Security

$100 Million in Bounties Paid by HackerOne To Ethical Hackers (bleepingcomputer.com) 8

Bug bounty platform HackerOne announced today that it has paid out $100,000,000 in rewards to white-hat hackers around the world as of May 26, 2020. From a report: Since it started delivering vulnerability reports to its customers, HackerOne bug bounty hunters have found roughly 170,000 security vulnerabilities according to the company's CEO Marten Mickos. Over 700,000 ethical hackers are now using the bug bounty platform to get paid for security bugs in the products of more than 1,900 HackerOne customers. "It is impossible to know exactly how many cyber breaches have thereby been averted but we can estimate that it is thousands or perhaps over ten thousand," Mickos said.
AI

Altran's 'Code Defect AI' and the Rise of AI-Assisted Coding Tools (techrepublic.com) 20

"Altran has released a new tool that uses artificial intelligence to help software engineers spot bugs during the coding process instead of at the end," reports TechRepublic. "Available on GitHub, Code Defect AI uses machine learning to analyze existing code, spot potential problems in new code, and suggest tests to diagnose and fix the errors." Walid Negm, group chief innovation officer at Altran, said that this new tool will help developers release quality code quickly. "The software release cycle needs algorithms that can help make strategic judgments, especially as code gets more complex," he said in a press release....

"Microsoft and Altran have been working together to improve the software development cycle, and Code Defect AI, powered by Microsoft Azure, is an innovative tool that can help software developers through the use of machine learning," said David Carmona, general manager of AI marketing at Microsoft, in a press release...

In a new report about artificial intelligence and software development, Deloitte predicts that more and more companies will use AI-assisted coding tools. From January 2018 to September 2019, software vendors launched dozens of AI-powered software development tools, and startups working in this space raised $704 million over a similar timeframe.... "The benefits of AI-assisted coding are numerous," according to Deloitte analysts David Schatsky and Sourabh Bumb, the authors of AI is Helping to Make Better Software. "However, the principal benefit for companies is efficiency. Many of the new AI-powered tools work in a similar way to spell- and grammar-checkers, enabling coders to reduce the number of keystrokes they need to type by around 50%. They can also spot bugs while code is being written, while they can also automate as many as half of the tests needed to confirm the quality of software." This capability is even more important as companies continue to rely on open-source code.

The Register got more details about Altran's Code Defect AI: The company told us that the AI does not look much at the source code itself, but rather at the commit metadata, "the number of files in the check-in, code complexity, density of the check-in, bug history of the file, history of the developer, experience of the developer in the particular module/file etc." Training of the model is done only on the project being examined...
Chrome

Chromium Project Finds 70% of Its Serious Security Bugs Are Memory Safety Problems (chromium.org) 154

"Around 70% of our serious security bugs are memory safety problems," the Chromium project announced this week. "Our next major project is to prevent such bugs at source."

ZDNet reports: The percentage was compiled after Google engineers analyzed 912 security bugs fixed in the Chrome stable branch since 2015, bugs that had a "high" or "critical" severity rating. The number is identical to stats shared by Microsoft. Speaking at a security conference in February 2019, Microsoft engineers said that for the past 12 years, around 70% of all security updates for Microsoft products addressed memory safety vulnerabilities. Both companies are basically dealing with the same problem, namely that C and C++, the two predominant programming languages in their codebases, are "unsafe" languages....

Google says that since March 2019, 125 of the 130 Chrome vulnerabilities with a "critical" severity rating were memory corruption-related issues, showing that despite advances in fixing other bug classes, memory management is still a problem... Half of the 70% are use-after-free vulnerabilities, a type of security issue that arises from incorrect management of memory pointers (addresses), leaving doors open for attackers to attack Chrome's inner components...

While software companies have tried before to fix C and C++'s memory management problems, Mozilla has been the one who made a breakthrough by sponsoring, promoting and heavily adopting the Rust programming language in Firefox... Microsoft is also heavily investing in exploring C and C++ alternatives... But this week, Google also announced similar plans as well... Going forward, Google says it plans to look into developing custom C++ libraries to use with Chrome's codebase, libraries that have better protections against memory-related bugs. The browser maker is also exploring the MiraclePtr project, which aims to turn "exploitable use-after-free bugs into non-security crashes with acceptable performance, memory, binary size and minimal stability impact."

