Technology

Microsoft earlier this week said it had fallen victim to "Strontium," its code name for the Russian hacking group also known as "Fancy Bear," which has been linked to recent attacks on Democratic Party systems.

The group launched a spear phishing attack that targeted vulnerabilities in both the Windows operating system and Adobe Flash, according to Terry Myerson, executive vice president of Microsoft's Windows and Devices Group.

The attack, first identified by Google's Threat Analysis Group, involved two zero-day vulnerabilities in Flash and the down level Windows kernel, he explained. It used the Flash exploit to gain control over browsers, elevate privileges to escape the browser sandbox and install a backdoor to gain access to a user's computer.

Microsoft is working with Google and Adobe on a patch and plans to release the fix by Nov. 8, when the next update is scheduled, Myerson said.

Those who use Microsoft Edge on the Windows 10 Anniversary Update are known to be protected from versions of the attack observed in the wild. Microsoft recommended that users upgrade to Windows 10 and said that those who enable Windows Defender Advanced Threat Protection will be able to detect the attempted attacks.

Google's Disclosure

Google should not have disclosed the vulnerability before the patches were made available, according to Myerson.

"We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure," he said. "Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing and puts customers at increased risk."

Google on Monday revealed the Microsoft and Adobe vulnerabilities, noting that Adobe already had updated Flash to address the flaw. The Adobe patch is available through the Adobe updater and Chrome auto update.

Google, per its policy of seven-day disclosure of actively exploited critical vulnerabilities, reported the remaining critical vulnerability in Windows, noting that it was being exploited in the wild.

The vulnerability was a local privilege escalation that could be used as a security sandbox escape, noted Neel Mehta and Billy Leonard of Google's Threat Analysis Group in an online post. They urged users to make sure that Flash was auto updated, or to manually update if necessary.

They should make sure to apply Windows patches, when available, Mehta and Leonard also wrote.

Election Jitters

The new attacks came at a sensitive time in the United States, with the presidential election less than a week away. Federal and local officials have made a major effort to ensure the public has confidence in the electoral system.

Thus far, 48 states and 36 county and local governments have taken up an offer by the Department of Homeland Security to assist local governments with ensuring that the state and local election systems are protected against cyberattacks, DHS spokesperson Scott McConnell told TechNewsWorld.

The states of Illinois and Arizona were targeted more than a month ago by a suspected Russian hack that impacted 200,000 voters in the Illinois voter registration database.

There is little risk of a foreign hacker impacting the actual outcome of the race, but there are fears that a new round of cyberattacks could impact the level of confidence in the integrity of the system.

"While the actual fallout is hard to predict, it's important to look at the chaos that Russian hackers have allegedly been sowing in the past couple months," said Bryan Burns, vice president of threat research at Proofpoint.

"This group has access to multiple zero-day vulnerabilities, which are always very powerful, as no patches exist," he told TechNewsWorld. "The potential fallout, especially with the election just a week away, is quite concerning."

---

Microsoft last week unveiled its new vision for bringing 3D to the masses through a modernized version of its Paint application for Windows 10. Paint 3D will be available in the Windows 10 Creators Update.

Anyone who would like to start creating and sharing in Paint 3D can do so by joining the Windows Insider Program -- available for PC and Phone -- the company said.

To date, most computer users have been limited to a two-dimensional canvas, even though we live in a multidimensional world, noted Megan Saunders, general manager for the Windows Experience Group.

3D could improve the communication of ideas, and even accelerate comprehension, because objects that are three-dimensional better represent the world, she pointed out. For individuals trained in sophisticated CAD or design programs, 3D Paint thus could be a valuable tool for expression.

Unlike more complicated commercial applications for rendering of 3D images, Paint 3D allows for the creation of fully 3D objects using mouse and keyboard, touchscreen or stylus inputs.

Lowing the Barrier to Entry

Microsoft could face established 3D modeling software tools such as SolidWorks, AutoCAD and Rhino3D as it enters the 3D design space. However, Microsoft Paint for Windows never was a serious competitor to Adobe's Photoshop.

