Home Tags Chevrolet

Tag: Chevrolet

Buick’s 2018 Regal GS takes aim at the Audi A5

It has a 310hp V6, clever suspension, and all-wheel drive, starting at under $40k.

Camaro goes nuclear: Chevrolet escalates the muscle car war

Racing-derived dampers, a fist full of aero and a Superman V8.

Waymo and Lyft team up against Uber

In the self-driving world, the enemy of my enemy is my friend.

Performance overkill? The 2017 Chevrolet Camaro ZL1

It uses the engine from the Corvette Z06 for mind-bending performance.

GM, Lyft could deploy “thousands” of autonomous Bolts in 2018

GM won’t sell self-driving cars to individuals, wants to deploy them in fleets.

Chevrolet’s Bolt makes its ride-sharing debut in Los Angeles with Maven

The electric vehicle will be used for car-sharing and be accessible to Lyft drivers, too.

Could we be reaching the end of the road for small-capacity...

Engines designed to meet current tests don't perform the same way in the real world.

Consulting the engineers on what makes the Corvette C7.R such a...

This front-engined American racer has notched up over 100 wins since 1999.

It’s a really good car: Our first 100 miles in a...

It's spacious, stylish, and most important, it drives well.

Unsafe at any clock speed: Linux kernel security needs a rethink

reader comments 69 Share this story The Linux kernel today faces an unprecedented safety crisis. Much like when Ralph Nader famously told the American public that their cars were "unsafe at any speed" back in 1965, numerous security developers told the 2016 Linux Security Summit in Toronto that the operating system needs a total rethink to keep it fit for purpose. No longer the niche concern of years past, Linux today underpins the server farms that run the cloud, more than a billion Android phones, and not to mention the coming tsunami of grossly insecure devices that will be hitched to the Internet of Things.

Today's world runs on Linux, and the security of its kernel is a single point of failure that will affect the safety and well-being of almost every human being on the planet in one way or another. "Cars were designed to run but not to fail," Kees Cook, head of the Linux Kernel Self Protection Project, and a Google employee working on the future of IoT security, said at the summit. "Very comfortable while you're going down the road, but as soon as you crashed, everybody died."
A crash test between a 1959 Chevrolet Bel Air and 2009 Chevrolet Malibu.

The Linux kernel is more like the car on the right. "That's not acceptable anymore," he added, "and in a similar fashion the Linux kernel needs to deal with attacks in a manner where it actually is expecting them and actually handles gracefully in some fashion the fact that it's being attacked." Jeffrey Vander Stoep, a software engineer on the Android security team at Google, echoed Cook’s message: "This kind of hearkens back to last year's keynote speech when [Konstantin “Kai” Ryabitsev] compared computer safety with the car industry years ago. We need more and we need better safety features, and with it in mind this may cause inconvenience for developers, we still need them." For his part, Kai, a senior systems administrator at the Linux Foundation, who was unable to attend this year’s summit, is pleased that this car safety analogy is finding traction. “We approach security today as though we are still living in the world of the 1990s and 2000s, computers in a data centre managed by knowledgeable people,” he told Ars.

But, he pointed out, most computers today—laptops, smartphones, IoT devices—are not managed and secured by IT professionals. “For the cases where computers are not well protected in the hands of end-users who are not IT professionals, and who do not have any recourse to IT professional help, we need to design systems that proactively protect them,” he said. “We have to change the way we approach this dramatically, the same way the vehicle manufacturers in the 1970s did.” This is, however, easier said than done. Killing bug classes, not political dissidents The clear consensus at the Linux Security Summit was that squashing bugs is a losing strategy. Many deployed devices running Linux will never receive security updates, and patching a security hole in the upstream kernel does nothing to ensure the safety of an IoT device that could be in use for a decade and may forever be ignored by the manufacturer. Even devices that do receive patches may see long gaps between public bug discovery and a patch being applied.

Cook gave the example of an Internet-connected door lock that an end-user might well use for 15 years or more.
Such devices are likely to receive sporadic security patches, if at all. Worse, the average lifetime of a critical security bug in the Linux kernel, from introduction during a code commit to public discovery and having a patch issued, averages three years or more.

According to Cook’s analysis, critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery. Red = critical severity bugs; orange = high; blue = medium; and black = low.

