Bug

How a Facebook Bug Took Down Your Favorite iOS Apps (wired.com) 65

An anonymous reader quotes a report from Wired: A little after 6 pm ET on Wednesday, the system started blinking red for iOS developer Clay Jones. Like many devs, Jones uses a Google product called Crashlytics to keep tabs on when his app stops working. Out of nowhere, it registered tens of thousands of crashes. It also pointed to the cause: a chunk of code that Jones' app incorporates to let people log in with their Facebook accounts. By 6:30 pm, Jones had filed a bug report about the flaw in Facebook's software development kit on GitHub, the code repository. He wasn't alone. According to widespread reports and the web monitoring service Down Detector, prominent iOS apps like TikTok, Spotify, Pinterest, Venmo, and more experienced issues on Wednesday. Many users found that they crashed whenever they tried to open the apps, whether or not they used Facebook to log in.

"Yesterday, a new release of Facebook included a change that triggered crashes in some apps using the Facebook iOS SDK for some users. We identified the issue quickly and resolved it," Facebook said in a statement. That change was quite small, given its outsized impact. "It was something like a server value -- which was supposed to provide a dictionary of things -- was changed to providing a simple YES/NO instead, without warning," says iOS developer Steven Troughton-Smith. "A change that simple can break an app that isn't prepared for it."

"Pretty much all these apps -- Pinterest, Spotify, a lot of the big ones -- use the Facebook SDK for the login button," says Jones. "You'll see 'Login With Facebook.' Everyone has it, super common, great for sign-up rates because it's just a one-click thing." And lots of apps that don't use Login With Facebook still use the SDK, which is why the issue Wednesday was so widespread. [...] The good news is that Facebook did fix the issue with haste, as far as these things go. Jones says it took about two hours for things to return to normal.

Security

20 Years Later, Creator of World's First Major Computer Virus Located in Manila (bbc.com) 100

"The man behind the world's first major computer virus outbreak has admitted his guilt, 20 years after his software infected millions of machines worldwide," reports the BBC: Filipino Onel de Guzman, now 44, says he unleashed the Love Bug computer worm to steal passwords so he could access the internet without paying. He claims he never intended it to spread globally.

And he says he regrets the damage his code caused. "I didn't expect it would get to the US and Europe. I was surprised," he said in an interview for Crime Dot Com, a forthcoming book on cyber-crime.

The Love Bug pandemic began on 4 May, 2000. Victims received an email attachment entitled LOVE-LETTER-FOR-YOU. It contained malicious code that would overwrite files, steal passwords, and automatically send copies of itself to all contacts in the victim's Microsoft Outlook address book. Within 24 hours, it was causing major problems across the globe, reportedly infecting 45 million machines...

He claims he initially sent the virus only to Philippine victims, with whom he communicated in chat rooms, because he only wanted to steal internet access passwords that worked in his local area. However, in spring 2000 he tweaked the code, adding an auto-spreading feature that would send copies of the virus to victims' Outlook contacts using a flaw in Microsoft's Windows 95 operating system.

"It's not really a virus," wrote CmdrTaco back on May 4, 2000. "It's a trojan that proclaims its love for the recipient and requests that you open its attachment. On a first date even! It then loves you so much that it sends copies of itself to everyone in your address book and starts destroying files on your drive...

"Pine/Elm/Mutt users as always laugh maniacally as the trojan shuffles countless wasted packets over saturated backbones filling overworked SMTP servers everywhere. Sysadmins are seen weeping in the alleys."

Bug

Newly Discovered macOS Image Capture Bug Can Fill Up Hard Drives With Empty Data (macrumors.com) 25

An anonymous reader quotes a report from MacRumors: A bug has been discovered in Apple's macOS Image Capture app that needlessly eats up potentially gigabytes of storage space when transferring photos from an iPhone or iPad to a Mac. Discovered by the developers of media asset management app NeoFinder and shared in a blog post called "Another macOS bug in Image Capture," the issue occurs when Apple's Mac tool converts HEIF photos taken by iOS to more standard JPG files. This process happens when users uncheck the "Keep Originals" option in Image Capture's settings, which converts the HEIC files to JPG when copied to Mac. However, the app also inexplicably adds 1.5MBs of empty data to every single file in the process.

It's worth noting that the bug only occurs when transferring photos from Apple devices, not when importing photos from digital cameras using Image Capture. NeoFinder's team says it has notified Apple of the bug, and the developers suggest anyone plagued by the issue can try using a new beta version of the third-party utility Graphic Converter, which includes an option to remove the unwanted empty data from the JPEG files.