"Like its predecessor versions, Paint 3D is very much an entry-level product," said Charles King, principal analyst at Pund-IT.

"To my mind, its purpose is to familiarize consumers, especially youngsters, with 3D technologies and help them become more comfortable using those tools," he told TechNewsWorld.

"In that sense, it's very much a forward-facing solution with the goal of democratizing and growing demand for 3D technologies organically," King added. "That's more or less opposite from the approaches we've seen other 3D vendors pursue to date."

Better Computing Power

Although Paint 3D can not boast the most advanced tools, it might allow users to do more with ordinary desktop computers and mobile devices.

"What is different is that we are beginning to have the raw computing power to turn the vision into reality," observed Roger Entner, principal analyst at Recon Analytics.

"Essentially, it's a tremendous use of co-processing power -- CPU and GPU -- to deliver real-time, renderable objects as ordinary things," said Roger Kay, principal analyst at Endpoint Technologies Associates.

The field is still in its early stages, but the "enthusiasts and bleeding edge users" who experiment with the new products will "give us a glimpse of what -- in an improved version -- will become commonplace in one or two upgrade cycles," Entner told TechNewsWorld.

Still, "the biggest barrier to past and even many current 3D products is that they fit into the class of 'solutions looking for a problem,'" noted Pund-IT's King.

"For most consumers, 3D printers and the like qualify as overpriced luxury items that gather dust after the first few times they're operated," he pointed out.

Fully 3D Future

Although many products and software solutions proclaim with some justification that the future is now, the future still could be somewhere down the line in the case of 3D.

"Microsoft is right, that 3D will become the expectation at some point," Endpoint Technologies Associates' Kay told TechNewsWorld.

"As far as the particular tool and how many people will adopt it as a regular part of their regimen, it's hard to say," he added.

There could be creative niches that will adopt it deeply -- but not everyone is an artist Kay noted. "It's still early days yet, and a lot of people will check it out and play with it but not adopt it for everyday use."

Use Scenarios

Just as there are levels of graphical design tools -- from InDesign to Photoshop for professionals and enthusiasts to Paint for casual users -- there may be multiple levels for 3D.

"There are certainly industrial use cases for 3D modeling and printing, but those are different classes of devices and users," said Kay.

"Consumer 3D tech will inevitably come down in price, and Microsoft Paint 3D appears to be aiming for that next generation of solutions and customers," he noted. "If the company succeeds, it could help spark significant demand for a wide range of 3D products and applications."

3D design and printing could be just one part of it -- Microsoft could be thinking of how 3D technology could be integrated with other future-tech solutions as well.

The products that will open "the real consumer frontier are VR platforms for consoles," said Recon Analytics' Entner. "As we have no new consoles on the horizon, gamers will spend the $300 on VR for a Sony PlayStation for Christmas instead of a new console. This will drive adoption and drive us forward."

---

Lenovo's recently unveiled 2-in-1, the Yoga Book, is available in Android Marshmallow and Windows 10 Home versions.

Reviews have been mixed, with some praising its look and feel, but some considering its capabilities not up to scratch. Its Intel Atom processor doesn't provide enough power for a workhorse device, they have argued.

The Android version costs US$500 and the Windows version goes for $550.

Inside the Covers

The Yoga Book runs on a quad-core Intel Atom x5-Z8550 with a 2-MB cache that goes up to 2.4 GHz. It has 4 GB of RAM, 64 GB of ROM, and a microSD card with up to 128 GB capacity.

The Atom processor "was a cost-saving measure, because Lenovo hasn't yet shown that its customers will shell out top dollar for a device with a sixth- or seventh-generation Intel processor," said Eric Smith, a senior analyst at Strategy Analytics.

That choice was "not the best move performance-wise," he told TechNewsWorld, but "from the standpoint of testing the market ... very well done."

The Book's 8500 math li-ion polymer battery is rated to provide more than 70 days of standby time and 13 hours of general use.

It has a 10.1-inch FHD IPS 1920 x 1200 capacitive touchscreen with a 70 percent color gamut and brightness rated at 400 nits.

The Windows version runs Any Pen technology, and the Android version runs EMR Pen.

