Red Hat Takes Over Maintenance of OpenJDK 8 and OpenJDK 11 From Oracle (infoworld.com)
Notre Dame Official Says 'Computer Glitch' Could Be Fire Culprit (cbsnews.com)
New York City Has a Y2K-Like Problem, and It Doesn't Want You To Know About It (nytimes.com)
City officials tried to play down the shutdown when first asked about it on Monday, speaking of it as if it were a routine maintenance issue. "The city is in the process of upgrading some components of our private wireless network," Stephanie Raphael, a spokeswoman for the Department of Information Technology and Telecommunications, said in an email on Monday. She referred to the glitch as a "brief software installation period." By Tuesday, the agency acknowledged the network shutdown, but said in an emailed statement that "no critical public safety systems are affected." Ms. Raphael admitted that technicians have been unable to get the network back up and running, adding, "We're working overtime to update the network and bring all of it back online." The problem has raised questions about whether the city had taken appropriate measures to prepare the network for the GPS rollover.
Scranos Rootkit Expands Operations From China To the Rest of the World (zdnet.com)
Google, Huawei Agree To Pay Owners of Faulty Nexus 6P Devices Up To $400 (theverge.com)
The proposal currently states that those who are eligible for the settlement could be paid up to $400 for their faulty device, while those who received a Pixel XL in a prior warranty exchange program would only be eligible for up to $10. Those who submit proper documentation for the bug will receive the most settlement money, while those without may be eligible for up to $75. For full details on submitting a claim, check out the as-filed longform notice document, which explains the process that will go into effect following court approval.
Why Aren't People Abandoning Windows For Linux? (slashgear.com)
- Updates on Linux are fast and "rarely call for a restart" -- and are also more complete. "Updates are typically downloaded through a 'Software Updater' application that not only checks for operating system patches, but also includes updates for the programs that you've installed from the repository."
- Windows "tries to serve a variety of markets...cramming in a scattered array of features" -- and along those lines, that Microsoft "has gradually implemented monetization schemes and methods for extracting user data." And yet you're still paying for that operating system, while Linux is less bloated and "free forever."
- "Because less people use Linux, the platform is less targeted by malware and tends to be more secure than Windows"
The article also touches on a few other points (including battery life), and predicts that problems with Windows are "bound to get worse over time and will only present more of a case for making the switch to Linux."
Long-time Slashdot reader shanen shared the article, along with some new thoughts on why people really stay with Windows:
I think the main "excuse" is the perception of reliability, which is really laughable if you've actually read the EULA. Microsoft certainly doesn't have to help anyone at all. I would argue that Windows support is neither a bug nor a feature, but just a marketing ploy.
Their original submission suggests that maybe Linux needs to buttress the perception of its reliability with a better financial model -- possibly through a new kind of crowdfunding which could also be extended to all open source software, or even to journalism.
Apache Web Server Bug Grants Root Access On Shared Hosting Environments (zdnet.com)
"First of all, it is a LOCAL vulnerability, which means you need to have some kind of access to the server," Charles Fol, the security researcher who discovered this vulnerability, told ZDNet in an interview yesterday. This means that attackers either have to register accounts with shared hosting providers or compromise existing accounts. Once this happens, the attacker only needs to upload a malicious CGI script through their rented/compromised server's control panel to take control of the hosting provider's server, plant malware, or steal data from other customers who have data stored on the same machine. "The web hoster has total access to the server through the 'root' account. If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster," Fol said. "This implies read/write/delete any file/database of the other clients."
Microsoft Bounty Program Offers Larger Rewards For Bug Hunters (betanews.com)
Google's Second Android Q Beta Brings Us 'Bubbles' Multitasking (arstechnica.com)
Microsoft's Collaboration On Google's Chromium Brings a New Feature To Chrome (mspoweruser.com)
Now MSPoweruser reports Microsoft has indeed started collaborating on Chromium -- making suggestions like caret browsing and a native high-contrast mode -- and at least one of Microsoft's suggestions is already coming to Chrome. It looks like there is one feature that Chromium approved which will be making its way to Chrome soon. According to a new bug filing on Chromium (via Techdows), Google is working on bringing text suggestions for hardware keyboards to Chrome soon. The feature will allow users to get suggestions as they type, which is currently available on Windows 10 and on Microsoft Edge.
Google has just started working on the feature and has set the priority to 2, which suggests that the feature should be available sooner rather than later.
Casino Accused of Withholding Bug Bounty, Then Assaulting 'Ethical Hacker' (arstechnica.com)
What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got in a confrontation with him and yanked off his conference lanyard; Gill insists he did no such thing, and he accused Wheeler of attempted extortion.
The debacle culminated in legal threats and a lot of mudslinging, with live play-by-play commentary as it played out on Twitter.
Ars Technica calls the story "practically a case study in the problems that can arise with vulnerability research and disclosure," adding "the vast majority of companies have no clear mechanism for outsiders to share information about security gaps."
