Bug

Indie Dev Finds That Linux Users Generate More, Better Bug Reports (pcgamer.com) 58

An indie developer has made an interesting observation: Though only 5.8% of his game's buyers were playing on Linux, they generated over 38% of the bug reports. Not because the Linux platform was buggier, either. Only 3 of the roughly 400 bug reports submitted by Linux users were platform specific, that is, would only happen on Linux. PC Gamer reports: The developer, posting as Koderski for developer Kodera Software on Reddit, makes indie game [Delta] V: Rings of Saturn -- that's Delta V, or DV, for the non-rocket-science-literate. [...] Koderski says he's sold a little over 12,000 copies of his game, and about 700 of those were bought by Linux players. "I got 1040 bug reports in total, out of which roughly 400 are made by Linux players," says Koderski's post. "That's one report per 11.5 users on average, and one report per 1.75 Linux players. That's right, an average Linux player will get you 650% more bug reports." Koderski's numbers are a limited sample size drawn from one person's experience, but tell a compelling story.

Koderski also says that very few of those bugs were specific to Linux, being clear that "This 5.8% of players found 38% of all the bugs that affected everyone." The bug reports themselves were also pretty high quality, he said, including software and OS versions, logs, and steps for replication. Multiple commenters on the post chalked this up to the kind of people who use Linux: Software professionals, IT employees, and engineers who would already be familiar with official bug reporting processes. It's a strong theory as to why this might be, though the sheer passion that the gaming on Linux community has for anyone who supports their favorite hobby may be another.

Bitcoin

Bitcoin's Price Crashed 87% On Binance.US Thanks To a Bug (vice.com) 21

An anonymous reader quotes a report from Motherboard: Bitcoin is on a tear, reaching an all time high price of $67,000 for 1 BTC on Wednesday, buoyed by a series of approvals for Bitcoin futures funds on the stock market. But on one major U.S. exchange, the price flash-crashed 87 percent to roughly $8,200 on Thursday due to a bug in a trading algorithm. The crash occurred during a massive sell-off on the Binance.US exchange that occurred around 7:42 a.m. ET, Bloomberg reported. Binance is the largest cryptocurrency exchange in the world, and its Binance.US exchange is meant to be compliant with U.S. regulations, although it is still banned in several states.

According to a Binance.US spokesperson, the crash was due to an issue with a trading algorithm being run by one "institutional trader," which may indicate an investment fund of some sort. "One of our institutional traders indicated to us that they had a bug in their trading algorithm, which appears to have caused the sell-off," Binance.US told Bloomberg. "We are continuing to look into the event, but understand from the trader that they have now fixed their bug and that the issue appears to have been resolved." It's entirely possible that some lucky traders were at the right place at the right time and managed to snap up some incredibly cheap BTC, but mostly it's yet another example of weirdness along the edges of the crypto ecosystem.

Intel

Intel Open-sources AI-powered Tool To Spot Bugs in Code (venturebeat.com) 26

Intel has open-sourced ControlFlag, a tool that uses machine learning to detect problems in computer code -- ideally to reduce the time required to debug apps and software. From a report: In tests, the company's machine programming research team says that ControlFlag has found hundreds of defects in proprietary, "production-quality" software, demonstrating its usefulness. "Last year, ControlFlag identified a code anomaly in Client URL (cURL), a computer software project transferring data using various network protocols over one billion times a day," Intel principal AI scientist Justin Gottschlich wrote in a blog post on LinkedIn.

"Most recently, ControlFlag achieved state-of-the-art results by identifying hundreds of latent defects related to memory and potential system crash bugs in proprietary production-level software. In addition, ControlFlag found dozens of novel anomalies on several high-quality open-source software repositories." The demand for quality code draws an ever-growing number of aspiring programmers to the profession. After years of study, they learn to translate abstracts into concrete, executable programs -- but most spend the majority of their working hours not programming. A recent study found that the IT industry spent an estimated $2 trillion in 2020 in software development costs associated with debugging code, with an estimated 50% of IT budgets spent on debugging.

