Open Source

NetBSD 8.0 Released (netbsd.org) 215

Slashdot reader fisted quotes NetBSD.org: The NetBSD Project is pleased to announce NetBSD 8.0, the sixteenth major release of the NetBSD operating system.

This release brings stability improvements, hundreds of bug fixes, and many new features. Some highlights of the NetBSD 8.0 release are:

— USB stack rework, USB3 support added.
— In-kernel audio mixer (audio_system(9)).
— Reproducible builds
— PaX MPROTECT (W^X) memory protection enforced by default
— PaX ASLR enabled by default
— Position independent executables by default
[...]

NetBSD is free. All of the code is under non-restrictive licenses, and may be used without paying royalties to anyone.

Open Source

Interviews: Christine Peterson Answers Your Questions 79

You asked questions, we've got the answers!

Christine Peterson is a long-time futurist who co-founded the nanotech advocacy group the Foresight Institute in 1986. One of her favorite tasks has been contacting the winners of the institute's annual Feynman Prize in Nanotechnology, but she also coined the term "Open Source software" for that famous promotion strategy meeting in 1998.

Christine took some time to answer questions from Slashdot readers.
Security

New Spectre 1.1 and Spectre 1.2 CPU Flaws Disclosed (bleepingcomputer.com) 109

Two security researchers have revealed details about two new Spectre-class vulnerabilities, which they've named Spectre 1.1 and Spectre 1.2. From a report: Just like all the previous Meltdown and Spectre CPU bug variations, these two take advantage of the process of speculative execution -- a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data. According to researchers, a Spectre 1.1 attack uses speculative execution to deliver code that overflows CPU store cache buffers in order to write and run malicious code that retrieves data from previously-secured CPU memory sections. Spectre 1.1 is very similar to the Spectre variant 1 and 4, but the two researchers who discovered the bug say that "currently, no effective static analysis or compiler instrumentation is available to generically detect or mitigate Spectre 1.1." As for Spectre 1.2, researchers say this bug can be exploited to write to CPU memory sectors that are normally protected by read-only flags.
China

Chinese Mobile Phone Cameras Are Not-So-Secretly Recording Users' Activities (globalvoices.org) 91

Oiwan Lam, reporting for Global Voices: It has been widely reported that software and web applications made in China are often built with a "backdoor" feature, allowing the manufacturer or the government to monitor and collect data from the user's device. But how exactly does the backdoor feature work? Recent discussion among mobile phone users in mainland China has shed some light on the question.

Last month, users of Vivo NEX, a Chinese Android phone, found that when they opened certain applications on the phone, including Chinese internet giant QQ browser and travel booking app Ctrip, the mobile device's camera would self-activate. [...] One Weibo user observed that the retractable camera self-activates whenever he opens a new chat on Telegram, a messaging application designed for secured and encrypted communication.

[...] After the news of the self-activated camera bug spread, users started testing the issue on other applications and found that Baidu's voice input application has access to both the camera and voice recording function, which can be launched without users' authorization. A Vivo NEX user found that once she had installed Baidu's voice input system, it would activate the phone's camera and sound recording function whenever the user opened any application -- including chat apps, browsers -- that allows the user to input text.

The Almighty Buck

PayPal Told Customer Her Death Breached Its Rules (bbc.com) 241

dryriver shares a report from the BBC: PayPal wrote to a woman who had died of cancer saying her death had breached its rules and that it might take legal action as a consequence. The firm has since acknowledged that the letter was "insensitive," apologized to her widower, and begun an inquiry into how it came to be sent.

Lindsay Durdle died on May 31 aged 37. She had been first diagnosed with breast cancer about a year-and-a-half earlier. The disease had later spread to her lungs and brain. PayPal was informed of Mrs Durdle's death three weeks ago by her husband Howard Durdle. He provided the online payments service with copies of her death certificate, her will and his ID, as requested. He has now received a letter addressed in her name, sent to his home in Bucklebury, West Berkshire. It was headlined: "Important: You should read this notice carefully." It said that Mrs Durdle owed the company about 3,200 pounds (~$4,200) and went on to say: "You are in breach of condition 15.4(c) of your agreement with PayPal Credit as we have received notice that you are deceased... this breach is not capable of remedy."
According to a PayPal staff member, there were three possible explanations for how the letter was sent: a bug, a bad letter template, or human error. PayPal is continuing to work with Mr Durdle and has written off the debt in the meantime.
Bug