A security research director at Rapid7 joked his first reaction was "man, I wish a vendor would punch me for disclosure. Boy, that beats any bug bounty." But they later warned, "It's on us as an industry not only to train corporate America on how to take disclosure, but also we need to do a little more training for people who find these bugs -- especially today, in an era where bug outings are kind of normal now -- to not expect someone to be necessarily grateful when one shows up."
Tesla Cars Keep More Data Than You Think (cnbc.com)
But the researchers' findings highlight how Tesla is full of contradictions on privacy and cybersecurity. On one hand, Tesla holds car-generated data closely, and has fought customers in court to refrain from giving up vehicle data. Owners must purchase $995 cables and download a software kit from Tesla to get limited information out of their cars via "event data recorders" there, should they need this for legal, insurance or other reasons. At the same time, crashed Teslas that are sent to salvage can yield unencrypted and personally revealing data to anyone who takes possession of the car's computer and knows how to extract it. The contrast raises questions about whether Tesla has clearly defined goals for data security, and who its existing rules are meant to protect. A Tesla spokesperson said in a statement to CNBC: "Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet. That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers."
The report serves as a reminder for Tesla owners to factory reset their cars before handing them off to a junk yard or other reseller because that other party may not reset your car for you. "Tesla sometimes uses an automotive auction company called Manheim to inspect, recondition and sell used cars," reports CNBC. "A former Manheim employee, who asked to remain anonymous, confirmed that employees do not wipe the cars' computers with a factory reset."
The researchers were able to obtain "phonebooks' worth of contact information from drivers or passengers who had paired their devices, and calendar entries with descriptions of planned appointments, and e-mail addresses of those invited." The data also showed the drivers' last 73 navigation locations, as well as crash-related information. The Model 3 that one of the researchers bought for research purposes contained a video showing the car speeding out of the right lane into the trees off the left side of a dark two-lane route. "GPS and other vehicle data reveals that the accident happened in Orleans, Massachusetts, on Namequoit Road, at 11:15 pm on Aug 11, and was severe enough that airbags deployed," the report adds.
Critical Magento SQL Injection Flaw Could Soon Be Targeted By Hackers (csoonline.com)
UPDATE: Onilab, an official Magento development partner, has a blog post explaining how you can update your store to the latest version of Magento.
macOS 10.14.4 Mail Client Has Broken Gmail Access For Some Users (apple.com)
As Windows 10 19H1 Update Approaches, Microsoft Says Version 1809 is Now Ready For 'Broad Deployment' (onmsft.com)
Senators Demand To Know Why Election Vendors Still Sell Voting Machines With 'Known Vulnerabilities' (techcrunch.com)
Their primary concern is that the three companies have more than 90 percent of the U.S. election equipment market share but their voting machines lack paper ballots or auditability, making it impossible to know if a vote was accurately counted in the event of a bug. Yet, these are the same devices tens of millions of voters will use in the upcoming 2020 presidential election. ES&S spokesperson Katina Granger said it will respond to the letter it received. The ranking Democrats say paper ballots are "basic necessities" for a reliable voting system, but the companies still produce machines that don't produce paper results.
Multiple US Airlines Hit By Flight Check-in and Booking Systems Outage (nbcbayarea.com)
Google Fixes Chrome 'Evil Cursor' Bug Abused by Tech Support Scam Sites (zdnet.com)
Which Programming Language Has The Most Security Vulnerabilities? (techrepublic.com)
An anonymous reader quotes TechRepublic: To answer this question, the report compiled information from WhiteSource's database, which aggregates information on open source vulnerabilities from sources including the National Vulnerability Database, security advisories, GitHub issue trackers, and popular open source projects' issue trackers. Researchers focused on open source security vulnerabilities in the seven most widely-used languages of the past 10 years to learn which are most secure, and which vulnerability types are most common in each...
The most common vulnerabilities across most of these languages are Cross-Site Scripting (XSS); Input Validation; Permissions, Privileges, and Access Control; and Information Leak / Disclosure, according to the report.
Across the seven most widely-used programming languages, here's how the vulnerabilities were distributed:
- C (47%)
- PHP (17%)
- Java (11%)
- JavaScript (10%)
- Python (5%)
- C++ (5%)
- Ruby (4%)
But the results are full of disclaimers -- for example, that C tops the list because it's the oldest language with "the highest volume of written code" and "is also one of the languages behind major infrastructure like OpenSSL and the Linux kernel."
The report also notes a "substantial rise" across all languages for known open source security vulnerabilities over the last two years, attributing this to more awareness about vulnerable components -- thanks to more research, automated security tools, and "the growing investment in bug bounty programs" -- as well as the increasing popularity of open source software. And it also reports a drop in the percentage of critical vulnerabilities for most languages -- except JavaScript and PHP.
The report then concludes that "the Winner Of Most Secure Programming Language is...no one and everyone...! It is not about the language itself that makes it any more or less secure, but how you use it. If you are mitigating your vulnerabilities throughout the software development lifecycle with the proper management approach, then you are far more likely to stay secure."
Coincidentally, WhiteSource sells software which monitors open source components throughout the software development lifecycle to provide alerts about security (and licensing) issues.