Slashdot Mirror

The race to exascale speed is getting a little more interesting with the introduction of HPE's Astra -- what will be the world's largest ARM-based supercomputer. From a report: HPE is building Astra for Sandia National Laboratories and the US Department of Energy's National Nuclear Security Administration (NNSA). The NNSA will use the supercomputer to run advanced modeling and simulation workloads for things like national security, energy, science and health care.

HPE is involved in building other ARM-based supercomputing installations, but when Astra is delivered later this year, "it will hands down be the world's largest ARM-based supercomputer ever built," Mike Vildibill, VP of Advanced Technologies Group at HPE, told ZDNet. The HPC system is comprised of 5,184 ARM-based processors -- the Thunder X2 processor, built by Cavium. Each processor has 28 cores and runs at 2 GHz. Astra will deliver over 2.3 theoretical peak petaflops of performance, which should put it well within the top 100 supercomputers ever built -- a milestone for an ARM-based machine, Vildibill said.

Steven J. Vaughan-Nichols, writing for ZDNet: The latest Intel revelation, Lazy FP state restore, can theoretically pull data from your programs, including encryption software, from your computer regardless of your operating system. Like its forebears, this is a speculative execution vulnerability. In an interview, Red Hat Computer Architect Jon Masters explained: "It affects Intel designs similar to variant 3-a of the previous stuff, but it's NOT Meltdown." Still, "it allows the floating point registers to be leaked from another process, but alas that means the same registers as used for crypto, etc." Lazy State does not affect AMD processors.

This vulnerability exists because modern CPUs include many registers (internal memory) that represent the state of each running application. Saving and restoring this state when switching from one application to another takes time. As a performance optimization, this may be done "lazily" (i.e., when needed) and that is where the problem hides. This vulnerability exploits "lazy state restore" by allowing an attacker to obtain information about the activity of other applications, including encryption operations. Further reading: Twitter thread by security researcher Colin Percival, BleepingComputer, and HotHardware.

On the heels of recent redesigns by Google and Apple, Microsoft is giving its Office apps a facelift over the coming months. From a report: Over the coming months, Microsoft will begin rolling out changes to the interface of Outlook, Word, Excel and PowerPoint for Office 365 and Office Online (Office.com) users. Key to the Office app redesign are an updated Ribbon, icon refreshes and new ways to more easily see changes coming to the Office suite. There's a simplified version of the Office Ribbon, which allows users to collapse it so it takes up less space and hides many options, or keep it expanded into the current three-line view. Microsoft is starting to roll out this new Ribbon in the web version of Word to "select consumer users today in Office.com." In July, Microsoft will also make this new Ribbon design available in Outlook for Windows. "We've found that the same ten commands are used 95% of the time by everybody," said Jon Friedman, General Manager of Design Management and Operations. In Outlook such as "Reply," "Reply All" and "Forward" are basically universal. But that other five percent is different for every person, so Microsoft is adding an option to remove commands from the Ribbon, such as Archive, for example, and pin others to it, such as "Reply by IM."

Microsoft has published a new draft document clarifying which security bugs will get a rapid fix and which it will let stew for a later release. From a report: The document outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update. Microsoft said in a blogpost the document is intended to offer researchers "better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them." The criteria revolve around two key questions: "Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?"; and, "Does the severity of the vulnerability meet the bar for servicing?" If the answer to both questions is 'yes', the bug will be patched in a security update, but if the answer to both is 'no', the vulnerability will be considered for the next version or release of the affected product or feature.

An anonymous reader quotes ZDNet: Vint Cerf notes that the world ran out of IPv4 address space around 2011, some 13 years after internet engineers started sketching out IPv6, under the belief back then that IPv4 addresses would run out imminently. Since 'World IPv6 Launch' on June 6, 2012, significant progress has been made. Back then just one percent of users accessed Google services over IPv6. Now roughly a quarter of users access Google over IPv6. But Cerf noted that "it's certainly been a long time since the standards were put in place, and it's time to get with the program"...

The Internet Society's snapshot of IPv6 in 2018 notes that Google reports that 49 countries deliver more than five percent of traffic over IPv6. There are also 24 countries where IPv6 traffic is greater than 15 percent, including the US, Canada, Brazil, Finland, India, and Belgium. Additionally, 17 percent of the top million Alexa sites work with IPv6, while 28 percent of the top 1,000 Alexa sites do. Enterprise operations are IPv6's "elephant in the room", according to the Internet Society. Around 25 percent of all internet-connected networks advertise IPv6 connectivity, and the Internet Society suspects that most of the networks that don't are enterprise networks.

The US Department of Energy on Friday unveiled Summit, a supercomputer capable of performing 200 quadrillion calculations per second, or 200 petaflops. Its performance should put it at the top of the list of the world's fastest supercomputers, which is currently dominated by China. From a report (thanks to reader cb_abq for the tip): Summit, housed at the Oak Ridge National Laboratory (ORNL), was built for AI. IBM designed a new heterogeneous architecture for Summit, which combines IBM POWER9 CPUs with Nvidia GPUs. It has approximately 4,600 nodes, with six Nvidia Volta Tensor Core GPUs per node -- that's more than 27,000. The last US supercomputer to top the list of the world's fastest was Titan, in 2012. ORNL, which houses Titan as well, says Summit will deliver more than five times the computational performance of Titan's 18,688 nodes.