Safari

Apple's Safari Browser Runs the Risk of Becoming the New Internet Explorer -- Holding the Web Back for everyone (theregister.com) 156

Scott Gilbertson, writing for The Register: The legacy of Internet Explorer 6 haunts web developer nightmares to this day. Microsoft's browser of yore made their lives miserable and it's only slightly hyperbolic to say it very nearly destroyed the entire internet. It really was that bad, kids. It made us walk to school in the snow. Uphill. Both ways. You wouldn't understand. Or maybe you would. Today developers who want to use "cutting-edge" web APIs find themselves resorting to the same kind of browser-specific workarounds, but this time the browser dragging things down comes from Apple. Apple's Safari lags considerably behind its peers in supporting web features. Whether it's far enough behind to be considered "the new IE" is debatable and may say more about the shadow IE still casts across the web than it does about Safari. But Safari -- or more specifically the WebKit engine that powers it -- is well behind the competition. According to the Web Platform Tests dashboard, Chrome-based browsers support 94 per cent of the test suite, and Firefox pulls off 91 per cent, but Safari only manages 71 per cent.

On the desktop this doesn't matter all that much because users can always switch to Google Chrome (or even better, Vivaldi). On iOS devices, however, that's not possible. According to Apple's App Store rules: "apps that browse the web must use the appropriate WebKit framework and WebKit Javascript." Every iPhone user is a Safari/WebKit user whether they use Safari or Chrome. Apple has a browser monopoly on iOS, which is something Microsoft was never able to achieve with IE. In Windows you could at least install Firefox. If you do that on iOS it might say Firefox, but you're still using WebKit. The reality is if you have an iOS device, you use Safari and are bound by its limitations. Another thing web developers find distressing is Apple's slow development cycle. Apple updates Safari roughly every six months at best. Blink-based browsers update every six weeks (soon every four), Firefox releases every four weeks, and Brave releases every three. This means that not only is Apple slow to add new features, but its development cycle means that even simple bug fixes have to wait a long time before they actually land on users' devices. Safari workarounds are not quick fixes. If your website is affected by a Safari bug, you can expect to wait up to a year before the problem is solved. One theme that emerges when you dig into the Web Platform Tests data on Safari's shortcomings is that even where WebKit has implemented a feature, it's often not complete.

Bug

GPSD Bug Will Switch Your Time-Keeping Systems To March 2002 This Weekend, Unless You Update (zdnet.com) 60

"Apparently a bug in GPSD, the daemon responsible for deriving time from the GPS system, is going to trigger on October 24, 2021, jumping the time back to March of 2002," writes Slashdot reader suutar. "There's a fix that's been committed since August, but of course not everything is up to date." ZDNet's Steven J. Vaughan-Nichols writes: This will be ugly. Or, as Stephen Williams, who uncovered the bug put it, "I have a feeling that there will be some 'interesting moments' in the early morning when a bunch of the world's stratum 1 NTP servers using GPSD take the long strange trip back to 2002." GPSD maintainer Gary E. Miller has acknowledged the problem, and a fix has been made to the code. To be exact, the fix is in August 2021's GPSD 3.23 release. So, what's the problem if the fix is already in?

Well, there are two problems. First, it won't be backported to previous releases. If you're still using an older version, you may be out of luck. Second, as Miller observed, not all distros "pick up GPSD updates or upstream their patches. [This] is a very sore spot with me." So, just because your operating system is up to date does not mean that it will have the necessary GPSD fix. Miller suggests that you check it and do it yourself: "I [am] gonna fall back on Greg K_H's dictum: All users must update."

Oh, wondering what the mysterious root cause of all this commotion, GPS Week Rollover, is? It's a legacy GPS problem. The GPS signal's week number uses a 10-bit code with a maximum value of 1,023. This means that every 19.7 years, the GPS week number rolls over to zero. Or, as Miller noted, "This code is a 1024 week time warp waiting to happen." So, check your systems now for this problem. And, if, like most of us, you're relying on someone upstream from you for the correct time, check with them to make sure they've taken care of this forthcoming trouble.

AMD

AMD and Microsoft Issue Fixes For Ryzen CPU Slowdowns On Windows 11 (engadget.com) 34

AMD and Microsoft have issued patches to address the slowdowns reported with Ryzen processors when Windows 11 launched. Engadget reports: The latest chipset driver (version 3.10.08.506) should take care of the UEFI CPPC2 issue, which in some cases didn't "preferentially schedule threads on a processor's fastest core," AMD said. That could have slowed down apps that are sensitive to CPU thread performance. AMD noted that the problem was likely more noticeable in more powerful processors with more than eight cores and 65W or higher Thermal Design Power (TDP).

Meanwhile, Microsoft is rolling out a software update tackling a bug that increased L3 cache latency. The issue impacted apps that need quick memory access, which in turn caused CPUs to slow down by up to 15 percent. The patch, Windows 11 update KB5006746, will be available starting today, but at the time of writing, a page containing instructions for installing it isn't yet live. You should be able to install it via Windows Update too.