Apple's China-Friendly Censorship Caused An iPhone-Crashing Bug (wired.com) 78

Security researcher Patrick Wardle helped Apple fix a bug that would crash apps displaying the word "Taiwan" or the Taiwanese flag emoji. Some iPhones could be remotely crashed by something as simple as receiving a text message with the Taiwanese flag. Apple confirmed the fix in a security update Monday. Wired reports: "Basically Apple added some code to iOS with the goal that phones in China wouldn't display a Taiwanese flag," Wardle says, "and there was a bug in that code." Since at least early 2017, iOS has included that Chinese censorship function: Switch your iPhone's location setting to China, and the Taiwanese flag emoji essentially disappears from your phone, evaporating from its library of emojis and appearing as a "missing" emoji in any text that appears on the screen. That code likely represents a favor from Apple to the Chinese government, which for the last 70 years has maintained that Taiwan is a part of China and has no legitimate independent government.

But Wardle found that in some edge cases, a bug in the Taiwan-censorship code meant that instead of treating the Taiwan emoji as missing from the phone's library, it instead considered it an invalid input. That caused phones to crash altogether, resulting in what hackers call a "denial of service" attack that would let anyone crash a vulnerable device on command. Wardle's still not sure how many devices are affected, or what caused that bug to be triggered only in some iOS devices and not others, but he believes it has something to do with the phone's location and language settings.
Wardle has more details of the bug on his blog.
IOS

Is iOS 11.4 Draining Your iPhone's Battery? You're Not Alone (zdnet.com) 148

If you've noticed that the battery life on your iPhone is not what it used to be, it's likely that the problem isn't with your iPhone or some setting or app, but a bug in iOS 11.4. From a report: Apple's support forum has been blowing up with complaints from users that battery life has been seriously curtailed since installing iOS 11.4. The problem seems to be reasonably widespread and affects the iPhone lineup across the board. I've seen this issue on the iPhones that I use. It seems to be accompanied by the device running unusually hot.
Firefox

Firefox and the 4-Year Battle To Have Google To Treat It as a First-Class Citizen (zdnet.com) 319

Web monoculture is well and truly alive when Google cannot be bothered to make a full-featured cross-browser mobile search page. From a report: It has been over five years since Firefox really turned a corner and started to morph from its bloated memory-munching ways into the lightning-quick browser it is today. Buried in Mozilla's issue tracker is a bug that kicked off in February 2014, and is yet to be resolved: Have Google treat Firefox for Android as a first-class citizen and serve up comparable content to what the search giant hands Chrome and Safari. After years of requests, meetings, and to and fro, it has hit a point where the developers of Firefox are experimenting by manipulating the user agent string in its nightly development builds to trick Google into thinking that Firefox Mobile is a Chrome browser. Not only does Google's search page degrade for Firefox on Android, but some new properties like Google Flights have occasionally taken to outright blocking of the browser.
Bug

Critical Bug Last Year Allowed Bypassing Authentication On HPE ILO4 Servers With 29 'A' Characters (bleepingcomputer.com) 59

Public exploit code has been published for a severe vulnerability which last year affected Hewlett Packard Integrated Lights-Out 4 (HP iLO 4), a tool for remotely managing the company's servers.

HPE "silently released" patches last August, an anonymous reader reports, adding "details only emerged this spring after researchers started presenting their work at security conferences." The vulnerability is an authentication bypass that allows attackers access to HP iLO consoles. Researchers say this access can later be used to extract cleartext passwords, execute malicious code, and even replace iLO firmware. But besides being a remotely exploitable flaw, this vulnerability is also as easy as it gets when it comes to exploitation, requiring a cURL request and 29 letter "A" characters, as below:

curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Because of its simplicity and remote exploitation factor, the vulnerability — tracked as CVE-2017-12542 — received a severity score of 9.8 out of 10.

Bug

Valve Shuts Down New Way of Estimating Game Sales On Steam (arstechnica.com) 41

A recently discovered hole in Valve's API allowed observers to generate extremely precise and publicly accessible data for the total number of players for thousands of Steam games. While Valve has now closed this inadvertent data leak, Ars can still provide the data it revealed as a historical record of the aggregate popularity of a large portion of the Steam library. From the report: The new data derivation method, as ably explained in a Medium post from The End Is Nigh developer Tyler Glaiel, centers on the percentage of players who have accomplished developer-defined Achievements associated with many games on the service. On the Steam web site, that data appears rounded to two decimal places. In the Steam API, however, the Achievement percentages were, until recently, provided to an extremely precise 16 decimal places.

