Catch up on October’s most-read stories on MSN – Windows Experience Blog

The Microsoft News team has a mission to keep the world informed, with nearly half a billion people coming to MSN and Microsoft Edge every month to find out what’s going on around the globe.
Each day, Microsoft News editors work with more than 1,000 premium publishing partners (such as “The New York Times,” “Fox News,” “USA Today” and “Sports Illustrated”) to curate the best news and high-quality, credible journalism across a variety of topics so that readers get the latest news.
Each month, MSN will publish a list of its most-read news stories “in order to share what our readers are drawn to and allow you to catch up on stories you may have missed.”
Head over to The Microsoft News Blog to check out the five most-read stories for October.

PortSmash side-channel attack targets Intel Hyper-Threading

Researchers have discovered another side-channel attack against CPUs, this time abusing the simultaneous multithreading architecture in order to steal private data.

The new attack method — named PortSmash — was discovered by the team of Billy Bob Brumley, Cesar Pereida Garcia, Sohaib ul Hassan and Nicola Tuveri, based at the Tampere University of Technology in Finland, and Alejandro Cabrera Aldaya of the Universidad Tecnologica de la Habana CUJAE in Cuba.

Brumley described PortSmash as being the result of leakage caused by “execution engine sharing” on simultaneous multithreading (SMT), known on Intel processors as Hyper-Threading.

“We detect port contention to construct a timing side channel to exfiltrate information from processes running in parallel on the same physical core,” Brumley wrote in a post. “We steal an OpenSSL P-384 private key from a TLS server using this new side-channel vector. It is a local attack in the sense that the malicious process must be running on the same physical core as the victim (an OpenSSL-powered TLS server in this case).”

Sumanth Gangashanaiah, director of engineering at ShieldX, said the effectiveness of PortSmash attacks would increase as the number of CPU cores increases.

“For the attack to be successful, the attacker has to run malicious code on the same core as the legitimate code running on the same processor,” Gangashanaiah wrote via email. “The challenge here is whether the hypervisor will schedule both the legitimate and malicious code to run on the same core in the case of IaaS. A determined attacker (nation state attackers) could keep trying. If so, the outcome is going to be huge.”

CPU side-channel attacks

PortSmash is the latest in a series of side-channel attacks against CPUs that began with the Spectre and Meltdown attacks, which were discovered by multiple independent groups and disclosed in January. Since then, more Spectre variants have been discovered such as NetSpectre, and there has already been a side-channel attack targeting Hyper-Threading, called TLBleed.

Hector Martin, a security researcher based in Tokyo, said via Twitter that side-channel attacks are here to stay.

Unlike TLBleed, which experts said might be difficult to exploit, PortSmash could prove more dangerous.

“A malicious actor would have nearly zero difficulty to run the malicious process on the same core as the victim process,” wrote Justin Jett, director of audit and compliance at Plixer, via email. “Specifically, once the malicious actor knows the process id (PID) of the victim process, they can leverage utilities like taskset to determine which core the process is running on. From there, they can set their malicious process to run on the same core.”

Kevin Bocek, chief cybersecurity officer at Venafi, noted via email that “Given the infectious nature of malware and increasing operations in the cloud — this attack is accessible to many hackers, whether out for profit or hacking a nation state.” 

PortSmash disclosure

According to Brumley, the team disclosed PortSmash to Intel on Oct. 1. AMD was not notified because the research was only verified on Intel Skylake and Kaby Lake processors, but Martin noted it is theoretically possible on AMD as well.

Brumley and his team publicly announced PortSmash and provided proof-of-concept code on Nov. 1, the same day Intel provided a patch against the issue.

“My team initially proposed an embargo until 01 Nov in a private communication with Intel Security,” Brumley wrote via email. “In the same communication, we gladly offered Intel Security the opportunity to suggest an alternative schedule. They declined to do so at any point during the responsible disclosure process.”

Jett noted the sticking point may still be in organizations patching systems.

“There are no hard and fast rules when it comes to reporting and responding,” Jett wrote. “Regardless of the amount of time given to Intel, very often patches to systems go undone for far too long. Organizations would very likely remain vulnerable because patches that require systems to be taken offline are done infrequently.”

Brumley, Red Hat and other experts suggested the best mitigation would be disabling SMT/Hyper-Threading, if possible, which could negatively impact system performance.
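To check whether a Linux host still exposes the SMT sibling threads that the mitigation above would remove, the following added example (not code from the article or from the PortSmash researchers) reads the kernel's sysfs SMT state and groups logical CPUs by physical core. It assumes the standard Linux sysfs layout under /sys/devices/system/cpu; the function names are illustrative.

```python
"""Audit whether SMT (Hyper-Threading) leaves sibling threads online on Linux."""
from pathlib import Path

SYSFS_CPU = Path("/sys/devices/system/cpu")


def parse_cpu_list(text):
    """Expand a kernel CPU list such as '0-3,8,10-11' into a sorted list of ints."""
    cpus = set()
    for part in text.strip().split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return sorted(cpus)


def shared_cores(siblings_by_cpu):
    """Return the groups of logical CPUs that the kernel reports on one core.

    siblings_by_cpu maps a logical CPU number to the raw contents of its
    topology/thread_siblings_list file.
    """
    groups = {tuple(parse_cpu_list(raw)) for raw in siblings_by_cpu.values()}
    return sorted(g for g in groups if len(g) > 1)


def read_host(root=SYSFS_CPU):
    """Collect the SMT control state and sibling lists from sysfs (Linux only)."""
    control = root / "smt" / "control"
    state = control.read_text().strip() if control.exists() else "unknown"
    siblings = {}
    for topo in root.glob("cpu[0-9]*/topology/thread_siblings_list"):
        cpu = int(topo.parent.parent.name[3:])  # directory name is 'cpuN'
        siblings[cpu] = topo.read_text()
    return state, siblings


def audit(state, siblings_by_cpu):
    """Flag the host as exposed when any core reports more than one thread."""
    shared = shared_cores(siblings_by_cpu)
    return {"smt_control": state, "shared_cores": shared, "exposed": bool(shared)}


if __name__ == "__main__":
    print(audit(*read_host()))
```

An empty `shared_cores` list means no two logical CPUs are reported on the same physical core, which is the state the suggested mitigation aims for.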

For Sale – Complete RGB Gaming PC 7700K, GTX1080

Hi guys,

New to AVF selling but long time member on a members market of a well known computer parts retailer. I’m flying off to a Ski season on the 5th November so I’ve decided to sell my pride and joy so I can fund ski gear!

I built this computer myself from individual parts in September 2017 and so it is about 13 months old (a few components e.g. SSD and PSU are older as they came from a previous build).

The complete specs are:

Intel i7 7700K
Corsair Hydro H100i GTX 240mm
Asus Maximus IX Formula
Team Group Night Hawk RGB 16GB (2x8GB) DDR4 PC4-25600C16 3200MHz
Asus Strix GTX1080
Superflower Leadex 1000W Platinum
Phanteks Enthoo Luxe Glass Midi Tower Case
(w/ additional Phanteks Multicolor Magnetic RGB LED Strip which I have placed around the outside of the window)
Crucial M500 250GB SSD
Samsung F1 1TB HDD
DVD-RW Optical Drive

The case, GPU, RAM and motherboard are all RGB and sync with Asus’s software so any effects are perfectly synced and so it looks gorgeous.

The CPU has had a mild overclock but never pushed significantly.
I have a lot (but not all) of the boxes for the individual components should you wish to sell/change any parts.

I would never post this so payment on collection/meet-up only. Willing to drive up to 1hr from my post code of KT21 2LW (I will require a small deposit of £20 for driving just to avoid any time wasting).

Price and currency: 1000GBP
Delivery: Goods must be exchanged in person
Payment method: Cash, Paypal (F&F) or Bank Transfer
Location: Ashtead, Surrey
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I prefer the goods to be collected


AWS re:Invent 2018 another test for the cloud giant

The eyes of the IT world are on AWS this month for the cloud provider’s flagship user conference, AWS re:Invent 2018, and many want to see how far it will go to appease its growing base of enterprise clients.

AWS re:Invent gets bigger every year. And there are no signs that either the conference or AWS plans to slow down. AWS continues to dominate the cloud market and roll out services at a blistering pace, even as Microsoft and others have emerged as viable alternatives. There will be plenty of interest at AWS re:Invent 2018 in how the provider addresses the latest trends in IT, particularly around containers and AI. And yet, many industry observers think it’s also time for AWS to take a step back and consider a more holistic approach to its platform and its place in the IT landscape.

AWS hybrid strategy

For years, AWS publicly urged enterprises to go all-in on its cloud and dismissed hybrid cloud as counterproductive to future success. But despite its steadfast rhetoric, AWS has ceded to the demands of enterprise clients that have dozens, if not hundreds, of applications that are difficult to migrate.

“They talked about false cloud and fake cloud and used language like that to position public cloud very clearly,” said Paul Miller, a Forrester Research analyst. “[But] behind the scenes, they understand the reality for most customers is hybrid.”

That hybrid strategy came to a head in 2017 with the rollout of VMware Cloud on AWS, a service that enables enterprises to port the familiar vSphere environment directly to Amazon’s cloud. Recently added services extend some of AWS’ software beyond its own network and into edge devices and private data centers.

Industry observers expect that strategy to go even further at AWS re:Invent 2018, particularly in light of this past August’s public preview of an on-premises version of Amazon Relational Database Service (RDS) in conjunction with VMware.

“It’s a completely new direction for them,” said Deepak Mohan, a research director at IDC. “It’s an acknowledgement that there is interest in higher-layer [AWS] services, but maybe the way it’s delivered is not through EC2 environments.”

Amazon RDS on VMware is essentially a SaaS version of AWS’ database service, Mohan said, and could open the door to bring more of Amazon’s services, such as RedShift, Aurora or its machine learning offerings, on premises.

Microsoft Azure’s hybrid strategy represents one of the biggest long-term threats to AWS, said Rhett Dillingham, an analyst at Moor Insights & Strategy. Amazon RDS on VMware is a big step in the right direction, but it still relies on the VMware stack and what AWS can add on top.

“If the enterprise is comfortable with the VMware software stack and is running that across private infrastructure and AWS, then there is no perceived AWS gap in hybrid,” he said. “But, for an enterprise that is not looking to extend its VMware footprint into public cloud, they see a gap versus Azure’s hybrid solution.”

Managed services

AWS has built a massive ecosystem of partners to help enterprises manage the platform and to link its cloud to other prominent technologies. It’s often squeezed out smaller companies when it wants to directly offer a competing service or feature — so much so that the re:Invent keynotes have earned a reputation as a death knell for many third-party vendors in attendance. But AWS also relies heavily on that network of companies to help users navigate a sprawling set of services and a delivery model that carries a steep learning curve for traditional IT shops.

There are always questions about what that balance will look like coming out of the AWS re:Invent 2018 conference. In recent years, AWS has added more managed services, but it’s also done more to support third parties and even carved out a stand-alone partner summit as part of the weeklong conference. Still, industry observers expect — or at least hope — to see AWS be more hands on.

“They’ve always positioned it as, ‘We’ve got this fabulous platform, and we’ve got partners that will help you integrate into it,'” said Melanie Posey, a 451 Research analyst. A new strategy, she said, may call for AWS to become more involved in integrations and professional services.

Posey compared the arc of cloud adoption to a baseball season, saying it’s just getting to the late stages of spring training. To meet the needs of those enterprises, AWS must offer a more finished product, she said.

There’s also interest in greater ease of consumption. AWS has added features at a daunting pace for more than a decade, so it’s probably a good time for the company to tidy up the catalog and make it easier to guide users through their options, Miller said.

“Even for someone who is deeply expert in one area and knows all the options inside and out, they’re going to get overwhelmed when they get to another piece of the puzzle,” he said.

Users have welcomed many of the services AWS has added over the years, but there are concerns that it’s done so at the expense of functionality for some of its core products.

CloudFormation’s GUI looks like it was designed 15 years ago, said Brian Tarbox, lead cloud engineer at Cogito and a SearchAWS contributor. For example, users can view nested stacks but can’t break that down to show only top-level stacks.

“Just some of the basics,” Tarbox said. “I understand they are going a mile a minute, and, in most places, they have done a remarkable job with all the cross-integration. But, it’s like, guys, slow down and put just a little bit of work into your GUIs.”

Machine learning

One answer to the deluge of services and management responsibilities could be AI. AWS has already moved in this direction in security with its GuardDuty and Macie services, which use machine learning to detect threats and ensure proper security policies are followed. AWS will likely double down on the use of AI on the back end to help users, possibly in the areas of cost optimization and general operational health, said Jason McKay, CTO at Logicworks, an AWS managed services provider.

There’s also an expectation that AWS will continue to bolster its customer-facing AI tools — from its higher-level cognitive services to SageMaker, which makes machine learning more approachable on its platform for data scientists and analysts.

TechTarget Senior Site Editor Kristin Knapp contributed to this report.
