Welcome to the Chaos
March 12, 2024

Tech News of The Week 03/12/24 [MTG-31]

Transcript
Announcer:

Welcome to Tech News of the Week with your host, Richard Linklater, on a pogo stick.


Ned:

Welcome to necklaces of the walruses. I used walruses before, but I don't care. This is our tech news of the week podcast where we go over 10 things that we found interesting in the news cycle. I'll go first. AWS drops egress fees for deserters.


Ned:

Bastards, you. Following suit with Google Cloud's announcement from last month, AWS announced in a blog post on March 5th that they will waive egress traffic fees for those who wish to take their data elsewhere. The so-termed data transfer out, or DTO, fees, of course we needed an acronym for that, can be waived by contacting AWS support and requesting that the free rate be applied to your account for a limited amount of time. The blog post notes that, unlike Google Cloud's egress waiver, you are not required to close your AWS account within a certain time period and you're welcome to come back anytime. However, repeated requests to waive the DTO fees for the same account will fall under additional scrutiny to avoid potential abuse.


Ned:

Why are Google and AWS choosing now to waive what must be lucrative egress fees that they typically collect? Why, it's the EU, of course. The European Data Act has gone into effect with provisions that, quote, allow customers to switch seamlessly and eventually free of charge between different cloud providers, end quote. A statement which suggests to cloud providers that charging exorbitant fees for egress data when a customer wants to leave will result in penalties from the EU.


Ned:

I fully expect a similar announcement from Microsoft in the next month or so, and then my data can be free. Free, I say.


Chris:

Free, you say. Cloud provider OPEC, I say. Fair. Apple releases urgent security patch covering 2 0-days. 2.


Chris:

Count them, 2. Apple released an emergency update to their iOS OS version 17.4 on March 5th to patch 2 iPhone 0-days, CVE-2024-23225 and CVE-2024-23296. Got it on the first try. Look at me go. Now 0-days are, of course, known in the industry to be bad, but these are actually probably worse, as Apple notes that they have potentially been exploited in the wild.


Chris:

These vulnerabilities, found in the iOS kernel and something called RTKit, which I should probably know what it means, but I didn't look that up, could allow attackers to bypass kernel memory protections. Fixing this is a huge deal, and you should apply these updates immediately. The update is in addition to the already announced iOS 17.4 security updates, including a new iMessage security protocol called PQ3, enhancing protection against future quantum computing attacks. We didn't talk about these last week primarily because the very idea of quantum computing algorithms makes my brain hurt. Now it is worth noting that Apple is using the same algorithm as Signal for these post-quantum security problems.


Chris:

It is called CRYSTALS-Kyber, and, bonus sub link, Signal wrote a whole blog post about it back in September of 2023. Full disclosure, I read it, sounds great. I don't understand it, I don't wanna talk about it. Where's the Tylenol? Let's move on.


Ned:

HDMI 2.1 on Linux? AMD says no dice. If you picked up an AMD graphics card hoping to fire up a 5K display with your handy copy of Arch Linux, prepare to be disappointed. An open ticket on the AMD forums about open source drivers for HDMI 2.1 received a crushing blow when Alex Deucher, we'll go with Deucher, engineer at AMD, said that their implementation had been rejected by the HDMI Forum. While you might think of HDMI simply as an expensive cable running from your Xbox to your TV, the reality is that HDMI is both a hardware and software standard, one that includes HDCP, or High-bandwidth Digital Content Protection.


Ned:

HDCP is how digital rights holders like studios try to prevent potential pirates from intercepting an HDMI signal and copying its contents. Despite HDCP being mostly cracked, out of date, and basically useless, an implementation of HDMI 2.1 must include it, and this appears to be the sticking point on the HDMI drivers developed by the team at AMD. I guess the HDMI Forum doesn't want an open source implementation of their shitty DRM system waving out in the wind. So for those open source evangelists that want to leverage HDMI to drive their shiny new monitors, it would appear that they are SOL. The good news is that DisplayPort has no such issues and can also drive 5K content.


Ned:

So if you haven't picked up a graphics card yet for your next Linux box, look for one that has DisplayPort on the back. As a fun bonus, the linked Register article notes that DisplayPort cables are way cheaper.


Chris:

Yeah. DisplayPort rocks. It really should have gotten better.


Ned:

Deserved more.


Chris:

Yeah. Yeah. VMware releases emergency patches for sandbox escape vulnerabilities. So which one sounds scarier, sandbox escape or hypervisor escape? Did I steal that joke from Twitter?


Chris:

Yes, I did. Fair. Now, the security conceit of virtual machines is well known. You build a little server, and he floats around in a sea of other little servers. None of those little servers can talk to each other unless you let them.


Chris:

And none of them can talk to the larger sea of resources at all. Well, this week, it turns out that for VMware customers, VMs be talking. This is referred to as a sandbox escape, and VMware announced that, quote, all versions of their hypervisor products were affected by this vulnerability that was just discovered. That's not just one thing because, of course, not. There are 6 CVEs in total ranging from a 7.1 to a 9.3 out of 10 on the severity chart, and it differs slightly depending on the running version of the product, but these cover ESXi, VMware Workstation, VMware Fusion, and VMware Cloud Foundation.


Chris:

The issues were so bad that patches have been released going back as far as vSphere 6. Wow. To their credit, Broadcom's VMware has created these patches for products that are effectively end of support. To their immense shame, you have to have an extended support contract to get them. Oh.


Chris:

And if you're running the free tier ESXi, well, anyway, there is a workaround, and it is to disable the VM's virtual USB controller. You do that, and you're safe from the sandbox escape. Now to be fair, using USB in virtual machines has long been a, quote, not best practice. To be fairer, it's still possible, and we all know sometimes shit happens.


Ned:

Absolutely true. And that was one of the first things that I would remove when creating a template for virtual machine deployment, but not everybody would use my templates. So here we are.


Chris:

Here we is.


Ned:

And we will be. But not next week because I'm on vacation. So see you, suckers. Alright. That's it.


Ned:

We're done. You can go away now. Bye.