The X axis is total number of security bugs; the Y axis shows the kernel version.
So, the height of the bar shows how long that bug was present. Kees Cook "The question I get a lot is 'well isn't this just theoretical?'" he said. "No-one's actually finding these bugs to begin with, so there's no window of opportunity.

And that's demonstrably false.” Nation-state attackers are watching every commit, looking for an opening, he said, and "people are finding these bugs sometimes immediately when they're introduced." He went on: "This seems to be a big thing that people for some reason just can't accept mentally. You know, like 'well I have no open bugs in my bug tracker, everything's fine.'" How, then, can the kernel proactively defend itself against bugs that have not yet been reported—or even implemented? The answer, said Cook, could be a matter of life and death for some people: "If you're a dissident, an activist somewhere in the world, and you're getting spied on, your life is literally at risk because of these bugs.

As we move forward, we need devices that can protect themselves." A closer look at the lifespan of critical- and high-severity security bugs in the upstream Linux kernel. X axis is the number of security bugs; Y axis shows the kernel versions in which each security bug was present. Kees Cook Protecting a world in which critical infrastructure runs Linux—not to mention protecting journalists and political dissidents—begins with protecting the kernel.

The way to do that is to focus on squashing entire classes of bugs, so that a single undiscovered bug would not be exploitable, even on a future device running an ancient kernel. Further, since successful attacks today often require chaining multiple exploits together, finding ways to break the exploit chain is a critical goal. Kernel drivers suck However that's hard to do when the vast majority of kernel bugs come from vendor drivers, not the upstream Linux kernel, Stoep said. "Android does in fact inherit bugs from the upstream kernel," he said, "but our data shows that most of Android's kernel security vulnerabilities live in device drivers." A slide from Stoep's presentation at the Security Summit. Jeffrey Vander Stoep And, he explained, many more are introduced by manufacturers, meaning that securing the Linux kernel against bugs in code over which upstream has no control becomes the challenge. "[Kernel] maintainers say 'bugs you didn't inherit from upstream are not upstream's problem,' but I think the reality is that this is what most Linux systems look like, and it's not limited to Android devices," he said. "Kernel defence will protect both code that comes from upstream as well as out-of-tree vulnerabilities.

That's a really important point." He was quick to add that he was not calling out any particular vendor for poor security practices.

As he put it, to audience chuckles, “they’re really all doing poorly." The bug stops here While the technical challenges the Linux kernel faces in protecting itself against zero-days are “incredibly complex,” Cook said that the politics of submitting patches upstream can be even more challenging. Coming across as a consummate diplomat, both in his talk and in person, he gently chided the buck-passing over how kernel security issues are discovered, fixed, and deployed. "I hear a lot of blame-shifting of where this problem needs to be solved," he told the audience. "Even if upstream says 'oh sure we found that bug, we fixed it,' what kernel version was it fixed in? Did it end up in a stable release? Did a vendor backport it? Did the carrier for the phone take that update from the vendor and push it onto phones?" He went on: "The idea is to build in the protection technologies from the start, so that when a bug comes along, we don't really care." But these mitigations come with trade-offs to performance or maintainability—something that, he hinted, was a continuous struggle to convince upstream kernel maintainers to accept. "Understanding that developing against upstream means you're not writing code for the kernel, you're writing code for the kernel developers," he said. Not just the developers, either.
It's for everyone in the Internet-connected world we now live in. “If we are to start being mindful of this new era of computing,” said Kai, “we have to change the way we approach this dramatically, the same way that vehicle manufacturers in the 1970s did.” J.M. Porup is a freelance cybersecurity reporter who lives in Toronto. When he dies his epitaph will simply read "assume breach." You can find him on Twitter at @toholdaquill. This post originated on Ars Technica UK

