Domain: zdnet.com
Stories and comments across the archive that link to zdnet.com.
Stories · 2,686
-
Mark Shuttleworth Reveals Ubuntu 18.04 Will Get a 10-Year Support Lifespan (zdnet.com)
At the OpenStack Summit in Berlin last week, Ubuntu Linux founder Mark Shuttleworth said in a keynote that the Ubuntu 18.04 Long Term Support (LTS) support lifespan would be extended from five years to 10 years. "I'm delighted to announce that Ubuntu 18.04 will be supported for a full 10 years," said Shuttleworth, "in part because of the very long time horizons in some industries like financial services and telecommunications, but also from IoT, where manufacturing lines, for example, are being deployed that will be in production for at least a decade." ZDNet reports: Ubuntu 18.04 was released in April 2018. While the Ubuntu desktop gets most of the ink, most of Canonical's dollars come from server and cloud customers. It's for these corporate users that Canonical first extended Ubuntu 12.04 security support, then Ubuntu 14.04's support, and now, preemptively, Ubuntu 18.04. In an interview after the keynote, Shuttleworth said Ubuntu 16.04, which is scheduled to reach its end of life in April 2021, will also be given a longer support lifespan.
When it comes to OpenStack, Shuttleworth promised again to support versions of OpenStack dating back to 2014's IceHouse. Shuttleworth said, "What matters isn't day two, what matters is day 1,500." He also doubled down on Canonical's promise to easily enable OpenStack customers to migrate from one version of OpenStack to another. Generally speaking, upgrading from one version of OpenStack to another is like a root canal: long and painful but necessary. With Canonical OpenStack, you can step up all the way from the oldest supported version to the newest one with no more than a second of downtime. -
Trump Signs Bill That Creates the Cybersecurity and Infrastructure Security Agency (zdnet.com)
An anonymous reader quotes a report from ZDNet: U.S. President Donald Trump today signed a bill into law approving the creation of the Cybersecurity and Infrastructure Security Agency (CISA). The bill, known as the CISA Act, reorganizes and rebrands the National Protection and Programs Directorate (NPPD), a program inside the Department of Homeland Security (DHS), as CISA, a standalone federal agency in charge of overseeing civilian and federal cybersecurity programs. The NPPD, which was first established in 2007, has already been handling almost all of the DHS' cyber-related issues and projects.
As part of the DHS, the NPPD was the government entity in charge of physical and cyber-security of federal networks and critical infrastructure, and oversaw the Federal Protective Service (FPS), the Office of Biometric Identity Management (OBIM), the Office of Cyber and Infrastructure Analysis (OCIA), the Office of Cybersecurity & Communications (OC&C), and the Office of Infrastructure Protection (OIP). As CISA, the agency's prerogatives will remain the same, and nothing is expected to change in day-to-day operations, but as a federal agency, CISA will now benefit from an increased budget and more authority in imposing its directives. "Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation's critical infrastructure and cyber platforms," said NPPD Under Secretary Christopher Krebs. "The changes will also improve the Department's ability to engage with industry and government stakeholders and recruit top cybersecurity talent." -
Most ATMs Can Be Hacked in Under 20 Minutes (zdnet.com)
An extensive testing session carried out by bank security experts at Positive Technologies has revealed that most ATMs can be hacked in under 20 minutes, and even less in certain types of attacks. From a report: Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking, and detailed their findings in a 22-page report published this week. The attacks they tried are the typical types of exploits and tricks used by cyber-criminals seeking to obtain money from the ATM safe or to copy the details of users' bank cards (also known as skimming). Experts said that 85 percent of the ATMs they tested allowed an attacker access to the network. The research team did this by either unplugging and tapping into Ethernet cables, or by spoofing wireless connections or devices to which the ATM usually connects. Researchers said that 27 percent of the tested ATMs were vulnerable to having their processing center communications spoofed, while 58 percent of tested ATMs had vulnerabilities in their network components or services that could be exploited to control the ATM remotely. -
Microsoft is Testing Ads in Mail App For Windows 10 in Select Markets (betanews.com)
Mark Wilson writes: Ads in your inbox. Sounds like something you'd expect from the likes of Google or Yahoo, but Microsoft appears to be about to get in on the act as well. And we're not talking about online ads in your Outlook.com account -- we're talking about ads in the Mail app that's included with Windows 10. A new report says that Microsoft is currently testing ads with Windows Insiders, so it could be just a matter of time before they spread wider. In a support page, spotted first by news outlet Thurrott, Microsoft says, "Consistent with consumer email apps and services like Outlook.com, Gmail, and Yahoo Mail, advertising allows us to provide, support, and improve some of our products. We're always experimenting with new features and experiences. Currently, we have a pilot running in Brazil, Canada, Australia, and India to get user feedback on ads in Mail."
Update: ZDNet reports that Calendar app for Windows 10 is getting the same treatment. -
Many Free Mobile VPN Apps Are Based In China Or Have Chinese Ownership
A new study has found that more than half of the top free mobile VPN apps returned by Play Store and App Store searches are from developers based in China or with Chinese ownership, raising serious concerns about data privacy. "Our investigation uncovered that over half of the top free VPN apps either had Chinese ownership or were actually based in China, which has aggressively clamped down on VPN services over the past year and maintains an iron grip on the internet within its borders," said Simon Migliano, Head of Research at Metric Labs, a company that runs the Top10VPN portal. ZDNet reports: The researcher says he analyzed the top 20 free VPN apps that appear in searches for VPN apps on the Google and Apple mobile app stores, for both the US and UK locales. He says that 17 of the 30 apps he analyzed (10 apps appeared on both stores) had formal links to China, either being a legally registered Chinese entity or having Chinese ownership, based on business registration and shareholder information Migliano shared with ZDNet.
