Businesses

IT Services Company Wipro Forces 600 Employees To Work In Bed Bug Infested Office (11alive.com) 44

McGruber writes: Information Technology Services CorporationWipro's 600-employee call center in Chamblee, Georgia is in infected with bed bugs according to Atlanta television station 11Alive. The facilities manager admits there is a bed bug problem and it's been an issue since late May. Employees told the tv station that the bugs are all over the three floors -- and they're biting. But employees are being told they still must go to work. Kwanita Holmes sent 11Alive photos of what she said is a bed bug bite on her arm: "We're at work 8 hours a day and we're getting munched on all day," she said. Wipro said it's paying for in-home bed bug consultations and treatments for employees.
Linux

Linus Torvalds Says Linux Still Surprises and Motivates Him (linux.com) 52

Linus Torvalds: What I find interesting is code that I thought was stable continually gets improved. There are things we haven't touched for many years, then someone comes along and improves them or makes bug reports in something I thought no one used. We have new hardware, new features that are developed, but after 25 years, we still have old, very basic things that people care about and still improve. I really like what I'm doing. I like waking up and having a job that is technically interesting and challenging without being too stressful so I can do it for long stretches; something where I feel I am making a real difference and doing something meaningful not just for me. I occasionally have taken breaks from my job. The 2-3 weeks I worked on Git to get that started for example. But every time I take a longer break, I get bored. When I go diving for a week, I look forward to getting back. I never had the feeling that I need to take a longer break.
Open Source

Opus 1.2 Released 22

jmv writes: The Opus audio codec, used in WebRTC and now included in all major web browsers, gets another major upgrade with the release of version 1.2. This release brings quality improvements to both speech and music, while remaining fully compatible with RFC 6716. There are also optimizations, new options, as well as many bug fixes. This Opus 1.2 demo describes a few of the upgrades that users and implementers will care about the most. It includes audio samples comparing to previous versions of the codec, as well as speed comparisons for x86 and ARM.
Government

Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families (nytimes.com) 54

Mexico's most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government on the condition that it be used only to investigate criminals and terrorists, reports the New York Times. From the report: The targets include lawyers looking into the mass disappearance of 43 students (alternative source), a highly respected academic who helped write anti-corruption legislation, two of Mexico's most influential journalists and an American representing victims of sexual abuse by the police. The spying even swept up family members, including a teenage boy. Since 2011, at least three Mexican federal agencies have purchased about $80 million worth of spyware created by an Israeli cyberarms manufacturer. The software, known as Pegasus, infiltrates smartphones to monitor every detail of a person's cellular life -- calls, texts, email, contacts and calendars. It can even use the microphone and camera on phones for surveillance, turning a target's smartphone into a personal bug.
Security

You Can Hack Some Mazda Cars With a USB Flash Drive (bleepingcomputer.com) 52

An anonymous reader writes: "Mazda cars with next-gen Mazda MZD Connect infotainment systems can be hacked just by plugging in a USB flash drive into their dashboard, thanks to a series of bugs that have been known for at least three years," reports Bleeping Computer. "The issues have been discovered and explored by the users of the Mazda3Revolution forum back in May 2014. Since then, the Mazda car owner community has been using these 'hacks' to customize their cars' infotainment system to tweak settings and install new apps. One of the most well-designed tools is MZD-AIO-TI (MZD All In One Tweaks Installer)." Recently, a security researcher working for Bugcrowd has put together a GitHub repository that automates the exploitation of these bugs. The researcher says an attacker can copy the code of his GitHub repo on a USB flash drive, add malicious scripts and carry out attacks on Mazda cars. Mazda said the issues can't be exploited to break out of the infotainment system to other car components, but researchers disagreed with the company on Twitter. In the meantime, the car maker has finally plugged the bugs via a firmware update released two weeks ago.
Bug

Trump Orders Government To Stop Work On Y2K Bug, 17 Years Later (bloomberg.com) 460

The federal government will finally stop preparing for the Y2K bug, seventeen years after it came and went. Yes, you read that right. Bloomberg reports: The Trump administration announced Thursday that it would eliminate dozens of paperwork requirements for federal agencies, including an obscure rule that requires them to continue providing updates on their preparedness for a bug that afflicted some computers at the turn of the century. As another example, the Pentagon will be freed from a requirement that it file a report every time a small business vendor is paid, a task that consumed some 1,200 man-hours every year. Seven of the more than 50 paperwork requirements the White House eliminated on Thursday dealt with the Y2K bug, according to a memo OMB released. Officials at the agency estimate the changes could save tens of thousands of man-hours across the federal government. The agency didn't provide an estimate of how much time is currently spent on Y2K paperwork, but Linda Springer, an OMB senior adviser, acknowledged that it isn't a lot since those requirements are already often ignored in practice.
IOS