And last, but not least, Google also said it plans to explore using "safe" languages, where possible. Candidates include Rust, Swift, JavaScript, Kotlin, and Java.

Privacy

North Dakota's COVID-19 App Has Been Sending Data To Foursquare and Google (fastcompany.com) 44

The official COVID-19 contact-tracing app for the state of North Dakota, designed to detect whether people have potentially been exposed to the coronavirus, sends location data and a unique user identifier to Foursquare -- and other data to Google and a bug-tracking company -- according to a new report from smartphone privacy company Jumbo Privacy. From a report: The app, called Care19, and produced by a company called ProudCrowd that also makes a location-based social networking app for North Dakota State sports fans, generates a random ID number for each person who uses it. Then, it can "anonymously cache the individual's locations throughout the day," storing information about where people spent at least 10 minutes at a time, according to the state website. If users test positive for the coronavirus, they can provide that information to the North Dakota Department of Health for contact-tracing purposes so that other people who spent time near virus patients can potentially be notified. According to the app's privacy policy, "location data is private to you and is stored securely on ProudCrowd, LLC servers" and won't be shared with third parties "unless you consent or ProudCrowd is compelled under federal regulations."
Privacy

Edison Mail Rolls Back Update After iOS Users Reported They Could See Strangers' Emails (theverge.com) 21

Edison Mail has rolled back a software update that apparently let some users of its iOS app see emails from strangers' accounts. From a report: Several Edison users contacted The Verge to report seeing the glitch after they applied the update, which was meant to allow users to sync data across devices. Reader Matthew Grzybowski said after the update he had more than 100 unread messages from the UK-based email account of a stranger. He didn't have to enter any credentials to see the emails, Grzybowski added. The company said it was a bug, not a security breach, and that the issue appeared limited to users of the iOS app.
First Person Shooters (Games)

'Doom Eternal' Is Using Denuvo's New Kernel-Level Anti-Cheat Driver (arstechnica.com) 68

"Doom Eternal has become the latest game to use a kernel-level driver to aid in detecting cheaters in multiplayer matches," reports Ars Technica: The game's new driver and anti-cheat tool come courtesy of Denuvo parent Irdeto, a company once known for nearly unbeatable piracy protection and now known for somewhat effective but often cracked piracy protection. But the new Denuvo Anti-Cheat protection is completely separate from the company's Denuvo Anti-Tamper technology... The new Denuvo Anti-Cheat tool rolls out to Doom Eternal players after "countless hours and millions of gameplay sessions" during a two-year early access program, Irdeto said in a blog post announcing its introduction. But unlike Valorant's similar Vanguard system, the Denuvo Anti-Cheat driver "doesn't have annoying tray icons or splash screens" letting players monitor its use on their system. "This invisibility could raise some eyebrows," Irdeto concedes.

To assuage any potential fears, Irdeto writes that Denuvo Anti-Cheat only runs when the game is active, and Bethesda's patch notes similarly say that "use of the kernel-mode driver starts when the game launches and stops when the game stops for any reason...."

"No monitoring or data collection happens outside of multiplayer matches," Denuvo Anti-Cheat Product Owner Michail Greshishchev told Ars via email. "Denuvo does not attempt to maintain the integrity of the system. It does not block cheats, game mods, or developer tools. Denuvo Anti-Cheat only detects cheats." Greshishchev added that the company's driver has received "certification from renown[ed] kernel security researchers, completed regular whitebox and blackbox audits, and was penetration-tested by independent cheat developers." He said Irdeto is also setting up a bug bounty program to discover any flaws they might have missed.

And because of Denuvo Anti-Cheat's design, Greshishchev says the driver is more secure than others that might have more exposure to the Internet. "Unlike existing anti-cheats, Denuvo Anti-Cheat does not stream shell code from the Web," Greshishchev told Ars. "This means that, if compromised, attackers can't send down arbitrary malware to gamers' machines...."