The Book has a metal housing. The Windows version is available in carbon black only; the Android device is available in carbon black, gunmetal gray and champagne gold.

The Book has an 8-MP autofocus rear camera and a 2-MP fixed-focus front camera with standard sensors.

The Windows device comes preloaded with Microsoft Office Mobile: Excel, Powerpoint, Word and OneNote, as well as a trial version of Evernote ArtRage Lite.

The Android version comes with Lenovo's Note Saver, Collection, SHAREit and SYNCit, as well as Google Docs, Google Sheets, Google Slides, McAfee Security, Evernote ArtRage and TouchPal IME.

The Real Pen, which is compatible with both OSes, costs $40.

Early Reactions

The Yoga Book "feels more like a mobile device than a heavy-duty computing machine," wrote Lauren Goode for The Verge.

The Android version makes more sense, but Lenovo is not using the latest version of Android and has put its own skin on top of Marshmallow instead, she noted.

The Windows 10 version "takes several seconds to boot up and apps stuttered or froze up entirely on it more than once" while Goode was testing it.

The Yoga Book "draws the eye like no other tablet or laptop available today," wrote Alex Cranz for Gizmodo.

Still, it "feels ... more like a funky distraction gadget," she continued. "Its Halo keyboard "has a terrible layout" and "is frustrating," with inadequate haptic feedback that has a minor delay, few keyboard shortcuts, and keys spaced "just differently enough for a lot of mistypes."

"There's very little about the design of this Yoga Book that doesn't scream premium," wrote Android Central's Russell Holly. "If you really want Android to run your laptop and don't care that apps are going to misbehave left and right, this is without a doubt the [device] for you." However, the Windows version is "a lot easier to recommend."

Where the Book Fits

The Yoga Book competes with middle-of-the-road Microsoft Surface clones from Asus, Acer, HP and Huawei," said Strategy Analytics' Smith.

It is "very innovative," he added. "Further, people "looking to replace a tablet and/or PC are increasingly giving 2-in-1s a second look."

Some observers were less impressed.

The Yoga Book "is more of a toy than a serious productivity machine," said Michael Jude, a program manager at Stratecast/Frost & Sullivan.

"It doesn't seem to have the power or interfaces to really work on, and its form factor isn't really ergonomic from a work point of view," he told TechNewsWorld.

"If you want a tablet, there are much better ones out there," Jude said. "If you want a laptop ... go buy a laptop." Still, "this thing is just so cute and light that you want it to be useful."

---

Q4OS is a lightweight Linux distro that offers some worthwhile alternatives to more established distros.

Q4OS version 1.6.1 "Orion," released this summer, has as its main claim to fame the developing Trinity desktop. Trinity is a breakaway fork from the KDE 3 community.

I took a detailed first look at this new distro last year, primarily to assess the Trinity desktop. Although it was a version 1 beta release, Trinity showed some potential.

You won't find the Trinity desktop shipping as an option with most Linux distros. Its growth with Q4OS makes the combination a viable alternative if you want a computing system that performs well without the excessive bells and whistles attached to a full-sized KDE environment.

Q4OS is a lightweight, Debian-based distribution that ships with an updated version of the Trinity R14.0.3 stable desktop environment. It is the third maintenance release of the R14 series. It is intended to bring bug fixes to users promptly, while preserving overall stability.

The Q4OS 1.6 release includes a set of new features and fixes. The default desktop look has changed slightly. The most evident changes are in the Q4OS Bourbon start menu and taskbar. Both are more polished and have a few enhancements.

Growing Potential

Q4OS is a Debian-based Linux distribution with a classic-style user interface and simple accessories. The goal is to provide stable APIs for complex third-party applications, such as Google Chrome, VirtualBox and development tools.

Q4OS is fast and runs well on low-powered computers. Its performance ratchets even higher on new computers. It is very well-suited for virtualization and cloud use.

It wraps a classic Linux style around a simplified Trinity desktop design that retains the look of KDE applications while eliminating the layers of customizations associated with KDE's Activities and virtual desktop navigations.

