Software

Delta Computer Glitches Force Flight Halts Third Year In a Row (bloomberg.com) 69

An anonymous reader quotes a report from Bloomberg: The U.S. airline grounded all domestic flights Tuesday to deal with a technology issue that affected some of its systems. About an hour later, Delta said it had restored all its systems, allowing the services to resume. While the carrier said there were no disruptions or safety issues with any flight, the systems failure was the third in as many years that forced Delta to shut its operations. In January last year, a 2 1/2-hour computer breakdown grounded domestic flights. Delta's worldwide computer systems failed in August 2016, causing massive cancellations. This time, international flights weren't affected, and the grounding was relatively short. Still, with limited updates on flight schedules, irate customers took to social media.
Businesses

Uber Settles Data Breach Investigation For $148 Million (nytimes.com) 18

An anonymous reader quotes a report from The New York Times: Uber will pay $148 million to settle a nationwide investigation into a 2016 data breach (Warning: source may be paywalled; alternative source), in which a hacker managed to gain access to information belonging to 57 million riders and drivers. The breach included names and driver's license numbers for 600,000 drivers. Rather than disclosing the breach when it occurred, Uber paid the hacker $100,000 through its bug bounty program. [...] The ride-hailing company persuaded him to delete the data and stay quiet about it with a nondisclosure agreement. The incident became public a year later when Uber's chief executive, Dara Khosrowshahi, announced it as a "failure" and fired the two employees who had signed off on the payment.

Tony West, Uber's chief legal officer, said the settlement was part of a larger effort inside Uber to remake the company's image. He said the company had recently hired a chief privacy officer and a chief trust and security officer. The $148 million settlement announced Wednesday will be divided among all 50 states and the District of Columbia. "Companies in California and throughout the nation are entrusted with customers' valuable private information," Xavier Becerra, California's attorney general, said. "This settlement broadcasts to all of them that we will hold them accountable to protect that data."

AI

Machine Learning Confronts the Elephant in the Room (quantamagazine.org) 151

A visual prank exposes an Achilles' heel of computer vision systems: Unlike humans, they can't do a double take. From a report: In a new study [PDF], computer scientists found that artificial intelligence systems fail a vision test a child could accomplish with ease. "It's a clever and important study that reminds us that 'deep learning' isn't really that deep," said Gary Marcus, a neuroscientist at New York University who was not affiliated with the work. The result takes place in the field of computer vision, where artificial intelligence systems attempt to detect and categorize objects. They might try to find all the pedestrians in a street scene, or just distinguish a bird from a bicycle (which is a notoriously difficult task). The stakes are high: As computers take over critical tasks like automated surveillance and autonomous driving, we'll want their visual processing to be at least as good as the human eyes they're replacing.

It won't be easy. The new work accentuates the sophistication of human vision -- and the challenge of building systems that mimic it. In the study, the researchers presented a computer vision system with a living room scene. The system processed it well. It correctly identified a chair, a person, books on a shelf. Then the researchers introduced an anomalous object into the scene -- an image of an elephant. The elephant's mere presence caused the system to forget itself: Suddenly it started calling a chair a couch and the elephant a chair, while turning completely blind to other objects it had previously seen.

"There are all sorts of weird things happening that show how brittle current object detection systems are," said Amir Rosenfeld, a researcher at York University in Toronto and co-author of the study along with his York colleague John Tsotsos and Richard Zemel of the University of Toronto. Researchers are still trying to understand exactly why computer vision systems get tripped up so easily, but they have a good guess. It has to do with an ability humans have that AI lacks: the ability to understand when a scene is confusing and thus go back for a second glance.

Desktops (Apple)

Apple Releases macOS Mojave Featuring Dark Mode and Other Features; Earlier Today a Security Researcher Published 0Day Bypass For a Privacy Bug in the new OS 72

Apple on Monday made available to the public macOS Mojave -- aka macOS 10.14, the latest major update to its desktop operating system. From a report: Though Mojave is substantially focused on under-the-hood improvements, it includes several major changes to the Mac's Finder, as well as a small collection of apps that were ported from iOS. On the Finder side, Apple has introduced a system-wide Dark Mode, which optionally reskins the entire user interface with black or dark gray elements. Dark Mode pairs up with Dynamic Desktop, which can automatically adjust certain desktop images in sync with time of day (morning, afternoon, and evening) changes. Minutes ahead of the release, Patrick Wardle, chief research officer at Digita Security, tweeted a video of an apparent bypass of a privacy feature that's designed to prevent apps from improperly accessing a user's personal data. From a report: For years, Macs have forced apps to ask for permission before accessing your contacts and calendar after some iOS apps were caught uploading private data. Apple said at its annual developer conference this year that it would expand the feature to include apps asking for permission to access the camera, microphone, email and backups. Wardle told TechCrunch that his findings are "not a universal bypass" of the feature, but that the bug could allow a malicious app to grab certain protected data, such as a user's contacts, when a user is logged in.
Security

Twitter Notifies Developers About API Bug That Shared DMs With Wrong Developers (zdnet.com) 12

Twitter has started notifying developers today about an API bug that accidentally shared direct messages (private messages) or protected tweets from a Twitter business account with other developers. From a report: According to a support page published today, Twitter said the bug only manifested for Twitter business accounts where the account owner used the Account Activity API (AAAPI) to allow other developers access to that account's data. Because of the bug, the AAAPI sent DMs and protected tweets to the wrong person instead of the authorized developer. Twitter said it discovered the bug on September 10, and fixed it the same day. They also said the bug was active between May 2017 and September 2018, for almost 16 months. The bug represents a serious privacy issue, especially for Twitter business accounts that use DMs to handle customer complaints that in some cases may include private user information.
Bitcoin

Crippling DDoS Vulnerability Put the Entire Bitcoin Market At Risk (thenextweb.com) 37

A major flaw was spotted in the Bitcoin network that could have allowed miners to bring down the entire blockchain by flooding full node operators with traffic, via a Distributed Denial-of-Service (DDoS) attack. "A denial-of-service vulnerability (CVE-2018-17144) exploitable by miners has been discovered in Bitcoin Core versions 0.14.0 up to 0.16.2," the patch notes state. "It is recommended to upgrade any of the vulnerable versions to 0.16.3 as soon as possible." The Next Web reports: Developers have issued a patch for anyone running nodes, along with an appeal to update the software immediately. As far as the attack vector in question goes, there's a catch: anyone ballsy enough to try to bring down Bitcoin would have to sacrifice almost $80,000 worth of Bitcoin in order to do it. The bug relates to its consensus code. It meant that some miners had the option to send transaction data twice, causing the Bitcoin network to crash when attempting to validate them. As such invalid blocks need to be mined anyway, only those willing to disregard the block reward of 12.5 BTC ($80,000) could actually do any real damage.
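The defect class described above is a block validator that lets the same spend data through twice and then fails hard instead of rejecting the block. The following is an added illustration, not Bitcoin Core's code: a deliberately small UTXO model (outputs created by transactions are left out) in which a per-transaction duplicate-input check and a spent-outpoint check both turn a malformed block into a clean rejection that leaves node state untouched. All type names and the sample outpoints are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class OutPoint:
    """Reference to a previous transaction output: (txid, output index)."""
    txid: str
    index: int


@dataclass
class Tx:
    txid: str
    inputs: List[OutPoint]
    coinbase: bool = False  # coinbase creates coins and spends nothing


class BlockRejected(Exception):
    """Raised for a consensus-invalid block; the node keeps running."""


def check_transaction(tx: Tx) -> None:
    """Per-transaction rule: an outpoint may appear at most once among inputs.

    Without this check, duplicated spend data reaches the UTXO update step,
    which is exactly where a validator that asserts instead of rejecting
    would take the whole process down.
    """
    seen: Set[OutPoint] = set()
    for op in tx.inputs:
        if op in seen:
            raise BlockRejected(f"{tx.txid}: input {op.txid}:{op.index} listed twice")
        seen.add(op)


def connect_block(txs: List[Tx], utxo: Set[OutPoint]) -> Set[OutPoint]:
    """Validate a block against a UTXO set and return the updated set.

    Works on a copy so a rejected block leaves the caller's state intact;
    every failure path is an exception the caller can log and move on from.
    """
    view = set(utxo)
    for tx in txs:
        check_transaction(tx)
        if tx.coinbase:
            continue
        for op in tx.inputs:
            if op not in view:
                # Never existed, or already spent earlier in this same block.
                raise BlockRejected(
                    f"{tx.txid}: spends missing or already-spent {op.txid}:{op.index}"
                )
            view.remove(op)
    return view


if __name__ == "__main__":
    # Constructed sample: two unspent outputs, then a block that spends one.
    coins = {OutPoint("a", 0), OutPoint("b", 1)}
    block = [Tx("cb", [], coinbase=True), Tx("t1", [OutPoint("a", 0)])]
    print("remaining UTXOs:", connect_block(block, coins))
    bad = [Tx("cb", [], coinbase=True), Tx("t2", [OutPoint("a", 0), OutPoint("a", 0)])]
    try:
        connect_block(bad, coins)
    except BlockRejected as e:
        print("rejected:", e)
```

The point a node operator should take from the model is that consensus checks belong in a path that returns an error, never in an assertion that is skipped in release builds or that aborts the process when it fires.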
Privacy

'I'm Admin. You're Admin. Everyone is Admin.' Remote Access Bug Turns Western Digital My Cloud Into Everyone's Cloud (theregister.co.uk) 74

Researchers at infosec shop Securify revealed this week a vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and log in with admin privileges. From a report: This would, in turn, give the attacker full control over the NAS device, including the ability to view and copy all stored data as well as overwrite and erase contents. If the box is accessible from the public internet, it could be remotely pwned, it appears. Alternatively, malware on a PC on the local network could search for and find a vulnerable My Cloud machine, and compromise it. According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device's web interface, as an HTTP CGI request, they can also include the cookie username=admin -- which unlocks admin access. Thus if properly constructed, the request would establish an admin login session to the device without ever asking for a password. In other words, just tell it you're the admin user in the cookie, and you're in. The researcher told TechCrunch that he reported the vulnerability to Western Digital last year, but the company "stopped responding."
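The underlying design mistake is a server that treats a client-supplied cookie as proof of identity. The following added example (not Western Digital's code; the credential store, class names and sample password are constructed) puts that pattern beside the standard fix: the server only believes identities it bound to a random token after a password check, and additionally pins the session to the client address, which is a defense-in-depth measure rather than the authentication itself.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed credential store: one admin account, salted PBKDF2 hash of a
# sample password. Hypothetical; not a My Cloud configuration.
_SALT = b"example-salt"
_ITERATIONS = 100_000
_ADMIN_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, _ITERATIONS)


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed store."""
    if username != "admin":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, _ADMIN_HASH)


class CookieAssertedIdentity:
    """The flawed pattern from the story: identity is whatever the client put
    in the cookie, so no password is ever consulted."""

    def current_user(self, cookies: Dict[str, str], remote_addr: str) -> Optional[str]:
        return cookies.get("username")


class ServerIssuedSessions:
    """Hardened pattern: a random token, minted only after a successful
    password check, is the sole thing that maps a request to a user."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, str]] = {}  # token -> (user, addr)

    def login(self, username: str, password: str, remote_addr: str) -> Optional[str]:
        if not verify_password(username, password):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, generated server-side
        self._sessions[token] = (username, remote_addr)
        return token

    def current_user(self, cookies: Dict[str, str], remote_addr: str) -> Optional[str]:
        # A client-chosen 'username' cookie is ignored entirely.
        entry = self._sessions.get(cookies.get("session", ""))
        if entry is None:
            return None
        user, bound_addr = entry
        # Address pinning limits token replay from elsewhere; it never
        # substitutes for the password check that minted the token.
        return user if hmac.compare_digest(bound_addr, remote_addr) else None


def demo() -> Dict[str, Optional[str]]:
    """Run both models against a request that merely claims to be admin."""
    claimed = {"username": "admin"}
    client = "192.168.1.50"
    flawed = CookieAssertedIdentity().current_user(claimed, client)
    hardened = ServerIssuedSessions()
    rejected = hardened.current_user(claimed, client)
    token = hardened.login("admin", "correct horse battery", client)
    accepted = hardened.current_user({"session": token}, client)
    elsewhere = hardened.current_user({"session": token}, "192.168.1.99")
    return {
        "flawed": flawed,
        "hardened_without_login": rejected,
        "hardened_after_login": accepted,
        "hardened_from_other_address": elsewhere,
    }


if __name__ == "__main__":
    print(demo())
```

For a device audit, the observable symptom of the flawed model is that an administrative endpoint answers successfully to a request whose only credential is a cookie the device never issued; any session scheme worth keeping fails that request.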
Security

Hackers Hijack Surveillance Camera Footage With 'Peekaboo' Zero-Day Vulnerability (zdnet.com) 25

An anonymous reader quotes a report from ZDNet: A zero-day vulnerability present in security cameras and surveillance equipment using Nuuo software is thought to impact hundreds of thousands of devices worldwide. Researchers from cybersecurity firm Tenable disclosed the bug, which has been assigned as CVE-2018-1149. The vulnerability cannot get much more serious, as it allows attackers to remotely execute code in the software, the researchers said in a security advisory on Monday. Nuuo, describing itself as a provider of "trusted video management" software, offers a range of video solutions for surveillance systems in industries including transport, banking, government, and residential areas.

Dubbed "Peekaboo," the zero-day stack buffer overflow vulnerability, when exploited, allows threat actors to view and tamper with video surveillance recordings and feeds. It is also possible to use the bug to steal data including credentials, IP addresses, port usage, and the make & models of connected surveillance devices. In addition, the bug could be used to fully disable cameras and surveillance products. Peekaboo specifically impacts the NVRMini 2 NAS and network video recorder, which acts as a hub for connected surveillance products. When exploited, the product permitted access to the control management system (CMS) interface, which further exposes credentials of all connected video surveillance cameras connected to the storage system.

The Almighty Buck

Is Tech Billionaires' Educational Philanthropy a Bug Or a Feature? 154

Long-time reader theodp writes: Some education watchers have adopted a wait-and-see response to Jeff Bezos' two-pronged $2B pledge to aid the homeless and to establish preschools for low-income children (Mark Zuckerberg's The Primary School interestingly prefers 'em even younger, noting "we admit students at or before birth"). Not so Audrey Watters, who presents her misgivings in a blog post, titled, "It's Like Amazon, But for Preschool" (tl;dr: read her URL), wondering what a chain of preschools that "use the same set of principles that have driven Amazon" might look like, considering Amazon's own labor practices. She asks, "Are private preschool chains really the path we want to pursue, particularly if we believe that access to excellent early childhood education is so incredibly crucial? Can the gig economy and the algorithm ever provide high quality preschool? For all the flaws in the public school system, it's important to remember: there is no accountability in billionaires' educational philanthropy." Sharing Watters' concerns is author Anand Giridharadas, who argues in his new book Winners Take All that the wealthy pursue social change without uprooting the systems that produce inequality. Bezos has a "stark opportunity to be a traitor to his class, to actually think about giving in ways that transform the system atop which he stands," Giridharadas said. "It is great to be a winner who gives back. It is even better to be a winner who thinks about how winners can take less."
Android

Google Remotely Changed the Settings on a Bunch of Phones Running Android 9 Pie (theverge.com) 91

Last week, a mix of people who own Google Pixel phones and other devices running Android 9 Pie noticed that the software's Battery Saver feature had been switched on -- seemingly all by itself. And oddly, this was happening when the phones were near a full charge, not when the battery was low. From a report: Initially it was assumed that this was some kind of minor bug in the latest version of Android, which was only released a few weeks ago. Some users thought they might've just enabled Battery Saver without realizing. But it was actually Google at fault. The company posted a message on Reddit last night acknowledging "an internal experiment to test battery saving features that was mistakenly rolled out to more users than intended." So Google had remotely -- and accidentally -- changed a phone setting for a bunch of real-world customers. Several staffers at The Verge experienced the issue. "We have now rolled battery saver settings back to default. Please configure to your liking," the Pixel team wrote on Reddit before apologizing for the error.
Businesses

Uber Glitch Stops Payments To Drivers, Prices Surge (sandiegoreader.com) 90

Uber is still trying to fix a glitch that's been stopping its drivers from collecting the money they've earned for several days. An anonymous reader writes: One Uber driver says the problem's lasted over a week, and he's owed more than $1,300. "They've been continually telling us that it would be corrected within 24 hours," he told a Bay Area news station. "We still can't access the money.... We're in a situation where for a lot of us we have bills every day, we pay tolls every day, we pay gas every single day."

Now the San Diego Reader reports the issue "is forcing San Diego drivers off the road," with the shortage of drivers triggering surge pricing throughout the entire region as much as triple the usual rate. Surge pricing is also hitting riders in Dallas, according to another Uber driver's tweet, who complains "It's a shame that a $48 billion 'tech' company can't get it together."

In a statement promising they'd still pay all their drivers, Uber acknowledged their payment system was still broken, "and we sincerely regret any inconvenience."

"The glitch in the payment system also means that trip and safety issues are unable to be reported, either by the passenger, or the driver," notes the San Diego Reader, adding that the city's Uber drivers "continue to decline to work, either staying off the road or switching to another ride-sharing service."
Security

Apple Has Started Paying Hackers for iPhone Exploits (vice.com) 31

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: In 2016, Apple's head of security surprised the attendees of one of the biggest security conferences in the world by announcing a bug bounty program for Apple's mobile operating system iOS. At the beginning, Apple struggled to woo researchers and convince them to report high-value bugs. For the researchers, the main issue was that the bugs they discovered were too valuable to report to Apple, despite rewards as high as $200,000. Companies like GrayShift and Azimuth made an entire business out of exploiting vulnerabilities in Apple products, while other researchers didn't want to report bugs so they could keep doing research on iOS. But two years later, some researchers are finally reporting vulnerabilities to Apple, and the company has begun to award some researchers with bounties, Motherboard has learned.

[...] Adam Donefeld, a researcher at mobile security firm Zimperium, said that he has submitted several bugs to Apple and received payments from the company. Donefeld was not part of the first batch of security researchers who were personally invited by Apple to visit its Cupertino campus and asked to join the program. But after submitting a few bugs, Donefeld told me, an Apple employee asked him in a phone call if he wanted to be part of the bounty program. "I know Apple pays people," Donefeld said in an online chat. "I'm certainly not the only payout." Another researcher, who asked to remain anonymous because they are worried about souring their relationship with Apple, said that they have submitted a few bugs and been awarded bounties, but have yet to be paid. [...] Two other researchers told Motherboard they also have concerns with or have had trouble with the program. One said they weren't paid for a bug they submitted (Motherboard could not independently confirm that the researcher did not get a payment), and another said they didn't want to participate in it at all, even after being invited.
Further reading: Google Bug Hunter Urges Apple To Change Its iOS Security Culture; Asks Tim Cook To Donate $2.45 Million To Amnesty For His Unpaid iPhone Bug Bounties.
AI

Facebook Creates an AI-Based Tool To Automate Bug Fixes (siliconangle.com) 40

Facebook is trying to speed up the time it takes to roll out new software updates and debug any issues in them with a new tool called SapFix that its engineers are building. From a report: SapFix, which is still under development, is designed to generate fixes automatically for specific bugs before sending them to human engineers for approval. Facebook, which announced the tool today ahead of its Scale conference in San Jose, California, for developers building large-scale systems and applications, calls SapFix an "AI hybrid tool." It uses artificial intelligence to automate the creation of fixes for bugs that have been identified by its software testing tool Sapienz, which is already being used in production. SapFix will eventually be able to operate independently from Sapienz, but for now it's still a proof-of-concept that relies on the latter tool to pinpoint bugs first of all. SapFix can fix bugs in a number of ways, depending on how complex they are, Facebook engineers Yue Jia, Ke Mao and Mark Harman wrote in a blog post announcing the tools. For simpler bugs, SapFix creates patches that revert the code submission that introduced them. In the case of more complicated bugs, SapFix uses a collection of "templated fixes" that were created by human engineers based on previous bug fixes.
Python

Python Joins Movement To Dump 'Offensive' Master, Slave Terms (theregister.co.uk) 1342

Python creator Guido van Rossum retired in July, but he's been pulled back in to resolve a debate about politically incorrect language. The Register reports: Like other open source communities, Python's minders have been asked whether they really want to continue using the terms "master" and "slave" to describe technical operations and relationships, given that the words remind some people of America's peculiar institution, a historical legacy that fires political passions to this day. Last week Victor Stinner, a Python developer who works for Red Hat, published four pull requests seeking to change "master" and "slave" in Python documentation and code to terms like "parent," "worker," or something similarly anodyne. "For diversity reasons, it would be nice to try to avoid 'master' and 'slave' terminology which can be associated to slavery," he explained in his bug report, noting that there have been complaints but they've been filed privately -- presumably to avoid being dragged into a fractious flame war. And when Python 3.8 is released, there will be fewer instances of these terms.
Intel

Despite 'Painful' Spectre Response, Linus Torvalds Says He Still Loves Speculative Execution (youtube.com) 82

At this year's Open Source Summit, Linus Torvalds sat for a wide-ranging "keynote" interview with Dirk Hohndel, chief open source officer at VMWare, which has been partially transcribed below. And Linus explained, among other things, why the last merge window was harder than others: One of the issues we have is when we've had these hardware security issues, and they've kept happening now, the last year -- they're kept under wraps. So we knew about the issue for the last several months, but because it was secret and we weren't allowed to talk about it, we couldn't do our usual open development model. We do the best we can, and people really care deeply about getting a good product out, but when you have to do things in secret, and when you can't use all the nice infrastructure for development and for testing that we have for all the usual code, it just is way more painful than it should be. And then that just means that, especially when the information becomes public during what is otherwise a busy period anyway, it's just annoying...

I still love speculative execution. Don't get me wrong. I used to work for a CPU company. We did it in software, back when I worked there. I think a CPU has to do speculative execution. It's somewhat sad that then people didn't always think about or didn't always heed the warnings about what can go wrong when you take a few shortcuts in the name of making it slightly simpler for everybody, because you're going to throw away all that work anyway, so why bother to do it right. And that's when the security -- every single security problem we've had has been basically of that kind, where people knew that "Hey, this is speculative work. If something goes wrong we'll throw all the data away, so we don't need to be as careful as we would otherwise." I think it was a good lesson for the industry, but it was certainly not a fun lesson for us on the OS side, where we had to do a lot of extra work for problems that weren't our problems.

It feels somehow unfair. I mean, when we have a security bug that was our own fault, it's like, "Okay, it was us screwing up. It's fair that we have to do all the work to then fix our own bugs." But it feels slightly less fair when you have to fix somebody else's...

"The good news -- I mean the really good news, and I'm serious about this -- is that the bugs have become clearly more and more esoteric," Linus adds. "So it impacts fewer and fewer cases, and clearly hardware people at Intel and other places are now so aware of it that I'm hoping we're really getting to the dregs of the hardware security bugs, and going forward we'll have much fewer of them. I think we're going to the better days, when A.) we got the bugs fixed, and B.) people were thinking about them beforehand."

There's a lot more, so read on for more excerpts...
Chrome

Google Investigating Issue With Blurry Fonts on new Chrome 69 (zdnet.com) 71

Since the release of Chrome 69 earlier this week, countless users have gone on social media and Google Product Forums to complain about "blurry" or "fuzzy" text inside Chrome. ZDNet: The blurred font issue isn't limited to text rendered inside a web page, users said, but also affects the text suggestions displayed inside the address bar search drop-down, and Chrome's Developer Tools panel. [...] According to reports, the issue only manifests for Chrome 69 users on Windows. Those who rolled back to Chrome 68 stopped having problems. Users said that changing Chrome, operating system, or screen DPI settings didn't help. "Our team is investigating reports of this behavior. You can find more information in this public bug report," a Google spokesperson said last night after the first user complaints started surfacing online. Some users have also expressed concerns over Chrome not showing "trivial subdomains" including www and the secure lock sign in the address bar.
Security

MikroTik Routers Are Forwarding Owners' Traffic To Unknown Attackers (bleepingcomputer.com) 31

Attackers have been exploiting vulnerabilities in MikroTik routers to forward network traffic to a handful of IP addresses under their control. "The bug is in the Winbox management component and allows a remote attacker to bypass authentication and read arbitrary files," reports Bleeping Computer. "Exploit code is freely available from at least three sources." From the report: 360Netlab announced in a blog post today that more than 7,500 MikroTik routers across the world are currently delivering their TZSP (TaZmen Sniffer Protocol) traffic to nine external IP addresses. According to the researchers, the attacker modified the device's packet sniffing settings to forward the data to their locations. "37.1.207.114 is the top player among all the attackers. A significant number of devices have their traffic going to this destination," Qihoo experts inform.

The analysis shows that the attacker is particularly interested in ports 20, 21, 25, 110, and 144, which are for FTP-data, FTP, SMTP, POP3, and IMAP traffic. An unusual interest is in traffic from SNMP (Simple Network Management Protocol) ports 161 and 162, which researchers cannot explain at the moment. The largest number of compromised devices, 1,628, is in Russia, followed by Iran (637), Brazil (615), India (594) and Ukraine (544). The researchers say that security outfits in the affected countries can contact them at netlab[at]360.cn for a full list of IPs.
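Whatever ports the attacker filters on, the behaviour a network defender can see is a router streaming TZSP to an address outside the local network. The following is an added detection sketch, not 360Netlab's or Bleeping Computer's tooling: it scans constructed flow records in a simple key=value form (not real router or collector output) and flags TZSP exports to non-RFC 1918 destinations, plus any flow to the sink address named in the report quoted above. TZSP receivers listen on UDP 37008 by default; every other value in the sample is made up.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

TZSP_PORT = 37008  # default UDP port for a TZSP receiver

# Destination quoted from the 360Netlab findings above; extend from their full list.
KNOWN_SINKS = {"37.1.207.114"}

# RFC 1918 ranges: a sniffer export to anything outside these deserves a look.
LOCAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed flow records (timestamp, then key=value pairs). Not real output.
SAMPLE_FLOWS = """\
2018-09-04T10:01:12Z src=192.168.88.1 dst=192.168.88.10 proto=udp dport=37008 bytes=120000
2018-09-04T10:01:13Z src=192.168.88.1 dst=37.1.207.114 proto=udp dport=37008 bytes=5400000
2018-09-04T10:01:14Z src=192.168.88.20 dst=93.184.216.34 proto=tcp dport=443 bytes=2000
2018-09-04T10:01:15Z src=192.168.88.1 dst=203.0.113.7 proto=udp dport=37008 bytes=310000
2018-09-04T10:01:16Z src=192.168.88.1 dst=203.0.113.7 proto=udp dport=514 bytes=800
"""


def parse_flow(line: str) -> Dict[str, str]:
    """Turn one 'ts k=v k=v ...' record into a dict; dport is kept as text."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the flow looks like a hijacked sniffer export."""
    if rec["dst"] in KNOWN_SINKS:
        return "traffic to a destination reported as a sniffer sink"
    if rec["proto"] == "udp" and int(rec["dport"]) == TZSP_PORT and not is_local(rec["dst"]):
        return "TZSP export to a non-RFC 1918 destination"
    return None


def find_sniffer_exports(text: str) -> List[Tuple[str, str, str]]:
    """Scan flow records and return (src, dst, reason) for each suspicious one."""
    alerts: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        reason = classify(rec)
        if reason is not None:
            alerts.append((rec["src"], rec["dst"], reason))
    return alerts


if __name__ == "__main__":
    for src, dst, why in find_sniffer_exports(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {why}")
```

The first record (TZSP to an internal collector) and the syslog-looking flow on port 514 are deliberately left unflagged so the rule stays tied to the reported behaviour: an export leaving the site, or any contact with a known sink. On a real deployment the same check belongs on the router itself, by confirming that the sniffer's streaming target is an address you operate.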

Bug

Intel Blocked Collaboration On Spectre/Meltdown Fixes, Says Linux Kernel Developer (eweek.com) 83

This week in Vancouver, Linux kernel developer Greg Kroah-Hartman criticized Intel's slow initial response to the Spectre and Meltdown bugs in a talk at the Open Source Summit North America. An anonymous reader quotes eWeek: Kroah-Hartman said that when Intel finally decided to tell Linux developers, the disclosure was siloed.... "Intel siloed SUSE, they siloed Red Hat, they siloed Canonical. They never told Oracle, and they wouldn't let us talk to each other." For an initial set of vulnerabilities, Kroah-Hartman said the different Linux vendors typically work together. However, in this case they ended up working on their own, and each came up with different solutions. "It really wasn't working, and a number of us kernel developers yelled at [Intel] and pleaded, and we finally got them to allow us to talk to each other the last week of December [2017]," he said. "All of our Christmas vacations were ruined. This was not good. Intel really messed up on this," Kroah-Hartman said...

"The majority of the world runs Debian or they run their own kernel," Kroah-Hartman said. "Debian was not allowed to be part of the disclosure, so the majority of the world was caught with their pants down, and that's not good." To Intel's credit, Kroah-Hartman said that after Linux kernel developers complained loudly to the company in December 2017 and into January 2018, it fixed its disclosure process for future Meltdown- and Spectre-related vulnerabilities... "Intel has gotten better at this," he said.

An interesting side effect of the Meltdown and Spectre vulnerabilities is that Linux and Windows developers are now working together, since both operating systems face similar risks from the CPU vulnerabilities. "Windows and Linux kernel developers now have this wonderful back channel. We're talking to each other and we're fixing bugs for each other," Kroah-Hartman said. "We are working well together. We have always wanted that."

Bug

How Do Spectre/Meltdown Fixes Affect The Linux Kernel? (phoronix.com) 29

"Using the newly minted Linux 4.19 feature code, fresh benchmarks were carried out looking at the performance cost of Spectre/Meltdown/Foreshadow mitigations on Intel Xeon v. AMD EPYC CPUs," writes an anonymous Slashdot reader: Workloads affected by these CPU vulnerabilities mainly deal with I/O and frequent kernel calls while CPU bound tests are still found to be minimally impacted. When toggling these mitigations on Linux 4.19, Intel Xeon CPUs were found to be 10~15% slower with the default kernel while AMD EPYC CPUs dropped to about 5% slower.
Bitcoin

John McAfee's 'Unhackable' Bitfi Wallet Got Hacked -- Again (techcrunch.com) 108

Earlier this month, computer programmer John McAfee released "the world's first un-hackable storage for cryptocurrency & digital assets" -- a $120 device, called the Bitfi wallet, that McAfee claimed contained no software or storage. McAfee was so sure of its security that he launched it with a bug bounty inviting researchers to try and hack the wallet in return for a $250,000 award. Lo and behold, a researcher by the name of Andrew Tierney managed to hack the wallet, but Bitfi declined to pay out, arguing that the hack was outside the scope of the bounty. TechCrunch is now reporting that Tierney has managed to hack the Bitfi wallet again. An anonymous reader shares the report: Security researchers have now developed a second attack, which they say can obtain all the stored funds from an unmodified Bitfi wallet. The Android-powered $120 wallet relies on a user-generated secret phrase and a "salt" value -- like a phone number -- to cryptographically scramble the secret phrase. The idea is that the two unique values ensure that your funds remain secure. But the researchers say that the secret phrase and salt can be extracted, allowing private keys to be generated and the funds stolen. Using this "cold boot attack," it's possible to steal funds even when a Bitfi wallet is switched off. Within an hour of the researchers posting the video, Bitfi said in a tweeted statement that it has "hired an experienced security manager, who is confirming vulnerabilities that have been identified by researchers."