Crime

Parolees Are Being Forced To Download Telmate's Guardian App That Listens and Records Every Move (gizmodo.com) 228

XXongo writes: Monitoring parolees released from prison by an app on their smartphone sounds like a good idea, right? The phone has facial recognition and biometric ID, and a GPS system that knows where it is. But what if the app doesn't work? In a story on Gizmodo, the [Telmate Guardian] app's coding is "sloppy" and "irresponsible" and its default privacy settings are wildly invasive, asking for "excessive permissions" to access device data. And the app isn't even accurate on recognizing parolees, nor on knowing location, with one parolee noting that the app set off the high-pitched warning alarm and sent a notification to her parole officers telling him that she was not at home multiple times in the middle of the night, when she was in fact at home and in bed. The device also serves as a covert surveillance bug, with built-in potential to covertly record ambient audio from the phone, even in standby mode -- a feature which is not even legal in many states. "But there's nothing you can do," according to one parolee. "If you don't accept it, then you go back to prison. You're considered their property. That's how they see it."

Mozilla

Firefox Raises Its Bug Bounties to $10,000 (mozilla.org) 5

"We're updating our bug bounty policy and payouts to make it more appealing to researchers and reflect the more hardened security stance we adopted after moving to a multi-process, sandboxed architecture," reports the Mozilla security blog: Besides rewarding duplicate submissions, we're clarifying our payout criteria and raising the payouts for higher impact bugs. Now, sandbox escapes and related bugs will be eligible for a baseline $8,000, with a high quality report up to $10,000. Additionally, proxy bypass bugs are eligible for a baseline of $3,000, with a high quality report up to $5,000...

Additionally, we'll be publishing more posts about how to get started testing Firefox — which is something we began by talking about the HTML Sanitization we rely on to prevent UXSS. By following the instructions there you can immediately start trying to bypass our sanitizer using your existing Firefox installation in less than a minute...

Lastly, we would like to let you know that we have cross-posted this to our new Attack & Defense blog. This new blog is a vehicle for tailored content specifically for engineers, security researchers, and Firefox bug bounty participants.

They point out that Firefox has one of the world's oldest bug bounty programs, dating back to 2004 -- and it's still going strong. "From 2017-2019, we paid out $965,750 to researchers across 348 bugs, making the average payout $2,775 — but as you can see in the graph below, our most common payout was actually $4,000!"

Python

Python 2's Core Devs Say 'Fond Farewell' While Releasing Its Final Version (blogspot.com) 97

This week Python's core developer blog announced the very last production release of Python 2.7. Hackaday reports: The intention was for it to coincide with PyCon 2020, but just like so many of the events planned for the first half of the year, the in-person conference had to be canceled in favor of a virtual one due to the COVID-19 epidemic. That might have stymied the celebration somewhat, but the release of Python 2.7.18 will still be looked on as a special moment for everyone involved.
"Thank you @gutworth for being the 2.7 release manager during 11 long years," Guido van Rossum announced on Twitter.

"It's time for the CPython community to say a fond but firm farewell to Python 2," reads the announcement on the core developer's blog. Python 2.7 has been under active development since the release of Python 2.6, more than 11 years ago. Over all those years, CPython's core developers and contributors sedulously applied bug fixes to the 2.7 branch, no small task as the Python 2 and 3 branches diverged.

There were large changes midway through Python 2.7's life such as PEP 466's feature backports to the ssl module and hash randomization. Traditionally, these features would never have been added to a branch in maintenance mode, but exceptions were made to keep Python 2 users secure. Thank you to CPython's community for such dedication.

Python 2.7 was lucky to have the services of two generations of binary builders and operating system experts, Martin von Löwis and Steve Dower for Windows, and Ronald Oussoren and Ned Deily for macOS. The reason we provided binary Python 2.7 releases for macOS 10.9, an operating system obsoleted by Apple 4 years ago, or why the "Microsoft Visual C++ Compiler for Python 2.7" exists is the dedication of these individuals.

Python 3 would be nowhere without the dedication of the wider community. Library maintainers followed CPython by maintaining Python 2 support for many years but also threw their weight behind the Python 3 statement. Linux distributors chased Python 2 out of their archives. Users migrated hundreds of millions of lines of code, developed porting guides, and kept Python 2 in their brain while Python 3 gained 10 years of improvements.

Finally, thank you to GvR for creating Python 0.9, 1, 2, and 3.

Long live Python 3+!

Security

You Can Now Check If Your ISP Uses Basic Security Measures (wired.com) 28

"Is BGP Safe Yet" is a new site that names and shames internet service providers that don't tend to their routing. From a report: For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn't a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw. BGP disruptions happen frequently, generally by accident. But BGP can also be hijacked for large-scale spying, data interception, or as a sort of denial of service attack.

