"In a message to the OpenJDK community, Bruno Borges announced that Microsoft has now formally signed the Oracle Contributor Agreement and has been welcomed to the Java community," reports JAXenter: He went on to reaffirm Microsoft's commitment to Java and that the team is looking forward to giving something back to the Java community. However, the team will not just barge in with a heavy hand, but will start with smaller bug fixes and the like so they can learn how to be "good citizens within OpenJDK."

Borges, himself a former Oracle developer, is Principal Product Manager for Java at Microsoft. He presents Martijn Verburg as the Java engineering team lead who will be working together along with other partners in the Java ecosystem. Verburg is also CEO of jClarity, a leading AdoptOpenJDK contributor acquired by Microsoft in August this year, so presumably he will stay true to form and continue to contribute to the Java world, only now with Microsoft at his back...

Microsoft's acquisition of jClarity was just the latest in their efforts to gain a foothold in the Java community. There are many Java developers and Java champions who now practice their trade under Microsoft's banner... At JAX London a few weeks ago, Program Chair Sebastian Meyen opened the conference by giving a speech in which he said "Microsoft is now a Java shop". He sees this as a great development, as "it's always good when industry giants stand behind Java."

Yesterday, on late Halloween night, Google engineers delivered the best scare of the evening and released an urgent update for the Chrome browser to patch an actively exploited zero-day. From a report: "Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild," Google engineers said in a blog post announcing the new v78.0.3904.87 release. The actively-exploited zero-day was described as a use-aster-free bug in Chrome's audio component. Use-after-free vulnerabilities are memory corruption bugs that occur when an application tries to reference memory that was previously assigned to it but has been freed or deleted in the meantime. This usually causes a program to crash, but can also sometimes lead to other, unintended consequences, such as code execution scenarios. Google credited Anton Ivanov and Alexey Kulaev, two malware researchers from Kaspersky, with reporting the issue. According to a blog post published after this article's publication, Kaspersky said the zero-day was being used to install malware on user devices. It was being deployed on user devices via a Korean-language news portal.

Apple's iOS 13 has had a rocky start since its release last month, with it being among the most buggy Apple software releases in recent memory. Now, iPhone owners are complaining of yet another issue that may be bug-related. From a report: A growing number of iPhone and iPad users have complained about poor RAM management on iOS 13 and iPadOS 13, leading to apps like Safari, YouTube, and Overcast reloading more frequently upon being reopened. We've lightly edited some of the comments to correct things like capitalization.

A bug in Apple's App Store removed more than 20 million ratings from apps both big and small. "The issue began on October 23, 2019 and wasn't resolved until yesterday, October 29," reports TechCrunch. "Apple hasn't yet explained how such a sizable and impactful change to app ratings occurred." From the report: This massive ratings drop was spotted by the mobile app insights platform Appfigures. The firm found that more than 300 apps from over 200 developers were affected by the sweep, which wiped out a total of 22 million app reviews from the App Store. On average, apps saw a 50% decrease in ratings in the affected countries, which included the U.S.

The U.S. was hit the hardest, however, as some 10 million ratings disappeared. But the sweep was global in nature, hitting all 155 countries Apple supports. China, the U.K., South Korea, Russia and Australia also felt a noticeable impact. A few apps were hit harder than others. Hulu, for example, lost a whopping 95% of ratings in the U.S., while Dropbox and Chase lost 85%. Several companies affected by the bug declined to comment, but told us that the rating removals weren't done at their request -- they were just as surprised as everyone else. Of the more than 300 apps that got hit, about half (154) saw a drop of more than 100 ratings, Appfigures said. Some of the impacted companies (and Appfigures) confirmed to TechCrunch the missing ratings were restored as of yesterday.

An anonymous reader quotes a report from TechCrunch: An amateur radio rig exposed to the internet and discovered by a security researcher was collecting real-time medical data and health information broadcast by hospitals and ambulances across U.K. towns and cities. The rig, operated out of a house in North London, was picking up radio waves from over the air and translating them into readable text. The hobbyist's computer display was filling up with messages about real-time medical emergencies from across the region. For some reason, the hobbyist had set up an internet-connected webcam pointed at the display. But because there was no password on the webcam, anyone who knew where to look could also see what was on the rig's computer display.