This added precision means that many Achievement percentages can only be factored into specific whole numbers. (This is useful since each game's player count must be a whole number.) With multiple Achievements to check against, it's possible to find a common denominator that works for all the percentages with high reliability. This process allows for extremely accurate reverse engineering of the denominator representing the total player base for an Achievement percentage. As Glaiel points out, for instance, an Achievement earned by 0.012782207690179348 percent of players on his game translates precisely to 8 players out of 62,587 without any rounding necessary (once some vagaries of floating point representation are ironed out).
Ars has shared the Achievement-derived player numbers in their report; there's also a handy CSV file. Some of the titles with the most total unique players include Team Fortress 2 (50,191,347 player estimate), Counter-Strike: Global Offensive (46,305,966 player estimate), PLAYERUNKNOWN'S BATTLEGROUNDS (36,604,134 player estimate), Unturned (27,381,399 player estimate), and Left 4 Dead 2 (23,143,723 player estimate).
Chrome

Firefox and Chrome Pull Popular Browser Extension Stylish From Their Stores After Report Claimed It Logs and Shares Browsing History, Credentials 68

sombragris writes: Stylish, a popular extension available for Chrome and Firefox which allows for easy customization of any website, now phones home and shares its users' browser history with its corporate parent, according to blogger Robert Heaton. This prompted Firefox to ban the extension from its addons site and prompt all users to disable it. The discussion can be seen in the relevant bug report. In Heaton's words:

Stylish is no longer a well-meaning product with your best interests at heart. If you use and like Stylish, please uninstall it and switch to an alternative like Stylus, an offshoot from the good old version of Stylish that works in much the same way, minus the spyware.

Google too has pulled the extension from its extension store. This is not the first time Stylish is at the centre of a privacy debacle.

Chrome

Download Bomb Trick Returns in Chrome -- Also Affects Firefox, Opera, Vivaldi and Brave (bleepingcomputer.com) 78

Catalin Cimpanu, writing for BleepingComputer: The release of Google Chrome 67 has reopened a "download bomb" bug that was exploited by tech support scammers last winter, and which had been fixed with the release of Chrome 65 in March 2018. Furthermore, the issue also appears to affect other browsers as well, such as Firefox, Vivaldi, Opera, and Brave, according to tests carried out by Bleeping Computer. The "download bomb" trick is a technique that involves initiating hundreds or thousands of downloads to freeze a browser on a specific page. Across the years, there have been multiple variations of download bombs, and they have often been used by tech support scammers to trap users on shady sites that tried to lure victims into calling a tech support number to have their browser unlocked. Over the winter, security researchers from Malwarebytes noticed a tech support scam campaign that employed a new "download bomb" technique to trap users on its shady sites.
Privacy

Samsung Phones Are Spontaneously Texting Users' Photos To Random Contacts Without Their Permission (theverge.com) 111

Some Samsung smartphones are randomly sending pictures from the device to a user's contacts without explicit permission, according to users and media outlets. From a report: Users are complaining about the issue on Reddit and the company's official forums. One user says his phone sent all his photos to his girlfriend. The messages are being sent through Samsung's default texting app Samsung Messages, and the photos are being sent as SMS messages. According to reports, the Messages app does not even show users that files have been sent; many just find out after they get a response from the recipient of the random photos sent to them. Samsung told the news outlet it was aware of the issue and was looking into it.
Facebook

Facebook Apologizes For Bug That Unblocked 800,000 People (gizmodo.com) 66

An anonymous reader quotes a report from Gizmodo: Facebook disclosed a new "bug" on Monday that temporarily let some users who'd been blocked on the service send messages to the people who had blocked them. The bug also let some previously-blocked users view posts that were shared "to a wider audience," such as publicly or with friends of friends, Facebook said. Facebook's privacy boss Erin Egan apologized for the error, writing in a blog that the company is reaching out to "over 800,000" users about the screw-up. The "blocking bug" was active between May 29 and June 5, for eight days, though the company now says Messenger should be acting normally. According to Egan's post: "[the bug] did not reinstate any friend connections that had been severed; 83% of people affected by the bug had only one person they had blocked temporarily unblocked; and someone who was unblocked might have been able to contact people on Messenger who had blocked them."
Microsoft