[...] On Friday, the company launched Is BGP Safe Yet, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers. Cloudflare estimates that so far about half of the internet is more protected thanks to heavy hitters like AT&T, the Swedish telecom Telia, and the Japanese telecom NTT adopting BGP improvements. And while Cloudflare says it doesn't seem like the Rostelecom incident was intentional or malicious, Russian telecoms do have a history of suspicious BGP meddling, and similar problems will keep cropping up until the whole industry is on board.

Security

Zoom's Security Woes Were No Secret to Business Partners Like Dropbox (nytimes.com) 33

Dropbox privately paid top hackers to find bugs in software by the videoconferencing company Zoom, then pressed it to fix them. From a report: One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees. The hackers soon uncovered a major security vulnerability in Zoom's software that could have allowed attackers to covertly control certain users' Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

Now Zoom's videoconferencing service has become the preferred communications platform for hundreds of millions of people sheltering at home, and reports of its privacy and security troubles have proliferated. Zoom's defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes -- like elementary school classes and family celebrations -- for which it was never intended.

[...] The former Dropbox engineers, however, say Zoom's current woes can be traced back two years or more, and they argue that the company's failure to overhaul its security practices back then put its business clients at risk. Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom's security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work. As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom's software code and that of a few other companies. The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom's code -- and troubled by Zoom's slowness in fixing them.

AI

AI Researchers Propose 'Bias Bounties' To Put Ethics Principles Into Practice (venturebeat.com) 47

Researchers from Google Brain, Intel, OpenAI, and top research labs in the U.S. and Europe joined forces this week to release what the group calls a toolbox for turning AI ethics principles into practice. From a report: The kit for organizations creating AI models includes the idea of paying developers for finding bias in AI, akin to the bug bounties offered in security software. This recommendation and other ideas for ensuring AI is made with public trust and societal well-being in mind were detailed in a preprint paper published this week. The bug bounty hunting community might be too small to create strong assurances, but developers could still unearth more bias than is revealed by measures in place today, the authors say.

"Bias and safety bounties would extend the bug bounty concept to AI and could complement existing efforts to better document data sets and models for their performance limitations and other properties," the paper reads. "We focus here on bounties for discovering bias and safety issues in AI systems as a starting point for analysis and experimentation but note that bounties for other properties (such as security, privacy protection, or interpretability) could also be explored."

AI

AI Spots Critical Microsoft Security Bugs 97% of the Time (venturebeat.com) 41

Microsoft claims to have developed a system that correctly distinguishes between security and non-security software bugs 99% of the time, and that accurately identifies the critical, high-priority security bugs on average 97% of the time. From a report: In the coming months, it plans to open-source the methodology on GitHub, along with example models and other resources. Their work suggests that such a system, which was trained on a data set of 13 million work items and bugs from 47,000 developers at Microsoft stored across AzureDevOps and GitHub repositories, could be used to support human experts. It's estimated that developers create 70 bugs per 1,000 lines of code and that fixing a bug takes 30 times longer than writing a line of code, and that in the U.S., $113 billion is spent annually on identifying and fixing product defects. In the course of architecting the model, Microsoft says that security experts approved the training data and that statistical sampling was used to provide those experts a manageable amount of data to review. The data was then encoded into representations called feature vectors and Microsoft researchers designed the system using a two-step process, in which the model first learned to classify security and non-security bugs and then to apply severity labels -- critical, important, low-impact -- to the security bugs.

Twitter

Twitter Accused of Obliterating Its Users' Privacy Choices (eff.org) 102

The EFF's staff technologist -- also an engineer on Privacy Badger and HTTPS Everywhere -- writes: Twitter greeted its users with a confusing notification this week. "The control you have over what information Twitter shares with its business partners has changed," it said. The changes will "help Twitter continue operating as a free service," it assured. But at what cost?

Twitter has changed what happens when users opt out of the "Allow additional information sharing with business partners" setting in the "Personalization and Data" part of its site. The changes affect two types of data sharing that Twitter does... Previously, anyone in the world could opt out of Twitter's conversion tracking (type 1), and people in GDPR-compliant regions had to opt in. Now, people outside of Europe have lost that option. Instead, users in the U.S. and most of the rest of the world can only opt out of Twitter sharing data with Google and Facebook (type 2).

The article explains how last August Twitter discovered that its option for opting out of device-level targeting and conversion tracking "did not actually opt users out." But after fixing that bug, "advertisers were unhappy. And Twitter announced a substantial hit to its revenue... Now, Twitter has removed the ability to opt out of conversion tracking altogether."