If a driver exploit is discovered in the wild, Greshishchev told Ars that revocable certificates and self-expiring network keys can be used as "kill switches" to cut them off.

Printer

PrintDemon Vulnerability Impacts All Windows Versions (zdnet.com) 28

Two security researchers have published today details about a vulnerability in the Windows printing service that they say impacts all Windows versions going back to Windows NT 4, released in 1996. From a report: The vulnerability, which they codenamed PrintDemon, is located in Windows Print Spooler, the primary Windows component responsible for managing print operations. The service can send data to be printed to a USB/parallel port for physically connected printers; to a TCP port for printers residing on a local network or the internet; or to a local file, in the rare event the user wants to save a print job for later. In a report published today, security researchers Alex Ionescu & Yarden Shafir said they found a bug in this old component that can be abused to hijack the Printer Spooler internal mechanism. The bug can't be used to break into a Windows client remotely over the internet, so it's not something that could be exploited to hack Windows systems at random over the internet.
Security

Huawei Denies Involvement in Buggy Linux Kernel Patch Proposal (zdnet.com) 109

Huawei denied on Monday having any official involvement in an insecure patch submitted to the Linux kernel project over the weekend, a patch that introduced a "trivially exploitable" vulnerability. From a report: The buggy patch was submitted to the official Linux kernel project via its mailing list on Sunday. Named HKSP (Huawei Kernel Self Protection), the patch allegedly introduced a series of security-hardening options to the Linux kernel. Big tech companies that heavily use Linux in their data centers and online services often submit patches to the Linux kernel. Companies like Google, Microsoft, Amazon, and others have been known to have contributed code. On Sunday, the HKSP submission sparked interest in the Linux community as it could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel. In a blog post published on the same day, the Grsecurity team said that it discovered that the HKSP patch was introducing a "trivially exploitable" vulnerability in the kernel code -- if the patch was to be approved.
Medicine

Ask Slashdot: How Are You Handling COVID-19? 313

turp182 writes: What's your story? How are you doing? What do you predict? Below is a summary of the stats I've been following, some assumptions, and an overview of my personal situation. Anyway, how you all doing?
Bug

Thunderbolt Bug Lets Hackers Steal Your Data in 'Five Minutes' (thenextweb.com) 92

A new set of flaws discovered in the Intel Thunderbolt port has put millions of machines at risk of local hacking. This new research by Eindhoven University's Bjorn Ruytenberg suggests that if a hacker gains access to a machine for just five minutes, they could bypass login methods to gain full data access. From a report: Thunderbolt ports are present in machines with Windows, Linux, and macOS. So, that covers a lot of computers. Ruytenberg said all Thunderbolt versions and systems shipped between 2011 and 2020 are affected and no software patch can fix these vulnerabilities. So, Intel would need to redesign silicon in order to fix these flaws. There's not much you can do here. However, with open-source software called Thunderspy, developed by Ruytenberg and their team, you can check if you're affected by the Thunderbolt bug.
The Media

'Murder Hornet' Meme Inspires Stupid Americans To Kill Pollinators En Masse (latimes.com) 169

An anonymous reader writes: You really can't make this stuff up, but Americans across the country, out of fear of "murder hornets," have begun killing all kinds of bees en masse. According to Doug Yanega, senior museum scientist for the Department of Entomology at UC Riverside, a national panic has led to the needless slaughter of native wasps and bees, beneficial insects whose populations are already threatened...

"Folks in China, Korea and Japan have lived side by side with these hornets for hundreds of years, and it has not caused the collapse of human society there. My colleagues in Japan, China and Korea are just rolling their eyes in disbelief at what kind of snowflakes we are..."

"I don't want to downplay this — they are logistically dangerous insects. But having people in Tennessee worry about this is just ridiculous. The only people who should be bothering experts with concerns about wasp IDs are living in the northwest quadrant of Washington (state). And really, right now, nobody else in the country should even be thinking about this stuff," he continued.

