Google Play Will Weight App Ratings To Favor Those From More Recent Releases (techcrunch.com)
"With this update, users will be able to better see, at a glance, the current state of the app -- meaning, any fixes and changes that made it a better experience over the years will now be taken into account when determining the rating," reports TechCrunch. "On the flip side, however, this change also means that once high-quality apps that have since failed to release new updates and bug fixes will now have a rating that reflects their current state of decline." In response to the announcement, Slashdot reader shanen writes: Basically I regard this as a good news story, though in relative terms. Of course the old data should get discounted if newer data is available. Too bad today's Google is certain to mangle the implementation, probably claiming they need more layers of secrecy to prevent more clever gaming of the new ratings system. However, the change I REALLY want to see would be more exposure of the developers' financial models for the apps. Following the money really works.

Top Cybersecurity Experts Unite to Counter Right-to-Repair FUD (securepairs.org)
Among the experts who are stepping forward is a who's who of the information security space, including cryptography experts Bruce Schneier of IBM and Harvard University and Jon Callas of ACLU, secure coding gurus Gary McGraw of Cigital and Chris Wysopal of Veracode, bug bounty pioneer Katie Moussouris of Luta Security, hardware hackers Joe Grand (aka KingPin) and Billy Rios of Whitescope, nmap creator Gordon "Fyodor" Lyon, Johannes Ullrich of SANS Internet Storm Center and Dan Geer, the CISO of In-Q-Tel. Together, they are calling out electronics and technology industry efforts to keep replacement parts, documentation and diagnostic tools for digital devices secret in the name of cyber security.
"False and misleading information about the cyber risks of repair is being directed at state legislators who are considering right to repair laws," said Paul Roberts, the founder of securepairs.org and Editor in Chief at The Security Ledger, an independent cyber security blog. "Securepairs.org is a voice of reason that will provide policy makers with accurate information about the security problems plaguing connected devices. We will make the case that right to repair laws will bring about a more secure, not less secure future."
"As cyber security professionals, we have a responsibility to provide accurate information and reliable advice to lawmakers who are considering Right to Repair laws," said Joe Grand of Grand Idea Studio, a hardware hacker and embedded systems security expert.
The group will counter a stealthy but well-funded industry effort to kill off right to repair legislation wherever it comes up. That effort has included the creation of front groups like the Security Innovation Center, which has enlisted technology industry executives and academics to write opinion pieces casting right to repair laws as a giveaway to cybercriminals.
Securepairs organizers say they hope to mobilize information security professionals to help secure the right to repair in their home states: writing letters and emails and providing expert testimony about the real sources of cyber risks in connected devices.

A Glitch Is Breaking All Firefox Extensions (techcrunch.com)
UPDATE (5/5/2019): On Sunday Firefox released the second of two weekend updates to address the problem, tweeting that "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday."

Fedora 30 Linux Distro Is Here (betanews.com)

Security Flaw Lets Attackers Recover Private Keys From Qualcomm Chips (zdnet.com)

Nokia 9 Buggy Update Lets Anyone Bypass Fingerprint Scanner With a Pack of Gum (zdnet.com)

Red Hat Takes Over Maintenance of OpenJDK 8 and OpenJDK 11 From Oracle (infoworld.com)

Notre Dame Official Says 'Computer Glitch' Could Be Fire Culprit (cbsnews.com)

New York City Has a Y2K-Like Problem, and It Doesn't Want You To Know About It (nytimes.com)
City officials tried to play down the shutdown when first asked about it on Monday, speaking of it as if it were a routine maintenance issue. "The city is in the process of upgrading some components of our private wireless network," Stephanie Raphael, a spokeswoman for the Department of Information Technology and Telecommunications, said in an email on Monday. She referred to the glitch as a "brief software installation period." By Tuesday, the agency acknowledged the network shutdown, but said in an emailed statement that "no critical public safety systems are affected." Ms. Raphael admitted that technicians have been unable to get the network back up and running, adding, "We're working overtime to update the network and bring all of it back online." The problem has raised questions about whether the city had taken appropriate measures to prepare the network for the GPS rollover.

Scranos Rootkit Expands Operations From China To the Rest of the World (zdnet.com)

Google, Huawei Agree To Pay Owners of Faulty Nexus 6P Devices Up To $400 (theverge.com)
The proposal currently states that those who are eligible for the settlement could be paid up to $400 for their faulty device, while those who received a Pixel XL in a prior warranty exchange program would only be eligible for up to $10. Those who submit proper documentation for the bug will receive the most settlement money, while those without may be eligible for up to $75. For full details on submitting a claim, check out the as-filed longform notice document, which explains the process that will go into effect following court approval.