While users in Europe are protected by GDPR, "users in the United States and everywhere else, who don't have the protection of a comprehensive privacy law, are only protected by companies' self-interest..." BoingBoing argues that Twitter "has just unilaterally obliterated all its users' privacy choices, announcing the change with a dialog box whose only button is 'OK.'"

Bug

Soil Gets Its Smell From Bacteria Trying To Attract Invertebrates (newscientist.com) 11

"Soil gets its characteristic earthy smell from certain chemicals produced primarily by soil-dwelling bacteria called Streptomyces," reports New Scientist. But as for why these bacteria produce these odors, researchers at the Swedish University of Agricultural Sciences in Alnarp discovered that the smell seems to attract invertebrates that help the bacteria disperse their spores. From the report: Paul Becher at the Swedish University of Agricultural Sciences in Alnarp and his colleagues set up field traps in woodland containing colonies of Streptomyces. They thought that the smell may act as a signal to other organisms that they are poisonous, because some bacteria like Streptomyces can be toxic. Instead, the smell -- which comes from gases released by Streptomyces, including geosmin and 2-methylisoborneol (2-MIB) -- seems to attract invertebrates that help the bacteria disperse their spores. Becher and his team found that springtails -- tiny cousins of insects -- that feed on Streptomyces were drawn to the traps containing the bacterial colonies, but weren't drawn to control traps that didn't contain Streptomyces. By comparison, insects and arachnids weren't attracted to the traps containing Streptomyces. The findings have been reported in the journal Nature Microbiology.

Nintendo

Nintendo's Animal Crossing Becomes New Hong Kong Protest Ground (bloomberg.com) 11

Nintendo's Animal Crossing has become a place for Hong Kong protesters to congregate without flouting social distancing rules. Bloomberg reports: Animal Crossing is a simulation game where players live on an idyllic tropical island and befriend anthropomorphic animals. Players can customize their islands with in-game illustrating tools and visit each other's islands online. Pro-democracy content created for the game has gone viral on social media, including Twitter. In a tweet last week, one of Hong Kong's most well-known democracy campaigners, Joshua Wong, said he was playing the game and that the movement had shifted online. In one video posted to Twitter, a group of players use bug-catching nets to hit pictures of the city's leader Carrie Lam on a beach in the game. A nearby poster states "Free Hong Kong. Revolution Now."

Bug

Some Users Experiencing System Crashes on macOS 10.15.4, Especially During Large File Transfers (macrumors.com) 58

A sizeable number of Mac users are experiencing occasional system crashes after updating to macOS Catalina version 10.15.4, released a few weeks ago. From a report: The crashing issue appears to be most prominent when users attempt to make large file transfers. In a forum post, SoftRAID described the issue as a bug and said that it is working with Apple engineers on a fix for macOS 10.15.5, or a workaround. SoftRAID said the issue extends to Apple-formatted disks: "There is a serious issue with 10.15.4. It shows up in different scenarios, even on Apple disks but is more likely when there are lots of IO threads. We think it is a threading issue. So while SoftRAID volumes are hit the hardest (it's now hard to copy more than 30GB of data at a time), all systems are impacted by this. In our bug report to Apple, we used a method to reproduce the problem with ONLY Apple formatted disks. Takes longer to reproduce, but that is more likely to get a faster fix to the user base."

Security

A Hacker Found a Way To Take Over Any Apple Webcam (wired.com) 52

An anonymous reader quotes a report from Wired: Apple has a well-earned reputation for security, but in recent years its Safari browser has had its share of missteps. This week, a security researcher publicly shared new findings about vulnerabilities that would have allowed an attacker to exploit three Safari bugs in succession and take over a target's webcam and microphone on iOS and macOS devices. Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link and an attacker would have been able to spy on them remotely.

The bugs Pickren found all stem from seemingly minor oversights. For example, he discovered that Safari's list of the permissions a user has granted to websites treated all sorts of URL variations as being part of the same site, like https://www.example.com, http://example.com and fake://example.com. By "wiggling around," as Pickren puts it, he was able to generate specially crafted URLs that could work with scripts embedded in a malicious site to launch the bait-and-switch that would trick Safari. A hacker who tricked a victim into clicking their malicious link would be able to quietly launch the target's webcam and microphone to capture video, take photos, or record audio. And the attack would work on iPhones, iPads, and Macs alike. None of the flaws are in Apple's microphone and webcam protections themselves, or even in Safari's defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise.

