Security

Apple Pays Hackers Six Figures To Find Bugs in Its Software. Then It Sits On Their Findings. (washingtonpost.com) 23

Lack of communication, confusion about payments and long delays have security researchers fed up with Apple's bug bounty program. The Washington Post: Hoping to discover hidden weaknesses, Apple for five years now has invited hackers to break into its services and its iconic phones and laptops, offering up to $1 million to learn of its most serious security flaws. [...] But many who are familiar with the program say Apple is slow to fix reported bugs and does not always pay hackers what they believe they're owed. Ultimately, they say, Apple's insular culture has hurt the program and created a blind spot on security. "It's a bug bounty program where the house always wins," said Katie Moussouris, CEO and founder of Luta Security, which worked with the Defense Department to set up its first bug bounty program. She said Apple's bad reputation in the security industry will lead to "less secure products for their customers and more cost down the line."

Apple said its program, launched in 2016, is a work in progress. Until 2019, the program was not officially opened to the public, although researchers say the program was never exclusive. [...] In interviews with more than two dozen security researchers, some of whom spoke on the condition of anonymity because of nondisclosure agreements, the approaches taken by Apple's rivals were held up for comparison. Facebook, Microsoft and Google publicize their programs and highlight security researchers who receive bounties in blog posts and leader boards. They hold conferences and provide resources to encourage a broad international audience to participate. And most of them pay more money each year than Apple, which is at times the world's most valuable company.

Microsoft paid $13.6 million in the 12-month period beginning July 2020. Google paid $6.7 million in 2020. Apple spent $3.7 million last year, Krstic said in his statement. He said that number is likely to increase this year. Payment amounts aren't the only measure of success, however. The best programs support open conversations between the hackers and the companies. Apple, already known for being tight-lipped, limits communication and feedback on why it chooses to pay or not pay for a bug, according to security researchers who have submitted bugs to the bounty program and a former employee who spoke on the condition of anonymity because of a nondisclosure agreement. Apple also has a massive backlog of bugs that it hasn't fixed, according to the former employee and a current employee, who also spoke on the condition of anonymity because of an NDA.

Security

McDonald's Leaks Password For Monopoly VIP Database To Winners (bleepingcomputer.com) 33

A bug in the McDonald's Monopoly VIP game in the United Kingdom caused the login names and passwords for the game's databases to be sent to all winners. BleepingComputer reports: After skipping a year due to COVID-19, McDonald's UK launched their popular Monopoly VIP game on August 25th, where customers can enter codes found on purchased food items for a chance to win a prize. These prizes include 100,000 pounds in cash, an Ibiza villa or UK getaway holiday, Lay-Z Spa hot tubs, and more. Unfortunately, the game hit a snag over the weekend after a bug caused the usernames and passwords for both the production and staging database servers to be included in prize redemption emails sent to prize winners.

An unredacted screenshot of the email sent to prize winners was shared with BleepingComputer by Troy Hunt. It shows an exception error that includes sensitive information for the web application: hostnames for Azure SQL databases and the databases' login names and passwords, as displayed in the redacted copy of the email sent to a Monopoly VIP winner. The prize winner who shared the email with Troy Hunt said that the production server was firewalled off but that they could access the staging server using the included credentials. As these databases may have contained winning prize codes, it could have allowed an unscrupulous person to download unused game codes to claim the prizes. Luckily for McDonald's, the person responsibly disclosed the issue to McDonald's, and while they did not receive a response, they later found that the staging server's password was soon changed.

Security

Ghostscript Zero-Day Allows Full Server Compromises (therecord.media) 40

Proof-of-concept exploit code was published online over the weekend for an unpatched Ghostscript vulnerability that puts all servers that rely on the component at risk of attacks. From a report: Published by Vietnamese security researcher Nguyen The Duc, the proof-of-concept code is available on GitHub and was confirmed to work by several of today's leading security researchers. Released back in 1988, Ghostscript is a small library that allows applications to process PDF documents and PostScript-based files. While its primary use is for desktop software, Ghostscript is also used server-side, where it is typically included with image conversion and file upload processing toolkits, such as the popular ImageMagick. The proof-of-concept code released by Nguyen on Sunday exploits this latter scenario, allowing an attacker to upload a malformed SVG file that escapes the image processing pipeline and runs malicious code on the underlying operating system. While Nguyen released the public exploit for this bug, he is not the one who discovered the vulnerability.

China

Chinese Hackers Behind July 2021 SolarWinds Zero-day Attacks (therecord.media) 13

In mid-July this year, Texas-based software provider SolarWinds released an emergency security update to patch a zero-day in its Serv-U file transferring technology that was being exploited in the wild. From a report: At the time, SolarWinds did not share any details about the attacks and only said that it learned of the bug from Microsoft's security team. In a blog post on Thursday, Microsoft revealed more details about the July attacks. The company said the zero-day was the work of a new threat actor the company was tracking as DEV-0322, which Microsoft described as "a group operating out of China, based on observed victimology, tactics, and procedures." Microsoft said the group targeted SolarWinds Serv-U servers "by connecting to the open SSH port and sending a malformed pre-auth connection request," which allowed DEV-0322 operators to run malicious code on the targeted system and take over vulnerable devices. The OS maker did not go into details about what the intruders did once they breached a target. It is unclear if the hackers were interested in cyber-espionage and intelligence collection or if DEV-0322 was a run-of-the-mill crypto-mining gang.

Android

Pixel 3 and 3 XL Phones Are Getting Stuck In EDL Mode and Seemingly Bricked (androidpolice.com) 72

New submitter throx shares a report from Android Police: For months users of the three-year-old Pixel 3 series have been complaining of a common and dreadful problem: seemingly random shutdowns that completely lock their devices. The Pixel 3 and 3 XL have been plagued by the "EDL Mode" bug, which locks the device with no screen or button inputs and makes it more or less impossible to use. To date there's no clear solution to this problem, at least not one that's easily available to even advanced users.

Google's official support channels are aware of the issue, which seems to be hitting more users in the last few months. But since more or less every Pixel 3 and 3 XL sold is out of warranty at this point, options are limited. You can start an official support ticket with Google and pay for a repair, or (as one volunteer on the Google support forums suggests) take it into an authorized repair shop to see if their Qualcomm tools can get the phone to wake up. At the time of writing there doesn't seem to be any indication of a user-accessible fix for the EDL issues.

Games

Poland's CD Projekt Working on Cyberpunk Expansion (reuters.com) 16

CD Projekt is working on a first expansion of Cyberpunk 2077, Chief Executive Adam Kicinski said after the Polish video games maker reported a first-half beat on its net profit. From a report: Cyberpunk 2077, featuring Hollywood star Keanu Reeves, was one of last year's most anticipated games, but after a bug-ridden start it was kept off Sony's (6758.T) PlayStation Store for six months, only returning in June. CD Projekt did not give an update on how many units of Cyberpunk it had sold in the first half of 2021, but company officials told a conference call that the game was the leading source of revenue in the period. Along with The Witcher 3: Wild Hunt, Cyberpunk drove CD Projekt's revenue 29% higher in the first half of the year to 470.6 million zlotys ($124 million).

CD Projekt said its net profit was 105 million zlotys, which was 28% lower compared to last year but above the 71 million expected by analysts. The planned Cyberpunk expansion would involve a charge to gamers, similar to the ones released for The Witcher, board member Michal Nowakowski said during Wednesday's call. "When we talk about expansions then we talk about bigger things," he said, while declining to give a specific timing for its release.

Bitcoin

Hackers Steal $29 Million From Crypto-Platform Cream Finance (therecord.media) 35

An anonymous reader quotes a report from The Record, written by Catalin Cimpanu: Hackers are estimated to have stolen more than $29 million in cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to lend, borrow and speculate on cryptocurrency price variations. The company confirmed the hack earlier today, half an hour after blockchain security firm PeckShield noticed signs of an ongoing attack. Cream Finance said the hacker used a "reentrancy attack" on its "flash loan" feature to steal 418,311,571 AMP tokens (estimated at around $25.1 million at the time of the hack) and 1,308.09 ETH (estimated at around $4.15 million). The term "flash loan" refers to a contract (script) running on the Ethereum blockchain that lets Cream Finance users borrow from the platform's funds without posting collateral, provided the loan is repaid within the same transaction.

Reentrancy attacks occur when a bug in one of these contracts lets an attacker call back into it, typically from a callback or token-transfer hook, before the contract has recorded the effect of the first call, so the same funds can be withdrawn repeatedly in a loop. PeckShield and Tal Be'ery, the founder of cryptocurrency wallet app ZenGo, confirmed that the Cream Finance hacker exploited the transfer hooks of the ERC777 token standard, which Cream Finance's contracts relied on when interacting with the underlying Ethereum blockchain. Be'ery told The Record today that ERC777 has enabled several reentrancy attacks on DeFi services, which keep relying on the standard despite its history of bad implementations, bugs and hacks. The ZenGo founder also told The Record that DeFi services need to develop or adopt a firewall-like system for their platforms in order to filter malicious requests to their underlying contracts, which are the backbone of their services and the targets of most of these hacks.
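The mechanism in the two paragraphs above, as an added example that is not Cream Finance's code or part of the original report: a toy lending pool in Python whose token payout invokes a receiver hook on the borrower (the role ERC777's tokensReceived hook plays on Ethereum). The vulnerable ordering calls the hook before recording the debt; the hardened ordering follows checks-effects-interactions. Pool, Attacker, the amounts and the account name are all constructed.

```python
"""Toy reentrancy simulation (added example; not Cream Finance's code).

A lending pool lets an account borrow up to its deposited collateral. Paying
out tokens invokes a receiver hook on the borrower, as ERC777's tokensReceived
hook does on Ethereum. In the vulnerable ordering the pool calls the hook
BEFORE it records the new debt, so a hook that calls borrow() again still
passes the collateral check. All names and amounts are constructed.
"""


class Pool:
    def __init__(self, liquidity, effects_first):
        self.liquidity = liquidity          # tokens available to lend
        self.collateral = {}                # account -> collateral deposited
        self.debt = {}                      # account -> outstanding debt
        self.effects_first = effects_first  # True: checks-effects-interactions

    def deposit(self, who, amount):
        self.collateral[who] = self.collateral.get(who, 0) + amount

    def borrowing_power(self, who):
        return self.collateral.get(who, 0) - self.debt.get(who, 0)

    def borrow(self, who, amount, receiver):
        # Checks
        if amount > self.borrowing_power(who):
            raise ValueError("insufficient collateral")
        if amount > self.liquidity:
            raise ValueError("insufficient liquidity")
        if self.effects_first:
            # Effects, then interaction: the ledger already shows the debt
            # when the external hook runs, so a re-entrant borrow fails.
            self.debt[who] = self.debt.get(who, 0) + amount
            self.liquidity -= amount
            receiver.tokens_received(self, amount)
        else:
            # Interaction before effects: the hook runs while the ledger
            # still shows zero debt for this borrower.
            self.liquidity -= amount
            receiver.tokens_received(self, amount)
            self.debt[who] = self.debt.get(who, 0) + amount


class Attacker:
    """Borrower whose receive hook re-enters the pool a fixed number of times."""

    def __init__(self, name, collateral, reentries):
        self.name = name
        self.collateral = collateral
        self.reentries = reentries
        self.received = 0

    def tokens_received(self, pool, amount):
        self.received += amount
        if self.reentries > 0:
            self.reentries -= 1
            try:
                pool.borrow(self.name, self.collateral, self)
            except ValueError:
                pass  # the hardened pool rejects the re-entrant call

    def run(self, pool):
        pool.deposit(self.name, self.collateral)
        pool.borrow(self.name, self.collateral, self)
        return self.received


def simulate(effects_first, liquidity=1000, collateral=100, reentries=4):
    """Return (tokens the attacker received, debt the pool recorded)."""
    pool = Pool(liquidity, effects_first)
    mallory = Attacker("mallory", collateral, reentries)
    got = mallory.run(pool)
    return got, pool.debt.get("mallory", 0)


if __name__ == "__main__":
    print("vulnerable:", simulate(effects_first=False))  # (500, 500)
    print("hardened:  ", simulate(effects_first=True))   # (100, 100)
```

With the vulnerable ordering the attacker walks away with 500 tokens against 100 of collateral, and the pool only notices the 500 of debt after the fact; with the state update moved ahead of the external call, the second borrow fails the collateral check and the attacker gets exactly the 100 they were entitled to.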

Iphone

'No Service' Bug Hits Some iOS 14.7.1 Users After Updating Their iPhones (zdnet.com) 26

"What seemed like a small update has, for some, turned into a huge headache," reports ZDNet: Over on Apple's support forum, there are several threads from users complaining that iOS 14.7.1 broke their iPhones, causing a "no service" problem where users are unable to connect to cell service. There are similar threads on Apple's developer forums as well.

While there doesn't seem to be a pattern to which phones are affected, I've seen reports of everything from the iPhone 6 to iPhone 12 affected, and the cause is clear — upgrading to iOS 14.7.1.

"Users are saying that restarting the phone, removing the SIM, and even resetting network settings didn't help," according to 9to5Mac (in an article shared by long-time Slashdot reader antdude).

Forbes reports the bug appears to happen when you lose your cellular connection and switch to WiFi calling, "so those living in areas with good reception may never see it. Of course, this scenario also helps to mask the scale of iPhones which might be affected." If you haven't upgraded to iOS 14.7.1 yet, this potentially crippling flaw could (understandably) put you off upgrading. The problem is that the release also contains a critical fix for a new zero-day security flaw...

Security

Critical Bug Impacting Millions of IoT Devices Lets Hackers Spy On You (bleepingcomputer.com) 42

An anonymous reader quotes a report from BleepingComputer: Security researchers are sounding the alarm on a critical vulnerability affecting tens of millions of devices worldwide connected via ThroughTek's Kalay IoT cloud platform. The security issue impacts products from various manufacturers providing video and surveillance solutions as well as home automation IoT systems that use the Kalay network for easy connection and communication with a corresponding app. A remote attacker could leverage the bug to gain access to the live audio and video streams, or to take control of the vulnerable device. Researchers at Mandiant's Red Team discovered the vulnerability at the end of 2020 and worked with the U.S. Cybersecurity and Infrastructure Security Agency and ThroughTek to coordinate the disclosure and create mitigation options.

Tracked as CVE-2021-28372, the issue is a device impersonation vulnerability that received a severity score of 9.6 out of 10. It affects the Kalay protocol, which is implemented as a software development kit (SDK) built into mobile and desktop applications. Mandiant's Jake Valletta, Erik Barzdukas and Dillon Franke looked at ThroughTek's Kalay protocol and found that registering a device on the Kalay network required only the device's unique identifier (UID). Following this lead, the researchers discovered that a Kalay client, such as a mobile app, usually receives the UID from a web API hosted by the vendor of the IoT device. An attacker who obtains the UID of a target system could register a device they control on the Kalay network under that UID and receive all client connection attempts meant for the real device. This would allow them to obtain the login credentials that provide remote access to the victim device's audio and video data. The researchers say that this type of access, combined with vulnerabilities in device-implemented RPC (remote procedure call) interfaces, can lead to complete device compromise. According to the latest data from ThroughTek, its Kalay platform has more than 83 million active devices and manages over 1 billion connections every month.
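The impersonation flow described above, as an added example that is not ThroughTek's code or part of the report: a toy rendezvous registry in Python that maps a UID to whichever endpoint registered it last, so a client that looks up the UID hands its credentials to the impostor. The hardened variant is one generic fix assumed here, not ThroughTek's actual mitigation: registration must prove possession of a per-device secret with an HMAC over a server-issued, single-use nonce. The UID, endpoint names and credentials are constructed.

```python
"""Toy rendezvous registry (added example; not ThroughTek's Kalay code).

Models the flaw: a registry that maps a device UID to whichever endpoint
registered it last, and clients that hand their device credentials to that
endpoint. The hardened variant is an assumed generic fix, not ThroughTek's:
registration must prove possession of a per-device secret with an HMAC over
a server-issued nonce. UID, credentials and endpoint names are constructed.
"""
import hashlib
import hmac
import os


class Endpoint:
    def __init__(self, name):
        self.name = name
        self.seen = []          # credentials this endpoint received

    def receive(self, credentials):
        self.seen.append(credentials)


class Registry:
    def __init__(self, require_proof):
        self.require_proof = require_proof
        self.endpoints = {}     # uid -> Endpoint currently registered
        self.device_keys = {}   # uid -> secret provisioned at manufacture
        self.nonces = {}        # uid -> outstanding registration challenge

    def provision(self, uid):
        key = os.urandom(32)
        self.device_keys[uid] = key
        return key

    def challenge(self, uid):
        nonce = os.urandom(16)
        self.nonces[uid] = nonce
        return nonce

    @staticmethod
    def proof(key, uid, endpoint_name, nonce):
        msg = b"|".join([uid.encode(), endpoint_name.encode(), nonce])
        return hmac.new(key, msg, hashlib.sha256).digest()

    def register(self, uid, endpoint, proof=None):
        if self.require_proof:
            key = self.device_keys.get(uid)
            nonce = self.nonces.pop(uid, None)   # single use: no replay
            if key is None or nonce is None or proof is None:
                return False
            expected = self.proof(key, uid, endpoint.name, nonce)
            if not hmac.compare_digest(expected, proof):
                return False
        self.endpoints[uid] = endpoint           # last writer wins
        return True

    def connect(self, uid, credentials):
        """Client sends its credentials to whoever holds the UID."""
        endpoint = self.endpoints.get(uid)
        if endpoint is None:
            return None
        endpoint.receive(credentials)
        return endpoint.name


def run_scenario(require_proof):
    """Return the name of the endpoint that ends up with the client's credentials."""
    reg = Registry(require_proof)
    uid = "ABCD1234EFGH"                         # constructed device UID
    camera, rogue = Endpoint("camera"), Endpoint("rogue")

    key = reg.provision(uid)                     # only the real camera holds the key
    nonce = reg.challenge(uid)
    assert reg.register(uid, camera, Registry.proof(key, uid, camera.name, nonce))

    # The attacker knows the UID (the vendor's web API hands it out) but not the key.
    nonce = reg.challenge(uid)
    forged = Registry.proof(os.urandom(32), uid, rogue.name, nonce)
    reg.register(uid, rogue, forged)

    return reg.connect(uid, "admin:hunter2")     # constructed credentials
```

Without the proof requirement the rogue registration silently displaces the camera and the client's login lands on the attacker's endpoint; with it, the forged HMAC is rejected and the UID stays bound to the device that can demonstrate the secret. Binding the proof to the endpoint name and a one-time nonce is what stops an observed registration from simply being replayed.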

The best way to protect yourself from this vulnerability is to keep your device software and applications updated to the latest version, and to use complex, unique login passwords. The report also recommends avoiding connecting to IoT devices from untrusted networks.

Bug

Linux Glibc Security Fix Created a Nastier Linux Bug (zdnet.com) 74

A fix that was made in early June to the GNU C Library (glibc) introduced a new and nastier problem. Steven J. Vaughan-Nichols writes via ZDNet: The first problem wasn't that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer wrote, "In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug." Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug. While checking the patch, Nikita Popov, a member of the CloudLinux TuxCare Team, found the problem. It turns out that it is possible to cause a situation where a segmentation fault could be triggered within the library. This can lead to any application using the library crashing. This, of course, would cause a Denial-of-Service (DoS) issue. This problem, unlike the earlier one, would be much easier to trigger. Whoops.

Red Hat gives the problem in its Common Vulnerability Scoring System (CVSS) a score of 7.5, which is "high." An attack using it would be easy to build and requires no privileges to be made. In short, it's bad news. Popov himself thinks "every Linux application including interpreters of other languages (python, PHP) is linked with glibc. It's the second important thing after the kernel itself, so the impact is quite high." [...] The good news is both the vulnerability and code fix have been submitted to the glibc development team. It has already been incorporated into upstream glibc.

In addition, a new test has been submitted to glibc's automated test suite to pick up this situation and prevent it from happening in the future. The bottom line is that changes in unrelated code paths can sometimes change behavior elsewhere without the programmer realizing what's going on. This test will catch this situation. The Linux distributors are still working out the best way to deploy the fix. In the meantime, if you want to be extra careful -- and I think you should be -- you should upgrade to the newest stable version of glibc, 2.34 or higher.

Firefox

Mozilla Tests If 'Firefox/100.0' User Agent Breaks Websites (bleepingcomputer.com) 44

Mozilla has launched an experiment where they change the Firefox browser user agent to a three-digit "Firefox/100.0" version to see if it will break websites. Bleeping Computer reports: A user agent is a string used by a web browser that includes information about the software, including its name, version, and technologies that it uses. When a new version of a browser is released, the developers also increment the version number in the user agent string. When visiting a website, the user agent string is sent to the website so that the site knows the software capabilities of the visitor. This information allows the website to modify its response to account for different features of browsers.

As Firefox version numbers are currently two digits, Mozilla developers are investigating if anything breaks when they release Firefox Nightly version 100 in March 2022. "We would like to run an experiment to test whether a UA string with a three-digit Firefox version number will break many sites," Mozilla Staff Engineering Program Manager Chris Peterson said in a bug post first spotted by Techdows. "This new temporary general.useragent.experiment.firefoxVersion pref can override the UA string's Firefox version." When conducting the test, an enrolled Firefox user will have their user agent changed to the following string with the hopes that if anything breaks, they will report it to Mozilla: "Mozilla/5.0 (Windows NT 10.0; rv:100.0) Gecko/20100101 Firefox/100.0."
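What actually breaks when the version grows a digit, as an added example that is not Mozilla's code or part of the experiment: two brittle version-sniffing patterns common in server-side code (a fixed-width slice and a lexical string comparison) beside a correct parse, all run in Python against two constructed UA strings, today's two-digit form and the "Firefox/100.0" form the experiment sends. The minimum-version threshold of 90 is assumed for illustration.

```python
"""Version-parsing pitfalls a three-digit Firefox version exposes (added example).

Two brittle patterns common in server-side browser sniffing, beside a correct
parse, run against constructed UA strings: today's two-digit form and the
"Firefox/100.0" form Mozilla's experiment sends.
"""
import re

UA_92 = "Mozilla/5.0 (Windows NT 10.0; rv:92.0) Gecko/20100101 Firefox/92.0"
UA_100 = "Mozilla/5.0 (Windows NT 10.0; rv:100.0) Gecko/20100101 Firefox/100.0"


def major_fixed_width(ua):
    """Brittle: assumes exactly two digits follow 'Firefox/'."""
    i = ua.find("Firefox/")
    if i < 0:
        return None
    return int(ua[i + 8:i + 10])          # 'Firefox/100.0' -> 10


def version_string(ua):
    m = re.search(r"Firefox/([\d.]+)", ua)
    return m.group(1) if m else None


def new_enough_lexical(ua, minimum="90.0"):
    """Brittle: compares version strings as text, so '100.0' < '90.0'."""
    v = version_string(ua)
    return v is not None and v >= minimum


def major(ua):
    """Correct: capture every digit of the major version, then convert."""
    m = re.search(r"Firefox/(\d+)\.", ua)
    return int(m.group(1)) if m else None


def new_enough(ua, minimum=90):
    v = major(ua)
    return v is not None and v >= minimum
```

Both brittle variants agree with the correct parser on Firefox 92 and only diverge at 100, which is exactly why the bug is invisible until the version rolls over and why Mozilla is testing it ahead of time: the fixed-width slice reads Firefox 100 as version 10, and the lexical comparison sorts "100.0" below "90.0", so a site gating a feature on a recent browser would lock out the newest release.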

Twitter

Twitter Algorithm Prefers Slimmer, Younger, Light-Skinned Faces (bbc.com) 45

An anonymous reader quotes a report from the BBC: A Twitter image-cropping algorithm prefers to show faces that are slimmer, younger and with lighter skin, a researcher has found. Bogdan Kulynyc won $3,500 in a Twitter-organized contest to find biases in its cropping algorithm. Earlier this year, Twitter's own research found the algorithm had a bias towards cropping out black faces. The "saliency algorithm" decided how images would be cropped in Twitter previews, before being clicked on to open at full size. But when two faces were in the same image, users discovered, the preview crop appeared to favor white faces, hiding the black faces until users clicked through. As a result the company revised how images were handled, saying cropping was best done by people.

The "algorithmic-bias bounty competition" was launched in July -- a reference to the widespread practice of companies offering "bug bounties" for researchers who find flaws in code -- with the aim of uncovering other harmful biases. And Mr Kulynyc, a graduate student at the Swiss Federal Institute of Technology in Lausanne's Security and Privacy Engineering Laboratory, discovered the "saliency" of a face in an image could be increased -- making it less likely to be hidden by the cropping algorithm -- by "making the person's skin lighter or warmer and smoother; and quite often changing the appearance to that of a younger, more slim, and more stereotypically feminine person".

Awarding him first prize, Twitter said his discovery showed beauty filters could be used to game the algorithm and "how algorithmic models amplify real-world biases and societal expectations of beauty." Second prize went to Halt AI, a female-founded University of Toronto start-up Twitter said showed the algorithm could perpetuate marginalization in the way images were cropped. For example, "images of the elderly and disabled were further marginalized", the company said. Taraaz Research founder Roya Pakzad won third prize for an entry that showed the algorithm was more likely to crop out Arabic text than English in memes.

Security

DEF CON: Security Holes In Deere, Case IH Shine Spotlight On Agriculture Cyber Risk (securityledger.com) 48

chicksdaddy shares a report from The Security Ledger: A lot has changed in the agriculture sector in the last decade. And farm country's cybersecurity bill has come due in a big way. A (virtual) presentation at the annual DEF CON hacking conference in Las Vegas on Sunday described a host of serious, remotely exploitable holes in software and services by U.S. agricultural equipment giants John Deere and Case IH, The Security Ledger reports. Together, the security flaws and misconfigurations could have given nation-state hackers access to Deere's global product infrastructure, sensitive customer and third-party data and, potentially, the ability to remotely access critical farm equipment like planters and harvesters that are the lynchpin of the U.S. food chain.

The talk is the most detailed presentation, to date, of a range of flaws in Deere software and services that were first identified and disclosed to the company in April. The disclosure of two of those flaws in the company's public-facing web applications set off a scramble by Deere and other agricultural equipment makers to patch the flaws, unveil a bug bounty program and to hire cyber security and embedded device security talent.

In addition to a slew of common web flaws like Cross-Site Scripting and account-enumeration bugs linked to Deere's web site and public APIs, the researchers discovered a vulnerability (CVE-2021-27653) in third-party software by Pegasystems, a maker of customer relationship management (CRM) software that Deere uses. A misconfiguration of that software gave the researchers administrative access to the remote, back-end Pegasystems server. With wide-ranging administrative access to the production back-end Pega server, the researchers were able to obtain other administrative Pegasystems credentials including passwords, security audit logs, as well as John Deere's Okta signing certificate for the Pegasystems server, according to the presentation. In an email statement to The Security Ledger, a John Deere spokesperson said that "none of the claims -- including those identified at DEF CON -- have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information," though data included in the presentation as well as prior public disclosures make clear that sensitive data on Deere employees, equipment, customers and suppliers was exposed.

United States

US Developer's Workstation Exposed State Department's Network Data, Researchers Find (forbes.com) 16

Long-time Slashdot reader chicksdaddy writes: Sensitive systems and data for the U.S. Department of State could have been exposed by a third party development workstation running the eXide software, according to researchers for the hacking crew Sakura Samurai. According to a report in Forbes, the researchers took advantage of a new State Department Vulnerability Disclosure Program to look for security flaws in one of 8 wild-carded State Department domains included in the program. Using automated tools to do reconnaissance on one of the subdomains the State Department had included in its VDP, researcher Jackson Henry discovered a vulnerable workstation running the open source, web based eXide IDE. It was linked to a third party doing work for the State Department and contained a number of serious security holes including Cross Site Scripting (XSS), Remote File Inclusion (RFI), and Server Side Request Forgery (SSRF) flaws. All are powerful weapons in the hands of a sophisticated cyber adversary.

After reporting their findings to the State Department on April 27th, researcher Jackson Henry and Sakura Samurai received acknowledgement of their report on April 29th. The vulnerable endpoint in question was taken offline by the State Department by May 13th. Henry and Sakura Samurai then began working with the State Department on public disclosure of the vulnerabilities, while also communicating with the developers responsible for the open source project to get the flaws fixed, according to communications shared with Forbes.

The discovery of flaws buried in an open source development tool underscores the risks that federal agencies face as more and more government business shifts to the web. "The State Department can't audit every open source package it uses," Henry said. "That's why the VDP is such a big thing (and) a step in the right direction."

It is also an endorsement of the benefits of a quiet security revolution within the federal government in recent months, as agencies have responded to Binding Operational Directive 20-01, a new requirement from CISA, the Cybersecurity and Infrastructure Security Agency, that Executive Branch agencies publish and maintain public vulnerability disclosure programs, or VDPs, a kind of front door for bug hunters and "white hat" cybersecurity professionals.

Privacy

Google+ Class Action Starts Paying Out $2.15 For G+ Privacy Violations (arstechnica.com) 15

Ron Amadeo writing via Ars Technica: Who remembers the sudden and dramatic death of Google+? Google's Facebook competitor and "social backbone" was effectively dead inside the company around 2014, but Google let the failed service hang around for years in maintenance mode while the company spun off standalone products. In 2018, The Wall Street Journal reported that Google+ had exposed the private data of "hundreds of thousands of users" for years, that Google knew about the problem, and that the company opted not to disclose the data leak for fear of regulatory scrutiny. In the wake of the report, Google was forced to acknowledge the data leak, and the company admitted that the "private" data of 500,000 accounts actually wasn't private. Since nobody worked on Google+ anymore, Google's "fix" for the bug was to close Google+ entirely. Then the lawsuits started.

Today's class-action lawsuit, Matt Matic and Zak Harris v. Google, was filed in October 2018 and blames Google's "lax approach to data security" for the bugs. The complaint added, "Worse, after discovery of this vulnerability in the Google+ platform, Defendants kept silent for at least seven months, making a calculated decision not to inform users that their Personal Information was compromised, further compromising the privacy of consumers' information and exposing them to risk of identity theft or worse." The case website with full details is at googleplusdatalitigation.com. The case was settled in June 2020, with Google agreeing to pay out $7.5 million. After losing about half of that money to legal and administrative fees, and with 1,720,029 people filling out the right forms by the October 2020 deadline, the payout for each person is a whopping $2.15.

Security

Amazon and Google Patch Major Bug in Their DNS-as-a-Service Platforms (therecord.media) 11

At the Black Hat security conference Wednesday, two security researchers disclosed a security issue impacting hosted DNS service providers that can be abused to hijack the platform's nodes, intercept some of the incoming DNS traffic, and then map customers' internal networks. From a report: Discovered by Shir Tamari and Ami Luttwak from cloud security company Wiz, the vulnerability highlights the amount of sensitive information collected by managed DNS platforms and their attractiveness from a cyber-espionage and intelligence data collection standpoint.

Also known as DNS-as-a-Service providers, these companies effectively rent DNS servers to corporate entities. While it's not hard to run your own DNS name server, the benefit of using a service like AWS Route53 or the Google Cloud Platform is that companies can offload managing DNS server infrastructure to a third party and take advantage of better uptime and top-notch security. Companies that sign up for a managed DNS provider typically have to onboard their internal domain names with the service provider. This typically means companies have to go to a backend portal and add their company.com and other domains to one of the provider's name servers (i.e., ns-1611.awsdns-09.co.uk). Once this is done, when a company employee wants to connect to an intranet app or an internet website, their computer's DNS lookup is ultimately answered by the third-party name server. What the Wiz team discovered was that several managed DNS providers did not block customers from registering the names of the providers' own name servers as hosted zones: nothing in their backends blacklisted those hostnames.
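One way a provider backend could close the gap described above, as an added example that is not AWS's or Google's code and not part of the report: a zone-creation guard in Python that rejects any customer zone that would be authoritative for, or sit under, one of the provider's own name-server hostnames. The name-server list is constructed around the hostname the report mentions, and the guard itself is an assumption about how such a check could look, not a description of how either vendor fixed the issue.

```python
"""Zone-name guard for a managed DNS backend (added example; not AWS's or Google's code).

Rejects any hosted zone that would be authoritative for, or sit under, one
of the provider's own name-server hostnames. The name-server list is
constructed around the hostname the report mentions.
"""

PROVIDER_NS = [
    "ns-1611.awsdns-09.co.uk",      # hostname from the report above
    "ns-2047.awsdns-63.org",        # constructed
]


def normalize(name):
    """Lower-case, strip surrounding whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


def authoritative_for(zone, host):
    """True if a zone named `zone` would answer queries for `host`."""
    return host == zone or host.endswith("." + zone)


def zone_creation_allowed(zone, provider_ns=PROVIDER_NS):
    zone = normalize(zone)
    if not zone or zone.startswith(".") or ".." in zone:
        return False
    for ns in map(normalize, provider_ns):
        # Reject both a parent of the NS name ("awsdns-09.co.uk") and a
        # child of it ("rogue.ns-1611.awsdns-09.co.uk"), as well as the
        # exact name; each would let a customer answer for provider traffic.
        if authoritative_for(zone, ns) or authoritative_for(ns, zone):
            return False
    return True
```

The check deliberately matches on label boundaries rather than substrings, so a customer zone such as awsdns-09.co.uk.example.com, which merely contains a provider name, is still accepted, while case and a trailing root dot are normalized away before comparison so they cannot be used to slip past the denylist.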

Security

Google Launches New Bug Hunters Vulnerability Rewards Platform (bleepingcomputer.com) 4

Google has announced a new platform and community designed to host all its Vulnerability Rewards Programs (VRP) under the same roof. From a report: Since launching its first VRP more than ten years ago, the company has rewarded 2,022 security researchers from 84 different countries worldwide for reporting over 11,000 bugs. [...] "To celebrate our anniversary and ensure the next 10 years are just as (or even more) successful and collaborative, we are excited to announce the launch of our new platform, bughunters.google.com," Google said.

"This new site brings all of our VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues." The new VRP platform should provide researchers with per-country leaderboards, healthier competition via gamification, awards/badges for specific bugs, and more opportunities for interaction. Google also launched a new Bug Hunter University, which would allow bug hunters to brush up on their skills or start a hunting learning streak.

Bug

Everyone Cites That 'Bugs Are 100x More Expensive To Fix in Production' Research, But the Study Might Not Even Exist (theregister.com) 118

"Software research is a train wreck," says Hillel Wayne, a Chicago-based software consultant who specialises in formal methods, instancing the received wisdom that bugs are way more expensive to fix once software is deployed. Wayne did some research, noting that "if you Google 'cost of a software bug' you will get tons of articles that say 'bugs found in requirements are 100x cheaper than bugs found in implementations.' They all use this chart from the 'IBM Systems Sciences Institute'... There's one tiny problem with the IBM Systems Sciences Institute study: it doesn't exist." The Register: Laurent Bossavit, an Agile methodology expert and technical advisor at software consultancy CodeWorks in Paris, has dedicated some time to this matter, and has a post on GitHub called "Degrees of intellectual dishonesty". Bossavit referenced a successful 1987 book by Roger S Pressman called Software Engineering: a Practitioner's Approach, which states: "To illustrate the cost impact of early error detection, we consider a series of relative costs that are based on actual cost data collected for large software projects [IBM81]." The reference to [IBM81] notes that the information comes from "course notes" at the IBM Systems Sciences Institute. Bossavit discovered, though, that many other publications have referenced Pressman's book as the authoritative source for this research, disguising its tentative nature.

Bossavit took the time to investigate the existence of the IBM Systems Science Institute, concluding that it was "an internal training program for employees." No data was available to support the figures in the chart, which shows a neat 100x the cost of fixing a bug once software is in maintenance. "The original project data, if any exist, are not more recent than 1981, and probably older; and could be as old as 1967," said Bossavit, who also described "wanting to crawl into a hole when I encounter bullshit masquerading as empirical support for a claim, such as 'defects cost more to fix the later you fix them'."

Bug

MITRE Updates List of Top 25 Most Dangerous Software Bugs (bleepingcomputer.com) 16

An anonymous reader quotes a report from BleepingComputer: MITRE has shared this year's top 25 list of most common and dangerous weaknesses plaguing software throughout the previous two years. MITRE developed the top 25 list using Common Vulnerabilities and Exposures (CVE) data from 2019 and 2020 obtained from the National Vulnerability Database (NVD) (roughly 27,000 CVEs). "A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation," MITRE explained. "This approach provides an objective look at what vulnerabilities are currently seen in the real world, creates a foundation of analytical rigor built on publicly reported vulnerabilities instead of subjective surveys and opinions, and makes the process easily repeatable."

MITRE's 2021 top 25 bugs are dangerous because they are usually easy to discover, have a high impact, and are prevalent in software released during the last two years. They can also be abused by attackers to potentially take complete control of vulnerable systems, steal targets' sensitive data, or trigger a denial-of-service (DoS) following successful exploitation. The list [here] provides insight to the community at large into the most critical and current software security weaknesses.
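The scoring formula the MITRE quote above only names, as an added example that reproduces MITRE's published methodology on constructed data rather than on NVD records: each weakness's frequency (CVEs mapped to it) and its average CVSS score are min-max normalized across all weaknesses in the set, and the score is their product times 100. The CVE sample is constructed for illustration; the CWE identifiers are real but the counts and scores are not.

```python
"""MITRE CWE Top 25 scoring, reproduced on constructed data (added example).

Frequency (number of CVEs mapped to a CWE) and average CVSS are each min-max
normalized across the CWEs in the data set; score = Fr * Sv * 100. The CVE
sample below is constructed, not NVD data.
"""
from collections import defaultdict

# (root-cause CWE, CVSS base score) for each CVE in the constructed sample
SAMPLE_CVES = [
    ("CWE-79", 6.1), ("CWE-79", 6.1), ("CWE-79", 6.1), ("CWE-79", 6.1),
    ("CWE-787", 9.8), ("CWE-787", 9.8), ("CWE-787", 9.8),
    ("CWE-89", 9.8), ("CWE-89", 8.6),
    ("CWE-20", 7.5),
]


def _minmax(value, lo, hi):
    """Scale value into [0, 1] over the observed range; 0 when there is no range."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def top25_scores(cves):
    """Return [(cwe, score), ...] sorted by descending score, then CWE id."""
    count = defaultdict(int)
    total = defaultdict(float)
    for cwe, cvss in cves:
        count[cwe] += 1
        total[cwe] += cvss
    avg = {cwe: total[cwe] / count[cwe] for cwe in count}

    f_lo, f_hi = min(count.values()), max(count.values())
    s_lo, s_hi = min(avg.values()), max(avg.values())

    scores = {}
    for cwe in count:
        fr = _minmax(count[cwe], f_lo, f_hi)   # normalized frequency
        sv = _minmax(avg[cwe], s_lo, s_hi)     # normalized severity
        scores[cwe] = round(fr * sv * 100, 2)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for cwe, score in top25_scores(SAMPLE_CVES):
        print(f"{cwe:8} {score:6.2f}")
```

The sample is chosen to show a property of the formula that the prose does not: because both factors are min-max normalized, the least frequent weakness (CWE-20 here) and the least severe one (CWE-79, the most frequent in the sample) both score exactly zero, so a weakness can be both common and dangerous in absolute terms and still be ranked last if it sits at one end of either range.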