The expert says that 86 percent of the apps he analyzed had "unacceptable privacy policies." For example, some apps didn't say if they logged traffic, some apps appeared to use generic privacy policies that didn't even mention the term VPN, while some apps didn't feature a privacy policy at all. On top of this, other apps admitted in their policies to sharing data with third parties, tracking users, and sending and sharing data with Chinese third parties. Almost half of the free VPN apps also appeared to treat the privacy policy as a joke, with some hosting the policy as a plain text file on Pastebin, AWS servers, or raw IP addresses, with no domain name. In addition, 64 percent of the apps also didn't bother setting up a dedicated website for their VPN service, operating strictly from the Play Store. -
Researchers Discover Seven New Meltdown and Spectre Attacks (zdnet.com)
A team of nine academics has revealed today seven new CPU attacks. The seven impact AMD, ARM, and Intel CPUs to various degrees. From a report: Two of the seven new attacks are variations of the Meltdown attack, while the other five are variations on the original Spectre attack -- two well-known attacks that were revealed at the start of the year and found to impact CPU models going back to 1995. Researchers say they discovered the seven new CPU attacks while performing "a sound and extensible systematization of transient execution attacks" -- a catch-all term the research team used to describe attacks on the various internal mechanisms that a CPU uses to process data, such as the speculative execution process, the CPU's internal caches, and other internal execution stages. The research team says they've successfully demonstrated all seven attacks with proof-of-concept code. Experiments to confirm six other Meltdown attacks did not succeed, according to a graph published by the researchers. Update: In a statement to Slashdot, an Intel spokesperson said, "the vulnerabilities documented in this paper can be fully addressed by applying existing mitigation techniques for Spectre and Meltdown, including those previously documented here, and elsewhere by other chipmakers. Protecting customers continues to be a critical priority for us and we are thankful to the teams at Graz University of Technology, imec-DistriNet, KU Leuven, & the College of William and Mary for their ongoing research." -
Microsoft Resumes Rollout of Windows 10 Version 1809, Promises Quality Changes (zdnet.com)
Microsoft on Wednesday resumed the rollout of Windows 10 version 1809. The re-release of the so-called October 2018 Update comes more than five weeks after the company pulled the original installation files from its download servers and stopped its scheduled delivery through Windows Update. From a report: In a blog post, Microsoft's John Cable, the director of Program Management for Windows Servicing and Delivery, says the data-destroying bug that triggered that unprecedented decision, as well as other quality issues that emerged during the unscheduled hiatus, have been "thoroughly investigated and resolved." -
The Next Version of HTTP Won't Be Using TCP (zdnet.com)
"The HTTP-over-QUIC experimental protocol will be renamed to HTTP/3 and is expected to become the third official version of the HTTP protocol, officials at the Internet Engineering Task Force (IETF) have revealed," writes Catalin Cimpanu via ZDNet. "This will become the second Google-developed experimental technology to become an official HTTP protocol upgrade after Google's SPDY technology became the base of HTTP/2." From the report: HTTP-over-QUIC is a rewrite of the HTTP protocol that uses Google's QUIC instead of TCP (Transmission Control Protocol) as its base technology. QUIC stands for "Quick UDP Internet Connections" and is, itself, Google's attempt at rewriting the TCP protocol as an improved technology that combines HTTP/2, TCP, UDP, and TLS (for encryption), among many other things. Google wants QUIC to slowly replace both TCP and UDP as the new protocol of choice for moving binary data across the Internet, and for good reason, as tests have shown that QUIC is both faster and more secure because of its encrypted-by-default implementation (the current HTTP-over-QUIC protocol draft uses the newly released TLS 1.3 protocol).
In a mailing list discussion last month, Mark Nottingham, Chair of the IETF HTTP and QUIC Working Group, made the official request to rename HTTP-over-QUIC as HTTP/3 and pass its development from the QUIC Working Group to the HTTP Working Group. In the subsequent discussions, which stretched over several days, Nottingham's proposal was accepted by fellow IETF members, who gave their official seal of approval that HTTP-over-QUIC become HTTP/3, the next major iteration of the HTTP protocol, the technology that underpins today's World Wide Web. -
The Real Reason Palmer Luckey Was Fired From Facebook (zdnet.com)
ZDNet's Steven J. Vaughan-Nichols argues that the founder of Oculus, Palmer Luckey, wasn't fired because of his political views, as a recently-published Wall Street Journal article suggests, but because the virtual-reality company lost a $500 million intellectual property theft case to game maker ZeniMax. An anonymous reader shares the report: According to The Wall Street Journal, Palmer Luckey, the founder of Oculus, a virtual reality company, was fired by Facebook because "he donated $10,000 to an anti-Hillary Clinton group" during the 2016 U.S. Presidential campaign. But the article fails to mention a simple little fact: On Feb. 1, 2017, Oculus lost an intellectual property (IP) theft case against game maker ZeniMax, to the tune of $500 million. So, if one of your employees just cost your company a cool half-billion bucks for doing wrong what would you do? Well, Facebook isn't saying, even now, but on March 30, 2017, it let Luckey go.
Yes, Luckey also lied about his political moves, which went well beyond donating to an anti-Hillary billboard campaign. But let's look at the record. Everyone knew he'd lied by Feb. 22, 2016. Was he fired then? No. Was he fired after being found guilty of stealing ZeniMax's trade secrets? Yes. Officially, Facebook stated: "All details associated with specific personnel matters are kept strictly confidential. This is our policy for all employees, no matter their seniority. But we can say unequivocally that Palmer's departure was not due to his political views." Let me spell it out for you: He made some political waves. Nothing happened. He cost Facebook $500 million. He was fired. Can anyone here seriously not draw the lines between the dots? -
Deserialization Issues Also Affect Ruby -- Not Just Java, PHP, and .NET (zdnet.com)
An anonymous reader writes: The Ruby programming language is impacted by a similar "deserialization issue" that has affected and wreaked havoc in the Java ecosystem in 2016; an issue that later also proved to be a problem for .NET and PHP applications as well. Researchers published proof-of-concept code this week showing how to exploit serialization/deserialization operations supported by the built-in features of the Ruby programming language itself.