The Welcome Rain shares a report from ZDNet: Microsoft officials have been talking to GitHub about possibly acquiring the company, according to a June 1 report in Business Insider. BI claims that the two have discussed the possibility of an acquisition on an on-and-off-again basis over the years "but in the last few weeks talks have grown more serious." BI is citing unnamed "people close to the companies" as its sources. "This isn't as surprising as it would have been ten or more years ago," writes The Welcome Rain. "Microsoft is investing a lot in git, including GVFS, a Git Virtual File System to help Git work with very large codebases. What might this mean for the future of Github?"

An anonymous reader writes: Tesla cars are powered not only by batteries but by open-source software. Until recently, though, Tesla hasn't lived up to its obligations under open-source licenses, but now Tesla is finally releasing some of its Linux source code for the Model S and X cars. The Tesla GitHub repository contains the code for the Model S/X 2018.12 software release. Specifically, it holds the system image on the Tesla Autopilot platform, the kernel sources for its underlying hardware, and the code for its Nvidia Tegra-based infotainment system.

Tesla will release additional open-source code for other systems in their cars soon. According to Tesla, "Work is underway on preparing sources in other areas as well, together with a more coordinated information page. We wanted to let you know about this material as it is available now while work continues on the other parts." The electric car thought-leader will also update its code as updated software releases are made.

The latest installment of Microsoft's browser battery challenge shows once again that Edge consumes less energy than Chrome and Firefox. From a report: With the Windows 10 April 2018 Update rolling out across the globe, Microsoft thinks it's once again time to square Edge up against Chrome and Firefox in a new battery-life test. Microsoft's browser experiment shows a time-lapse of "three identical devices, three different browsers, streaming one video." Firefox, Edge, and Chrome play what appears to be a Netflix video on three Surface Books. As usual, the Edge device lasts the longest, depleting the battery after 14 hours and 20 minutes. The Chrome device lasted 12 hours and 32 minutes, while the Firefox laptop ran out of steam after just seven hours and 15 minutes.

In its most recent reports, AV-Test had very few flattering things to say about Windows Defender. Microsoft's security suite was rated as the seventh best antivirus product in the independent test. In total, 15 AV products were tested. Microsoft, however, has now disputed AV-Test's methodology and conclusion. For some context, the top AV products rated by AV-Test on Windows 10 were Trend Micro, Vipre, AhnLab, Avira, Bitdefender, Kaspersky, and McAfee.

Windows Defender was able to detect 100 percent of new and old malware, but it lost few points for performance (which, AV-Test measures on the basis of how a security suite slows applications and websites on the test computer); and usability (which counts false-positives or instances where AV wrongly identifies a file as malicious.) From a report: Windows Defender's performance rating was dragged down because it slowed the installation of frequently used applications more than the industry average, and wrongly detected 16 pieces of legitimate software compared with the industry average of four. But Microsoft wants enterprise customers to know that Windows Defender is only half the picture, given the option for customers to also deploy Windows Defender Advanced Threat Protection's (ATP) "stack components" including Smartscreen, Application Guard, and Application Control.

In the January and February test Windows Defender also scored 100 percent on protection. However it did miss two samples. Since then it's retrained its machine-learning classifiers to detect them. But Microsoft notes in a new paper that Defender ATP did catch them, which isn't reflected in AV-Test's or other testing firms' result. Microsoft hopes to change this so that testers include so-called stack components available in ATP. "As threats become more sophisticated, Microsoft and other security platform vendors continue evolving their product capabilities to detect threats across different attack stages," Microsoft's Windows Defender Research team writes. "We hope to see independent testers evolve their methodologies as well. Our customers need greater transparency and optics into what an end-to-end solution can accomplish in terms of total preventive protection, including the quality of individual components like antivirus."

An anonymous reader writes: A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number, ZDNet reported Thursday. The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com, which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address.

Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone. The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.

At OpenStack Summit in Vancouver, Canada this week, Canonical CEO and Ubuntu Linux founder Mark Shuttleworth came out firing at two of his major enterprise OpenStack competitors: Red Hat and VMware. He claimed that Canonical OpenStack is a better deal than either Red Hat or VMware's OpenStack offerings. From a report: Shuttleworth opened quietly enough, saying, "Mission is to remove all the friction from deploying OpenStack. We can deliver OpenStack deployments with two people in less two weeks anywhere in the world." So far, so typical for a keynote speech. But, then Shuttleworth started to heat things up: "Amazon increased efficiency, so now everyone is driving down cost of infrastructure. Everyone engages with Ubuntu, not Red Hat or VMware. Google, IBM, Microsoft are investing and innovating to drive down the cost of infrastructure. Every single one of those companies works with Canonical to deliver public services."

Then, Shuttleworth got down to brass tacks: "Not one of them engages with VMware to offer those public services. They can't afford to. Clearly, they have the cash, but they have to compete on efficiencies, and so does your private cloud." So, Canonical is rolling rolling out a migration service to help users shift from VMware to a "fully managed" version of Canonical's Ubuntu OpenStack distribution. Customers want this, Shuttleworth said, because, "When we take out VMware we are regularly told that our fully managed OpenStack solution costs half of the equivalent VMware service."

Thanks to cloud computing, the Internet of Things and artificial intelligence, we should start to think of the planet as one giant computer, according to Microsoft chief executive Satya Nadella. From a report: "Digital technology, pervasively, is getting embedded in every place: every thing, every person, every walk of life is being fundamentally shaped by digital technology -- it is happening in our homes, our work, our places of entertainment," said Nadella speaking in London. "It's amazing to think of a world as a computer. I think that's the right metaphor for us as we go forward."