Chess.com Has Stopped Working On 32bit iPads After the Site Hit 2^31 Game Sessions (chess.com) 271

Apple's decision to go all in on 64bit-capable devices, OS and apps has caused some trouble for Chess.com, a popular online website where people go to play chess. Users with a 32bit iPad are unable to play games on the website, according to numerous complaints posted over the weekend and on Monday. Erik, the CEO of Chess.com said in a statement, "Thanks for noticing. Obviously this is embarrassing and I'm sorry about it. As a non-developer I can't really explain how or why this happened, but I can say that we do our best and are sorry when that falls short." Hours later, he had an explanation: The reason that some iOS devices are unable to connect to live chess games is because of a limit in 32bit devices which cannot handle gameIDs above 2,147,483,647. So, literally, once we hit more than 2 billion games, older iOS devices fail to interpret that number! This was obviously an unforeseen bug that was nearly impossible to anticipate and we apologize for the frustration. We are currently working on a fix and should have it resolved within 48 hours.
The Almighty Buck

Report Reveals In-App Purchase Scams In the App Store (macrumors.com) 48

In a Medium article titled How to Make $80,000 Per Month On the Apple App Store, Johnny Lin uncovers a scamming trend in which apps advertising fake services are making thousands of dollars a month from in-app purchases. The practice works by manipulating search ads to promote dubious apps in the App Store and then preys on unsuspecting users via the in-app purchase mechanism. MacRumors reports: "I scrolled down the list in the Productivity category and saw apps from well-known companies like Dropbox, Evernote, and Microsoft," said Lin. "That was to be expected. But what's this? The #10 Top Grossing Productivity app (as of June 7th, 2017) was an app called 'Mobile protection :Clean & Security VPN.' Given the terrible title of this app (inconsistent capitalization, misplaced colon, and grammatically nonsensical 'Clean & Security VPN?'), I was sure this was a bug in the rankings algorithm. So I check Sensor Tower for an estimate of the app's revenue, which showed ... $80,000 per month?? That couldn't possibly be right. Now I was really curious." To learn how this could be, Lin installed and ran the app, and was soon prompted to start a "free trial" for an "anti-virus scanner" (iOS does not need anti-virus software thanks to Apple's sandboxing rules for individual apps). Tapping on the trial offer then threw up a Touch ID authentication prompt containing the text "You will pay $99.99 for a 7-day subscription starting Jun 9, 2017." Lin was one touch away from paying $400 a month for a non-existent service offered by a scammer. Lin dug deeper and found several other similar apps making money off the same scam, suggesting a wider disturbing trend, with scam apps regularly showing up in the App Store's top grossing lists.
Android

Google Launches Android O Developer Preview 3 With Final APIs (venturebeat.com) 16

An anonymous reader quotes a report from VentureBeat: Google today launched the third Android O developer preview, available for download now at developer.android.com and via the Android Beta Program. The preview includes an updated SDK with system images for the Nexus 5X, Nexus 6P, Nexus Player, Pixel, Pixel XL, Pixel C, and the official Android Emulator, and there's even an emulator for testing Android Wear 2.0 on Android O. The big highlight with this preview is that the Android O APIs are now final. Google launched the first Android O developer preview in March and the second developer preview in May at its I/O 2017 developer conference. Google is planning to release one more preview with near-final system images in July and has slated the final version for release "later this summer" (in Q3 2017). Developer Preview 3 includes the latest version of the Android O platform with the final API level 26 and "hundreds of bug fixes and optimizations."
Programming

Ask Slashdot: How Does Your Team Track And Manage Bugs In Your Software? 189

Slashdot reader jb373 is a senior software engineer whose team's bug-tracking methodology is making it hard to track bugs. My team uses agile software methodologies, specifically scrum with a Kanban board, and adds all bugs we find to our Kanban board. Our Kanban board is digital and similar to Trello in many regards and we have a single list for bugs... We end up with duplicates and now have a long list to try and scroll through... Has anyone run into a similar situation or do things differently that work well for their team?
The original submission ends with one idea -- "I'm thinking about pushing for a separate bug tracking system that we pull bugs from during refinement and create Kanban cards for." But is there a better way? Leave your own experiences in the comments. How does your team track and manage bugs in your software?
Android

Google Quadruples Top Reward For Hacking Android To $200,000 (venturebeat.com) 14

Krystalo quotes a report from VentureBeat: Google has paid security researchers millions of dollars since launching its bug bounty program in 2010. The company today expanded its Android Security Rewards program because "no researcher has claimed the top reward for an exploit chain in two years." Right. Well, the program has only been around for two years -- a Google spokesperson confirmed that nobody has ever claimed the top reward. The Android team is making two bug bounty increases today. The reward for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise has quadrupled from $50,000 to $200,000. The reward for a remote kernel exploit has quintupled from $30,000 to $150,000. Want to make six figures? Just figure out how to hack Android.
Bug