Microsoft

Microsoft Officially Deprecates UWP (thurrott.com) 44

Microsoft continues to baby-step around the obvious, but it has officially deprecated the Universal Windows Platform (UWP) as it pushes the desktop-focused Windows App SDK (formerly called Project Reunion) and WinUI 3 as the future of Windows application development. Paul Thurrott reports: For those unclear on the matter, the Windows App SDK basically takes key UWP technologies and new technologies like WinUI 3 that will not be backported to UWP and makes them available to developers in a way that is not tied to specific Windows releases (as was the case with individual UWP features). In this way, Microsoft can "deliver on the agility and backward compatibility developers need to reach across the entire Windows ecosystem" while not leaving developers behind. Going forward, UWP will only receive "bug, reliability, and security fixes," and not new features, Microsoft says, indicating that it is now deprecated. Developers with UWP apps in the market who "are happy with [the] current functionality in UWP" can of course continue to keep using UWP. But those who want "the latest runtime, language, and platform features," including WinUI 3, WebView 2, .NET 5, full compatibility with Windows 10 version 1809 or newer, and any upcoming new features will have to migrate their apps to the Windows App SDK.

BSD

OpenBSD 7.0 Released (openbsd.org) 12

Long-time Slashdot reader ArchieBunker writes: Everyone's favorite security focused operating system OpenBSD released version 7.0 Thursday. In addition to the usual bug fixes and performance enhancements, support for RISC-V processors has been added.

It's 26 years old, and still chugging along. One interesting feature highlighted by Phoronix: Improving the ARM64 platform support with improved drivers for the Apple Silicon / Apple M1 but still not considered ready yet for end-users. OpenBSD 7.0 improvements on the Apple M1 include support for installing on a disk with a GPT and various Apple driver improvements for USB, GPIO, SPMI, NVMe storage, and other Apple M1 hardware components.

Also check out the 7.0 Song: "The Style Hymn" (part of an archive of all the OpenBSD release songs).

Windows

Windows 11's First Update Makes AMD CPU Performance Even Worse (theverge.com) 50

AMD warned last week that its chips are experiencing performance issues in Windows 11, and now Microsoft's first update to its new OS has reportedly made the problems worse. From a report: TechPowerUp reports that it's seeing much higher latency, which means worse performance, after the Windows 11 update went live yesterday. AMD and Microsoft found two issues with Windows 11 on Ryzen processors. Windows 11 can cause L3 cache latency to triple, slowing performance by up to 15 percent in certain games. The second issue affects AMD's preferred core technology, that shifts threads over to the fastest core on a processor. AMD says this second bug could impact performance on CPU-reliant tasks. TechPowerUp measured the L3 cache latency on its Ryzen 7 2700X at around 10ns, and Windows 11 increased this to 17ns. "This was made much worse with the October 12 'Patch Tuesday' update, driving up the latency to 31.9ns," says TechPowerUp. That's a huge jump, and the exact type of issue AMD warned about.

Bug

LibreOffice, OpenOffice Bug Allows Hackers To Spoof Signed Docs (bleepingcomputer.com) 7

LibreOffice and OpenOffice have pushed updates to address a vulnerability that makes it possible for an attacker to manipulate documents to appear as signed by a trusted source. Although the severity of the flaw is classified as moderate, the implications could be dire. BleepingComputer reports: The discovery of the flaw, which is tracked as CVE-2021-41832 for OpenOffice, was the work of four researchers at the Ruhr University Bochum. The same flaw impacts LibreOffice, which is a fork of OpenOffice spawned from the main project over a decade ago, and for their project is tracked as CVE-2021-25635. If you're using either of the open-source office suites, you're advised to upgrade to the latest available version immediately. For OpenOffice, that would be 4.1.10 and later, and for LibreOffice, 7.0.5 or 7.1.1 and later. Since neither of these two applications offer auto-updating, you should do it manually by downloading the latest version from the respective download centers -- LibreOffice, OpenOffice. If you're using Linux and the aforementioned versions aren't available on your distribution's package manager yet, you are advised to download the "deb", or "rpm" package from the Download center or build LibreOffice from source. If updating to the latest version is not possible for any reason, you can always opt to completely disable the macro features on your office suite, or avoid trusting any documents containing macros.