[...] AI is core to Microsoft's strategy, Nadella said: "AI is the run time which is going to shape all of what we do going forward in terms of applications as well as the platform." Microsoft is rethinking its core products by using AI to connect them together, he said, giving an example of a meeting using translation, transcription, Microsoft's HoloLens and other devices to improve decision-making. "The idea that you can now use all of the computing power that is around you -- this notion of the world as a computer -- completely changes how you conduct a meeting and fundamentally what presence means for a meeting," he said.

An anonymous reader quotes a report from ZDNet: A bug in Comcast's website used to activate Xfinity routers can return sensitive information on the company's customers. The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password. Two security researchers, Karan Saini and Ryan Stevenson, discovered the bug. Only a customer account ID and that customer's house or apartment number is needed -- even though the web form asks for a full address.

ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code -- which both customers confirmed. The site returned the Wi-Fi name and password -- in plaintext -- used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router -- and the site didn't return the Wi-Fi network name or password.

An anonymous reader quotes a report from ZDNet: At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children. The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed. But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.

"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," said a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their associated child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.

Long-time Slashdot reader CrtxReavr shares a report from ZDNet: Quantum computers will be able to instantly break the encryption of sensitive data protected by today's strongest security, warns the head of IBM Research. This could happen in a little more than five years because of advances in quantum computer technologies. "Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now," said Arvind Krishna, director of IBM Research... Quantum computers can solve some types of problems near-instantaneously compared with billions of years of processing using conventional computers... Advances in novel materials and in low-temperature physics have led to many breakthroughs in the quantum computing field in recent years, and large commercial quantum computer systems will soon be viable and available within five years...

In addition to solving tough computing problems, quantum computers could save huge amounts of energy, as server farms proliferate and applications such as bitcoin grow in their compute needs. Each computation takes just a few watts, yet it could take several server farms to accomplish if it were run on conventional systems.
The original submission raises another possibility. "What I wonder is, if encryption can be 'instantly broken,' does this also mean that remaining crypto-coins can be instantly discovered?"

"I asked Apple to give me all the data it's collected on me since I first became a customer in 2010," writes the security editor for ZDNet, "with the purchase of my first iPhone." That was nearly a decade ago. As most tech companies have grown in size, they began collecting more and more data on users and customers -- even on non-users and non-customers... Apple took a little over a week to send me all the data it's collected on me, amounting to almost two dozen Excel spreadsheets at just 5MB in total -- roughly the equivalent of a high-quality photo snapped on my iPhone. Facebook, Google, and Twitter all took a few minutes to an hour to send me all the data they store on me -- ranging from a few hundred megabytes to a couple of gigabytes in size...

The zip file contained mostly Excel spreadsheets, packed with information that Apple stores about me. None of the files contained content information -- like text messages and photos -- but they do contain metadata, like when and who I messaged or called on FaceTime. Apple says that any data information it collects on you is yours to have if you want it, but as of yet, it doesn't turn over your content which is largely stored on your slew of Apple devices. That's set to change later this year... And, of the data it collects to power Siri, Maps, and News, it does so anonymously -- Apple can't attribute that data to the device owner... One spreadsheet -- handily -- contained explanations for all the data fields, which we've uploaded here...

[T]here's really not much to it. As insightful as it was, Apple's treasure trove of my personal data is a drop in the ocean to what social networks or search giants have on me, because Apple is primarily a hardware maker and not ad-driven, like Facebook and Google, which use your data to pitch you ads.
CNET explains how to request your own data from Apple.

Yuriy Bulygin, the former head of Intel's advanced threat team, has published research showing that the Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems known as System Management Mode (SMM). ZDNet reports: Bulygin, who has launched security firm Eclypsium, has modified Spectre variant 1 with kernel privileges to attack a host system's firmware and expose code in SMM, a secure portion of BIOS or UEFI firmware. SMM resides in SMRAM, a protected region of physical memory that should only be accessible by BIOS firmware and not the operating system kernel, hypervisors or security software. SMM handles especially disruptive interrupts and is accessible through the SMM runtime of the firmware, knows as System Management Interrupt (SMI) handlers.

"Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (eg, hypervisor, operating system, or application)," Bulygin explains. To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Register (SMRR), a set or range registers that protect SMM memory. "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory," he notes.

Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug -- which the company confirmed and has since fixed -- filed anonymously to a public security disclosure list, detailed how anyone controlling Keeper's API server could gain access to the decryption key to a user's vault of passwords and other sensitive information. The researcher found the issue in the company's Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems.

According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.

Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug -- which the company confirmed and has since fixed -- filed anonymously to a public security disclosure list, detailed how anyone controlling Keeper's API server could gain access to the decryption key to a user's vault of passwords and other sensitive information. The researcher found the issue in the company's Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems.

According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.

Earlier this week, ZDNet shed some light on a company called LocationSmart that is buying your real-time location data from four of the largest U.S. carriers in the United States. The story blew up because a former police sheriff snooped on phone location data without a warrant, according to The New York Times. ZDNet is now reporting that the company "had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent." An anonymous reader shares an excerpt: "Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD. student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here." The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon. Xiao said the bug may have exposed nearly every cell phone customer in the U.S. and Canada, some 200 million customers.

The researcher said he started looking at LocationSmart's website following ZDNet's report this week, which followed from a story from The New York Times, which revealed how a former police sheriff snooped on phone location data without a warrant. The sheriff has pleaded not guilty to charges of unlawful surveillance. He said one of the APIs used in the "try" page that allows users to try the location feature out was not validating the consent response properly. Xiao said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent. "It's a surprisingly simple bug," he said.

