Transportation Weekly: Polestar CEO speaks, Tesla terminology, and a tribute

Welcome back to Transportation Weekly; I’m your host Kirsten Korosec, senior transportation reporter at TechCrunch. This is the fourth edition of our newsletter, a weekly jaunt into the wonderful world of transportation and how we (and our packages) move.

This week we chat with Polestar CEO Thomas Ingenlath, dig into Lyft’s S-1, take note of an emerging trend in AV development, and check out an experiment with paving. Oh, and how could we forget Tesla.

Never heard of TechCrunch’s Transportation Weekly? Catch up here, here and here. As I’ve written before, consider this a soft launch. Follow me on Twitter @kirstenkorosec to ensure you see it each week. (An email subscription is coming). 


ONM …

There are OEMs in the automotive world. And here, (wait for it) there are ONMs — original news manufacturers. (Cymbal clash!) This is where investigative reporting, enterprise pieces and analysis on transportation lives.

This week, we’re featuring excerpts taken from a one-on-one interview with Polestar CEO Thomas Ingenlath.

On February 27, Volvo’s standalone electric performance brand Polestar introduced its first all-electric vehicle, a five-door fastback called the Polestar 2. The EV, which has a 78 kWh battery pack and can travel 275 miles (estimated EPA guidance) on a single charge, will be manufactured at a new factory in Chengdu, China. Other notable specs: The infotainment system will be powered by Android OS, Polestar is offering subscriptions to the vehicle, and production starts in 2020.

Here is what Ingenlath had to say to me about …

EV charging infrastructure

To be very unpolitical, I think it would be totally stupid if we were to aim to develop electric charging infrastructure on our own or for our brand specifically. If you join the electric market today, of course, you would see partnerships; that’s a sensible thing to do. Car companies together are making a big effort in getting out a network of necessary charging stations along the highway.

That’s what we’re doing; we’re teaming up and have the contracts being designed and soon signed.

On the company’s approach to automation 

The terminology is important for us. We very clearly put that into a different picture; we’re not talking about, and we clearly do not ever want to label it, an “autopilot.” The focus of this system is a very safe distance control, which brakes for you and accelerates for you, and of course, the lane keeping. This is not about developing an autopilot system, it is about giving you safety. And that’s where we don’t want to provoke people thinking that they have a full rollout autopilot system there. But it is a system that helps you being safe and protected on the road.

I also reached out to Transportation Weekly readers and asked what they wanted to know and then sent some of those questions to Ingenlath.

TW Reader: How did it feel taking one of your personal styling elements – the C shaped rear lamps – from your previous brand over to Polestar?

Ingenlath: It’s an evolutionary process. Polestar naturally builds on its “mother’s” DNA and as a new branch develops its own personality. Thor’s hammer, the rear light signature — with each new model launch (Volvo and Polestar) those elements diverge into a brand-specific species.

TW Reader: How much do you still get to do what you love, which is design?

Ingenlath: Being creative is still my main job, now applied on a broader scope — trying to lead a company with a creative and brand-building mindset. Still, I love the Fridays when I meet up with Robin and Max to review the models, sketches and new data. We really enjoy driving the design of both brands to new adventures.


Dig In

Tesla is finally going to offer customers a $35,000 Model 3. How the automaker is able to sell this electric vehicle at the long-awaited $35,000 price point is a big piece of that story — and one that some overlooked. In short, the company is blowing up its sales model and moving to an online only strategy. Tesla stores will close or be converted to “information centers” and retail employees will be laid off.

But this is not what we’re going to talk about today. Tesla has also brought back its so-called “full self-driving” feature, which was removed as an option on its website last year. Now it’s back. Owners can opt for Autopilot, which has automatic steering on highways and traffic-aware cruise control, or FSD.

FSD capability includes several features such as Navigate on Autopilot that is supposed to guide a car from a highway on-ramp to off-ramp, including navigating interchanges and making lane changes. FSD also includes Advanced Summon, Auto Lane Change, and Autopark. Later this year, the system will recognize and respond to traffic lights in more complex urban environments, Tesla says.

All of these features require the driver to be engaged (or ready to take over), yet it’s called “full self-driving.” Now Tesla has two controversially named automation features. (The other is Autopilot). As Andrew Hawkins at The Verge noted in his coverage, “experts are beginning to realize that the way we discuss, and how companies market, autonomy is significant.”

Which begs the obvious question, and one that I asked Musk during a conference call on Thursday. “Isn’t it a problem that you’re calling this full self-driving capability when you’re still going to require the driver to take control or be paying attention?” (I also wanted to ask a follow-up on his response, but the moderator moved on to the next reporter).

His response:

“We are very clear when you buy the car what is meant by full self driving. It means it’s feature complete, but feature complete requiring supervision.

As we get more — we really need billions of miles, if not maybe 10 billion sort of miles or kilometers on that order collectively from the fleet — then in our opinion probably at that point supervision is not required, but that will still be up to regulators to agree.

So we’re just very clear. There’s really three steps: there’s being feature complete of full self driving that requires supervision, feature complete but not requiring supervision, and feature complete not requiring supervision and regulators agree.”

In other Tesla news, the National Transportation Safety Board is investigating a crash that at first glance seems to be similar to the fatal crash that killed Tesla owner Joshua Brown.


A little bird …

We hear a lot. But we’re not selfish. Let’s share.


It’s no secret that Pittsburgh is one of the hubs of autonomous vehicle development in the world. But what’s not so widely known — except for a group of government and company insiders — is that Mayor William Peduto is on the verge of issuing an executive order that will give more visibility into testing there. 

The city’s department of mobility and infrastructure is the central coordinator of this new executive order that aims to help guide testing and policy development there. The department is going to develop guidelines for AV testing, we’re told. And it appears that information on testing will be released to the public at least once a year.

Got a tip or overheard something in the world of transportation? Email me or send a direct message to @kirstenkorosec.


Deal of the week

Daimler and BMW are supposed to be competitors. And they are, except with mapping (both are part of the HERE consortium), mobility services (car sharing, ride-sharing), and now the development of highly automated driving systems. The deal is notable because it illustrates a larger trend that has emerged as the AV industry hunkers down into the “trough of disillusionment.” And that’s consolidation. If 2016 was the year of splashy acquisitions, then 2019 is shaping up to be chock-full of alliances and failures (of some startups).

Also interesting to note, and one that will make some AV safety experts cringe, both companies are working on Level 3 driving automation, a designation by the SAE that means conditional driving automation in which multiple high levels of automation are available in certain conditions, but a human driver must be ready to take over. This level of automation is the most controversial because of the so-called “hand off” problem in which a human driver is expected to take control of the wheel in time.

Speaking of partnerships, another deal that got our attention this week involved New York-based mapping and data analytics startup Carmera and Toyota Research Institute-Advanced Development. TRI-AD is an autonomous drive unit started by Toyota with Denso and Aisin. TRI-AD’s mission is to take the research being done over at the Toyota Research Institute and turn it into a product.

The two companies are going to test a concept that will use cameras in Toyota test vehicles to collect data from downtown Tokyo and use it to create high definition maps for urban and surface roads.

TRI-AD considers this the first step towards its open software platform concept known as Automated Mapping Platform, which will be used to support the scalability of highly automated driving by combining data gathered from vehicles of participating companies to generate HD maps. AMP is new and has possible widespread implications at Toyota. And TRI-AD is full of A-listers, including CEO James Kuffner, who came from the Google self-driving project; Nikos Michalakis, who built Netflix’s cloud platform; and Mandali Khalesi, who was at HERE.

Read more on Khalesi and Toyota’s open source ambitions here.

Other deals:


Snapshot

Snapshot this week is a bit untraditional. It’s literally a snapshot of myself and my grandmother, months before her 100th birthday. Her memorial service was held Saturday. She died at 101.

I suppose I could blame my emotions and timing for her sudden inclusion in this week’s newsletter. But if Evelyn deserves a tribute anywhere, it’s here at TechCrunch.

I often wonder what technical field she would have ended up in, if given the opportunity. Given her specific skill set, I think she would have been a wonderful mechanical engineer. She was a closet techie, a lover of science fiction who was equally fascinated by the very real breakthroughs in science and space travel that occurred throughout her lifetime. Her 30-year career as a factory worker at an avionics manufacturer certainly wasn’t romantic. But it did give her a certain technical acumen (not to mention tenacity) that I admired.

And, she was one of my favorite test car companions. She loved cars and fast ones, but not so much driving them. Every time I got a new press car, we’d hit the road and she’d encourage me to take the turns a bit faster — sometimes beyond my comfort zone.

She also loved road trips and in the 1920s and 30s, her father would drive the family on the mostly dirt roads from New Jersey to Vermont and even Canada. In her teens, she loved riding in the rumble seat, a feature found in a few vehicles at the time including the Ford Model A.

She was young at heart, until the very end. And my one regret is that I didn’t find a way to get her into an autonomous vehicle.

Next week, we’ll focus on the youngest drivers and one automotive startup that is targeting that demographic.


Tiny but mighty micromobility

Lyft’s S-1 lays out the risks associated with its micromobility business and its intent to continue relying on third parties to manufacture its bikes and scooters. Here’s a key nugget about adoption:

“While some major cities have widely adopted bike and scooter sharing, there can be no assurance that new markets we enter will accept, or existing markets will continue to accept, bike and scooter sharing, and even if they do, that we will be able to execute on our business strategy or that our related offerings will be successful in such markets. Even if we are able to successfully develop and implement our network of shared bikes and scooters, there may be heightened public skepticism of this nascent service offering.”

And another about seasonality:

“Our limited operating history makes it difficult for us to assess the exact nature or extent of the effects of seasonality on our network of shared bikes and scooters, however, we expect the demand for our bike and scooter rentals to decline over the winter season and increase during more temperate and dry seasons.”

Lyft, which bought bike-share company Motivate back in July, also released some data about its electric pedal-assist bikes this week, showing that the pedal assist bikes are, unsurprisingly, more popular than the traditional bikes. They also traveled longer distances and improved winter ridership numbers. Now, Lyft is gearing up to deploy 4,000 additional electric bikes to the Citi Bike system in New York City.

One more thing …

Google Maps has added a feature that lets users see Lime scooters, pedal bikes and e-bikes right from the transit tab in over 80 new cities around the world. Users can click the tab to find out if a Lime vehicle is available, how long it’ll take to walk to the vehicle, an estimate of how much their ride could cost, along with total journey time and ETA.


Notable reads

If you take the time to read anything this week (besides this newsletter), spend some time with Lyft’s S-1. The ride-hailing company’s prospectus mentions autonomous 109 times. In short, yeah, it’s something the company’s executives are thinking about and investing in.

Lyft says it has a two-pronged strategy to bring autonomous vehicles to market. The company is encouraging developers of autonomous vehicle technology to use its open platform to get access to its network and enable their vehicles to fulfill rides on the Lyft platform. And Lyft is trying to build its own autonomous vehicle system at its confusingly named “Level 5 Engineering Center.”

  • The company’s primary investors are Rakuten with a 13 percent stake, GM with 7.8 percent, Fidelity with 7.7 percent, Andreessen Horowitz with 6.3 percent and Alphabet with 5.3 percent. GM and Alphabet have business units, GM Cruise and Waymo respectively, that are also developing AV technology.
  • Through Lyft’s partnership with AV systems developer and supplier Aptiv, people in Las Vegas have taken more than 35,000 rides in Aptiv autonomous vehicles with a safety driver since January 2018.
  • One of the “risks” the company lists is “a failure to detect a defect in our autonomous vehicles or our bikes or scooters.”

Other quotable notables:

Check out the Pedestrian Traffic Fatalities by State report, and a newly released report from Volvo Car USA and The Harris Poll called The State of Electric Vehicles in America.


Testing and deployments

Again, deployment doesn’t always mean the latest autonomous vehicle pilot.

On Saturday, Sidewalk Labs hosted its Open Sidewalk event in Toronto. This is part of Sidewalk Toronto, a joint effort by Waterfront Toronto and Alphabet’s Sidewalk Labs to create a “mixed-use, complete community” on Toronto’s Eastern Waterfront.

The idea of this event was to share ideas and prototypes for making outdoor public space the “social default year-round.” One such prototype, “hexagonal paving,” got our attention because of its use case for traffic control and pedestrian and bicyclist safety. (Pictured below)

These individual precast concrete slabs are movable and permeable, and can light up and give off heat. The idea is that these hexagonal-shaped slabs can be used to clear snow and ice in trouble spots and light up to warn drivers and pedestrians of changes to the street use, to illuminate an area for public uses, or even to designate bike lanes and hazard zones. And because they’re permeable they can be used to absorb stormwater or melted snow and guide it to underground stormwater management systems.

Sidewalk Labs tells me that the pavers have “plug and play” holes, which allow things like bike racks, bollards, and sign posts to be inserted. Sidewalk Labs initially built these with wood, and the new prototype is the next iteration, featuring modules built from concrete.


On our radar

There is a lot of transportation-related activity this month.

The Geneva Motor Show: Press days are March 5 and March 6. Expect concept, prototype and production electric vehicles from Audi, Honda, Kia, Peugeot, Pininfarina, Polestar, Spanish car company Hispano Suiza, and Volkswagen.

SXSW in Austin: TechCrunch will be at SXSW this coming week. Here’s where I’ll be.

  • 2 p.m. to 6:30 p.m. March 9 at the Empire Garage for the Smart Mobility Summit, an annual event put on by Wards Intelligence and C3 Group. The Autonocast, the podcast I co-host with Alex Roy and Ed Niedermeyer, will also be on hand.
  • 9:30 a.m. to 10:30 a.m. March 12 at the JW Marriott. The Autonocast and founding general partner of Trucks VC, Reilly Brennan will hold a SXSW podcast panel on automated vehicle terminology and other stuff.
  • 3:30 p.m. over at the Hilton Austin Downtown, I’ll be moderating a panel, Re-inventing the Wheel: Own, Rent, Share, Subscribe. Sherrill Kaplan with Zipcar, Amber Quist with Silvercar and Russell Lemmer with Dealerware will join me.
  • TechCrunch is also hosting a SXSW party from 1 pm to 4 pm Sunday, March 10, at 615 Red River St., that will feature musical guest Elderbrook. RSVP here.

Self Racing Cars

Finally, I’ve been in contact with Joshua Schachter who puts on the annual Self Racing Car event, which will be held March 23 and March 24 at Thunderhill Raceway near Willows, California.

There is still room for participants to test or demo their autonomous vehicles, drive train innovation, simulation, software, teleoperation, and sensors. Hobbyists are welcome. Sign up to participate or drop them a line at contact@selfracingcars.com.

Thanks for reading. There might be content you like or something you hate. Feel free to reach out to me at kirsten.korosec@techcrunch.com to share those thoughts, opinions or tips. 

See you next time.

Three iOS 0-days revealed by researcher frustrated with Apple’s bug bounty

Pseudonymous researcher illusionofchaos joins a growing legion of security researchers frustrated with Apple’s slow response and inconsistent policy adherence when it comes to security flaws.

Aurich Lawson | Getty Images

Yesterday, a security researcher who goes by illusionofchaos dropped public notice of three zero-day vulnerabilities in Apple’s iOS mobile operating system. The vulnerability disclosures are mixed in with the researcher’s frustration with Apple’s Security Bounty program, which illusionofchaos says chose to cover up an earlier-reported bug without giving them credit.

This researcher is by no means the first to publicly express their frustration with Apple over its security bounty program.

Nice bug—now shhh

illusionofchaos says that they’ve reported four iOS security vulnerabilities this year—the three zero-days they publicly disclosed yesterday plus an earlier bug that they say Apple fixed in iOS 14.7. It appears that their frustration largely comes from how Apple handled that first, now-fixed bug in analyticsd.

This now-fixed vulnerability allowed arbitrary user-installed apps to access iOS’s analytics data—the stuff that can be found in Settings --> Privacy --> Analytics & Improvements --> Analytics Data—without any permissions granted by the user. illusionofchaos found this particularly disturbing, because this data includes medical data harvested by Apple Watch, such as heart rate, irregular heart rhythm, atrial fibrillation detection, and so forth.

Analytics data was available to any application, even if the user disabled the iOS Share Analytics setting.

According to illusionofchaos, they sent Apple the first detailed report of this bug on April 29. Although Apple responded the next day, it did not respond to illusionofchaos again until June 3, when it said it planned to address the issue in iOS 14.7. On July 19, Apple did indeed fix the bug with iOS 14.7, but the security content list for iOS 14.7 acknowledged neither the researcher nor the vulnerability.

Apple told illusionofchaos that its failure to disclose the vulnerability and credit them was just a “processing issue” and that proper notice would be given in “an upcoming update.” The vulnerability and its resolution still were not acknowledged as of iOS 14.8 on September 13 or iOS 15.0 on September 20.

Frustration with this failure of Apple to live up to its own promises led illusionofchaos to first threaten, then publicly drop this week’s three zero-days. In illusionofchaos’ own words: “Ten days ago I asked for an explanation and warned them that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would.”

We do not have concrete timelines for illusionofchaos’ disclosure of the three zero-days, or of Apple’s response to them—but illusionofchaos says the new disclosures still adhere to responsible guidelines: “Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120. I have waited much longer, up to half a year in one case.”

New vulnerabilities: Gamed, nehelper enumerate, nehelper Wi-Fi

The zero-days illusionofchaos dropped yesterday can be used by user-installed apps to access data that those apps should not have or have not been granted access to. We’ve listed them below—along with links to illusionofchaos’ GitHub repos with proof of concept code—in order of (our opinion of) their severity:

  • Gamed zero-day exposes Apple ID email and full name, exploitable Apple ID authentication tokens, and read access to Core Duet and Speed Dial databases
  • Nehelper Wi-Fi zero-day exposes Wi-Fi information to apps that have not been granted that access
  • Nehelper Enumerate zero-day exposes information about what apps are installed on the iOS device

The Gamed 0-day is obviously the most severe, since it both exposes Personally Identifiable Information (PII) and may be used in some cases to perform actions at *.apple.com that would normally need to be instigated either by the iOS operating system itself or by direct user interaction.

The Gamed zero-day’s read access to Core Duet and Speed Dial databases is also particularly troubling, since that access can be used to gain a pretty complete picture of the user’s entire set of interactions with others on the iOS device—who is in their contact list, who they’ve contacted (using both Apple and third-party applications) and when, and in some cases even file attachments to individual messages.

The Wi-Fi zero-day is next on the list, since unauthorized access to the iOS device’s Wi-Fi info might be used to track the user—or, possibly, learn the credentials necessary to access the user’s Wi-Fi network. The tracking is typically a more serious concern, since physical proximity is generally required to make Wi-Fi credentials themselves useful.

One interesting thing about the Wi-Fi zero-day is the simplicity of both the flaw and the method by which it can be exploited: “XPC endpoint com.apple.nehelper accepts user-supplied parameter sdk-version, and if its value is less than or equal to 524288, com.apple.developer.networking.wifi-info entitlement check is skipped.” In other words, all you need to do is claim to be using an older software development kit—and if so, your app gets to ignore the check that should disclose whether the user consented to access.

The Nehelper Enumerate zero-day appears to be the least damaging of the three. It simply allows an app to check whether another app is installed on the device by querying for the other app’s bundleID. We haven’t come up with a particularly scary use of this bug on its own, but a hypothetical malware app might leverage such a bug to determine whether a security or antivirus app is installed and then use that information to dynamically adapt its own behavior to better avoid detection.

Conclusions

Assuming illusionofchaos’ description of their disclosure timeline is correct—that they’ve waited for longer than 30 days, and in one case 180 days, to publicly disclose these vulnerabilities—it’s hard to fault them for the drop. We do wish they had included full timelines for their interaction with Apple on all four vulnerabilities, rather than only the already-fixed one.

We can confirm that this frustration of researchers with Apple’s security bounty policies is by no means limited to this one pseudonymous researcher. Since Ars published a piece earlier this month about Apple’s slow and inconsistent response to security bounties, several researchers have contacted us privately to express their own frustration. In some cases, researchers included video clips demonstrating exploits of still-unfixed bugs.

We have reached out to Apple for comment, but we have yet to receive any response as of press time. We will update this story with any response from Apple as it arrives.


Exchange/Outlook autodiscover bug exposed 100,000+ email passwords

If you own the right domain, you can intercept hundreds of thousands of innocent third parties’ email credentials, just by operating a standard webserver.

Security researcher Amit Serper of Guardicore discovered a severe flaw in Microsoft’s autodiscover—the protocol which allows automagical configuration of an email account with only the address and password required. The flaw allows attackers who purchase domains named “autodiscover”—for example autodiscover.com, or autodiscover.co.uk—to intercept the clear-text account credentials of users who are having network difficulty (or whose admins incorrectly configured DNS).

Guardicore purchased several such domains and operated them as proof-of-concept credential traps from April 16 to August 25 of this year:

  • Autodiscover.com.br
  • Autodiscover.com.cn
  • Autodiscover.com.co
  • Autodiscover.es
  • Autodiscover.fr
  • Autodiscover.in
  • Autodiscover.it
  • Autodiscover.sg
  • Autodiscover.uk
  • Autodiscover.xyz
  • Autodiscover.online

A web server connected to these domains received hundreds of thousands of email credentials—many of which also double as Windows Active Directory domain credentials—in clear text. The credentials are sent from clients which request the URL /Autodiscover/autodiscover.xml, with an HTTP Basic authentication header which already includes the hapless user’s Base64-encoded credentials.

Three major flaws contribute to the overall vulnerability: the Autodiscover protocol’s “backoff and escalate” behavior when authentication fails, its failure to validate Autodiscover servers prior to giving up user credentials, and its willingness to use insecure mechanisms such as HTTP Basic in the first place.

Failing upward with autodiscover

The Autodiscover protocol’s real job is the simplification of account configuration—you can perhaps rely on a normal user to remember their email address and password, but decades of computing have taught us that asking them to remember and properly enter details like POP3 or IMAP4, TLS or SSL, TCP 465 or TCP 587, and the addresses of actual mail servers is several bridges too far.

The Autodiscover protocol allows normal users to configure their own email accounts without help, by storing all of the nonprivate portions of account configuration on publicly accessible servers. When you set up an Exchange account in Outlook, you feed it an email address and a password: for example, bob@example.contoso.com with password Hunter2.

Armed with the user’s email address, Autodiscover sets about finding configuration information in a published XML document. It will try both HTTP and HTTPS connections to the following URLs. (Note: contoso is a Microsoftism, representing an example domain name rather than any specific domain.)

  • http(s)://Autodiscover.example.contoso.com/Autodiscover/Autodiscover.xml
  • http(s)://example.contoso.com/Autodiscover/Autodiscover.xml

So far, so good—we can reasonably assume that anyone allowed to place resources in either example.contoso.com or its Autodiscover subdomain has been granted explicit trust by the owner of example.contoso.com itself. Unfortunately, if these initial connection attempts fail, Autodiscover will back off and try to find resources at a higher-level domain.

In this case, Autodiscover’s next step would be to look for /Autodiscover/Autodiscover.xml on contoso.com itself, as well as Autodiscover.contoso.com. If this fails, Autodiscover fails upward yet again—this time sending email and password information to autodiscover.com itself.
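To make the lookup order concrete, here is an added Python model of the fail-upward chain described above (example code written for this article, not Guardicore’s or Microsoft’s). It assumes the candidate order given in the text, tries HTTPS before HTTP for each host, and uses a small constructed public-suffix table in place of the full Public Suffix List; its `leaky_hosts` function lists the names outside the user’s own mail domain that would receive the credentials, which is what an administrator needs for the resolver-level block discussed later.

```python
"""Model of the Autodiscover "fail upward" lookup order.

Added example for this article, not Guardicore's or Microsoft's code. It
assumes the candidate order the text describes (the user's own domain and
its Autodiscover subdomain, then each parent domain, and finally
autodiscover.<public suffix>) and a constructed public-suffix table.
"""

# Constructed sample; a real tool would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "br", "com.br",
                   "xyz", "online"}

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def autodiscover_candidates(email):
    """Return, in probe order, the URLs a fail-upward client would contact
    for this address, each tagged with who controls the host:
      "own"           - the user's own mail domain (trusted by its owner)
      "parent"        - a parent domain, possibly a different organisation
      "public-suffix" - autodiscover.<suffix>, registrable by anyone
    """
    if email.count("@") != 1:
        raise ValueError(f"not a single email address: {email!r}")
    domain = email.split("@", 1)[1].strip().lower().rstrip(".")
    labels = [label for label in domain.split(".") if label]
    if not labels:
        raise ValueError("empty mail domain")

    candidates = []

    def add(host, zone):
        # Assumption: HTTPS is attempted before HTTP for each host.
        for scheme in ("https", "http"):
            candidates.append({"host": host, "zone": zone,
                               "url": f"{scheme}://{host}{AUTODISCOVER_PATH}"})

    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in PUBLIC_SUFFIXES:
            # Last resort of the protocol: a host directly under the public
            # suffix (e.g. autodiscover.com.br), owned by whoever registered it.
            add(f"autodiscover.{parent}", "public-suffix")
            break
        zone = "own" if i == 0 else "parent"
        add(f"autodiscover.{parent}", zone)
        add(parent, zone)
    return candidates


def leaky_hosts(email):
    """Hosts outside the user's own domain that would receive credentials.

    These are the names an administrator would refuse to resolve to apply
    the DNS-level mitigation."""
    seen = []
    for cand in autodiscover_candidates(email):
        if cand["zone"] != "own" and cand["host"] not in seen:
            seen.append(cand["host"])
    return seen


def safe_candidates(email):
    """Client-side fix: never fail upward, probe only the user's own domain."""
    return [c for c in autodiscover_candidates(email) if c["zone"] == "own"]


if __name__ == "__main__":
    for addr in ("bob@example.contoso.com", "ana@mail.contoso.com.br"):
        print(addr)
        for cand in autodiscover_candidates(addr):
            print(f"  [{cand['zone']:13}] {cand['url']}")
        print("  would leak to:", leaky_hosts(addr))
```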

This would be bad enough if Microsoft owned autodiscover.com—but the reality is considerably murkier. That domain was originally registered in 2002 and is currently owned by an unknown individual or organization using GoDaddy’s WHOIS privacy shield.

Guardicore’s results

In the approximately four months Guardicore ran its test credential trap, it collected 96,671 unique sets of email username and passwords in clear text. These credentials came from a wide array of organizations—publicly traded companies, manufacturers, banks, power companies, and more.

Affected users don’t see HTTPS/TLS errors in Outlook—when the Autodiscover protocol fails up from Autodiscover.contoso.com.br to Autodiscover.com.br, the protection afforded by contoso’s ownership of its own SSL cert vanishes. Whoever purchased Autodiscover.com.br—in this case, Guardicore—simply provides their own certificate, which satisfies TLS warnings despite not belonging to contoso at all.

In many cases, the Outlook or similar client will offer its user’s credentials initially in a more secure format, such as NTLM. Unfortunately, a simple HTTP 401 from the web server requesting HTTP Basic auth in its place is all that’s necessary—upon which the client using Autodiscover will comply (typically without error or warning to the user) and send the credentials in Base64 encoded plain text, completely readable by the web server answering the Autodiscover request.

Conclusions

The truly bad news here is that, from the general public’s perspective, there is no mitigation strategy for this Autodiscover bug. If your organization’s Autodiscover infrastructure is having a bad day, your client will “fail upward” as described, potentially exposing your credentials. This flaw has not yet been patched—according to Microsoft Senior Director Jeff Jones, Guardicore disclosed the flaw publicly prior to reporting it to Microsoft.

If you’re a network administrator, you can mitigate the issue by refusing DNS requests for Autodiscover domains—if every request to resolve a domain beginning in “Autodiscover” is blocked, the Autodiscover protocol won’t be able to leak credentials. Even then, you must be careful: you might be tempted to “block” such requests by returning 127.0.0.1, but this might allow a clever user to discover someone else’s email and/or Active Directory credentials, if they can trick the target into logging into the user’s PC.

If you’re an application developer, the fix is simpler: don’t implement the flawed part of the Autodiscover spec in the first place. If your application never attempts to authenticate against an “upstream” domain, it won’t leak your users’ credentials via Autodiscover.

For more technical detail, we highly recommend Guardicore’s own blog post as well as Microsoft’s own Autodiscover documentation.

Listing image by Just_Super via Getty Images


Semiconductor firms can’t find enough workers, worsening chip shortage

Don’t expect cheaper chips anytime soon.

The semiconductor chip shortage that has so vexed the auto industry looks set to continue for quite some time, according to a new industry survey. More than half of the companies that were surveyed by IPC said they expected the shortage to last until at least the second half of 2022. And right now, the chip shortage is being exacerbated by rising costs and a shortage of workers.

According to the survey, 80 percent of chip makers say that it’s become hard to find workers who have to be specially trained to handle the highly toxic compounds used in semiconductor manufacturing. The problem is worse in North America and in Asia, where more companies are reporting rising labor costs compared to those in Europe.

But only a third of Asian chip makers say they are finding it harder to find qualified workers, compared to 67 percent of North American companies and 63 percent of European companies. That may well explain why fewer Asian semiconductor companies (42 percent) are reporting increasing order backlogs, compared to 65 percent of North American and 60 percent of European companies.

Just under half (46 percent) said they were retraining their current workers to fill the gaps, and nearly as many (44 percent) said they were increasing wages to make the jobs more attractive. Other popular measures include more flexible hours and more training opportunities for workers.

Even more of the companies surveyed said that rising material costs were a problem, too—90 percent globally, with nearly as many suggesting that trend will continue for another six months at least. IPC says that chip makers’ profit margins are shrinking as a result.

That’s probably already being felt by some of their customers. According to a report by AlixPartners, the auto industry will lose out on $210 billion in revenue in 2021, forecasting a shortfall in production of 7.7 million vehicles worldwide. That’s got the US government’s attention, too. On Thursday, Commerce Secretary Gina Raimondo is meeting automakers and tech firms, as well as semiconductor companies, to see if the federal government can help.