Twitter

Twitter Discloses Firefox Bug That Cached Private Files Sent or Received via DMs (zdnet.com) 42

Social networking giant Twitter today disclosed a bug on its platform that impacted users who accessed their platform using Firefox browsers. From a report: According to Twitter, its platform stored private files inside the Firefox browser's cache -- a folder where websites store information and files temporarily. Twitter said that once users left their platform or logged off, the files would remain in the browser cache, allowing anyone to retrieve it. The company is now warning users who share workstations or used a public computer that some of their private files may still be present in the Firefox cache. Malware present on a system could also scrape and steal this data, if ever configured to do so.

Security

Ex-NSA Hacker Drops New Zero-Day Doom for Zoom (techcrunch.com) 22

Zoom's troubled year just got worse. From a report: Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom's popularity has rocketed, but also has led to an increased focus on the company's security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user's Mac, including tapping into the webcam and microphone. Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch. The two bugs, Wardle said, can be launched by a local attacker -- that's where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim's computer, allowing them to install malware or spyware.

Security

OpenWRT Code-Execution Bug Puts Millions of Devices At Risk (arstechnica.com) 60

Dan Goodin writes via Ars Technica: For almost three years, OpenWRT -- the open source operating system that powers home routers and other types of embedded systems -- has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said. Security researcher Guido Vranken, however, recently found that updates and installation files were delivered over unencrypted HTTP connections, which are open to attacks that allow adversaries to completely replace legitimate updates with malicious ones. The researcher also found that it was trivial for attackers with moderate experience to bypass digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWRT maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.
[...]
The researcher said that OpenWRT maintainers have released a stopgap solution that partially mitigates the risk the bug poses. The mitigation requires new installations to be "set out from a well-formed list that would not sidestep the hash verification. However, this is not an adequate long-term solution because an attacker can simply provide an older package list that was signed by the OpenWRT maintainers." From there, attackers can use the same exploits they would use on devices that haven't received the mitigation. OpenWRT maintainers didn't immediately respond to questions asking why installation and update files are delivered over HTTP and when a longer-term fix might be available. In the meantime, OpenWRT users should install either version 18.06.7 or 19.07.1, both of which were released in February. These updates provide the stopgap mitigation.

Biotech

Some Researchers are Trying Mass Testing for Covid-19 Antibodies (wired.com) 43

An anonymous reader quotes Wired: Next week, blood banks across the Netherlands are set to begin a nationwide experiment. As donations arrive — about 7,000 of them per week is the norm — they'll be screened with the usual battery of tests that keep the blood supply safe, plus one more: a test for antibodies to SARS-CoV-2, the virus that causes Covid-19. Then, in a few weeks, another batch of samples will get the same test. And after that, depending on the numbers, there could be further rounds. The blood donors should be fairly representative of Dutch adults ages 18 to 75, and most importantly, they'll all be healthy enough for blood donation — or at least outwardly so...

Identifying what proportion of the population has already been infected is key to making the right decisions about containment... [B]ecause no Covid-19-specific serological [antibody] tests have been fully vetted yet, the FDA's latest guidance is that they shouldn't be relied upon for diagnoses. But in epidemiology circles, those tests are a sought-after tool for understanding the scope of the disease. Since February — which was either three weeks or a lifetime ago — epidemiologists have been trying to get the full scope of the number of infections here in the U.S... [A]s the disease has continued to spread and a patchwork of local "stay at home" rules begins to bend the course of the disease, projecting who has the disease and where the hot spots are has become more difficult for models to capture.

Instead, you need boots-on-the-ground surveillance. In other words, to fill the gap created by a lack of diagnostic tests, you need more testing — but of a different sort. This time you have to know how many total people have already fought the bug, and how recently they've fought it. "Of all the data out there, if there was a good serological assay that was very specific about individuating recent cases, that would be the best data we could have," says Alex Perkins, an epidemiologist at the University of Notre Dame. The key, he says, is drawing blood from a representative sample that would show the true scope of unobserved infections... Another motivation to develop better blood tests is the potential to develop therapeutics from antibody-rich blood serum.

Wired is currently providing free access to stories about the coronavirus.

Education

School Quits Video Calls After Naked Man 'Guessed' the Meeting Link (techcrunch.com) 143

An anonymous reader quotes a report from TechCrunch: A school in Norway has stopped using popular video conferencing service Whereby after a naked man apparently "guessed" the link to a video lesson. According to Norwegian state broadcaster NRK, the man exposed himself in front of several young children over the video call. The theory, according to the report, is that the man guessed the meeting ID and joined the video call. One expert quoted in the story said some are "looking" for links. Last year security researchers told TechCrunch that malicious users could access and listen in to Zoom and Webex video meetings by cycling through different permutations of meeting IDs in bulk. The researchers said the flaw worked because many meetings were not protected by a passcode.