Earlier this week, ZDNet shed some light on a company called LocationSmart that is buying your real-time location data from four of the largest U.S. carriers in the United States. The story blew up because a former police sheriff snooped on phone location data without a warrant, according to The New York Times. ZDNet is now reporting that the company "had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent." An anonymous reader shares an excerpt: "Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD. student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here." The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon. Xiao said the bug may have exposed nearly every cell phone customer in the U.S. and Canada, some 200 million customers.

The researcher said he started looking at LocationSmart's website following ZDNet's report this week, which followed from a story from The New York Times, which revealed how a former police sheriff snooped on phone location data without a warrant. The sheriff has pleaded not guilty to charges of unlawful surveillance. He said one of the APIs used in the "try" page that allows users to try the location feature out was not validating the consent response properly. Xiao said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent. "It's a surprisingly simple bug," he said.

Four of the largest cell giants in the US are selling your real-time location data to a company that you've probably never heard about before. ZDNet: In case you missed it, a senator last week sent a letter demanding the Federal Communications Commission (FCC) investigate why Securus, a prison technology company, can track any phone "within seconds" by using data obtained from the country's largest cell giants, including AT&T, Verizon, T-Mobile, and Sprint, through an intermediary, LocationSmart. The story blew up because a former police sheriff snooped on phone location data without a warrant, according The New York Times. The sheriff has pleaded not guilty to charges of unlawful surveillance.

Yet little is known about how LocationSmart obtained the real-time location data on millions of Americans, how the required consent from cell user owners was obtained, and who else has access to the data. Kevin Bankston, director of New America's Open Technology Institute, explained in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies, who then may disclose that same data to the government. He called that loophole "one of the biggest gaps in US privacy law. The issue doesn't appear to have been directly litigated before, but because of the way that the law only restricts disclosures by these types of companies to government, my fear is that they would argue that they can do a pass-through arrangement like this," he said. Further reading: The Tech Used To Monitor Inmate Calls Is Able To Track Civilians Too.

Four of the largest cell giants in the US are selling your real-time location data to a company that you've probably never heard about before. ZDNet: In case you missed it, a senator last week sent a letter demanding the Federal Communications Commission (FCC) investigate why Securus, a prison technology company, can track any phone "within seconds" by using data obtained from the country's largest cell giants, including AT&T, Verizon, T-Mobile, and Sprint, through an intermediary, LocationSmart. The story blew up because a former police sheriff snooped on phone location data without a warrant, according The New York Times. The sheriff has pleaded not guilty to charges of unlawful surveillance.

Yet little is known about how LocationSmart obtained the real-time location data on millions of Americans, how the required consent from cell user owners was obtained, and who else has access to the data. Kevin Bankston, director of New America's Open Technology Institute, explained in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies, who then may disclose that same data to the government. He called that loophole "one of the biggest gaps in US privacy law. The issue doesn't appear to have been directly litigated before, but because of the way that the law only restricts disclosures by these types of companies to government, my fear is that they would argue that they can do a pass-through arrangement like this," he said. Further reading: The Tech Used To Monitor Inmate Calls Is Able To Track Civilians Too.

The three biggest PC OEMs -- Dell, HP, and Lenovo -- are now offering AMD Ryzen PRO mobile and desktop accelerated processing units (APUs) with built-in Radeon Vega graphics in a variety of commercial systems. There are a total of seven new APUs -- three for the mobile space and four for the desktop. As AMD notes in its press release, the first desktops to ship with these latest chips include: the HP Elitedesk G4 and 285 Desktop, the Lenovo ThinkCentre M715, and the Dell Optiplex 5055. ZDNet's Adrian Kingsley-Hughes writes about what makes Ryzen PRO so appealing: Ryzen PRO has been built from the ground up to focus on three pillars -- power, security and reliability. Built-in security means integrated GuardMI technology, an AES 128-bit encryption engine, Windows 10 Enterprise Security support, and support for fTPM/TPM 2.0 Trusted Platform Module. One of the features of Ryzen PRO that AMD hopes will appeal to commercial users is the enterprise-grade reliability that the chips come backed with, everything from 18-moths of planned software availability, 24-months processor availability, a commercial-grade QA process, 36-moth warranty, and enterprise-class manageability.

There are no worries on the performance front either, with the Ryzen PRO with Vega Graphics being the world's fastest processor currently available for ultrathin commercial notebooks, with the AMD Ryzen 7 PRO 2700U offering up to 22 percent more productivity performance than Intel's 8th-generation Core i7-8550U in testing carried out by AMD. AMD has also designed the Ryzen PRO processors to be energy-efficient, enabling up to 16 hours of battery life in devices, or 10.5 hours of video playback. The Ryzen PRO with Vega Graphics desktop processors are also no slouches, opening up a significant performance gap when compared to Intel Core i5 8400 and Core i3 8100 parts. AMD also announced that it is sampling its second-generation Threadripper 2900X, 2920X and 2950X products. "For Threadripper Gen2 you can expect a refresh of the current line-up; an 8-core Threadripper 2900X, a 12-core Threadripper 2920X and of course a 16-core Threadripper 2950X," reports Guru3D.com. "AMD will apply the same Zen+ tweaks to the processors; including memory latency optimizations and higher clock speeds."