Why Aren't People Abandoning Windows For Linux? (slashgear.com)
- Updates on Linux are fast and "rarely call for a restart" -- and are also more complete. "Updates are typically downloaded through a 'Software Updater' application that not only checks for operating system patches, but also includes updates for the programs that you've installed from the repository."
- Windows "tries to serve a variety of markets...cramming in a scattered array of features" -- and, along those lines, the article argues that Microsoft "has gradually implemented monetization schemes and methods for extracting user data." And yet you're still paying for that operating system, while Linux is less bloated and "free forever."
- "Because less people use Linux, the platform is less targeted by malware and tends to be more secure than Windows."
The article also touches on a few other points (including battery life), and predicts that problems with Windows are "bound to get worse over time and will only present more of a case for making the switch to Linux."
Long-time Slashdot reader shanen shared the article, along with some new thoughts on why people really stay with Windows:
I think the main "excuse" is the perception of reliability, which is really laughable if you've actually read the EULA. Microsoft certainly doesn't have to help anyone at all. I would argue that Windows support is neither a bug nor a feature, but just a marketing ploy.
Their original submission suggests that maybe Linux needs to buttress the perception of its reliability with a better financial model -- possibly through a new kind of crowd funding (which could also be extended to all open source software, or even to journalism).

Apache Web Server Bug Grants Root Access On Shared Hosting Environments (zdnet.com)
"First of all, it is a LOCAL vulnerability, which means you need to have some kind of access to the server," Charles Fol, the security researcher who discovered this vulnerability told ZDNet in an interview yesterday. This means that attackers either have to register accounts with shared hosting providers or compromise existing accounts. Once this happens, the attacker only needs to upload a malicious CGI script through their rented/compromised server's control panel to take control of the hosting provider's server to plant malware or steal data from other customers who have data stored on the same machine. "The web hoster has total access to the server through the 'root' account. If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster," Fol said. "This implies read/write/delete any file/database of the other clients."

Microsoft Bounty Program Offers Larger Rewards For Bug Hunters (betanews.com)

Google's Second Android Q Beta Brings Us 'Bubbles' Multitasking (arstechnica.com)

Microsoft's Collaboration On Google's Chromium Brings a New Feature To Chrome (mspoweruser.com)
Now MSPoweruser reports Microsoft has indeed started collaborating on Chromium -- making suggestions like caret browsing and a native high-contrast mode -- and at least one of Microsoft's suggestions is already coming to Chrome. It looks like there is one feature that Chromium approved which will be making its way to Chrome soon. According to a new bug filing on Chromium (via Techdows), Google is working on bringing text suggestions for hardware keyboards to Chrome. The feature will give users suggestions as they type, something currently available on Windows 10 and in Microsoft Edge.
Google has just started working on the feature and has set its priority to 2, which suggests that it should be available sooner rather than later.

Casino Accused of Withholding Bug Bounty, Then Assaulting 'Ethical Hacker' (arstechnica.com)
What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got in a confrontation with him and yanked off his conference lanyard; Gill insists he did no such thing, and he accused Wheeler of attempted extortion.
The debacle culminated in legal threats and a lot of mudslinging, with live play-by-play commentary as it played out on Twitter.
Ars Technica calls the story "practically a case study in the problems that can arise with vulnerability research and disclosure," adding "the vast majority of companies have no clear mechanism for outsiders to share information about security gaps."
A security research director at Rapid7 joked his first reaction was "man, I wish a vendor would punch me for disclosure. Boy, that beats any bug bounty." But they later warned, "It's on us as an industry not only to train corporate America on how to take disclosure, but also we need to do a little more training for people who find these bugs -- especially today, in an era where bug outings are kind of normal now -- to not expect someone to be necessarily grateful when one shows up."

Tesla Cars Keep More Data Than You Think (cnbc.com)
But the researchers' findings highlight how Tesla is full of contradictions on privacy and cybersecurity. On one hand, Tesla holds car-generated data closely, and has fought customers in court to refrain from giving up vehicle data. Owners must purchase $995 cables and download a software kit from Tesla to get limited information out of their cars via "event data recorders" there, should they need this for legal, insurance or other reasons. At the same time, crashed Teslas that are sent to salvage can yield unencrypted and personally revealing data to anyone who takes possession of the car's computer and knows how to extract it. The contrast raises questions about whether Tesla has clearly defined goals for data security, and who its existing rules are meant to protect. A Tesla spokesperson said in a statement to CNBC: "Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet. That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers."
The report serves as a reminder for Tesla owners to factory reset their cars before handing them off to a junk yard or other reseller because that other party may not reset your car for you. "Tesla sometimes uses an automotive auction company called Manheim to inspect, recondition and sell used cars," reports CNBC. "A former Manheim employee, who asked to remain anonymous, confirmed that employees do not wipe the cars' computers with a factory reset."
The researchers were able to obtain "phonebooks' worth of contact information from drivers or passengers who had paired their devices, and calendar entries with descriptions of planned appointments, and e-mail addresses of those invited." The data also showed the drivers' last 73 navigation locations, as well as crash-related information. The Model 3 that one of the researchers bought for research purposes contained a video showing the car speeding out of the right lane into the trees off the left side of a dark two-lane route. "GPS and other vehicle data reveals that the accident happened in Orleans, Massachusetts, on Namequoit Road, at 11:15 pm on Aug 11, and was severe enough that airbags deployed," the report adds.

Critical Magento SQL Injection Flaw Could Soon Be Targeted By Hackers (csoonline.com)
UPDATE: Onilab, an official Magento development partner, has a blog post explaining how you can update your store to the latest version of Magento.