Microsoft OneDrive gets a more secure Personal Vault, plus additional storage options

The Microsoft logo displayed at Microsoft's booth at a trade show.

Enlarge / Microsoft at a trade show. (credit: Getty Images | Justin Sullivan)

Microsoft is launching a new layer of security for users of its OneDrive cloud storage service. OneDrive Personal Vault is a new section of your storage that's accessed through two-step verification, or a "strong authentication method," although Microsoft didn't define the latter term.

Microsoft notes that fingerprinting, face scans, PINs, and one-time codes by email, SMS, or an authenticator app are among the acceptable two-step verification methods. And you’ll automatically get de-authenticated after a period of inactivity—that's the key to Microsoft's special security argument here. Two-factor authentication using text or email is less secure than other options. Using the more heavy-duty face or fingerprint verification will require the appropriate hardware, such as a device with Windows Hello.

It also has options for transferring physical documents to the OneDrive mobile app. You can scan documents or take photos directly into the Personal Vault section without needing to store the file in a less secure part of your device first.

Read 4 remaining paragraphs | Comments

The clever cryptography behind Apple’s “Find My” feature

The 2018 15-inch Apple MacBook Pro with Touch Bar.

Enlarge / The 2018 15-inch Apple MacBook Pro with Touch Bar. (credit: Samuel Axon)

When Apple executive Craig Federighi described a new location-tracking feature for Apple devices at the company's Worldwide Developer Conference keynote on Monday, it sounded—to the sufficiently paranoid, at least—like both a physical security innovation and a potential privacy disaster. But while security experts immediately wondered whether Find My would also offer a new opportunity to track unwitting users, Apple says it built the feature on a unique encryption system carefully designed to prevent exactly that sort of tracking—even by Apple itself.

In upcoming versions of iOS and macOS, the new Find My feature will broadcast Bluetooth signals from Apple devices even when they're offline, allowing nearby Apple devices to relay their location to the cloud. That should help you locate your stolen laptop even when it's sleeping in a thief's bag. And it turns out that Apple's elaborate encryption scheme is also designed not only to prevent interlopers from identifying or tracking an iDevice from its Bluetooth signal, but also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours.

"Now what’s amazing is that this whole interaction is end-to-end encrypted and anonymous," Federighi said at the WWDC keynote. "It uses just tiny bits of data that piggyback on existing network traffic so there’s no need to worry about your battery life, your data usage, or your privacy."

Read 7 remaining paragraphs | Comments

Windows 10 May 2019 Update now rolling out to everyone… slowly

Stylized image of glass skyscrapers under construction.

Enlarge (credit: David Holt / Flickr)

To avoid a replay of the problems faced by the Windows 10 October 2018 Update, version 1809, Microsoft has taken a very measured approach to the release of the May 2019 Update, version 1903, with both a long spell as release candidate and a much less aggressive rollout to Windows Update.

That rollout starts today: while previously one needed to be in the Insider Program (or have a source such as an MSDN subscription) to download and install version 1903, it's now open to everyone through Windows Update.

However, Windows users are unlikely to see the update automatically installed for many months. Initially, only those who explicitly visit Windows Update and click "Check for Updates" will be offered version 1903, and even then, they'll have to explicitly choose to download and install the update. This is part of Microsoft's attempt to make Windows Update less surprising: feature updates are offered separately from regular updates, because feature updates take a long time to install and regular updates don't (or at least, shouldn't). This installation experience requires the use of version 1803 or 1809, and it also requires the most recent monthly patch, which is also released today.

Read 3 remaining paragraphs | Comments

New speculative execution bug leaks data from Intel chips’ internal buffers

First disclosed in January 2018, the Meltdown and Spectre attacks have opened the floodgates, leading to extensive research into the speculative execution hardware found in modern processors, and a number of additional attacks have been published in the months since.

Today sees the publication of a range of closely related flaws named variously RIDL, Fallout, ZombieLoad, or Microarchitectural Data Sampling. The many names are a consequence of the several groups that discovered the different flaws. From the computer science department of Vrije Universiteit Amsterdam and Helmholtz Center for Information Security, we have "Rogue In-Flight Data Load." From a team spanning Graz University of Technology, the University of Michigan, Worcester Polytechnic Institute, and KU Leuven, we have "Fallout." From Graz University of Technology, Worcester Polytechnic Institute, and KU Leuven, we have "ZombieLoad," and from Graz University of Technology, we have "Store-to-Leak Forwarding."

Intel is using the name "Microarchitectural Data Sampling" (MDS), and that's the name that arguably gives the most insight into the problem. The issues were independently discovered by both Intel and the various other groups, with the first notification to the chip company occurring in June last year.

Read 12 remaining paragraphs | Comments