AMD has something for the datacenter enthusiasts out there too. Epyc, AMD's x86 server processor line based on the company's Zen microarchitecture, has a new promo video, claiming more performance, more security features, and more value than Intel Xeon. The company plans to market Epyc in an aggressive head-to-head format similar to how T-Mobile campaigns against Verizon and AT&T. Given Intel Xeon's 99% market share, they sort of have to...

An anonymous reader writes: The source code behind a police breathalyzer widely used in multiple states -- and millions of drunk driving arrests -- is under fire. It's the latest case of technology and the real world colliding -- one that revolves around source code, calibration of equipment, two researchers and legal maneuvering, state law enforcement agencies, and Draeger, the breathalyzer's manufacturer. This most recent skirmish began a decade ago when Washington state police sought to replace its aging fleet of breathalyzers. When the Washington police opened solicitations, the only bidder, Draeger, a German medical technology maker, won the contract to sell its flagship device, the Alcotest 9510, across the state. But defense attorneys have long believed the breathalyzer is faulty. Jason Lantz, a Washington-based defense lawyer, enlisted a software engineer and a security researcher to examine its source code. The two experts wrote in a preliminary report that they found flaws capable of producing incorrect breath test results. The defense hailed the results as a breakthrough, believing the findings could cast doubt on countless drunk-driving prosecutions.

Last year's massive data breach at Equifax should have been a wake-up call for the entire industry. But a year after the patches were released, some of the world's wealthiest companies are still using, or have since introduced the same flawed software. From a report: Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular web server software used across the Fortune 100 to provide web applications in Java. It's often used to power both front- and back-end applications -- including Equifax's public website. The bug used in the Equifax hack was fixed in March 2017, but Equifax never installed the patches. Since those patches were made available, data seen by ZDNet shows that least 10,800 companies downloaded vulnerable versions of the software. The data, provided by Sonatype, an open-source automation firm, shows that over half of the Fortune Global 100 are using vulnerable versions of the software. Although the firm wouldn't name the affected companies, a quarter of them are based in North America. The data showed that seven are tech giants, and 15 are financial services or insurance firms.

Wolfrider writes: Backblaze's hard drive report for the first quarter 2018 makes very interesting reading for anyone who is interested in hard drive performance and reliability. As of March 31, 2018, the company had 100,110 hard drives working for it, made up of 1,922 boot drives and 98,188 data drives, ranging from 3TB WDC WD30EFRX drives all the way up to 10TB and 12TB Seagate ST10000NM0086 and ST12000NM0007 drives, along with 10 Samsung 850 EVO SSDs. [...] The overall Annualized Failure Rate (AFR) for Q1 sat at just 1.2 percent, well below the Q4 2017 AFR of 1.65 percent. Some drives had an AFR of 0 percent (in other words, no drives failed during the period), while the 4TB Seagate ST4000DM000 had the highest AFR of 2.3 percent (out of 30,941 drives the company had in service, 178 failed during the Q1 period).

A coalition of Silicon Valley tech giants has doubled down on its criticism of encryption backdoors following a proposal that would give law enforcement access to locked and encrypted devices. From a report: The group, which focuses on efforts to reform government surveillance, said in a statement that it continues to advocate for strong encryption, and decried attempts to undermine the technology. "Recent reports have described new proposals to engineer vulnerabilities into devices and services -- but they appear to suffer from the same technical and design concerns that security researchers have identified for years," the statement read. The renewed criticism follows a lengthy Wired article, in which former Microsoft software chief Ray Ozzie proposed a new spin on key escrow. Device encryption has hampered police investigations, and law enforcement officials have pushed tech companies to fix the problem -- even by way of suing them.

A severe vulnerability in a widely used industrial control software could have been used to disrupt and shut down power plants and other critical infrastructure. From a report: Researchers at security firm Tenable found the flaw in the popular Schneider Electric software, used across the manufacturing and power industries, which if exploited could have allowed a skilled attacker to attack systems on the network. It's the latest vulnerability that risks an attack to the core of any major plant's operations at a time when these systems have become a greater target in recent years. The report follows a recent warning, issued by the FBI and Homeland Security, from Russian hackers. The affected Schneider software, InduSoft Web Studio and InTouch Machine Edition, acts as middleware between industrial devices and their human operators. It's used to automate the various moving parts of a power plant or manufacturing unit, by keeping tabs on data collection sensors and control systems. But Tenable found that a bug in that central software could leave an entire plant exposed.

GitHub has sent an email to some of its 27 million users alerting them of a bug that exposed some user passwords in plaintext. "During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system," said the email. "We have corrected this, but you'll need to reset your password to regain access to your account." ZDNet reports: The email said that a handful of GitHub staff could have seen those passwords -- and that it's "unlikely" that any GitHub staff accessed the site's internal logs. It's unclear exactly how this bug occurred. GitHub's explanation was that it stores user passwords with bcrypt, a stronger password hashing algorithm, but that the bug "resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset." "Rest assured, these passwords were not accessible to the public or other GitHub users at any time," the email said. GitHub said it "has not been hacked or compromised in any way."

In its first year, the Trump administration kept one little-known courtroom in the capital busy. From a report: A secretive Washington DC-based court that oversees the US government's foreign spy programs denied more surveillance orders during President Donald Trump's first year than in the court's 40-year history, according to newly released figures. Annual data published Wednesday by the US Courts shows that the Foreign Intelligence Surveillance (FISA) Court last year denied 26 applications in full, and 50 applications in part. That's compared to 21 orders between when the court was first formed in 1978 and President Barack Obama's final year in office in 2016.