Daley Borda, a security researcher and bug bounty hunter, stumbled upon the exposed webcam. The live stream was grainy, and the quality of the images so poor that it was just possible to make out the text on the display. "You can see details of calls coming in -- their name, address, and injury," he told TechCrunch. TechCrunch verified his findings. Messages spilling across the screen appeared to direct nearby ambulances where to go following calls to the 999 emergency services. One message said a 98-year-old man had fallen at his home address. A few moments later, another message said a 49-year-old male was complaining of chest pains at a nearby residence. One after the other, messages were flooding in, describing accidents, incidents and medical emergencies, often including their home addresses. "The hobbyist was picking up and decoding pager communications from a nearby regional National Health Service trust," adds TechCrunch. These devices remain a fixture in UK hospitals and "allow anyone to send messages to one or many pagers at once by calling a dedicated phone number, often manned by an operator, which are then broadcast as radio waves over the pager network."

While the NHS still uses about 130,000 pagers, according to the UK government, it's not clear how many trusts are exposing medical information -- if at all.

nickwinlund77 shares this story from ZDNet: A recently patched security flaw in modern versions of the PHP programming language is being exploited in the wild to take over servers, ZDNet has learned from threat intelligence firm Bad Packets. The vulnerability is a remote code execution (RCE) in PHP 7, the newer branch of PHP, the most common programming language used to build websites.

The issue, tracked as CVE-2019-11043, lets attackers run commands on servers just by accessing a specially-crafted URL. Exploiting the bug is trivial, and public proof-of-concept exploit code has been published on GitHub earlier this week. Only NGINX servers with PHP-FPM enabled are vulnerable. PHP-FPM, or FastCGI Process Manager, is an alternative PHP FastCGI implementation with some additional features, and according to reports, a common server configuration option.

SmartAboutThings tipped us off to an interesting bug reported by ZDNet Thursday: For the fourth time in three months, a Symantec security product is crashing user apps, and this time it's the latest Chrome release, v78, which rolled out earlier this week, on Tuesday, October 22. According to reports on Reddit [1, 2] the Google support forums [1, 2], and in comments on the official Google Chrome blog, Symantec Endpoint Protection 14 is crashing Chrome 78 instances with an "Aw, Snap! Something went wrong while displaying this webpage" error... The errors have been plaguing users for the past two days, with the vast majority of reports coming from enterprise environments, where SEP installs are more prevalent....

According to the antivirus maker, the issues are only affecting SEP 14 users on Windows 10 RS1, Windows Server 2012, and Windows Server 2016 operating systems. Symantec users on other OS versions can fix this by updating to the latest SEP 14.2 release. Users of Microsoft Edge Chromium are also impacted, but the Chromium-based Edge version has not been officially released; hence there are almost no users impacted by this issue in the real world...

Symantec blamed the issue on Microsoft's Code Integrity security feature, which Google uses to protect the Chrome browser process. As a temporary solution, Symantec recommends that users exclude Chrome from receiving protection from their antivirus product, or modify their Chrome clients, so the browser starts without Code Integrity protections. However, this opens the browser to various attacks and is not recommended as long as users can simply use another browser until this is fixed.
ZDNet adds that the issue "should have not surprised Symantec staff, who received early warnings about this more than three months ago, according to a bug report filed in early August while Chrome 78 was still in testing in the Canary channel."

David Shayer, who worked as a software engineer at Apple for 18 years across iPod, the Apple Watch, and Apple's bug-tracking system Radar, among other projects, looks at the current iOS and macOS releases and tries to work out why they are so buggy. He writes: 1. Overloaded Feature Lists Lead to Schedule Chicken: Apple is aggressive about including significant features in upcoming products. Tight schedules and ambitious feature sets mean software engineers and quality assurance (QA) engineers routinely work nights and weekends as deadlines approach. Inevitably some features are postponed for a future release, as we saw with iCloud Drive Folder Sharing. In a well-run project, features that are lagging behind are cut early, so engineers can devote their time to polishing the features that will actually ship. But sometimes managers play "schedule chicken" since no one wants to admit in the departmental meeting that their part of the project is behind. Instead, they hope someone else working on another aspect of that feature is running even later, so they reap the benefit of the feature being delayed without taking the hit of being the one who delayed it. But if no one blinks, engineers continue to work on a feature that can't possibly be completed in time and that eventually gets pushed off to a future release.

