• A new attack on GPUs can steal data from web pages as you view them.  (Ars Technica)
  
  This affects all significant GPU manufacturers - not just AMD and Nvidia, but also Intel (including integrated graphics), Apple, ARM, and Qualcomm's Adreno graphics, and impacts Chrome and Chromium-based browsers including Microsoft Edge.
  
  How worried should you be?
  
  Not at all.
  
  In the example provided by the security researchers, visitors to a malicious website that showed Wikipedia in an embedded frame (which Wikipedia allows websites to do) could have their usernames read by the site inside of, well, half an hour.
  
  If they didn't scroll the page at all during that time.
  
  What the hack does is very clever though not very useful, but is a great example of an entire class of tricks called side-channel attacks.
  
  The host website (the malicious one) loads the Wikipedia content, and then starts drawing over it invisibly using SVG filters.  (SVG is scalable vector graphics, a set of drawing operations supported by web browsers.)
  
  Most browsers support hardware acceleration for SVG, and if that is in effect, there is a consistent, measurable - though tiny - difference in the time taken to draw SVG filters depending on what is behind the filter.
  
  So by drawing filters over and over, at slightly different angles and screen locations, you can tell the difference between white background and black text depending on how long the drawing operations over each pixel take on average.
  
  It's statistical, and slow, but it gives you a blurry copy of what is showed on screen in a page that is supposed to be safely sandboxed away from the malicious site.
  
  So after half an hour of busily drawing invisible filters, the host website - knowing where on the page Wikipedia shows the username - has a blurry copy of that tiny section of the page and can OCR it and find out who you are.
  
  Of course, if you scroll the page at all during that half hour, its fun is ruined and all it gets is a jumbled mess.
  
  And what hackers really want is passwords and credit card CVCs, and all that it can get there - even if you leave the page whirring away with the login box open for half an hour - is *******.
  
  But when you see these hacks that leak data at the rate of one bit per minute or something like that, they are doing the digital equivalent of very, very slowly shading in a page on a notepad to get an impression of what was written on the previous page.

• Intel has clarified its clarification: Meteor Lake will be coming to the desktop, but there will only be Meteor Lake laptop CPUs.  (WCCFTech)
  
  No build-your-own, no socketed chips at all.  Only laptop chips in NUCs and all-in-one systems.
  
  
  
• Speaking of Meteor Lake Intel's Ultra 7 165H - which is one - reportedly underwhelms in Geekbench 6.  (Tom's Hardware)
  
  Though actually that's a decent score, so it will come down to price.  AMD's 7745HX beats it on both single and multi-threaded scores, but that's a...  Oh.
  
  The AMD chip has 8 cores; the Intel chip has 16.  And it's slower.
  
  Yeah, underwhelms is right.
  
  
  
• Why don't Americans eat mutton?  (Modern Farmer)
  
  Long story short: WWII field rations.
  
  
  
• OpenAI is raising funds at a valuation of $90 billion.  (Tech Crunch)
  
  Nah.
  
  
  
• The FCC wants to have another shot at enforcing Net Neutrality rules.  (Tech Crunch)
  
  Here we go again.
  
  
  
• Even nine out of ten Ars Technica readers now concedes that the Jodie Whittaker era of Doctor Who was poop.  (Ars Technica)
  
  Most of the blame is laid at the feet of showrunner Chris Chibnall, but I think that is correct.  He also wrote some of the worst episodes in the Matt Smith era.
  
  
  

Posted by: Rick C at Wednesday, September 27 2023 11:52 PM (BMUHC)

Posted by: three-humped camel at Thursday, September 28 2023 03:07 AM (Ncog+)

Posted by: normal at Thursday, September 28 2023 10:45 PM (obo9H)

Hide Comments | Add Comment