"The facts are, experts said, two dead hornets were found in Washington last December, a lone Canadian live nest was found and wiped out last September and no live hornets have yet been seen this year," reports the Associated Press.

And when they spoke to the Washington Agriculture Department entomologist working on the state's response, he issued an additional correction for all the journalists covering this story. "They are not 'murder hornets.' They are just hornets."
Bug

How a Facebook Bug Took Down Your Favorite iOS Apps (wired.com) 65

An anonymous reader quotes a report from Wired: A little after 6 pm ET on Wednesday, the system started blinking red for iOS developer Clay Jones. Like many devs, Jones uses a Google product called Crashlytics to keep tabs on when his app stops working. Out of nowhere, it registered tens of thousands of crashes. It also pointed to the cause: a chunk of code that Jones' app incorporates to let people log in with their Facebook accounts. By 6:30 pm, Jones had filed a bug report about the flaw in Facebook's software development kit on GitHub, the code repository. He wasn't alone. According to widespread reports and the web monitoring service Down Detector, prominent iOS apps like TikTok, Spotify, Pinterest, Venmo, and more experienced issues on Wednesday. Many users found that they crashed whenever they tried to open the apps, whether or not they used Facebook to log in.

"Yesterday, a new release of Facebook included a change that triggered crashes in some apps using the Facebook iOS SDK for some users. We identified the issue quickly and resolved it," Facebook said in a statement. That change was quite small, given its outsized impact. "It was something like a server value -- which was supposed to provide a dictionary of things -- was changed to providing a simple YES/NO instead, without warning," says iOS developer Steven Troughton-Smith. "A change that simple can break an app that isn't prepared for it."

"Pretty much all these apps -- Pinterest, Spotify, a lot of the big ones -- use the Facebook SDK for the login button," says Jones. "You'll see 'Login With Facebook.' Everyone has it, super common, great for sign-up rates because it's just a one-click thing." And lots of apps that don't use Login With Facebook still use the SDK, which is why the issue Wednesday was so widespread. [...] The good news is that Facebook did fix the issue with haste, as far as these things go. Jones says it took about two hours for things to return to normal.

Security

20 Years Later, Creator of World's First Major Computer Virus Located in Manila (bbc.com) 100

"The man behind the world's first major computer virus outbreak has admitted his guilt, 20 years after his software infected millions of machines worldwide," reports the BBC: Filipino Onel de Guzman, now 44, says he unleashed the Love Bug computer worm to steal passwords so he could access the internet without paying. He claims he never intended it to spread globally.

And he says he regrets the damage his code caused. "I didn't expect it would get to the US and Europe. I was surprised," he said in an interview for Crime Dot Com, a forthcoming book on cyber-crime.

The Love Bug pandemic began on 4 May, 2000. Victims received an email attachment entitled LOVE-LETTER-FOR-YOU. It contained malicious code that would overwrite files, steal passwords, and automatically send copies of itself to all contacts in the victim's Microsoft Outlook address book. Within 24 hours, it was causing major problems across the globe, reportedly infecting 45 million machines...

He claims he initially sent the virus only to Philippine victims, with whom he communicated in chat rooms, because he only wanted to steal internet access passwords that worked in his local area. However, in spring 2000 he tweaked the code, adding an auto-spreading feature that would send copies of the virus to victims' Outlook contacts using a flaw in Microsoft's Windows 95 operating system.

"It's not really a virus," wrote CmdrTaco back on May 4, 2000. "It's a trojan that proclaims its love for the recipient and requests that you open its attachment. On a first date even! It then loves you so much that it sends copies of itself to everyone in your address book and starts destroying files on your drive...