2. Crash Reports Don't Identify Non-Crashing Bugs: If you have reporting turned on (which I recommend), Apple's built-in crash reporter automatically reports application crashes, and even kernel crashes, back to the company. A crash report includes a lot of data. Especially useful is the stack trace, which shows exactly where the code crashed, and more importantly, how it got to that point. A stack trace often enables an engineer to track down the crash and fix it. Crash reports are uniquely identified by the stack trace. The same stack trace on multiple crash reports means all those users are seeing the same crash. The crash reporter backend sorts crash reports by matching the stack traces, and those that occur most often get the highest priority. Apple takes crash reports seriously and tries hard to fix them. As a result, Apple software crashes a lot less than it used to. Unfortunately, the crash reporter can't catch non-crashing bugs. It's blind to the photos that never upload to iCloud, the contact card that just won't sync from my Mac to my iPhone, the Time Capsule backups that get corrupted and have to be restarted every few months, and the setup app on my new iPhone 11 that got caught in a loop repeatedly asking me to sign in to my iCloud account, until I had to call Apple support. (These are all real problems I've experienced.) Shayer has offered several more possible explanations in the original post.

Long-time Slashdot reader Kekke shared this article from Ars Technica: A potentially serious vulnerability in Linux may make it possible for nearby devices to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher said.

The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013...

The vulnerability is tracked as CVE-2019-17666. Linux developers proposed a fix on Wednesday that will likely be incorporated into the OS kernel in the coming days or weeks. Only after that will the fix make its way into various Linux distributions.

Nico Waisman, who is a principal security engineer at Github [and discovered the bug] said he has not yet devised a proof-of-concept attack that exploits the vulnerability in a way that can execute malicious code on a vulnerable machine. "I'm still working on exploitation, and it will definitely... take some time (of course, it might not be possible)," he wrote in a direct message. "On paper, [this] is an overflow that should be exploitable. Worst-case scenario, [this] is a denial of service; best scenario, you get a shell."
The article notes that the flaw "can't be triggered if Wi-Fi is turned off or if the device uses a Wi-Fi chip from a different manufacturer."

Twitter user Kevin Bradley discovered a Lightning port hidden in the Apple TV 4K's ethernet port. There's a number of theories for why the port exists, but one of the more logical explanations is that it's simply there for Apple to use for debugging. 9to5Mac reports: While earlier Apple TV models had Micro USB and USB-C, the Apple TV 4K dropped all outwardly-facing ports other than Ethernet and HDMI. Under the hood, however, there's a hidden Lightning port, as Bradley discovered. The Lightning port is hidden in the ethernet connector on the Apple TV 4K. Bradley teased on Twitter: "None of us looked THAT closely to the hardware of the AppleTV 4K and the magic locked in the ethernet port until fairly recently."

As for getting the Lightning port itself to work, Steven Barker said in a tweet that this is proving to be "difficult." The Lightning port is stuck at the very back of the ethernet port. Ultimately, it's not really clear what the Lightning port discovery could mean. One thing it could lead towards is the expansion of jailbreak capabilities for the Apple TV 4K, though Bradley cautions: "Just because we know it's lightning doesn't mean anything past that. Just because we find a way in doesn't mean anything will DEFINITELY be released due to what we discover. The barrier for entry might be way too high."

Scientists have uncovered a glitch in a piece of code that could have yielded incorrect results in over 100 published studies that cited the original paper. From a report: The glitch caused results of a common chemistry computation to vary depending on the operating system used, causing discrepancies among Mac, Windows, and Linux systems. The researchers published the revelation and a debugged version of the script, which amounts to roughly 1,000 lines of code, last week in the journal Organic Letters. "This simple glitch in the original script calls into question the conclusions of a significant number of papers on a wide range of topics in a way that cannot be easily resolved from published information because the operating system is rarely mentioned," the new paper reads. "Authors who used these scripts should certainly double-check their results and any relevant conclusions using the modified scripts in the [supplementary information]." Yuheng Luo, a graduate student at the University of Hawai'i at Manoa, discovered the glitch this summer when he was verifying the results of research conducted by chemistry professor Philip Williams on cyanobacteria. The aim of the project was to "try to find compounds that are effective against cancer," Williams said.