ComputerWorld Says Newest Windows 10 'Isn't Ready for Prime Time' (computerworld.com) 200

"Despite Microsoft's assurances, Windows 10 1803 isn't ready for prime time," writes ComputerWorld's Woody Leonhard, adding "Microsoft's patches in June took on some unexpected twists..." Win10 1803 was declared fully fit for business, a pronouncement that was followed weeks later by fixes for a few glaring, acknowledged bugs -- and stony silence for other known problems. We're continuing the two-big-cumulative-updates-a-month pace for all supported versions of Windows 10. The second cumulative update frequently fixes bugs introduced by the first cumulative update. Microsoft may think that Win10 (1803) is ready for widespread deployment, but there are a few folks who would take issue with that stance...

Tuesday, Microsoft finally released a fix for two big bugs that have dogged Win10 1803 since its inception... In practice, life isn't so simple. WSUS (the Windows Update Server software) isn't "seeing" KB 4284848, as of late Wednesday afternoon -- which may be a good thing. Along with the second cumulative update this month, there are additional releases to fix the Servicing Stack, and a new "Compatibility update" that, per the documentation, is designed to make it easier to upgrade Win10 1803 Enterprise to Win10 1803 Enterprise (not a typo)...

One problem that has been acknowledged -- but only by a Microsoft Agent on an Answers Forum post -- says that installing 1803 can clobber your peer-to-peer network. That certainly matches my experience.

Woody concludes, "If you think Win10 1803 is ready for prime time, you're welcome to give it a try."
Medicine

Making Medical Clothing That Kills Bugs (economist.com) 49

Many doctors now are likely to wear everyday clothes, or blue or green "scrubs", which are said to reduce eye strain in brightly-lit operating theatres. White coats are reckoned to be capable of spreading diseases as easily as clothing of any other colour, especially when long sleeves brush against multiple surfaces. Many clinics and hospitals now have a "bare below the elbows" policy for staff, whether in uniform or their own clothes. This is also supposed to encourage more thorough handwashing. What, though, if the clothes worn by medical staff could actively help prevent bugs being passed around? From a report: Some metals, such as gold and silver, have natural antibacterial properties and are used to coat certain solid items, such as medical implants. But putting metallic coatings onto stretchy and foldable fabrics is tricky, and those coatings can quickly be swept away in a washing machine. What is needed, reckons Liu Xuqing of the University of Manchester, in England, is a way to make antibacterial coatings for fabrics that, quite literally, hold tight.

Instead of gold or silver, Dr Liu's metal of choice is copper. This exhibits the same bug-killing properties but has the benefit of being an awful lot cheaper than those two precious metals, making a commercial coating process easier to devise. Working with colleagues from two Chinese institutions, Northwest Minzu University in Lanzhou and Southwest University in Chongqing, Dr Liu has been treating samples of fabric with a chemical process that grafts what is called a "polymer brush" onto their surfaces. As the name suggests, when viewed at a resolution of a few nanometres (billionths of a metre) through an electron microscope, the polymer strands look like tiny protruding bristles. That done they use a second chemical procedure to coat the bristles with a catalyst.

After this, they immerse the fabric in a copper-containing solution from which the catalyst causes the metal to precipitate and form tiny particles that anchor themselves to the polymer brush. Indeed, they bond so tightly that Dr Liu compares the resulting coating to reinforced concrete. Yet the process takes place at such a minute scale on the surface of the fabric that it should not affect the feel or quality of the finished material.