Security

Apache Fixes Actively Exploited Web Server Zero-day (therecord.media) 34

The Apache Software Foundation has released a security patch to address a vulnerability in its HTTP Web Server project that has been actively exploited in the wild. From a report: Tracked as CVE-2021-41773, the vulnerability affects only Apache web servers running version 2.4.49 and occurs because of a bug in how the Apache server converts between different URL path schemes (a process called path or URI normalization). "An attacker could use a path traversal attack to map URLs to files outside the expected document root," the ASF team said in the Apache HTTP Server 2.4.50 changelog. "If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts," Apache engineers added. More than 120,000 servers are currently exposed online to attacks.

Bitcoin

Bug Puts $162 Million Up For Grabs, Says Founder of DeFi Platform Compound (cnbc.com) 36

We thought the carnage was over for popular decentralized finance, or DeFi, staking protocol Compound, but as it turns out, millions more than we thought are at risk. About $162 million is up for grabs after an upgrade gone very wrong, according to Robert Leshner, founder of Compound Labs. CNBC reports: At first, the Compound chief tweeted Friday that there was a cap to how many comp tokens could be accidentally distributed, noting that "the impact is bounded, at worst, 280,000 comp tokens," or about $92.6 million. But on Sunday morning, Leshner revealed that the pool of cash that had already been emptied once had been replenished -- exposing another 202,472.5 comp tokens to exploit, or roughly $66.9 million at its current price.

On Wednesday, Compound rolled out what should have been a pretty standard upgrade. Soon after implementation, however, it was clear that something had gone seriously wrong, once users started to receive millions of dollars in comp tokens. For example, $30 million worth of comp tokens were claimed in one transaction. The saving grace of the entire debacle, however, was the fact that the pool of cash that was open to exploit -- something called the Comptroller contract -- had a finite amount of tokens. The problem is that this leaky pool got a fresh influx of cash, and 0.5 comp tokens are being added roughly every 15 seconds, according to Gupta. "When the drip() function was called this morning, it sent the backlog (202,472.5, about two months of COMP since the last time the function was called) into the protocol for distribution to users," Leshner wrote in a tweet Sunday morning. Leshner noted that this brought the total comp at risk to 490,000 comp tokens, or about $162 million.

There are a few proposals to fix the bug, but Compound's governance model is such that any changes to the protocol require a multiday voting window, and Gupta said it takes another week for the successful proposal to be executed. In the meantime, this pool of cash is once again up for grabs for users who know how to exploit the bug. Compound made clear that no supplied or borrowed funds were at risk, which is some consolation. "No user funds are or were at risk so it's not that big of a deal," said Gupta. "Everyone kinda got diluted but didn't lose anything directly."

Bug

Researcher Refuses Telegram's Bounty Award, Discloses Auto-Delete Bug (arstechnica.com) 6

An anonymous reader quotes a report from Ars Technica: Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug isn't pleased with Telegram's months-long turnaround time -- and an offered $1,159 bounty award in exchange for his silence. In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release: Set messages to auto-delete for everyone 24 hours or 7 days after sending; Control auto-delete settings in any of your chats, as well as in groups and channels where you are an admin; and To enable auto-delete, right-click on the chat in the chat list > Clear History > Enable Auto-Delete. But in a few days, mononymous researcher Dmitrii discovered a concerning flaw in how the Telegram Android app had implemented self-destruction.

"Messages that should be auto-deleted from participants in private and private group chats were only 'deleted' visually [in the messaging window], but in reality, picture messages remained on the device [in] the cache," the researcher wrote in a roughly translated blog post published last week. Tracked as CVE-2021-41861, the flaw is rather simple. In the Telegram Android app versions 7.5.0 to 7.8.0, self-destructed images remain on the device in the /Storage/Emulated/0/Telegram/Telegram Image directory after approximately two to four uses of the self-destruct feature. But the UI appears to indicate to the user that the media was properly destroyed.

But for a simple bug like this, it wasn't easy to get Telegram's attention, Dmitrii explained. The researcher contacted Telegram in early March. And after a series of emails and text correspondence between the researcher and Telegram spanning months, the company reached out to Dmitrii in September, finally confirming the existence of the bug and collaborating with the researcher during beta testing. For his efforts, Dmitrii was offered a $1,159 bug bounty reward. Since then, the researcher claims he has been ghosted by Telegram, which has given no response and no reward. "I have not received the promised reward from Telegram in [$1,159] or any other," he wrote.

