Programming

Eric Raymond Shares 'Code Archaeology' Tips, Urges Bug-Hunts in Ancient Code (itprotoday.com) 109

Open source guru Eric Raymond warned about the possibility of security bugs in critical code which can now date back more than two decades -- in a talk titled "Rescuing Ancient Code" at last week's SouthEast Linux Fest in North Carolina. In a new interview with ITPro Today, Raymond offered this advice on the increasingly important art of "code archaeology". "Apply code validators as much as you can," he said. "Static analysis, dynamic analysis, if you're working in Python use Pylons, because every bug you find with those tools is a bug that you're not going to have to bleed through your own eyeballs to find... It's a good thing when you have a legacy code base to occasionally unleash somebody on it with a decent sense of architecture and say, 'Here's some money and some time; refactor it until it's clean.' Looks like a waste of money until you run into major systemic problems later because the code base got too crufty. You want to head that off...."

"Documentation is important," he added, "applying all the validators you can is important, paying attention to architecture, paying attention to what's clean is important, because dirty code attracts defects. Code that's difficult to read, difficult to understand, that's where the bugs are going to come out of apparent nowhere and mug you."

For a final word of advice, Raymond suggested that it might be time to consider moving away from some legacy programming languages as well. "I've been a C programmer for 35 years and have written C++, though I don't like it very much," he said. "One of the things I think is happening right now is the dominance of that pair of languages is coming to an end. It's time to start looking beyond those languages for systems programming. The reason is we've reached a project scale, we've reached a typical volume of code, at which the defect rates from the kind of manual memory management that you have to do in those languages are simply unacceptable anymore... think it's time for working programmers and project managers to start thinking about, how about if we not do this in C and not incur those crazy downstream error rates."

Raymond says he prefers Go for his alternative to C, complaining that Rust has a high entry barrier, partly because "the Rust people have not gotten their act together about a standard library."
Microsoft

Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update (zdnet.com) 45

Microsoft has published a new draft document clarifying which security bugs will get a rapid fix and which it will let stew for a later release. From a report: The document outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update. Microsoft said in a blogpost the document is intended to offer researchers "better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them." The criteria revolve around two key questions: "Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?"; and, "Does the severity of the vulnerability meet the bar for servicing?" If the answer to both questions is 'yes', the bug will be patched in a security update, but if the answer to both is 'no', the vulnerability will be considered for the next version or release of the affected product or feature.
Bug

Bugs Allowed Hackers To Make Malware Look Like Apple Software (vice.com) 72

An anonymous reader shares a report: For years, hackers could hide malware alongside legitimate Apple code and sneak it past several popular third-party security products for Mac computers, according to new research. This is not a flaw in MacOS but an issue in how third-party security tools implemented Apple's APIs. A researcher from security firm Okta found that several security products for Mac -- including Little Snitch, xFence, and Facebook's OSquery -- could be tricked into believing malware was Apple code, and let it past their defenses. "I can take malicious code and make it look like it's signed by Apple," Josh Pitts, the security researcher at Okta who discovered these bugs, told Motherboard. In a blog post published Tuesday, Pitts explained that the issue lies with how the third-party security tools implemented Apple's code-signing APIs when dealing with Mac's executable files known as Universal or Fat files.
Facebook

Facebook Alerts 14M To Privacy Bug That Changed Status Composer To Public (techcrunch.com) 36

Facebook has landed itself in yet another self-inflicted privacy debacle. As many as 14 million Facebook users who thought they were posting items that only their friends or smaller groups could see may have been posting that content to the entire world, the company said Thursday. From a report: Facebook's Chief Privacy Officer Erin Egan wrote to TechCrunch in a statement: "We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts. We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time. To be clear, this bug did not impact anything people had posted before -- and they could still choose their audience just as they always have. We'd like to apologize for this mistake." The bug was active from May 18th to May 27th, with Facebook able to start rolling out a fix on May 22nd. It happened because Facebook was building a 'featured items' option on your profile that highlights photos and other content.
Security

Zip Slip Vulnerability Affects Thousands of Projects (theregister.co.uk) 127

Yhcrana writes: Considering the video in the story makes it pretty simple, this is not something I would like to have happen. Apparently it is a flaw in the libraries that are being used by Oracle, Apache, and others. The Register reports: "Booby-trapped archive files can exploit vulnerabilities in a swath of software to overwrite documents and data elsewhere on a computer's file system -- and potentially execute malicious code. Specifically, the flaw, dubbed "Zip Slip" by its discoverers at security outfit Snyk, is a path traversal flaw that can potentially be exploited to perform arbitrary code execution attacks. It affects .zip, .bz2, .tar, .xz, .war, .cpio, and .7z archives.

The bugs, according to Snyk, lie in code that unpacks compressed archives, hence the "Zip Slip" title. When software does not properly check and sanitize file names within the archive, attackers can set the destination path for an unpacked file to an existing folder or file elsewhere on a system. When that file is extracted, it will overwrite the existing data in that same path."
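The extraction bug described above, as an added example that is not code from Snyk or from any of the affected projects: a constructed in-memory zip carries a member named `../../evil.txt`; the naive join-and-write pattern lets it land two directories above the extraction root, while the checked extractor canonicalises every member path and refuses the whole archive before writing a single byte. The archive contents, the function names and the scratch-directory layout are all assumptions made for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archives (not from the Snyk advisory): one benign, one
# carrying a member whose name climbs out of the extraction directory.
BENIGN = {"good.txt": b"ok", "docs/readme.txt": b"hello"}
MALICIOUS = {"good.txt": b"ok", "../../evil.txt": b"pwned"}


def build_archive(entries):
    """Return the bytes of a zip holding {member_name: data}; names are stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_target(dest, name):
    """The vulnerable pattern: join the member name onto dest and trust the result."""
    return os.path.join(dest, name)


def escapes(dest, name):
    """True if the naive target for `name` resolves to a path outside dest."""
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(naive_target(dest_abs, name))
    return os.path.commonpath([dest_abs, target]) != dest_abs


def resolved_target(dest, name):
    """Resolve the final on-disk path and refuse anything not strictly under dest.

    realpath() collapses '..' segments and symlinked parents; commonpath()
    (rather than startswith) stops 'dest' from matching a sibling 'dest2/...'.
    An absolute member name such as '/etc/passwd' makes os.path.join discard
    dest entirely, so it is caught by the same comparison.
    """
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, name))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        raise ValueError(f"Zip Slip attempt: {name!r} resolves to {target}")
    return target


def is_rejected(dest, name):
    """Convenience predicate: does resolved_target() refuse this member name?"""
    try:
        resolved_target(dest, name)
    except ValueError:
        return True
    return False


def extract_checked(zip_bytes, dest):
    """Extract zip_bytes under dest, rejecting the whole archive on any bad member.

    Every member is validated before the first byte is written, so a malicious
    entry late in the archive cannot leave a half-extracted tree behind.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = [(info, resolved_target(dest, info.filename)) for info in zf.infolist()]
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo():
    """Run both archives through the checks in a scratch directory; returns the findings."""
    dest = os.path.realpath(tempfile.mkdtemp(prefix="zipslip-"))
    findings = {
        "naive_escapes": escapes(dest, "../../evil.txt"),
        "benign_escapes": escapes(dest, "good.txt"),
    }
    try:
        extract_checked(build_archive(MALICIOUS), dest)
        findings["malicious_rejected"] = False
    except ValueError:
        findings["malicious_rejected"] = True
    findings["written_after_reject"] = sorted(os.listdir(dest))
    paths = extract_checked(build_archive(BENIGN), dest)
    findings["benign_written"] = [os.path.relpath(p, dest) for p in paths]
    return findings


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Python's own `ZipFile.extractall` already strips leading `..` and absolute prefixes from member names, which is why the vulnerable pattern here is a hand-rolled join rather than the stdlib call; the affected libraries in the report did the equivalent of `naive_target` and wrote straight to it. Symlink members in tar archives are a second route to the same outcome and need the link target checked with the same `resolved_target` logic.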

Security

Valve Patches Security Bug That Existed in Steam Client for the Past Ten Years (bleepingcomputer.com) 77

Valve developers have recently patched a severe security flaw that affected all versions of the Steam gaming client released in the past ten years. From a report: According to Tom Court, a security researcher with Context Information Security, the one who discovered the flaw, the vulnerability would have allowed an attacker to execute malicious code on any of Steam's 15 million gaming clients. In the jargon of security researchers, this is a remote code execution (RCE) flaw because exploitation was possible via network requests, without needing access to the victim's computer. Court says an attacker was only required to send malformed UDP packets to a target's Steam client, which would have triggered the bug and allowed him to run malicious code on the target's PC.
Windows

Windows 10 Pro Is a Dead End For the Enterprise, Gartner Says (computerworld.com) 218

A prominent Gartner analyst argues that Windows 10 Pro is a dead end for enterprises, citing recent changes by Microsoft to the Windows 10 support schedule. "[We] predict that Microsoft will continue positioning Windows [10] Pro as a release that is not appropriate for enterprises by reducing [...] support and limiting access to enterprise management features," Stephen Kleynhans, a research vice president at Gartner and one of the research firm's resident Windows experts, said in a report he co-authored. Computerworld reports: Last year, the Redmond, Wash. developer announced a six-month support extension for Windows 10 1511, the November 2015 feature upgrade, "to help some early enterprise adopters that are still finishing their transition to Windows as a service." In February, Microsoft added versions 1609, 1703 and 1709 -- released in mid-2016, and in April and October of 2017, respectively -- to the extended support list, giving each 24 months of support, not the usual 18. There was a catch: Only Windows 10 Enterprise (and Windows 10 Education, a similar version for public and private school districts and universities) qualified for the extra six months of support. Users running Windows 10 Pro were still required to upgrade to a successor SKU (stock-keeping unit) within 18 months to continue receiving security patches and other bug fixes.

Another component of Microsoft's current Windows 10 support strategy, something the company has labeled "paid supplemental servicing," was also out of bounds for those running Windows 10 Pro. The extra support, which Microsoft will sell at an undisclosed price, is available only to Enterprise and Education customers. Paid supplemental servicing adds 12 months to the 18 months provided free of charge.

Bug

NPM Fails Worldwide With 'ERR! 418 I'm a Teapot' Error (bleepingcomputer.com) 124

Catalin Cimpanu, writing for BleepingComputer: Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of "ERR! 418 I'm a teapot" whenever they tried to update or install a new JavaScript/Node.js package. JavaScript developers from all over the world received the error, and not just in certain geographical regions. The bug did not affect all users, but only those behind a proxy server.
Transportation

5.3M Cars Recalled Because 'Drivers May Not Be Able to Turn Off Cruise Control' (freep.com) 152

An anonymous reader quotes the Associated Press: Fiat Chrysler is recalling more than 5.3 million vehicles in the U.S., Canada and elsewhere because in rare but terrifying circumstances, drivers may not be able to turn off the cruise control. The company is warning owners not to use cruise control until the cars, SUVs and trucks can be fixed with a software update. Fiat Chrysler says the condition can occur if the cruise control accelerates at the same time an electrical short-circuit happens. But the brakes are designed to overpower the engine and the vehicles could still be stopped...

In the complaint filed with the National Highway Traffic Safety Administration, an owner from Olathe, Kansas, said a 2017 Dodge Journey SUV rental vehicle was being driven about 70 miles per hour with the cruise control on when the windshield wipers came on by themselves and the throttle locked up. The owner, who was not identified in the agency's complaint database, wrote that the cruise control would not disengage by tapping the brakes or turning off the button. The driver was able to slam on the brakes and get the SUV to the side of the road. "It was still running at an engine speed to support 70 mph and fighting the brakes," the driver wrote. The engine stop button also wouldn't work, but the driver was able to halt the SUV and shift into park while the brakes "smoked significantly."

The recall "includes 15 Jeep, Dodge, Chrysler and Ram models from six model years" which have automatic transmissions and gas engines, according to the Associated Press -- 4.8 million in America, plus another 490,000 in Canada and "an undetermined number" in other countries.

You can check if your vehicle is affected by this (or any other) recall by entering its VIN at NHTSA.gov. U.S. safety officials suggest checking whether your vehicle has been recalled "at least twice per year."
Bug

Is Cockroach Milk the Ultimate Superfood? (globalnews.ca) 254

An anonymous reader quotes a report from Global News: It may not be everyone's cup of milk, but for years now, some researchers believe insect milk, like cockroach milk, could be the next big dairy alternative. A report in 2016 found Pacific Beetle cockroaches specifically created nutrient-filled milk crystals that could also benefit humans, the Hindustan Times reports. Others report producing cockroach milk isn't easy, either -- it takes 1,000 cockroaches to make 100 grams of milk, Inverse reports, and other options could include a cockroach milk pill. And although it has been two years since the study, some people are still hopeful. Insect milk, or entomilk, is already being used and consumed by Cape Town-based company Gourmet Grubb, IOL reports.

Jarrod Goldin, [president of Entomo Farms which launched in 2014], got interested in the insect market after the Food and Agriculture Organization of the United Nations in 2013 announced people around the world were consuming more than 1,900 insects. As his brothers were already farming insects for fishing and reptile use, Goldin thought it would be a smart business opportunity to focus on food. Goldin adds studies have shown cricket powder can be a high source of protein and B12. The PC version his company produces has 13 grams of protein per every 2 1/2 tbsps. Toronto-based registered dietitian Andy De Santis says for protein alternatives, insects are definitely in the playing field.
According to ScienceAlert, Diploptera punctata is the only known cockroach to give birth to live young and has been shown to pump out a type of "milk" containing protein crystals to feed its babies. "The fact that an insect produces milk is pretty fascinating -- but what fascinated researchers is the fact that a single one of these protein crystals contains more than three times the amount of energy found in an equivalent amount of buffalo milk (which is also higher in calories than regular cow's milk)."

Researchers are now working to replicate the crystals in the lab. They are working with yeast to produce the crystal in much larger quantities -- "making it slightly more efficient than extracting crystals from cockroach's guts," reports ScienceAlert.
Bug

T-Mobile Bug Let Anyone See Any Customer's Account Details (zdnet.com) 40

An anonymous reader writes: A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number, ZDNet reported Thursday. The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com, which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address.

Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone. The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.

Bug

Comcast Website Bug Leaks Xfinity Customer Data (zdnet.com) 43

An anonymous reader quotes a report from ZDNet: A bug in Comcast's website used to activate Xfinity routers can return sensitive information on the company's customers. The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password. Two security researchers, Karan Saini and Ryan Stevenson, discovered the bug. Only a customer account ID and that customer's house or apartment number are needed -- even though the web form asks for a full address.

ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code -- which both customers confirmed. The site returned the Wi-Fi name and password -- in plaintext -- used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router -- and the site didn't return the Wi-Fi network name or password.
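The T-Mobile and Comcast bugs above are the same failure seen twice: a lookup endpoint keyed on something public or guessable (a phone number; an account ID plus a house number) with nothing that binds the caller to the record. The following is an added example, not code from either company, contrasting that pattern with a lookup that authenticates the caller, authorises them for the specific account, minimises what a support role gets back, and audits the access. The customer records, tokens, role names and helper functions are all constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data; the fields mirror what the reports say the endpoints
# returned (name, address, billing account number, tax ID, Wi-Fi credentials).
CUSTOMERS = {
    "5551230001": {"name": "A. Example", "address": "12 Sample St", "account": "900100",
                   "tax_id": "123-45-6789", "wifi_psk": "hunter2-home"},
    "5551230002": {"name": "B. Example", "address": "34 Sample Ave", "account": "900101",
                   "tax_id": "987-65-4321", "wifi_psk": "correct-horse"},
}


class AuthError(Exception):
    """Caller has no usable identity or a role that is not allowed here."""


@dataclass
class Session:
    principal: str                           # who logged in
    role: str                                # "customer" or "support"
    owns: set = field(default_factory=set)   # phone numbers this customer may view


SESSIONS = {}   # bearer token -> Session
AUDIT = []      # one line per sensitive lookup


def login(principal, role, owns=()):
    """Issue an unguessable bearer token; in production this sits behind SSO and MFA."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(principal, role, set(owns))
    return token


def vulnerable_lookup(phone):
    """The T-Mobile pattern as reported: identifier in, full record out, no caller identity."""
    return CUSTOMERS[phone]


def knowledge_check_lookup(account, house_number):
    """The Comcast pattern as reported: a low-entropy 'secret' stands in for authentication."""
    for record in CUSTOMERS.values():
        if record["account"] == account and record["address"].split()[0] == house_number:
            return record
    raise KeyError("no match")


def brute_force_house_number(account, limit=10000):
    """Show how little the house number protects: walk 1..limit and count attempts."""
    for attempt, n in enumerate(range(1, limit + 1), start=1):
        try:
            return knowledge_check_lookup(account, str(n)), attempt
        except KeyError:
            continue
    return None, limit


def hardened_lookup(token, phone):
    """Authenticate the caller, authorise them for this record, minimise and audit."""
    session = SESSIONS.get(token)
    if session is None:
        raise AuthError("no valid session")
    if session.role not in ("customer", "support"):
        raise AuthError("role not permitted")
    record = CUSTOMERS.get(phone)
    if record is None or (session.role == "customer" and phone not in session.owns):
        # Same response for 'not yours' and 'does not exist', so a customer
        # cannot use the endpoint to enumerate other subscribers.
        raise KeyError("unknown subscriber")
    view = dict(record)
    if session.role == "support":
        # Care staff need billing context, not the raw tax ID or the Wi-Fi secret.
        view["tax_id"] = "***-**-" + record["tax_id"][-4:]
        view.pop("wifi_psk")
    AUDIT.append(f"{session.principal} ({session.role}) viewed {phone}")
    return view


def lookup_outcome(token, phone):
    """Wrap hardened_lookup so callers get a status tuple instead of an exception."""
    try:
        return "ok", hardened_lookup(token, phone)
    except AuthError as exc:
        return "unauthenticated", str(exc)
    except KeyError as exc:
        return "not_found", str(exc)


if __name__ == "__main__":
    print("no auth:", vulnerable_lookup("5551230001")["tax_id"])
    print("house number guessed in", brute_force_house_number("900100")[1], "tries")
    staff = login("carol", "support")
    print("support view:", lookup_outcome(staff, "5551230002"))
    print("audit:", AUDIT)
```

The two checks that matter are independent: a valid session answers "who is calling", and the ownership or role test answers "may this caller see this record". The reported bugs had neither; a fix that only adds the first still leaves any logged-in customer able to read every other account.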

Software

Popular 'Gboard' Keyboard App Has Had a Broken Spell Checker For Months 54

The popular Gboard keyboard app for iOS and Android devices has a fundamental flaw. According to Reddit user SurroundedByMachines, the red underline has stopped appearing for incorrectly spelled words since November of last year -- and it doesn't appear to be limited to any one device. Issues with the spell checker have been reported on multiple devices across Android and iOS. A simple Google search brings up several different threads where people have reported issues with the feature.

What's more, nobody at Google seems to have gotten the memo. The Reddit user who first brought this to our attention filed several bug reports, left a review, and joined the beta channel to leave feedback there, yet no response was given. "Many people have been having the issue, and it's even been escalated to the community manager," writes SurroundedByMachines. Since the app has over 500 million downloads on the Play Store alone, this issue could be frustrating a lot of users, especially those who use their phones to send work emails or write documents. Have you noticed Gboard's broken spell checker on your device? If so, you may want to look into another third-party keyboard, such as SwiftKey or Cheetah Keyboard.
Privacy

FCC Investigating LocationSmart Over Phone-Tracking Flaw (cnet.com) 19

The FCC has opened an investigation into LocationSmart, a company that buys real-time location data from four of the largest U.S. carriers. The investigation comes a day after a security researcher from Carnegie Mellon University exposed a vulnerability on LocationSmart's website. CNET reports: The bug has prompted an investigation from the FCC, the agency said on Friday. An FCC spokesman said LocationSmart's case was being handled by its Enforcement Bureau. After The New York Times revealed last week that Securus, an inmate call tracking service, had offered the same tracking service, Sen. Ron Wyden, a Democrat from Oregon, called for the FCC and major wireless carriers to investigate these companies. On Friday, Wyden praised the investigation, but asked the FCC to expand its look beyond LocationSmart.

"The negligent attitude toward Americans' security and privacy by wireless carriers and intermediaries puts every American at risk," Wyden said. "I urge the FCC to expand the scope of this investigation, and to more broadly probe the practice of third parties buying real-time location data on Americans." He is also calling for FCC Chairman Ajit Pai to recuse himself from the investigation, because Pai was a former attorney for Securus.

Security

A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim (zdnet.com) 47

Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug report, filed anonymously to a public security disclosure list, detailed how anyone controlling Keeper's API server could gain access to the decryption key to a user's vault of passwords and other sensitive information; the company confirmed the bug and has since fixed it. The researcher found the issue in the company's Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems.

According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.

Education

Scottish Students Used Spellchecker Glitch To Cheat In Literacy Test (bbc.com) 167

Thelasko shares a report from the BBC: Schools are to be given advice on how to disable a glitch that allows pupils sitting online spelling tests to right-click their mouse and find the answer. It follows the discovery by teachers that children familiar with traditional computer spellcheckers were simply applying it to the tests. The Scottish National Standardized Assessments were introduced to assess progress in four different age groups. A spokesman said the issue was not with the Scottish National Standardized Assessments (SNSA) but with browser or device settings on some machines.

Introduced in 2017, the spelling test asks children to identify misspelt words. However, on some school computers the words were highlighted with a red line. Pupils who right-clicked on the words were then able to access the correct spelling. The web-based SNSA tool enables teachers to administer online literacy and numeracy tests for pupils in P1, P4, P7 and S3, which are marked and scored automatically. Advice is being given to schools about how to disable the spellchecking function.

Privacy

Cell Phone Tracking Firm Exposed Millions of Americans' Real-time Locations (zdnet.com) 39

Earlier this week, ZDNet shed some light on a company called LocationSmart that buys real-time location data from four of the largest U.S. carriers. The story blew up because a former police sheriff snooped on phone location data without a warrant, according to The New York Times. ZDNet is now reporting that the company "had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent." An anonymous reader shares an excerpt: "Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here." The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon. Xiao said the bug may have exposed nearly every cell phone customer in the U.S. and Canada, some 200 million customers.

The researcher said he started looking at LocationSmart's website following ZDNet's report this week, which followed from a story from The New York Times, which revealed how a former police sheriff snooped on phone location data without a warrant. The sheriff has pleaded not guilty to charges of unlawful surveillance. Xiao said one of the APIs used in the "try" page, which lets users try the location feature out, was not validating the consent response properly. He said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent. "It's a surprisingly simple bug," he said.

Google

Google Fixes Issue That Broke Millions of Web-Based Games in Chrome (bleepingcomputer.com) 37

Google this week rolled out an update to Chrome to patch a bug that had rendered millions of web-based games useless. From a report: The bug was introduced in mid-April when Google launched Chrome 66. One of this release's features was its ability to block web pages with auto-playing audio. [...] Not all games were affected the same. For some HTML5 games, users could re-enable audio by interacting with the game's canvas via a click-to-play interaction. Unfortunately, older games and those that weren't coded with such policy remained irrevocably broken, no matter what Chrome options users tried to modify in their settings sections. [...] With today's release of Chrome for Desktop v66.0.3359.181, Google has now fixed this issue, but only temporarily. John Pallett, a product manager at Google, admitted that Google "didn't do a good job of communicating the impact of the new autoplay policy to developers using the Web Audio API." He said, for this reason, the current version of Chrome, v66, will no longer automatically mute Web Audio objects.
Robotics

Researchers Create First Flying Wireless Robotic Insect (newatlas.com) 64

An anonymous reader quotes a report from New Atlas: You might remember RoboBee, an insect-sized robot that flies by flapping its wings. Unfortunately, though, it has to be hard-wired to a power source. Well, one of RoboBee's creators has now helped develop RoboFly, which flies without a tether. Slightly heavier than a toothpick, RoboFly was designed by a team at the University of Washington -- one member of that team, assistant professor Sawyer Fuller, was also part of the Harvard University team that first created RoboBee. That flying robot receives its power via a wire attached to an external power source, as an onboard battery would simply be too heavy to allow the tiny craft to fly. Instead of a wire or a battery, RoboFly is powered by a laser. That laser shines on a photovoltaic cell, which is mounted on top of the robot. On its own, that cell converts the laser light to just seven volts of electricity, so a built-in circuit boosts that to the 240 volts needed to flap the wings. That circuit also contains a microcontroller, which tells the robot when and how to flap its wings -- on RoboBee, that sort of "thinking" is handled via a tether-linked external controller. The robot can be seen in action here.
Security

Malware Found In the Ubuntu Snap Store (linuxuprising.com) 90

An anonymous reader quotes a report from Linux Uprising: Oh, snap! Just because some packages are available to install directly from the Ubuntu Software Center doesn't make them safe. This is proved by a recent discovery of malware in some snap packages from the Ubuntu Snaps Store.

At least two of the snap packages, 2048buntu and hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, "pending further investigations." The report stems from a bug report noting that the 2048buntu snap package (and other packages by Nicolas Tomb) contains a hidden cryptocurrency miner.
