Security

200 Million Chinese Resumes Leak In Huge Database Breach (thenextweb.com) 70

According to a report from HackenProof, a database containing resumes of over 200 million job seekers in China was exposed last month. "The leaked info included not just the name and working experience of people, but also their mobile phone number, email, marriage status, children, politics, height, weight, driver license, and literacy level as well," reports The Next Web. From the report: Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, found an unprotected instance of MongoDB containing these resumes on December 28. Diachenko found the resumes in the open database search engines Shodan and BinaryEdge. The 854GB database didn't have any password protection and was open to anyone to read.

Diachenko wasn't able to identify who generated the database or who owned it, but a now-defunct GitHub code repository featured code that used a data structure identical to the leaked database's. The database contained data scraped from multiple Chinese classified websites like bj.58.com. However, in a blog post, the website's spokesperson denied the leak. Interestingly, the database was taken down as soon as Diachenko posted about it on Twitter. Sadly, the MongoDB log showed at least a dozen IP addresses that had read the instance before it went off the grid.

Microsoft

Windows 10 Will Reserve 7GB of Your Computer's Storage in its Next Major Release So That Big Updates Don't Fail (zdnet.com) 368

In the next major release of Windows 10, Microsoft will reserve 7GB of your device's storage to resolve a Windows 10 bug caused by Windows Update not checking whether a PC has enough storage space before launching big updates. From a report: As Microsoft warned ahead of the Windows 10 October 2018 Update, systems that don't have enough space to install Microsoft's 'quality updates' or new versions of the OS will see an error message explaining there is insufficient storage space. That happens because Windows doesn't check if a device has enough space before initializing the update. Microsoft's current solution is for users to manually delete unnecessary temporary files and temporarily move important files like photos and videos to external storage devices to make enough space for the update. This problem is more acute for devices with little storage capacity, such as many of the cheap 32GB flash-drive PCs on the market today.

Bug

Monarch Butterfly Numbers Plummet 86 Percent In California (usatoday.com) 148

An anonymous reader quotes a report from USA Today: The number of monarch butterflies turning up at California's overwintering sites has dropped by about 86 percent compared to only a year ago, according to the Xerces Society, which organizes a yearly count of the iconic creatures. That's bad news for a species whose numbers have already declined an estimated 97 percent since the 1980s. Each year, monarchs in the western United States migrate from inland areas to California's coastline to spend the winter, usually between September and February. Results from the count so far show that the number of monarchs at 97 California overwintering sites has dropped from around 148,000 in 2017 to just over 20,400 this year. Counts for dozens of other sites are still being tabulated, but the outlook is troubling.

What's causing the dramatic drop-off is somewhat of a mystery. Experts believe the decline is spurred by a confluence of unfortunate factors, including late rainy-season storms across California last March, the effects of the state's yearslong drought and the seemingly relentless onslaught of wildfires that have burned acres upon acres of habitat and at times choked the air with toxic smoke. The Thomas Fire last year burned almost 300,000 acres, including areas important for monarch breeding and migration. More recently, the Woolsey Fire damaged at least four monarch butterfly overwintering sites in the Malibu area, according to Lara Drizd, a wildlife biologist with the U.S. Fish and Wildlife Service in Ventura.

Bug

Google is Working on a Fix For Laggy Tablet Mode on Chrome OS Devices (9to5google.com) 41

An anonymous reader shares a report: Chrome OS was originally a laptop platform, but slowly it's being reworked for tablet form factors. However, as that goes on, there have been some hiccups. Most recently, many have noted the poor performance of tablet mode especially on Chrome OS products like the Pixel Slate, but it seems a fix for that lag is incoming. If you tuned into any hands-on or review coverage of Google's Pixel Slate, you're likely familiar with the performance issues many have described. In tablet mode, Chrome OS has a lot of issues with lag. This is especially evident in the multitasking screen, and it seems that is the first thing Google is looking at to fix these problems. ChromeUnboxed notes a recent bug tracker which reveals how Google plans to start fixing Chrome OS tablet mode lag in the multitasking screen. Somewhat hilariously, it seems a big reason for the poor frame rates in the animations on this screen actually comes down to how the OS renders the rounded corners on this screen.

Bug

EU Offers Big Bug Bounties On 14 Open Source Software Projects (juliareda.eu) 78

Julia Reda is a member of Germany's Pirate Party, a member of the European Parliament, and the Vice-President of The Greens-European Free Alliance.

Thursday her official web site announced: In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL.... The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure.... That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA... In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software...

In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on.

The bounties start at 25.000,00 € -- about $29,000 USD -- rising as high as 90.000,00 € ($103,000). "The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software," Reda writes.

Click through for a list of the software projects for which bug bounties will be offered.

