Bug

Insect Collapse: 'We Are Destroying Our Life Support Systems' (theguardian.com) 401

An anonymous reader quotes a report from The Guardian: Scientist Brad Lister returned to a Puerto Rican rainforest after 35 years to find 98% of ground insects had vanished. His return to the Luquillo rainforest in Puerto Rico after 35 years was to reveal an appalling discovery. The insect population that once provided plentiful food for birds throughout the mountainous national park had collapsed. On the ground, 98% had gone. Up in the leafy canopy, 80% had vanished. The most likely culprit by far is global warming. "It was just astonishing," Lister said. "Before, both the sticky ground plates and canopy plates would be covered with insects. You'd be there for hours picking them off the plates at night. But now the plates would come down after 12 hours in the tropical forest with a couple of lonely insects trapped or none at all."

"We are essentially destroying the very life support systems that allow us to sustain our existence on the planet, along with all the other life on the planet," Lister said. "It is just horrifying to watch us decimate the natural world like this." Lister calls these impacts a "bottom-up trophic cascade", in which the knock-on effects of the insect collapse surge up through the food chain. "I don't think most people have a systems view of the natural world," he said. "But it's all connected and when the invertebrates are declining the entire food web is going to suffer and degrade. It is a system-wide effect." To understand the global scale of an insect collapse that has so far only been glimpsed, Lister says, there is an urgent need for much more research in many more habitats. "More data, that is my mantra," he said.

Security

Pwn2Own Contest Will Pay $900,000 For Hacks That Exploit Tesla's Model 3 (techcrunch.com) 47

The Model 3 will be entered into Pwn2Own this year, the first time a car has been included in the annual high-profile hacking contest. The prize for the winning security researchers: a Model 3. TechCrunch reports: Pwn2Own, which is in its 12th year and run by Trend Micro's Zero Day Initiative, is known as one of the industry's toughest hacking contests. ZDI has awarded more than $4 million over the lifetime of the program. Pwn2Own's spring vulnerability research competition, Pwn2Own Vancouver, will be held March 20 to 22 and will feature five categories, including web browsers, virtualization software, enterprise applications, server-side software and the new automotive category. The targets, chosen by ZDI, include software products from Apple, Google, Microsoft, Mozilla, Oracle and VMware. And, of course, Tesla. Pwn2Own is run in conjunction with the CanSec West conference. There will be "more than $900,000 worth of prizes available for attacks that subvert a variety of [the Model 3's] onboard systems," reports Ars Technica. "The biggest prize will be $250,000 for hacks that execute code on the car's gateway, autopilot, or VCSEC."

"A gateway is the central hub that interconnects the car's powertrain, chassis, and other components and processes the data they send. The autopilot is a driver assistant feature that helps control lane changing, parking, and other driving functions. Short for Vehicle Controller Secondary, VCSEC is responsible for security functions, including the alarm."
Firefox

Firefox 69 Will Disable Adobe Flash Plugin by Default (zdnet.com) 112

Mozilla will take the next major step in disabling support for the Adobe Flash plugin later this year when it releases Firefox 69. From a report: Firefox 69 will be Mozilla's third-to-last step toward completely dropping support for the historically buggy plugin, which will reach end of life on December 31, 2020. Flash is the last remaining NPAPI plugin that Firefox supports. Mozilla flagged the change, spotted by Ghacks, in a new bug report that notes "we'll disable Flash by default in Nightly 69 and let that roll out". Firefox 69 stable will be released in early September, according to Mozilla's release calendar.
Security

Hack Allows Escape of Play-With-Docker Containers (threatpost.com) 45

secwatcher quotes a report from Threatpost: Researchers hacked the Docker test platform called Play-with-Docker, allowing them to access data and manipulate any test Docker containers running on the host system. The proof-of-concept hack does not impact production Docker instances, according to CyberArk researchers that developed the proof-of-concept attack. "The team was able to escape the container and run code remotely right on the host, which has obvious security implications," wrote researchers in a technical write-up posted Monday.