"Versions 2.0 to 2.5 are affected," researchers said. "There is a lot of opportunity for future work including having the technique cover Ruby versions 1.8 and 1.9 as well as covering instances where the Ruby process is invoked with the command line argument --disable-all," the elttam team added. "Alternate Ruby implementations such as JRuby and Rubinius could also be investigated."
The deserialization issues can be used for remote code execution and taking over vulnerable servers. While .NET and PHP were affected, it was Java that until now has faced the biggest issues with deserialization, with Oracle announcing earlier this year that it was dropping deserialization support from the Java language's standard package. -
Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit (zdnet.com)
"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account for."
The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.
Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."
"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor." -
As Windows Becomes a Service, Microsoft Needs To Be Transparent About Issues With That Service To Customers. In Recent Weeks, It Has Failed Miserably at That. (zdnet.com)
Veteran technology columnist Ed Bott writes: "Windows as a service" sounded like a good idea in 2015, when Microsoft released Windows 10. But after a terrible October, Microsoft's Windows 10 problems continued in November. Yesterday, an unknown number of devices running Windows 10 suddenly lost their activation status; the owners of those devices were told that they no longer had a valid digital license and were running a "non-genuine copy of Windows." Those activation problems are now apparently resolved, but Microsoft hasn't offered an explanation or an apology. A company spokesperson declined to provide any additional details.
[...] In the Windows-as-a-service era, it's perfectly understandable that problems will occasionally crop up. But customers have a right to expect prompt, accurate notification when those problems occur, and Microsoft is failing badly in that responsibility. For its enterprise customers, Microsoft long ago realized the need for timely and accurate status updates. If your organization is experiencing a problem with Office 365, there's a Service Status dashboard where you can find out what's wrong. Microsoft Azure customers have a similar Azure status dashboard and can even check the resolution of previous problems on the Azure status history page. Windows 10 customers have no similar resources. -
Cisco Removed Its Seventh Backdoor Account This Year, and That's a Good Thing (zdnet.com)
An anonymous reader quotes a report from ZDNet: Cisco, the world's leading provider of top networking equipment and enterprise software, has released today 15 security updates, including a fix for an issue that can be described as a backdoor account. This latest patch marks the seventh time this year when Cisco has removed a backdoor account from one of its products. Five of the seven backdoor accounts were discovered by Cisco's internal testers, with only CVE-2018-0329 and this month's CVE-2018-15439 being found by external security researchers. The company has been intentionally and regularly combing the source code of all of its software since December 2015, when it started a massive internal audit. Cisco started that process after security researchers found what looked to be an intentional backdoor in the source code of ScreenOS, the operating system of Juniper, one of Cisco's rivals.
Juniper suffered massive reputational damage following the 2015 revelation, and this may secretly be the reason why Cisco has avoided using the term "backdoor account" all year for the seven "backdoor account" issues. Instead, Cisco opted for more complex wordings such as "undocumented, static user credentials for the default administrative account," or "the affected software enables a privileged user account without notifying administrators of the system." It is true that using such phrasings might make Cisco look disingenuous, but let's not forget that Cisco has been ferreting out these backdoor accounts mainly on its own, and has been trying to fix them without scaring customers or impacting its own stock price along the way. -
A Bug in Steam, Which Was Recently Patched, Could Have Given Users Access To Activation Key of Any Game (zdnet.com)
A Ukrainian vulnerability researcher has found a bug that would have allowed him to download all the activation keys (also known as CD keys) made available through the Steam gaming platform, for any game, ever. From a report: Discovered by Artem Moskowsky, the bug resided in Steamworks, a platform that Valve runs to help developers with building and publishing games via its Steam gaming client. Moskowsky found the bug in a Steam web API located at partner.steamgames.com/partnercdkeys/assignkeys/. This is the API that lets game developers or affiliates retrieve CD keys made available to Steam users so their customers can activate a game installed via the Steam client. This API is accessible using a regular Steam account and takes several parameters, but the ones most relevant are appid (representing the game), keyid (representing the identifier of a set of CD keys), and keycount (representing the number of CD keys that Steam needs to return inside a CD key set). -
US Cyber Command Starts Uploading Foreign APT Malware To VirusTotal (zdnet.com)
The Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM), set in motion a new initiative this week through which the DOD would share malware samples it discovered on its networks with the broader cybersecurity community. From a report: The CNMF kicked off this new project by creating an account on VirusTotal, an online file scanning service that also doubles as an online malware repository, and by uploading two malware samples. -
Microsoft's Cortana Boss Javier Soltero Is Leaving the Company
Corporate Vice President of Cortana Javier Soltero is leaving the company after being in charge of Cortana for less than a year. "Soltero joined Microsoft when, at the end of 2014, it bought Acompli, a mobile mail startup in San Francisco which he co-founded and led," reports ZDNet. "After joining Microsoft four years ago, Soltero spearheaded Outlook Mobile, then all of Outlook." Before being appointed to run Cortana in March of this year, he was the head of strategy for Office. From the report: Last month, Microsoft officials confirmed that Cortana was one of the technologies that management was moving from AI + Research to the Experiences & Devices team, which is under Executive Vice President Rajesh Jha. Microsoft is in the midst of trying to reposition Cortana from a standalone digital assistant to more of an assistance aide. Given the strong focus on home and work productivity by the Microsoft 365 and Office teams, officials seemingly decided it made sense for Cortana to be situated in that group.