The Almighty Buck

Crypto Platform That Mistakenly Gave $90M to Its Users Asks Them To Please Give It Back (coindesk.com) 76

Bleeping Computer has an update on the unique predicament of Compound, "an Ethereum-based money market protocol that enables users to earn interest or borrow assets against collateral." (Which "Due to an erroneous upgrade process, the decentralized finance platform ended up spilling out Ethereum assets worth $90 million to its users...") Compound's founder Robert Leshner urged users who received these Compound tokens in error to return the assets to the platform's Timelock contract. To incentivize users, Leshner stated that for their "white-hat" behaviour they may keep 10% as a reward. "Otherwise, it's being reported as income to the IRS, and most of you are doxxed," threatened the founder in the same tweet... Realizing that the original wording of his tweet may not have sat well with many, Leshner revised his tone:

"I'm trying to do anything I can to help the community get some of its COMP back, and this was a bone-headed tweet / approach. That's on me," said Leshner. "Luckily, the community is much bigger, and smarter, than just me. I appreciate your ridicule and support...."

Because the Compound protocol requires a seven-day governance process before any production changes can be made, Compound's only option at this time is to wait on users, hoping they will return the assets.

CoinDesk reported Friday afternoon that "So far, two users have returned a total of 37,493 COMP tokens worth over $12 million at the time of writing." But on Saturday Leshner was tweeting out more thank-you's to additional white-hat users "returning COMP to the community." In an interview with CoinDesk, Leshner said the moral dilemma can be split roughly into two camps. "There's a lot of members of the community that view protocols like Compound as benefitting the entire ecosystem," he said. "And there are some users that don't necessarily care. The builder mindset is, 'This adds value, this is crucially important,' and the trader mindset is 'Money is money,' and that's the only ethos of crypto."

He went on: "I'm personally hopeful users will return funds to the community. It's not my property, it's not their property, it's the community's property...."

One suggestion from Twitter? "The first 5 people to return COMP get 1/5 pieces of Leshner NFT that can be combined Exodia style to summon Robert in real life." "This idea is crazy, and I'm in," Leshner tweeted, adding later that "Anyone who returns COMP to the community is an alien giga-chad; and if a squad of alien giga-chads ever summon me, I will appear."

Leshner told CoinDesk: "I want to hear other people's views on this, because it's not my decision," he said. "This is a decision every user has to make themselves, and I think most of them are taking the view of, 'Haha, f**k you guys, it's your problem.'"

Security

Hackers Bypass Coinbase 2FA To Steal Customer Funds (therecord.media) 13

An anonymous reader quotes a report from The Record: More than 6,000 Coinbase users had funds stolen from their accounts after hackers used a vulnerability in Coinbase's SMS-based two-factor authentication system to breach accounts. The intrusions took place earlier this year, between March and May, the exchange said in a data breach notification letter it has filed with US state attorney general offices. Coinbase said the attackers could exploit this bug only if they knew the victim's username and password. "While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor. We have not found any evidence that these third parties obtained this information from Coinbase itself," the company said. Coinbase said it would reimburse all users who lost funds in these intrusions.

The Almighty Buck

DeFi Bug Accidentally Gives $90 Million To Users (cnbc.com) 54

phalse phace writes: Robert Leshner, the founder of Compound Labs, just sent out a tweet pleading its users to return the $90.1 million in COMP tokens it accidentally deposited to user accounts.

Users of the popular DeFi staking protocol received the platform's crypto tokens after a system upgrade went epically wrong. As an incentive, Leshner told users to "keep 10% as a white-hat. Otherwise, it's being reported as income to the IRS, and most of you are doxxed."

In another tweet Leshner explains what happened: "A few hours ago, Proposal 62 went into effect, updating the Comptroller contract, which distributes COMP to users of the protocol. The new Comptroller contract contains a bug, causing some users to receive far too much COMP. All supplied assets, borrowed assets, and positions are completely unaffected. Users don't have to worry about their funds; the only risk is that you (or another user) receives an unfairly large quantity of COMP."

Security

Apple Pay With Visa Hacked To Make Payments Via Unlocked iPhones (threatpost.com) 48

Researchers have demonstrated that someone could use a stolen, unlocked iPhone to pay for thousands of dollars of goods or services, no authentication needed. Threatpost reports: An attacker who steals a locked iPhone can use a stored Visa card to make contactless payments worth up to thousands of dollars without unlocking the phone, researchers are warning. The problem is due to unpatched vulnerabilities in both the Apple Pay and Visa systems, according to an academic team from the Universities of Birmingham and Surrey, backed by the U.K.'s National Cyber Security Centre (NCSC). But Visa, for its part, said that Apple Pay payments are secure and that any real-world attacks would be difficult to carry out.

