Google

Google Resumes Its Senseless Attack On the URL Bar, Hides Full Addresses On Chrome 85 (androidpolice.com) 59

Google is pressing on with new plans to hide all parts of web addresses except the domain name. Android Police reports: A few new feature flags have appeared in Chrome's Dev and Canary channels (V85), which modify the appearance and behavior of web addresses in the address bar. The main flag is called "Omnibox UI Hide Steady-State URL Path, Query, and Ref" which hides everything in the current web address except the domain name. For example, "https://www.androidpolice.com/2020/06/07/lenovo-ideapad-flex-5-chromebook-review/" is simply displayed as "androidpolice.com." There are two additional flags that modify this behavior. One reveals the full address once you hover over the address bar (instead of having to click it), while the other only hides the address bar once you interact with the page. An issue page on the Chromium Bug tracker has also been created for keeping track of the changes, though there aren't any additional details there.

There's no public explanation yet for why Google is pressing ahead with these changes, but the company has said in the past that it believes showing the full address can make it harder to tell if the current site is legitimate. "Showing the full URL may detract from the parts of the URL that are more important to making a security decision on a webpage," Chromium software engineer Livvie Lin said in a design document earlier this year.
Google has since clarified how the experiment will work and what opt-out options will be available.

"We think this is an important problem area to explore because phishing and other forms of social engineering are still rampant on the web," a Chromium developer on the bug tracker for the change said, "and much research shows that browsers' current URL display patterns aren't effective defenses. We're implementing this simplified domain display experiment so that we can conduct qualitative and quantitative research to understand if it helps users identify malicious websites more accurately."

It was also confirmed that Google will keep the opt-out mechanism that is already present -- an 'Always show full URLs' setting that appears when you right-click the address bar. "We plan to support this opt-out option indefinitely," the same developer said.
Programming

New FreeBSD Code of Conduct (freebsd.org) 150

An anonymous reader writes: FreeBSD has adopted a new LLVM-derived code of conduct. The code of conduct requires users to: be friendly and patient,
be welcoming,
be considerate,
be respectful,
be careful in the words that you choose and be kind to others,
when we disagree, try to understand why.

This isn't an exhaustive list of things that you can't do. Rather, take it in the spirit in which it's intended - a guide to make it easier to communicate and participate in the community. This code of conduct applies to all spaces managed by the FreeBSD project. This includes online chat, mailing lists, bug trackers, FreeBSD events such as the developer meetings and socials, and any other forums created by the project that the community uses for communication. It applies to all of your communication and conduct in these spaces, including emails, chats, things you say, slides, videos, posters, signs, or even t-shirts you display in these spaces. In addition, violations of this code outside these spaces may, in rare cases, affect a person's ability to participate within them, when the conduct amounts to an egregious violation of this code.

Google

Playing Around With the Fuchsia OS (quarkslab.com) 102

Security and software development company Quarkslab played around with Google's new Fuchsia operating system, which could one day replace Android on smartphones and Chrome OS on laptops. The researchers "decided to give a quick look at Fuchsia, learn about its inner design, security properties, strengths and weaknesses, and find ways to attack it." Here's what they concluded: Fuchsia's micro kernel is called Zircon. It is written in C++. [...] Contrary to every other major OS, it appears rather difficult to target the Zircon kernel directly. A successful RCE (Remote Code Execution) on the world-facing parts of the system (USB, Bluetooth, network stack, etc) will only give you control over the targeted components, but they run in independent userland processes, not in the kernel. From a component, you then need to escalate privileges to the kernel using the limited number of syscalls you can access with the handles you have. Overall, it seems easier to target other components rather than the kernel, and to focus on components that you can talk to via IPC and that you know have interesting handles.

Overall, Fuchsia exhibits interesting security properties compared to other OSes such as Android. A few days of vulnerability research allowed us to conclude that the common programming bugs found in other OSes can also be found in Fuchsia. However, while these bugs can often be considered as vulnerabilities in other OSes, they turn out to be uninteresting on Fuchsia, because their impact is, for the most part, mitigated by Fuchsia's security properties. We note however that these security properties do not -- and in fact, cannot -- hold in the lowest layers of the kernel related to virtualization, exception handling and scheduling, and that any bug here remains exploitable just like on any other OS. All the bugs we found were reported to Google, and are now fixed.

Again, it is not clear where Fuchsia is heading, and whether it is just a research OS as Google claims or a real OS that is vowed to be used on future products. What's clear, though, is that it has the potential to significantly increase the difficulty for attackers to compromise devices.

Intel

New CrossTalk Attack Impacts Intel's Mobile, Desktop, and Server CPUs (zdnet.com) 40

Academics from a university in the Netherlands have published details today about a new vulnerability in Intel processors. From a report: The security bug, which they named CrossTalk, enables attacker-controlled code executing on one CPU core to leak sensitive data from other software running on a different core. The Vrije University's Systems and Network Security Group (VUSec) says the CrossTalk vulnerability is another type of MDS (microarchitectural data sampling) attack. MDS attacks target user data while in a "transient" state, as it's being processed inside the CPU and its many data-caching systems. More specifically, CrossTalk attacks data while it's being processed by the CPU's Line Fill Buffer (LFB), one of these aforementioned CPU cache systems. According to the VUSec team, the LFB cache actually works with a previously undocumented memory "staging buffer" that is shared by all CPU cores.
Android

New Cold Boot Attack Affects Seven Years of LG Android Smartphones (zdnet.com) 10

South Korean phone manufacturer LG released a security update last month to fix a vulnerability that impacts its Android smartphones sold over the past seven years. From a report: The vulnerability, tracked under the identifier of CVE-2020-12753, impacts the bootloader component that ships with LG smartphones. In March this year, US software engineer Max Thomas discovered a vulnerability in the bootloader component that had been added to LG smartphones starting with the LG Nexus 5 series. In a technical breakdown of the vulnerability published on Tuesday, Thomas says the bootloader component's graphics package contains a bug that lets attackers sneak in their own code to run alongside the bootloader's graphics under certain conditions, such as when the battery dies out and when the device is in the bootloader's Download Mode. Thomas says that threat actors who perfectly time an attack can gain the ability to run their own custom code, which could allow them to take over the bootloader, and inherently the entire device.
Security

Setting This Image As Wallpaper Could Soft-Brick Your Phone (androidauthority.com) 42

Well-known leaker Universe Ice on Twitter, along with dozens of other users, has discovered that simply setting an image as wallpaper on your phone could cause it to crash and become unable to boot. Android Authority reports: Based on user reports, many models from Samsung and Google are affected, while we've also seen some reports from users of OnePlus, Nokia, and Xiaomi devices (it's not clear if these latter devices ran stock software or custom ROMs). From our own testing and looking at user reports, Huawei devices seem to be less exposed to the wallpaper crash issue. There are a few solutions, depending on how hard the phone is hit. Some users were able to change the wallpaper in the short interval between crashes. Others had success deleting the wallpaper using the recovery tool TWRP. But in most cases, the only solution was to reset the phone to factory settings, losing any data that's not backed up.

The issue affects up-to-date phones running Android 10, but as it turns out, it's not actually new. Users have been reporting similar problems for a couple of years, and just last month Android Police reported on what appears to be a closely related issue specifically impacting Pixel phones running the Google Wallpapers app. [...] An issue with a very similar description has been reported in Google's Android issue tracker back in 2018. At the time, Google developers said they were unable to reproduce the issue and closed it out (Hat tip: inverimus on Reddit).

Bug

Finding Serious 'Sign In with Apple' Hole Earns Security Researcher a $100,000 Bug Bounty (forbes.com) 21

An anonymous reader quotes Forbes: When Apple announced Sign in with Apple at the June 2019 worldwide developers conference, it called it a "more private way to simply and quickly sign into apps and websites." The idea was, and still is, a good one: replace social logins that can be used to collect personal data with a secure authentication system backed by Apple's promise not to profile users or their app activity... Unsurprisingly, it has been pushed as being a more privacy-oriented option than using your Facebook or Google account.

Fast forward to April 2020, and a security researcher from Delhi uncovered a critical Sign in with Apple vulnerability that could allow an attacker to potentially take over an account with just an email ID. A critical vulnerability that was deemed important enough that Apple paid him $100,000 through its bug bounty program by way of a reward. With the vulnerability already now patched by Apple on the server-side, Bhavuk Jain published his disclosure of the security shocker on May 30.

It applied "only to third-party apps which used Sign in with Apple without taking any further security measures," the article points out, adding that the researcher who found it "said Apple carried out an internal investigation and determined that no account compromises or misuse had occurred before the vulnerability was fixed."

But they also quote an SME application security lead at ImmersiveLabs who said he "would have expected better testing around this from a company such as Apple, especially when it is trying to set itself a reputation as privacy-focused."
Bug

Software Bug In Bombardier Airliner Made Planes Turn the Wrong Way (theregister.co.uk) 34

An anonymous reader quotes a report from The Register: A very specific software bug made airliners turn the wrong way if their pilots adjusted a pre-set altitude limit. The bug, discovered on Bombardier CRJ-200 aircraft fitted with Rockwell Collins Aerospace-made flight management systems (FMSes), led to airliners trying to follow certain missed approaches turning right instead of left -- or vice versa.

First discovered in 2017, the flaw was only apparent when pilots manually edited a pre-set "climb to" altitude programmed into a "missed approach" procedure following an Instrument Landing System approach. It also arose if pilots used the FMS's temperature compensation function in extremely cold weather. In theory the bug could have led to airliners crashing into the ground, though the presence of two trained and alert humans in the cockpit monitoring what the aircraft was doing made this a remote possibility.
"The bug was first uncovered when a CRJ-200 crew flying into Canada's Fort St John airport used the FMS's temperature correction function," the report adds. "They discovered that the software turned their aeroplane in the wrong direction while it was following the published missed approach, something that generally does not happen. The fault was swiftly reported to the authorities and the relevant manufacturers."

Full details, including the maths, are available here. The U.S. Federal Aviation Authorities also published a Powerpoint presentation (PDF) about the bug.
Android

Google Launches Android Studio 4.0 With Motion Editor, Build Analyzer, and Java 8 APIs (venturebeat.com) 6

An anonymous reader quotes a report from VentureBeat: Google today launched Android Studio 4.0, the latest version of its integrated development environment (IDE). Android Studio 4.0 is supposed to help developers "code smarter, build faster, and design apps." Version 4.0 includes a new Motion Editor, a Build Analyzer, and Java 8 language APIs. Google also overhauled the CPU Profiler user interface and improved the Layout Inspector. [In the article] you'll find Android Studio 4.0 features broken down by category: design, develop, and build. The new version also includes the usual performance improvements and bug fixes on top of the new features (full release notes). Google didn't share its plans for the next version. Normally we'd get hints at the company's I/O developer conference, but 2020 is a weird year.
Security

$100 Million in Bounties Paid by HackerOne To Ethical Hackers (bleepingcomputer.com) 8

Bug bounty platform HackerOne announced today that it has paid out $100,000,000 in rewards to white-hat hackers around the world as of May 26, 2020. From a report: Since it started delivering vulnerability reports to its customers, HackerOne bug bounty hunters have found roughly 170,000 security vulnerabilities according to the company's CEO Marten Mickos. Over 700,000 ethical hackers are now using the bug bounty platform to get paid for security bugs in the products of more than 1,900 HackerOne customers. "It is impossible to know exactly how many cyber breaches have thereby been averted but we can estimate that it is thousands or perhaps over ten thousand," Mickos said.
AI

Altran's 'Code Defect AI' and the Rise of AI-Assisted Coding Tools (techrepublic.com) 20

"Altran has released a new tool that uses artificial intelligence to help software engineers spot bugs during the coding process instead of at the end," reports TechRepublic. "Available on GitHub, Code Defect AI uses machine learning to analyze existing code, spot potential problems in new code, and suggest tests to diagnose and fix the errors." Walid Negm, group chief innovation officer at Altran, said that this new tool will help developers release quality code quickly. "The software release cycle needs algorithms that can help make strategic judgments, especially as code gets more complex," he said in a press release....

"Microsoft and Altran have been working together to improve the software development cycle, and Code Defect AI, powered by Microsoft Azure, is an innovative tool that can help software developers through the use of machine learning," said David Carmona, general manager of AI marketing at Microsoft, in a press release...

In a new report about artificial intelligence and software development, Deloitte predicts that more and more companies will use AI-assisted coding tools. From January 2018 to September 2019, software vendors launched dozens of AI-powered software development tools, and startups working in this space raised $704 million over a similar timeframe.... "The benefits of AI-assisted coding are numerous," according to Deloitte analysts David Schatsky and Sourabh Bumb, the authors of AI is Helping to Make Better Software. "However, the principal benefit for companies is efficiency. Many of the new AI-powered tools work in a similar way to spell- and grammar-checkers, enabling coders to reduce the number of keystrokes they need to type by around 50%. They can also spot bugs while code is being written, while they can also automate as many as half of the tests needed to confirm the quality of software." This capability is even more important as companies continue to rely on open-source code.

The Register got more details about Altran's Code Defect AI: The company told us that the AI does not look much at the source code itself, but rather at the commit metadata, "the number of files in the check-in, code complexity, density of the check-in, bug history of the file, history of the developer, experience of the developer in the particular module/file etc." Training of the model is done only on the project being examined...
Chrome

Chromium Project Finds 70% of Its Serious Security Bugs Are Memory Safety Problems (chromium.org) 154

"Around 70% of our serious security bugs are memory safety problems," the Chromium project announced this week. "Our next major project is to prevent such bugs at source."

ZDNet reports: The percentage was compiled after Google engineers analyzed 912 security bugs fixed in the Chrome stable branch since 2015, bugs that had a "high" or "critical" severity rating. The number is identical to stats shared by Microsoft. Speaking at a security conference in February 2019, Microsoft engineers said that for the past 12 years, around 70% of all security updates for Microsoft products addressed memory safety vulnerabilities. Both companies are basically dealing with the same problem, namely that C and C++, the two predominant programming languages in their codebases, are "unsafe" languages....

Google says that since March 2019, 125 of the 130 Chrome vulnerabilities with a "critical" severity rating were memory corruption-related issues, showing that despite advances in fixing other bug classes, memory management is still a problem... Half of the 70% are use-after-free vulnerabilities, a type of security issue that arises from incorrect management of memory pointers (addresses), leaving doors open for attackers to attack Chrome's inner components...

While software companies have tried before to fix C and C++'s memory management problems, Mozilla has been the one who made a breakthrough by sponsoring, promoting and heavily adopting the Rust programming language in Firefox... Microsoft is also heavily investing in exploring C and C++ alternatives... But this week, Google also announced similar plans as well... Going forward, Google says it plans to look into developing custom C++ libraries to use with Chrome's codebase, libraries that have better protections against memory-related bugs. The browser maker is also exploring the MiraclePtr project, which aims to turn "exploitable use-after-free bugs into non-security crashes with acceptable performance, memory, binary size and minimal stability impact."
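The use-after-free class described in the two paragraphs above, shown as an added example that is not code from the Chromium project, ZDNet, or the MiraclePtr work: a non-owning raw pointer beside a checked alternative. The checked form uses the standard library's std::weak_ptr as a stand-in for a liveness test; MiraclePtr itself uses a different mechanism and is not reproduced here. The Tab type, the observer structs and the URL value are constructed for this example.

```cpp
#include <memory>
#include <string>

// Constructed example: an object that another component refers to but does
// not own (a stand-in for something like a browser tab or DOM node).
struct Tab {
    std::string url;
};

// Vulnerable pattern: a non-owning raw pointer. Nothing updates it when the
// owner frees the Tab, so the observer cannot tell that it is dangling, and
// any later dereference is a use-after-free (undefined behaviour).
struct RawObserver {
    Tab* tab = nullptr;
    // All this can check is null-ness, which says nothing about liveness.
    bool looksAlive() const { return tab != nullptr; }
};

// Hardened pattern: a std::weak_ptr tied to the owner's std::shared_ptr.
// lock() yields an empty pointer once the owner has released the object, so
// the access becomes a checked failure instead of memory corruption.
struct WeakObserver {
    std::weak_ptr<Tab> tab;
    // Returns true and fills `out` only while the Tab is still alive.
    bool tryGetUrl(std::string& out) const {
        if (std::shared_ptr<Tab> live = tab.lock()) {
            out = live->url;
            return true;
        }
        return false;
    }
};

// Shows the raw-pointer problem: after the owner deletes the Tab the observer
// still reports "alive". The stale pointer is only compared against nullptr,
// never dereferenced, so the demonstration itself does not execute a UAF.
bool rawObserverStillLooksAliveAfterFree() {
    Tab* owned = new Tab{"https://example.test/settings"};  // constructed URL
    RawObserver obs{owned};
    delete owned;                 // owner frees the object; obs.tab is untouched
    return obs.looksAlive();      // true: the dangling pointer is indistinguishable
}

// Shows the hardened pattern: the lookup succeeds while the owner holds the
// Tab and fails cleanly after the owner resets its shared_ptr. Returns true
// when both halves behaved as expected.
bool weakObserverDetectsFree(std::string& urlBefore, std::string& urlAfter) {
    auto owned = std::make_shared<Tab>(Tab{"https://example.test/settings"});
    WeakObserver obs{owned};
    bool before = obs.tryGetUrl(urlBefore);   // true, urlBefore filled
    owned.reset();                            // owner releases; Tab destroyed
    bool after = obs.tryGetUrl(urlAfter);     // false, urlAfter left empty
    return before && !after;
}
```

The design point is the one the announcement makes: a raw pointer carries no information about whether its referent still exists, so the only way to make a late access safe is to attach ownership state that the accessor can consult before dereferencing. A reference-counted weak handle does that at a runtime cost; MiraclePtr's stated goal is the same conversion of a dangling access into a non-exploitable failure with lower overhead.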

And last, but not least, Google also said it plans to explore using "safe" languages, where possible. Candidates include Rust, Swift, JavaScript, Kotlin, and Java.

Privacy

North Dakota's COVID-19 App Has Been Sending Data To Foursquare and Google (fastcompany.com) 44

The official COVID-19 contact-tracing app for the state of North Dakota, designed to detect whether people have potentially been exposed to the coronavirus, sends location data and a unique user identifier to Foursquare -- and other data to Google and a bug-tracking company -- according to a new report from smartphone privacy company Jumbo Privacy. From a report: The app, called Care19, and produced by a company called ProudCrowd that also makes a location-based social networking app for North Dakota State sports fans, generates a random ID number for each person who uses it. Then, it can "anonymously cache the individual's locations throughout the day," storing information about where people spent at least 10 minutes at a time, according to the state website. If users test positive for the coronavirus, they can provide that information to the North Dakota Department of Health for contact-tracing purposes so that other people who spent time near virus patients can potentially be notified. According to the app's privacy policy, "location data is private to you and is stored securely on ProudCrowd, LLC servers" and won't be shared with third parties "unless you consent or ProudCrowd is compelled under federal regulations."
Privacy

Edison Mail Rolls Back Update After iOS Users Reported They Could See Strangers' Emails (theverge.com) 21

Edison Mail has rolled back a software update that apparently let some users of its iOS app see emails from strangers' accounts. From a report: Several Edison users contacted The Verge to report seeing the glitch after they applied the update, which was meant to allow users to sync data across devices. Reader Matthew Grzybowski said after the update he had more than 100 unread messages from the UK-based email account of a stranger. He didn't have to enter any credentials to see the emails, Grzybowski added. The company said it was a bug, not a security breach, and that the issue appeared limited to users of the iOS app.
First Person Shooters (Games)

'Doom Eternal' Is Using Denuvo's New Kernel-Level Anti-Cheat Driver (arstechnica.com) 68

"Doom Eternal has become the latest game to use a kernel-level driver to aid in detecting cheaters in multiplayer matches," reports Ars Technica: The game's new driver and anti-cheat tool come courtesy of Denuvo parent Irdeto, a company once known for nearly unbeatable piracy protection and now known for somewhat effective but often cracked piracy protection. But the new Denuvo Anti-Cheat protection is completely separate from the company's Denuvo Anti-Tamper technology... The new Denuvo Anti-Cheat tool rolls out to Doom Eternal players after "countless hours and millions of gameplay sessions" during a two-year early access program, Irdeto said in a blog post announcing its introduction. But unlike Valorant's similar Vanguard system, the Denuvo Anti-Cheat driver "doesn't have annoying tray icons or splash screens" letting players monitor its use on their system. "This invisibility could raise some eyebrows," Irdeto concedes.

To assuage any potential fears, Irdeto writes that Denuvo Anti-Cheat only runs when the game is active, and Bethesda's patch notes similarly say that "use of the kernel-mode driver starts when the game launches and stops when the game stops for any reason...."

"No monitoring or data collection happens outside of multiplayer matches," Denuvo Anti-Cheat Product Owner Michail Greshishchev told Ars via email. "Denuvo does not attempt to maintain the integrity of the system. It does not block cheats, game mods, or developer tools. Denuvo Anti-Cheat only detects cheats." Greshishchev added that the company's driver has received "certification from renown[ed] kernel security researchers, completed regular whitebox and blackbox audits, and was penetration-tested by independent cheat developers." He said Irdeto is also setting up a bug bounty program to discover any flaws they might have missed.

And because of Denuvo Anti-Cheat's design, Greshishchev says the driver is more secure than others that might have more exposure to the Internet. "Unlike existing anti-cheats, Denuvo Anti-Cheat does not stream shell code from the Web," Greshishchev told Ars. "This means that, if compromised, attackers can't send down arbitrary malware to gamers' machines...."

If a driver exploit is discovered in the wild, Greshishchev told Ars that revocable certificates and self-expiring network keys can be used as "kill switches" to cut them off.

Printer

PrintDemon Vulnerability Impacts All Windows Versions (zdnet.com) 28

Two security researchers have published today details about a vulnerability in the Windows printing service that they say impacts all Windows versions going back to Windows NT 4, released in 1996. From a report: The vulnerability, which they codenamed PrintDemon, is located in Windows Print Spooler, the primary Windows component responsible for managing print operations. The service can send data to be printed to a USB/parallel port for physically connected printers; to a TCP port for printers residing on a local network or the internet; or to a local file, in the rare event the user wants to save a print job for later. In a report published today, security researchers Alex Ionescu & Yarden Shafir said they found a bug in this old component that can be abused to hijack the Printer Spooler internal mechanism. The bug can't be used to break into a Windows client remotely over the internet, so it's not something that could be exploited to hack Windows systems at random over the internet.
Security

Huawei Denies Involvement in Buggy Linux Kernel Patch Proposal (zdnet.com) 109

Huawei denied on Monday having any official involvement in an insecure patch submitted to the Linux kernel project over the weekend, a patch that introduced a "trivially exploitable" vulnerability. From a report: The buggy patch was submitted to the official Linux kernel project via its mailing list on Sunday. Named HKSP (Huawei Kernel Self Protection), the patch allegedly introduced a series of security-hardening options to the Linux kernel. Big tech companies that heavily use Linux in their data centers and online services often submit patches to the Linux kernel. Companies like Google, Microsoft, Amazon, and others have been known to have contributed code. On Sunday, the HKSP submission sparked interest in the Linux community as it could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel. In a blog post published on the same day, the Grsecurity team said that it discovered that the HKSP patch was introducing a "trivially exploitable" vulnerability in the kernel code -- if the patch was to be approved.
Medicine

Ask Slashdot: How Are You Handling COVID-19? 313

turp182 writes: What's your story? How are you doing? What do you predict? Below is a summary of the stats I've been following, some assumptions, and an overview of my personal situation. Anyway, how you all doing?
Bug

Thunderbolt Bug Lets Hackers Steal Your Data in 'Five Minutes' (thenextweb.com) 92

A new set of flaws discovered in the Intel Thunderbolt port has put millions of machines at risk of local hacking. This new research by Eindhoven University's Bjorn Ruytenberg suggests that if a hacker gains access to a machine for just five minutes, they could bypass login methods to gain full data access. From a report: Thunderbolt ports are present in machines with Windows, Linux, and macOS. So, that covers a lot of computers. Ruytenberg said all Thunderbolt versions and systems shipped between 2011 to 2020 are affected and no software patch can fix these vulnerabilities. So, Intel would need to redesign silicon in order to fix these flaws. There's not much you can do here. However, with open-source software called Thunderspy, developed by Ruytenberg and their team, you can check if you're affected by the Thunderbolt bug.
The Media

'Murder Hornet' Meme Inspires Stupid Americans To Kill Pollinators En Masse (latimes.com) 169

An anonymous reader writes: You really can't make this stuff up, but Americans across the country, out of fear of "murder hornets," have begun killing all kinds of bees en masse. According to Doug Yanega, senior museum scientist for the Department of Entomology at UC Riverside, a national panic has led to the needless slaughter of native wasps and bees, beneficial insects whose populations are already threatened...

"Folks in China, Korea and Japan have lived side by side with these hornets for hundreds of years, and it has not caused the collapse of human society there. My colleagues in Japan, China and Korea are just rolling their eyes in disbelief at what kind of snowflakes we are..."

"I don't want to downplay this — they are logistically dangerous insects. But having people in Tennessee worry about this is just ridiculous. The only people who should be bothering experts with concerns about wasp IDs are living in the northwest quadrant of Washington (state). And really, right now, nobody else in the country should even be thinking about this stuff," he continued.

"The facts are, experts said, two dead hornets were found in Washington last December, a lone Canadian live nest was found and wiped out last September and no live hornets have yet been seen this year," reports the Associated Press.

And when they spoke to the Washington Agriculture Department entomologist working on the state's response, he issued an additional correction for all the journalists covering this story. "They are not 'murder hornets.' They are just hornets."