I've heard Soltero is going to go back to doing entrepreneurial activities once he leaves by year-end. Perry Clarke is going to be working with Soltero on transition plans in the next couple of months, sources are telling me. Clarke has been with Microsoft engineering since 1996, when he led Exchange. He also has been a Microsoft Distinguished Engineer for the past several years. I've heard talk that Microsoft ultimately is looking to bring Cortana and Search together into a single engineering team. -
Oracle Says China Telecom Has Misdirected Internet Traffic, Including Out of the US, in Recent Years (zdnet.com)
Oracle's Internet Intelligence division has confirmed today the findings of a recently published academic paper that accused China of "hijacking the vital internet backbone of western countries." From a report: The research paper was authored by researchers from the US Naval War College and Tel Aviv University and it made quite a few waves online after it was published. Researchers accused China Telecom, one of China's biggest state-owned internet service providers, of hijacking and detouring internet traffic through its normally-closed internet infrastructure. Some security experts contested the research paper's findings because it didn't come from an authoritative voice in the world of internet BGP hijacks, but also because the paper touched on many politically sensitive topics, such as China's cyber-espionage activities and how China used BGP hijacks as a way to circumvent the China-US cyber pact of 2015. But today, Doug Madory, Director of Oracle's Internet Analysis division (formerly Dyn), confirmed that China Telecom has, indeed, engaged in internet traffic "misdirection." "I don't intend to address the paper's claims around the motivations of these actions," said Madory. "However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years." -
Flaws in Self-Encrypting SSDs Let Attackers Bypass Disk Encryption (zdnet.com)
An anonymous reader writes: Researchers have found flaws that can be exploited to bypass hardware encryption in well known and popular SSD drives. Master passwords and faulty standards implementations allow attackers access to encrypted data without needing to know the user-chosen password.
SSDs from Micron (Crucial) and Samsung are affected. These are SSDs that support hardware-level encryption via a local built-in chip, separate from the main CPU. Some of these devices have a factory-set master password that bypasses the user-set password, while other SSDs store the encryption key on the hard drive, from where it can be retrieved. The issue is worse on Windows, where BitLocker defers software-level encryption to hardware encryption-capable SSDs, meaning user data is vulnerable to attacks without the user's knowledge. More in the research paper. -
Microsoft Working on Porting Sysinternals To Linux (zdnet.com)
An anonymous reader writes: A Microsoft exec confirmed yesterday that the company's engineers are working on porting the highly popular Sysinternals software package to Linux. Microsoft engineers have already ported the ProcDump utility and are currently working on porting ProcMon as well. More tools are to follow.
Microsoft's decision to port this highly popular debugging toolkit to Linux comes two months after Scott Guthrie, Microsoft's executive vice president of the cloud and enterprise group, revealed in September that "sometimes slightly over half of Azure VMs are Linux." With Linux's growing adoption as the preferred OS for running Azure VMs, it's only natural that Azure engineers are now looking into porting their favorite debugging utilities to Linux, both for themselves and for the company's customers. -
iRobot, Google Team Up To Understand Your Smart Home (zdnet.com)
iRobot and Google are looking for ways to integrate the Roomba-maker's home maps with Google Assistant to extend instructions to other gadgets. "The collaboration centers on iRobot's Roomba i7+ vacuum models' ability to map home floor plans and remember room names," notes TechCrunch. From the report: As it is, Google Home users or anyone with Google Assistant can give a voice command like, "Hey Google, clean the kitchen," and a Roomba carries out the task. The integration supports the task across multiple rooms that have been assigned a name, such as the bedroom, living room, and other named areas. According to iRobot, the home-mapping data could also be used to make it easier to set up new smart home gadgets and create new ways to automate the home.
In a statement to The Verge, Google said iRobot's maps could help locate wifi-connected lights and automatically assign names and locations to them within the house. Google stressed that Assistant only learns the names people have given to areas in the home so it can then instruct Roomba i7+ to go to that area. Google doesn't receive information about the layout of the home. Colin Angle, chairman and CEO of iRobot, told the publication that the partnership could help users in future tell Assistant to control other smart home gadgets using the same naming and location information used by the Roomba. -
Slashdot Asks: Are DevOps, Agile, and Lean IT the Same Thing? (zdnet.com)
ZDNet writes: There have been three great movements shaping the information technology landscape. There is Agile, which emphasizes collaboration in software development; Lean IT, which promotes delivering software faster, better and cheaper; and DevOps, which seeks to align software development with continuous delivery...
These three movements have their own advocates, methodologies and terminology. But when you think about Agile, Lean IT and DevOps, aren't these all the same thing, essentially? They all have the same goal, which is to deliver high-quality software on a continuous basis, collaboratively. Is it time to chuck the terminology and semantics and bring these three activities under the same roof?
Their article cites "advocates" -- two authors who have both written books about Lean IT -- who are pushing for the concepts to all be brought together into a single mold. But it'd be interesting to get some opinions and real-world anecdotes from Slashdot's readers. So leave your own thoughts in the comments.