An anonymous reader writes: Security researchers have built a master key that exploits a design flaw in a popular and widely used hotel electronic lock system, allowing unfettered access to every room in the building. The electronic lock system, known as Vision by VingCard and built by Swedish lock manufacturer Assa Abloy, is used in more than 42,000 properties in 166 countries, amounting to millions of hotel rooms -- as well as garages and storage units. These electronic lock systems are commonplace in hotels, used by staff to provide granular controls over where a person can go in a hotel -- such as their room -- and even restricting the floor that the elevator stops at. And these keys can be wiped and reused when guests check-out.

It turns out these key cards aren't as secure as first thought. F-Secure's Tomi Tuominen and Timo Hirvonen, who carried out the work, said they could create a master key 'basically out of thin air.' Any key card will do. Even old and expired, or discarded keys retain enough residual data to be used in the attack. Using a handheld device running custom software, the researchers can steal data off of a key card -- either using wireless radio-frequency identification (RFID) or the magnetic stripe. That device then manipulates the stolen key data, which identifies the hotel, to produce an access token with the highest level of privileges, effectively serving as a master key to every room in the building.

Atlanta is setting aside more than $2.6 million on recovery efforts stemming from a ransomware attack, which crippled a sizable part of the city's online services. ZDNet reports: The city was hit by the notorious SamSam ransomware, which exploits a deserialization vulnerability in Java-based servers. The ransom was set at around $55,000 worth of bitcoin, a digital cryptocurrency that in recent weeks has wildy fluctated in price. But the ransom was never paid, said Atlanta city spokesperson Michael Smith in an email. Between the ransomware attack and the deadline to pay, the payment portal was pulled offline by the ransomware attacker. According to newly published emergency procurement figures, the city is projected to spend as much as 50 times that amount in response to the cyberattack. Between March 22 and April 2, the city budgeted $2,667,328 in incident response, recovery, and crisis management.

Zack Whittaker, reporting for ZDNet: A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others -- without the users' knowledge or consent. Localblox, a Bellevue, Wash.-based firm, says it "automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks." Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.

But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents. The bucket, labeled "lbdumps," contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.

An anonymous reader writes: For years, embedded device manufacturers have been illegally using Linux. Typically, they use Linux without publishing their device's source code, which Linux's GNU General Public License version 2 (GPLv2) requires them to do. Well, guess what? Another vendor, this time Symantec, appears to be the guilty party. This was revealed when Google engineer and Linux security expert Matthew Garrett was diving into his new Norton Core Router. This is a high-end Wi-Fi router. Symantec claims it's regularly updated with the latest security mechanisms. Garrett popped his box open to take a deeper look into Symantec's magic security sauce.

What he found appears to be a Linux distribution based on the QCA Software Development Kit (QSDK) project. This is a GPLv2-licensed, open-source platform built around the Linux-based OpenWrt Wi-Fi router operating system. For Symantec's purposes, QSDK and OpenWrt are an excellent choice. Instead of a read-only firmware, OpenWrt has a fully writable filesystem with package management. This enables Symantec to easily customize its router with updated security features. But -- and it's a big but -- if it's indeed based on QSDK and OpenWrt, Symantec needs to share the Norton Core Router's code with the world.

Microsoft outlined a new intellectual-property policy on Thursday for co-developed technology that embraces open source and seeks to assure customers it won't run off with their innovations. From a report: The shared innovation principles build on its Azure IP Advantage program for helping customers combat patent trolls. The new principles for co-developed innovation cover ownership of existing technology, customer ownership of new patents, support for open source, licensing new IP back to Microsoft, software portability, transparency, and learning. Microsoft president Brad Smith says the principles aim to assuage customers' fears that Microsoft may end up using co-developed technology to rival them.

[...] In return, Microsoft gets to license back any of the patents in the new technology but promises to limit their use to improving its own platform technologies, such as Azure, Azure AI services, Office 365, Windows, Xbox, and HoloLens. It also reserves the right to use "code and tools developed by or on behalf of Microsoft that are intended to provide technical assistance to customers in their respective businesses."

An anonymous reader quotes a report from ZDNet: Cloudflare's new speed and privacy enhancing domain name system (DNS) servers, launched on Sunday, are also part of an experiment being conducted in partnership with the Asia Pacific Network Information Center (APNIC). The experiment aims to understand how DNS can be improved in terms of performance, security, and privacy. "We are now critically reliant on the integrity of the DNS, yet the details of the way it operates still remains largely opaque," wrote APNIC's chief scientist Geoff Huston in a blog post. "We are aware that the DNS has been used to generate malicious denial of service attacks, and we are keen to understand if there are simple and widely deployable measures that can be taken to mitigate such attacks. The DNS relies on caching to operate efficiently and quickly, but we are still unsure as to how well caching actually performs. We are also unclear how much of the DNS is related to end user or application requirements for name resolution, and how much is related to the DNS chattering to itself."

The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and 1.0.0/24, which have been reserved for research use. Cloudflare's new DNS uses two addresses within those ranges, 1.1.1.1 and 1.0.0.1. These address ranges were originally configured as "dark traffic addresses", and some years ago APNIC partnered with Google to analyze the unsolicited traffic directed at them. There was a lot of it. "Our initial work with it certainly showed it to be an unusually strong attractor for bad traffic. At the time we stopped doing it with Google, it was over 50 gigabits per second. Quite frankly, few folk can handle that much noise," Huston told ZDNet on Wednesday. By putting Cloudflare's DNS on these research addresses, APNIC gets to see the noise as well as the DNS traffic -- or at least "a certain factored amount" of it -- for research purposes.