Play-with-Docker is a free, open-source, in-browser online playground designed to help developers learn how to use containers. While Play-with-Docker has the support of Docker, it was not created by nor is it maintained by the firm. The environment approximates having the Alpine Linux Virtual Machine in browser, allowing users to build and run Docker containers in various configurations.
The vulnerability was reported to the developers of the platform on November 6. On January 7, the bug was patched. As for how many instances of Play-with-Docker may have been affected, "CyberArk estimated there were as many as 200 instances of containers running on the platform it analyzed," reports Threatpost. "It also estimates the domain receives 100,000 monthly site visitors."
Security

Web Hosting Sites Bluehost, DreamHost, Hostgator, OVH and iPage Were Vulnerable To Simple Account Takeover Hacks (techcrunch.com) 18

A security researcher has found, reported and now disclosed a dozen bugs that made it easy to steal sensitive information or take over any customer's account from some of the largest web hosting companies on the internet. From a news report: In some cases, clicking on a simple link would have been enough for Paulos Yibelo, a well-known and respected bug hunter, to take over the accounts of anyone using five large hosting providers -- Bluehost, DreamHost, Hostgator, OVH and iPage. "All five had at least one serious vulnerability allowing a user account hijack," he told TechCrunch, with which he shared his findings before going public. The results of his vulnerability testing likely wouldn't fill customers with much confidence. The bugs, now fixed -- according to Yibelo's writeup -- represent cases of aging infrastructure, complicated and sprawling web-based back-end systems and companies each with a massive user base -- with the potential to go easily wrong. In all, the bugs could have been used to target any number of the collective two million domains under Endurance-owned Bluehost, Hostgator and iPage, DreamHost's one million domains and OVH's four million domains -- totaling some seven million domains.
Security

200 Million Chinese Resumes Leak In Huge Database Breach (thenextweb.com) 70

According to a report from HackenProof, a database containing resumes of over 200 million job seekers in China was exposed last month. "The leaked info included not just the name and working experience of people, but also their mobile phone number, email, marriage status, children, politics, height, weight, driver license, and literacy level as well," reports The Next Web. From the report: Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, found an unprotected instance of MongoDB containing these resumes on December 28. Diachenko found the resumes in the open database search engines Shodan and BinaryEdge. The 854GB database didn't have any password protection and was open to anyone to read.

Diachenko wasn't able to identify who generated the database or who owned it, but a now-defunct GitHub code repository featured code that used an identical data structure to the leaked database. The database contained scraped data from multiple Chinese classified websites like bj.58.com. However, in a blog post, the website's spokesperson denied the leak. Interestingly, the database was taken down as soon as Diachenko posted about the database on Twitter. Sadly, the MongoDB log showed at least a dozen IP addresses that read the instance before it went off the grid.

Microsoft

Windows 10 Will Reserve 7GB of Your Computer's Storage in its Next Major Release So That Big Updates Don't Fail (zdnet.com) 368

In the next major release of Windows 10, Microsoft will reserve 7GB of your device's storage to resolve a Windows 10 bug thrown up by Windows Update not checking whether a PC has enough storage space before launching after big updates. From a report: As Microsoft warned ahead of the Windows 10 October 2018 Update, systems that don't have enough space to install Microsoft's 'quality updates' or new versions of the OS will see an error message explaining there is insufficient storage space. That happens because Windows doesn't check if a device has enough space before initializing. Microsoft's current solution is for users to manually delete unnecessary temporary files and temporarily move important files like photos and videos to external storage devices to make enough space for the update. This problem is more acute for devices with little storage capacity, such as many of the cheap 32GB flash-drive PCs on the market today.
Bug

Monarch Butterfly Numbers Plummet 86 Percent In California (usatoday.com) 148

An anonymous reader quotes a report from USA Today: The number of monarch butterflies turning up at California's overwintering sites has dropped by about 86 percent compared to only a year ago, according to the Xerces Society, which organizes a yearly count of the iconic creatures. That's bad news for a species whose numbers have already declined an estimated 97 percent since the 1980s. Each year, monarchs in the western United States migrate from inland areas to California's coastline to spend the winter, usually between September and February. Results from the count so far show that the number of monarchs at 97 California overwintering sites has dropped from around 148,000 in 2017 to just over 20,400 this year. Counts for dozens of other sites are still being tabulated, but the outlook is troubling.

