Qualcomm announced during its Computex press conference today that it will launch the first Snapdragon-powered 5G PC with Lenovo. The two companies describe the PC, called Project Limitless, as “the world’s first 7nm platform purpose-built for PCs that offers 5G connectivity.”
Qualcomm and Lenovo unveil the first Snapdragon-powered 5G PC at Computex in Taipei
The laptop runs on Qualcomm’s Snapdragon 8cx Compute Platform, which is designed to support both 5G and 4G connections, combines the Qualcomm Adreno 680 GPU with the Qualcomm Kryo 495 CPU and has a battery that Qualcomm claims can last for several days per charge. The platform uses the Snapdragon X55 5G modem, which has download speeds of up to 2.5 Gbps.
Project Limitless’ release date and pricing haven’t been revealed yet.
It’s not really clear just yet exactly what all these powerful, agile quadrupedal robots people …
Government officials in the US, UK, and Australia are urging public- and private-sector organizations to secure their networks by ensuring firewalls, VPNs, and other network-perimeter devices are patched against the most widespread exploits.
In a joint advisory published Wednesday, the US FBI and CISA (Cybersecurity and Infrastructure Security Agency), the Australian Cyber Security Center, and the UK’s National Cyber Security Center listed the top 30 or so most-exploited vulnerabilities. The vulnerabilities reside in a host of devices or software marketed by the likes of Citrix, Pulse Secure, Microsoft, and Fortinet.
“Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the advisory stated. “However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”
What, me patch?
Four of the most-targeted vulnerabilities last year resided in VPNs, cloud-based services, and other devices that allow people to remotely access employer networks. Despite the explosion in work-from-home employees driven by the COVID-19 pandemic, many VPN gateway devices remained unpatched during 2020.
Discovery dates of the top 4 vulnerabilities ranged from 2018 to 2020, an indication of how common it is for many organizations using the affected devices to withhold applying security patches. The security flaws include CVE-2019-19781, a remote code-execution bug in Citrix’s application delivery controller (which customers use to perform load balancing of inbound application traffic); CVE 2019-11510, which allows attackers to remotely read sensitive files stored by the Pulse Secure Pulse Connect Secure VPN; CVE 2018-13379, a path-traversal weakness in VPNs made by Fortinet; and CVE 2020-5902, a code-execution vulnerability in the BIG-IP advanced delivery controller made by F5.
The top 12 flaws are:
arbitrary code execution
arbitrary file reading
F5- Big IP
remote code execution (RCE)
elevation of privilege
elevation of privilege
Breaching the gate
The vulnerabilities—all of which have received patches from vendors—have provided the opening vector from an untold number of serious intrusions. For instance, according to an advisory the US government issued in April, hackers working for the Russian government routinely exploited CVE-2018-13379, CVE-2019-11510, and CVE-2019-19781.
That same month, word emerged that a different set of hackers was also exploiting CVE-2018-13379. In one case, the hackers allowed ransomware operators to seize control of two production facilities belonging to a European manufacturer.
Wednesday’s advisory went on to say:
CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.
The officials also listed 13 vulnerabilities discovered this year that are also being exploited in large numbers. The vulnerabilities are:
Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065
Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
The advisory provides technical details for each vulnerability, mitigation guidance, and indicators of compromise to help organizations determine if they’re vulnerable or have been hacked. The advisory also provides guidance for locking down systems.
2021’s infamous chip shortages aren’t only affecting automakers. In a post-earnings conference call Tuesday, Apple CEO Tim Cook said, “We’ll do everything we can to mitigate whatever circumstances we’re dealt”—a statement that likely means the company will ration its chip supplies, prioritizing the most profitable and in-demand items such as iPhones and AirPods, at the expense of less profitable and lower-demand items.
CFRA analyst Angelo Zino told Reuters that Cook’s somewhat cryptic statement “largely reflects the timing of new product releases”—specifically, new iPhone releases in September. Counterpoint Research Director Jeff Fieldhack speculates from the flip side of the same coin, saying the company will likely direct supply chain “pain” to its least lucrative products. “Assuming Apple prioritizes the iPhone 12 family, it probably affects iPads, Macs, and older iPhones more,” Fieldhack said.