Not-so-dynamite: Man proves awful at buying Dark Web explosives

This is the setup Ogborn allegedly received.US Attorney's Office Southern District of Texas reader comments 28 Share this story While Silk Road has long been shuttered, the Dark Web still thrives.
Sites like Alpha Bay have picked up where others have left off, offering a slew of illegal goods ranging from drugs to forged documents. On Monday, federal prosecutors in Houston announced the arrest of a 50-year-old man, Cary Lee Ogborn, who was accused of attempting to purchase explosives “for the purposes of injury or destruction of property.” He could face up to a decade in prison. According to the criminal indictment, the suspect picked up a package last Friday that he believed was a grenade and a stick of dynamite with a wireless detonator. (In fact, it was all inert.) The government claims that Ogborn believed that he had bought the explosives on Alpha Bay for $600 in bitcoins as of earlier this month.
In fact, the criminal complaint states that Ogborn was actually communicating with an undercover federal agent. Prosecutors indicate that it was extremely poor operational security that did Ogborn in. “Don’t want to kill, just send message” According to the complaint, on August 27, Ogborn (under the name “boatmanstv”) wrote to a man who the government refers to as an FBI Online Covert Employee (OCE).

The man was the purported explosives seller and told Ogborn that he did not need a fuse, as he had just purchased some. The OCE said: Ok fuse not the best for you job. we get dynamite no problem you use that instead of gas yes? we send you kit from my country for dynamite with trigger you just place under building and go use preset number you call to ignite. simple you know that how we build it so no mistake. all parts they from EU for that so nobody find anything. the trick is getting explosion hot enough to burn that can be difficult. it important to use the right explosive. is building like a house or different there stuff inside or empty you know? sorry we ask it important to make device work you know. if you rather talk email we do that no problem or this work too. we use email [OCE e-mail address]. we wait to hear about that. Twenty-three minutes later, boatmanstv replied: This com is fine, I use Multi Hop VPN, no worries.

The building like shed or storage, so yes like a house of wood.
I guess I could use 1/4 stick TNT and gas to make sure it burns, or diesel fuel I may use pressure sprayer to wet down the outside of the building Right before I trigger it to help the burn.

Dont know exactly whats inside but person using for apartment. Person will not be there when set off.

Dont want to kill, just send message.

Thanks boatmanstv. Boatmanstv said he would send the bitcoins to the OCE on September 5, which he seemingly did.

Five days later, everything was ready. Sent by OCE Vendor on Sep 10, 2016 at 01:05 hello everything look very nice. We send box that have grenade and a dynamite alarm trigger yes. We send tracking when reship put in box in post. What email we send picture and instruction you know what to expect yes. Sent by boatmanstv Member on Sep 10, 2016 at 06:53 send to darknetstv@outlook. com So when are you shipping and how long to you think it will take to arrive. Later that day, the OCE sent a “toy” with the explosive components stuffed inside—a United States Postal Service tracking number soon followed. Betrayed by a Corvette Although boatmanstv at one point switched to PGP-encrypted e-mail (which he referred to as “ppg”) using “darknetstv@outlook.com” with the OCE, because his recipient was in fact an FBI agent, that didn’t matter.

The OCE provided the mailing address: Randy Smith, PO Box 263515, Houston, TX 77207, United States. Meanwhile, on September 8, the USPS then located records showing that the person who registered this PO Box provided a phone number with an 832 area code.

Those same records showed that this man did so with a Georgia driver’s license and a fake car insurance document but provided a real Houston address. USPS officials also determined that the man who used PO Box 263515 drove a “dark-colored” Chevrolet Corvette. The next day, the FBI dispatched agents to the Houston address, and just two blocks away, they found a boat repair garage marked as “Cary’s Mobile Marine Services.” Inside the garage was a dark Corvette, and painted on the building was nearly the exact same 832 phone number, off by just one digit. As the complaint continues, the FBI then performed an “analysis” on the darknetstv@outlook.com e-mail address—presumably, Microsoft provided some records.

There, authorities found that whoever had access to this account was e-mailing photos of himself to marinatech260@gmail.com.

A quick search of that e-mail address linked it to the Better Business Bureau directory for a firm called “Your Mobile Boat Dr,” for which Ogborn was listed as the owner. That company led authorities back to the same address on Mayfair St. in Houston—for Cary’s Mobile Marine Services. The complaint also suggests that Microsoft and/or the ISP also provided records showing that the “IP address associated with darknetstv@outlook.com” resolves specifically to the specific suite on Mayfair St. for “Your Mobile Boat Doctor.” On September 16, Ogborn went to retrieve the package and took it back to the boat garage. He opened it about three hours later and was arrested approximately 30 minutes after that. As Vocativ pointed out, Ogborn’s opsec leaves something to be desired.
In May 2014, he publicly posted a high-resolution, entirely unredacted picture of his passport and wrote that he intended to move to Belize. Local television station KHOU also reported that Ogborn had previously been arrested for illegal possession of an AR-15 in 2013. After that episode, Ogborn wrote on Facebook: Well everybody, l am back, finally, finally a freed rebel, freed from the likes of confinement, freed from terrible food, freed from only seeing ugly men for 90 days. No more, I have caressed soft boobs and felt the warmth only a woman can give.