Developers of popular open-source CMS Drupal are warning admins to immediately patch a flaw that an attacker can exploit just by visiting a vulnerable site. From a report: The bug affects all sites running on Drupal 8, Drupal 7, and Drupal 6. Drupal's project usage page indicates that about a million sites are running the affected versions. Admins are being urged to immediately update to Drupal 7.58 or Drupal 8.5.1. Drupal issued an alert for the patch last week warning admins to allocate time for patching because exploits might arrive "within hours or days" of its security release. So far, there haven't been any attacks using the flaw, according to Drupal. The bug, which is being called Drupalgeddon2, has been assigned the official identifier CVE-2018-7600. Drupal has given it a 'highly critical' rating with a risk score of 21 out of 25 under the NIST Common Misuse Scoring System. Further reading: Drupal Fixes Drupalgeddon2 Security Flaw That Allows Hackers to Take Over Sites (BleepingComputer). Commenting on security advisory that Drupal issued last week, BleepingComputer's Catalin Cimpanu said, "In the 9 years I've been around Drupal, I've never seen them publish such an apocalyptic security advisory."

In this age of instant communication, there is pressure on employees to be "switched on" all hours of the day. But do we really have the mental attitude to totally disconnect from work? From a report: A new study by UK-based HandsetExpert has revealed that almost two out of three tech workers would ignore an out-of-hours call from the boss. It surveyed 1,850 mobile device users in the UK to find out how we deal with the pressures of being an "always-on" society. This number might be the roll-up of various reasons -- from being on the toilet, in the bath, or in other compromising situations. The survey showed different behaviours from different job roles. Healthcare professionals seem to be most connected to their place of work. They were the least likely to cancel any calls from their boss, with only 42.5 percent stating they would not pick up the call. At the other end of the scale, real estate agents -- who already work some of the longest hours in the industry -- are least likely to respond. Almost three out of four workers (72.6 percent) in that industry sector would not respond to calls from their boss.

Microsoft has released a tool to help Linux distribution maintainers bring their distros to the Windows Store to run on Windows 10's Windows Subsystem for Linux. From a report: Microsoft describes the tool as a "reference implementation for a Windows Subsystem for Linux (WSL) distribution installer application," which is aimed at both distribution maintainers and developers who want to create custom Linux distributions for running on WSL. "We know that many Linux distros rely entirely on open-source software, so we would like to bring WSL closer to the OSS community," said Tara Raj of Microsoft's WSL team. "We hope open-sourcing this project will help increase community engagement and bring more of your favorite distros to the Microsoft Store." WSL helps programmers build a full Linux development environment for testing production code on a Windows machine.

Zack Whittaker, reporting for ZDNet: It's been almost a week since the City of Atlanta was hit by a ransomware attack, which encrypted city data and led to the shutdown of some services. Mayor Keisha Lance Bottoms said in a press conference Monday that the city's government is working on recovering the network after ransom notes appeared on computer displays on Thursday afternoon. The city has hired local cybersecurity firm SecureWorks to assess the situation. Reports say the notorious SamSam ransomware was used in the Atlanta attack, which exploits a deserialization vulnerability in Java-based servers.

[...] But according to one security firm, last week's cyberattack was not a surprise because the city had fallen victim to leaked government exploits used in the WannaCry outbreak. New data provided by Augusta, Ga.-based cybersecurity firm Rendition Infosec, seen by ZDNet, shows that the city's network was silently infected last year with leaked exploits developed by the National Security Agency. The cybersecurity firm's founder Jake Williams said at least five internet-facing city servers were infected with the NSA-developed DoublePulsar backdoor in late April to early May 2017. That was more than a month after Microsoft released critical patches for the exploits and urged users to install.

The FBI did not have the technical capability to access an iPhone used by one of the terrorists behind the San Bernardino shooting, a Justice Department watchdog has found. ZDNet: A report by the department's Office of Inspector General sheds new light on the FBI's efforts to gain access to the terrorist's phone. It lands almost exactly a year after the FBI dropped a legal case against Apple, which had refused a demand by the government to build a backdoor that would've bypassed the encryption on the shooter's iPhone. Apple said at the time that if it was forced to backdoor one of its products, it would "set a dangerous precedent." Syed Farook and his wife, Tashfeen Malik, killed 14 people in the southern Californian town in December 2015. The 11-page report said that the FBI "had no such capability" to access the contents of Farook's encrypted iPhone, amid concerns that there were conflicting claims about whether the FBI may have had techniques to access the device by the time it had filed a suit against Apple. Those claims were mentioned in affidavits in the court case, as well as in testimony by former FBI director James Comey.

An anonymous reader quotes a report from ZDNet: Firefox maker Mozilla has outlined its 2018 roadmap to make the web less intrusive and safer for users. First up, Mozilla says it will proceed and implement last year's experiment with a breach alerts service, which will warn users when their credentials have been leaked or stolen in a data breach. Mozilla aims to roll out the service around October. Breach Alerts is based on security consultant Troy Hunt's data breach site Have I Been Pwned. Firefox will also implement a similar block on autoplay video to the one Chrome 66 will introduce next month, and that Safari already has. However, Dotzler says Firefox's implementation will "provide users with a way to block video auto-play that doesn't break websites". This feature is set to arrive in Firefox 62, which is scheduled for release in May.