Google Chrome Bug Lets Sites Record Audio and Video Without a Visual Indicator (bleepingcomputer.com) 36

New submitter aafrn writes: "Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator," reports BleepingComputer. "The bug is not as bad as it sounds, as the malicious website still needs to get the user's permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user's knowledge. The bug's central element is a 'red circle and dot' icon that Chrome usually shows when recording audio or video streams." Bar-Zik discovered that if the JavaScript code that does the actual audio and video recording is launched inside a small popup, the icon is not shown anymore. This opens the door for various types of scenarios, where an attacker that has tricked a user into granting him permission to record audio and video records user data but when the user doesn't expect this (no visual indicator). For example, an attacker could disguise audio/video recording code inside popup ads. If the user doesn't close the popup, the popup continues to stream audio and video from the victim's house. Google declined to consider this a security bug.
Security

India's Ethical Hackers Rewarded Abroad, Ignored at Home (yahoo.com) 82

An anonymous reader shares an article: Kanishk Sajnani did not receive so much as a thank you from a major Indian airline when he contacted them with alarming news -- he had hacked their website and could book flights anywhere in the world for free. It was a familiar tale for India's army of "ethical hackers," who earn millions protecting foreign corporations and global tech giants from cyber attacks but are largely ignored at home, their skills and altruism misunderstood or distrusted. India produces more ethical hackers -- those who break into computer networks to expose, rather than exploit, weaknesses -- than anywhere else in the world. The latest data from BugCrowd, a global hacking network, showed Indians raked in the most "bug bounties" -- rewards for red-flagging security loopholes. Facebook, which has long tapped hacker talent, paid more to Indian researchers in the first half of 2016 than any other researchers. Indians outnumbered all other bug hunters on HackerOne, another registry of around 100,000 hackers. One anonymous Indian hacker -- "Geekboy" -- has found more than 700 vulnerabilities for companies like Yahoo, Uber and Rockstar Games. Most are young "techies" -- software engineers swelling the ranks of India's $154-billion IT outsourcing sector whose skill set makes them uniquely gifted at cracking cyber systems.
Government

US Senators Propose Bug Bounties For Hacking Homeland Security (cnn.com) 66

An anonymous reader quotes CNN: U.S. senators want people to hack the Department of Homeland Security. On Thursday, Senators Maggie Hassan, a Democrat and Republican Rob Portman introduced the Hack DHS Act to establish a federal bug bounty program in the DHS... It would be modeled off the Department of Defense efforts, including Hack the Pentagon, the first program of its kind in the federal government. Launched a year ago, Hack the Pentagon paved the way for more recent bug bounty events including Hack the Army and Hack the Air Force...

The Hack the DHS Act establishes a framework for bug bounties, including establishing "mission-critical" systems that aren't allowed to be hacked, and making sure researchers who find bugs in DHS don't get prosecuted under the Computer Fraud and Abuse Act. "It's better to find vulnerabilities through someone you have engaged with and vetted," said Jeff Greene, the director of government affairs and policy at security firm Symantec. "In an era of constrained budgets, it's a cost-effective way of identifying vulnerabilities"... If passed, it would be among the first non-military bug bounty programs in the public sector.

Data Storage

SSD Drives Vulnerable To Rowhammer-Like Attacks That Corrupt User Data (bleepingcomputer.com) 93

An anonymous reader writes: NAND flash memory chips, the building blocks of solid-state drives (SSDs), include what could be called "programming vulnerabilities" that can be exploited to alter stored data or shorten the SSD's lifespan. According to research published earlier this year, the programming logic powering of MLC NAND flash memory chips (the tech used for the latest generation of SSDs), is vulnerable to at least two types of attacks.

The first is called "program interference," and takes place when an attacker manages to write data with a certain pattern to a target's SSD. Writing this data repeatedly and at high speeds causes errors in the SSD, which then corrupts data stored on nearby cells. This attack is similar to the infamous Rowhammer attack on RAM chips.

The second attack is called "read disturb" and in this scenario, an attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon of "read disturb errors," that alters the SSD ability to read data from nearby cells, even long after the attack stops.

