Google

The Breach That Killed Google+ Wasn't a Breach At All (theverge.com) 75

An anonymous reader quotes a report from The Verge: For months, Google has been trying to stay out of the way of the growing tech backlash, but yesterday, the dam finally broke with news of a bug in the rarely used Google+ network that exposed private information for as many as 500,000 users. Google found and fixed the bug back in March, around the same time the Cambridge Analytica story was heating up in earnest. [...] The vulnerability itself seems to have been relatively small in scope. The heart of the problem was a specific developer API that could be used to see non-public information. But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way.

The bigger problem for Google isn't the crime, but the cover-up. The vulnerability was fixed in March, but Google didn't come clean until seven months later when The Wall Street Journal got hold of some of the memos discussing the bug. [...] Part of the disconnect comes from the fact that, legally, Google is in the clear. There are lots of laws about reporting breaches -- primarily the GDPR but also a string of state-level bills -- but by that standard, what happened to Google+ wasn't technically a breach. Those laws are concerned with unauthorized access to user information, codifying the basic idea that if someone steals your credit card or phone number, you have a right to know about it. But Google just found that data was available to developers, not that any data was actually taken. With no clear data stolen, Google had no legal reporting requirements. As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.

Privacy

WhatsApp Fixes Bug That Let Hackers Take Over App When Answering a Video Call (zdnet.com) 11

WhatsApp developers have fixed a bug in the Android and iOS versions of the WhatsApp mobile app that allowed hackers to take over the application when users answered an incoming video call. From a report: Natalie Silvanovich, a security researcher with Google's Project Zero security research team, discovered the WhatsApp vulnerability at the end of August. She described the vulnerability as a "memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation." "Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet," Silvanovich said in a bug report. "This issue can occur when a WhatsApp user accepts a call from a malicious peer." It is unclear how popular the video feature is on WhatsApp, which is used by more than 1.2 billion users. But in July, the company said users were spending over two billion minutes on calls (including voice) each day.
Windows

Microsoft Rereleases Windows 10 October 2018 Update, Fixes Data Deletion Bug (theverge.com) 79

An anonymous reader quotes a report from The Verge: Microsoft is re-releasing its Windows 10 October 2018 Update today, following the company pulling it offline due to data deletion issues over the weekend. The software giant says there were only a few reports of data loss, at a rate of one one-hundredth of one percent. "We have fully investigated all reports of data loss, identified and fixed all known issues in the update, and conducted internal validation," says Microsoft's John Cable, director of program management for Windows Servicing and Delivery. Microsoft is now re-releasing the Windows 10 October 2018 Update to Windows Insiders, before rolling it out more broadly to consumers. "We will carefully study the results, feedback, and diagnostic data from our Insiders before taking additional steps towards re-releasing more broadly," explains Cable.

It appears the bug that caused file deletion was related to Windows 10 users who had enabled Known Folder Redirection to redirect folders like desktop, documents, pictures, and screenshots from the default location. Microsoft introduced code in its latest update to delete the empty and duplicate known folders, but it appears they weren't always empty. Microsoft has developed fixes to address a variety of problems related to these folder moves, and these fixes are now being tested with Windows Insiders.

Google

At Least Two US Attorneys General Are Investigating Google+ Breach (reuters.com) 34

At least two U.S. states are investigating a breach at Alphabet's Google that may have exposed private profile data of at least 500,000 users to hundreds of external developers. From a report: The investigation follows Google's announcement on Monday that it would shut down the consumer version of its social network Google+ and tighten its data-sharing policies after a "bug" potentially exposed user data that included names, email addresses, occupations, genders and ages. "We are aware of public reporting on this matter and are currently undertaking efforts to gain an understanding of the nature and cause of the intrusion, whether sensitive information was exposed, and what steps are being taken or called for to prevent similar intrusions in the future," Jaclyn Severance, a spokeswoman for Connecticut Attorney General George Jepsen, told Reuters in an email. The New York Attorney General's office also said it was looking into the breach.
IOS

Apple Releases iOS 12.0.1 With Fixes For Wi-Fi 2.4GHz Bug, Lightning Charging Issue (macrumors.com) 84

Apple has released iOS 12.0.1, the first official update to the iOS 12 OS that brings a number of fixes, including a fix to the charging issue that was affecting some iPhone XS owners. Mac Rumors reports: Today's update fixes several high profile bugs that have been plaguing iOS 12 users. It resolves an issue that could cause some iPhone XS devices not to charge when connected to a Lightning cable, an issue that was discovered shortly after iOS 12 was released. Reports suggested multiple iOS 12 devices were affected rather than just the iPhone XS, and it's likely that if other devices are impacted, the new update solves the problem.

https://www.macrumors.com/2018/10/08/apple-releases-ios-12-0-1-update/ iOS 12.0.1 also fixes a major Wi-Fi bug that could cause some iPhone XS devices to prefer to join a 2.4GHz Wi-Fi network rather than a 5GHz Wi-Fi network, resulting in perceived slower Wi-Fi connection speeds. After this update, many users who were stuck with their phones connecting to a 2.4GHz network should see much faster Wi-Fi connection speeds as the devices once again prefer a 5GHz network. Other bug fixes in this update include a reorientation of the "123" number key on the iPad, which was moved in the iOS 12 update and swapped with the emoji/language key, a fix for a problem that could cause subtitles not to appear in some video apps, and an issue where Bluetooth could become unavailable.

Bug

Some Apple Watch Series 4 Models Are Frequently Crashing and Rebooting Due to a Daylight Saving Time Bug (macrumors.com) 110

Some Apple Watch Series 4 owners in Australia experienced crashes and reboots on Saturday due to a bug that surfaced because of the daylight saving time change. From a report: According to Reddit users hit by the Apple Watch bug, the root of the problem appears to be the Infograph Modular face's Activity complication, which displays a timeline graph with hourly data for the user's Move calories, Exercise minutes, and Stand hours. When daylight saving time (DST) lops an hour off the typical 24-hour day, the Activity complication is apparently unable to compute the change and draw the timeline graph with only 23 hours, which throws the Apple Watch into an endless reboot loop until the battery runs out.
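The failure described above comes from treating a local calendar day as always 24 hours long. The following Python example, added here and not part of the MacRumors report or Apple's code, contrasts a fragile hourly timeline (slot array sized from real elapsed time, drawing loop hard-coded to 24 hours) with one that derives both the slot count and the hour labels from the UTC instants bounding the local day. The Sydney offset rule, the transition instant and the three activity samples are constructed for the demonstration; a real application would take the offsets from a tz database.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
HOUR = timedelta(hours=1)

# Constructed stand-ins for Sydney around the 7 Oct 2018 change: AEST (UTC+10)
# until 02:00 local, AEDT (UTC+11) from 03:00 local. Hard-coded so the example
# runs offline; a real app would consult the tz database instead.
AEST = timezone(timedelta(hours=10), "AEST")
AEDT = timezone(timedelta(hours=11), "AEDT")
SPRING_FORWARD_UTC = datetime(2018, 10, 6, 16, 0, tzinfo=UTC)  # 02:00 AEST, 7 Oct


def sydney_zone(instant_utc):
    """Offset in force at a UTC instant (constructed rule, see above)."""
    return AEDT if instant_utc >= SPRING_FORWARD_UTC else AEST


def hourly_timeline(day_start_local, day_end_local, samples):
    """Robust version: count samples per hour between two local midnights.

    The number of slots is the real elapsed time between the midnights
    (23 on a spring-forward day, 25 on a fall-back day, 24 otherwise), and
    each slot is labelled with the wall-clock hour at its start, so the
    skipped hour simply has no slot. Returns a list of (hour_label, count).
    """
    start_utc = day_start_local.astimezone(UTC)
    end_utc = day_end_local.astimezone(UTC)
    n_slots = (end_utc - start_utc) // HOUR
    counts = [0] * n_slots
    for s in samples:
        idx = (s.astimezone(UTC) - start_utc) // HOUR  # floor, so early samples go negative
        if 0 <= idx < n_slots:
            counts[idx] += 1
    labels = []
    for i in range(n_slots):
        slot_start = start_utc + i * HOUR
        labels.append(slot_start.astimezone(sydney_zone(slot_start)).hour)
    return list(zip(labels, counts))


def fragile_timeline(day_start_local, day_end_local, samples):
    """Fragile version: the slot array is sized from real elapsed time, but
    the drawing loop assumes every day has 24 hours. On a 23-hour day the
    loop reads counts[23] and raises IndexError; on a 25-hour day it silently
    drops the last hour."""
    start_utc = day_start_local.astimezone(UTC)
    end_utc = day_end_local.astimezone(UTC)
    counts = [0] * ((end_utc - start_utc) // HOUR)
    for s in samples:
        counts[(s.astimezone(UTC) - start_utc) // HOUR] += 1
    return [(hour, counts[hour]) for hour in range(24)]


def fragile_breaks(day_start_local, day_end_local, samples):
    """True if the fragile renderer fails for this day (the crash scenario)."""
    try:
        fragile_timeline(day_start_local, day_end_local, samples)
    except IndexError:
        return True
    return False


# Constructed inputs: the spring-forward day and a normal day after it.
DAY_START = datetime(2018, 10, 7, 0, 0, tzinfo=AEST)   # midnight before the jump
DAY_END = datetime(2018, 10, 8, 0, 0, tzinfo=AEDT)     # next midnight, after the jump
NORMAL_START = datetime(2018, 10, 8, 0, 0, tzinfo=AEDT)
NORMAL_END = datetime(2018, 10, 9, 0, 0, tzinfo=AEDT)
SAMPLES = [
    datetime(2018, 10, 7, 1, 30, tzinfo=AEST),   # before the jump
    datetime(2018, 10, 7, 3, 15, tzinfo=AEDT),   # first wall-clock hour after it
    datetime(2018, 10, 7, 23, 45, tzinfo=AEDT),  # last hour of the day
]

if __name__ == "__main__":
    for label, count in hourly_timeline(DAY_START, DAY_END, SAMPLES):
        print(f"{label:02d}:00 {'#' * count}")
    print("fragile renderer breaks on DST day:", fragile_breaks(DAY_START, DAY_END, SAMPLES))
```

The robust version never asks "how many hours are in a day"; it asks how many hours elapsed between two instants and lets the labels fall where the local clock puts them, which is the same reasoning that handles the 25-hour day when clocks go back.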
Cellphones

Greg Kroah-Hartman: Outside Phone Vendors Aren't Updating Their Linux Kernels (linux.com) 86

"Linux runs the world, right? So we want to make sure that things are secure," says Linux kernel maintainer Greg Kroah-Hartman. When asked in a new video interview which bug makes them most angry, he first replies "the whole Spectre/Meltdown problem. What made us so mad, in a way, is we were fixing a bug in somebody else's layer!" One other interesting thing about the whole Spectre/Meltdown problem is the complexity of that black box of a CPU is much much larger than it used to be. Right? Because they're doing -- in order to eke out all the performance and all the new things like that, you have to do extra-special tricks and things like that. And they have been, and sometimes those tricks come back to bite you in the butt. And they have, in this case. So we have to work around that.
But a companion article on Linux.com notes that "Intel has changed its approach in light of these events. 'They are reworking how they approach security bugs and how they work with the community because they know they did it wrong,' Kroah-Hartman said." (And the article adds that "for those who want to build a career in kernel space, security is a good place to get started...")

Kroah-Hartman points out in the video interview that "we're doing more and more testing, more and more builds," noting "This infrastructure we have is catching things at an earlier stage -- because it's there -- which is awesome to see." But security issues can persist thanks to outside vendors beyond their control. Linux.com reports: Hardening the kernel is not enough; vendors have to enable the new features and take advantage of them. That's not happening. Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it. However, Kroah-Hartman has observed that, aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable. "People need to enable this stuff," he said.

"I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel," he said. "I'm working through the whole supply chain trying to solve that problem because it's a tough problem. There are many different groups involved -- the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people."

"The good news," according to Linux.com, "is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It's effortless to update and reboot with no downtime."
Microsoft

Microsoft Joins 5th Annual Open Source 'Hacktoberfest' (microsoft.com) 30

An anonymous reader writes: This October will see the fifth annual Hacktoberfest, "a month-long celebration of open source software run by DigitalOcean in partnership with GitHub and Twilio." Basically you sign up any time in October, then submit five quality pull requests to public GitHub repositories to win a t-shirt and stickers. (Issues and commits don't count, only pull requests created after October 1st -- but pull requests will still count even if they're not accepted or merged, "unless they are spam, irrelevant, or tagged as invalid.") "No contribution is too small -- bug fixes and documentation updates are valid ways of participating."
Here's Microsoft's own announcement about the event from their Open Source blog: We're excited to announce that we're participating in this year's Hacktoberfest! An annual celebration of all things open source, Hacktoberfest launched as a partnership between DigitalOcean and GitHub in 2014 and rallies a global community of contributors, with last year's event drawing more than 30K participants and nearly 240K pull requests.

This October, we'll recognize anyone who submits a pull request to one of our open source projects with a special limited-edition T-shirt (more details below)... Our projects span nearly all areas of computing, from developer tools and frameworks like .NET Core, Microsoft Cognitive Toolkit, Visual Studio Code, and Visual Studio Tools for Xamarin to Kubernetes tooling like Draft and the Service Fabric container orchestrator. Any contributions are welcome, so explore our GitHub repos, find something that interests you, and submit your first (or 100th) pull request.

Microsoft's t-shirt design includes a cameo appearance by.... Clippy, Microsoft's widely beloved default assistant for Office 2000/XP/2003.
Windows

Microsoft Pulls Windows 10 October Update (zdnet.com) 139

Amid reports of users facing a number of issues after updating their computers to Windows 10 October 2018 Update, Microsoft said Saturday it was pausing the rollout of the latest version of its Windows 10 desktop operating system. ZDNet: In a support document updated today, October 6, the Redmond-based OS maker said it took this decision after users complained that v1809 had deleted files after the update. "We have paused the rollout of the Windows 10 October 2018 Update (version 1809) for all users as we investigate isolated reports of users missing some files after updating." Microsoft employs a gradual rollout scheme, and not all Windows 10 users have received its latest bi-annual OS update. The October 2018 Update is no longer available for download, and Microsoft urges users who manually downloaded a Windows 10 installation package to wait until new installation media is available. "We will provide an update when we resume rolling out the Windows 10 October 2018 Update to customers," Microsoft said.
Facebook

Facebook Bug Prevented Users From Deleting Their Accounts (venturebeat.com) 49

Emil Protalinski, reporting for VentureBeat: Until just a few days ago, some Facebook users could not delete their accounts -- the option to do so simply didn't work. After VentureBeat reached out to Facebook regarding the issue, an engineer was able to squash the bug.

Two weeks ago, I got an email from a VentureBeat reader who couldn't delete his Facebook account. He claimed there were others also having issues -- no matter what they tried, they simply could not delete Facebook. I didn't believe him at first. [...] I did my due diligence. The least I could do was help him delete his account. Upon request, the reader was gracious enough to let me log into his Facebook account so I could see for myself. No matter what I tried, and regardless of which browser I used, the Facebook help page for deleting your account would not load when logged into his account.
The reporter contacted a Facebook spokesperson, who after looking into the matter concluded that a bug prevented some people with "a large number of posts" from deleting their accounts. Facebook says it has resolved the issue.
Amiga

AmigaOS 3.1.4 For Classic Amigas Released (hyperion-entertainment.com) 69

Mike Bouma shares the announcement from Hyperion Entertainment, which holds exclusive rights to AmigaOS: The new, cleaned-up, polished Amiga operating system for your 68K machine fixes all the small annoyances that have piled up over the years. Originally intended as a bug-fix release, it also modernizes many system components previously upgraded in OS 3.9. Contrary to its modest revision number, AmigaOS 3.1.4 is arguably as large an upgrade as OS 3.9 was, and surpasses it in stability and robustness. Over 320K of release notes cover almost every aspect of your favorite classic AmigaOS -- from bootmenu to datatypes. Some of the highlights mentioned include: over 20 Kickstart ROM modules and many more disk-based core OS components were fixed, updated, or added; support for large hard disks; a modernized Workbench; and a colorful, professionally designed icon set, included along with the traditional four-color icons.
Security

Some Apple Laptops Shipped With Intel Chips In 'Manufacturing Mode' (zdnet.com) 36

An anonymous reader writes: Apple has quietly fixed a security issue affecting some laptops that shipped with Intel chips mistakenly left configured in "manufacturing mode." The issue was discovered by two security researchers hunting for security flaws in Intel's Management Engine. While digging through the many ME configuration options, the two spotted a feature that they believed could lead to problems if left enabled by accident on Intel chips.

The configuration they eyed was named Manufacturing Mode, an Intel ME option that desktop, server, laptop, or mobile OEMs can enable on Intel chips and use to test ME's remote management features. As the name implies, this configuration option should be enabled only on manufacturing lines, to allow automated configuration and testing operations, and disabled before the end product ships. Leaving an Intel ME chip in Manufacturing Mode allows attackers to change ME settings and disable security controls, opening the chip to other attacks.

The two researchers said they only tested Lenovo and Apple laptops for the presence of Intel ME chips in Manufacturing Mode. Other laptops or computers may also be affected. Instructions on how to spot Intel ME chips in Manufacturing Mode and how to disable it are available here. Apple fixed the issue in June, with the release of macOS High Sierra 10.13.5, and Security Update 2018-003 for macOS Sierra and El Capitan.

Iphone

Some iPhone XS, XS Max Devices Are Experiencing Charging Issues (theverge.com) 50

Poor cellular reception doesn't appear to be the only issue affecting some new iPhone XS and XS Max owners. "Dozens of users have reported charging issues with their iPhone XS and XS Max devices, and shared their experiences on the MacRumors forums and Apple's support forums," reports The Verge. From the report: Specifically, users are experiencing issues where phones will not charge if the Lightning cable is plugged in while the device is asleep. The problem appears to be a software bug -- perhaps related to the phone's USB accessory settings -- and requires iPhones to be unlocked (or at least have the screen lit up) in order to begin charging. Tech vlogger Lewis Hilsenteger demonstrated the issues on nine different iPhone X, XS, and XS Max devices on his YouTube channel Unbox Therapy. Some iPhones respond immediately to being plugged into a charger, while others have to be tapped to awaken, and others freeze up. If you are experiencing this issue, you should find relief by upgrading to the iOS 12.1 beta, which apparently eliminates the problem entirely. "For now, others suggest going into Settings, FaceID and Passcode, scrolling down to 'Allow access when locked' and turning on USB Accessories," reports The Verge.
Linux

Linux Kernel Finally Nearing Support For The Apple Magic Trackpad 2, Thanks To a Google Employee (phoronix.com) 52

Michael Larabel, writing for Phoronix: Apple announced the Magic Trackpad 2 almost three years ago to the day, and the mainline Linux kernel will finally support this multi-touch device soon. The Magic Trackpad 2 is a wired/wireless touchpad with haptic feedback support and is a much larger touchpad compared to the original Magic Trackpad. There unfortunately hasn't been any mainline Linux kernel support for the Magic Trackpad 2, only some out-of-tree options. [...] However, as seen in this bug report, there have been plenty of people since 2015 interested in using the Magic Trackpad 2 on Linux. Fortunately, Sean O'Brien of Google's Chrome OS team has been working on Magic Trackpad 2 support with a focus on getting it mainlined. The patch, which was also reviewed by other Google/ChromeOS developers, is now up to its third and perhaps final revision.
Programming

How Microsoft Rewrote Its C# Compiler in C# and Made It Open Source (medium.com) 85

Mads Torgersen, the lead designer of C# at Microsoft, remembers "Project Roslyn," which built an open-source, cross-platform compiler for C# and Visual Basic.NET "in the deepest darkness of last decade's corporate Microsoft: We would build a language engine! A unified, public API to C# code: We would redefine the meaning of "compiler". Of course, once you are building an API for the broad C# community, it is kind of a slam-dunk that it should be a .NET API, implemented in C#. So, the old dream of "bootstrapping" C# in C# was fulfilled almost as an accidental side benefit. Roslyn was thus born out of an openness mindset: sharing the inner workings of the C# language for the world to programmatically consume.

This in and of itself was a bit of a bold proposition in what was still a pervasively closed culture at Microsoft: We would share this intellectual property for free? We would empower tool builders that weren't us to better compete with us? The arguments that won the day for us here were about strengthening the ecosystem and becoming the best tooled language on the planet. They were about long-term growth of C# and .NET, versus short term monetization and protection of assets for Microsoft. So even without having mentioned open source, signing up for the cost and risk of the Roslyn project was a big and bold step for Microsoft....

F# released already in 2010 with an open source license and its own foundation -- the F# Software Foundation. The vibrant community that grew up around it soon became the envy of us all. Our team pushed strongly to have an open source production license for Roslyn, and finally a company-wide infrastructure emerged to make it real. By 2012, Microsoft had created Microsoft Open Tech; an organization specifically focused on open source projects. Roslyn moved under Microsoft Open Tech and officially became open source... C# language design and compiler implementation are now completely open processes, with lots of non-Microsoft participation, including whole language features being built by external contributors.

Torgersen's article says C# now enjoys "the scaling of effort via contribution of features and bug fixes, but also the insight and course correction we get through the instant, daily feedback loop that open source provides."

"It's been a long and wild journey, and one that to me is symbolic of the massive changes that Microsoft has undergone over the last decade."
Facebook

Hacker Proclaims He'll Live-Stream an Attempt To Delete Mark Zuckerberg's Facebook Page This Sunday (bloomberg.com) 51

An indie Taiwanese hacker has proclaimed he'll broadcast an attempt to wipe out Mark Zuckerberg's Facebook page this Sunday -- live. From a report: Self-professed bug bounty-hunter Chang Chi-yuan, who ferrets out software flaws in return for cash, says he'll live-stream an endeavor to delete the billionaire's account at 6 p.m. local time from his own Facebook page. He didn't get into details or respond to an online query. "Broadcasting the deletion of FB founder Zuck's account," the lanky youngster, who turns 24 this year based on past interviews, told his 26,000-plus followers on Facebook this week. "Scheduled to go live." Cyber-enthusiasts from India to the U.S. routinely expose loopholes in corporate websites and software, earning small financial rewards. It's unusual however for so-called white-hat hackers to do so in real time. Chang, a minor celebrity at home who's gone on talk shows to discuss his exploits, was reportedly sued by a local bus operator after infiltrating their systems and buying a ticket for just NT$1 (3 cents). He's published a gamut of claims -- none of which could be independently verified -- including attacks on Apple and Tesla. And his Facebook account was listed among eight "special contributors" in Line's 2016 bug-hunters' hall of fame. Update: He has backpedalled on the claim.
Software

Delta Computer Glitches Force Flight Halts Third Year In a Row (bloomberg.com) 69

An anonymous reader quotes a report from Bloomberg: The U.S. airline grounded all domestic flights Tuesday to deal with a technology issue that affected some of its systems. About an hour later, Delta said it had restored all its systems, allowing the services to resume. While the carrier said there were no disruptions or safety issues with any flight, the systems failure was the third in as many years that forced Delta to shut its operations. In January last year, a 2 1/2-hour computer breakdown grounded domestic flights. Delta's worldwide computer systems failed in August 2016, causing massive cancellations. This time, international flights weren't affected, and the grounding was relatively short. Still, with limited updates on flight schedules, irate customers took to social media.
Businesses

Uber Settles Data Breach Investigation For $148 Million (nytimes.com) 18

An anonymous reader quotes a report from The New York Times: Uber will pay $148 million to settle a nationwide investigation into a 2016 data breach (Warning: source may be paywalled; alternative source), in which a hacker managed to gain access to information belonging to 57 million riders and drivers. The breach included names and driver's license numbers for 600,000 drivers. Rather than disclosing the breach when it occurred, Uber paid the hacker $100,000 through its bug bounty program. [...] The ride-hailing company persuaded him to delete the data and stay quiet about it with a nondisclosure agreement. The incident became public a year later when Uber's chief executive, Dara Khosrowshahi, announced it as a "failure" and fired the two employees who had signed off on the payment.

Tony West, Uber's chief legal officer, said the settlement was part of a larger effort inside Uber to remake the company's image. He said the company had recently hired a chief privacy officer and a chief trust and security officer. The $148 million settlement announced Wednesday will be divided among all 50 states and the District of Columbia. "Companies in California and throughout the nation are entrusted with customers' valuable private information," Xavier Becerra, California's attorney general, said. "This settlement broadcasts to all of them that we will hold them accountable to protect that data."

AI

Machine Learning Confronts the Elephant in the Room (quantamagazine.org) 151

A visual prank exposes an Achilles' heel of computer vision systems: Unlike humans, they can't do a double take. From a report: In a new study [PDF], computer scientists found that artificial intelligence systems fail a vision test a child could accomplish with ease. "It's a clever and important study that reminds us that 'deep learning' isn't really that deep," said Gary Marcus, a neuroscientist at New York University who was not affiliated with the work. The result takes place in the field of computer vision, where artificial intelligence systems attempt to detect and categorize objects. They might try to find all the pedestrians in a street scene, or just distinguish a bird from a bicycle (which is a notoriously difficult task). The stakes are high: As computers take over critical tasks like automated surveillance and autonomous driving, we'll want their visual processing to be at least as good as the human eyes they're replacing.

It won't be easy. The new work accentuates the sophistication of human vision -- and the challenge of building systems that mimic it. In the study, the researchers presented a computer vision system with a living room scene. The system processed it well. It correctly identified a chair, a person, books on a shelf. Then the researchers introduced an anomalous object into the scene -- an image of an elephant. The elephant's mere presence caused the system to forget itself: Suddenly it started calling a chair a couch and the elephant a chair, while turning completely blind to other objects it had previously seen.

"There are all sorts of weird things happening that show how brittle current object detection systems are," said Amir Rosenfeld, a researcher at York University in Toronto and co-author of the study along with his York colleague John Tsotsos and Richard Zemel of the University of Toronto. Researchers are still trying to understand exactly why computer vision systems get tripped up so easily, but they have a good guess. It has to do with an ability humans have that AI lacks: the ability to understand when a scene is confusing and thus go back for a second glance.

Desktops (Apple)

Apple Releases macOS Mojave Featuring Dark Mode and Other Features; Earlier Today a Security Researcher Published 0Day Bypass For a Privacy Bug in the new OS 72

Apple on Monday made available to the public macOS Mojave -- aka macOS 10.14, the latest major update to its desktop operating system. From a report: Though Mojave is substantially focused on under-the-hood improvements, it includes several major changes to the Mac's Finder, as well as a small collection of apps that were ported from iOS. On the Finder side, Apple has introduced a system-wide Dark Mode, which optionally reskins the entire user interface with black or dark gray elements. Dark Mode pairs up with Dynamic Desktop, which can automatically adjust certain desktop images in sync with time of day (morning, afternoon, and evening) changes. Minutes ahead of the release, Patrick Wardle, chief research officer at Digita Security, tweeted a video of an apparent bypass of a privacy feature designed to prevent apps from improperly accessing a user's personal data. From a report: For years, Macs have forced apps to ask for permission before accessing your contacts and calendar after some iOS apps were caught uploading private data. Apple said at its annual developer conference this year that it would expand the feature to include apps asking for permission to access the camera, microphone, email and backups. Wardle told TechCrunch that his findings are "not a universal bypass" of the feature, but that the bug could allow a malicious app to grab certain protected data, such as a user's contacts, when a user is logged in.
