Kronos crims go retro, Apple builds cop portal, Swiss cheesed over Russian hack bid, etc

This was the week of ice cold exploits, re-appearing JavaScript nasties, and of course Patch Tuesday. A few other things happened too…

Android gets its monthly patch-up

Microsoft and Adobe weren't the only ones to kick out monthly updates recently. Google also issued the September update for Android. This month, fixes …

  1. onefang Silver badge

    "Hopefully those cops can track down the crooks charging $1,500 for a phone."

    I don't think they have to search far once they are on the Apple police portal to find those crooks.

    1. whoseyourdaddy

      or, litigate because they believe $20 in royalties per phone to the company that invented their modems is excessive.

      Nonetheless, I look at this as a positive first step as I've discovered when you invent activation locks, iCloud login phishing is the answer for resetting stolen handsets.

      1. Waseem Alkurdi Silver badge

        (The comment above was in response to OP)

        Nonetheless, I look at this as a positive first step as I've discovered when you invent activation locks, iCloud login phishing is the answer for resetting stolen handsets.

        You need to know your victim first, send an exploit or whatever, then steal the handset.

        Look how it just became at least three times more difficult than just nabbing a phone carelessly left in a pocket inside a purse?

    2. Waseem Alkurdi Silver badge
      Happy

      The first thing that I thought of when I saw this? An Arabic proverb that translates as "If the judge was a wolf, to whom must the shepherd pass his complaint?"

  2. Paul Herber

    FTFY

    Apple is said to be in the process of creating a web portal that would allow El Reg to directly contact the Cupertino giant when seeking information about anything fruity.

    1. Waseem Alkurdi Silver badge
      Devil

      Re: FTFY

      Seems to be a web portal that redirects any submissions to the Apple Priority Media Inquiries Box (/dev/null), from what they did to El Reg over the years.

      1. Francis Boyle Silver badge

        /dev/null?

        Don't you mean a certain video on Youtube?

  3. Waseem Alkurdi Silver badge

    Armed with those keys, an attacker could then decode sensitive information such as passwords that would allow them to take over Intel Management Engine (ME) firmware controls in PCs and servers.

    Fuck you, Intel.

    That's what we get for allowing a black box sitting on the processor "Intel vPro/AMT/ME/whatever".

    1. Jack of Shadows Silver badge

      And firmware updates for older machines from Intel are meaningless if the OEM doesn't update the firmware anymore. That's true of every Intel-based device I own, not a one that's any kind of a slouch in terms of performance, so I'm not junking them.

      1. Waseem Alkurdi Silver badge

        Most times (if we're talking business-class laptops/desktops here), you can update the firmware independently from the BIOS/UEFI firmware. The ME firmware sits on a separate region of the flash.

        But Intel doesn't seem to be releasing the firmware on its websites ... they only have a flasher, and the firmware comes from OEM. Damn, why the hell?

        At least, if you're comfortable soldering chips, you can try me_cleaner or something.

        Edit: https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html

        This site seems to provide separate F/W packages for all versions of MEI.

        However, what if there are remotely exploitable zero-days? (I think that there ARE ones in the wild, which may be why the US Gov't. asked for HAP support on Skylake MEI and above)

        1. Jack of Shadows Silver badge
          Facepalm

          I used to be 2M (Micro-Miniature) certified but when all the crap in my spinal cord went to shit, that went out the window. I've been closely following the IME/AMT issue since the beginning and me-cleaner isn't an option, the wrong CPU-families here. No, I just keep the Intel-CPU machines energy-gapped which sort of works as they are used for pure computing grunt. Machine learning, all sorts of modeling as well as pretty much any form of computer-aided engineering you could think of, even a couple you probably wouldn't. It's still so damned annoying that I have to pull datasets and then cryptographically/safely transport them across systems.

          I'm certainly not buying Intel ever again and have been a solid loyalist for a quarter century. Just "what" I get in the future is an open question as they are stuffing this shit into every decent CPU around, not that I have a large budget anymore. Even OpenRISC looks to be joining that now.

          {Frustrated-Shrug}

          1. whitepines Silver badge

            What about the new OpenPOWER chips? There's full firmware source and no black box signed stuff: https://twitter.com/RaptorCompSys/status/1011278248876167168

    2. onefang Silver badge

      Or it might be a way to take control of your own Intel Management Engine, and either kill it completely, or install your own operating system on it.

  4. Jack of Shadows Silver badge
    Happy

    And on a brighter note:

    The write-up of WannaMine by Amit Serper of Cybereason is pure teaching gold. Well worth the read.

  5. Francis Boyle Silver badge

    Russians hacking chemical labs

    Surprising. I'd have thought that, by now, they'd have all the poisons.

    1. MiguelC Silver badge

      Re: Russians hacking chemical labs

      I just don't understand why the two Russian blokes were arrested and subsequently deported back to Moscow. What about a trial and, if found guilty, enjoy some quality me time in a Dutch prison? After that they should be deported, not instead of...


Biting the hand that feeds IT © 1998–2019