Processor manufacturer AMD has also been carefully managing its supply chain in response to pandemic-induced shortages. With flagship products that finally outperform rival Intel’s, AMD is focusing on the more profitable high end of the market while leaving the economy segment—until a few years ago, its strongest performer—to Intel. “We’re focusing on the most strategic segments of the PC market,” CEO Lisa Su told investors on a conference call.
Apple and AMD are two of semiconductor foundry TSMC’s largest customers—but the problem isn’t limited to TSMC. Intel, which operates its own foundries, acknowledges supply problems of its own. Intel CEO Pat Gelsinger told the BBC that shortages will get worse in the second half of 2021—and that it will be “a year or two” before supplies return to normal.
Gelsinger played up the importance of building new foundries, as Intel is currently doing in Arizona. But he warns that the foundries will take time to get up to speed and begin alleviating shortages—predicting “a year to two years until we’re back to some reasonable supply-demand balance.” This news arrives on the heels of a delay Intel announced this week for its forthcoming 7 nm process, now not expected until 2022.
In some ways, Intel may actually benefit long-term from the pandemic-related supply chain shortages. Although Intel is falling behind rivals AMD and Apple in both performance and power efficiency, the market can only move so far in the absence of supply.
With all vendors selling essentially every processor they can build, Intel’s long-standing ability to produce 80 percent of the world’s x86 desktop CPUs and 90 percent of x86 data center CPUs cements its place in the market—for now—despite ceding performance crowns to its rivals.
“A security update will be applied to Drive,” Google’s weird new email reads. A whole bunch of us on the Ars Technica staff got blasted with this last night. If you visit drive.google.com, you’ll also see a message saying, “On September 13, 2021, a security update will be applied to some of your files.” You can even see a list of the affected files, which have all gotten an unspecified “security update.” So what is this all about?
Google is changing the way content sharing works on Drive. Drive files have two sharing options: a single-person allow list (where you share a Google Doc with specific Google accounts) and a “get link” option (where anyone with the link can access the file). The “get link” option works the same way as unlisted YouTube videos—it’s not really private but, theoretically, not quite public, either, since the link needs to be publicized somewhere. The secret sharing links are really just security through obscurity, and it turns out the links are actually guessable.
Along with Drive, Google is also changing the way unlisted YouTube links work, and the YouTube support page actually describes this change better than Drive does:
In 2017, we rolled out an update to the system that generates new YouTube Unlisted links, which included security enhancements that make the links for your Unlisted videos even harder for someone to discover if you haven’t shared the link with them.
Google knew about the problem of guessable secret links for a while and changed the way link generation works back in 2017 (presumably for Drive, too?). Of course, that doesn’t affect links you’ve shared in the past, and soon Google is going to require your old links to change, which can break them. Google’s new link scheme adds a “resourcekey” to the end of any shared Drive links, making them harder to guess. So a link that used to look like “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/” will now look like “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w.” The resource key makes it harder to guess.
If you head to drive.google.com/drive/update-drives in a browser, you should be able to see a list of your impacted files, and if you mouse over them you’ll see a button on the right to remove or apply the security update. “Applied” means the resourcekey will be required after September 13, 2021, and will (mostly) break the old link, while “removed” means the resourcekey isn’t required and any links out there should keep working.
YouTube already went through this process earlier in the month, with all unlisted links before 2017 going dead, unless the owners of the videos are still active on YouTube and opted out. Drive is doing this with a bit more finesse than YouTube, though. Thanks to account-based sharing, anyone who accessed your unlisted Drive links in the past will still be granted access to them, even if you upgrade the security. No new people will be able to access the old, upgraded link, though. This way, if you have a stable community that uses an unlisted file, it should mostly be able to keep on trucking. Any new members, however, will be locked out and will need to request access. If you don’t want this, at any point the owner of the file can hit the “share” button and change the settings to generate a new link or turn off the link altogether.
Not letting third parties create a list of all your unlisted files is a good thing, but don’t confuse this link change with any actual security. You should never share anything over the “unlisted” or “get link” features on YouTube, Drive, or Google Photos if you actually want it to be private. Secret links are just security through obscurity, and even with Google’s upgrades, they should not be considered secure or undiscoverable. This arrangement is totally fine for casual documents, but always assume that anyone in the world can read an “unlisted” file. If you’re OK with that, fine. But if not, use Google’s actually private account-based sharing options.