The team explained that fraudulent tap-and-go payments at card readers can be made using any iPhone that has a Visa card set up in "Express Transit" mode. Express Transit allows commuters around the world, including those riding the New York City subway, the Chicago El and the London Underground, to tap their phones on a reader to pay their fares without unlocking their devices. "An attacker only needs a stolen, powered-on iPhone," according to a writeup (PDF) published this week. "The transactions could also be relayed from an iPhone inside someone's bag, without their knowledge. The attacker needs no assistance from the merchant."

This attack is made possible by a combination of flaws in both Apple Pay and Visa's systems, the academic team noted. "The details of this vulnerability have been disclosed to Apple (Oct 2020) and to Visa (May 2021)," according to the writeup. "Both parties acknowledge the seriousness of the vulnerability, but have not come to an agreement on which party should implement a fix." "Variations of contactless-fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world," Visa said in a statement to the BBC, adding that its fraud-detection systems would flag any suspicious transactions. Apple meanwhile shifted the responsibility to Visa and told the outlet, "We take any threat to users' security very seriously. This is a concern with a Visa system, but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero-liability policy."

The researchers say users can protect themselves by not using Visa as a transport card in Apple Pay, and if they do, by remotely wiping the device if lost or stolen. The bug does not affect other types of payment cards or payment systems.

Programming

Developers Are Quitting To Escape From Your Bad Code (zdnet.com) 160

An anonymous reader shares an excerpt from a ZDNet article, written by Liam Tung: [A] survey has come up with another reason why your engineers might want to quit -- their fellow developers' terrible code. Software engineers have long struggled with 'technical debt' created by past coding practices that might have been clever but also were undocumented and exotic. At a high level, technical debt is the price paid by supporting legacy systems rather than overhauling them or implementing a better, new system. The term can span everything from a major IT implementation, such as a core banking system that requires a decade of bug fixes, to the choice of programming language to build backend systems. In the latter case, subsequent language updates can require today's developers to rewrite old code written by long-gone developers who wrote under different conditions and who might not have documented what they did and why they did it. That's a big problem for companies that have millions of lines of code written in a language.

Stepsize, a firm that focuses on technical debt by tracking development issues in major code editors such as VS Code, conducted a fairly small survey of 200 software engineers to find out why they leave their jobs. The company said that 51% of engineers in its survey have considered leaving or left a job because of technical debt. Of that group who feel irked by technical debt issues, some 20% said that type of debt is the main reason they left a company. The results should be taken in context: the company's key selling point is trying to solve technical debt challenges that organizations face, but at the same time, technical debt could be one area worthy of attention considering how hard it is to hire and retain software engineers.

Technical debt, or 'code quality and codebase health', was the fourth most important issue cited by respondents. Salary still trumped it, with 82% citing it as one of the "most important factors" when interviewing for a new role. The survey allowed respondents to choose several primary factors. "Technical challenges and growth opportunities" was the second priority, with 75% choosing it as one of the most important factors. Some 68% of respondents said remote work was the most important factor, while 62% said 'code quality and codebase health' was one of those prime factors.

Slashdot reader ellithligraw first shared the report, adding: "Yet another reason developers are quitting... to escape the technical debt, or schlock code, or code rot. COBOL anyone?"

IOS

iOS 15 Messages Bug Causes Saved Photos to Be Deleted (macrumors.com) 37

A serious bug in the iOS 15 Messages app can cause some saved photos to be deleted, according to multiple complaints reported by MacRumors readers and Twitter users. From the report: If you save a photo from a Messages thread and then go on to delete that thread, the next time an iCloud Backup is performed, the photo will disappear. Even though the image is saved to your personal iCloud Photo Library, it appears to still be linked to the Messages app in "iOS 15," and saving it does not persist through the deletion of the thread and an "iCloud" backup. This is a concern because most users keep the "iCloud" Backup feature enabled and it's something that happens automatically. If you're someone who regularly deletes message threads, if there's a photo that you want to keep, you won't be able to keep it with "iCloud" Backup turned on.

To replicate this bug, the following steps must be taken:
1. Save a photo from a Messages conversation to your Camera Roll.
2. Check to see that the photo has been saved.
3. Delete the Messages conversation the photo came from. The photo will still be in your "iCloud Photo Library" at this point.
4. Perform an "iCloud" Backup, and the photo disappears.