Trinity Overview

Trinity was forked in 2008 from the last official release of the K Desktop Environment's third series (KDE3), version 3.5.10. The Trinity desktop is now a project in its own right. The Trinity community planned on charting an independent path separate from KDE.

Trinity is little more than a KDE environment gone lightweight -- and I mean really lightweight. The Q4OS developers are positioning this new distro for custom development and business flexibility.

Trinity is not yet as flexible and customizable as Xfce or LXLE. This release shows signs of progress, but remember -- Trinity is a lightweight desktop environment by design.

So if you like all of the tweaking and screen animations built into the KDE desktop, you probably will not like the limitations in the Trinity desktop. Trinity lacks desktop applets, for instance. However, Trinity does support panel applets.

The Trinity interface has very little animation and no keyboard shortcuts either. Those two functions are among the very useful adornments available in KDE.

Under the Hood

Q4OS is available in both 64-bit and 32-bit versions. Minimum basic hardware requirements include a 300-MHz Pentium, 128 MB Ram and 3 GB of hard drive space.

This release is available for download, as an installation CD or a Live CD with an included installer. Q4OS 1.6 Orion - 64bit / x64 consumes 281 MB. Q4OS 1.6 Orion - 32bit / i386 takes up 315 MB.

This is a Long Term Support release providing five years of security patches and updates. It will be supported until May 2020.

Q4OS is also available as a Raspberry Pi image. The Q4OS RPI port is a free operating system optimized for the Raspberry Pi family hardware. The Q4OS 1.6 Orion - Raspberry Pi / armhf image takes 339 MB. It runs on a wide variety of hardware equipped with ARM processors, including Chromebooks, tablets, single board computers, embedded devices and more.

One handy utility you should be sure to install is the Look Switcher -- a separate download and installation from within Q4OS that lets you easily switch between classic and modern user interface.

Light on Apps

One of the reasons this lightweight distro comes with a smaller footprint is its lack of installed software. Out of the box, Q4OS leaves you begging for more already-to-use applications.

You get an installer for the Google Chrome browser. KDE's Konqueror browser is installed. The G-Partition Editor is installed. You also get the K editor and the Scientific calculator with a smattering of basic system tools, such as a file manager.

Of course, you can rummage through the Software Center for the meager assortment of available titles. You can install the Synaptic Package Manager from the Software Center and increase your inventory of applications.

Q4OS does provide a few semiautomated installation options. One of these is the Desktop Profiler. This gives you a choice of three installation patterns.

The full featured desktop option installs the default Web browser, office suite and recommended application set. The basic desktop option installs common utilities, system tools and libraries. The third option keeps the minimal installed OS components and allows you to rummage to your heart's content.

Bottom Line

The name of the developers is not publicized on the website, but Q4OS clearly is intended as more than a community-supported general purpose Linux distro. The website also invites businesses to makes use of Q4OS.org's commercial support and software customization services.

The Trinity desktop provides a lightweight KDE environment. The Q4OS platform shows strong potential for business use. It could provide an interesting alternative for consumer home and small business use.

Want to Suggest a Review?

Is there a Linux software application or distro you'd like to suggest for review? Something you love or would like to get to know?

Please email your ideas to me, and I'll consider them for a future Linux Picks and Pans column.

And use the Talkback feature below to add your comments!

---

Google on Monday posted to the Internet a previously unpublicized flaw that could pose a security threat to users of the Microsoft Windows operating system.

Google notified both Microsoft and Adobe of zero day vulnerabilities in their software on Oct. 21, wrote Neel Mehta and Billy Leonard, members of Google's Threat Analysis Group, in an online post.

Google has a policy of making critical vulnerabilities public seven days after it informs a software maker about them. Adobe was able to fix its vulnerability within seven days; Microsoft was not.

"This [Windows] vulnerability is particularly serious because we know it is being actively exploited," wrote Mehta and Leonard.

However, Google's Chrome browser prevents exploitation of the vulnerability when running in Windows 10, they added.

Flaw Not Critical

Microsoft challenged Google's analysis of the Windows flaw in a statement provided to TechNewsWorld by spokesperson Charlotte Heesacker.