Are DevOps, Agile, and Lean IT the same thing? -
Intel CPUs Impacted by New PortSmash Side-Channel Vulnerability (zdnet.com)
Intel processors are impacted by a new vulnerability that can allow attackers to leak encrypted data from the CPU's internal processes. From a report: The new vulnerability, which has received the codename of PortSmash, has been discovered by a team of five academics from the Tampere University of Technology in Finland and the Technical University of Havana, Cuba. Researchers have classified PortSmash as a side-channel attack. In computer security terms, a side-channel attack describes a technique used for leaking encrypted data from a computer's memory or CPU, which works by recording and analyzing discrepancies in operation times, power consumption, electromagnetic leaks, or even sound to gain additional info that may help break encryption algorithms and recover the CPU's processed data. Researchers say PortSmash impacts all CPUs that use a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computing threads to be executed simultaneously on a CPU core. [...] Researchers say they've already confirmed that PortSmash impacts Intel CPUs which support the company's Hyper-Threading (HT) technology, Intel's proprietary implementation of SMT. -
Bleedingbit Zero-Day Chip Flaws May Expose Majority of Enterprises To Remote Code Execution Attacks (zdnet.com)
Two new zero-day vulnerabilities called "Bleeding Bit" have been revealed by security firm Armis, impacting Bluetooth Low-Energy (BLE) chips used in millions of Cisco, Meraki, and Aruba wireless access points (APs). "Developed by Texas Instruments (TI), the vulnerable BLE chips are used by roughly 70 to 80 percent of business wireless access points today by way of Cisco, Meraki and Aruba products," reports ZDNet. From the report: The first vulnerability, CVE-2018-16986, impacts Cisco and Meraki APs using TI BLE chips. Attackers can remotely send multiple benign BLE broadcast messages, called "advertising packets," which are stored in the memory of the vulnerable chip. As long as a target device's BLE is turned on, these packets -- which contain hidden malicious code to be invoked later on -- can be used together with an overflow packet to trigger an overflow of critical memory. If exploited, attackers are able to trigger memory corruption in the chip's BLE stack, creating a scenario in which the threat actor is able to access an operating system and hijack devices, create a backdoor, and remotely execute malicious code.
The second vulnerability, CVE-2018-7080, is present in the over-the-air firmware download (OAD) feature of TI chips used in Aruba Wi-Fi access point Series 300 systems. The vulnerability is technically a leftover development backdoor tool. This oversight, the failure to remove such a powerful development tool, could permit attackers to compromise the system by gaining a foothold into a vulnerable access point. "It allows an attacker to access and install a completely new and different version of the firmware -- effectively rewriting the operating system of the device," the company says. "The OAD feature doesn't offer a security mechanism that differentiates a 'good' or trusted firmware update from a potentially malicious update." -
CIA Vault7 Leaker To Be Charged For Leaking More Classified Data While in Prison (zdnet.com)
US prosecutors are preparing new charges against a former CIA coder who was indicted earlier this year in June for leaking classified CIA material to WikiLeaks, in what later became known as the Vault7 leaks. From a report: According to new court documents filed late Wednesday, October 31, US prosecutors plan to file three new charges against Joshua Schulte for allegedly leaking more classified data while in detention at the New York Metropolitan Correctional Center (MCC). Prosecutors say they first learned of Schulte's behavior back in May, when they found out that "Schulte had distributed the Protected Search Warrant Materials to his family members for purposes of dissemination to other third parties, including members of the media." The prosecution held a court hearing in May and initially warned the suspect about his actions, a warning they found Schulte ignored. The US government says that "in or about early October 2018, the Government learned that Schulte was using one or more smuggled contraband cellphones to communicate clandestinely with third parties outside of the MCC." A search of his housing unit performed by FBI agents revealed "multiple contraband cellphones (including at least one cellphone used by Schulte that is protected with significant encryption); approximately 13 email and social media accounts (including encrypted email accounts); and other electronic devices." -
Google Won't Let You Sign In If You Disabled JavaScript In Your Browser (zdnet.com)
An anonymous reader quotes a report from ZDNet: Google announced today four new security features for securing Google accounts. These four updates are meant to bolster protections before and after users sign into accounts, but also in the case of recovering after a hack. According to Google's Jonathan Skelker, the first of these protections that Google has rolled out today comes into effect even before users start typing their username and password. In the coming future, Skelker says that Google won't allow users to sign into accounts if they disabled JavaScript in their browser. The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected. This change is likely to impact only a very small number of users -- around 0.01 percent according to Google's data -- but it will likely impact bots harder, as many of them run through headless browsers where this feature is turned off for performance reasons. Google also plans to pull data from Google Play Protect and list all malicious apps that are still installed on a user's Android smartphone. Google's Jonathan Skelker says they will be notifying you "whenever you share any data from your Google Account," expanding on the notifications it sends when you've granted access to sensitive information, like Gmail data or your Google Contacts.
"Last but not least is a security feature that Google plans to use after an account hack," reports ZDNet. "This feature is already live and is a new set of procedures for regaining access and re-securing compromised profiles. The procedure is detailed in this Google support page, and besides just helping users regain access to accounts, it will also help them check financial activity related to Google Pay accounts, review new files added to Gmail or Drive, and secure other accounts at other services that are tied to the main Google account." -
Can a Robot Learn a Language the Way a Child Does? (zdnet.com)
MIT researchers have devised a way to train semantic parsers by mimicking the way a child learns language. "The system observes captioned videos and associates the words with recorded actions and objects," ZDNet reports, citing the paper presented this week. "It could make it easier to train parsers, and it could potentially improve human interactions with robots." From the report: To train their parser, the researchers combined a semantic parser with a computer vision component trained in object, human and activity recognition in video. Next, they compiled a dataset of about 400 videos depicting people carrying out actions such as picking up an object or walking toward an object. Participants on the crowdsourcing platform Mechanical Turk wrote 1,200 captions for those videos, 840 of which were set aside for training and tuning. The rest were used for testing. By associating the words with the actions and objects in a video, the parser learns how sentences are structured. With that training, it can accurately predict the meaning of a sentence without a video. -
Google Launches reCAPTCHA v3 That Detects Bad Traffic Without User Interaction (zdnet.com)
Google has pushed an update to its reCAPTCHA technology that the company has been offering since 2007 to fight off bots on the world wide web. From a report: reCAPTCHA v3, as the new version has been branded, is a complete overhaul of the reCAPTCHA technology that we know and... most of the time hate. The good news is that the new system does not require any user interaction anymore. Gone are the days of reCAPTCHA v1 when everyone was trying to decipher garbled text, and gone are the days of v2 when everyone was getting annoyed at clicking on endless image streams of "store fronts," "roads," and "cars" for up to 2-3 minutes. Instead, reCAPTCHA v3 will use a secret new Google proprietary technology to learn a website's normal traffic and user behavior. Google says that by observing how regular users interact with the website and its sections, it would be able to detect abnormalities and detect bots or undesirable actions. -
US Bans Exports To Chinese DRAM Maker Citing National Security Risk (zdnet.com)
An anonymous reader quotes a report from ZDNet: The Trump administration on Monday announced it was banning U.S. exports to a Chinese semiconductor firm named Fujian Jinhua Integrated Circuit Company, citing national security concerns. In a statement released by the U.S. Department of Commerce (DoC), officials said the Chinese chipmaker posed "a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States." DoC officials are now barring US companies from selling any products to Fujian Jinhua, which was recently nearing completion of a new dynamic random access memory (DRAM) factory project. "When a foreign company engages in activity contrary to our national security interests, we will take strong action to protect our national security. Placing Jinhua on the Entity List will limit its ability to threaten the supply chain for essential components in our military systems," said Wilbur Ross, Secretary of Commerce. -
Windows Defender Becomes First Antivirus To Run Inside a Sandbox (zdnet.com)
An anonymous reader writes: Windows Defender is the first antivirus to gain the ability to run inside a sandbox environment, Microsoft said in an announcement. In software design, a "sandbox" is a security mechanism that works by separating a process inside a tightly controlled area of the operating system that gives that process access to limited disk and memory resources. The idea is to prevent bugs and exploit code from spreading from one process to another, or to the underlying OS.