After Firefox 62 the browser will gain an optional Chrome-like ad filter and several privacy-enhancing features similar to those that Apple's WebKit developers have been working on for Safari's Intelligent Tracking Prevention. By the third quarter of 2018, Firefox should also be blocking ad-retargeting through cross-domain tracking. It's also going to move all key privacy controls into a single location in the browser, and offer more "fine-grained" tracking protection. Dotzler says Mozilla is in the "early stages" of determining what types of ads Firefox should block by default. Also on the roadmap is a feature that arrived in Firefox 59, released earlier this month. A new Global Permissions feature will help users avoid having to deny every site that requests permission for location, camera, microphone and notifications. Beyond security and privacy, Mozilla plans to build on speed-focused Quantum improvements that came in Firefox 57 with smoother page rendering.

Microsoft is joining Red Hat, Facebook, Google and IBM in committing to extending right to "cure" open source licensing noncompliance before taking legal measures. From a report: On March 19, officials from Microsoft -- along with CA Technologies, Cisco, HPE, SAP and SUSE -- said they'd work with open together with the already-committed vendors to provide more "predictability" for users of open source software. "The large ecosystems of projects using the GPLv2 and LGPLv2.x licenses will benefit from adoption of this more balanced approach to termination derived from GPLv3," explained Red Hat in a press release announcing the new license-compliance partners. The companies which have agreed to adopt the "Common Cure Rights Commitment" said before they file or continue to prosecute those accused of violating covered licenses, they will allow for users to cure and reinstate their licenses.

Adrian Lamo, a well-known hacker known for his involvement in passing information on whistleblower Chelsea Manning and hacking into systems at The New York Times, Microsoft, and Yahoo in the early-2000s, has died at 37. ZDNet reports: His father, Mario, posted a brief tribute to his son in a Facebook group on Friday. "With great sadness and a broken heart I have to let know all of Adrian's friends and acquittances that he is dead. A bright mind and compassionate soul is gone, he was my beloved son," he wrote. The coroner for Sedgwick County, where Lamo lived, confirmed his death, but provided no further details. Circumstances surrounding Lamo's death are not immediately known. A neighbor who found his body said he had been dead for some time.

Zack Whittaker, reporting for ZDNet: For hours on Thursday, the top Google search result for "Amazon" was pointed to a scam site. The bad ad appeared at the very top of the search result for anyone searching for the internet retail giant -- even above the legitimate search result for Amazon.com. Anyone who clicked on the ad was sent to a page that tried to trick the user into calling a number for fear that their computer was infected with malware -- and not sent to Amazon.com as they would have hoped.

The page presents itself as an official Apple or Windows support page, depending on the type of computer you're visiting the page from. An analysis of the webpage's code showed that anyone trying to dismiss the popup box on the page would likely trigger the browser expanding to full-screen, giving the appearance of ransomware. A one-off event would be forgivable. But this isn't the first time this has happened. It's at least the second time in two years that Google has served up a malicious ad under Amazon's name.

Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."

These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.

Earlier this week, a little-known security firm called CTS Labs reported, what it claimed to be, severe vulnerabilities and backdoors in some AMD processors. While AMD looks into the matter, the story behind the researchers' discovery and the way they made it public has become a talking point in security circles. The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing their report online. Typically, researchers give companies a few weeks or even months to fix the issues before going public with their findings. To make things even stranger, a little bit over 30 minutes after CTS Labs published its report, a controversial financial firm called Viceroy Research published what they called an "obituary" for AMD. Motherboard reports: "We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries," Viceroy wrote in its report. CTS Labs seemed to hint that it too had a financial interest in the performance of AMD stock. "We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," CTS Labs wrote in the legal disclaimer section of its report.

On Twitter, rumors started to swirl. Are the researchers trying to make money by betting that AMD's share price will go down due to the news of the vulnerabilities? Or, in Wall Street jargon, were CTS Labs and Viceroy trying to short sell AMD stock? Security researcher Arrigo Triulzi speculated that Viceroy and CTS Lab were profit sharing for shorting, while Facebook's chief security officer Alex Stamos warned against a future where security research is driven by short selling.

[...] There's no evidence that CTS Labs worked with Viceroy to short AMD. But something like that has happened before. In 2016, security research firm MedSec found vulnerabilities in pacemakers made by St. Jude Medical. In what was likely a first, MedSec partnered with hedge fund Muddy Waters to bet against St. Jude Medical's stock. For Adrian Sanabria, director of research at security firm Threatcare and a former analyst at 451 Research, where he covered the cybersecurity industry, trying to short based on vulnerabilities just doesn't make much sense. While it could work in theory and could become more common in the future, he said in a phone call, "I don't think we've seen enough evidence of security vulnerabilities really moving the stock for it to really become an issue." Further reading: Linus Torvalds slams CTS Labs over AMD vulnerability report (ZDNet).

OffTheLip writes: Jun Ying, a former CIO with Equifax has been charged with insider trading by the US Department of Justice. From the linked article:

Wednesday's announcement marks the first criminal charge brought in one of the largest data breaches in history. Ying, the former chief information officer for Equifax's U.S. information-solutions business, used confidential information entrusted to him by the company to determine it had been hacked, according to a separate complaint filed by the Securities and Exchange Commission.

ZDNet adds: According to a Justice Department statement, Ying sent a text message to a colleague two weeks before Equifax revealed the hack, in which he said the breach "sounds bad." Three days later, Ying searched the web to research the effect of Experian's 2015 own breach on its stock price. Later that day, Ying excised all his available stock options.