An anonymous reader shares a report: More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The NSA dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for "most overhyped bug" and "most epic fail." And no follow-up reporting has yet affirmed its central premise.

But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off -- just a motivated hardware hacker with the right access and as little as $200 worth of equipment.

Long-time Slashdot reader Artem S. Tashkinov quotes Wired: More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The NSA dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for "most overhyped bug" and "most epic fail." And no follow-up reporting has yet affirmed its central premise.

But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off -- just a motivated hardware hacker with the right access and as little as $200 worth of equipment.

An anonymous reader quotes a report from Ars Technica: Comcast's data-usage meter gave thousands of customers inaccurate readings for two months because of a software bug, causing the broadband provider to incorrectly charge about 2,000 users for exceeding their monthly data caps. Comcast has admitted the error and told Ars it is giving refunds and additional credits of $50 each to customers who paid data overage fees that shouldn't have been assessed.

Comcast engineers found that the problem began after the company started rolling out a new billing system in early August. The data meter was apparently still collecting accurate data, but the numbers were being reported in the new billing system incorrectly. Comcast said it's still trying to figure out if the bug is in the meter software, the billing software, or in the interaction between the two. What Comcast knows for certain, the spokesperson said, is that the problem was fixed when it rolled back to the previous version of its billing software on October 2. Comcast's statement to Ars said: "While updating our data usage meter to a new system, a software error occurred resulting in a small number of our customers being billed incorrectly. We're very sorry for inconveniencing our customers and here's what we're doing to address it: We fixed the technical issue, we're proactively crediting the accounts affected, and we're giving those customers an additional $50 credit to make it right."

"On Friday, Gizmodo uncovered shocking new evidence that Facebook is using its platform to suppress stories about CEO Mark Zuckerberg..." reports Gizmodo, adding "or maybe his janky, busted-ass website is just bugging out again for no reason. It's hard to say, really. That's sort of the problem..." For some reason, a story about Zuckerberg we posted to our Facebook page was hidden from many readers. The post was fully visible through web browsers in incognito mode, but an unclear percentage of users were told, "Sorry, this content is not available," when they tried to view it while signed in. In short, lots of people (including several Gizmodo staffers and at least one of their parents) could not see the story.

By Friday afternoon, the issue seemed to resolve itself just as mysteriously. Was it a bug, a moderation error, or something more nefarious? Personally, I find it hard to imagine Zuckerberg furiously refreshing Gizmodo's page, just waiting to slam the giant red button on his desk labeled "WRONGTHINK." But it's easy to see why some people believe similar (if less cinematic) conspiracy theories. When Facebook acts strangely -- which is fairly often! -- users have to draw their own conclusions about what's happening. Like most big tech companies, Facebook doesn't offer a phone number to call if you're having issues. If you want a response from a social network about your specific problem, your best bet is to be a journalist, a celebrity, or someone else with the power to give headaches. To understand their experiences with social media, then, most people are left with two choices: trust the system (lol) or develop their own, potentially very wacky, explanations...

Some may believe -- as Zuckerberg himself seems to -- that companies like Facebook are just too big to explain every little thing they do to their millions of users. Maybe so, but is it any surprise, then, that no one fucking trusts them?

Microsoft appears to be porting its Edge browser to Linux, reports ZDNet: "We on the MS Edge Dev team are fleshing out requirements to bring Edge to Linux, and we need your help with some assumptions," wrote Sean Larkin, a member of Microsoft's Edge team....

Chrome, of course, is already available for Linux, so Microsoft should be able to deliver Chromium-based Edge to Linux distributions with minimal fuss.... [I]n June Microsoft Edge developers said there are "no technical blockers to keep us from creating Linux binaries" and that it is "definitely something we'd like to do down the road". Despite Chrome's availability on Linux, the Edge team noted there is still work to be done on the installer, updaters, user sync, and bug fixes, before it could be something to commit to properly.
Slashdot reader think_nix shared a link to the related survey that the Edge team has announced on Twitter. "If you're a dev who depends on Linux for dev, testing, personal browsing, please take a second to fill out this survey."