"We're in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation," Microsoft said in a celebratory blog post. Users who can't wait until Microsoft finishes testing the feature can also enable it right now. Support for Windows Defender running inside a sandbox environment has been silently added since Windows 10 version 1703. To enable it right now, Windows 10 users can follow these steps. -
Chinese Smartphone Maker Xiaomi Completes Its 2018 Goal of Shipping 100 Million Units of Phones (zdnet.com)
Chinese smartphone maker Xiaomi has shipped 100 million units of phones as of October 26, completing its annual target more than two months ahead of its original plan, Xiaomi's founder and CEO Lei Jun announced on the company's Sina Weibo account. ZDNet: The smartphone brand, currently sitting behind Huawei and Oppo in China, is reporting a better sales result this year. It only shipped 70 million smartphones for the first 10 months in 2017, though it nevertheless also completed its shipment target for last year ahead of time, according to Lei's Sina Weibo post in November 2017. The 100 million shipment benchmark set in less than 10 months this year is also higher than the full-year shipment result of Xiaomi, which shipped a total of 90 million mobile handsets last year. -
Twelve Malicious Python Libraries Found and Removed From PyPI (zdnet.com)
An anonymous reader writes: A software security engineer has identified 12 Python libraries uploaded on the official Python Package Index (PyPI) that contained malicious code. The 12 packages used typo-squatting in the hope that a user would install them by accident or carelessness when doing a "pip install" operation and mistyping the name of a more popular package, like Django (ex: diango).
Eleven libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations. A twelfth package, named "colourama," was financially motivated and hijacked an infected user's operating system clipboard, where it would scan every 500ms for a Bitcoin address-like string, which it would replace with the attacker's own Bitcoin address in an attempt to hijack Bitcoin payments/transfers made by an infected user.
54 users downloaded that package -- although all 12 malicious packages have since been taken down.
Four of the packages were misspellings of django -- diango, djago, dajngo, and djanga. -
Cathay Pacific Data Breach Hits 9.4 Million People (zdnet.com)
An anonymous reader quotes a report from ZDNet: Hong Kong-based airline Cathay Pacific informed the Hong Kong stock exchange of a data breach late on Wednesday night that could affect 9.4 million people. In a notice, the airline said it would reach out to members of its Marco Polo Club, Asia Miles, and registered users. Otherwise, people who are worried about whether they have been hit should fill in an enquiry form. Cathay said that passenger details including name, nationality, date of birth, phone number, email address, passport number, identity card number, frequent flyer membership number, customer service remarks, and historical travel information could have been accessed. In its statement [PDF] to the exchange, Cathay said 860,000 passport numbers and approximately 245,000 Hong Kong identity card numbers were accessed. A small number of credit card numbers, 403 in total, were accessed, as well as 27 cards with no CVV. Don't worry, the airline is "offering ID monitoring services" and "free credit monitoring services" to those impacted... -
Russia Is Behind Cyberattack On Saudi Petrochemical Plant, Researchers Say (zdnet.com)
U.S. researchers from FireEye have linked a Russian research lab to a cyberattack on a Saudi petrochemical plant. The malware strain called Triton -- or Trisis -- "was designed to either shut down a production process or allow SIS-controlled machinery to work in an unsafe state," reports ZDNet, citing technical reports from FireEye, Dragos, and Symantec. From the report: The group behind the malware, which FireEye has been tracking under the codename of TEMP.Veles, nearly succeeded last year, when it almost caused an explosion at a Saudi petrochemical plant owned by Tasnee, a privately owned Saudi company, according to a New York Times report. The malware's origins were a mystery when FireEye first discovered Triton in 2017 and remained a mystery even after the New York Times report in March 2018.
But in a report published today, FireEye says that following further research into incidents where the Triton malware was deployed, it can now assess with "high confidence" that the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a government-owned technical research institution located in Moscow, was involved in these attacks. FireEye's report does not link the Triton malware itself to CNIIHM, but the secondary malware strains used by TEMP.Veles and deployed during the incidents where Triton was deployed. Clues in these secondary malware strains used to aid the deployment of the main Triton payloads contained enough artifacts that allowed researchers to identify their source. -
Linus Torvalds is Back in Charge of Linux (zdnet.com)
At Open Source Summit Europe in Edinburgh, Scotland, Linus Torvalds is meeting with Linux's top 40 or so developers at the Maintainers' Summit. This is his first step back in taking over Linux's reins. From a report: A little over a month ago, Torvalds stepped back from running the Linux development community. In a note to the Linux Kernel Mailing List (LKML), Torvalds said, "I need to change some of my behavior, and I want to apologize to the people that my personal behavior hurt and possibly drove away from kernel development entirely. I am going to take time off and get some assistance on how to understand people's emotions and respond appropriately." That time is over. Torvalds is back.