"We disagree with Google's characterization of a local elevation of privilege as 'critical' and 'particularly serious,' since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week," Microsoft said.

After cracking a system, hackers typically try to elevate their privileges in it to obtain access to increasingly sensitive data.

"Additionally, our analysis indicates that this specific attack was never effective against the Windows 10 Anniversary Update due to security enhancements previously implemented," Microsoft noted.

The Windows vulnerability Google's team discovered is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape triggered by a win32k.sys call, according to Mehta and Leonard.

The sandbox in Google's Chrome browser blocks win32k.sys calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of the sandbox escape vulnerability, they explained in their post.

Short Deadline

Although Google contrasted Adobe's quick action in patching its zero day vulnerability with Microsoft's inaction, the comparison may be less than fair.

"The time to patch code in Adobe Reader or Flash versus something that integrates into an operating system is considerably different," said Brian Martin, director of vulnerability intelligence at Risk Based Security.

What takes time is not so much changing the code as testing it after it's changed, he explained.

"If Microsoft patches code in one version of Windows, it will likely affect several other versions," Martin told TechNewsWorld.

"Then they have platform issues -- 32-bit and 64-bit -- and then the different versions -- home, professional, server, whatever," he pointed out.

"The amount of time it takes to patch it is one thing," he said. "The amount of time to go through the full QA cycle is another. Seven days is generally considered unrealistic for an operating system."

To Disclose or Not

The short deadline was necessary because it saw the vulnerability being exploited by hackers, Google's team maintained. That logic, though can be a two-edged sword.

"To me, this doesn't ultimately help achieve everyone's goal, which should be keeping consumers and their data safe," said Udi Yavo, CTO of enSilo.

"By disclosing a vulnerability early, without allowing time for a patch, Google opened up the small pool of people who found the vulnerability and knew how to exploit it, to all," he told TechNewsWorld.

However, keeping the vulnerability under wraps at all is questionable, suggested Jim McGregor, principal analyst at Tirias Research.

"Considering how closely the hacker community communicates, seven days may have been too much time," he told TechNewsWorld.

"Google was being a friendly corporate citizen by letting Microsoft know about the vulnerability, but in my mind it would have been more appropriate to make it public knowledge once you see it in the wild," McGregor said.

"A vulnerability can spread though the hacker community in milliseconds," he remarked. "By not making the vulnerability public, the only people who don't know about it are the people who should know about it."

---

What I think is funny in this market is that most people can look at two companies, see the difference in their performance, and not learn the fundamental lesson -- even though it has been repeated over the decades.

Microsoft and Apple are cases in point, because Apple was very successful under the initial founders, then was unsuccessful after the founders left, was successful again when Jobs came back, and now is struggling without him. Microsoft was very successful under Gates, struggled when Gates left, and is successful again now that it is run by someone very much like Gates.

The core magic is this: having someone who is running the company who both understands the technology and understands either the customer's current needs -- or how to manipulate customers to need what you make.

I'll focus on that this time and close with my product of the week, which has to be the amazing Microsoft Surface Studio, which is arguably what Apple should have shipped.

Steve Jobs Was Unique

I get why Apple struggled to find a replacement for Steve Jobs -- not only after he died, but also earlier, after he initially was fired. The guy was unique. After reading a number of books on his life and on his presentation and product secrets, it became clear to me that what made him different was that he both understood technology well enough to direct his firm and understood people well enough to convince us that what we wanted was what he built.

He was absolutely correct in believing that it was stupid to use focus groups as a planning exercise. He understood that people don't know what they want, and that the successful company is the one that can manipulate them into wanting what it builds.

He became CEO of the decade and built the most financially successful firm in the current age -- yet there isn't another firm in the market that even comes close to emulating his model.

Now the reason we don't see this model emulated is that if Steve Jobs were to apply for a job at any tech company today with the resume he had at Apple's beginning, he would not be hired. I think you could say the same of Bill Gates, which really points to what I think is a fundamental problem with the current hiring process.

People who might rise to run a firm like Jobs ran Apple and Gates ran Microsoft can get to the CEO position only if they form their own firms, and right now getting VC money without a degree would be nearly as impossible as getting hired would be.

