Security

Tor Project To Fix Bug Used For DDoS Attacks On Onion Sites For Years (zdnet.com)

An anonymous reader writes: "The Tor Project is preparing a fix for a bug that has been abused for the past years to launch DDoS attacks against dark web (.onion) websites," reports ZDNet. "Barring any unforeseen problems, the fix is scheduled for the upcoming Tor protocol 0.4.2 release." The bug has been known to Tor developers for years, and has been used to launch Slowloris-like attacks on the web servers that run the Tor service supporting an .onion site. It works by opening many connections to the server and maxing out the CPU. Since Tor connections are CPU intensive because of the cryptography involved to support the privacy and anonymity of the network, even a few hundred connections are enough to bring down dark web portals. A tool to exploit the bug and to automate DDoS attacks has been around for four years, and has been used by hackers to extort dark web marketplaces all spring. At least two markets selling illegal products have shut down after refusing to pay attackers. To get the bug fixed, members of a dark web forum banded together and donated to the Tor Project to sponsor the bug's patch.
Microsoft

What Bill Gates Wishes More People Knew About Paul Allen (paulallen.com)

Microsoft's original co-founder Paul Allen was honored posthumously with a lifetime achievement award for philanthropy this week at the Forbes Philanthropy Summit.

Bill Gates remembers Allen as "one of the most intellectually curious people I've ever known," adding "I wish more people understood just how wide-ranging his giving was," and shared his remembrances at the ceremony: Later in life, Paul gave to a huge spectrum of issues that seem unrelated at first glance. He wanted to prevent elephant poaching, improve ocean health, and promote smart cities. He funded new housing for the homeless and arts education in the Puget Sound region. In 2014 alone, he supported research into the polio virus and efforts to contain the Ebola outbreak in West Africa -- all while standing up an amazing new institute for studying artificial intelligence.

If you knew him, the logic in Paul's portfolio is easy to see. He gave to the things that he was most interested in, and to the places where he thought he could have the most impact. Even though Paul cared about a lot of different things, he was deeply passionate about each of them.

There's a picture of a young Bill Gates in the eighth grade watching Paul Allen on a teletype terminal. "The only way for us to get computer time was by exploiting a bug in the system."

"We eventually got busted, but that led to our first official partnership between Paul and me: we worked out a deal with the company to use computers for free if we would identify problems. We spent just about all our free time messing around with any machine we could get our hands on." One day -- when Paul and I were both in Boston -- he insisted that I rush over to a nearby newsstand with him. He wanted to show me the cover of the January 1975 issue of Popular Electronics. It featured a new computer called the Altair 8800, which ran on a powerful new chip. I remember him holding up the cover and saying, "This is happening without us!"

Paul always wanted to push the boundaries of science. He did it when we were testing the limits of what a chip could do at Microsoft, and he continues to do it today -- even after he's gone -- through the work of the Allen Institute. When I first heard he was creating an organization to study brain science, I thought, "Of course...."

I wish Paul had gotten to see all of the good his generosity will do. He was one of the most thoughtful, brilliant, and curious people I've ever met....

I will miss him tremendously.

Security

Google Admits Bug Could Let People Spy On Nest Cameras (dailydot.com)

Google on Thursday confirmed that a bug in its Nest security cameras could have allowed users to be spied on. The Daily Dot reports: The issue was first raised by a user on Facebook who recently sold his Nest Cam Indoor yet was still able to access its feed. The problem involves Wink, an app that lets people manage multiple smart devices regardless of their developer. The Facebook user noted that despite carrying out a factory reset on his Nest camera before selling it, his Wink account remained connected to the device, allowing him to view snapshots of the buyer's live feed.

Wirecutter tested the vulnerability on its own Nest Cam by linking it to a Wink account and then performing a factory reset. The publication also found it was receiving "a series of still images snapped every several seconds" via its Wink account. "In simpler terms: If you buy and set up a used Nest indoor camera that has been paired with a Wink hub, the previous owner may have unfettered access to images from that camera," Wirecutter says. "And we currently don't know of any cure for this problem."

Google responded to the report and said it has fixed the problem. "We were recently made aware of an issue affecting some Nest cameras connected to third-party partner services via Works with Nest," a spokesperson told Wirecutter. "We've since rolled out a fix for this issue that will update automatically, so if you own a Nest camera, there's no need to take any action."
Security

Firefox Zero-Day Was Used In Attack Against Coinbase Employees, Not Its Users (zdnet.com)

An anonymous reader writes: A recent Firefox zero-day that has made headlines across the tech news world this week was actually used in attacks against Coinbase employees, and not the company's users. Furthermore, the attacks used not one, but two Firefox zero-days, according to Philip Martin, a member of the Coinbase security team, which reported the attacks to Mozilla. One was an RCE reported by a Google Project Zero security researcher to Mozilla in April, and the second was a sandbox escape that was spotted in the wild by the Coinbase team together with the RCE, on Monday.

The question here is how an attacker managed to get hold of the details for the RCE vulnerability and use it for his attacks after the vulnerability was privately reported to Mozilla by Google. The attacker could have found the Firefox RCE on his own, he could have bribed a Mozilla/Google insider, hacked a Mozilla/Google employee and viewed details about the RCE, or hacked Mozilla's bug tracker, like another attacker did in 2015.

Security

Linux PCs, Servers, Gadgets Can Be Crashed by 'Ping of Death' Network Packets (theregister.co.uk)

Artem S. Tashkinov writes: The Register reports that it is possible to crash network-facing Linux servers, PCs, smartphones and tablets, and gadgets, or slow down their network connections, by sending them a series of maliciously crafted packets. It is also possible to hamper FreeBSD machines with the same attack. Patches and mitigations are available, and can be applied by hand if needed, or you can wait for a security fix to be pushed or offered to your at-risk device. A key workaround is to set /proc/sys/net/ipv4/tcp_sack to 0. At the heart of the drama is a programming flaw dubbed SACK Panic aka CVE-2019-11477: this bug can be exploited to remotely crash systems powered by Linux kernel version 2.6.29 or higher, which was released 10 years ago.
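The summary gives two facts a defender needs for triage: the affected range starts at kernel 2.6.29, and the workaround is `/proc/sys/net/ipv4/tcp_sack` set to 0. The script below, an added example that is not from The Register or the Linux kernel project, turns that into a host check. It compares a kernel version string against the affected minimum and reads the sysctl value; both are parameters, so it can be run against the live system or against constructed input.

```bash
#!/bin/sh
# Added example (not from the article): audit a Linux host for the SACK Panic
# (CVE-2019-11477) workaround described in the summary, tcp_sack = 0.
# The kernel string and sysctl path are parameters so the checks can be
# exercised against constructed input as well as the running system.

# kernel_at_least MIN VERSION -> exit 0 if VERSION >= MIN (dotted numeric)
kernel_at_least() {
    min=$1
    # Drop the distro suffix, e.g. "5.0.9-301.fc30.x86_64" -> "5.0.9"
    ver=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$min" | tr '.' ' ')
    m1=${1:-0}; m2=${2:-0}; m3=${3:-0}
    set -- $(printf '%s' "$ver" | tr '.' ' ')
    v1=${1:-0}; v2=${2:-0}; v3=${3:-0}
    [ "$v1" -gt "$m1" ] && return 0
    [ "$v1" -lt "$m1" ] && return 1
    [ "$v2" -gt "$m2" ] && return 0
    [ "$v2" -lt "$m2" ] && return 1
    [ "$v3" -ge "$m3" ]
}

# sack_enabled FILE -> exit 0 if the sysctl file holds a non-zero value
sack_enabled() {
    [ -r "$1" ] || return 1
    val=$(tr -d '[:space:]' < "$1")
    [ -n "$val" ] && [ "$val" != "0" ]
}

# sack_report KERNEL_VERSION SYSCTL_FILE -> prints one verdict:
#   not-in-scope  kernel older than 2.6.29, outside the affected range
#   exposed       affected kernel with SACK still on: patch, or set tcp_sack=0
#   mitigated     SACK disabled by the workaround
sack_report() {
    if ! kernel_at_least 2.6.29 "$1"; then
        echo "not-in-scope"
    elif sack_enabled "$2"; then
        echo "exposed"
    else
        echo "mitigated"
    fi
}

# Live use:  sack_report "$(uname -r)" /proc/sys/net/ipv4/tcp_sack
# Applying the workaround from the summary (as root; lost on reboot unless
# persisted in sysctl.conf):  sysctl -w net.ipv4.tcp_sack=0
```

Disabling SACK is a stop-gap that costs throughput on lossy links, so the `exposed` verdict should drive patching first and the sysctl change only where a kernel update cannot be applied promptly.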
Bug

Vim and Neovim Editors Vulnerable To High-Severity Bug (threatpost.com)

JustAnotherOldGuy quotes Threatpost: A high-severity bug impacting two popular command-line text editing applications, Vim and Neovim, allows remote attackers to execute arbitrary OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a target into clicking on a specially crafted text file in either editor. Razmjou outlined his research and created a proof-of-concept (PoC) attack demonstrating how an adversary can compromise a Linux system via Vim or Neovim. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution...

Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, "allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline."

"Beyond patching, it's recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines," the researcher said.
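The first of the researcher's mitigations, `set nomodeline`, is a one-line vimrc change, but on a fleet it is worth checking rather than assuming. The functions below are an added example, not code from Threatpost, the researcher, or the Vim project: one reports whether a vimrc already disables modeline processing (accepting `set nomodeline` or `set modelines=0`, and skipping Vim comment lines), the other appends the setting when it is absent.

```bash
#!/bin/sh
# Added example (not from the article or from Vim): check for and apply the
# "set nomodeline" mitigation recommended for CVE-2019-12735.

# modelines_disabled VIMRC -> exit 0 if the file disables modeline processing.
# Accepts "set nomodeline" and "set modelines=0" (zero lines checked means no
# modeline is read). Lines whose first non-blank character is '"' are Vim
# comments and are ignored, so a commented-out setting does not count.
modelines_disabled() {
    [ -r "$1" ] || return 1
    grep -v '^[[:space:]]*"' "$1" |
        grep -Eq '^[[:space:]]*(set|se)[[:space:]]+(nomodeline|modelines=0)([[:space:]]|$)'
}

# harden_vimrc VIMRC -> append the mitigation unless it is already present;
# creates the file if it does not exist. Prints "added" or "already-disabled".
harden_vimrc() {
    if modelines_disabled "$1"; then
        echo "already-disabled"
    else
        printf '\n" CVE-2019-12735 mitigation: ignore option lines embedded in edited files\nset nomodeline\n' >> "$1"
        echo "added"
    fi
}

# Example: harden_vimrc "$HOME/.vimrc"
```

Note that a later `set modeline` in the same file, or in a plugin, would re-enable the feature; the check above is a first-pass audit, and the effective value on a given installation is what `:set modeline?` reports inside Vim.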

IT

Microsoft Edge Might Come To Linux (zdnet.com)

The Microsoft Edge developer team held an AMA (Ask Me Anything) session on Reddit this week where they revealed some of their plans on current and upcoming features. From a report: The biggest tease the company dropped was its apparent willingness to release an Edge version for Linux -- a move that was once considered inconceivable. "We don't have any technical blockers to keep us from creating Linux binaries, and it's definitely something we'd like to do down the road. That being said, there is still work to make them 'customer ready' (installer, updaters, user sync, bug fixes, etc.) and something we are proud to give to you, so we aren't quite ready to commit to the work just yet. Right now, we are super focused on bringing stable versions of Edge first to other versions of Windows (as well as macOS), and then releasing our Beta channels," Edge devs said.
Security

Yubico To Replace Vulnerable YubiKey FIPS Security Keys (zdnet.com)

Yubico said today it plans to replace certain hardware security keys because of a firmware flaw that reduces the randomness of cryptographic keys generated by its devices. From a report: Affected products include models in the YubiKey FIPS Series, a line of YubiKey authentication keys certified for use on US government networks (and others) according to the US government's Federal Information Processing Standards (FIPS). According to a Yubico security advisory published today, YubiKey FIPS Series devices that run firmware versions 4.4.2 and 4.4.4 contain a bug that keeps "some predictable content" inside the device's data buffer after the power-up operation.

This "predictable content" influences the randomness of cryptographic keys generated on the device for a short period after boot-up, until the "predictable content" is all used up and true random data is present in the buffer. This means that, for a short period after booting up, YubiKey FIPS Series devices with the affected 4.4.2 and 4.4.4 firmware versions will generate keys that can be recovered either partially or in full, depending on the cryptographic algorithm the key is used with for a particular authentication operation.

Google

Google's Go Lead: the Language Belongs To the Community (google.com)

Russ Cox (along with Rob Pike) is the tech lead for Google's Go team and its Go project. This week he responded on the Google group golang-nuts to a blogger who'd argued that "Go is Google's language, not ours."

First Cox points to a talk at Gophercon 2015 -- and its accompanying blog post -- which argued that Go's open source status is critical to its long-term success. He noted this week that "good ideas come from outside Google as often as they come from inside Google.... But getting to yes on every suggested new feature is not and never has been a goal." No one can speak for the entire Go community: it is large, it contains multitudes. As best we can, we try to hear all the many different perspectives of the Go community. We encourage bug reports and experience reports, and we run the annual Go user survey, and we hang out here on golang-nuts and on gophers slack precisely because all those mechanisms help us hear you better. We try to listen not just to the feature requests but the underlying problems people are having, and we try, as I said in the Gophercon talk, to find the small number of changes that solve 90% of the problems instead of the much more complex solution that gets to 99%. We try to add as little as possible to solve as much as possible.

In short, we aim to listen to everyone's problems and address as many of them as possible, but at the same time we don't aim to accept everyone's offered solutions. Instead we aim to create space for thoughtful discussions about the offered solutions and revisions to them, and to work toward a consensus about how to move forward...

The "proposal review" group meets roughly weekly to review proposal issues and make sure the process is working. We handle trivial yes and trivial no answers, but our primary job is to shepherd suggested proposals, bring in the necessary voices, and make sure discussions are proceeding constructively. We have talked in the past about whether to explicitly look for people outside Google to sit in our weekly meeting, but if that's really important, then we are not doing our job right. Again, our primary job is to make sure the issues get appropriate discussion on the issue tracker, where everyone can participate, and to lead that discussion toward a solution with broad agreement and acceptance. If you skim through any of the accepted proposals you will see how we spend most of our meetings nudging conversations along and trying to make sure we hear from everyone who has a stake in a particular decision.

It remains an explicit goal to enable anyone with a good piece of code or a good idea to be able to contribute it to the project, and we've continued to revise both the code contribution and proposal contribution docs as we find gaps. But as I said in 2015, the most important thing we the original authors of Go can do is to provide consistency of vision, to keep Go feeling like a coherent system, to keep Go Go. People may disagree with individual decisions. We may get some flat wrong. But we hope that the overall result still works well for everyone, and the decision process we have seems far more likely to preserve a coherent, understandable system than a standards committee or other process.

His conclusion? The Go language belongs to the Go community -- and, because it's open source, "the freedom to fork hopefully keeps me and the other current Go leadership honest."
Security

Docker Bug Allows Root Access To Host File System (duo.com)

Trailrunner7 shares a report: All of the current versions of Docker have a vulnerability that can allow an attacker to get read-write access to any path on the host server. The weakness is the result of a race condition in the Docker software and while there's a fix in the works, it has not yet been integrated. The bug is the result of the way that the Docker software handles some symbolic links, which are files that have paths to other directories or files. Researcher Aleksa Sarai discovered that in some situations, an attacker can insert his own symlink into a path during a short time window between the time that the path has been resolved and the time it is operated on. This is a variant of the time of check to time of use (TOCTOU) problem, specifically with the "docker cp" command, which copies files to and from containers.

"The basic premise of this attack is that FollowSymlinkInScope suffers from a fairly fundamental TOCTOU attack. The purpose of FollowSymlinkInScope is to take a given path and safely resolve it as though the process was inside the container. After the full path has been resolved, the resolved path is passed around a bit and then operated on a bit later (in the case of 'docker cp' it is opened when creating the archive that is streamed to the client)," Sarai said in his advisory on the problem. "If an attacker can add a symlink component to the path after the resolution but before it is operated on, then you could end up resolving the symlink path component on the host as root. In the case of 'docker cp' this gives you read and write access to any path on the host."

Medicine

Scientists Create World's First Living Organism With Fully Redesigned DNA

An anonymous reader quotes a report from The Guardian: Scientists have created the world's first living organism that has a fully synthetic and radically altered DNA code. In a two-year effort, researchers at the Laboratory of Molecular Biology at Cambridge University read and redesigned the DNA of the bacterium Escherichia coli (E coli), before creating cells with a synthetic version of the altered genome. The artificial genome holds 4m base pairs, the units of the genetic code spelled out by the letters G, A, T and C. Printed in full on A4 sheets, it runs to 970 pages, making the genome the largest by far that scientists have ever built. The DNA coiled up inside a cell holds the instructions it needs to function. When the cell needs more protein to grow, for example, it reads the DNA that encodes the right protein. The DNA letters are read in trios called codons, such as TCG and TCA.

The Cambridge team set out to redesign the E coli genome by removing some of its superfluous codons. Working on a computer, the scientists went through the bug's DNA. Whenever they came across TCG, a codon that makes an amino acid called serine, they rewrote it as AGC, which does the same job. They replaced two more codons in a similar way. More than 18,000 edits later, the scientists had removed every occurrence of the three codons from the bug's genome. The redesigned genetic code was then chemically synthesized and, piece by piece, added to E coli where it replaced the organism's natural genome. The result, reported in Nature, is a microbe with a completely synthetic and radically altered DNA code. Known as Syn61, the bug is a little longer than normal, and grows more slowly, but survives nonetheless.
Bug

Division 2 Multiplayer and Single-Player Campaign Broken By Latest Update

Longtime Slashdot reader Andy Smith writes: Gamers enjoying the single-player campaign in The Division 2 have been bitten by a bug in the latest update that spawned a range of server connection issues. While you might expect this to affect only multiplayer games, The Division 2 controversially requires a continuous server connection for the single-player campaign to work. Since Tuesday, campaign players have reported being kicked out of the game and losing their items, skills, and mission progress. Not surprisingly, developer Massive has been inundated with complaints. The company said: "We are aware of the connectivity issues some players are experiencing. We are investigating and working on a solution."
Security

Google Recalls Its Bluetooth Titan Security Keys Because of a Security Bug (techcrunch.com)

Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. From a report: The company says that the bug is due to a "misconfiguration in the Titan Security Keys' Bluetooth pairing protocols" and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users. The bug affects all Titan Bluetooth keys that have a "T1" or "T2" on the back; the keys sell for $50 in a package that also includes a standard USB/NFC key.
Security

'Hard-To-Fix' Cisco Flaw Puts Work Email At Risk (bbc.com)

An anonymous reader quotes a report from the BBC: Security researchers have discovered serious vulnerabilities affecting dozens of Cisco devices. The flaws allow hackers to deceive the part of the product hardware that checks whether software updates come from legitimate sources. Experts believe this could put emails sent within an organization at risk as they may use compromised routers. Messages sent externally constitute less of a risk, however, as they tend to be encrypted. The California-based firm said it is working on "software fixes" for all affected hardware.

"We've shown that we can quietly and persistently disable the Trust Anchor," Red Balloon chief executive Ang Cui told Wired magazine. "That means we can make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy. Which is scary and bad, because this is in every important Cisco product. Everything." Security experts believe that the vulnerability could cause a major headache for Cisco, which has listed dozens of its products as vulnerable on its website. "We don't know how many devices could have been affected and it's unlikely Cisco can tell either," said Prof Alan Woodward, a computer security expert based at Surrey University. "It could cost Cisco a lot of money."

Security firm Red Balloon has set up a website with more details on the vulnerabilities, which they are calling "Thrangrycat."
Privacy

Twitter Bug Shared Location Data For Some iOS Users (zdnet.com)

Twitter today disclosed a bug in its platform that impacted the privacy of some of its iOS app's users. From a report: "We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances," Twitter said. The company said the bug only occurred on its iOS app where users added a second Twitter account on their phones. If they allowed Twitter access to precise location data in one account, then that setting was applied to both accounts managed via the iOS app. This meant the app sent precise location data to Twitter, which then made it available to "a trusted partner during an advertising process known as real-time bidding," even for accounts whose users didn't agree to share such info.
Android

Google Play Will Weight App Ratings To Favor Those From More Recent Releases (techcrunch.com)

Google announced today it's making a change to how its Play Store app ratings work. "[I]nstead of giving developers the choice of when ratings will reset, it will begin to weight app ratings to favor those from more recent releases," reports TechCrunch. Milena Nikolic, an engineering director leading Google Play Console, said that soon the average rating calculation for apps will be updated for all Android apps on Google Play.

"With this update, users will be able to better see, at a glance, the current state of the app -- meaning, any fixes and changes that made it a better experience over the years will now be taken into account when determining the rating," reports TechCrunch. "On the flip side, however, this change also means that once high-quality apps that have since failed to release new updates and bug fixes will now have a rating that reflects their current state of decline." In response to the announcement, Slashdot reader shanen writes: Basically I regard this as a good news story, though in relative terms. Of course the old data should get discounted if newer data is available. Too bad today's Google is certain to mangle the implementation, probably claiming they need more layers of secrecy to prevent more clever gaming of the new ratings system. However, the change I REALLY want to see would be more exposure of the developers' financial models for the apps. Following the money really works.
Government

Top Cybersecurity Experts Unite to Counter Right-to-Repair FUD (securepairs.org)

Long-time Slashdot reader chicksdaddy writes: Some of the world's leading cybersecurity experts have come together to counter electronics and technology industry efforts to paint proposed right to repair laws in 20 states as a cyber security risk. The experts have launched securepairs.org, a group that is galvanizing information security industry support for right to repair laws that are being debated in state capitols.

Among the experts who are stepping forward is a who's who of the information security space, including cryptography experts Bruce Schneier of IBM and Harvard University and Jon Callas of ACLU, secure coding gurus Gary McGraw of Cigital and Chris Wysopal of Veracode, bug bounty pioneer Katie Moussouris of Luta Security, hardware hackers Joe Grand (aka KingPin) and Billy Rios of Whitescope, nmap creator Gordon "Fyodor" Lyon, Johannes Ullrich of SANS Internet Storm Center and Dan Geer, the CISO of In-Q-Tel. Together, they are calling out electronics and technology industry efforts to keep replacement parts, documentation and diagnostic tools for digital devices secret in the name of cyber security.

"False and misleading information about the cyber risks of repair is being directed at state legislators who are considering right to repair laws," said Paul Roberts, the founder of securepairs.org and Editor in Chief at The Security Ledger, an independent cyber security blog. "Securepairs.org is a voice of reason that will provide policy makers with accurate information about the security problems plaguing connected devices. We will make the case that right to repair laws will bring about a more secure, not less secure future."

"As cyber security professionals, we have a responsibility to provide accurate information and reliable advice to lawmakers who are considering Right to Repair laws," said Joe Grand of Grand Idea Studio, a hardware hacker and embedded systems security expert.

The group will counter stealthy but well-funded industry efforts to kill off right to repair legislation where it comes up. That has included the creation of front groups like the Security Innovation Center, which has enlisted technology industry executives and academics to write opinion pieces casting right to repair laws as a giveaway to cybercriminals.

Securepairs organizers say they hope to mobilize information security professionals to help secure the right to repair in their home states: writing letters and emails and providing expert testimony about the real sources of cyber risks in connected devices.

Firefox

A Glitch Is Breaking All Firefox Extensions (techcrunch.com)

Did you just open Firefox only to find all of your extensions disabled and/or otherwise not working? You're not alone, and it's nothing you did. From a report: Reports are pouring in of a glitch that has spontaneously disabled effectively all Firefox extensions. Each extension is now being listed as a "legacy" extension, alongside a warning that it "could not be verified for use in Firefox and has been disabled." A ticket submitted to Mozilla's Bugzilla bug tracker first hit at around 5:40 PM Pacific, and suggests the sudden failure is due to a code signing certificate built into the browser that expired just after 5 PM (or midnight on May 4th in UTC time). Because the glitch stems from an underlying certificate, re-installing extensions won't work -- if you try, you'll likely just be met with a different error message. Getting extensions back for everyone is going to require Mozilla to issue a patch.

UPDATE (5/5/2019): On Sunday Firefox released the second of two weekend updates to address the problem, tweeting that "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday."
GNOME

Fedora 30 Linux Distro Is Here (betanews.com)

Fedora 30, the newest release of the venerable Linux distribution that serves (in part) as the staging environment for Red Hat Enterprise Linux, was released Tuesday, bringing with it a number of improvements and performance optimizations. From a report: The most exciting aspect, for workstation/desktop users at least, is the update to GNOME 3.32. Of course, that is hardly the only notable update -- the DNF package manager is getting a performance boost, for instance. In other words, this is a significant operating system upgrade that should delight both existing Fedora users and beginners alike. "Fedora 30 brings enhancements to all editions with updates to the common underlying packages, from bug fixes and performance tweaks to new versions. In Fedora 30, base updates include Bash shell 5.0, Fish 3.0, the GNU Compiler Collection (GCC) 9 and Ruby 2.6. Fedora 30 also now uses the zchunk format for data compression within the DNF repository. When metadata is compressed using zchunk DNF will only download the differences between earlier copies of metadata and the current versions, saving on resources and increasing efficiency," says The Fedora Project.
Android

Security Flaw Lets Attackers Recover Private Keys From Qualcomm Chips (zdnet.com)

Devices using Qualcomm chipsets, and especially smartphones and tablets, are vulnerable to a new security bug that can let attackers retrieve private data and encryption keys that are stored in a secure area of the chipset known as the Qualcomm Secure Execution Environment (QSEE). From a report: Qualcomm deployed patches for this bug (CVE-2018-11976) earlier this month; however, given the sad state of Android OS updates, this will most likely leave many smartphones and tablets vulnerable for years to come. The vulnerability affects how the Qualcomm chips (used in hundreds of millions of Android devices) handle data processed inside the QSEE.