Whether he'll be a kinder and gentler Torvalds remains to be seen. In the Linux 4.19 announcement, Greg Kroah-Hartman, Linux's temporary leader and maintainer of the stable branch, wrote: "Linus, I'm handing the kernel tree back to you. You can have the joy of dealing with the merge window :)" -
Windows 10 Will Banish Spectre Slowdowns With Google's Retpoline Patch (zdnet.com)
Microsoft is including Google's mitigation for the Spectre Variant 2 speculative execution side-channel attack in the next release of Windows 10, currently codenamed 19H1. ZDNet reports: Google developed a software-based mitigation for Spectre Variant 2 called Retpoline that constrains speculative execution behavior sufficiently to mitigate an attack. Google's testing found its fix had a negligible effect on performance. Retpoline was implemented by Linux distributions such as Red Hat and SUSE, as well as by Oracle for Oracle Linux 6 and 7. And now, as MSPoweruser spotted, Microsoft's kernel engineers have confirmed that Retpoline will be part of the next version of Windows 10, 19H1, which is due out next year. Google's Retpoline plus Microsoft's own kernel modifications have reduced the performance impact to "noise level", according to Mehmet Iyigun of Microsoft's Windows and Azure kernel team. "Yes, we have enabled Retpoline by default in our 19H1 flights along with what we call 'import optimization' to further reduce perf impact due to indirect calls in kernel-mode. Combined, these reduce the perf impact of Spectre v2 mitigations to noise-level for most scenarios," wrote Iyigun.
"The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet. -
Equifax Web Site Designer Fined $50,000 And Confined To Home Over Insider Trading (zdnet.com)
An anonymous reader writes: A 44-year-old, Georgia-based programmer -- who'd been working at Equifax since 2003 -- has been sentenced to eight months of home confinement and a $50,000 fine for insider trading. Working as Equifax's Production Development Manager of Software Engineering in August of 2017, he'd been asked to create a web site where customers could query a database to see if they were affected by a yet-to-be-announced security breach for a high-profile client. Guessing correctly that it was his own employer's breach, he'd used his wife's brokerage account to purchase $2,166.11 in "put" options betting that Equifax's stock price would tumble -- and when it did, he'd scored a hefty profit of $75,167.68.
"As part of his SEC settlement, he must also forfeit $75,979, the ill-gotten funds, plus interest," ZDNet reports, noting that the transactions "came to light after Equifax started internal investigations into several reported cases of employee insider trading." Another federal complaint also alleges that another Equifax executive avoided $117,000 in losses by selling all $1 million of his stock options -- the same day he'd performed a web search about how Experian's stock was affected by a 2015 security breach, but two weeks before Equifax's breach was announced. That case is still ongoing. -
Zero-Day In Popular jQuery Plugin Actively Exploited For At Least Three Years (zdnet.com)
Slashdot reader generic shares a report from ZDNet: For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned. The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan, most commonly known as Blueimp. The plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.
Earlier this year, Larry Cashdollar, a security researcher for Akamai's SIRT (Security Intelligence Response Team), discovered a vulnerability in the plugin's source code that handles file uploads to PHP servers. Cashdollar says that attackers can abuse this vulnerability to upload malicious files to servers, such as backdoors and web shells. The Akamai researcher says the vulnerability has been exploited in the wild. "I've seen stuff as far back as 2016," the researcher told ZDNet in an interview. The vulnerability was one of the worst kept secrets of the hacker scene and appears to have been actively exploited, even before 2016. Cashdollar found several YouTube videos containing tutorials on how one could exploit the jQuery File Upload plugin vulnerability to take over servers. One of three YouTube videos Cashdollar shared with ZDNet is dated August 2015. Thankfully, the CVE-2018-9206 identifier was pushed earlier this month to address this issue. "All jQuery File Upload versions before 9.22.1 are vulnerable," reports ZDNet. "Since the vulnerability affected the code for handling file uploads for PHP apps, other server-side implementations should be considered safe." -
Google Warns Apple: Missing Bugs in Your Security Bulletins Are 'Disincentive To Patch' (zdnet.com)
Apple has not documented some high-severity bugs it patched that were reported to it by Google's Project Zero researchers. From a report: While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed. This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years. Beer posted a blog about several vulnerabilities in iOS 7 he found in 2014 that share commonalities with several bugs he has found in iOS 11.4.1, some of which he's now released exploits for.
Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues. "Apple are still yet to assign CVEs for these issues or publicly acknowledge that they were fixed in iOS 12," wrote Beer. "In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were." -
Ubuntu Linux 18.10 'Cosmic Cuttlefish' Arrives (zdnet.com)
Ubuntu 18.10 Cosmic Cuttlefish, the latest version of Ubuntu, is now available to download. From a report: Under the hood, the Cosmic Cuttlefish boasts the 4.18 Linux kernel. This update comes with better support for AMD and Nvidia GPUs, USB Type-C and Thunderbolt, a way for unprivileged users to mount Filesystem in Userspace (FUSE) filesystems, and CPUfreq performance improvements. On top of this, you'll find the freshest version of GNOME, 3.30. You can, of course, use other desktops, but GNOME, since Ubuntu 17.10, is Ubuntu's default desktop. You'll be glad to know that GNOME is faster than it has been for a while. That's because some nasty memory leaks have been patched. Canonical has also added some performance tweaks that didn't make it into the GNOME 3.30 upstream. Ubuntu 18.10 also comes with a new desktop theme, the Yaru Community theme, installed by default for your visual enjoyment. Further reading: Ubuntu 18.10: What's New? [Video]; Ubuntu 18.10 Review; and Ubuntu 18.10 Flavors Released, Ready to Download. -
Researcher Finds Simple Way of Backdooring Windows PCs and Nobody Notices for Ten Months (zdnet.com)
A security researcher from Colombia has found a way of gaining admin rights and boot persistence on Windows PCs that's simple to execute and hard to stop -- all the features that hackers and malware authors are looking for from an exploitation technique. From a report: What's more surprising is that the technique was first detailed way back in December 2017, but despite its numerous benefits and ease of exploitation, it has received neither media coverage nor been seen employed in malware campaigns. Discovered by Sebastian Castro, a security researcher for CSL, the technique targets one of the parameters of Windows user accounts known as the Relative Identifier (RID). The RID is a code added at the end of account security identifiers (SIDs) that describes that user's permissions group. There are several RIDs available, but the most common ones are 501 for the standard guest account, and 500 for admin accounts.
Castro, with help from CSL CEO Pedro Garcia, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group. The technique does not allow a hacker to remotely infect a computer unless that computer has been foolishly left exposed on the Internet without a password. But in cases where a hacker has a foothold on a system -- via either malware or by brute-forcing an account with a weak password -- the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC. -
Chrome 70 Arrives With Option To Disable Linked Sign-Ins, PWAs On Windows, and AV1 Decoder (venturebeat.com)
Krystalo quotes a report from VentureBeat: Google today launched Chrome 70 for Windows, Mac, and Linux. The release includes an option to disable linking Google site and Chrome sign-ins, Progressive Web Apps on Windows, the ability for users to restrict extensions' access to a custom list of sites, an AV1 decoder, and plenty more. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. An anonymous Slashdot reader adds: "The most anticipated addition to today's release is a new Chrome setting panel option that allows users to control how the browser behaves when they log into a Google account," reports ZDNet. "Google added this new setting after the company was accused last month of secretly logging users into their Chrome browser accounts whenever they logged into a Google website." Chrome 70 also comes with support for the AV1 video format, TLS 1.3 final, per-site Chrome extension permissions, TouchID and fingerprint sensor authentication, the Shape Detection API (gives Chrome the ability to detect and identify faces, barcodes, and text inside images or webcam feeds), and, last but not least, 23 security fixes. -
US Voter Records From 19 States Are Being Sold on a Hacking Forum, Threat Intelligence Firms Say (zdnet.com)
Catalin Cimpanu, reporting for ZDNet: The voter information for approximately 35 million US citizens is being peddled on a popular hacking forum, two threat intelligence firms have discovered. "To our knowledge this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data," said researchers from Anomali Labs and Intel471, the two companies who spotted the forum ad.
The two companies said they've reviewed a sample of the database records and determined the data to be valid with a "high degree of confidence." Researchers say the data contains details such as full name, phone numbers, physical addresses, voting history, and other voting-related information. It is worth noting that some states consider this data public and offer it for download for free, but not all states have this policy. -
Microsoft To Disable TLS 1.0 and TLS 1.1 Support in Edge and Internet Explorer (zdnet.com)
Microsoft today said it plans to disable support for Transport Layer Security (TLS) 1.0 and 1.1 in Edge and Internet Explorer browsers by the first half of 2020. From a report: "January 19th of next year marks the 20th anniversary of TLS 1.0, the inaugural version of the protocol that encrypts and authenticates secure connections across the web," said Kyle Pflug, Senior Program Manager for Microsoft Edge. "Two decades is a long time for a security technology to stand unmodified," he said. "While we aren't aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1 [...] moving to newer versions helps ensure a more secure Web for everyone."
The move comes as the Internet Engineering Task Force (IETF) -- the organization that develops and promotes Internet standards -- is hosting discussions to formally deprecate both TLS 1.0 and 1.1. Microsoft is currently working on adding support for the official version of the recently-approved TLS 1.3 standard. Edge already supports draft versions of TLS 1.3, but not yet the final TLS 1.3 version approved in March this year. Microsoft engineers don't seem to be losing any sleep over their decision to remove both standards from Edge and IE. The company cites public stats from SSL Labs showing that 94 percent of the Internet's sites have already moved to using TLS 1.2, leaving very few sites on the older standard versions. "Less than one percent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1," Pflug said, also citing internal stats. You can check public stats on the usage of TLS 1.0 and 1.1 here. -
It Was Flat Sales That Helped Microsoft Become America's #5 PC Maker (arstechnica.com)
An anonymous reader quotes Ars Technica: Microsoft was the fifth-biggest PC maker in the U.S. in the third quarter of this year, according to industry advisory firm Gartner. The top spot in the U.S. belongs to HP, with about 4.5 million machines sold, ahead of Dell at 3.8 million, Lenovo at 2.3 million, and Apple at 2 million. The gap between fourth and fifth is pretty big -- Microsoft sold only 0.6 million Surface devices last quarter -- but it suggests that Microsoft's PC division is heading in the right direction, with sales 1.9 percent higher than the same quarter last year. The company pushed down to sixth place was Acer. The current quarter should be better still; the Surface Pro, Surface Laptop, and Surface Studio have all been given hardware refreshes which, when combined with the always-busy holiday season, should stimulate higher sales.
Globally, both Gartner and IDC reported a flat PC market (up 0.1 percent in Gartner's view, down 0.9 percent in IDC's), after the previous quarter's modest growth.
"The PC market continued to be driven by steady corporate PC demand, which was driven by Windows 10 PC hardware upgrades," said one Gartner analyst.
In defining what constitutes a PC, Gartner includes notebooks and "premium" ultramobile devices -- but does not include iPads or Chromebooks.