Bug

Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption, exposing users' data or leaking their IP addresses. While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel, as ProtonVPN disclosed.

The bug is due to Apple's iOS not terminating all existing Internet connections when the user connects to a VPN and having them automatically reconnect to the destination servers after the VPN tunnel is established. "Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own," ProtonVPN explains. "However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel." During the time the connections are outside of the VPN secure communication channels, this issue can lead to serious consequences. For instance, user data could be exposed to third parties if the connections are not encrypted themselves, and IP address leaks could potentially reveal the users' location or expose them and destination servers to attacks.
Until Apple provides a fix, the company recommends using Always-on VPN to mitigate this problem. "However, since this workaround uses device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN," the report adds.
Data Storage

HPE Says Firmware Bug Will Brick Some SSDs Starting in October this Year (zdnet.com)

An anonymous reader writes: Hewlett Packard Enterprise (HPE) issued a security advisory last week warning customers about a bug in the firmware of some SAS SSDs (Serial-Attached SCSI solid-state drives) that will fail after reaching 40,000 hours of operation -- which is 4 years, 206 days, and 16 hours after the SSD has been put into operation. HPE says that based on when affected SSDs were manufactured and sold, the earliest failures are expected to occur starting in October this year. The company released firmware updates last week to address the issue. HPE warns that if companies fail to install the update, they risk losing both the SSD and the data. "After the SSD failure occurs, neither the SSD nor the data can be recovered," the company explained.
Robotics

If Robots Steal So Many Jobs, Why Aren't They Saving Us Now? (wired.com)

An anonymous reader quotes a report from Wired: Modern capitalism has never seen anything quite like the novel coronavirus SARS-CoV-2. In a matter of months, the deadly contagious bug has spread around the world, hobbling any economy in its path. [...] This economic catastrophe is blowing up the myth of the worker robot and AI takeover. We've been led to believe that a new wave of automation is here, made possible by smarter AI and more sophisticated robots. San Francisco has even considered a tax on robots -- replace a human with a machine, and pay a price. The problem will get so bad, argue folks like former presidential candidate Andrew Yang, we'll need a universal basic income to support our displaced human workers.

Yet our economy still craters without human workers, because the machines are far, far away from matching our intelligence and dexterity. You're more likely to have a machine automate part of your job, not destroy your job entirely. Moving from typewriters to word processors made workers more efficient. Increasingly sophisticated and sensitive robotic arms can now work side-by-side on assembly lines with people without flinging our puny bodies across the room, doing the heavy lifting and leaving the fine manipulation of parts to us. The machines have their strengths -- literally in this case -- and the humans have theirs.
While robots can do the labor we don't want to do or can't do, such as lifting car doors on an assembly line, they're not very good at problem-solving. "Think about how you would pick up a piece of paper that's lying flat on a table. You can't grip it like you would an apple -- you have to either pinch it to get it to lift off the surface, or drag it to hang over the edge of the table," writes Matt Simon via Wired. "As a kid, you learn to do that through trial and error, whereas you'd have to program a robot with explicit instructions to do the same."

In closing, Simon writes: "Overestimating robots and AI underestimates the very people who can save us from this pandemic: Doctors, nurses, and other health workers, who will likely never be replaced by machines outright. They're just too beautifully human for that."
Microsoft

Microsoft Says Hackers Are Attacking Windows Users With a New Unpatched Bug (techcrunch.com)

Microsoft says attackers are exploiting a previously undisclosed security vulnerability found in all supported versions of Windows, including Windows 10. From a report: But the software giant said there is currently no patch for the vulnerability. The security flaw, which Microsoft deems "critical" -- its highest severity rating -- is found in how Windows handles and renders fonts, according to the advisory posted Monday. The bug can be exploited by tricking a victim into opening a malicious document. Once the document is opened -- or viewed in Windows Preview -- an attacker can remotely run malware, such as ransomware, on a vulnerable device. The advisory said that Microsoft was aware of hackers launching "limited, targeted attacks," but did not say who was launching the attacks or at what scale.
Facebook

Facebook Bug Caused Legitimate News Articles About the Coronavirus To Be Marked As Spam

McGruber shares a report from Business Insider: Facebook is blocking users from posting some legitimate news articles about the coronavirus in what appears to be a bug in its spam filters. On Tuesday, multiple Facebook users reported on Twitter that they found themselves unable to post articles from certain news outlets including Business Insider, BuzzFeed, The Atlantic, and the Times of Israel. It's not clear exactly what has gone wrong, and Facebook did not respond to a request for comment.

Alex Stamos, an outspoken former Facebook security exec, speculated that it might be caused by Facebook's shift to automated software after it sent its human content moderators home. "It looks like an anti-spam rule at FB is going haywire," he wrote on Twitter. "Facebook sent home content moderators yesterday, who generally can't [work from home] due to privacy commitments the company has made. We might be seeing the start of the machine learning going nuts with less human oversight."
In a tweet, VP of Integrity Guy Rosen said: "We're on this -- this is a bug in an anti-spam system, unrelated to any changes in our content moderator workforce. We're in the process of fixing and bringing all these posts back."
AI

Surveillance Company Says It's Deploying 'Coronavirus-Detecting' Cameras In US (vice.com)

An Austin, Texas based technology company is launching "artificially intelligent thermal cameras" that it claims will be able to detect fevers in people, and in turn send an alert that they may be carrying the coronavirus. Motherboard reports: Athena Security is pitching the product to be used in grocery stores, hospitals, and voting locations. It claims to be deploying the product at several customer locations over the coming weeks, including government agencies, airports, and large Fortune 500 companies. "Our Fever Detection COVID19 Screening System is now a part of our platform along with our gun detection system which connects directly to your current security camera system to deliver fast, accurate threat detection," Athena's website reads. Athena previously sold software that it claims can detect guns and knives in video feeds and then send alerts to an app or security system.

"The AI detects it, and it says I have a 99.5 degrees temperature. It notices that I have a fever, and that I am infected," an Athena employee says during a video demonstration of the product. "Since higher temperature is one of the first symptoms, these cameras can be life-saving, warning the person that they could have the virus and encouraging that person to take serious steps to self-quarantine," the representative added in an email, suggesting that the company could deploy them at polling locations. "Although many voters today are bound to get it, steps in the coming weeks could prevent them from spreading the bug to loved ones and strangers alike." The representative claimed that the software is accurate within half a degree and that it detects a dozen different parts on the body. They added the system has "no facial recognition, no personal tracking."

Transportation

New Supercar Technology Does Away With Windshields (livemint.com)

The Wall Street Journal reports on a new technology being developed by McLaren Technology Centre for its "Elva," a multi-million dollar, 804-horsepower two-seat roadster.

It doesn't have a windshield... In place of a windscreen, Elva will debut a technology called Active Air Management System (AAMS). When engaged, it generates two air flows streaming over the cockpit: One glances off the low, curvaceous wind deflector rising out of the front bodywork, with an energy proportional to vehicle speed. The other airflow is scooped up in a low-mounted grille intake and turned 135 degrees. Now ducted up and slightly forward, this high pressure flow intercepts the deflected airflow, bending the combined flows over the cockpit. Meanwhile, streaming air clinging to the hood wants to be drawn down, below face level, following the Elva's curving scuttle and dash.

And so the Elva's historically unique, eye-of-the-hurricane gestalt: Driver and passenger motoring at highway speeds, talking at normal volume, as warm or as cool as desired and, looking out, seeing nothing... but scenery. No helmet limiting their peripheral vision as if looking through a well-padded porthole, stifling breath and sense of smell. And no heavy, roof-supporting "A" pillars either, which clumsily bracket existence in almost all modern cars. The Elva is the motoring equivalent of a horizonless pool.

Under the right conditions the Elva's system can billow precipitation out of the way, over the car, so the occupants stay dry. Heading up the mountain to Gstaad? With the AAMS active, falling snow will swirl past but never settle... What about bugs? I asked. Will they be deflected too? "It depends on the mass of the bug," said Andrew Kay, Elva project chief engineer, being completely serious. What about stones thrown up by trucks? Overtalk...inaudible... In any event, McLaren expects all occupants will be wearing helmets on piste and will only engage the AAMS bareheaded at moderate speeds...

At 60 mph, the wind was so still I could have lit a cigarette.

Microsoft

Microsoft Patches SMBv3 Wormable Bug That Leaked Earlier this Week (zdnet.com)

Microsoft today released a patch for a vulnerability in the SMBv3 protocol that accidentally leaked online earlier this week during the March 2020 Patch Tuesday preamble. From a report: The fix is available as KB4551762, an update for Windows 10, versions 1903 and 1909, and Windows Server 2019, versions 1903 and 1909. The update fixes CVE-2020-0796, a vulnerability in Server Message Block, a protocol for sharing files, printers, and other resources on local networks and the Internet. The bug allows attackers to connect to remote systems where the SMB service is enabled and run malicious code with SYSTEM privileges, allowing for remote takeovers of vulnerable systems. Earlier this week, due to what looks like a miscommunication between Microsoft and some antivirus vendors, details about this bug leaked online.
Open Source

FSF Plans to Launch 'Forge', a Code-Hosting/Collaboration Platform (fsf.org)

An anonymous reader quotes SD Times: The Free Software Foundation (FSF) announced plans to launch a public code hosting and collaboration platform ("forge") this year. Members of the FSF tech team are currently reviewing ethical web-based software that will help teams work on their projects, with features like merge requests, bug tracking, and other common tools.

"Infrastructure is very important for free software, and it's unfortunate that so much free software development currently relies on sites that don't publish their source code, and require or encourage the use of proprietary software," FSF wrote in a blog post. "Our GNU ethical repository criteria aim to set a high standard for free software code hosting, and we hope to meet that with our new forge."

As of now, the team said it has been researching a list of candidate programs and analyzing them in terms of ethical and practical criteria.

The FSF blog post adds that "We plan on contributing improvements upstream for the new forge software we choose, to boost its score on those criteria...

"We'll communicate with the upstream developers to request improvements and help clarify any questions related to the ethical repository criteria."
Intel

Intel CSME Bug Worse Than Previously Thought (zdnet.com)

Security researchers say that a bug in one of Intel's CPU technologies that was patched last year is actually much worse than previously thought. From a report: "Most Intel chipsets released in the last five years contain the vulnerability in question," said Positive Technologies in a report published today. Attacks are impossible to detect, and a firmware patch only partially fixes the problem. To protect devices that handle sensitive operations, researchers recommend replacing CPUs with versions that are not impacted by this bug. Only the latest Intel 10th generation chips are not vulnerable, researchers said. The actual vulnerability is tracked as CVE-2019-0090, and it impacts the Intel Converged Security and Management Engine (CSME), formerly called the Intel Management Engine BIOS Extension (Intel MEBx).
Security

Let's Encrypt Discovers CAA Bug, Must Revoke Customer Certificates (arstechnica.com)

rufey writes: The free SSL certificate provider Let's Encrypt is going to revoke 2.6% of the SSL certs issued by them that are currently active, due to a bug in boulder, the Certificate Authority Authorization (CAA) software Let's Encrypt uses. Ars Technica reports: "Let's Encrypt uses Certificate Authority software called Boulder. Typically, a Web server that services many separate domain names and uses Let's Encrypt to secure them receives a single LE certificate that covers all domain names used by the server rather than a separate cert for each individual domain. The bug LE discovered is that, rather than checking each domain name separately for valid CAA records authorizing that domain to be renewed by that server, Boulder would check a single one of the domains on that server n times (where n is the number of LE-serviced domains on that server). Let's Encrypt typically considers domain validation results good for 30 days from the time of validation -- but CAA records specifically must be checked no more than eight hours prior to certificate issuance. The upshot is that a 30-day window is presented in which certificates might be issued to a particular Web server by Let's Encrypt despite the presence of CAA records in DNS that would prohibit that issuance.

Since Let's Encrypt finds itself in the unenviable position of possibly having issued certificates that it should not have, it is revoking all current certificates that might not have had proper CAA record checking on Wednesday, March 4. Users whose certificates are scheduled to be revoked will need to manually force renewal before then. If an admin does not perform this manual renewal step, browsers reaching their websites will show TLS security warnings due to the revoked certificates. Let's Encrypt certificates are issued for 90-day intervals, and Certbot automatically renews them only when 30 days or less are left on the cert -- so this could mean roughly two months of browser errors if the manual forced renewal isn't performed."

The CAB Forum, which oversees the public CAA space, has a ticket for this specific issue.
According to a community post on Let's Encrypt's website, 3,048,289 of the ~116 million overall active Let's Encrypt certificates are affected.
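The checking logic Ars describes, modelled in Python as an added example that is not Boulder's or Let's Encrypt's code: a constructed CAA table stands in for DNS, `buggy_caa_recheck` reproduces the "same domain n times" loop beside its corrected form, and the 30-day validation window and 8-hour CAA window decide when a re-check is owed before issuance.

```python
# Added example, not Let's Encrypt / Boulder code. All data below is constructed.

# Constructed CAA data standing in for DNS: domain -> issuer tags permitted
# to issue. A missing key means no CAA record at all, which permits issuance.
CONSTRUCTED_CAA = {
    "alpha.example": {"letsencrypt.org"},
    "beta.example": {"other-ca.example"},   # authorizes a different CA only
}

CA_ISSUER_TAG = "letsencrypt.org"          # issuer domain Let's Encrypt matches on
CAA_MAX_AGE_HOURS = 8                      # CAA must be checked within 8 h of issuance
VALIDATION_MAX_AGE_HOURS = 30 * 24         # a domain validation is reusable for 30 days


def caa_permits(domain, caa_table):
    """True if the CAA record set for `domain` permits CA_ISSUER_TAG to issue.

    A real lookup walks up the DNS tree to the closest ancestor carrying CAA
    records; the constructed table is flat, so only the exact name is consulted.
    """
    records = caa_table.get(domain)
    return records is None or CA_ISSUER_TAG in records


def buggy_caa_recheck(domains, caa_table):
    """Model of the defect: the loop runs n times but always re-checks domains[0]."""
    verdicts = []
    for _ in domains:
        verdicts.append(caa_permits(domains[0], caa_table))
    return all(verdicts)


def fixed_caa_recheck(domains, caa_table):
    """Corrected check: every name in the request is checked on its own."""
    return all(caa_permits(d, caa_table) for d in domains)


def authorization_action(age_hours):
    """What a CA may do with a cached domain validation of the given age."""
    if age_hours > VALIDATION_MAX_AGE_HOURS:
        return "revalidate"     # validation expired; full re-validation required
    if age_hours > CAA_MAX_AGE_HOURS:
        return "recheck-caa"    # validation reusable, but CAA must be re-queried
    return "reuse"              # both the validation and its CAA check are fresh


def issuance_decision(domains, age_hours, caa_table, checker):
    """Combine the reuse windows with a per-request CAA checker (buggy or fixed)."""
    action = authorization_action(age_hours)
    if action == "revalidate":
        return "deny"
    if action == "recheck-caa" and not checker(domains, caa_table):
        return "deny"
    return "issue"


if __name__ == "__main__":
    # A cert request covering two names, 10 days after validation: inside the
    # 30-day reuse window, so only the CAA re-check stands between it and issuance.
    request = ["alpha.example", "beta.example"]
    for name, checker in (("buggy", buggy_caa_recheck), ("fixed", fixed_caa_recheck)):
        print(name, issuance_decision(request, 10 * 24, CONSTRUCTED_CAA, checker))
```

With the buggy checker, beta.example's CAA record forbidding Let's Encrypt is never consulted and the request is issued; the fixed checker denies it.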
The Almighty Buck

Robinhood Glitch Steals From the Poor, Gives To the Rich (yahoo.com)

theodp writes: On its Careers page, zero-commission online broker Robinhood explains its founders "decided it was more important to build products that would provide everyone with access to the financial markets, not just the wealthy. Two years after heading to New York, they moved back to California and built Robinhood -- a company that leverages technology to encourage everyone to participate in our financial system." But on Monday, at least, the advantage went to the wealthy. Bloomberg reports that Robinhood suffered an outage that lasted the entire U.S. trading day and prevented customers from making trades as stocks surged after last week's rout (status). Just another reminder that we're all just one technology fail away from chaos.
Intel

Chasing AMD, Intel Promises Full Memory Encryption in Upcoming CPUs (arstechnica.com)

"Intel's security plans sound a lot like 'we're going to catch up to AMD,'" argues FOSS advocate and "mercenary sysadmin" Jim Salter at Ars Technica, citing a "present-and-future" presentation by Anil Rao and Scott Woodgate at Intel's Security Day that promised a future with Full Memory Encryption but began with Intel SGX (launched with the Skylake microarchitecture in 2015).

Salter describes SGX as "one of the first hardware encryption technologies designed to protect areas of memory from unauthorized users, up to and including the system administrators themselves." SGX is a set of x86_64 CPU instructions which allows a process to create an "enclave" within memory which is hardware encrypted. Data stored in the encrypted enclave is only decrypted within the CPU -- and even then, it is only decrypted at the request of instructions executed from within the enclave itself. As a result, even someone with root (system administrator) access to the running system can't usefully read or alter SGX-protected enclaves. This is intended to allow confidential, high-stakes data processing to be safely possible on shared systems -- such as cloud VM hosts. Enabling this kind of workload to move out of locally owned-and-operated data centers and into massive-scale public clouds allows for less expensive operation as well as potentially better uptime, scalability, and even lower power consumption.

Intel's SGX has several problems. The first and most obvious is that it is proprietary and vendor-specific -- if you design an application to utilize SGX to protect its memory, that application will only run on Intel processors... Finally, there are potentially severe performance impacts to utilization of SGX. IBM's Danny Harnik tested SGX performance fairly extensively in 2017, and he found that many common workloads could easily see a throughput decrease of 20 to 50 percent when executed inside SGX enclaves. Harnik's testing wasn't 100 percent perfect, as he himself made clear -- in particular, in some cases his compiler seemed to produce less-optimized code with SGX than it had without. Even if one decides to handwave those cases as "probably fixable," they serve to highlight an earlier complaint -- the need to carefully develop applications specifically for SGX use cases, not merely flip a hypothetical "yes, encrypt this please" switch....

After discussing real-world use of SGX, Rao moved on to future Intel technologies -- specifically, full-memory encryption. Intel refers to its version of full-memory encryption as TME (Total Memory Encryption) or MKTME (Multi-Key Total Memory Encryption). Unfortunately, those features are vaporware for the moment. Although Intel submitted an enormous Linux kernel patchset last May for enabling those features, there are still no real-world processors that offer them... This is probably a difficult time to give exciting presentations on Intel's security roadmap. Speculative prediction vulnerabilities have hurt Intel's processors considerably more than their competitors', and the company has been beaten significantly to market by faster, easier-to-use hardware memory encryption technologies as well. Rao and Woodgate put a brave face on things by talking up how SGX has been and is being used in Azure. But it seems apparent that the systemwide approach to memory encryption already implemented in AMD's Epyc CPUs -- and even in some of their desktop line -- will have a far greater lasting impact.

Intel's slides about their own upcoming full memory encryption are labeled "innovations," but they look a lot more like catching up to their already-established competition.

Security

Ghostcat Bug Impacts All Apache Tomcat Versions Released in the Last 13 Years (zdnet.com)

Apache Tomcat servers released in the last 13 years are vulnerable to a bug named Ghostcat that can allow hackers to take over unpatched systems. From a report: Discovered by Chinese cybersecurity firm Chaitin Tech, Ghostcat is a flaw in the Tomcat AJP protocol. AJP stands for Apache JServ Protocol and is a performance-optimized version of the HTTP protocol in binary format. Tomcat uses AJP to exchange data with nearby Apache HTTPD web servers or other Tomcat instances. Tomcat's AJP connector is enabled by default on all Tomcat servers and listens on the server's port 8009. Chaitin researchers say they discovered a bug in AJP that can be exploited to either read or write files to a Tomcat server.
Businesses

Facebook Sues SDK Maker OneAudience For Secretly Harvesting User Data (zdnet.com)

Facebook today filed a federal lawsuit in a California court against OneAudience, a New Jersey-based data analytics firm. From a report: The social networking giant claims that OneAudience paid app developers to install its Software Development Kit (SDK) in their apps, and later used the control it had over the SDK's code to harvest data on Facebook users. According to court documents obtained by ZDNet, the SDK was embedded in shopping, gaming, and utility-type apps, some of which were made available through the official Google Play Store. "After a user installed one of these apps on their device, the malicious SDK enabled OneAudience to collect information about the user from their device and their Facebook, Google, or Twitter accounts, in instances where the user logged into the app using those accounts," the complaint reads. "With respect to Facebook, OneAudience used the malicious SDK -- without authorization from Facebook -- to access and obtain a user's name, email address, locale (i.e. the country that the user logged in from), time zone, Facebook ID, and, in limited instances, gender," Facebook said. Twitter was the first to expose OneAudience's secret data harvesting practices, on November 26 last year.
Security

PayPal Accounts Are Getting Abused En Masse For Unauthorized Payments (zdnet.com)

Hackers have found a bug in PayPal's Google Pay integration and are now using it to carry out unauthorized transactions via PayPal accounts. From a report: Since last Friday, users have reported seeing mysterious transactions pop up in their PayPal history as originating from their Google Pay account. Issues have been reported on numerous platforms, such as PayPal's forums, Reddit, Twitter, and Google Pay's Russian and German support forums. Victims reported that hackers abused Google Pay accounts to buy products using linked PayPal accounts. According to screenshots and various testimonies, most of the illegal transactions are taking place at US stores, and especially at Target stores across New York. Most of the victims appear to be German users.
Security

HackerOne's Bug Bounties Skyrocketed To $40 Million in 2019 (venturebeat.com)

Bug bounty platform HackerOne paid out $40 million in bounties in 2019, roughly equal to the total for all previous years combined. From a report: Moreover, the company announced that its community almost doubled in the past year to 600,000 registered hackers. The announcement comes as the cybersecurity industry struggles with a workforce shortage, which is in turn compounded by growing cyberattacks that could cost the industry $6 trillion by 2021. As companies invest significant resources in battling external threats, HackerOne aims to pay good actors to find bugs before bad actors enter the fray, reducing the need for costly remediation measures further down the line.

Founded in 2012, HackerOne essentially connects companies with security researchers, or "white hat hackers," who receive cash incentives to find and report software vulnerabilities. The San Francisco-based company has raised north of $100 million since its inception, including a $36.4 million tranche a few months back, and has paid out $82 million in bounties since its inception. According to HackerOne, U.S.-based hackers earned 19% of all bounties in 2019, followed by hackers in India (10%), Russia (8%), China (7%), Germany (5%), and Canada (4%). These figures were released as part of HackerOne's annual hacker report, which included a survey of 3,150 hackers.

Databases

Powerful Antibiotic Discovered Using Machine Learning For First Time (theguardian.com)

A powerful antibiotic that kills some of the most dangerous drug-resistant bacteria in the world has been discovered using artificial intelligence. The Guardian reports: To find new antibiotics, the researchers first trained a "deep learning" algorithm to identify the sorts of molecules that kill bacteria. To do this, they fed the program information on the atomic and molecular features of nearly 2,500 drugs and natural compounds, and how well or not the substance blocked the growth of the bug E coli. Once the algorithm had learned what molecular features made for good antibiotics, the scientists set it working on a library of more than 6,000 compounds under investigation for treating various human diseases. Rather than looking for any potential antimicrobials, the algorithm focused on compounds that looked effective but unlike existing antibiotics. This boosted the chances that the drugs would work in radical new ways that bugs had yet to develop resistance to.

Jonathan Stokes, the first author of the study, said it took a matter of hours for the algorithm to assess the compounds and come up with some promising antibiotics. One, which the researchers named "halicin" after Hal, the astronaut-bothering AI in the film 2001: A Space Odyssey, looked particularly potent. Writing in the journal Cell, the researchers describe how they treated numerous drug-resistant infections with halicin, a compound that was originally developed to treat diabetes, but which fell by the wayside before it reached the clinic. Tests on bacteria collected from patients showed that halicin killed Mycobacterium tuberculosis, the bug that causes TB, and strains of Enterobacteriaceae that are resistant to carbapenems, a group of antibiotics that are considered the last resort for such infections. Halicin also cleared C difficile and multidrug-resistant Acinetobacter baumannii infections in mice.
Three days after being set loose on a database of about 1.5 billion compounds, the algorithm returned a shortlist of 23 potential antibiotics, of which two appear to be particularly potent.

"[The senior researcher] now wants to use the algorithm to find antibiotics that are more selective in the bacteria they kill," adds The Guardian. "This would mean that taking the antibiotic kills only the bugs causing an infection, and not all the healthy bacteria that live in the gut. More ambitiously, the scientists aim to use the algorithm to design potent new antibiotics from scratch."
Bug

Bug In WordPress Plugin Can Let Hackers Wipe Up To 200,000 Sites (zdnet.com)

An anonymous reader quotes a report from ZDNet: WordPress site owners who use commercial themes provided by ThemeGrill are advised to update one of the plugins that come installed with these themes in order to patch a critical bug that can let attackers wipe their sites. The vulnerability resides in ThemeGrill Demo Importer, a plugin that ships with themes sold by ThemeGrill, a web development company that sells commercial WordPress themes. The plugin, which is installed on more than 200,000 sites, allows site owners to import demo content inside their ThemeGrill themes so they'll have examples and a starting point on which they can build their own sites.

However, in a report published yesterday, WordPress security firm WebARX says that older versions of the ThemeGrill Demo Importer are vulnerable to remote attacks from unauthenticated attackers. Remote hackers can send a specially crafted payload to vulnerable sites and trigger a function inside the plugin. The vulnerable function resets the site's content to zero, effectively wiping the content of all WordPress sites where a ThemeGrill theme is active, and the vulnerable plugin is installed. Furthermore, if the site's database contains a user named "admin," then the attacker is granted access to that user with full administrator rights over the site.

Windows

Warning: Microsoft Pulls Windows 10 Security Update After Reports of Serious Bugs (forbes.com)

Slashdot reader golden_donkey quotes Forbes: Are you booting up your Windows 10 machine and discovering you can't log in to your profile? It appears you're not alone. Reports are increasing across Twitter and Microsoft forums that following the most recent Patch Tuesday update (KB4532693), users are complaining that their profiles and desktop files are missing, and that custom icons and wallpaper have all been reset to their default state...

The KB4532693 update is allegedly causing much more serious headaches for some users. A newer report by Windows Latest cites multiple users in their comments section complaining that the data is nowhere to be found and allegedly not recoverable.

Microsoft has now "yanked KB4524244 from its update servers..." reports ZDNet, "after acknowledging reports of 'an issue affecting a sub-set of devices.'" Microsoft says customers who have successfully installed the update don't need to take any further steps. Those who have configured PCs to defer installation of updates by at least four days should also be unaffected.

For those who are experiencing issues related to this update, Microsoft recommends uninstalling the update.

Forbes also shared a video "on a related note." Its title? "How To Choose A Linux Distro That's Right For You..."