Software

Here's What 2019 Holds For Paint.NET (betanews.com) 142

The developer of the popular image editing tool Paint.NET, Rick Brewster, has shared his vision of what the coming year holds for his software. The 2019 roadmap for Paint.NET is an exciting one, promising migration to .NET Core, support for brushes and pressure sensitivity, and an expanded plugin system. BetaNews: Changes are on the cards for app icons and improved high-DPI support -- something that may be seen as merely aesthetic by some, but as important changes by others. Switching to .NET Core could have big implications for the software, as Brewster explains: "It's clear that, in the long-term, Paint.NET needs to migrate over to .NET Core. That's where all of the improvements and bug fixes are being made, and it's obvious that the .NET Framework is now in maintenance mode. On the engineering side this is mostly a packaging and deployment puzzle of balancing download size amongst several other variables. My initial estimations show that the download size for Paint.NET could balloon from ~7.5MB (today) to north of 40MB if .NET Core is packaged 'locally'. That's a big sticker shock... but it may just be necessary."

And, for those who're interested: the move to .NET Core will finally enable a truly portable version of Paint.NET since. Proposals for better DDS support and brushes and pressure sensitivity will be welcomed by digital artists, and there can be few users who are not excited at the prospect of an expanded plugin system.

Wireless Networking

Logitech Disables Local Access On Harmony Hubs, Breaks Automation Systems (arstechnica.com) 151

DarkRookie2 shares a report from Ars Technica: Many users of Logitech's Harmony Hub smart home hub and remote were recently met with a nasty surprise. The device's latest firmware update, version 4.15.206, reportedly cuts off local access for Harmony Hubs. As a result, many users who created home automation and smart home systems using third-party APIs haven't been able to control many, and in some cases all, of their connected IoT devices. Logitech began pushing out firmware update 4.15.206 last week, its release notes stating that it addresses security and bug fixes. Users immediately flocked to Logitech's community forums to complain once they realized the systems they built up to control their smart home devices had essentially become unresponsive. Users with Homeseer and Home Assistant APIs have reported parts of their systems broken, preventing them from controlling things like smart TVs, sound systems, and more using the Harmony Hub and its remote. In a statement to Ars, a Logitech representative confirmed that local access was removed in the latest Harmony Hub firmware update for security reasons: "The XMPP interface was used as part of the setup process and was pointed out as an insecure communication. We removed that interface as part of an effort to improve the Hub security. That interface was never designed to be used by third parties. The reason for the firmware update was to make the Harmony Hub more secure, therefore we do not have an official downgrade option. We recommend that users do not try to prevent the automatic firmware update process. We update the firmware as security issues are discovered, so users preventing the automatic firmware update process would not benefit from these future fixes."

Google

Google Denies Altering YouTube Code To Break Microsoft Edge (theverge.com) 135

Earlier this week, a former Microsoft Edge intern alleged that Google deliberately introduced bogus changes to YouTube to break the functionality of the video portal when users on Edge and other browsers tried to access the website. Google today denied the allegation. From a report: Google disputes Bakita's claims, and says the YouTube blank div was merely a bug that was fixed after it was reported. "YouTube does not add code designed to defeat optimizations in other browsers, and works quickly to fix bugs when they're discovered," says a YouTube spokesperson in a statement to The Verge. "We regularly engage with other browser vendors through standards bodies, the Web Platform Tests project, the open-source Chromium project and more to improve browser interoperability." In a statement, Microsoft said, "Google has been a helpful partner and we look forward to the journey as we work on the future of Microsoft Edge."

Censorship

Tumblr Blocked Archivists Just Before Starting the NSFW Content Purge (techdirt.com) 204

An anonymous reader quotes a report from Techdirt: By now, of course, you're aware that the Verizon-owned Tumblr (which was bought by Yahoo, which was bought by Verizon and merged into "Oath" with AOL and other no longer relevant properties) has suddenly decided that nothing sexy is allowed on its servers. This took many by surprise because apparently a huge percentage of Tumblr was used by people to post somewhat racy content. Knowing that a bunch of content was about to disappear, the famed Archive Team sprung into action -- as they've done many times in the past. They set out to archive as much of the content on Tumblr that was set to be disappeared down the memory hole as possible... and it turns out that Verizon decided as a final "fuck you" to cut them off. Jason Scott, the mastermind behind the Archive Team announced over the weekend that Verizon appeared to be blocking their IPs. Thankfully, it didn't take long for the Archive Team to get past the blocks. Scott tweeted on Sunday: "why look at that the archiving of tumblr restarted how did that happen must be a bug surely a crack team of activist archivists didn't see an ip block as a small setback and then turned everything up to 11."

Twitter

Twitter Warns of Suspicious Traffic Coming From China and Russia (reuters.com) 72

Suspicious traffic to a Twitter user forum appears to be part of government-backed activity coming from China and Russia, a Twitter spokesman told Reuters Monday. The company said it has yet to determine the reason for the activity, but is choosing to notify users out of an abundance of caution.

