Items tagged with: driver
Our discovery of two privilege escalation vulnerabilities in a driver highlights the strength of Microsoft Defender ATP’s sensors. These sensors expose anomalous behavior and give SecOps personnel the…
Article word count: 2094
HN Discussion: https://news.ycombinator.com/item?id=19567399
Posted by trtobe (karma: 165)
Post stats: Points: 158 - Comments: 56 - 2019-04-03T21:27:57Z
#HackerNews #driver #escalation #finds #huawei #microsoft #privilege #vulnerability
With Microsoft continuously improving kernel mitigations and raising the bar for exploiting native kernel components, third-party kernel drivers are becoming a more appealing target for attackers and an important area of research for security analysts. A vulnerability in a signed third-party driver could have a serious impact: it can be abused by attackers to escalate privileges or, more commonly, bypass driver signature enforcement—without the complexity of using a more expensive zero-day kernel exploit in the OS itself.
Computer manufacturers usually ship devices with software and tools that facilitate device management. These software and tools, including drivers, often contain components that run with ring-0 privileges in the kernel. With these components installed by default, each must be as secure as the kernel; even one flawed component could become the Achilles’ heel of the whole kernel security design.
We discovered such a driver while investigating an alert raised by Microsoft Defender Advanced Threat Protection’s kernel sensors. We traced the anomalous behavior to a device management driver developed by Huawei. Digging deeper, we found a lapse in the design that led to a vulnerability that could allow local privilege escalation.
We reported the vulnerability (assigned CVE-2019-5241) to Huawei, who responded and cooperated quickly and professionally. On January 9, 2019, Huawei released a fix: https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190109-01-pcmanager-en.
In this blog post, we’d like to share our journey from investigating one Microsoft Defender ATP alert to discovering a vulnerability, cooperating with the vendor, and protecting customers.
Detecting kernel-initiated code injections with Microsoft Defender ATP
Starting in Windows 10, version 1809, the kernel has been instrumented with new sensors designed to trace User APC code injection initiated by kernel code, providing better visibility into kernel threats like DOUBLEPULSAR. As described in our in-depth analysis, DOUBLEPULSAR is a kernel backdoor used by the WannaCry ransomware to inject the main payload into user-space. DOUBLEPULSAR copied the user payload from the kernel into an executable memory region in lsass.exe and inserted a User APC to a victim thread with NormalRoutine targeting this region.
Figure 1. WannaCry User APC injection technique schematic diagram
While the User APC code injection technique isn’t novel (see Conficker or Valerino’s earliest proof-of-concept), detecting threats running in the kernel is not trivial. Since PatchGuard was introduced, hooking NTOSKRNL is no longer allowed; there’s no documented way drivers could get notification for any of the above operations. Hence, without proper optics, the only sustainable strategy would be applying memory forensics, which can be complicated.
The new set of kernel sensors aims to address this kind of kernel threat. Microsoft Defender ATP leverages these sensors to detect suspicious operations invoked by kernel code that might lead to code injection into user-mode. One such suspicious operation, though not related to WannaCry, DOUBLEPULSAR, or other known kernel threats, triggered this investigation that led to our discovery of a vulnerability.
Investigating an anomalous code injection from the kernel
While monitoring alerts related to kernel-mode attacks, one alert drew our attention:
Figure 2. Microsoft Defender ATP kernel-initiating code injection alert
The alert process tree showed an abnormal memory allocation and execution in the context of services.exe by kernel code. Investigating further, we found that an identical alert was fired on another machine around the same time.
To get a better understanding of the observed anomaly, we looked at the raw signals we got from the kernel sensors. This analysis yielded the following findings:
* A system thread called nt!NtAllocateVirtualMemory to allocate a single page (size = 0x1000) with the PAGE_EXECUTE_READWRITE protection mask in the services.exe address space
* The system thread then called nt!KeInsertQueueApc to queue a User APC to an arbitrary services.exe thread, with NormalRoutine pointing to the beginning of the executable page and NormalContext pointing to offset 0x800
The payload copied from kernel mode is divided into two portions: a shellcode (NormalRoutine) and a parameter block (NormalContext). At this point, the overall behavior looked suspicious enough for us to proceed with the hunting. Our goal was to incriminate the kernel code that triggered the alert.
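The correlation behind the two findings above, as an added example (not code from the original article or from Microsoft Defender ATP): it flags a kernel-queued User APC whose NormalRoutine lands inside a writable and executable region that kernel code allocated in the same process. The event schema and the sample events are constructed for illustration, and NormalContext is read as an address inside the same page.

```python
from dataclasses import dataclass
from typing import Optional

# Windows memory-protection constants that make a page both writable and executable.
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass(frozen=True)
class Finding:
    image: str                     # target process image name
    pid: int                       # target process id
    region_base: int               # base of the kernel-allocated W+X region
    routine_offset: int            # NormalRoutine relative to region_base
    context_offset: Optional[int]  # NormalContext relative to region_base, or None


def correlate(events):
    """Return a Finding for each kernel-queued User APC that targets a W+X
    region previously allocated by kernel code in the same process."""
    regions = {}   # pid -> list of (base, size) still allocated
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["target_pid"]
        if ev["type"] == "free":
            # Forget freed regions so a reused address does not match later.
            regions[pid] = [r for r in regions.get(pid, []) if r[0] != ev["base"]]
            continue
        if ev["initiator"] != "kernel":
            continue   # user-mode initiated operations are out of scope here
        if ev["type"] == "alloc" and ev["protect"] in WRITABLE_EXECUTABLE:
            regions.setdefault(pid, []).append((ev["base"], ev["size"]))
        elif ev["type"] == "user_apc":
            routine, ctx = ev["normal_routine"], ev["normal_context"]
            for base, size in regions.get(pid, []):
                if base <= routine < base + size:
                    inside = base <= ctx < base + size
                    findings.append(Finding(ev["target_image"], pid, base,
                                            routine - base,
                                            ctx - base if inside else None))
                    break
    return findings


# Constructed sample events (hypothetical schema, PIDs and addresses).
SAMPLE_EVENTS = [
    # User-mode RW allocation: ignored.
    {"ts": 1, "type": "alloc", "initiator": "user", "target_pid": 4312,
     "target_image": "notepad.exe", "base": 0x1F0000, "size": 0x2000,
     "protect": 0x04},
    # Kernel code allocates one RWX page in services.exe.
    {"ts": 2, "type": "alloc", "initiator": "kernel", "target_pid": 632,
     "target_image": "services.exe", "base": 0x2A0000, "size": 0x1000,
     "protect": PAGE_EXECUTE_READWRITE},
    # Kernel APC into a process with no tracked region: ignored.
    {"ts": 3, "type": "user_apc", "initiator": "kernel", "target_pid": 4312,
     "target_image": "notepad.exe", "normal_routine": 0x7FFA10002000,
     "normal_context": 0},
    # Kernel APC whose NormalRoutine is the start of the RWX page.
    {"ts": 4, "type": "user_apc", "initiator": "kernel", "target_pid": 632,
     "target_image": "services.exe", "normal_routine": 0x2A0000,
     "normal_context": 0x2A0800},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.image} (pid {f.pid}): APC routine at +{f.routine_offset:#x}, "
              f"context at +{f.context_offset:#x} in region {f.region_base:#x}")
```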
Incriminating the source
In user-mode threats, the caller process context could shed light on the actor and link to other phases in the attack chain. In contrast, with kernel-mode threats, the story is more complicated. The kernel by nature is asynchronous; callbacks might be called in an arbitrary context, making process context meaningless for forensics purposes.
Therefore, we tried to find indirect evidence of third-party code loaded into the kernel. By inspecting the machine timeline, we found that several third-party drivers were loaded earlier that day.
We concluded based on their file path that they are all related to an app from Huawei called PC Manager, device management software for Huawei MateBook laptops. The installer is available on the Huawei website, so we downloaded it for inspection. For each Huawei driver, we used dumpbin.exe to examine imported functions.
And then we had a hit:
Figure 3. dumpbin utility used to detect user APC injection primitives
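The import check described above can be scripted over `dumpbin /imports` output. This added example is not from the original article: the file names, hint values and import listings in the sample are constructed, and the set of routines to look for is an assumption based on the two calls named in the sensor findings.

```python
import re

# Kernel routines treated as User APC injection primitives (assumed set).
APC_PRIMITIVES = {"KeInitializeApc", "KeInsertQueueApc"}
ALLOC_PRIMITIVES = {"ZwAllocateVirtualMemory", "NtAllocateVirtualMemory"}
DYNAMIC_RESOLVER = "MmGetSystemRoutineAddress"

_FILE = re.compile(r"^Dump of file (.+)$")
_MODULE = re.compile(r"^\s+(\S+\.(?:exe|dll|sys))$", re.IGNORECASE)
# "<hex hint> <Name>"; table headers such as "0 time date stamp" do not match.
_IMPORT = re.compile(r"^\s+[0-9A-Fa-f]+\s+([A-Za-z_]\w*)$")


def parse_imports(dumpbin_text):
    """Return {file: {module: set(imported names)}} from dumpbin /imports text."""
    result = {}
    current_file = current_module = None
    for raw in dumpbin_text.splitlines():
        line = raw.rstrip()
        m = _FILE.match(line)
        if m:
            current_file, current_module = m.group(1).strip(), None
            result[current_file] = {}
            continue
        if current_file is None:
            continue
        if line.strip() == "Summary":
            # Section sizes follow ("1000 INIT"); they are not imports.
            current_module = None
            continue
        m = _MODULE.match(line)
        if m:
            current_module = m.group(1).lower()
            result[current_file].setdefault(current_module, set())
            continue
        m = _IMPORT.match(line)
        if m and current_module:
            result[current_file][current_module].add(m.group(1))
    return result


def triage(dumpbin_text):
    """Flag files that import both an APC primitive and a user-memory allocator."""
    report = []
    for path, modules in parse_imports(dumpbin_text).items():
        names = set().union(*modules.values())
        apc = sorted(names & APC_PRIMITIVES)
        alloc = sorted(names & ALLOC_PRIMITIVES)
        report.append({"file": path, "apc": apc, "alloc": alloc,
                       "flagged": bool(apc and alloc),
                       "dynamic_resolution": DYNAMIC_RESOLVER in names})
    return report


# Constructed dumpbin output for two hypothetical drivers.
SAMPLE_DUMPBIN = """\
Dump of file example_hw.sys

File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    ntoskrnl.exe
             140003000 Import Address Table
             140005A10 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                         2F1 IoCreateDevice
                         3A4 IofCompleteRequest
                         5C0 MmGetSystemRoutineAddress

    HAL.dll
             140003100 Import Address Table
             140005B10 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                          4D KeStallExecutionProcessor

  Summary

        1000 INIT
        1000 .data

Dump of file example_watchdog.sys

File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    ntoskrnl.exe
             140004000 Import Address Table
             140006A10 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                         2F1 IoCreateDevice
                         41B KeInitializeApc
                         44E KeInsertQueueApc
                         6B2 PsSetCreateProcessNotifyRoutine
                         9D3 ZwAllocateVirtualMemory

  Summary

        2000 .text
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_DUMPBIN):
        print(row)
```

A driver that resolves these routines at run time through MmGetSystemRoutineAddress does not list them in its import table, which is why the example reports that import separately.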
HwOs2Ec10x64.sys: Unexpected behavior from a driver
Hunting led us to the kernel code that triggered the alert. One would expect that a device management software would perform mostly hardware-related tasks, with the supplied device drivers being the communication layer with the OEM-specific hardware. So why was this driver exhibiting unusual behavior? To answer this question, we reverse-engineered HwOs2Ec10x64.sys.
Our entry point was the function implementing the user APC injection. We found a code path that:
1. allocates RWX page in some target process;
2. resolves CreateProcessW and CloseHandle function pointers in the address space of the target process;
3. copies a code area from the driver as well as what seemed to be a parameter block to the allocated page; and
4. performs User APC injection targeting that page
The parameter block contains both the resolved function pointers as well as a string, which was found to be a command line.
Figure 4. User APC injection code
The APC normal routine is a shellcode which calls CreateProcessW with the given process command line string. This implied that the purpose of the code injection to services.exe is to spawn a child process.
Figure 5. User shellcode performing process creation
Inspecting the xrefs, we noticed that the injection code originated from a create-process notify routine when Create = FALSE. Hence, the trigger was some process termination.
But what command does the shellcode execute? Attaching a kernel debugger and setting a breakpoint on the memcpy_s in charge of copying the parameters from kernel to user-mode revealed the created process: one of Huawei’s installed services, MateBookService.exe, invoked with “/startup” in its command line.
Figure 6. Breakpoint hit on the call to memcpy_s copying shellcode parameters
Why would a valid service be started that way? Inspecting MateBookService.exe!main revealed a “startup mode” that revived the service if it’s stopped – some sort of watchdog mechanism meant to keep the Huawei PC Manager main service running.
Figure 7. MateBookService.exe /startup code path
At this point of the investigation, the only missing piece in the puzzle was making sure the terminated process triggering the injection is indeed MateBookService.exe.
Figure 8. Validating terminated process identity
The code path that decides whether to inject to services.exe uses a global list of watched process names. Hitting a breakpoint in the iteration loop revealed which process was registered: it was MateBookService.exe, as expected, and it was the only process on that list.
Figure 9. Breakpoint hit during process name comparison against global list
HwOs2Ec10x64.sys also provided process protection against external tampering. Any attempt to force MateBookService.exe termination would fail with Access Denied.
Abusing HwOs2Ec10x64.sys process watch mechanism
The next step in our investigation was to determine whether an attacker can tamper with the global watched process list. We came across an IOCTL handler that added an entry to that list. The MateBookService.exe process likely uses this IOCTL to register itself when the service starts. This IOCTL is sent to the driver control device, created from its DriverEntry.
Figure 10. HwOs2Ec10x64.sys control device creation with IoCreateDevice
Since the device object is created with IoCreateDevice, Everyone has RW access to it. Another important observation was that this device isn’t exclusive, hence multiple handles could be opened to it.
Nevertheless, when we tried to open a handle to the device \\.\HwOs2EcX64, it failed with Last Error = 537, “Application verifier has found an error in the current process”. The driver was rejecting our request to open the device. How is access enforced? It must be on the CreateFile path; in other words, in the HwOs2Ec10x64.sys IRP_MJ_CREATE dispatch routine.
Figure 11. IRP_MJ_CREATE dispatch routine
This function validates the calling process by making sure that the main executable path belongs to a whitelist (e.g., C:\Program Files\Huawei\PCManager\MateBookService.exe). This simple check on the initiating process name, however, doesn’t guarantee the integrity of the calling process. An attacker-controlled instance of MateBookService.exe will still be granted access to the device \\.\HwOs2EcX64 and be able to call some of its IRP functions. Then, the attacker-controlled process could abuse this capability to talk with the device to register a watched executable of its own choice. Given the fact that a parent process has full permissions over its children, even code with low privileges might spawn an infected MateBookService.exe and inject code into it. In our proof-of-concept, we used process hollowing.
Figure 12. Procmon utility results showing POC process start/exit & IL
Because watched processes are blindly launched by the watchdog when they’re terminated, the attacker-controlled executable would be invoked as a child of services.exe, running as LocalSystem, hence with elevated privileges.
Figure 13. Procexp utility process-tree view showing LPE_POC running as LocalSystem
Responsible disclosure and protecting customers
Once we had a working POC demonstrating the elevation of privilege from a low-integrity attacker-controlled process, we responsibly reported the bug to Huawei through the Microsoft Security Vulnerability Research (MSVR) program. The vulnerability was assigned CVE-2019-5241. Meanwhile, we kept our customers safe by building a detection mechanism that would raise an alert for any successful privilege escalation exploiting the HwOs2Ec10x64.sys watchdog vulnerability as we described.
Figure 14. Microsoft Defender ATP alerting on the privilege escalation POC code
Abusing a second IOCTL handler
Having been able to freely invoke IOCTL handlers of the driver from user-mode, we looked for other capabilities that can be abused. We found one: the driver provided a capability to map any physical page into user-mode with RW permissions. Invoking this handler allowed code running with low privileges to read-write beyond the process boundaries—to other processes or even to kernel space. This, of course, means a full machine compromise.
We also worked with Huawei to fix this second vulnerability, which was assigned CVE-2019-5242. Huawei addressed the flaw in the same security advisory: https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190109-01-pcmanager-en.
We presented our research at the Blue Hat IL Conference in February.
While the original alert turned out to be benign, in the sense that it didn’t detect an actual kernel threat like DOUBLEPULSAR, it did trigger an investigation that eventually led us to finding vulnerabilities. The two vulnerabilities we discovered in the driver prove the importance of designing software and products with security in mind. Security boundaries must be honored. Attack surface should be minimized as much as possible. In this case, the flaws could have been prevented if certain precautions were taken:
* The device object created by the driver should be created with a DACL granting SYSTEM RW access (since only the vendor’s services were communicating directly with the driver)
* If a service should persist, developers should check that it’s not already provided by the OS before trying to implement a complex mechanism
* User-mode shouldn’t be allowed to perform privileged operations like writing to any physical page; if needed, the driver should do the actual writing for well-defined, hardware-related scenarios
Microsoft’s driver security checklist provides some guidelines for driver developers to help reduce the risk of drivers being compromised.
Our discovery of the driver vulnerabilities also highlights the strength of Microsoft Defender ATP’s sensors. These sensors expose anomalous behavior and give SecOps personnel the intelligence and tools to investigate threats, as we did.
Anomalous behaviors typically point to attack techniques perpetrated by adversaries with only malicious intent. In this case, they pointed to a flawed design that can be abused. Nevertheless, Microsoft Defender ATP exposed a security flaw and protected customers before it could even be used in actual attacks.
Not yet reaping the benefits of Microsoft Defender ATP’s industry-leading optics and detection capabilities? Sign up for a free trial today.
Amit Rapaport (@realAmitRap)
Microsoft Defender Research team
WireGuard Released For macOS, WireGuard Windows Coming & Linux Kernel Bits Still Pending The initial version of the WireGuard open-source secure VPN tunnel is now available for macOS, following the…
Article word count: 2611
HN Discussion: https://news.ycombinator.com/item?id=19182050
Posted by symisc_devel (karma: 967)
Post stats: Points: 140 - Comments: 22 - 2019-02-17T01:27:47Z
#HackerNews #code #discrete #driver #for #gpus #intel #linux #open-source #publishing #starts
WireGuard Released For macOS, WireGuard Windows Coming & Linux Kernel Bits Still Pending
The initial version of the WireGuard open-source secure VPN tunnel is now available for macOS, following the WireGuard for iOS port a few months prior. But sadly on the Linux front, the kernel bits still have yet to be mainlined.
3 Hours Ago - Security - WireGuard Updates
Freedreno Picks Up OpenGL Compute Support For Adreno A6xx Hardware
The newest addition to the Freedreno Gallium3D driver for open-source 3D on Qualcomm graphics hardware is enabling OpenGL compute support for A6xx series hardware.
4 Hours Ago - Mesa - Freedreno A6xx Compute
Fedora 31 Planning To Use Cgroups V2 By Default
While the Linux kernel has shipped Cgroups V2 as stable since early 2016, on Fedora and most other Linux distributions it hasnʼt been enabled by default over the original control groups "Cgroups" implementation. But come Fedora 31 later this year, they are now planning to make it the default.
7 Hours Ago - Linux Kernel - Fedora 31
GNUʼs RPG/Adventure Game Updated For SDL2, Defaults To OpenGL Rendering
Of the many free software projects under the GNU umbrella, there arenʼt many games. One of the only titles is GNU FreeDink, which is out this weekend with its newest update after several active weeks of development.
10 Hours Ago - GNU - GNU FreeDink 109.6
Improved ETC2 Texture Compression Lands For Older Haswell/Ivybridge GPUs On Linux
The previously mentioned work on improving ETC2 support for older generations of Intel graphics has now been mainlined for Mesa 19.1.
16 February 06:34 PM EST - Intel - ETC2 + Mesa
Compiz 0.9.14 Released As First Update In Over Two Years
While Ubuntu may no longer be using Compiz by default as the compositing window manager, the Compiz project is still alive as marked by todayʼs Compiz 0.9.14.0 release.
16 February 01:04 PM EST - Desktop - Compiz 0.9.14
Debian 9.8 Released With Latest Security Fixes
Debian 9.8 is available this weekend as the latest bug-fix / security fix update to Debian GNU/Linux "Stretch".
16 February 12:14 PM EST - Debian - Debian 9.8
Bitmain SoC Support Coming To Linux 5.1 - Sophon ARMv8 + RISC-V Chip For Deep Learning
Queued for mainlining with the upcoming Linux 5.1 kernel cycle is initial support for Bitmain SoCs. Bitmain is the Chinese company that started out designing ASICs for Bitcoin mining with the Antminer and other products. The company has also been venturing into designs for artificial intelligence and deep learning.
16 February 10:04 AM EST - Linux Kernel - Bitmain SoC + Mainline Linux
BACO Power Savings Support Comes To AMDʼs Vega 12
The latest addition to AMDʼs open-source Linux kernel driver is supporting BACO on Vega 12.
16 February 08:46 AM EST - Radeon - Bus Active, Chip Off
RADV Driver Gets Big Patch Series For 8-bit & 16-bit Arithmetic, 8-bit Storage
A set of 38 patches have been sent out that wire in support for the VK_KHR_shader_float16_int8, VK_AMD_gpu_shader_half_float, VK_AMD_gpu_shader_int16, and VK_KHR_8bit_storage extensions to the RADV driver within Mesa.
16 February 08:07 AM EST - Mesa - RADV 8-bit / 16-bit Extensions
Windows 10 Will Soon Let You Access WSL Linux Files From Explorer, Other Improvements
With Windows 10 Version 1903 inching closer as the "April 2019" Update, Microsoft published a blog post on Friday night outlining the Windows Subsystem for Linux (WSL) changes they are making in this next installment of the operating system.
16 February 07:44 AM EST - Microsoft - Windows 10 Build 1903
Waylandʼs Weston 6.0 To Support XDG-Shell Stable, Helping Apps Like MPV Video Player
While the current Wayland/Weston release cycle is a bit behind schedule, it has allowed time for another addition to be made to the Weston 6.0 compositor.
16 February 12:27 AM EST - Wayland - Weston 6.0
Proton 3.16-7 Updates Against DXVK 0.96, New FAudio
Itʼs been a while since Valve issued a new Proton update for their spin of Wine that powers Steam Play for running Windows games on Linux. Fortunately, in time for any weekend gaming, a new Proton release is now available.
15 February 10:00 PM EST - Valve - Proton 3.16-7
SVT-AV1 Already Seeing Nice Performance Improvements Since Open-Sourcing
It was just a few weeks ago that Intel open-sourced the SVT-AV1 project as a CPU-based AV1 video encoder. In the short time since publishing it, thereʼs already been some significant performance improvements.
15 February 07:15 PM EST - Intel - SVT-AV1
Wine 4.2 Released With Unicode String Normalization & ECC Crypto Key Support
The second bi-weekly development release following last monthʼs stable debut of Wine 4.0 is now available for testing.
15 February 03:43 PM EST - WINE - Wine 4.2
Mir 1.1.1 RC1 Has Fixes For PostmarketOS, Demo Shells Using Wayland
Mir 1.1 was released back in December as the first post-1.0 feature update while now preparing for release is the Mir 1.1.1 maintenance milestone.
15 February 01:29 PM EST - Wayland - Mir 1.1.1
The Linux Vendor Firmware Service Has Served Up More Than 5 Million Firmware Files
The Linux Vendor Firmware Service (LVFS), which serves up system BIOS/firmware files from many different vendors as well as various devices so that hardware can see firmware updates under Linux and be updated via Fwupd, has served up more than five million firmware images.
15 February 12:26 PM EST - Hardware - LVFS - 5 Million Files
Samsung 970 EVO Plus 500GB NVMe Linux SSD Benchmarks
Announced at the end of January was the Samsung 970 EVO Plus as the first consumer-grade solid-state drive with 96-layer 3D NAND memory. The Samsung 970 EVO NVMe SSDs are now shipping and in this review are the first Linux benchmarks of these new SSDs in the form of the Samsung 970 EVO Plus 500GB MZ-V7S500B/AM compared to several other SSDs on Linux.
15 February 11:41 AM EST - Storage
Virgl Lands A Number Of Performance Optimizations In Mesa 19.1
For those using the Virgl3D driver stack for having OpenGL acceleration within KVM guest VMs with VirtIO-GPU that is then accelerated by hosts, there are performance optimizations that have just landed in the Mesa 19.1 development code.
15 February 08:23 AM EST - Virtualization - Mesa 19.1 + Virgl Performance
Nouveau Driver Picks Up SVM Support Via HMM
The Nouveau kernel driver has queued patches for introducing Shared Virtual Memory (SVM) support for this open-source NVIDIA driver as a step forward to its OpenCL/compute opportunities.
15 February 07:17 AM EST - Nouveau - Shared Virtual Memory
Linux 5.1 Kernel Bringing New Option For Drivers To Be Async Probed
The Linux 5.1 kernel is bringing a new driver_async_probe= option for specifying a list of drivers that can be probed asynchronously to speed-up the boot process.
15 February 06:42 AM EST - Linux Kernel - driver_async_probe
Linux 5.1 To Deal With More Quirky Hardware From The Lenovo X1 Tablet To ASUS Transbook
Thereʼs no shortage of quirky HID hardware out there. With the upcoming Linux 5.1 kernel cycle will be more fixes/workarounds for such consumer devices.
15 February 05:59 AM EST - Hardware - Linux 5.1 HID
Intelʼs OpenGL Mesa Driver To Better Handle Recovery In Case Of GPU Hangs
Itʼs sure been a busy week in the Intel open-source graphics driver space... The latest improvement is a patch series providing better context restoration in the case of GPU hangs.
15 February 02:34 AM EST - Intel - Resilient Context Restoration
Fedora 30 Might Enable DNFʼs "Best" Mode By Default
Under a late change proposal for Fedora 30, the DNF package managerʼs "best" mode might be enabled by default.
15 February 12:00 AM EST - Fedora - DNF Package Manager Best
Ubuntu 18.04.2 LTS Now Available With The New HWE Stack
Following a small delay, Ubuntu 18.04.2 LTS is now available as the latest point release to the Bionic Beaver for a Valentineʼs Day debut.
14 February 06:45 PM EST - Ubuntu - Ubuntu 18.04.2 LTS
Intelʼs Linux DRM Driver To Enable PSR2 Power-Savings By Default
The Intel DRM/KMS kernel driver will soon see PSR2 panel self refresh capabilities enabled by default for allowing more power-savings on Intel-powered ultrabooks/notebooks.
14 February 06:00 PM EST - Intel - More Power Savings
Panfrost Gallium3D Driver Gets Mali T600/T700 Midgard Update
The Panfrost Gallium3D driver that was recently merged into Mesa 19.1 will soon have better support for the Mali T600/T700 series graphics.
14 February 04:19 PM EST - Mesa - Panfrost Midgard
RadeonSI Primitive Culling Yields Mixed Benchmark Results
Yesterdayʼs patches introducing RadeonSI primitive culling via async compute yielded promising initial results, at least for the ParaView workstation application. Iʼve been running some tests of this new functionality since yesterday and have some initial results to share on Polaris and Vega.
14 February 02:22 PM EST - Radeon - Primitive Culling
Celebrate Valentineʼs Day By Going Premium To Support Linux Benchmarking
If you enjoy the new and original content on Phoronix each and every day of the year, now approaching the 15th birthday of Phoronix, consider taking part in our Valentineʼs Day special to "go premium" to help support the site while being able to enjoy the site ad-free, multi-page articles on a single page, and other benefits.
14 February 12:00 PM EST - Premium - Valentine Special
Intel Linux Graphics Driver Adding Device Local Memory - Possible Start of dGPU Bring-Up
A big patch series was sent out today amounting to 42 patches and over four thousand lines of code for introducing the concept of memory regions to the Intel Linux graphics driver. The memory regions support is preparing for device local memory with future Intel graphics products.
14 February 11:50 AM EST - Intel - Graphics Cards
Benchmarking The Python Optimizations Of Clear Linux Against Ubuntu, Intel Python
Stemming from Clear Linux detailing how they optimize Pythonʼs performance using various techniques, thereʼs been reader interest in seeing just how their Python build stacks up. Hereʼs a look at the Clear Linux Python performance compared to a few other configurations as well as Ubuntu Linux.
14 February 10:38 AM EST - Clear Linux - Python Performance
Arm Introduces ARMv8.1-M Architecture With New "Helium" Vector Extension
Arm Holdings today announced ARMv8.1-M as their newest M-series architecture with enhancements around signal processing and machine learning for embedded devices.
14 February 09:27 AM EST - Arm - M-Profile Vector Extension
WebKitGTK 2.23.90 Adds Support For JPEG2000, More Touchpad Gestures
It missed the GNOME 3.32 Beta by a week, but out today is the WebKitGTK 2.23.90 release, the downstream of the WebKit web layout engine focused on GTK integration and used by the likes of GNOME Web (Epiphany).
14 February 08:27 AM EST - GNOME - WebKitGTK 2.24
Linux Kernel Getting io_uring To Deliver Fast & Efficient I/O
The Linux kernel is getting a new ring for Valentineʼs Day... io_uring. The purpose of io_uring is to deliver faster and more efficient I/O operations on Linux and should be coming with the next kernel cycle.
14 February 06:13 AM EST - Linux Kernel - Linux io_uring
Systemd 241 Released With Security Fixes & Other Changes
Lennart Poettering has just tagged the systemd 241 update that includes the "system down" security fixes and other improvements to this widely-used Linux init system.
14 February 05:35 AM EST - systemd - systemd 241
No Surprise But Intel Linux Developers Are Working Towards Adaptive-Sync Support
Back during the Intel Architecture Day event in December, Intel confirmed that finally with Icelake "Gen 11" graphics there is Adaptive-Sync support after talking about it for several years. While they didnʼt explicitly mention Linux support, theyʼve been largely spot on for years with supporting new display features on Linux and this should be the case as well with Adaptive-Sync and their next-generation graphics.
14 February 03:39 AM EST - Intel - Intel VRR
Microsoft Developer: You Still Should Have Anti-Virus With Windows Subsystem For Linux
While disabling Windows Defender or other anti-virus programs may partially help offset the performance losses imposed by running Windows Subsystem for Linux, a.k.a. "Bash for Windows" or Ubuntu and other distributions running natively atop Windows 10 and now Windows Server 2019, itʼs not the root cause of the I/O performance bottleneck and is not a recommended course of action.
14 February 12:27 AM EST - Microsoft - Do Not Skip Windows Defender
Fedora 31 Is Already Planning Ahead For Python 3.8
While Fedora 30 isnʼt debuting for another three months, with the system-wide change deadline already having passed on that release, ambitious Fedora developers are already thinking about early feature plans for Fedora 31 that will debut in November.
13 February 06:36 PM EST - Fedora - Fedora 31 + Python 3.8
Mesa 19.0-RC4 Released With More Fixes
After yesterdayʼs botched Mesa 19.0-RC3 release, Mesa 19.0-RC4 is now available while itʼs looking like two weeks or so until the stable debut.
13 February 05:44 PM EST - Mesa - Mesa 19.0-RC4
AMDGPU DC Gets Fixes For Seamless Boot, Disappearing Cursor On Raven Ridge
Should you be running into any display problems or just want to help in testing out the open-source AMD Linux driverʼs display code, a new round of patches were published today.
13 February 03:20 PM EST - Radeon - AMDGPU DC
Linux-Firmware Adds Signed NVIDIA Firmware Binaries For Turingʼs Type-C Controller
While we are still waiting on NVIDIA to publish the signed firmware images for Turing GPUs in order to bring-up 3D hardware acceleration on the GeForce RTX 2000 series graphics cards with the open-source Nouveau driver, today they did post the signed firmware image files for their Type-C controller found on these new GPUs.
13 February 10:20 AM EST - NVIDIA - Type-C Firmware Blobs
Qt 5.13 Alpha Released With WebAssembly Preview, Qt Lottie Technical Preview
The Qt Company has announced the alpha release of the forthcoming Qt 5.13 tool-kit.
13 February 07:19 AM EST - Qt - Qt 5.13
RadeonSI Picks Up Primitive Culling With Async Compute For Performance Wins
Prolific open-source AMD Linux driver developer Marek Olšák has sent out his latest big patch series in the name of performance. His new set of 26 patches provide primitive culling with asynchronous compute and at least for workstation workloads yields a big performance uplift.
13 February 05:44 AM EST - Mesa - BIG WIN!!
How Clear Linux Optimizes Python For Greater Performance
Clear Linuxʼs leading performance isnʼt limited to just C/C++ applications but also scripting languages like PHP, R, and Python have seen great speed-ups too. In a new blog post, one of Intelʼs developers outlines some of their performance tweaks to Python for delivering greater performance.
13 February 05:34 AM EST - Clear Linux - Python Performance Tuning
VK9 Project Stalls As Developer Leaves To Pursue Other Interests
While VK9 was the first open-source project to pursue mapping Direct3D over Vulkan, at least for now the project has halted.
13 February 05:13 AM EST - Vulkan - VK9
AMD_DEBUG Can Now Be Used In Place Of R600_DEBUG For RadeonSI Options
When setting various debug options for the RadeonSI Gallium3D driver -- like enabling its NIR back-end among many other options -- that has traditionally been done through the R600_DEBUG= environment variable. But that variable name makes little sense these days since RadeonSI doesnʼt even support the now-vintage R600 GPUs. Thankfully, AMD_DEBUG= is now a supported alternative.
13 February 02:08 AM EST - Radeon - AMD_DEBUG
Open-Source NVIDIA "Nouveau" DRM Changes Begin Queuing Ahead Of Linux 5.1
The Nouveau kernel driver tree where development happens on this open-source NVIDIA DRM driver saw a fresh batch of changes on Tuesday in aiming for new material with Linux 5.1.
13 February 12:03 AM EST - Nouveau - Nouveau For Linux 5.1
Amazon at times dips into the tips earned by contracted delivery drivers to cover their promised pay, a Times review of emails and receipts reveals.
Article word count: 928
HN Discussion: https://news.ycombinator.com/item?id=19109455
Posted by anonymfus (karma: 2588)
Post stats: Points: 134 - Comments: 74 - 2019-02-07T22:49:55Z
#HackerNews #amazon #base #does #driver #drivers #pay #sometimes #the #tip #toward #where
Amazon guarantees third-party drivers for its Flex program a minimum of $18 to $25 per hour, but the entirety of that payment doesn’t always come from the company. If Amazon’s contribution doesn’t reach the guaranteed wage, the e-commerce giant makes up the difference with tips from customers, according to documentation shared by five drivers.
In emails to drivers, Amazon acknowledges it can use “any supplemental earnings” to meet the promised minimum should the companyʼs own contribution fall short.
“We add any supplemental earnings required to meet our commitment that delivery partners earn $18-$25 per hour,” the company wrote in multiple emails reviewed by The Times.
Only drivers who deliver for Amazon’s grocery service or its Prime Now offering — which brings household goods to customers in two hours or less — can receive tips through the company’s app.
Amazon insists that drivers receive the entirety of their tips but declined to answer questions from The Times about whether it uses those tips to help cover the drivers’ base pay.
“Our pay commitment to delivery partners has not changed since we launched the Amazon Flex program — delivery partners still earn $18-25 per hour, including 100% of tips — and on average drivers earn over $20/hour,” Amazon spokeswoman Amanda Ip wrote in a statement.
Drivers question why they aren’t getting 100% of tips on top of their guaranteed pay.
“They just hide behind the fact that they guarantee $18” an hour, said driver Jeff Lee. “Sounds great, but that $18 [an hour] guarantee could be all from customer tips while Amazon chips in zero.”
As Amazon has grown into one of the world’s biggest companies, it has relied heavily on contractors to help keep up with the pace of deliveries. These workers do not qualify for benefits offered to staff employees. Tipping is one way Amazon and other tech firms such as Uber and Lyft have moved to appease their contractor workforce.
But using tips to cover promised wages has proved controversial for delivery start-ups Instacart and DoorDash.
Drivers have long suspected that Amazon uses their tips to hit promised wage targets, according to five former and current drivers who spoke on condition of anonymity for fear of reprisal.
It has been hard for drivers to prove — the company does not provide them a breakdown of their compensation beyond showing the total paid out, citing privacy concerns.
But two drivers tested their suspicions when assigned to deliver packages to their own homes.
Another contract driver in Virginia who ordered paper towels for his family and was assigned to deliver the package tipped himself $15.90 — an amount he said would easily stand out. Two days later he checked his account. For the entire two-hour shift he worked, he was credited with receiving no tips.
He wrote to Amazon to complain. Without offering any explanation, the company adjusted his pay for that shift to $50.11, which included additional tips, according to receipts The Times reviewed. He no longer drives for Amazon but asked not to be named because he operates a business that caters to Amazon Flex drivers and fears that speaking on the record could jeopardize that venture.
Lee, who still delivers for Amazon, said he tipped himself $12 and change for a package he brought to his own residence.
“It was slow that day and I had no orders to deliver, so I decided to place a one-hour order as a customer to see what the hell was going on with our tips as I knew I would be the next driver to deliver this one-hour [order] to my house,” Lee said.
His base pay for the 1½-hour shift was supposed to be $27. Including tips, he received a bit more than $30 — suggesting Amazon contributed only $18.
“The problem most drivers have with Amazon is there is zero transparency about our pay,” Lee said.
The practice is legal in some states. The California Labor Code’s Provision 351, which targets the practice, does not apply to contractors because they are seen as independent business owners. In Seattle, a group of drivers has contested that classification in a pending class-action lawsuit, claiming they are actually treated as employees.
Amazon would not say whether it dips into drivers’ tips in California.
A source familiar with the company’s practices who was not authorized to comment on the record said Amazon contributes an average of $19 per hour to contracted drivers’ wages.
Amazon determines how much it will pay each driver based on the length of the shift and any increases in customer demand, according to emails reviewed by The Times.
Drivers who make deliveries for Amazon’s Prime Now service noticed a drop in their tips in early 2018, prompting them to send questions to customer support. They were informed that Amazon had changed the pay structure to something called “variable base pay,” according to emails shared by four drivers.
Customer support representatives wrote in emails that the base pay drivers receive for each shift could vary from $18 to $25 per hour and that includes 100% of their tips. The emails did not explain why pay was suddenly much lower than it had been in the past.
#entertainment #music #1more #triple #driver #headphones #review #products #design #elegant #travel #quality #listening #experience #bass #drums #guitar