What's causing the dramatic drop-off is somewhat of a mystery. Experts believe the decline is spurred by a confluence of unfortunate factors, including late rainy-season storms across California last March, the effects of the state's yearslong drought and the seemingly relentless onslaught of wildfires that have burned acres upon acres of habitat and at times choked the air with toxic smoke. The Thomas Fire last year burned almost 300,000 acres, including areas important for monarch breeding and migration. More recently, the Woolsey Fire damaged at least four monarch butterfly overwintering sites in the Malibu area, according to Lara Drizd, a wildlife biologist with the U.S. Fish and Wildlife Service in Ventura.

Bug

Google is Working on a Fix For Laggy Tablet Mode on Chrome OS Devices (9to5google.com) 41

An anonymous reader shares a report: Chrome OS was originally a laptop platform, but slowly it's being reworked for tablet form factors. However, as that goes on, there have been some hiccups. Most recently, many have noted the poor performance of tablet mode especially on Chrome OS products like the Pixel Slate, but it seems a fix for that lag is incoming. If you tuned into any hands-on or review coverage of Google's Pixel Slate, you're likely familiar with the performance issues many have described. In tablet mode, Chrome OS has a lot of issues with lag. This is especially evident in the multitasking screen, and it seems that is the first thing Google is looking at to fix these problems. ChromeUnboxed notes a recent bug tracker which reveals how Google plans to start fixing Chrome OS tablet mode lag in the multitasking screen. Somewhat hilariously, it seems a big reason for the poor frame rates in the animations on this screen actually comes down to how the OS renders the rounded corners on this screen.
Bug

EU Offers Big Bug Bounties On 14 Open Source Software Projects (juliareda.eu) 78

Julia Reda is a member of Germany's Pirate Party, a member of the European Parliament, and the Vice-President of The Greens-European Free Alliance.

Thursday her official web site announced: In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL.... The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure.... That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA... In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software...

In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on.

The bounties start at 25.000,00 € -- about $29,000 USD -- rising as high as 90.000,00 € ($103,000). "The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software," Reda writes.

Click through for a list of the software projects for which bug bounties will be offered.
Software

Here's What 2019 Holds For Paint.NET (betanews.com) 142

The developer of the popular image editing tool Paint.NET, Rick Brewster, has shared his vision of what the coming year holds for his software. The 2019 roadmap for Paint.NET is an exciting one, promising migration to .NET Core, support for brushes and pressure sensitivity, and an expanded plugin system. BetaNews: Changes are on the cards for app icons and improved high-DPI support -- something that may be seen as mere aesthetic by some, but important changes by others. Switching to .NET Core could have big implications for the software, as Brewster explains: "It's clear that, in the long-term, Paint.NET needs to migrate over to .NET Core. That's where all of the improvements and bug fixes are being made, and it's obvious that the .NET Framework is now in maintenance mode. On the engineering side this is mostly a packaging and deployment puzzle of balancing download size amongst several other variables. My initial estimations show that the download size for Paint.NET could balloon from ~7.5MB (today) to north of 40MB if .NET Core is packaged 'locally'. That's a big sticker shock... but it may just be necessary."

And, for those who're interested: the move to .NET Core will finally enable a truly portable version of Paint.NET since. Proposals for better DDS support and brushes and pressure sensitivity will be welcomed by digital artists, and there can be few users who are not excited at the prospect of an expanded plugin system.

Wireless Networking

Logitech Disables Local Access On Harmony Hubs, Breaks Automation Systems (arstechnica.com) 151

DarkRookie2 shares a report from Ars Technica: Many users of Logitech's Harmony Hub smart home hub and remote were recently met with a nasty surprise. The device's latest firmware update, version 4.15.206, reportedly cuts off local access for Harmony Hubs. As a result, many users who created home automation and smart home systems using third-party APIs haven't been able to control many, and in some cases, all of their connected IoT devices. Logitech began pushing out firmware update 4.15.206 last week, its release notes stating that it addresses security and bug fixes. Users immediately flocked to Logitech's community forums to complain once they realized the systems they built up to control their smart home devices essentially became unresponsive. Users with Homeseer and Home Assistant APIs have reported parts of their systems broken, preventing them from controlling things like smart TVs, sound systems, and more using the Harmony Hub and its remote. In a statement to Ars, a Logitech representative confirmed that local access was removed in the latest Harmony Hub firmware update for security reasons: "The XMPP interface was used as part of the setup process and was pointed out as an insecure communication. We removed that interface as part of an effort to improve the Hub security. That interface was never designed to be used by third parties. The reason for the firmware update was to make the Harmony Hub more secure, therefore we do not have an official downgrade option. We recommend that users do not try to prevent the automatic firmware update process. We update the firmware as security issues are discovered, so users preventing the automatic firmware update process would not benefit from these future fixes."
Google