"Pine/Elm/Mutt users as always laugh maniacally as the trojan shuffles countless wasted packets over saturated backbones filling overworked SMTP servers everywhere. Sysadmins are seen weeping in the alleys."
Bug

Newly Discovered macOS Image Capture Bug Can Fill Up Hard Drives With Empty Data (macrumors.com) 25

An anonymous reader quotes a report from MacRumors: A bug has been discovered in Apple's macOS Image Capture app that needlessly eats up potentially gigabytes of storage space when transferring photos from an iPhone or iPad to a Mac. Discovered by the developers of media asset management app NeoFinder and shared in a blog post called "Another macOS bug in Image Capture," the issue occurs when Apple's Mac tool converts HEIF photos taken by iOS to more standard JPG files. This process happens when users uncheck the "Keep Originals" option in Image Capture's settings, which converts the HEIC files to JPG when copied to Mac. However, the app also inexplicably adds 1.5MBs of empty data to every single file in the process.

It's worth noting that the bug only occurs when transferring photos from Apple devices, not when importing photos from digital cameras using Image Capture. NeoFinder's team says it has notified Apple of the bug, and the developers suggest anyone plagued by the issue can try using a new beta version of the third-party utility Graphic Converter, which includes an option to remove the unwanted empty data from the JPEG files.

Crime

Parolees Are Being Forced To Download Telmate's Guardian App That Listens and Records Every Move (gizmodo.com) 228

XXongo writes: Monitoring parolees released from prison by an app on their smartphone sounds like a good idea, right? The phone has facial recognition and biometric ID, and a GPS system that knows where it is. But what if the app doesn't work? In a story on Gizmodo, the [Telmate Guardian] app's coding is "sloppy" and "irresponsible" and its default privacy settings are wildly invasive, asking for "excessive permissions" to access device data. And the app isn't even accurate on recognizing parolees, nor on knowing location, with one parolee noting that the app set off the high-pitched warning alarm and sent a notification to her parole officers telling him that she was not at home multiple times in the middle of the night, when she was in fact at home and in bed. The device also serves as a covert surveillance bug, with built-in potential to covertly record ambient audio from the phone, even in standby mode -- a feature which is not even legal in many states. "But there's nothing you can do," according to one parolee. "If you don't accept it, then you go back to prison. You're considered their property. That's how they see it."
Mozilla

Firefox Raises Its Bug Bounties to $10,000 (mozilla.org) 5

"We're updating our bug bounty policy and payouts to make it more appealing to researchers and reflect the more hardened security stance we adopted after moving to a multi-process, sandboxed architecture," reports the Mozilla security blog: Besides rewarding duplicate submissions, we're clarifying our payout criteria and raising the payouts for higher impact bugs. Now, sandbox escapes and related bugs will be eligible for a baseline $8,000, with a high quality report up to $10,000. Additionally, proxy bypass bugs are eligible for a baseline of $3,000, with a high quality report up to $5,000...

Additionally, we'll be publishing more posts about how to get started testing Firefox — which is something we began by talking about the HTML Sanitization we rely on to prevent UXSS. By following the instructions there you can immediately start trying to bypass our sanitizer using your existing Firefox installation in less than a minute...

Lastly, we would like to let you know that we have cross-posted this to our new Attack & Defense blog. This new blog is a vehicle for tailored content specifically for engineers, security researchers, and Firefox bug bounty participants.

They point out that Firefox has one of the world's oldest bug bounty programs, dating back to 2004 -- and it's still going strong. "From 2017-2019, we paid out $965,750 to researchers across 348 bugs, making the average payout $2,775 — but as you can see in the graph below, our most common payout was actually $4,000!"
Python

Python 2's Core Devs Say 'Fond Farewell' While Releasing Its Final Version (blogspot.com) 97

This week Python's core developer blog announced the very last production release of Python 2.7. Hackaday reports: The intention was for it to coincide with PyCon 2020, but just like so many of the events planned for the first half of the year, the in-person conference had to be canceled in favor of a virtual one due to the COVID-19 epidemic. That might have stymied the celebration somewhat, but the release of Python 2.7.18 will still be looked on as a special moment for everyone involved.
"Thank you @gutworth for being the 2.7 release manager during 11 long years," Guido van Rossum announced on Twitter.

