Biz & IT

Review: Apple’s new iPad mini continues to be mini

The iPad mini is super enjoyable to use and is the best-sized tablet for everything but traditional laptop work. It’s very good and I’m glad Apple updated it.

Using Apple Pencil is aces on the smaller mini; don’t worry about the real estate being an issue if you like to scribble notes or make sketches. It’s going to fall behind a larger iPad for a full-time artist, but as a portable scratch pad it’s actually far less unwieldy or cumbersome than an iPad Pro or Air will be.

The only caveat? After using the brilliant new Pencil, the old one feels greasy and slippery by comparison, and lacks that flat edge that helps so much when registering against your finger for shading or sketching out curves.

The actual act of drawing is nice and zippy, and features the same latency and responsiveness as the other Pencil-capable models.

The reasoning behind using the old pencil here is likely a result of a combination of design and cost-saving decisions. No flat edge would require a rethink of the magnetic Pencil charging array from the iPad Pro and it is also apparently prohibitively expensive in a way similar to the smart connector. Hence its lack of inclusion on either Air or mini models.

Touch ID feels old and slow when compared to iPad Pro models, but it’s not that bad in a mini, where you’re almost always going to be touching and holding it rather than setting it down to begin typing. It still feels like you’re being forced to take an awkward, arbitrary additional action to start using the iPad though. It really puts into perspective how fluidly Face ID and the new gestures work together.

The design of the casing remains nearly identical, making for broad compatibility with old cases and keyboards if you use those with it. The camera has changed positions and the buttons have been moved slightly though, so I would say your mileage may vary if you’re bringing old stuff to the table.

The performance of the new mini is absolutely top notch. While it falls behind when compared to the iPad Pro, it is exactly the same (I am told, I do not have one to test yet) as the iPad Air. It’s the same on paper though, so I believe it in general and there is apparently no “detuning” or under-clocking happening. This makes the mini a hugely powerful tiny tablet, clearly obliterating anything else in its size class.

The screen is super solid, with great color, nearly no air gap and only lacking tap-to-wake.

That performance comes at a decently chunky price, $399. If you want the best, you pay for it.

Last year I took the 12.9” iPad Pro on a business trip to Brazil, with no backup machine of any sort. I wanted to see if I could run TechCrunch from it — from planning to events to editorial and various other multi-disciplinary projects. It worked so well that I never went back, and have not opened my MacBook in earnest since. I’ll write up that experience at some point because I think there are some interesting things to talk about there.

I include that context here because, though the iPad Pro is a whole-ass computer and really capable, it is not exactly “fun” to use in non-standard ways. That’s where the iPad mini has always shined and continues to do so.

It really is pocketable in a loose jacket or coat. Because the mini is not heavy, it exerts little of the constant torsion and strain on your wrist that a larger iPad does, making it easy to use one-handed.

I could go on, but in the end, all that can be said about the iPad mini being “the small iPad” has already been said ad nauseam over the years, beginning with the first round of reviews back in 2012. This really is one of the most obvious choices Apple has in its current iPad lineup. If you want the cheap one, get the cheap one (excuse me, “most affordable” one). And if you want the small one, get the iPad mini.

The rest of the iPads in Apple’s lineup have much more complicated purchasing flow charts — the mini does indeed sell itself.

Back even before we knew for sure that a mini iPad was coming, I wrote about how Apple could define the then very young small-tablet market. It did. No other small-tablet model has ever made a huge dent on the market, unless you count the swarm of super-crappy Android tablets that people buy in blister packs expecting them to eventually implode as a single hive-mind model.

Here’s how I saw it in 2012:

To put it bluntly, there is no small tablet market…Two years ago we were talking about the tablet market as a contiguous whole. There was talk about whether anyone would buy the iPad and that others had tried to make consumer tablets and failed. Now, the iPad is a massive success that has yet to be duplicated by any other manufacturer or platform.

But the tablet market isn’t a single ocean, it’s a set of interlocking bodies of water that we’re just beginning to see take shape. And the iPad mini isn’t about competing with the wriggling tadpoles already in the ‘small tablet’ pond, it’s about a big fish extending its dominion.

Yeah, that’s about right, still.

One huge difference, of course, is that the iPad mini now has the benefit of an enormous amount of additional apps that have been built for iPad in the interim. Apps that provide real, genuine access to content and services on a tablet — something that was absolutely not guaranteed in 2012. How quickly we forget.

In addition to the consumer segment, the iPad mini is also extremely popular in industrial, commercial and medical applications. From charts and patient records to point-of-sale and job-site reference, the mini is the perfect size for these kinds of customers. These uses were a major factor in Apple deciding to update the mini.

Though still just as pricey (in comparison) as it was when it was introduced, the iPad mini remains a standout device. It’s small, sleek, now incredibly fast and well-provisioned with storage. The smallness is a real advantage in my opinion. It allows the mini to exist as it does without having to take part in the “iPad as a replacement for laptops” debate. It is very clearly not that, while at the same time still feeling more multipurpose and useful than ever. I’m falling in real strong like all over again with the mini, and the addition of Pencil support is the sweetener on top.

Vulnerabilities in Supermicro BMCs could allow for unkillable server rootkits

If your organization uses servers that are equipped with baseboard management controllers from Supermicro, it’s time, once again, to patch seven high-severity vulnerabilities that attackers could exploit to gain control of them. And sorry, but the fixes must be installed manually.

Typically abbreviated as BMCs, baseboard management controllers are small chips that are soldered onto the motherboard of servers inside data centers. Administrators rely on these powerful controllers for various remote management capabilities, including installing updates, monitoring temperatures and setting fan speeds accordingly, and reflashing the UEFI system firmware that allows servers to load their operating systems during reboots. BMCs provide these capabilities and more, even when the servers they’re connected to are turned off.

Code execution inside the BMC? Yup

The potential for vulnerabilities in BMCs to be exploited and used to take control of servers hasn’t been lost on hackers. In 2021, hackers exploited a vulnerability in BMCs from HP Enterprise and installed a custom rootkit, researchers from Amnpardaz, a security firm in Iran, reported that year. ILObleed, as the researchers named the rootkit, hid inside the iLO, a module in HPE BMCs that’s short for Integrated Lights-Out.

ILObleed was programmed to destroy data stored on disk. If admins reinstalled the operating system, iLObleed would remain intact and reactivate the disk-wiping attack repeatedly. The unknown attackers responsible took control of the BMCs by exploiting a vulnerability HPE had fixed four years earlier. In June, the National Security Agency urged admins to follow guidance to prevent such incidents.

Researchers from security firm Binarly on Tuesday disclosed seven high-severity vulnerabilities in the IPMI (Intelligent Platform Management Interface) BMC firmware. Supermicro has acknowledged the vulnerabilities, thanked Binarly, and provided patching information here. There’s no automated way to install the updates. Supermicro said it’s unaware of any malicious exploitation of the vulnerabilities in the wild.

One of the seven vulnerabilities, tracked as CVE-2023-40289, allows for the execution of malicious code inside the BMC, but there’s a catch: Exploiting the flaw requires already obtained administrative privileges in the web interface used to configure and control the BMCs. That’s where the remaining six vulnerabilities come in. All six of them allow cross-site scripting, or XSS, attacks on machines used by admins. The exploit scenario is to use one or more of them in combination with CVE-2023-40289.

In an email, Binarly founder and CEO Alex Matrosov wrote:

Exploiting this vulnerability requires already obtained administrative privileges in the BMC Web Interface. To achieve it, a potential attacker can utilize any of the XSS vulnerabilities we found. In such a case, the exploitation path will look like this potential scenario:

1. an attacker prepares a malicious link with the malicious payload
2. includes it in phishing emails (for example)
3. when this click is opened, the malicious payload will be executed inside BMC OS.

Admins can remotely communicate with Supermicro BMCs through various protocols, including SSH, IPMI, SNMP, WSMAN, and HTTP/HTTPS. The vulnerabilities Binarly discovered can be exploited using HTTP. While the NSA and many other security practitioners strongly urge that BMC interfaces be isolated from the Internet, there’s evidence that this advice is routinely ignored. A recent query to the Shodan search engine revealed more than 70,000 instances of Supermicro BMC that have their IPMI web interface publicly available.

A screenshot showing Shodan results.

The road map for exploiting the vulnerabilities against servers with Supermicro interfaces exposed this way is illustrated below:

The road map for exploiting a BMC that has its web interface exposed to the Internet.

In Tuesday’s post, Binarly researchers wrote:

First, it is possible to remotely compromise the BMC system by exploiting vulnerabilities in the Web Server component exposed to the Internet. An attacker can then gain access to the Server’s operating system via legitimate iKVM remote control BMC functionality or by flashing the UEFI of the target system with malicious firmware that allows persistent control of the host OS. From there, nothing prevents an attacker from lateral movement within the internal network, compromising other internal hosts.

All the vulnerabilities Binarly discovered originate in IPMI firmware that third-party developer ATEN developed for Supermicro. While ATEN patched CVE-2023-40289 six months ago, the fix never made its way into the firmware.

“This is a supply chain problem because it can be other BMC vendors that can be potentially impacted by these vulnerabilities,” Matrosov wrote.

Facebook’s new AI stickers can generate Mickey Mouse holding a machine gun

A selection of AI-generated stickers created in Facebook Messenger and shared on social media site X.

Less than a week after Meta unveiled AI-generated stickers in its Facebook Messenger app, users are already abusing it to create potentially offensive images and sharing the results on social media, reports VentureBeat. In particular, an artist named Pier-Olivier Desbiens posted a series of virtual stickers that went viral on X on Tuesday, starting a thread of similarly problematic AI image generations shared by others.

“Found out that facebook messenger has ai generated stickers now and I don’t think anyone involved has thought anything through,” Desbiens wrote in his post. “We really do live in the stupidest future imaginable,” he added in a reply.

Available to some users on a limited basis, the new AI stickers feature allows people to create AI-generated simulated sticker images from text-based descriptions in both Facebook Messenger and Instagram Messenger. The stickers are then shared in chats, similar to emojis. Meta uses its new Emu image synthesis model to create them and has implemented filters to catch many potentially offensive generations. But plenty of novel combinations are slipping through the cracks.

The questionable generations shared on X include Mickey Mouse holding a machine gun or a bloody knife, the flaming Twin Towers of the World Trade Center, the pope with a machine gun, Sesame Street’s Elmo brandishing a knife, Donald Trump as a crying baby, Simpsons characters in skimpy underwear, Luigi with a gun, Canadian Prime Minister Justin Trudeau flashing his buttocks, and more.

This isn’t the first time AI-generated imagery has inspired threads full of giddy experimenters trying to break through content filters on social media. Generations like these have been possible in uncensored open source image models for over a year, but it’s notable that Meta publicly released a model that can create them without more strict safeguards in place through a feature integrated into flagship apps such as Instagram and Messenger.

Notably, OpenAI’s DALL-E 3 has been put through similar paces recently, with people testing the AI image generator’s filter limits by creating images that feature real people or include violent content. It’s difficult to catch all the potentially harmful or offensive content across cultures worldwide when an image generator can create almost any combination of objects, scenarios, or people you can imagine. It’s yet another challenge facing moderation teams in the future of both AI-powered apps and online spaces.

A selection of AI-generated stickers created in Facebook Messenger.

Over the past year, it has been common for companies to beta-test generative AI systems through public access, which has brought us doozies like Meta’s flawed Galactica model last November and the unhinged early version of the Bing Chat AI model. If past instances are any indication, when something offensive gets wide attention, the developer typically reacts by either taking it down or strengthening built-in filters. So will Meta pull the AI stickers feature or simply clamp down by adding more words and phrases to its keyword filter?

When VentureBeat reporter Sharon Goldman questioned Meta spokesperson Andy Stone about the stickers late Tuesday, he pointed to a blog post titled Building Generative AI Features Responsibly and said, “As with all generative AI systems, the models could return inaccurate or inappropriate outputs. We’ll continue to improve these features as they evolve and more people share their feedback.”

They’ve begun: Attacks exploiting vulnerability with maximum 10 severity rating

Ransomware hackers have started exploiting one or more recently fixed vulnerabilities that pose a grave threat to enterprise networks around the world, researchers said.

One of the vulnerabilities has a severity rating of 10 out of a possible 10 and another 9.9. They reside in WS_FTP Server, a file-sharing app made by Progress Software. Progress Software is the maker of MOVEit, another piece of file-transfer software that was recently hit by a critical zero-day vulnerability that has led to the compromise of more than 2,300 organizations and the data of more than 23 million people, according to security firm Emsisoft. Victims include Shell, British Airways, the US Department of Energy, and Ontario’s government birth registry, BORN Ontario, the latter of which led to the compromise of information for 3.4 million people.

About as bad as it gets

CVE-2023-40044, as the vulnerability in WS_FTP Server is tracked, and a separate vulnerability tracked as CVE-2023-42657 that was patched in the same October 28 update from Progress Software, are both about as critical as vulnerabilities come. With a severity rating of 10, CVE-2023-40044 allows attackers to execute malicious code with high system privileges with no authentication required. CVE-2023-42657, which has a severity rating of 9.9, also allows for remote code execution but requires the hacker to first be authenticated to the vulnerable system.

Last Friday, researchers from security firm Rapid7 delivered the first indication that at least one of these vulnerabilities might be under active exploitation in “multiple instances.” On Monday, the researchers updated their post to note they had discovered a separate attack chain that also appeared to target the vulnerabilities. Shortly afterward, researchers from Huntress confirmed an “in-the-wild exploitation of CVE-2023-40044 in a very small number of cases within our partner base (single digits currently).” In an update Tuesday, Huntress said that on at least one hacked host, the threat actor added persistence mechanisms, meaning it was attempting to establish a permanent presence on the server.

Also on Tuesday came a post on Mastodon from Kevin Beaumont, a security researcher with extensive ties to organizations whose enterprise networks are under attack.

“An org hit by ransomware is telling me the threat actor got in via WS_FTP, for infos, so you might want to prioritize patching that,” he wrote. “The ransomware group targeting WS_FTP are targeting the web version.” He added advice for admins using the file transfer program to search for vulnerable entry points using the Shodan search tool.

A bit shocking

CVE-2023-40044 is what’s known as a deserialization vulnerability, a form of bug in code that allows user-submitted input to be converted into a structure of data known as an object. In programming, objects are variables, functions, or data structures that an app refers to. By essentially transforming untrusted user input into code of the attacker’s making, deserialization exploits have the potential to carry severe consequences. The deserialization vulnerability in WS_FTP Server is found in code written in the .NET programming language.

Researchers from security firm Assetnote discovered the vulnerability by decompiling and analyzing the WS_FTP Server code. They eventually identified a “sink,” which is code designed to receive incoming events, that was vulnerable to deserialization and worked their way back to the source.

“Ultimately, we discovered that the vulnerability could be triggered without any authentication, and it affected the entire Ad Hoc Transfer component of WS_FTP,” Assetnote researchers wrote Monday. “It was a bit shocking that we were able to reach the deserialization sink without any authentication.”

Besides requiring no authentication, the vulnerability can be exploited by sending a single HTTP request to a server, as long as there’s what’s known as a ysoserial gadget pre-existing.
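The bug class described above, shown as an added example that is not code from WS_FTP Server, Progress, or Assetnote: Python's `pickle` stands in for the .NET serializer, and `platform.node` is a harmless stand-in for a gadget already present in the receiving process. All class and function names are hypothetical, and the payloads are constructed for the demonstration.

```python
import io
import json
import pickle
import platform


class ConstructedPayload:
    """Constructed hostile object. __reduce__ lets the *sender* name the
    callable the receiver runs during load; platform.node is a harmless
    stand-in for a gadget that already exists in the receiving process."""

    def __reduce__(self):
        return (platform.node, ())


def make_hostile_blob() -> bytes:
    return pickle.dumps(ConstructedPayload())


def make_legit_blob() -> bytes:
    # What the endpoint expects: plain data describing a transfer.
    return pickle.dumps({"name": "report.pdf", "size": 1024})


def unsafe_load(blob: bytes):
    """Vulnerable pattern: the byte stream decides what is imported and called."""
    return pickle.loads(blob)


class DataOnlyUnpickler(pickle.Unpickler):
    """Hardened pattern: refuse every class or function lookup, so only
    built-in containers and scalars can come out of the stream."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def restricted_load(blob: bytes):
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


def parse_transfer_request(text: str) -> dict:
    """Preferred fix: a data-only format plus explicit field validation."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or set(doc) != {"name", "size"}:
        raise ValueError("unexpected fields")
    if not isinstance(doc["name"], str):
        raise ValueError("name must be a string")
    if type(doc["size"]) is not int or doc["size"] < 0:
        raise ValueError("size must be a non-negative integer")
    return doc


if __name__ == "__main__":
    # The caller expected a dict but gets whatever the named callable returned.
    print("unsafe load returned:", repr(unsafe_load(make_hostile_blob())))
    print("restricted load of plain data:", restricted_load(make_legit_blob()))
    try:
        restricted_load(make_hostile_blob())
    except pickle.UnpicklingError as exc:
        print("restricted load refused:", exc)
```

The restricted loader fails closed on any type lookup, which is why the same request that succeeds against `unsafe_load` is rejected before any callable runs.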

The WS_FTP Server vulnerability may not pose as grave a threat to the Internet as a whole compared to the exploited vulnerability in MOVEit. One reason is that a fix for WS_FTP Server became publicly available before exploits began. That gave organizations using the file-transfer software time to patch their servers before they came under fire. Another reason: Internet scans find many fewer servers running WS_FTP Server as compared to MOVEit.

Still, the damage to networks that have yet to patch CVE-2023-40044 will likely be as severe as what was inflicted on unpatched MOVEit servers. Admins should prioritize patching, and if that’s not possible right away, disable the server’s Ad Hoc Transfer mode. They should also analyze their environments for signs they’ve been hacked. Indicators of compromise include:

Other helpful security guidance is available here from security firm Tenable.