Google Denies Altering YouTube Code To Break Microsoft Edge (theverge.com) 135

Earlier this week, a former Microsoft Edge intern alleged that Google deliberately introduced bogus changes to YouTube to break the functionality of the video portal when users on Edge and other browsers tried to access the website. Google today denied the allegation. From a report: Google disputes Bakita's claims, and says the YouTube blank div was merely a bug that was fixed after it was reported. "YouTube does not add code designed to defeat optimizations in other browsers, and works quickly to fix bugs when they're discovered," says a YouTube spokesperson in a statement to The Verge. "We regularly engage with other browser vendors through standards bodies, the Web Platform Tests project, the open-source Chromium project and more to improve browser interoperability." In a statement, Microsoft said, "Google has been a helpful partner and we look forward to the journey as we work on the future of Microsoft Edge."
Censorship

Tumblr Blocked Archivists Just Before Starting the NSFW Content Purge (techdirt.com) 204

An anonymous reader quotes a report from Techdirt: By now, of course, you're aware that the Verizon-owned Tumblr (which was bought by Yahoo, which was bought by Verizon and merged into "Oath" with AOL and other no longer relevant properties) has suddenly decided that nothing sexy is allowed on its servers. This took many by surprise because apparently a huge percentage of Tumblr was used by people to post somewhat racy content. Knowing that a bunch of content was about to disappear, the famed Archive Team sprung into action -- as they've done many times in the past. They set out to archive as much of the content on Tumblr that was set to be disappeared down the memory hole as possible... and it turns out that Verizon decided as a final "fuck you" to cut them off. Jason Scott, the mastermind behind the Archive Team announced over the weekend that Verizon appeared to be blocking their IPs. Thankfully, it didn't take long for the Archive Team to get past the blocks. Scott tweeted on Sunday: "why look at that the archiving of tumblr restarted how did that happen must be a bug surely a crack team of activist archivists didn't see an ip block as a small setback and then turned everything up to 11."
Twitter

Twitter Warns of Suspicious Traffic Coming From China and Russia (reuters.com) 72

Suspicious traffic to a Twitter user forum appears to be part of a government-backed activity coming from China and Russia, a Twitter spokesman told Reuters Monday. The company said it is yet to determine the reason for the activity, but is choosing to notify users out of an abundance of caution.

Additionally: Twitter bug leaks phone number country codes.
Iphone

Cydia's App Store For Jailbroken iPhones Shuts Down Purchases (iphonehacks.com) 40

Cydia, the App Store for jailbroken devices, is shutting down purchases as its creator moves to shut down the store entirely in the near future. "Cydia's creator Saurik made the announcement on Reddit after a bug was discovered in the platform that may have put user data at risk," iPhonehacks reports. "This bug prompted Saurik to clarify the issue and reveal that he has been planning on shutting down Cydia for quite a while now." From the report: The founder clarifies that the bug only puts a limited number of users at risk who are logged into Cydia and browse a repository with untrusted content -- a scenario which Saurik has strongly advised against right from day one. Plus, he also says that this is not a data leak and he has not lost access to PayPal authorization tokens. Coming to the harsh reality, Saurik says that he has been looking to shut down Cydia Store before the end of this year. The reports of a data leak have acted as a catalyst to bring the timetable further up. There are multiple reasons as to why he is looking to shut down the service including the fact that he has to pay for the hefty hosting bills from his own pocket.

Saurik has already gone ahead and shut down the ability to buy jailbreak tweaks in Cydia. This means that one can no longer use the Cydia Store to buy jailbreak tweaks on a jailbroken iPhone. On the bright side, Saurik does intend to allow users to download jailbreak tweaks that they have already paid for. Saurik will also make a more formal announcement about the shutting down of Cydia sometime soon. Do note that this change relates only to Cydia Store and not Cydia the installer which is used to install tweaks on a jailbroken device. The latter will continue to work as usual.