Additionally: Twitter bug leaks phone number country codes.

Iphone

Cydia's App Store For Jailbroken iPhones Shuts Down Purchases (iphonehacks.com) 40

Cydia, the App Store for jailbroken devices, is shutting down purchases as its creator moves to shut down the store entirely in the near future. "Cydia's creator Saurik made the announcement on Reddit after a bug was discovered in the platform that may have put user data at risk," iPhonehacks reports. "This bug prompted Saurik to clarify the issue and reveal that he has been planning on shutting down Cydia for quite a while now." From the report: The founder clarifies that the bug only puts a limited number of users at risk who are logged into Cydia and browse a repository with untrusted content -- a scenario which Saurik has strongly advised against right from day one. Plus, he also says that this is not a data leak and he has not lost access to PayPal authorization tokens. Coming to the harsh reality, Saurik says that he has been looking to shut down Cydia Store before the end of this year. The reports of a data leak have acted as a catalyst to bring the timetable further up. There are multiple reasons as to why he is looking to shut down the service including the fact that he has to pay for the hefty hosting bills from his own pocket.

Saurik has already gone ahead and shut down the ability to buy jailbreak tweaks in Cydia. This means that one can no longer use the Cydia Store to buy jailbreak tweaks on a jailbroken iPhone. On the bright side, Saurik does intend to allow users to download jailbreak tweaks that they have already paid for. Saurik will also make a more formal announcement about the shutting down of Cydia sometime soon. Do note that this change relates only to Cydia Store and not Cydia the installer which is used to install tweaks on a jailbroken device. The latter will continue to work as usual.

Java

OpenJDK Bug Report Complains Source Code 'Has Too Many Swear Words' (java.net) 281

Thursday a bug report complained that the source code for OpenJDK, the free and open-source implementation of Java, "has too many swear words." An anonymous reader writes: "There are many instances of swear words inside OpenJDK jdk/jdk source, scattered all over the place," reads the bug report. "As OpenJDK is used in a professional context, it seems inappropriate to leave these 12 instances in there, so here's a changeset to remove them."

IBM software developer (and OpenJDK team member and contributor) Adam Farley responded that "after discussion with the community, three determinations were reached":
  • "Damn" and "Crap" are not swear words.
  • Three of the four f-bombs are located in jszip.js, which should be corrected upstream (will follow up).
  • The f-bomb in BitArray.java, as well as the rude typo in SoftChannel.java, *are* swear words and should be removed to resolve this work item.

He promised a new webrev would be uploaded to reflect these determinations, and the bug has been marked as "resolved."

Windows

Regular Windows 10 Users Who Manually Look For Updates May End Up Downloading Beta Code, Microsoft Says (techspot.com) 115

In addition to relying on Windows Insiders, employees, and willing participants for testing updates, Microsoft is pushing patches before they are known to be stable to regular users too if they opt to click the "check for updates" button on their own, the company said. From a report: In a blog post by Michael Fortin, Corporate Vice President for Windows, it is made clear that home users are intentionally being given updates that are not necessarily ready for deployment. Many power users are familiar with Patch Tuesday. On the second Tuesday of each month, Microsoft pushes out a batch of updates at 10:00 a.m. Pacific time containing security fixes, bug patches, and other non-security fixes. Updates pushed out as part of Patch Tuesday are known as the "B" release since they ship during the second week of the month.

The third and fourth weeks of the month are where things begin to get murky. Microsoft's "C" and "D" releases are considered previews for commercial customers and power users. No security fixes are a part of these updates, and for good reason. Microsoft has come out to directly say that some users are the guinea pigs for everyone else. In some fairness to Microsoft, C and D updates are typically only applied when a user manually checks for updates by clicking the button buried within Settings. However, if end users really wanted to be a part of testing the latest features, the Windows Insider Program is designed exactly for that purpose.

Further reading: Windows 10's 'Check for updates' button may download beta code.

Facebook

Facebook Says A Bug May Have Exposed The Unposted Photos Of Millions Of Users (buzzfeednews.com) 51

A day after hosting a pop-up store in New York City's Bryant Park to explain how privacy is the "foundation of the company," Facebook disclosed that a security flaw potentially exposed the public and private photos of as many as 6.8 million users to developers. From a report: On Friday, the Menlo Park, California-based company said in a blog post that it discovered a bug in late September that gave third-party developers the ability to access users' photos, including those that had been uploaded to Facebook's servers but not publicly shared on any of its services. The security flaw, which exposed photos for 12 days between Sept. 13 and Sept. 25, affected up to 1,500 apps from 876 developers, according to Facebook.