"It's time for the CPython community to say a fond but firm farewell to Python 2," reads the announcement on the core developer's blog. Python 2.7 has been under active development since the release of Python 2.6, more than 11 years ago. Over all those years, CPython's core developers and contributors sedulously applied bug fixes to the 2.7 branch, no small task as the Python 2 and 3 branches diverged.

There were large changes midway through Python 2.7's life such as PEP 466's feature backports to the ssl module and hash randomization. Traditionally, these features would never have been added to a branch in maintenance mode, but exceptions were made to keep Python 2 users secure. Thank you to CPython's community for such dedication.

Python 2.7 was lucky to have the services of two generations of binary builders and operating system experts, Martin von Löwis and Steve Dower for Windows, and Ronald Oussoren and Ned Deily for macOS. The reason we provided binary Python 2.7 releases for macOS 10.9, an operating system obsoleted by Apple 4 years ago, or why the "Microsoft Visual C++ Compiler for Python 2.7" exists is the dedication of these individuals.

Python 3 would be nowhere without the dedication of the wider community. Library maintainers followed CPython by maintaining Python 2 support for many years but also threw their weight behind the Python 3 statement. Linux distributors chased Python 2 out of their archives. Users migrated hundreds of millions of lines of code, developed porting guides, and kept Python 2 in their brain while Python 3 gained 10 years of improvements.

Finally, thank you to GvR for creating Python 0.9, 1, 2, and 3.

Long live Python 3+!

Security

You Can Now Check If Your ISP Uses Basic Security Measures (wired.com) 28

"Is BGP Safe Yet" is a new site that names and shames internet service providers that don't tend to their routing. From a report: For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn't a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw. BGP disruptions happen frequently, generally by accident. But BGP can also be hijacked for large-scale spying, data interception, or as a sort of denial of service attack.

[...] On Friday, the company launched Is BGP Safe Yet, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers. Cloudflare estimates that so far about half of the internet is more protected thanks to heavy hitters like AT&T, the Swedish telecom Telia, and the Japanese telecom NTT adopting BGP improvements. And while Cloudflare says it doesn't seem like the Rostelecom incident was intentional or malicious, Russian telecoms do have a history of suspicious BGP meddling, and similar problems will keep cropping up until the whole industry is on board.

Security

Zoom's Security Woes Were No Secret to Business Partners Like Dropbox (nytimes.com) 33

Dropbox privately paid top hackers to find bugs in software by the videoconferencing company Zoom, then pressed it to fix them. From a report: One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees. The hackers soon uncovered a major security vulnerability in Zoom's software that could have allowed attackers to covertly control certain users' Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

Now Zoom's videoconferencing service has become the preferred communications platform for hundreds of millions of people sheltering at home, and reports of its privacy and security troubles have proliferated. Zoom's defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes -- like elementary school classes and family celebrations -- for which it was never intended.

[...] The former Dropbox engineers, however, say Zoom's current woes can be traced back two years or more, and they argue that the company's failure to overhaul its security practices back then put its business clients at risk. Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom's security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work. As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom's software code and that of a few other companies. The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom's code -- and troubled by Zoom's slowness in fixing them.

AI

AI Researchers Propose 'Bias Bounties' To Put Ethics Principles Into Practice (venturebeat.com) 47

Researchers from Google Brain, Intel, OpenAI, and top research labs in the U.S. and Europe joined forces this week to release what the group calls a toolbox for turning AI ethics principles into practice. From a report: The kit for organizations creating AI models includes the idea of paying developers for finding bias in AI, akin to the bug bounties offered in security software. This recommendation and other ideas for ensuring AI is made with public trust and societal well-being in mind were detailed in a preprint paper published this week. The bug bounty hunting community might be too small to create strong assurances, but developers could still unearth more bias than is revealed by measures in place today, the authors say.

"Bias and safety bounties would extend the bug bounty concept to AI and could complement existing efforts to better document data sets and models for their performance limitations and other properties," the paper reads. "We focus here on bounties for discovering bias and safety issues in AI systems as a starting point for analysis and experimentation but note that bounties for other properties (such as security, privacy protection, or interpretability) could also be explored."