Java

OpenJDK Bug Report Complains Source Code 'Has Too Many Swear Words' (java.net) 281

Thursday a bug report complained that the source code for OpenJDK, the free and open-source implementation of Java, "has too many swear words." An anonymous reader writes: "There are many instances of swear words inside OpenJDK jdk/jdk source, scattered all over the place," reads the bug report. "As OpenJDK is used in a professional context, it seems inappropriate to leave these 12 instances in there, so here's a changeset to remove them."
IBM software developer (and OpenJDK team member and contributor) Adam Farley responded that "after discussion with the community, three determinations were reached":
  • "Damn" and "Crap" are not swear words.
  • Three of the four f-bombs are located in jszip.js, which should be corrected upstream (will follow up).
  • The f-bomb in BitArray.java, as well as the rude typo in SoftChannel.java, *are* swear words and should be removed to resolve this work item.

He promised a new webrev would be uploaded to reflect these determinations, and the bug has been marked as "resolved."
Windows

Regular Windows 10 Users Who Manually Look For Updates May End Up Downloading Beta Code, Microsoft Says (techspot.com) 115

In addition to relying on Windows Insiders, employees, and willing participants for testing updates, Microsoft is pushing patches before they are known to be stable to regular users too if they opt to click the "check for updates" button on their own, the company said. From a report: In a blog post by Michael Fortin, Corporate Vice President for Windows, it is made clear that home users are intentionally being given updates that are not necessarily ready for deployment. Many power users are familiar with Patch Tuesday. On the second Tuesday of each month, Microsoft pushes out a batch of updates at 10:00 a.m. Pacific time on this day containing security fixes, bug patches, and other non-security fixes. Updates pushed out as part of Patch Tuesday are known as the "B" release since it happens during the second week of the month.

The third and fourth weeks of the month are where things begin to get murky. Microsoft's "C" and "D" releases are considered previews for commercial customers and power users. No security fixes are a part of these updates, but for good reasoning. Microsoft has come out to directly say that some users are the guinea pigs for everyone else. In some fairness to Microsoft, C and D updates are typically only applied when a user manually checks for updates by clicking the button buried within Settings. However, if end users really wanted to be a part of testing the latest features, the Windows Insider Program is designed exactly for that purpose.
Further reading: Windows 10's 'Check for updates' button may download beta code.
Facebook

Facebook Says A Bug May Have Exposed The Unposted Photos Of Millions Of Users (buzzfeednews.com) 51

A day after hosting a pop-up store in New York City's Bryant Park to explain how privacy is the "foundation of the company," Facebook disclosed that a security flaw potentially exposed the public and private photos of as many as 6.8 million users to developers. From a report: On Friday, the Menlo Park, California-based company said in a blog post that it discovered a bug in late September that gave third-party developers the ability to access users' photos, including those that had been uploaded to Facebook's servers but not publicly shared on any of its services. The security flaw, which exposed photos for 12 days between Sept. 13 and Sept. 25, affected up to 1,500 apps from 876 developers, according to Facebook.

"We're sorry this happened," Facebook said in the post. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users." Facebook has not yet responded to questions about whether company representatives staffing its privacy pop-ups yesterday were aware of this security flaw as they were meeting with reporters and customers to discuss privacy.
Further reading: Facebook's lead EU regulator opens probe into data breach.
Privacy

WordPress Plugs Bug that Led to Google Indexing Some User Passwords (zdnet.com) 32

A week after releasing the v5.0 major update, WordPress has pushed the first security patch for its popular CMS service. ZDNet: Released hours ago, WordPress version 5.0.1 fixes seven security vulnerabilities (some of which allow site takeover) but also plugs a pretty serious privacy leak. The latter was found by the authors of the popular Yoast SEO plugin, who discovered that in some cases the activation screen for new users could end up being indexed by Google. With specially crafted Google searches, an attacker could find these pages and collect users' email addresses, and in some rare cases, default-generated passwords. This leak could have catastrophic consequences if the user has an admin role or if the user didn't change his default password, as is regularly advised.
