Mozilla

The New Firefox and Ridiculous Numbers of Tabs (metafluff.com) 63

An anonymous reader shares a blog post: I've got a Firefox profile with 1691 tabs. As you would expect, Firefox handled this profile quite poorly for a long time. I got used to multi-minute startup time, waiting 15-30 seconds for tabs from external apps to show up, and all manner of non-responsive behavior. And then, quite recently, everything changed. Right now, more effort is being put into making Firefox fast than I've seen since... well, since I've been working on Firefox. And I've been at Mozilla for more than a decade. Part of this effort is a project called Quantum Flow -- a bunch of engineers making changes that directly impact Firefox responsiveness. A lot of the improvement in this particular scenario is from Kevin Jones' work on bringing the overall cost of unloaded tabs as close to zero as possible. While the major work has landed, the work continues in Bug 906076. Test scenario: I took my 1691 tab browser profile, and did a wall-clock measurement of start-up time and memory use for Firefox versions 20, 30, 40, and 50 through 56. In the result, the person found that Firefox startup time has gotten worse over time... until Firefox 51.
Ubuntu

Ubuntu 16.10 Reaches End of Life (softpedia.com) 156

prisoninmate shares a report from Softpedia: Today, July 20, 2017, is the last day when the Ubuntu 16.10 (Yakkety Yak) was supported by Canonical as the operating system now reached end of life, and it will no longer receive security and software updates. Dubbed by Canonical and Ubuntu founder Mark Shuttleworth as the Yakkety Yak, Ubuntu 16.10 was launched on October 13, 2016, and it was a short-lived release that only received nine (9) months of support through kernel updates, bug fixes, and security patches for various components. Starting today, you should no longer use Ubuntu 16.10 (Yakkety Yak) on your personal computer, even if it's up-to-date. Why? Because, in time, it will become vulnerable to all sort of attacks as Canonical won't provide security and kernel updates for this release. Therefore, all users are urged to upgrade to Ubuntu 17.04 (Zesty Zapus) immediately using the instructions here.
Android

Some OnePlus 5s Are Reportedly Rebooting After Dialing 911 (theverge.com) 59

The OnePlus 5, dubbed "the best sub-$500 phone you can buy" when it launched, is having a few problems. Earlier this month, some owners of the new device complained about a weird jelly-like effect that appears when scrolling through apps. OnePlus went on to claim that the effect is normal and not the result of any manufacturing issues. Now, a handful of users are reporting that the OnePlus 5 will reboot itself once 911 is called, preventing them from reaching emergency services. The Verge reports: Reddit user Nick Morrelli noticed the glitch after he tried to call 911 to report a building fire in Seattle, and other users have reported that the OnePlus 5 is unable to dial 911 (or 999 in the UK, as another user reported) without rebooting. While most users haven't reported having the issue, any percentage of devices not being able to reach emergency services is a major issue for OnePlus. In a statement to The Verge, OnePlus says it's looking into the problem. "We have contacted the customer and are currently looking into the issue. We ask anyone experiencing a similar situation to contact us at support@oneplus.net."
Bug

Flaw In IoT Security Cameras Leaves Millions of Devices Open To Hackers (vice.com) 53

New submitter Aliciadivo writes: A nasty vulnerability found in Axis security cameras could allow hackers to take full control of several types of Internet of Things devices, and in some cases, software programs, too. The Senrio research team found that devices and software programs using an open source software library called gSOAP to enable their product to communicate to the internet could be affected. Stephen Ridley, founder of Senrio, said: "I bet you all these other manufacturers have the same vulnerability throughout their product lines as well. It's a vulnerability in virtually every IoT device [...] Every kind of device you can possibly think of." A spokesperson for ONVIF, an electronics industry consortium that includes Axis and has includes some members that use gSOAP, said it has notified its members of the flaw, but it's not "up to each member to handle this in the way they best see fit." Also, gSOAP "is not in any way mandated by the ONVIF specifications, but as SOAP is the base for the ONVIF API, it is possible that ONVIF members would be affected." Hundreds of thousands of devices might be affected, as a search for the term "Axis" on Shodan, an engine that scours the internet for vulnerable devices, returns around 14,000 results. You can view Senrio Labs' video on the exploit (which they refer to as the "Devil's Ivy Exploit") here.
Microsoft

Microsoft Yanks Three Bad Patches Of Their Last Outlook Patch (computerworld.com) 78