Android

Every Android Device Launched Since 2012 Impacted By RAMpage Vulnerability (bleepingcomputer.com) 83

Almost all Android devices released since 2012 are vulnerable to the RAMpage bug, an international team of academics has revealed today. From a report: The vulnerability, tracked as CVE-2018-9442, is a variation of the Rowhammer attack. Rowhammer is a hardware bug in modern memory cards. A few years back researchers discovered that when someone would send repeated write/read requests to the same row of memory cells, the write/read operations would create an electrical field that would alter data stored on nearby memory. In the following years, researchers discovered that Rowhammer-like attacks affected personal computers, virtual machines, and Android devices. Through further research, they also found they could execute Rowhammer attacks via JavaScript code, GPU cards, and network packets.
Security

OpenBSD Chief De Raadt Says No Easy Fix For New Intel CPU Bug 'TLBleed' (itwire.com) 123

Recompiling is unlikely to be a catch-all solution for a recently unveiled Intel CPU vulnerability known as TLBleed, the details of which were leaked on Friday, the head of the OpenBSD project Theo de Raadt says. iTWire reports: The details of TLBleed, which gets its name from the fact that the flaw targets the translation lookaside buffer, a CPU cache, were leaked to the British tech site, The Register; the side-channel vulnerability can be theoretically exploited to extract encryption keys and private information from programs. Former NSA hacker Jake Williams said on Twitter that a fix would probably need changes to the core operating system and were likely to involve "a ton of work to mitigate (mostly app recompile)." But de Raadt was not so sanguine. "There are people saying you can change the kernel's process scheduler," he told iTWire on Monday. "(It's) not so easy."

He said that Williams was lacking all the details and not thinking it through. "They actually have sufficient detail to think it through: the article says the TLB is shared between hyperthreading CPUs, and it is unsafe to share between two different contexts. Basically you can measure evictions against your own mappings, which indicates the other process is touching memory (you can determine the aliasing factors)."
De Raadt said he was still not prepared to say more, saying: "Please wait for the paper [which is due in August]."
The Courts

Bethesda Sues Warner Bros, Calls Its Westworld Game 'Blatant Rip-Off' of Fallout Shelter (polygon.com) 109

Bethesda, the video game publisher behind Fallout and The Elder Scrolls, is suing Warner Bros. and Fallout Shelter co-developer Behaviour Interactive over the recently released Westworld, alleging that the mobile game based on HBO's TV series is a "blatant rip-off" of Fallout Shelter. Polygon reports: In a suit filed in a Maryland U.S. District Court, Bethesda alleges that Westworld -- developed by Behaviour and released this week for Android and iOS -- "has the same or highly similar game design, art style, animations, features and other gameplay elements" as Fallout Shelter. Fallout Shelter was originally released in 2015 for mobile devices. The game was later ported to Nintendo Switch, PlayStation 4, Windows PC and Xbox One.

Bethesda said in its suit that Behaviour uses "the same copyrighted computer code created for Fallout Shelter in Westworld," alleging that a bug evident in an early version of Fallout Shelter (which was later fixed) also appears in Westworld. Bethesda alleges the companies "copied Fallout Shelter's features and then made cosmetic modifications for Westworld's 'western' theme."

Open Source

Why OpenStreetMap Should Be a Priority for the Open Source Community (linuxjournal.com) 122

"Despite its low profile, OpenStreetMap is arguably one of the most important projects for the future of free software," argues Glyn Moody, author of Rebel Code: Linux And The Open Source Revolution, in a new Linux Journal article shared by long-time Slashdot reader carlie: The rise of mobile phones as the primary computing device for billions of people, especially in developing economies, lends a new importance to location and movement. Many internet services now offer additional features based on where users are, where they are going and their relative position to other members of social networks. Self-driving cars and drones are two rapidly evolving hardware areas where accurate geographical information is crucial. All of those things depend upon a map in critical ways, and they require large, detailed datasets. OpenStreetMap is the only truly global open alternative to better-known, and much better-funded geodata holdings, such as Google Maps.

The current dominance of the latter is a serious problem for free software -- and freedom itself. The data that lies behind Google Maps is proprietary. Thus, any open-source program that uses Google Maps or other commercial mapping services is effectively including proprietary elements in its code. For purists, that is unacceptable in itself. But even for those with a more pragmatic viewpoint, it means that open source is dependent on a company for data that can be restricted or withdrawn at any moment....

Although undoubtedly difficult, creating high-quality map-based services is a challenge that must be tackled by the Open Source community if it wants to remain relevant in a world dominated by mobile computing. The bad news is that at the moment, millions of people are happily sending crucial geodata to proprietary services like Waze, as well as providing free bug-fixes for Google Maps. Far better if they could be working with equal enthusiasm and enjoyment on open projects, since the resulting datasets would be freely available to all, not turned into corporate property. The good news is that OpenStreetMap provides exactly the right foundation for creating those open map-based services, which is why supporting it must become a priority for the Open Source world.