"Attackers are exploiting a zero-day vulnerability in Google's Android mobile operating system that can give them full control of at least 18 different phone models," reports Ars Technica, "including four different Pixel models, a member of Google's Project Zero research group said on Thursday night." The post also says there's evidence the vulnerability is being actively exploited.

An anonymous reader quotes Ars Technica: Exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content. "The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device," Stone wrote. "If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox...."

Google representatives wrote in an email: "Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue."

The use-after-free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14, without the benefit of a tracking CVE. That fix was incorporated into versions 3.18, 4.4, and 4.9 of the Android kernel. For reasons that weren't explained in the post, the patches never made their way into Android security updates.

A faulty Google Chrome update is likely to blame for the issue Monday that resulted in Mac Pro workstations being rendered unusable at a number of Hollywood studios. "We recently discovered that a Chrome update may have shipped with a bug that damages the file system on MacOS machines," the company wrote in a forum post. "We've paused the release while we finalize a new update that addresses the problem." Variety reports: Reports of Mac Pro workstations refusing to reboot started to circulate among video editors late Monday. At the time, the common denominator among impacted machines seemed to be the presence of Avid's Media Composer software. The issue apparently knocked out dozens of machines at multiple studios, with one "Modern Family" reporting that the show's entire editing team was affected. Avid's leadership updated users of its software throughout the day, advising them to back up their work and not to reboot their machines.

The real culprit was apparently a recent release of Google's Keystone software, which is included in its Chrome browser to automatically download updates of the browser. On computers that had Apple's System Integrity Protection disabled, the update corrupted the computer's file system, making it impossible to reboot. System Integrity Protection is an Apple technology that is meant to ensure that malicious software doesn't corrupt core system files. Google advised affected users on how to uninstall the Chrome update, and also suggested that most users may not be at risk at all. "If you have not taken steps to disable System Integrity Protection and your computer is on OS X 10.9 or later, this issue cannot affect you," the forum post reads. A possible connection to Chrome was first detailed on the Mr. Macintosh blog Tuesday afternoon. As for why several Hollywood studios were hit the hardest, one theory suggests it's because many of the video editors had to disable System Integrity Protection in order to work with external audio and video devices that are common in professional editing setups.

Variety also suggests that the hardware dongles used for licensing Avid may have played some role in the shut-downs.

Apple is warning users of a bug in iOS 13 and iPadOS involving third-party keyboards. From a report: In a brief advisory posted Tuesday, the tech giant said the bug impacts third-party keyboards which have the ability to request "full access" permissions. iOS 13 was released last week. Both iOS 13.1 and iPadOS 13.1, the new software version for iPads, are out today. Third-party keyboards can either run as standalone, or with "full access" they can talk to other apps or get internet access for additional features, like spell check. But "full access" also allows the keyboard maker to capture to its servers keystroke data or anything you type -- like emails, messages or passwords. This bug, however, may allow third-party keyboards to gain full access permissions -- even if it was not approved.

An anonymous reader quotes a report from The New York Times: AgriProtein is among a small number of start-ups that are using insect larvae to produce protein-rich ingredients for animal feed. This nascent industry could help feed a growing human population in a way that's less damaging to the environment. Protix opened one of the world's largest insect farms in June in the Netherlands, while other producers, including Enviroflight, Ynsect and AgriProtein, are building large facilities to turn billions of insects into animal protein every month. Large farming companies like Cargill and Wilbur-Ellis are also investing in this sector. By breeding insects in vertical farms, these companies can produce large amounts of feed in less space than traditional farms, their proponents say. Proponents say this industry makes sense from a biological standpoint because insects are part of the natural diet of many animals, especially chicken and fish.

Despite the possibilities, the insect protein industry faces many challenges. Regulatory hurdles have hampered its growth in Europe and the United States, where black soldier fly products can be used to feed poultry and some fish species but not other animals, and there is no regulatory approval for the use of other insect species for this purpose. But companies are confident that regulators in the United States will lift those restrictions soon. The report notes that black soldier fly larvae is favored by the "insect protein" industry because it "can become 200 times bigger after eating organic waste for 10 days."