What I don't get is why firms don't have a process specifically designed to bring in passionate creative types who have high IQs but who didn't do well in schools -- or why schools that specialize in creating CEO types, like Harvard, don't find a better way to find and certify them.

From Jobs vs. Ballmer to Nadella vs. Cook

What also is fascinating is that after Apple's board saw how Jobs stepped all over Steve Ballmer at Microsoft, it went ahead and replaced Jobs with someone more like Ballmer.

Cook and Ballmer are both good managers. They're great with numbers, they're hard workers, and they both love their firms. However, neither has a creative bone in their bodies. They aren't even remotely charismatic, and the only customers they readily identify with are corporate customers, which is particularly problematic for Apple, which doesn't really serve that customer base.

In effect, Nadella is very similar to Gates, and Cook is very similar to Ballmer -- granted, without the famous temper -- and the end result is that Apple has dropped into decline and Microsoft is surging again, albeit with Azure and Web services, which luckily is where the excitement is.

Warring Announcements

It was fascinating to watch the Microsoft and Apple hardware launches last week. The Microsoft launch was focused tightly on creators, Apple's historic core base, while the Apple launch didn't seem to focus on users at all. Apple presented a collection of features that don't seem to be sourced in any clear customer need.

For instance, I've never seen customers ask for a flexible secondary touch screen, particularly when the product lacks a primary touch screen. Also ironic is the fact that folks leaving the Microsoft event lusted after both the new Surface Book and, particularly, the Surface Studio, while those at the Apple event seemed disappointed they'd have to settle.

If I were to go back a decade, the exact opposite would have been true. We'd all have wanted what Jobs presented and wondered if Ballmer missed a meeting.

What makes me sad is that we never got to see what would have happened in a Jobs vs. Nadella matchup, because that would have been amazing. I expect that both men would have driven their opponent to ever higher levels of performance.

Wrapping Up: Lessons Learned

There are several things I take away from this. One is that you need a CEO who has a number of key core skills to be successful. A CEO needs to be knowledgeable enough about the products the company builds to manage the process, as well as connected to the folks who buy the products.

The CEO needs to be able to make intelligent choices with regard to product direction, to be able to pitch the offerings effectively, and to be charismatic enough to develop a following. The CEO must be willing to take large measured risks in order to bring out compelling new products that their competitors have to chase, rather than copying what is out there -- which, sadly, is more the norm.

We need a better way to get folks like Jobs into companies and to fast-track them into becoming CEOs. Otherwise, it may be a really long time before we again have a firm that stands out like Apple once did. Generally, folks like Jobs choose to go into politics, religion or crime... .

Something to think about this week.

Every once in a while, a firm creates a product that I lust for at first sight. That "once in a while" happened last week at the launch of the Microsoft Surface Studio.

The product is designed for creators, and it made me wish I'd followed in the footsteps of my mother, who was a graphics artist. Sadly, I couldn't draw to save my life -- but if I did, having a tool like this would be amazing.

What's amazing are the industrial design and image quality. Had I not known better, I would have thought the image on the screen was a taped-on high resolution picture and not a display. Even an inch away, I couldn't see the pixels. Had someone told me it was an OLED screen and not an LCD screen, I likely would have believed it -- the colors were that deep.

It uses a Bluetooth wheel that can be placed on the screen to reconfigure its functions automatically -- from selecting colors and brushes to controlling volume and screen brightness. I've used wheels like this before, and they are incredibly handy if you are willing to spend the time it takes to learn their functions.

It has only one critical cord in the back, giving you a very clean desktop. The industrial design places most of the electronics in the base, making the result far more stable and far more useful than an iMac. This really is the product Apple should have announced last week.

At just a tad under US$3,000 the Surface Studio isn't a cheap date, but for those who need a tool like this, it is well worth the money. When placed side by side, it makes a now badly aging iMac look so last century.

The Surface Studio is really for a small set of special people: creators, executives, and anyone who wants to fill their Apple friends with embarrassing envy. That last point alone makes it worth the price of admission, so the Microsoft Surface Studio is an ideal choice for my product of the week.

---