studio Code 1.54 (now 1.54.1 thanks to a bug fix update), which is available as a universal 64-bit binary, as is standard for apps with Apple Silicon support. That said, Microsoft also offers downloads for x86-64 and Arm64 versions specifically, if desired.

There are no differences in features between the two versions, of course. And the non-Apple Silicon version worked just fine on M1 Macs previously via Rosetta, but Microsoft says M1 users can expect a few optimizations with the new binaries:

We are happy to announce our first release of stable Apple Silicon builds this iteration. Users on Macs with M1 chips can now use VS Code without emulation with Rosetta, and will notice better performance and longer battery life when running VS Code. Thanks to the community for self-hosting with the Insiders build and reporting issues early in the iteration.

Other key features in Visual Studio Code 1.54 include the ability to retain terminal processes on window reload, performance improvements in the Windows version, product icon themes, improvements when viewing Git history timeline entries, and various accessibility improvements.

This is the latest in a slow march of productivity and power user apps that have launched native Apple Silicon versions, such as Adobe Photoshop. But many popular apps are still not native, including Visual Studio Code’s IDE sibling, Visual Studio 2019 for Mac.

However, native Apple Silicon support is expected to come to Visual Studio 2019 for Mac with .NET 6, which is expected to ship in November. The first .NET 6 preview was distributed last month.

Many makers of development and creative production software have committed to releasing Apple Silicon versions of apps, including Adobe and Unity. But others, like Autodesk, haven’t made much noise about Apple Silicon support yet.

Apple is expected to shift its entire Mac lineup to the new architecture by the end of 2022. Reports citing people familiar with Apple’s plans have indicated that more Apple Silicon-based MacBook Pros are coming this year, as well as significant redesigns for both the iMac and MacBook Air, which will also have Apple Silicon chips.
