A new type of supply-chain attack with serious consequences is flourishing



A new type of supply chain attack unveiled last month is targeting more and more companies, with new rounds this week taking aim at Microsoft, Amazon, Slack, Lyft, Zillow, and an unknown number of others. In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks.

The latest attack against Microsoft was also carried out as a proof-of-concept by a researcher. Attacks targeting Amazon, Slack, Lyft, and Zillow, by contrast, were malicious, but it’s not clear if they succeeded in executing the malware inside their networks. The npm and PyPI open source code repositories, meanwhile, have been flooded with more than 5,000 proof-of-concept packages, according to Sonatype, a firm that helps customers secure the applications they develop.

“Given the daily volume of suspicious npm packages being picked up by Sonatype’s automated malware detection systems, we only expect this trend to increase, with adversaries abusing dependency confusion to conduct even more sinister activities,” Sonatype researcher Ax Sharma wrote earlier this week.

A slick attack

The goal of these attacks is to execute unauthorized code inside a target’s internal software build system. The technique works by uploading malicious packages to public code repositories and giving them a name that’s identical to a package stored in the target developer’s internal repository.

Developers’ software management apps often favor external code libraries over internal ones, so they download and use the malicious package rather than the trusted one. Alex Birsan—the researcher who tricked Apple and the other 34 companies into running the proof-of-concept packages he uploaded to npm and PyPI—dubbed the new type of supply chain attack dependency confusion or namespace confusion because it relies on software dependencies with misleading names.

Software dependencies are code libraries that an application must incorporate for it to work. Normally, developers closely guard the names of dependencies inside their software build systems. But Birsan found that the names often leak when package.json files—which hold various metadata relevant to a development project—are embedded into public script files. Internal paths and public scripts that contain the require() programming call can also leak dependency names.

When no package with that name exists in the public repository, attackers can upload a malicious package under the same name with a version number higher than the authentic package stored internally. In many cases, developers either accidentally use the malicious library, or their build application automatically does so.
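One way to check a project for the exposure described above, as an added example that is not code from the article or from any of the companies it names: it reads a package.json and an .npmrc (both constructed below, with hypothetical package names) and, given the organization’s list of internal package names, reports every internal dependency that the npm client could fetch from the public registry, either because the name is unscoped or because its scope is not mapped to a private registry. Scoping internal packages and pinning the scope to a private registry is the mitigation the statements later in the article describe.

```python
"""Flag dependency-confusion exposure in an npm project (added example)."""
import json
import re

# Constructed sample inputs; the package names are hypothetical.
INTERNAL_PACKAGES = {"@acme/auth-client", "acme-logger", "acme-build-tools"}

PACKAGE_JSON = json.dumps({
    "name": "desktop-app",
    "dependencies": {
        "@acme/auth-client": "^2.1.0",   # scoped, and the scope is pinned privately
        "acme-logger": "^1.4.0",         # internal but unscoped: exposed
        "lodash": "^4.17.21",            # genuinely public package
    },
    "optionalDependencies": {
        "acme-build-tools": "*",         # internal, unscoped, any version: exposed
    },
})

NPMRC = """
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/repository/npm-private/
"""

PUBLIC_REGISTRY_HOSTS = ("registry.npmjs.org",)


def parse_npmrc(text):
    """Return (default_registry, {scope: registry}) from .npmrc lines."""
    default_registry = "https://registry.npmjs.org/"  # npm's built-in default
    scopes = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(@[^:\s]+):registry\s*=\s*(\S+)", line)
        if m:
            scopes[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^\s*registry\s*=\s*(\S+)", line)
        if m:
            default_registry = m.group(1)
    return default_registry, scopes


def registry_for(name, default_registry, scopes):
    """Registry the npm client would query for this package name."""
    if name.startswith("@"):
        scope = name.split("/", 1)[0]
        return scopes.get(scope, default_registry)
    return default_registry


def audit(package_json_text, npmrc_text, internal_names):
    """Return [(section, name, version_spec, registry)] for internal
    dependencies that would be fetched from a public registry host."""
    pkg = json.loads(package_json_text)
    default_registry, scopes = parse_npmrc(npmrc_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if name not in internal_names:
                continue
            registry = registry_for(name, default_registry, scopes)
            if any(host in registry for host in PUBLIC_REGISTRY_HOSTS):
                findings.append((section, name, spec, registry))
    return findings


if __name__ == "__main__":
    for section, name, spec, registry in audit(PACKAGE_JSON, NPMRC, INTERNAL_PACKAGES):
        print(f"EXPOSED {section}: {name}@{spec} would resolve from {registry}")
```

A wildcard or caret range on an exposed name is the worst case, since any higher public version satisfies it.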

“It’s a slick attack,” HD Moore, co-founder and CEO of network discovery platform Rumble, said. “My guess is it affects a ton of folks.” He added that most at risk are organizations that use large numbers of internal packages and don’t take special steps to prevent public packages from replacing internal ones.

Raining confusion

In the weeks since Birsan published his findings, dependency confusion attacks have flourished. Already hit by a proof-of-concept attack that executed Birsan’s unauthorized package in its network, Microsoft recently fell to a second attack, this one carried out by researchers from Contrast Security.

Matt Austin, director of security research at Contrast, said he started by looking for dependencies used in Microsoft’s Teams desktop application. After finding a JavaScript package called “Optional Dependencies,” he seized on a way to get a Teams development machine to download and run a package he put on npm. The package used the same name as a module listed as an optional dependency.

Shortly after doing so, a script Austin put into the module started contacting him from several internal Microsoft IP addresses. Austin wrote:

Whether the responses I saw were automated or manual, the fact that I was able to generate this reaction poses significant risk. By taking advantage of the post-install script, I was able to execute code in whatever environment this was being installed on. If attackers were to execute code the way I did on a build server for a desktop application update that was about to be distributed, they could insert anything they wanted into that update, and that code would go out to every desktop using Teams—more than 115 million machines. Such an attack could have monumental repercussions, potentially affecting as many organizations as the massive attack on the SolarWinds software factory that was revealed in December.

He provided the following figure illustrating how a malicious attack might work under this theoretical scenario:


A Microsoft spokeswoman wrote: “As part of our larger efforts to mitigate package substitution attacks, we quickly identified the issue mentioned and addressed it, and at no point did it pose a serious security risk to our customers.” The spokeswoman added that the system that executed Austin’s code was part of the company’s security testing infrastructure. Microsoft has more about the risks and ways to mitigate them here.

Attacks turn malicious

Like the packages uploaded by Birsan and Austin, the thousands of files that flooded npm and PyPI have mostly contained benign scripts that send the researchers the IP address and other generic details of the computer that runs them.

But not all of the uploads have observed such restraint. On Monday, Sonatype researchers reported files uploaded to npm that attempted to steal password hashes and bash script histories from companies including Amazon, Slack, Lyft, and Zillow.

A .bash_history file being accessed by the package uploaded to npm. (Image: Sonatype)

“These activities would take place as soon as a dependency confusion attack succeeds and would need no action from the victim, given the nature of the dependency/namespace hijacking issue,” Sharma, the researcher at Sonatype, wrote.

Bash histories, which store commands and other input that administrators type into their computers, often contain plaintext passwords and other sensitive data. The /etc/shadow file on Linux machines stores the cryptographic hashes of the passwords needed to access user accounts on the computer. (For those hashes to be compromised, the npm app would have to be running as root, an extremely elevated set of privileges that is almost never given to software management apps.)

Sonatype said it had no way of knowing whether the files were executed by any of the companies targeted by the scripts.

The targets respond

In a statement, Slack officials wrote:

The mimicked library in question is not part of Slack’s product, nor is it maintained or supported by Slack. We have no reason to believe the malicious software was executed in production. Our security team regularly scans the dependencies used in our product with internal and external tools to prevent attacks of this nature. Additionally, Slack’s secure development practices, such as using a private scope when using private dependencies, make it unlikely that a dependency-related attack would be successful against our product.

A Lyft statement read: “Lyft was not harmed in this attempt. There is no indication that this malicious software was executed on Lyft’s network. Lyft has a dedicated information security program to defend against such supply chain attacks and runs an active bug bounty program to continuously test its security controls.”

Zillow officials wrote:

We are aware of the recent security report involving a possible attack involving spoofed software packages. After an investigation by our security team, we found no evidence that our systems were compromised or exploited by the disclosed technique. Our team is also taking a number of actions to monitor and defend against any future possible attempts to gain unauthorized access to our systems.

Representatives from npm, meanwhile, wrote: “We’ve provided guidance on how to best protect against these types of substitution attacks in this blog post. We’re committed to keeping npm secure and continuing to improve the security of the ecosystem.”

Amazon representatives didn’t respond to an email seeking comment. A representative for PyPI didn’t immediately have a comment.

The recent hack against network tools provider SolarWinds—which compromised the Texas company’s software build system and used it to distribute malicious updates to 18,000 customers—was a stark reminder of the damage that can result from supply chain attacks. Dependency confusion attacks have the potential to inflict even more damage unless developers take precautionary measures.



Review: Fledging Hubble for iPad brings more ports and protection to your tablet


Hubble is a new combination case and USB-C hub designed for iPad Pro that protects your precious device while equipping it with expansive new connectivity.

Design

Hubble has an extremely unique design, unlike any other hub we’ve tested to date. We’ve seen many covers and cases for iPad Pro, and we’ve seen just as many USB-C hubs designed to expand the iPad’s functionality.

Rare is it to stumble upon a product that combines the two.

Hubble ports for iPad Pro

Your iPad Pro lives inside Hubble, which covers your device’s sides and back in anodized aluminum. The bottom of your iPad, where the USB-C port lives, extends roughly an inch further than it does without Hubble, adding a full array of ports.

With Hubble, your iPad gains:

  • 4K 60Hz HDMI port
  • UHS-I SD card reader
  • UHS-I micro SD card reader
  • USB 3.0 Type-A port
  • 30W USB-C input
  • 5Gbps USB-C data port
  • 3.5mm audio jack
  • Travel switch

Aside from the ports, Hubble also has a replica of Apple’s Smart Folio. It magnetically attaches to the rear of Hubble and protects the front of your iPad.

When your iPad is in use, the cover can be removed or it can be folded behind. Like the original Smart Cover, the Hubble cover can roll up as a grip or prop up the iPad at two different angles. This is just another way Hubble helps you get your work done.

The magnetic attraction holding the cover to the back is exceptionally strong and was very impressive. We were worried connecting it that way would be too weak, but that is clearly not the case.

Cover of Hubble for iPad Pro


Despite Hubble being protective, the left side is only half covered to allow wireless charging of your second-generation Apple Pencil.

There are many other small details to be aware of with Hubble. There are concise cutouts around the device to allow proper access to the camera, microphones, Smart Connector, and speakers. Even the Apple logo is prominently displayed.

Port labels on Hubble for iPad Pro


Hubble secures itself around your iPad via a pair of clips located on either side of your new ports. These clips are one of the few things we dislike about Hubble.

They are very tight, which is great for security, but will require some sort of tool to pry free. A small screwdriver or other leverage will be needed for the task.

It’s unnecessarily annoying to do, especially if you are trying to take Hubble off quickly. We wish there were a less problematic method of securing the hub.

Being productive with Hubble

Hubble has been attached to our 11-inch 2020 iPad Pro for some time and also fits the 2020 iPad Air. We typically work on the larger iPad Pro, but we tested an engineering sample from Fledging and the 12.9-inch version wasn’t yet available.

It’s come in handy time and time again when we had to connect flash drives and other peripherals to our tablet. The Files app on iPad has made working between machines easier than ever, especially with integrated USB-C and USB-A ports.

A surprising benefit also came by way of the overhanging hub. Normal hubs are very susceptible to getting knocked free and certainly can’t handle any degree of pressure being put on the side.

Since Hubble wraps around the sides and the back, it is more than secure. It also creates an easy-to-grip handle for your iPad.

We walked around with our iPad with a secure grip on Hubble that didn’t end with our fingers covering the screen. It was even great for reading.

Hubble for iPad Pro

All the ports on Hubble worked as expected, with the charging port successfully recharging our iPad, and the USB ports worked for peripherals. It is a little burdensome that each USB-C port is specific for charging or data but not both, but this could be a limitation stemming from USB itself.

Another issue we have with Hubble is the travel switch, basically a kill switch that completely disables the hub when not in use. If you leave the hub on, it will slowly drain power from your iPad, leaving you with less battery capacity than you expected.

No one wants to flip a switch each time they use it, and it’s a shame that Hubble has enough phantom power draw to make this an issue.

We understand that this phantom power draw can happen with any USB-C hub, but since this can’t easily be removed, it is easy to forget to flip the switch and wind up with a low battery issue.

Should you buy Hubble?

Hubble is a great addition to the iPad for those that need it. If you aren’t using the extra ports regularly, investing in Hubble makes less sense.

Camera cutout on Hubble for iPad Pro


The added ports offer much-expanded functionality for us, and as we regularly connect storage, microphones, and card readers, it comes in handy. But it did add extra bulk and became a bit annoying when we took it on the go.

We couldn’t remove it easily, so we were just stuck with extra ports despite the fact we didn’t need them at that time.

As with most accessories, they are tailored to the workflow, and power users will love what Hubble has to offer. Others, perhaps not as much.

Pros

  • Integrated case and cover
  • Cover can double as a stand
  • Off switch prevents phantom power draw when not in use
  • Adds additional grip to hold tablet
  • Several new ports

Cons

  • Can’t remove without tool
  • Top two corners are slightly sharp
  • Drains iPad battery if not turned off

Rating: 3.5 out of 5

Where to buy

Find the Hubble from Fledging starting at $99 for the iPad Air and 11-inch iPad Pro models and $109 for the 12.9-inch iPad Pro model.



Global Live Event Video Streaming Software & Services Market 2020 Key Drivers and Restraints, Regional Outlook, End-User Applicants by 2025 – KSU


The research study on Global Live Event Video Streaming Software & Services Market 2020 by Manufacturers, Countries, Type and Application, Forecast to 2025 brings to light the excellent research on the market overview. The report offers a primary focus on influential factors in the global Live Event Video Streaming Software & Services industry. The report includes insightful information about pricing, cost, value, capacity, gross revenue, and profit margins with reference to historical analysis and forecast estimation for the 2020 to 2025 time period. It presents a close overview of the market’s major drivers, restraints, challenges, opportunities and current market trends, the supply chain and share market, and strategies impacting the global market along with estimates and forecast of revenue and share analysis.

The report firstly contains a broad introduction of the global Live Event Video Streaming Software & Services market and then analyses specific segments such as application, regional markets, end-users, value chain structure, and emerging trends. It offers a comprehensive analysis of the global Live Event Video Streaming Software & Services market inclusive of product portfolio, categories, applications, and a comprehensive analysis of the value chain structure. The report studies the dynamics of the market, the changing competition landscape, and the flow of the global supply and consumption.

NOTE: Our report highlights the major issues and hazards that companies might come across due to the unprecedented outbreak of COVID-19.

DOWNLOAD FREE SAMPLE REPORT: https://www.marketsandresearch.biz/sample-request/6215

Trending Factors Influencing the Market Shares:

There are various dynamic features of the business, like client needs and feedback from customers. The report studies them in depth from all dynamic aspects such as industrial structure, application, classification, and definition. The report gives readers an in-depth view, and detailed geographical segmentation within the global market has been covered in this study. The market research report predicts the size of the global Live Event Video Streaming Software & Services market with respect to the information on key merchant revenues, development of the industry by upstream and downstream, industry progress, key companies, along with market segments and application.

The global market competitive scenario and participants detailed profiles: Brightcove, Haivision, IBM Cloud Video, Ooyala, VBrick, Qumu Corporation, Kaltura, Contus, Sonic Foundry, Panopto, Wowza Media Systems, Kollective Technology, Verizon Digital Media Services, DaCast, JW Player Live, Livestream (Vimeo), Muvi, StreamShark.

The most important types of products covered in this report are: PC-based, Mobile Apps.

The most widely used downstream fields of market covered in this report are: News, Sports, Concerts, Corporate, Government, Others.

Each geographic segment of the global Live Event Video Streaming Software & Services market has been independently surveyed along with pricing, distribution, and demand data for geographic market notably: North America (United States, Canada and Mexico), Europe (Germany, France, UK, Russia and Italy), Asia-Pacific (China, Japan, Korea, India and Southeast Asia), South America (Brazil, Argentina, Colombia etc.), Middle East and Africa (Saudi Arabia, UAE, Egypt, Nigeria and South Africa)

ACCESS FULL REPORT: https://www.marketsandresearch.biz/report/6215/global-live-event-video-streaming-software-services-market-2020-by-manufacturers-countries-type-and-application-forecast-to-2025

Regional Profile:

The report delves into crucial assessments and substantial market-specific deductions that are deployed to ensure remarkable growth progression despite rigid competition and market volatility. Regional assessment of the global Live Event Video Streaming Software & Services market reveals untapped opportunities in regional and domestic marketplaces. Here, the size and CAGR of the regional markets are also provided.

Customization of the Report:

This report can be customized to meet the client’s requirements. Please connect with our sales team ([email protected]), who will ensure that you get a report that suits your needs. You can also get in touch with our executives on +1-201-465-4211 to share your research requirements.

Contact Us
Mark Stone
Head of Business Development
Phone: +1-201-465-4211
Email: [email protected]
Web: www.marketsandresearch.biz



Tens of thousands of US organizations hit in ongoing Microsoft Exchange hack



Tens of thousands of US-based organizations are running Microsoft Exchange servers that have been backdoored by threat actors who are stealing administrator passwords and exploiting critical vulnerabilities in the email and calendaring application, it was widely reported. Microsoft issued emergency patches on Tuesday, but they do nothing to disinfect systems that are already compromised.

KrebsOnSecurity was the first to report the mass hack. Citing multiple unnamed people, reporter Brian Krebs put the number of compromised US organizations at least 30,000. Worldwide, Krebs said there were at least 100,000 hacked organizations. Other news outlets, also citing unnamed sources, quickly followed with posts reporting the hack had hit tens of thousands of organizations in the US.

Assume compromise

“This is the real deal,” Chris Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, said on Twitter, referring to the attacks on on-premises Exchange servers, whose webmail interface is known as Outlook Web Access (OWA). “If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03.” His comments accompanied a Tweet on Thursday from Jake Sullivan, the White House national security advisor to President Biden.

Hafnium has company

Microsoft on Tuesday said on-premises Exchange servers were being hacked in “limited targeted attacks” by a China-based hacking group the software maker is calling Hafnium. Following Friday’s post from Brian Krebs, Microsoft updated its post to say that it was seeing “increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM.”

Katie Nickels, director of intelligence at security firm Red Canary, told Ars that her team has found Exchange servers that were compromised by hackers using tactics, techniques, and procedures that are distinctly different than those used by the Hafnium group Microsoft named. She said Red Canary has counted five “clusters that look differently from each other, [though] telling if the people behind those are different or not is really challenging and unclear right now.”

On Twitter, Red Canary said that some of the compromised Exchange servers the company has tracked ran malware that fellow security firm Carbon Black analyzed in 2019. The malware was part of an attack that installed cryptomining software called DLTminer. It’s unlikely Hafnium would install a payload like that.

Microsoft said that Hafnium is a skilled hacking group from China that focuses primarily on stealing data from US-based infectious disease researchers, law firms, higher-education institutions, defense contractors, policy think tanks, and nongovernmental organizations. The group, Microsoft said, was hacking servers by either exploiting the recently fixed zeroday vulnerabilities or by using compromised administrator credentials.

It’s not clear what percentage of infected servers are the work of Hafnium. Microsoft on Tuesday warned that the ease of exploiting the vulnerabilities made it likely other hack groups would soon join Hafnium. If ransomware groups aren’t yet among the clusters compromising servers, it’s almost inevitable that they soon will be.

Backdooring servers

Brian Krebs and others reported that tens of thousands of Exchange servers had been compromised with a webshell, which hackers install once they’ve gained access to a server. The software allows attackers to enter administrative commands through a terminal window that’s accessed through a web browser.

Researchers have been careful to note that simply installing the patches Microsoft issued in Tuesday’s emergency release would do nothing to disinfect servers that have already been backdoored. The webshells and any other malicious software that have been installed will persist until they are actively removed, ideally by completely rebuilding the server.

People who administer Exchange servers in their networks should drop whatever they’re doing right now and carefully inspect their machines for signs of compromise. Microsoft has listed indicators of compromise here. Admins can also use this script from Microsoft to test if their environments are affected.

This week’s escalation of Exchange server hacks comes three months after security professionals uncovered the hack of at least nine federal agencies and about 100 companies. The primary vector for infections was through software updates from network tools maker SolarWinds. The mass hack was one of—if not the—worst computer intrusions in US history. It’s possible the Exchange Server hack will soon claim that distinction.

There’s still much that remains unknown. For now, people would do well to follow Chris Krebs’ advice to assume on-premises servers are compromised and act accordingly.





iPhone 11 reunited with owner after spending 6 months in a lake


A diver has recovered an iPhone 11 from the bottom of a lake in British Columbia, one that managed to survive submerged for almost 6 months.

Chilliwack free divers Clayton Helkenberg and wife Heather have a hobby of diving to the bottom of lakes to find lost items and clear rubbish. In a video released on Thursday, he revealed he had discovered an iPhone at the bottom of Harrison Lake.

On exploring the lake bed, Heather noticed the iPhone amongst sediment, while Clayton found a flip phone, reports CBC. While Clayton’s find was severely damaged, Heather’s iPhone discovery was in far better condition.

“I took it home, cleaned the dirt off of it, and it just turned right on, so it was pretty amazing,” said Clayton. Aside from a broken microphone and speaker issues, the iPhone emerged largely unscathed from the ordeal.

After ejecting the SIM and putting it into another device to contact the original owner, it was returned to Vancouver resident Fatemeh Ghodsi. The iPhone was reportedly dropped during a boat ride in September, and contained photos of Ghodsi just before the drop.

“I was in a situation where I kind of lost balance and dropped it in the water,” said Ghodsi. Staff members at the park told her it was impossible to find the iPhone in the water, forcing Ghodsi to leave empty-handed.

Ghodsi later replaced the iPhone with another mobile device.

On receiving a text from her old number, the iPhone’s owner thought it was friends pranking her, but was later convinced to visit Chilliwack to retrieve her smartphone.

“I was in complete shock, initially to start with,” she continued. “It was kind of like a zombie phone coming back to me, because I’d totally made peace with it being gone.”

The water-resistance of iPhones has led to numerous other reports over the years, where iPhones are dropped into bodies of water then retrieved at a later time.

In February 2020, Disney officials returned an iPhone to its owner, after scuba divers picked it up from the Seven Seas Lagoon two months after it was dropped. One year later in February 2021, a man jumped into Victoria Inner Harbour in British Columbia to retrieve his iPhone XS from the freezing water.



Cloud leaks plagued thousands of mobile apps


Although security breaches in mobile applications have unfortunately become commonplace, there is another way for hackers to steal data: going directly to the poorly configured cloud servers that these applications use for hosting.

This is a warning to all developers: it is imperative that they check the configuration of the cloud services their application uses to store user data. Zimperium security researchers have identified thousands of applications that expose sensitive information from their cloud storage.

14% of apps were affected

Of the 1.3 million mobile applications analyzed by Zimperium, approximately 12,000 Android apps and more than 6,500 iOS apps used Amazon, Microsoft, or Google cloud servers that were incorrectly configured. This represents 14% of cloud-based apps, each of which can therefore pose a serious security risk.

Although Zimperium has not observed these poor configurations being exploited by hackers, such bad practices can cause serious problems such as theft of confidential data, or even access to publishers’ infrastructure. The researchers cite the financial app of a large company as an example: if exploited, the flaws could allow users to access banking information.

Cloud hosting providers have data protection systems, but these are insufficient if the developer does not take the necessary precautions. Zimperium has contacted many publishers to correct the problem, but it is impossible to warn every developer.



SpaceX Starlink factory in Texas will speed up production of Dishy McFlatface


The SpaceX Starlink satellite dish partway through a teardown, with the back panel taken off.

SpaceX says it is building a factory in Austin, Texas, to design systems that will help make satellite dishes, Wi-Fi routers, and other equipment for its Starlink satellite broadband network. The news comes from a job posting for an automation and controls engineer position flagged in a story Tuesday by local news channel KXAN.

“To keep up with global demand, SpaceX is breaking ground on a new, state of the art manufacturing facility in Austin, TX,” the job posting said. “The Automation & Controls Engineer will play a key role as we strive to manufacture millions of consumer facing devices that we ship directly to customers (Starlink dishes, Wi-Fi routers, mounting hardware, etc).”

The factory apparently won’t make the dishes and routers on site but will instead design systems that improve the manufacturing process. “Specifically, they will design and develop control systems and software for production line machinery—ultimately tackling the toughest mechanical, software, and electrical challenges that come with high-volume manufacturing, all while maintaining a focus on flexibility, reliability, maintainability, and ease of use,” the job posting said.

Starlink is in beta and is serving over 10,000 customers, and it has asked the Federal Communications Commission for permission to deploy up to 5 million user terminals in the US. SpaceX calls this piece of hardware “Dishy McFlatface,” and it receives transmissions from SpaceX’s low-Earth orbit satellites. See our article about a Dishy McFlatface teardown for more details on the hardware’s inner portions, and this article for more pictures of the dish in its fully intact state.

Starlink has been charging $99 per month plus a one-time fee of $499 for the user terminal, mounting tripod, and router. Starlink recently began taking preorders for service that would become available in the second half of 2021.

Shipping to 25 countries this year

The new job posting said the successful applicant will work in Austin but spend up to 25 percent of the time at SpaceX headquarters in Los Angeles “until [the] Austin facility is fully established.” The new engineer will make an impact on Starlink’s ability to ship hardware this year. The person will “set, implement, and maintain schedules and budgets to ensure project completion as we strive to ship to 25+ countries by the end of the year,” the job posting said.

The engineer will be expected to “design, develop, and manage automation and controls projects to manufacture consumer electronics that are easy for humans around the world to use, but are technically very sophisticated—this includes initial factory ideation, on-line commissioning and proof of rate capability, and eventual hand-off to operational teams.” The engineer will also “spearhead facility bring up and initial equipment conceptual development by carefully balancing product specifications, process requirements, layout complexity, cost, and lead-time limits,” the job posting said.

We asked SpaceX for more detail on plans for the Austin facility and when it will open, and on where exactly the dishes and routers will be manufactured. We’ll update this article if we get an answer.

The new SpaceX factory would be near Tesla’s planned car factory in Austin. SpaceX founder and CEO Elon Musk is also the CEO of Tesla.



Deals: Apple Magic Keyboard for 12.9-inch iPad Pro falls to record low $250 ($100 off)


After slashing the price of the 11-inch version, Amazon has now dropped Apple’s Magic Keyboard for the 12.9-inch iPad Pro to a record low $249.99. Save $100 while supplies last.

Magic Keyboard blowout sale

The $249.99 price is thanks to a $20 instant rebate paired with a $79.01 in-cart discount, bringing the total savings to $100 off.

The same $100 discount also applies to the Magic Keyboard for Apple’s current 11-inch iPad Pro, which at $199 is also a record low price.

Both deals are in stock at press time, with free expedited shipping for Prime members. Apple iPads are also reduced, with the cheapest iPad prices at your fingertips in the AppleInsider Price Guide.


Additional deals on Apple hardware

AppleInsider and Apple Authorized Resellers are also running additional exclusive promotions on other Apple hardware that will not only deliver the lowest prices on many of the items, but also throw in bonus savings on AppleCare, peripherals and more. Here’s a sampling of the offers:



Smartphones Launched This Week, Flipkart Voice Search, OnePlus 9 Launch, And More


In case you missed them, here are the biggest developments from the world of technology from the week ending March 5.

March 06, 2021 / 12:15 PM IST

Vivo has announced the Vision Plus initiative for India. With Vision Plus, it hopes to build a visual content ecosystem by working together with content creators, researching educational applications and promoting cultural exchanges. The strategy stands on four pillars: a mobile photography academy, mobile photography awards, masterclasses with top photographers and a federation of like-minded photography enthusiasts. Vivo says it will announce more about each of the pillars in the future.

Flipkart has dropped a voice search on its platform that will allow customers to search for products by speaking in English or Hindi. According to the e-commerce giant, the feature will enable faster onboarding of customers from smaller towns and simplify their experience. Flipkart said that consumers who are new to the internet require assistance in searching for products and the voice search feature will address the requirement. More details here.

The desktop app for WhatsApp has received a massive update on both PC and Mac. You can now make voice and video calls on your desktop. The desktop calls also have the same end-to-end encryption for extra security. More details here.

AMD is taking the fight to Nvidia with the recent launch of the new Radeon RX 6700 XT. The RX 6700 XT follows the launch of the Radeon RX 6800 and 6800 XT. The card is aimed at delivering smooth 1440p gameplay and will take on the likes of the Nvidia RTX 3060 Ti and RTX 3070. More details here.

Xiaomi has launched the new Redmi Note 10 series in India. Three new phones have been added to the portfolio of the Redmi Note series: the Redmi Note 10 Pro Max, Redmi Note 10 Pro and the Redmi Note 10. Click here to check Redmi Note 10 series price and specifications.

Realme just dropped its first Snapdragon 888-powered smartphone in China. The Realme GT is a flagship 5G phone with a high-refresh-rate display, power-packed performance, a triple-camera setup, and super-fast charging. It is also the first Realme handset to run Android 11-based Realme UI 2.0. Click here to check the Realme GT price and specifications.

Over-the-top content platform Netflix has launched a new feed with short funny video clips called 'First Laughs' for its mobile app. The feature also allows users not only to watch but also to react to and share the short clips with other users. Click here for more details.

Instagram has announced Live Rooms to "double up" the live broadcast, meaning that the photo and video social network will now allow users to go live with three other users. Previously, the platform enabled only two people to go live in a stream. Click here to check more details.

OnePlus 9 launch is around the corner. The company is expected to host the OnePlus 9 series launch event in March. OnePlus has officially teased the launch of its upcoming flagship. The latest teaser on the company’s website suggests that an announcement related to the OnePlus 9 series will be made on March 8.





Bitflips when PCs try to reach windows.com: What could possibly go wrong?


Stock photo of ones and zeros displayed across a computer screen.

Bitflips are events that cause individual bits stored in an electronic device to flip, turning a 0 to a 1 or vice versa. Cosmic radiation and fluctuations in power or temperature are the most common naturally occurring causes. Research from 2010 estimated that a computer with 4GB of commodity RAM has a 96 percent chance of experiencing a bitflip within three days.

An independent researcher recently demonstrated how bitflips can come back to bite Windows users when their PCs reach out to Microsoft’s windows.com domain. Windows devices do this regularly to perform actions like making sure the time shown in the computer clock is accurate, connecting to Microsoft’s cloud-based services, and recovering from crashes.

Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that were one bitflip away from windows.com. He provided the following to help readers understand how these flips can cause the domain to change to whndows.com:

01110111 01101001 01101110 01100100 01101111 01110111 01110011
w i n d o w s
01110111 01101000 01101110 01100100 01101111 01110111 01110011
w h n d o w s

Of the 32 bit-flipped values that were valid domain names, Remy found that 14 of them were still available for purchase. This was surprising because Microsoft and other companies normally buy these types of one-off domains to protect customers against phishing attacks. He bought them for $126 and set out to see what would happen. The domains were:

  • windnws.com
  • windo7s.com
  • windkws.com
  • windmws.com
  • winlows.com
  • windgws.com
  • wildows.com
  • wintows.com
  • wijdows.com
  • wiodows.com
  • wifdows.com
  • whndows.com
  • wkndows.com
  • wmndows.com
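The binary comparison above and the "32 valid names, 14 unregistered" count both come from the same mechanical procedure: take each character of the label, flip one of its bits, and keep the result only if it is still a legal hostname character. The following is an added example in Python, written for this page and not Remy's code. It assumes (the article does not spell this out) that a flip of bit 7 is discarded because it leaves 7-bit ASCII, that a flip of bit 5 on a letter is discarded because it only changes case and DNS is case-insensitive, that the remaining character must be in [a-z0-9-], and that a label may not begin or end with a hyphen. Under those assumptions the enumeration for "windows" yields exactly 32 labels, and the 14 domains listed above are all among them; the list of 14 is copied from the page, not generated.

```python
"""Single-bit-flip ("bitsquat") enumeration for a DNS label.

Added example, not Remy's code. Assumptions not stated on the page:
  - bit 7 flips are skipped (they leave 7-bit ASCII);
  - a flip that only changes case is skipped (DNS is case-insensitive);
  - the flipped character must stay in the hostname alphabet [a-z0-9-];
  - a label may not begin or end with '-'.
"""
from __future__ import annotations

import string

LABEL_CHARS = frozenset(string.ascii_lowercase + string.digits + "-")


def render_bits(label: str) -> str:
    """Space-separated 8-bit binary for each character, as shown in the article."""
    return " ".join(format(ord(ch), "08b") for ch in label)


def bit_diff(a: str, b: str) -> list[tuple[int, int]]:
    """(character index, bit index) pairs at which two equal-length labels differ.
    Bit 0 is the least significant bit of the character's byte."""
    if len(a) != len(b):
        raise ValueError("labels must have equal length")
    return [
        (i, bit)
        for i, (x, y) in enumerate(zip(a, b))
        for bit in range(8)
        if (ord(x) ^ ord(y)) & (1 << bit)
    ]


def bit_flips(label: str) -> set[str]:
    """Every distinct hostname label reachable from `label` by flipping exactly
    one bit of exactly one character."""
    label = label.lower()
    found: set[str] = set()
    for i, ch in enumerate(label):
        for bit in range(7):                  # bit 7 would leave ASCII; skip it
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in LABEL_CHARS:    # also drops the case-only flip (bit 5)
                continue
            candidate = label[:i] + flipped + label[i + 1:]
            if candidate[0] == "-" or candidate[-1] == "-":
                continue                      # not a valid hostname label
            found.add(candidate)
    return found


def bitsquat_domains(fqdn: str) -> set[str]:
    """Single-bit neighbours of the label just before the TLD, e.g.
    'windows.com' -> {'whndows.com', 'windo7s.com', ...}.
    Multi-label public suffixes such as co.uk are not special-cased."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError("need at least a second-level label and a TLD")
    sld, tld = labels[-2], labels[-1]
    return {f"{cand}.{tld}" for cand in bit_flips(sld)}


# The 14 names the article says were still unregistered (copied from the page).
PURCHASED = {
    "windnws.com", "windo7s.com", "windkws.com", "windmws.com", "winlows.com",
    "windgws.com", "wildows.com", "wintows.com", "wijdows.com", "wiodows.com",
    "wifdows.com", "whndows.com", "wkndows.com", "wmndows.com",
}


if __name__ == "__main__":
    neighbours = bitsquat_domains("windows.com")
    print(len(neighbours), "single-bit neighbours of windows.com")       # 32
    print("all 14 purchased names are neighbours:", PURCHASED <= neighbours)
    print(render_bits("windows"))
    print(render_bits("whndows"))
    print("windows -> whndows differs at", bit_diff("windows", "whndows"))  # [(1, 0)]
```

Two details worth noticing when running it: "wind0ws.com" is not in the result, because 'o' (0x6F) and '0' (0x30) differ in four bits, so a lookalike that a typosquatter would register is not a bitsquat at all; and a flip of bit 6 in 'n' gives '.', which would turn "windows" into "wi.dows" and is rejected here as a label character even though it would also change which name gets queried.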

No inherent verification

Over the course of two weeks, Remy's server received 199,180 connections from 626 unique IP addresses, all of them NTP requests that should have gone to ntp.windows.com. By default, Windows machines contact this host once a week to check that the device clock is correct. What the researcher found next was even more surprising.

“The NTP client for windows OS has no inherent verification of authenticity, so there is nothing stopping a malicious person from telling all these computers that it’s after 03:14:07 on Tuesday, 19 January 2038 and wreaking unknown havoc as the memory storing the signed 32-bit integer for time overflows,” he wrote in a post summarizing his findings. “As it turns out though, for ~30% of these computers doing that would make little to no difference at all to those users because their clock is already broken.”

The researcher also observed machines trying to reach other windows.com hostnames and URLs, including sg2p.w.s.windows.com, client.wns.windows.com, skydrive.wns.windows.com, and the pages windows.com/stopcode and windows.com/?fbclid.

Remy said that not all of the domain mismatches were the result of bitflips. In some cases, the mismatches were caused by typos by the people behind the keyboard, and in at least one case that keyboard was on an Android device, whose user was apparently looking up a blue-screen-of-death crash that had occurred on a Windows machine.

To capture the traffic devices sent to the mismatched domains, Remy rented a virtual private server and created wildcard DNS records for each domain pointing at it. A wildcard record lets every subdomain of the same domain, say ntp.whndows.com, abs.xyz.whndows.com, or client.wns.whndows.com, resolve to the same IP address without a record for each name.

“Due to the nature of this research dealing with bits being flipped, this allows me to capture any DNS lookup for a subdomain of windows.com where multiple bits have flipped.”

Remy said he's willing to transfer the 14 domains to a "verifiably responsible party." In the meantime, he will simply sinkhole them, meaning he will hold on to the domains and configure their DNS records so that the names resolve to nothing reachable.

“Hopefully, this spawns more research”

I asked Microsoft representatives if they’re aware of the findings and the offer to transfer the domains. The representatives are working on getting a response. Readers should remember, though, that the threats the research identifies aren’t limited to Windows.

In a 2019 presentation at the Kaspersky Security Analysts Summit, for instance, researchers from security firm Bishop Fox obtained some eye-opening results after registering hundreds of bitflipped variations of skype.com, symantec.com, and other widely visited sites.

Remy said the findings are important because they suggest that bitflip-induced domain mismatches occur at a scale that’s higher than many people realized.

“Prior research primarily dealt with HTTP/HTTPS, but my research shows that, even with a small handful of bitsquatted domains, you can still siphon up ill-destined traffic from other default network protocols that are constantly running, such as NTP,” Remy said in a direct message. “Hopefully, this spawns more research into this area as it relates to the threat model of default OS services.”

Update: Lots of commenters have pointed out that there’s no way to be certain the visits to his domain were the result of bit flips. Typos may also be the cause. Either way, the threat posed to end users remains the same.

Update 2: The Microsoft representatives didn’t answer my questions, but they did say: “We’re aware of industry-wide social engineering techniques that could be used to direct some customers to a malicious website.”