"We're sorry this happened," Facebook said in the post. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users." Facebook has not yet responded to questions about whether company representatives staffing its privacy pop-ups yesterday were aware of this security flaw as they were meeting with reporters and customers to discuss privacy.

Further reading: Facebook's lead EU regulator opens probe into data breach.

Privacy

WordPress Plugs Bug that Led to Google Indexing Some User Passwords (zdnet.com) 32

A week after releasing the v5.0 major update, WordPress has pushed the first security patch for its popular CMS. ZDNet: Released hours ago, WordPress version 5.0.1 fixes seven security vulnerabilities (some of which allow site takeover) but also plugs a pretty serious privacy leak. The latter was found by the authors of the popular Yoast SEO plugin, who discovered that in some cases the activation screen for new users could end up being indexed by Google. With specially crafted Google searches, an attacker could find these pages and collect users' email addresses, and in some rare cases, default-generated passwords. This leak could have catastrophic consequences if the user has an admin role or if the user didn't change his default password, as is regularly advised.

Firefox

Malicious Sites Abuse 11-Year-Old Firefox Bug That Mozilla Failed To Fix (zdnet.com) 91

Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. From a report: This wouldn't be a big deal, as the web is fraught with this kind of malicious site, but these websites aren't abusing some new never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years since it was first reported back in April 2007. The bug comes down to a malicious website embedding an iframe inside its source code. The iframe makes an HTTP authentication request on another domain.

[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users onto sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentication modal in a loop.

Businesses

Apple Store Employees Aren't Allowed To Say 'Crash', 'Bug', or 'Problem' (theguardian.com) 308

Long-time Slashdot reader mspohr shares a Guardian article which argues that Apple Store employees "are underpaid, overhyped and characters in a well-managed fiction story" who "use emotional guile to sell products": When customers run into trouble with their products, geniuses are encouraged to sympathize, but only by apologizing that customers feel bad, lest they implicate Apple's products as the source of the trouble. In this gas-lit performance of a "problem free" brand philosophy, many words are actually verboten for staff. Do not use words like crash, hang, bug, or problem, employees are told. Instead say does not respond, stops responding, condition, issue, or situation. Avoid saying incompatible; instead use does not work with. Staff have reported the absurdist dialogues that can result, like when they are not allowed to tell customers that they cannot help even in the most hopeless cases, leading customers into circular conversations with employees able neither to help nor to refuse to do so....

[I]n a move so ridiculous it's almost certain to be a hit, the Genius Bar has been rebranded the "Genius Grove". Windows are opened to blur the distinction between inside and outside, and the stores are promoted as quasi-public spaces. "We actually don't call them stores any more," the new head of retail at Apple, former Burberry executive Angela Ahrendts (2017 salary: $24,216,072), recently told the press. "We call them town squares."

The article argues that since their launch in 2001, Apple Stores "have raked in more money -- in total and per square foot -- than any other retailer on the planet, transforming Apple into the world's richest company in the process."

But it also complains that Apple's wealth "flows from the privatization of publicly funded research, mixed with the ability to command the low-wage labor of our Chinese peers, sold by empathetic retailers forbidden from saying 'crash'."

Google

If Your Gmail Inbox Is Being Flooded With Promo Emails, You're Not Alone (buzzfeednews.com) 49

Gmail users are reporting that promotional emails (meant to showcase deals, offers, and other marketing emails) from companies are ending up in their main "Primary" inbox (meant for person-to-person conversations and messages that don't appear in other tabs). The company says it is working on a fix. From a report: Google told BuzzFeed News it's working on a fix, but it did not specify when users should expect inboxes to go back to normal. In a statement, a spokesperson said, "We are aware of an issue in Gmail causing certain promotional email to be incorrectly categorized. We are rolling out a fix shortly."

Cloud

Kubernetes' First Major Security Hole Discovered (zdnet.com) 90

Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It's a CVSS 9.8 critical security hole. From a report: With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials. Can you say root? I knew you could. Worse still, "In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation." So, yes, anyone who knows about this hole can take command of your Kubernetes cluster.

Bug

Monarch Butterfly Populations In the West Are Down an Order of Magnitude (qz.com) 100

An anonymous reader quotes a report from Quartz: Far fewer [monarch butterflies] were heading south this year, and those that have arrived did so a month late, according to Xerces, a non-profit conservation group for invertebrates. One researcher said it was the fewest monarch butterflies in central California in 46 years. Surveyors at 97 sites found only 20,456 monarchs compared to 148,000 at the same sites last year, an 86% decline. It's possible more insects will make the journey late this year, says Xerces, but that now seems unlikely. The minimum population size before the species experiences "migration collapse" is unknown, but a 2017 modeling paper in Biological Conservation (pdf) found that 30,000 adult butterflies are probably the smallest viable population. Without this critical mass, there aren't enough insects in the western monarch population to continue one of the world's most remarkable lifecycles.
