Perils of Proprietary Software
News Analysis: Sonos shows the danger of a hardware-only business model
How long should a manufacturer be responsible for maintaining support for legacy products?
Consumer devices have increasingly become smart and connected, only to be abandoned later by the manufacturer. Smart suitcases have turned dumb, talking toys have gone mute, and wireless security cameras have been bricked into paperweights. Most recently, Sonos drew a lot of grief for announcing that older versions of its smart home speakers would soon lose access to services and functionality. Customers complained that they had spent thousands on their audio systems, some of which were still on the market as recently as 2015.
A hardware device is a one-time purchase, while software updates require continual labor. As technology improves and devices last longer, the initial manufacturing cost may end up being a small proportion of the total lifetime cost of production. Many manufacturers have shifted to business models that treat the device sale as a loss leader for future revenue streams. Amazon can afford to underprice the Echo because it enables consumers to buy more stuff from Amazon; Google and Spotify teamed up to give away Google Home Minis; and even Apple recently lowered prices on its iPhones to grow a user base for its subscription services.
Magento patches critical code execution vulnerabilities, upgrade ASAP!
According to the newest Magento-themed security bulletin (now published as an Adobe security bulletin), three of the six fixed flaws are critical and three are important.
In the “critical” category are a deserialization of untrusted data (CVE-2020-3716) and a security bypass (CVE-2020-3718) that could lead to arbitrary code execution, and an SQL injection (CVE-2020-3719) that could be exploited to leak sensitive information.
In the “important” category are two stored cross-site scripting flaws (CVE-2020-3715, CVE-2020-3758) and a path traversal (CVE-2020-3717) vulnerability, all of which could lead to sensitive information disclosure.
UN hacked: Attackers got in via SharePoint vulnerability
According to the report, the attack started in July 2019, when the attackers managed to compromise a server located at the UN Office in Vienna through CVE-2019-0604, a security hole in Microsoft SharePoint patched by Microsoft in February 2019 and subsequently widely exploited by attackers to hit a variety of targets worldwide.
The hole should have been patched by the UN IT staff within a month of the release of the patch, but wasn’t.
The attackers then moved through the UN's networks and ultimately reached systems at the UN Office in Geneva and the UN Office of the High Commissioner for Human Rights (OHCHR), also in Geneva.
Security risks for e-scooters and riders exposed
However, research out of UTSA finds that e-scooters carry risks beyond the perils of potential collisions. Computer science experts at UTSA have published the first review of the security and privacy risks posed by e-scooters and their related software services and applications.
[...]
Some e-scooter models communicate with the rider's smartphone over a Bluetooth Low Energy channel. Someone with malicious intent could eavesdrop on these wireless channels and listen to the data exchanged between the scooter and the rider's smartphone app using cheap, readily available hardware and software tools such as Ubertooth and Wireshark.
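To make the eavesdropping point concrete, here is an added example (not code from the UTSA study or from any scooter vendor) that decodes the advertising data a BLE device broadcasts before any pairing or encryption takes place. Everything in this payload is readable by a passive sniffer such as Ubertooth; the packet bytes, the device name "Scooter-42" and the company ID 0x1234 are constructed for this example and do not describe a real product.

```python
# Added example: decode BLE advertising AD structures as a passive sniffer would.
# The sample payload below is constructed for illustration only.
from dataclasses import dataclass
from typing import List

# A few common AD types from the Bluetooth assigned numbers list.
AD_TYPES = {
    0x01: "Flags",
    0x02: "Incomplete 16-bit Service UUIDs",
    0x03: "Complete 16-bit Service UUIDs",
    0x08: "Shortened Local Name",
    0x09: "Complete Local Name",
    0x0A: "Tx Power Level",
    0xFF: "Manufacturer Specific Data",
}


@dataclass
class ADStructure:
    ad_type: int
    data: bytes


def parse_ad_structures(payload: bytes) -> List[ADStructure]:
    """Split an advertising payload into its length-prefixed AD structures.

    Each structure is: 1 length byte (covers type + data), 1 AD-type byte, data.
    A zero length ends parsing (trailing padding). A length that runs past the
    end of the payload is rejected instead of being read out of bounds.
    """
    out: List[ADStructure] = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns payload")
        out.append(ADStructure(payload[i + 1], bytes(payload[i + 2:end])))
        i = end
    return out


def summarize(payload: bytes) -> dict:
    """Extract the fields an eavesdropper can read without any key material."""
    info = {"name": None, "services": [], "manufacturer_id": None,
            "manufacturer_data": None, "flags": None}
    for ad in parse_ad_structures(payload):
        if ad.ad_type in (0x08, 0x09):
            info["name"] = ad.data.decode("utf-8", errors="replace")
        elif ad.ad_type in (0x02, 0x03):
            # 16-bit UUIDs are transmitted little-endian, two bytes each.
            info["services"] = [int.from_bytes(ad.data[j:j + 2], "little")
                                for j in range(0, len(ad.data) - 1, 2)]
        elif ad.ad_type == 0xFF and len(ad.data) >= 2:
            info["manufacturer_id"] = int.from_bytes(ad.data[:2], "little")
            info["manufacturer_data"] = ad.data[2:].hex()
        elif ad.ad_type == 0x01 and ad.data:
            info["flags"] = ad.data[0]
    return info


# Constructed sample advertising payload (25 bytes, within the 31-byte limit):
SAMPLE_ADV = (
    bytes([0x02, 0x01, 0x06])                        # Flags: general discoverable, no BR/EDR
    + bytes([0x03, 0x03, 0xE0, 0xFE])                # Complete 16-bit UUIDs: 0xFEE0
    + bytes([0x0B, 0x09]) + b"Scooter-42"            # Complete Local Name (10 chars)
    + bytes([0x05, 0xFF, 0x34, 0x12, 0xAB, 0xCD])    # Manufacturer data: company 0x1234 (placeholder)
)

if __name__ == "__main__":
    for ad in parse_ad_structures(SAMPLE_ADV):
        print(f"{AD_TYPES.get(ad.ad_type, hex(ad.ad_type))}: {ad.data.hex()}")
    print(summarize(SAMPLE_ADV))
```

The advertising channel is only the start: unless the app and scooter negotiate LE Secure Connections pairing, the subsequent ATT reads and writes (lock/unlock commands, battery, odometer) travel in the same cleartext form, which is exactly what a Wireshark capture fed by Ubertooth would show.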
Those who sign up to use e-scooters also offer up a great deal of personal and sensitive data beyond just billing information. According to the study, providers automatically collect other analytics, such as location and individual vehicle information.
This data can be pieced together to generate an individual profile that can even include a rider’s preferred route, personal interests, and home and work locations.
Making Sure RISC-V Designs Work As Expected
The RISC-V instruction set architecture is attracting attention across a wide swath of markets, but making sure devices based on the RISC-V ISA work as expected is proving as hard as, if not harder than, it is for chips built on other commercially available ISAs. The general consensus is that open source lacks the safety net of commercially available IP and tools. Characterization tends to be generalized rather than specific to a particular application, and open-source tools are more difficult to work with and frequently less reliable. This has created a market for commercial implementations of the RISC-V ISA and for tools aimed specifically at RISC-V, and it has also opened the door for commercially developed tools and IP that simplify and add consistency to RISC-V implementations.

All of this is happening amid rapid growth throughout the RISC-V ecosystem. Semico Research predicts the communications segment will achieve a 209% compound annual growth rate by 2025, and that RISC-V will capture more than 6% of the CPU core business in that market between now and 2025. The firm also forecasts that the available market for automotive will have a CAGR of 160% during that period, and that the total available market for 5G infrastructure will reach 19 million units by 2025, with RISC-V playing an important role in both markets. In total, RISC-V growth is forecast to increase 160% during that period in devices targeted at a broad range of performance levels.