Back in the grove. Will holler! Ogborn’s federal public defender, Joshua Lake, did not immediately respond to Ars’ request for comment.

Hack of Automotive Keyless Entry Systems Puts More Than VWs at...

One hundred million Volkswagen vehicles are allegedly at risk after researchers reveal weaknesses in wireless key security.

But those aren't the only vehicles at risk. New research presented at the USENIX security conference this week revealed that there is a critical weakness in vehicles that could enable an attacker to unlock and start a car remotely.

The research was conducted by computer science researchers at the University of Birmingham in the UK."We show that the security of the keyless entry systems of most VW Group vehicles manufactured between 1995 and today relies on a few, global master keys," the research abstract states. "We show that by recovering the cryptographic algorithms and keys from electronic control units, an adversary is able to clone a VW Group remote control and gain unauthorized access to a vehicle by eavesdropping a single signal sent by the original remote."Not only does the paper provide insight into the flaws in Volkswagens, but it also details similar flaws in the Hitag2 mechanism used in Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault and Ford vehicles that enable a rolling code approach for keyless entry."Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles," the paper states. While the impact of vehicle theft is likely in the tens of thousands of dollars per stolen vehicle, the researchers' approach makes use of a $40 device they built using the open-source Arduino micro-controller. The researchers contacted Volkswagen Group in November 2015 and met with the company in February to discuss the findings.

According to the researchers, VW Group acknowledged the vulnerabilities."As mentioned in the paper, we agreed to leave out amongst others the following details: cryptographic keys, part numbers of vulnerable ECUs [electronic control units], and the used programming devices and details about the reverse-engineering process," the researchers stated.Vehicle security experts contacted by eWEEK were not surprised by the new disclosure of widespread issues in VW Group vehicles.

David Barzilai, co-founder of Karamba Security, noted that his company has been seeing similar security issues with multiple brands. Karamba launched its flagship Carwall security platform in June in an effort to help secure vehicles' ECUs."The innovation of the USENIX paper is that it shows that a single brand and its subsidiaries are exposed, with all cars that were sold since 1995, as they all use the same master key," Barzilai told eWEEK.Corey Thuen, senior consultant at IOActive, said the keyless entry risk is in line with IOactive's expectations."We see these types of vulnerabilities being systemic to the auto industry, and this area of vulnerability is the most likely to be exploited by attackers," Thuen told eWEEK. "Unless we're talking about nation states or similar groups, your average hacker is motivated by money, so any vulnerabilities that can be turned into dollars, like this keyless entry attack, are going to be a higher likelihood."In Thuen's view, the real trouble in the auto industry, and in particular with the keyless entry risk, is all about vendor failure to follow security industry best practices.
In this case, Thuen said that proper key infrastructure and management were lacking, with the vendor instead making use of hardcoded information. He added that in IOactive's recently released Commonalities in Vehicle Vulnerabilities report, the issue is documented in detail.Barzilai believes the Karamba Carwall platform could in fact be used to limit the risk of such keyless attacks. He noted that the reported hack on VW was done through reverse-engineering an ECU and obtaining a private key."With Karamba installed, hacking into the ECU and then reverse-engineering it would be detected and prevented as a deviation from factory settings," he said. "Therefore, the attack would have probably been prevented."Barzilai added, "The attack shows that security should be done from a system approach, and the ECU is the attack surface or attack gateway to the car."Security is a very difficult thing to "bolt-on" after the fact, according to Thuen.

A failure to follow security best practices during the design and implementation phases can be very difficult, and often impossible, to remediate afterward."Microsoft, Google, Apple, OWASP and now auto-specific organizations like the Auto-ISAC have learned a lot over the past couple decades, and the auto industry needs to take advantage of that," Thuen said.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.