Programming

Why Swift Creator Chris Lattner Stepped Down From Its Core Team This Week (devclass.com) 98

The creator of Apple's Swift programming language stayed involved in the Swift core team and Evolution community... until this week. Though he'd left Apple more than five years ago, "Swift is important to me, so I've been happy to spend a significant amount of time to help improve and steer it," Lattner wrote in an explanatory comment on the Swift community forum. "This included the ~weekly core team meetings (initially in person, then over WebEx)..."

The tech news site DevClass notes Lattner is also "the mind behind compiler infrastructure project LLVM," but reports that "Apparently, Lattner hasn't been part of the [Swift] core team since autumn 2021, when he tried discussing what he perceived as a toxic meeting environment with project leadership after an especially noteworthy call made him take a break in summer." "[...] after avoiding dealing with it, they made excuses, and made it clear they weren't planning to do anything about it. As such, I decided not to return," Lattner wrote in his explanation post. Back then, he planned to keep participating via the Swift Evolution community "but after several discussions generating more heat than light, when my formal proposal review comments and concerns were ignored by the unilateral accepts, and the general challenges with transparency working with core team, I decided that my effort was triggering the same friction with the same people, and thus I was just wasting my time."

Lattner had been the steering force behind Swift since the language's inception in 2010. However, after leaving Apple in 2017 and handing over his project lead role, design premises like "single things that compose" seem to have fallen by the wayside, making the decision to move on completely easier for language-creator Lattner.

The article points out Lattner's latest endeavour is AI infrastructure company Modular.AI.

And Lattner wrote in his comment that Swift's leadership "reassures me they 'want to make sure things are better for others in the future based on what we talked about' though...." Swift has a ton of well meaning and super talented people involved in and driving it. They are trying to do the best they can with a complicated situation and many pressures (including lofty goals, fixed schedules, deep bug queues to clear, internal folks that want to review/design things before the public has access to them, and pressures outside their team) that induce odd interactions with the community. By the time things get out to us, the plans are already very far along and sometimes the individuals are attached to the designs they've put a lot of energy into. This leads to a challenging dynamic for everyone involved.

I think that Swift is a phenomenal language and has a long and successful future ahead, but it certainly isn't a community designed language, and this isn't ambiguous. The new ideas on how to improve things sound promising — I hope they address the fundamental incentive system challenges that the engineers/leaders face that cause the symptoms we see. I think that a healthy and inclusive community will continue to benefit the design and evolution of Swift.

DevClass also reported on the aftermath: Probably as a consequence of the move, the Swift core team is currently looking to restructure project leadership. According to Swift project lead Ted Kremenek... "The intent is to free the core team to invest more in overall project stewardship and create a larger language workgroup that can incorporate more community members in language decisions."

Kremenek also used the announcement to thank Lattner for his leadership throughout the formative years of the project, writing "it has been one of the greatest privileges of my life to work with Chris on Swift."

In 2017 Chris Lattner answered questions from Slashdot's readers.
Programming

Programming in Rust is Fun - But Challenging, Finds Annual Community Survey (rust-lang.org) 58

Respondents to the annual survey of the Rust community reported an uptick in weekly usage and challenges, writes InfoWorld: Among those surveyed who are using Rust, 81% were using the language on at least a weekly basis, compared to 72% in last year's survey. Of all Rust users, 75% said they are able to write production-ready code but 27% said it was at times a struggle to write useful, production-ready code.... While the survey pointed toward a growing, healthy community of "Rustaceans," it also found challenges. In particular, Rust users would like to see improvements in compile times, disk usage, debugging, and GUI development...

- For those who adopted Rust at work, 83% found it "challenging." But it was unclear how much of this was a Rust-specific issue or general challenges posed by adopting a new language. During adoption, only 13% of respondents believed the language was slowing their team down while 82% believed Rust helped their teams achieve their goals.

- Of the respondents using Rust, 59% use it at least occasionally at work and 23% use it for the majority of their coding. Last year, only 42% used Rust at work.

From the survey's results: After adoption, the costs seem to be justified: only 1% of respondents did not find the challenge worth it while 79% said it definitely was. When asked if their teams were likely to use Rust again in the future, 90% agreed. Finally, of respondents using Rust at work, 89% of respondents said their teams found it fun and enjoyable to program.

As for why respondents are using Rust at work, the top answer was that it allowed users "to build relatively correct and bug free software" with 96% of respondents agreeing with that statement. After correctness, performance (92%) was the next most popular choice. 89% of respondents agreed that they picked Rust at work because of Rust's much-discussed security properties.

Overall, Rust seems to be a language ready for the challenges of production, with only 3% of respondents saying that Rust was a "risky" choice for production use.

Thanks to Slashdot reader joshuark for submitting the story...
Privacy

Behind the Stalkerware Network Spilling the Private Phone Data of Thousands (techcrunch.com) 17

An anonymous reader quotes a report from TechCrunch, written by security editor Zack Whittaker: Consumer-grade spyware is often sold under the guise of child monitoring software, but also goes by the term "stalkerware" for its ability to track and monitor other people or spouses without their consent. Stalkerware apps are installed surreptitiously by someone with physical access to a person's phone and are hidden from home screens, but will silently and continually upload call records, text messages, photos, browsing history, precise location data and call recordings from the phone without the owner's knowledge. Many of these spyware apps are built for Android, since it's easier to plant a malicious app than on iPhones, which have tighter restrictions on what kind of apps can be installed and what data can be accessed. Last October, TechCrunch revealed a consumer-grade spyware security issue that's putting the private phone data, messages and locations of hundreds of thousands of people, including Americans, at risk. But in this case it's not just one spyware app exposing people's phone data. It's an entire fleet of Android spyware apps that share the same security vulnerability.

On the front line of the operation is a collection of white-label Android spyware apps that continuously collect the contents of a person's phone, each with custom branding, and fronted by identical websites with U.S. corporate personas that offer cover by obfuscating links to its true operator. Behind the apps is a server infrastructure controlled by the operator, which is known to TechCrunch as a Vietnam-based company called 1Byte. TechCrunch found nine nearly identical spyware apps that presented with distinctly different branding, some with more obscure names than others: Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy. Other than their names, the spyware apps have practically identical features under the hood, and even the same user interface for setting up the spyware. Once installed, each app allows the person who planted the spyware access to a web dashboard for viewing the victim's phone data in real time -- their messages, contacts, location, photos and more. Much like the apps, each dashboard is a clone of the same web software. And, when TechCrunch analyzed the apps' network traffic, we found the apps all contact the same server infrastructure. But because the nine apps share the same code, web dashboards and the same infrastructure, they also share the same vulnerability.

The vulnerability in question is known as an insecure direct object reference, or IDOR, a class of bug that exposes files or data on a server because of sub-par, or no, security controls in place. It's similar to needing a key to unlock your mailbox, but that key can also unlock every other mailbox in your neighborhood. IDORs are one of the most common kinds of vulnerability [...]. But shoddy coding didn't just expose the private phone data of ordinary people. The entire spyware infrastructure is riddled with bugs that reveal more details about the operation itself. It's how we came to learn that data on some 400,000 devices -- though perhaps more -- have been compromised by the operation. Shoddy coding also led to the exposure of personal information about its affiliates who bring in new paying customers, information that they presumably expected to be private; even the operators themselves.
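
The IDOR pattern described above, as an added illustration that is not code from the report or from the spyware operation: a toy dashboard record store where the vulnerable lookup trusts the id in the request, and the hardened lookup also checks the record's owner against the logged-in user and logs denials so enumeration can be alerted on. The record ids, owners and payloads are constructed sample data.

```python
"""Added example: IDOR on a dashboard record lookup, vulnerable vs. hardened.
All data here is constructed; the function names are hypothetical."""

from dataclasses import dataclass


@dataclass
class Record:
    owner: str      # the authenticated user who is entitled to read this record
    payload: dict   # what the dashboard would show (constructed sample fields)


# Constructed sample data: two customers' records living in one shared store.
STORE = {
    1001: Record(owner="alice", payload={"location": "loc-A", "messages": 3}),
    1002: Record(owner="bob", payload={"location": "loc-B", "messages": 7}),
}

# Audit log of denied lookups; a detection rule can count these per session.
AUDIT_LOG: list = []


class Forbidden(Exception):
    """Raised when a record is missing or not owned by the requesting user."""


def fetch_record_vulnerable(session_user: str, record_id: int) -> dict:
    """Vulnerable form: the id from the request selects the object directly.
    The session is authenticated, but nothing compares rec.owner with
    session_user, so any logged-in user can read any id they can guess."""
    rec = STORE.get(record_id)
    if rec is None:
        raise KeyError(record_id)
    return rec.payload


def fetch_record_hardened(session_user: str, record_id: int) -> dict:
    """Hardened form: look the object up *and* verify ownership.
    Missing and foreign ids get the same response so the id space is not
    revealed, and every denial is written to the audit log."""
    rec = STORE.get(record_id)
    if rec is None or rec.owner != session_user:
        AUDIT_LOG.append({"user": session_user, "record_id": record_id,
                          "result": "denied"})
        raise Forbidden(f"record {record_id} not accessible to {session_user}")
    return rec.payload


def probe(session_user: str, record_id: int) -> str:
    """Helper for testing/demonstration: 'ok' or 'denied' for the hardened path."""
    try:
        fetch_record_hardened(session_user, record_id)
        return "ok"
    except Forbidden:
        return "denied"


def denied_counts(log: list) -> dict:
    """Detection helper: number of denied lookups per user. A burst of denials
    from one session across sequential ids is the signature of id enumeration."""
    counts: dict = {}
    for entry in log:
        if entry["result"] == "denied":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    # alice reads bob's record through the vulnerable path, but not the hardened one
    print(fetch_record_vulnerable("alice", 1002))
    print(probe("alice", 1002), probe("alice", 1001))
    print(denied_counts(AUDIT_LOG))
```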
After emailing 1Byte with details of the security vulnerability, the email address was shut down along with "at least two of the branded spyware apps," according to TechCrunch. "That leaves us here. Without a fix, or intervention from the web host, TechCrunch cannot disclose more about the security vulnerability -- even if it's the result of bad actors themselves -- because of the risk it poses to the hundreds of thousands of people whose phones have been unknowingly compromised by this spyware."

In a separate report, security editor Zack Whittaker explains how one can remove common consumer-grade spyware.
The Almighty Buck

Phishing Attack Tricks 32 OpenSea Users Out of 254 NFTs (theverge.com) 35

"On Saturday, attackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site's broad user base," reports the Verge.

"A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club." The bulk of the attacks took place between 5PM and 8PM ET, targeting 32 users in total. Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million.

The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea. One explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts: first, targets signed a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, targets of the attack had signed a blank check — and once it was signed, attackers filled in the rest of the check to take their holdings.

"I checked every transaction," said the user, who goes by Neso. "They all have valid signatures from the people who lost NFTs so anyone claiming they didn't get phished but lost NFTs is sadly wrong...."

Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea's website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered.

An update to OpenSea's smart contract was scheduled the day before (to remove old and inactive listings from the platform), and the scammer mimicked a genuine OpenSea email, according to The Street. A user who posted the text of the phishing email online explains that the scammer "then got a number of people to sign permissions with WyvernExchange. No exploit, just people not reading sign permissions as normal."

CEO Finzer told Bloomberg that some of the stolen NFTs have actually been returned, with no further malicious activity seen from the attacker's account. "He also dispelled rumors of a $200 million hack, saying the attacker has $1.7 million of Ethereum in his wallet from selling some of the stolen NFTs."

And PC Magazine shares this update about the wallet: CoinDesk reports that Etherscan, which bills itself as "the Ethereum blockchain explorer," has flagged the account that appears to be connected to these NFT thefts. (The public name of which is, fittingly enough, "Fake_Phishing5169.")
Bug

Linux Developers Patch Bugs Faster Than Microsoft, Apple, and Google, Study Shows (zdnet.com) 43

Linux programmers fixed bugs faster than anyone — in an average of just 25 days (improving from 32 days in 2019 to just 15 in 2021). That's the conclusion of Google's "Project Zero" security research team, which studied the speed of bug-fixing from January 2019 to December 2021.

ZDNet reports that Linux's competition "didn't do nearly as well." For instance, Apple, 69 days; Google, 44 days; and Mozilla, 46 days. Coming in at the bottom was Microsoft, 83 days, and Oracle, albeit with only a handful of security problems, with 109 days.

By Project Zero's count, others, which included primarily open-source organizations and companies such as Apache, Canonical, Github, and Kubernetes, came in with a respectable 44 days.

Generally, everyone's getting faster at fixing security bugs. In 2021, vendors took an average of 52 days to fix reported security vulnerabilities. Only three years ago the average was 80 days. In particular, the Project Zero crew noted that Microsoft, Apple, and Linux all significantly reduced their time to fix over the last two years.

As for mobile operating systems, Apple iOS with an average of 70 days is a nose better than Android with its 72 days. On the other hand, iOS had far more bugs, 72, than Android with its 10 problems.

Browser problems are also being fixed at a faster pace. Chrome fixed its 40 problems with an average of just under 30 days. Mozilla Firefox, with a mere 8 security holes, patched them in an average of 37.8 days. Webkit, Apple's web browser engine, which is primarily used by Safari, has a much poorer track record. Webkit's programmers take an average of over 72 days to fix bugs.

Chrome

Firefox and Chrome Versions '100' May Break Some Websites (engadget.com) 92

As both the Chrome and Firefox browsers approach their 100th versions, what should be a reason for the developers to celebrate could turn into a bit of a mess. From a report: It turns out that much like the Y2K bug, the triple-digit release numbers coded in the browsers' User-Agents (UAs) could cause issues with a small number of sites, Bleeping Computer reported. Mozilla launched an experiment last year to see if version number 100 would affect sites, and it just released a blogpost with the results. It did affect a small number of sites (some very big ones, though) that couldn't parse a user-agent string containing a three-digit number. Notable ones still affected included HBO Go, Bethesda and Yahoo, according to a tracking site. The bugs include "browser not supported" messages, site rendering issues, parsing failures, 403 errors and so on.
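
As an added example (not code from the Bleeping Computer or Mozilla reports), the parsers below show how a user-agent check that assumes a two-digit major version fails at version 100, either by finding no version at all or by silently reading "10", and how a digit-run parser avoids both. The user-agent strings and the `min_major` support threshold are constructed for the illustration.

```python
"""Added example: three ways to read the browser major version from a
User-Agent string, two of which break at version 100. Sample UAs are
constructed, not taken from the report."""

import re

# Constructed sample user agents: a pre-100 Chrome, Chrome 100 and Firefox 100.
UA_CHROME_99 = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36")
UA_CHROME_100 = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36")
UA_FIREFOX_100 = ("Mozilla/5.0 (X11; Linux x86_64; rv:100.0) "
                  "Gecko/20100101 Firefox/100.0")


def major_fragile_regex(ua: str):
    """Breaks at 100 by finding nothing: the pattern insists on exactly two
    digits followed by a dot, so 'Chrome/100.' never matches and the site
    falls through to its 'browser not supported' branch."""
    m = re.search(r"(?:Chrome|Firefox)/(\d\d)\.", ua)
    return int(m.group(1)) if m else None


def major_fragile_slice(ua: str):
    """Breaks at 100 by misreading it: a fixed two-character slice after the
    product token turns '100' into 10, which then fails any minimum-version
    check even though the browser is newer than anything on the list."""
    for token in ("Chrome/", "Firefox/"):
        i = ua.find(token)
        if i != -1:
            start = i + len(token)
            return int(ua[start:start + 2])   # hard-coded two-digit width
    return None


def major_robust(ua: str):
    """Tolerant parser: take the whole run of digits, whatever its length."""
    m = re.search(r"(?:Chrome|Firefox)/(\d+)", ua)
    return int(m.group(1)) if m else None


def is_supported(ua: str, parser, min_major: int = 90) -> bool:
    """Minimum-version gate as a site might apply it; min_major is a
    constructed threshold. Only the parser choice decides the outcome."""
    major = parser(ua)
    return major is not None and major >= min_major


if __name__ == "__main__":
    for name, parser in (("fragile regex", major_fragile_regex),
                         ("fragile slice", major_fragile_slice),
                         ("robust", major_robust)):
        print(name, parser(UA_CHROME_100), is_supported(UA_CHROME_100, parser))
```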
Desktops (Apple)

Zoom Update Prevents Microphone From Staying Active After Calls On Mac (9to5mac.com) 16

Popular video conferencing platform Zoom this week released an important update to its macOS app following user reports about the microphone not being disabled after ending a conference. Luckily, according to the company, this was just a bug that has now been fixed. 9to5Mac reports: Since December last year, a number of users have been complaining about this bug in the Zoom Community (via The Register). According to them, the Mac's microphone stayed active even after ending a Zoom conference -- which certainly raised privacy concerns.

Zoom has confirmed that there was a bug in its macOS app that could cause the orange microphone-in-use indicator to appear even after leaving a call. According to a company representative, the latest version of the app no longer has this problem: "We experienced a bug relating to the Zoom client for macOS, which could show the orange indicator light continue to appear after having left a meeting, call, or webinar. This bug was addressed in the Zoom client for macOS version 5.9.3 and we recommend you update to version 5.9.3 to apply the fix."

Privacy

Apple Says a 'Small Portion' of iPhones Recorded Interactions With Siri Even if You Opted Out (theverge.com) 21

Apple has acknowledged an iOS 15 bug that may have recorded interactions with Siri on some devices, regardless of whether the user opted out, according to a report from ZDNet. From a report: The bug automatically enabled the Improve Siri & Dictation setting that gives Apple permission to record, store, and review your conversations with Siri. Apple tells The Verge that it identified the bug shortly after the release of iOS 15, stopped reviewing any recordings inadvertently received, and is deleting info received from affected devices. After discovering the bug, the company turned off the feature for "many" users and corrected the opt-in setting when it released iOS 15.2. As ZDNet points out, this is the reason why you might get a prompt asking for your permission to enable the Improve Siri & Dictation feature once you install the new 15.4 beta or, eventually, its official release.
Bug

ExpressVPN Offering $100,000 To First Person Who Hacks Its Servers (bleepingcomputer.com) 28

ExpressVPN has updated its bug bounty program to make it more inviting to ethical hackers, now offering a one-time $100,000 bug bounty to whoever can compromise its systems. Bleeping Computer reports: Today, ExpressVPN announced that they are now offering a $100,000 bug bounty for critical vulnerabilities in their in-house technology, TrustedServer. "This is the highest single bounty offered on the Bugcrowd platform and 10 times higher than the top reward previously offered by ExpressVPN," the company shared in an email to BleepingComputer. The new $100,000 one-time bounty is offered with the following conditions:

- The first person to submit a valid vulnerability, granting unauthorized access or exposing customer data, will receive the $100,000 bounty. This one-time bonus is valid until the prize has been claimed.
- The one-time $100,000 bounty is only eligible for vulnerabilities in ExpressVPN's VPN Server.
- Activities should remain in scope to the TrustedServer platform. If unsure that your testing is considered in-scope, please reach out to support@bugcrowd.com to confirm first.

ExpressVPN also invites security researchers to uncover possible ways to leak the actual IP address of clients and monitor user traffic. The bug bounty program is run through BugCrowd, which offers a safe harbor for researchers who attempt to breach ExpressVPN's servers as part of the program.

KDE

KDE Plasma 5.24 Released (kde.org) 38

jrepin writes: Plasma is a popular desktop environment, which will also be powering the desktop mode on the Steam Deck hand-held gaming console. Today, KDE Community announced the release of KDE Plasma 5.24, a Long Term Support (LTS) release that will receive updates and bug fixes until the final Plasma 5 version, before the transition to Plasma 6.

This new Plasma release focuses on smoothing out wrinkles, evolving the design, and improving the overall feel and usability of the environment. Highlights include: Overview effect for managing all your desktops and application windows, easy discovery of KRunner features with the help assistant, and unlocking screen and authentication using fingerprint reader. You will also notice a new Honeywave wallpaper, the ability to pick any color for accent, and critically important Plasma notifications now come with an orange strip on the side to visually distinguish them from less urgent messages.

United States

Biden Administration Forms Cybersecurity Review Board To Probe Failures (wsj.com) 38

The Biden administration has formed a panel of senior administration officials and private-sector experts to investigate major national cybersecurity failures, and it will probe as its first case the recently discovered Log4j internet bug, officials said. From a report: The new Cyber Safety Review Board is tasked with examining significant cybersecurity events that affect government, business and critical infrastructure. It will publish reports on security findings and recommendations, officials said. Details of the board will be announced Thursday. The board, officials have said, is modeled loosely on the National Transportation Safety Board, which investigates and issues public reports on airplane crashes, train derailments and other transportation accidents. The new panel's authority derives from an executive order that President Biden signed in May to improve federal cybersecurity defenses.

The cyber board isn't an independent agency like the transportation board and will instead reside within the Department of Homeland Security. It will have 15 members -- three times as many as the full complement of the transportation board -- from government and the public sector who don't need to be confirmed by the Senate. It lacks subpoena power, unlike the transportation board. Homeland Security Secretary Alejandro Mayorkas said in an interview that the cyber board was intended to draw solutions to future problems from past cybersecurity crises, rather than casting blame where shortcomings are identified.

Intel

Intel Fails To Get Spectre, Meltdown Chip Flaw Class-action Suit Tossed Out (theregister.com) 32

"Intel will have to defend itself against claims that the semiconductor goliath knew its microprocessors were defective and failed to tell customers," reports the Register: On Wednesday, Judge Michael Simon, of the US District Court of Oregon, partially denied the tech giant's motion to dismiss a class-action lawsuit arising from the 2018 public disclosure of Meltdown and Spectre, the family of data-leaking chip microarchitecture design blunders....

To defend against Meltdown and Spectre, Intel and other affected vendors have had to add software and hardware mitigations that for some workloads make patched processors mildly to significantly slower. The disclosure of related flaws has continued since that time, as researchers develop variations on the initial attacks and find other parts of chips that similarly expose privileged data. It is a problem that still is not entirely solved...

[L]awsuits have been consolidated into a multi-district proceeding known as "Intel Corp. CPU Marketing, Sales Practices and Products Liability Litigation" (3:18-md-02828-SI). And since 2018, Intel has been trying to get them to go away. Twice before the judge had dismissed the plaintiffs' complaint while allowing the plaintiffs to amend and refile their allegations. This third time, the judge only partially granted Intel's motion to toss the case. Judge Simon dismissed claims based on purchases up through August 2017 because Intel was unaware of the microarchitecture vulnerabilities up to that point. But he allowed seven claims, from September 2017 onward, to proceed, finding the plaintiffs' contention that Intel delayed disclosure of the flaws to maximize holiday season sales plausible enough to allow the case to move forward.

"Based on plaintiffs' allegations, it is not clear that Intel had a countervailing business interest other than profit for delaying disclosure for as long as it did (through the holiday season), for downplaying the negative effects of the mitigation, for suppressing the effects of the mitigation, and for continuing to embargo further security exploits that affect only Intel processors," the judge wrote in his order. [PDF]

Bitcoin

DeFi Platform Qubit Finance Begs Hacker To Return $80 Million In Stolen Funds (zdnet.com) 70

Qubit Finance took to Twitter last night to beg hackers to return more than $80 million in stolen cryptocurrency this week. ZDNet reports: On Thursday, the DeFi platform said their protocol was exploited by a hacker who eventually stole 206,809 binance coins from Qubit's QBridge protocol, worth more than $80 million according to PeckShield. An hour after the first message, the company explained that they were tracking the exploiter and monitoring the stolen cryptocurrency. They noted that they contacted the hacker and offered them the maximum bug bounty in exchange for a return of the funds, something a number of other hacked DeFi platforms have tried with middling success. They shared multiple messages on Twitter that they purportedly sent to the hacker offering a bug bounty of $250,000 and begging for a return of the stolen funds.

"We propose you negotiate directly with us before taking any further action. The exploit and loss of funds have a profound effect on thousands of real people. If the maximum bounty offer is not what you are looking for, we are open to have a conversation. Let's figure out a situation," the Qubit Finance Team wrote. The company later explained in a blog post that their Qubit protocol "was subject to an exploit to our QBridge deposit function." [...] Blockchain security company CertiK released a detailed explanation of how the attack occurred and has been tracking the stolen funds as the hackers move them to different accounts. "For the non-technical readers, essentially what the attacker did is take advantage of a logical error in Qubit Finance's code that allowed them to input malicious data and withdraw tokens on Binance Smart Chain when none were deposited on Ethereum," CertiK explained.

Python

Apple Finally Removing Python 2 In macOS 12.3 (macrumors.com) 70

Apple will no longer bundle Python 2.7 with macOS 12.3, according to developer release notes for the upcoming software update. MacRumors reports: Python 2 has not been supported since January 1, 2020 and no longer receives any bug fixes, security patches, or other changes. Apple says that developers should use an alternative programming language instead, such as Python 3, but it's worth noting that Python 3 also does not come preinstalled on macOS. Developers can run the stub /usr/bin/python3 in Terminal, but it prompts users to install Xcode developer tools, which includes Python 3.
Security

An OpenSea Bug Let Attackers Snatch NFTs from Owners at Six-figure Discounts (theverge.com) 54

A bug in OpenSea, the popular NFT marketplace, has let hackers buy rare NFTs for well below market value, in some cases leading to hundreds of thousands of dollars in losses for the original owners -- and hundreds of thousands of dollars in profits for the apparent thieves. From a report: The bug appears to have been present for weeks and seems to be referenced in at least one tweet from January 1st, 2022. But exploitation of the bug has picked up significantly in the past day: blockchain analytics company Elliptic reported that in a 12-hour stretch before the morning of January 24th, it was exploited at least eight times to "steal" NFTs with a market value of over $1 million. One of the NFTs, Bored Ape Yacht Club #9991, was purchased using the exploit technique for 0.77 ETH ($1,760) and quickly resold for 84.2 ETH ($192,400), netting the attacker a profit of more than $190,000. An Ethereum address linked to the reseller had received more than 400 ETH ($904,000) in payouts from OpenSea in the same 12-hour period.

"It's a subjective thing whether you consider this to be a loophole or a bug, but the fact is that people are being forced into sales at a price they wouldn't otherwise have accepted right now," said Tom Robinson, chief scientist and co-founder of Elliptic. According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea's user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application.

Programming

Developer Who Intentionally Corrupted His Libraries Wants NPM To Restore His Publishing Rights (twitter.com) 251

Remember that developer who intentionally corrupted his two libraries which collectively had over 20 million weekly downloads and thousands of dependent projects? In the immediate aftermath he'd complained on Twitter that NPM "has reverted to a previous version of the faker.js package and Github has suspended my access to all public and private projects. I have 100s of projects. #AaronSwartz."

That was January 6th, and within about a week GitHub had restored his access, while one of his two libraries (faker-js) was forked by its community to create a community-driven project. But Thursday the developer announced on his Twitter account: What's up @Github? Ten days since you removed my ability to publish to NPM and fix the Infinity Zalgo bug in colors.js

Never responded to my support emails.

I have 100s of packages I need to maintain.

Everyone makes programming mistakes from time to time. Nobody is perfect.

It hasn't been confirmed that NPM has actually blocked his ability to publish — but the tweet already appears to be attracting reactions from other developers on social media.
Microsoft

Microsoft Released an Out-of-Band Update to Rollback January Patch's VPN Issues (bleepingcomputer.com) 18

"Microsoft's first Patch Tuesday for 2022 was a rocky start to the year, giving admins and users numerous headaches to deal with..." reports ZDNet. "The Windows Update on January 11 was intended to address 96 security flaws but also brought a load of pain for users and admins."

"One of the major issues that came up during the week for IT admins included finding that Windows Server 2012 became stuck in a boot loop," adds the Verge, "while other versions suffered broken Windows VPN clients, and some hard drives appeared as RAW format (and unusable). Many IT Admins were forced to roll back the updates — leaving many servers vulnerable with none of last week's security patches."

And now for some versions of Windows, this week Microsoft "released emergency out-of-band updates to address multiple issues..." reports BleepingComputer: "This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failure," the company said.... According to admin reports, Windows domain controllers were being plagued by spontaneous reboots, Hyper-V was no longer starting on Windows servers, and Windows Resilient File System (ReFS) volumes were no longer accessible after deploying the January 2022 updates. Windows 10 users and administrators also reported problems with L2TP VPN connections after installing the recent Windows 10 and Windows 11 cumulative updates and seeing "Can't connect to VPN." errors....

[S]ince Microsoft also bundles all the security updates with these Windows cumulative updates, removing them will also remove all fixes for vulnerabilities patched during the January 2022 Patch Tuesday.

While all the updates are available for download on the Microsoft Update Catalog, some of them can also be installed directly through Windows Update, notes Bleeping Computer. But "You will have to manually check for updates if you want to install the emergency fixes through Windows Update because they are optional updates and will not install automatically."

ZDNet adds: As Ask Woody's influential IT admin blogger Susan Bradley recently argued in 2020, Microsoft's decision to roll up patches in a big bundle on the second Tuesday of every month requires admins to place a great deal of trust in the company. That trust is eroded if applying the updates results in a lag on productivity from buggy patches.
Thanks to long-time Slashdot reader waspleg for sharing the story.

Android

Why is Android 12 So Buggy? (theverge.com) 80

Android 12 is one of the platform's most ambitious updates in recent history, bringing a major design overhaul to every corner of the operating system. It has also been one of the rockiest Android OS launches in the past few years. From a report: Both Samsung and OnePlus paused the rollout of their stable Android 12-based updates amid reports of serious bugs. Google itself has addressed a laundry list of bug reports from Pixel 6 owners, just as it's trying to convince them it's finally figured out how to build a truly premium phone. What in the heck is going on? The short answer is that there are some unique complicating factors at play this year but also that Android is inherently a little bit messy -- that just comes with the territory when you're designing a delightful public park compared to Apple's walled garden. Despite a refreshed look and some appealing new high-end handsets, Android is still Android -- the good and the bad.

To try and figure out what the heck is going on, we talked to Mishaal Rahman, former editor-in-chief of XDA Developers, who's well known for digging into Android codebases and discovering Google's secrets. Speaking to the Pixel 6 bugs in particular, Rahman guesses that it has a lot to do with the unusually large size of the update. "Many people have called it, myself included, the biggest OS update to Android since Android 5.0 Lollipop, and that was many years ago. There are just so many massive changes to the interface and to the feature set." He also suggests that Google's commitment to issue a new Android update every year can make things worse when it's trying to do so much, and the self-imposed one-year development cycle doesn't leave much wiggle room in the timeline. "They started immediately after Android 11 was released to the public -- and they have a hard cutoff date... After that, they just focus on fixing bugs." Delay any longer, and they'd risk bumping into next year's development cycle.

It's also possible that the attempt to bring timely Android updates to non-Google devices wound up backfiring. Android phone owners have been asking for faster updates for a long time -- outside of Google's Pixel phones and pricey flagships, many devices face long waits for OS updates. Sure enough, the updates have come faster this year. Case in point: Samsung users are accustomed to waiting about three months after an Android stable release to get their finished One UI update with the new version of the OS, but this year, One UI 4.0 arrived just one and a half months after Android 12. But the way things have gone this year, many users would likely have opted for a slower, stable update rather than a fast one riddled with bugs.

Safari

Safari Bug Can Leak Some of Your Google Account Info and Recent Browsing History (9to5mac.com) 11

A serious Safari bug disclosed in this blog post from FingerprintJS can disclose information about your recent browsing history and even some info of the logged-in Google account. From a report: A bug in Safari's IndexedDB implementation on Mac and iOS means that a website can see the names of databases for any domain, not just its own. The database names can then be used to extract identifying information from a lookup table. For instance, Google services store an IndexedDB instance for each of your logged in accounts, with the name of the database corresponding to your Google User ID. Using the exploit described in the blog post, a nefarious site could scrape your Google User ID and then use that ID to find out other personal information about you, as the ID is used to make API requests to Google services. In the proof-of-concept demo, the user's profile picture is revealed. FingerprintJS says they reported the bug to Apple on November 28, but it has not yet been resolved.

Transportation

Teen Hacker Finds Bug That Lets Him Control 25+ Teslas Remotely (arstechnica.com) 57

An anonymous reader quotes a report from Ars Technica: A young hacker and IT security researcher found a way to remotely interact with more than 25 Tesla electric vehicles in 13 countries, according to a Twitter thread he posted yesterday. David Colombo explained in the thread that the flaw was "not a vulnerability in Tesla's infrastructure. It's the owner's faults." He claimed to be able to disable a car's remote camera system, unlock doors and open windows, and even begin keyless driving. He could also determine the car's exact location.

However, Colombo clarified that he could not actually interact with any of the Teslas' steering, throttle, or brakes, so at least we don't have to worry about an army of remote-controlled EVs doing a Fate of the Furious reenactment. Colombo says he reported the issue to Tesla's security team, which is investigating the matter.
