Intel to Prohibit Publishing Benchmark Test Results

Let's try to figure out how this new 'policy' may be related to the Meltdown and Spectre vulnerabilities
24 August 2018

Intel has changed the license agreement for the updated microcode of its processors. The text now includes a ban on publishing performance test results. Under the new conditions, users are not allowed to run benchmarks if they plan to show the results to third parties.

Bruce Perens, one of the leaders of the open source movement, drew attention to the changes. Because the microcode is used for all instructions, the rules apply to the entire processor. The ban even applies to performance tests written by users themselves.

Perens believes that the changes in the agreement are due to the company's fear of losing some of its sales. Microcode updates mitigate vulnerabilities like Meltdown and Spectre and reduce processor performance by 5-10%, which can scare off buyers.

According to Bruce Perens, Intel is trying to keep silent about possible problems and is making customers do the same. He believes that companies should publish updates, but the final decision should be left to users. The vulnerabilities are more dangerous for cloud service providers, so for most ordinary users the security patches are not relevant.

The mass release of security updates for processors began in January 2018. Intel found a serious vulnerability, which allows reading information from the kernel's private memory.

Third-Party Apps Could Read Twitter Messages

According to the company, no one used this vulnerability and the issue is now solved
18 December 2018

Until the beginning of December, third-party applications could access private messages on Twitter. According to the company, no one took advantage of this vulnerability. Terence Eden, who found it, was paid almost $3,000 under the Bug Bounty program.

In 2013, keys to the Twitter API were leaked, so applications could access the interface while bypassing the social network. To protect users, Twitter implemented an application authorization mechanism through predefined addresses (Callback URLs), but it didn’t suit everyone.

Applications that do not support Callback URLs could authenticate using PIN codes. With this kind of authorization, a window pops up listing the data the user is granting access to. The window did not request access to private messages, but in fact the application received it.

On December 6, Twitter reported that it had solved the problem. Judging by the statement of the company on the HackerOne website, no one had time to take advantage of this vulnerability.

This is not the first social network security error related to the API. In September, Twitter discovered a bug in AAAPI (Account Activity API): the system sent a copy of the user's personal message to a random recipient.