Bug

Wormable Code-Execution Bug Lurked In Samba For 7 Years (arstechnica.com) 83

Long-time Slashdot reader williamyf was the first to share news of "a wormable bug [that] has remained undetected for seven years in Samba verions 3.5.0 onwards." Ars Technica reports: Researchers with security firm Rapid7...said they detected 110,000 devices exposed on the internet that appeared to run vulnerable versions of Samba. 92,500 of them appeared to run unsupported versions of Samba for which no patch was available... Those who are unable to patch immediately can work around the vulnerability by adding the line nt pipe support = no to their Samba configuration file and restart the network's SMB daemon. The change will prevent clients from fully accessing some network computers and may disable some expected functions for connected Windows machines.
The U.S. Department of Homeland Security's CERT group issued an anouncement urging sys-admins to update their systems, though SC Magazine cites a security researcher arguing this attack surface is much smaller than that of the Wannacry ransomware, partly because Samba is just "not as common as Windows architectures." But the original submission also points out that while the patch came in fast, "the 'Many eyes' took seven years to 'make the bug shallow'."
Bug

Two Different Studies Find Thousands of Bugs In Pacemakers, Insulin Pumps and Other Medical Devices 47

Two studies are warning of thousands of vulnerabilities found in pacemakers, insulin pumps and other medical devices. "One study solely on pacemakers found more than 8,000 known vulnerabilities in code inside the cardiac devices," reports BBC. "The other study of the broader device market found only 17% of manufacturers had taken steps to secure gadgets." From the report: The report on pacemakers looked at a range of implantable devices from four manufacturers as well as the "ecosystem" of other equipment used to monitor and manage them. Researcher Billy Rios and Dr Jonathan Butts from security company Whitescope said their study showed the "serious challenges" pacemaker manufacturers faced in trying to keep devices patched and free from bugs that attackers could exploit. They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems. Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic. Often, wrote Mr Rios, the small size and low computing power of internal devices made it hard to apply security standards that helped keep other devices safe. In a longer paper, the pair said device makers had work to do more to "protect against potential system compromises that may have implications to patient care." The separate study that quizzed manufacturers, hospitals and health organizations about the equipment they used when treating patients found that 80% said devices were hard to secure. Bugs in code, lack of knowledge about how to write secure code and time pressures made many devices vulnerable to attack, suggested the study.
Windows

In a Throwback To the '90s, NTFS Bug Lets Anyone Hang Or Crash Windows 7, 8.1 (arstechnica.com) 128

Windows 7 and 8.1 (and also Windows Vista) have a bug that is reminiscent of Windows 98 age, when a certain specially crafted filename could make the operating system crash (think of file:///c:/con/con). From an ArsTechnica report: The new bug, which fortunately doesn't appear to afflict Windows 10, uses another special filename. This time around, the special filename of choice is $MFT. $MFT is the name given to one of the special metadata files that are used by Windows' NTFS filesystem. The file exists in the root directory of each NTFS volume, but the NTFS driver handles it in special ways, and it's hidden from view and inaccessible to most software. Attempts to open the file are normally blocked, but in a move reminiscent of the Windows 9x flaw, if the filename is used as if it were a directory name -- for example, trying to open the file c:\$MFT\123 -- then the NTFS driver takes out a lock on the file and never releases it. Every subsequent operation sits around waiting for the lock to be released. Forever. This blocks any and all other attempts to access the file system, and so every program will start to hang, rendering the machine unusable until it is rebooted.
Mozilla

Firefox Marketing Head Expresses Concerns Over Google's Apparent 'Only Be On Chrome' Push (medium.com) 189

Eric Petitt, head up Firefox marketing, writing in a blog: I use Chrome every day. Works fine. Easy to use. There are multiple things that bug me about the Chrome product, for sure, but I'm OK with Chrome. I just don't like only being on Chrome. And that's what Chrome wants. It wants you to only use Chrome. Chrome is not evil, it's just too big for its britches. Its influence on the internet economy and individuals is out of balance. Chrome, with 4 times the market share of its nearest competitor (Firefox), is an eight-lane highway to the largest advertising company in the world. Google built it to maximize revenue from your searches and deliver display ads on millions of websites. To monetize every... single... click. And today, there exists no meaningful safety valve on its market dominance. Beyond Google, the web looks more and more like a feudal system, where the geography of the web has been partitioned off by the Frightful Five. Google, Facebook, Microsoft, Apple and Amazon are our lord and protectors, exacting a royal sum for our online behaviors. We're the serfs and tenants, providing homage inside their walled fortresses. Noble upstarts are erased or subsumed under their existing order. (Footnote: Petitt has made it clear that the aforementioned views are his own, and not those of Mozilla.)
Security

Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com) 53

Orome1 writes: A default setting in Google Chrome, which allows it to download files that it deems safe without prompting the user for a download location, can be exploited by attackers to mount a Windows credential theft attack using specially-crafted SCF shortcut files, DefenseCode researchers have found. What's more, for the attack to work, the victim does not even have to run the automatically downloaded file. Simply opening the download directory in Windows File Explorer will trigger the code icon file location inserted in the file to run, and it will send the victim's username, domain and NTLMv2 password hash to a remote SMB server operated by the attackers.

Slashdot Top Deals