An anonymous reader quotes ComputerWorld's Woody Leonhard: I just received word from Gunter Born that Microsoft has pulled three of its Outlook patches... There's no specific recommendation that you uninstall the yanked patches -- indeed, there's no description of the problems caused by the latest round -- but earlier versions of the bad patches-of-patches had a nasty habit of crashing Outlook... Microsoft still hasn't fixed any of the Office 2007 bugs it introduced in the June security patches.
If you're keeping score at home, the yanked patches are:
  • KB 4011042 - July 5, 2017, update for Outlook 2010
  • KB 3191849 - June 27, 2017, update for Outlook 2013
  • KB 3213654 - June 30, 2017, update for Outlook 2016

Programming

TechCrunch Urges Developers: Replace C Code With Rust (techcrunch.com) 492

Software engineer and TechCrunch columnist Jon Evans writes that the C programming language "gives its users far too much artillery with which to shoot their feet off" and is "no longer suitable for the world which C has built." An anonymous reader shared Evans' post: Copious experience has taught us all, the hard way, that it is very difficult, verging on "basically impossible," to write extensive amounts of C code that is not riddled with security holes. As I wrote two years ago, in my first Death To C piece... "Buffer overflows and dangling pointers lead to catastrophic security holes, again and again and again, just like yesteryear, just like all the years of yore. We cannot afford its gargantuan, gaping security blind spots any more. It's long past time to retire and replace it with another language.

"The trouble is, most modern languages don't even try to replace C... They're not good at the thing C does best: getting down to the bare metal and working at mach speed." Today I am seriously suggesting that when engineers refactor existing C code, especially parsers and other input handlers, they replace it -- slowly, bit by bit -- with Rust... we are only going to dig ourselves out of our giant collective security hole iteratively, one shovelful of better code and better tooling at a time."

He also suggests other fixes -- like using a language-theoretic approach which conceptualizes valid inputs as their own formal language, and formal verification of the correctness of algorithms. But he still insists that "C has become a monster" -- and that we must start replacing it with Rust.
Bug

24 Cores and the Mouse Won't Move: Engineer Diagnoses Windows 10 Bug (wordpress.com) 352

Longtime Slashdot reader ewhac writes: Bruce Dawson recently posted a deep-dive into an annoyance that Windows 10 was inflicting on him -- namely, every time he built Chrome, his extremely beefy 24-core (48-thread) rig would begin stuttering, with the mouse frequently becoming stuck for a little over one second. This would be unsurprising if all cores were pegged at 100%, but overall CPU usage was barely hitting 50%. So he started digging out the debugging tools and doing performance traces on Windows itself. He eventually discovered that the function NtGdiCloseProcess(), responsible for Windows process exit and teardown, appears to serialize through a single lock, each pass through taking about 200 microseconds each. So if you have a job that creates and destroys a lot of processes very quickly (like building a large application such as Chrome), you're going to get hit in the face with this. Moreover, the problem gets worse the more cores you have. The issue apparently doesn't exist in Windows 7. Microsoft has been informed of the issue and they are allegedly investigating.
Operating Systems

48-Year-Old Multics Operating System Resurrected (multicians.org) 94

"The seminal operating system Multics has been reborn," writes Slashdot reader doon386: The last native Multics system was shut down in 2000. After more than a dozen years in hibernation a simulator for the Honeywell DPS-8/M CPU was finally realized and, consequently, Multics found new life... Along with the simulator an accompanying new release of Multics -- MR12.6 -- has been created and made available. MR12.6 contains many bug and Y2K fixes and allows Multics to run in a post-Y2K, internet-enabled world.
Besides supporting dates in the 21st century, it offers mail and send_message functionality, and can even simulate tape and disk I/O. (And yes, someone has already installed Multics on a Raspberry Pi.) Version 1.0 of the simulator was released Saturday, and Multicians.org is offering a complete QuickStart installation package with software, compilers, install scripts, and several initial projects (including SysDaemon, SysAdmin, and Daemon). Plus there's also useful Wiki documents about how to get started, noting that Multics emulation runs on Linux, macOS, Windows, and Raspian systems.

The original submission points out that "This revival of Multics allows hobbyists, researchers and students the chance to experience first hand the system that inspired UNIX."
Microsoft

Microsoft's Last 'Bug Bash' Before Windows 10 Fall Creators Update (betanews.com) 80

Mark Wilson quotes BetaNews: With the launch of Windows 10 Fall Creators Update Build 16237 to the Fast Ring yesterday, Microsoft wheeled in numerous fixes and new features. At the same time, the company also announced that the second Bug Bash for the next big update to Windows 10 is about to take place. This is the last Bug Bash that will take place before the release of the final version of Windows 10 Fall Creators Update, and it will see an intense period of testing with the help of Windows Insiders. Things kick off on Friday, July 14 and continue for more than a week.

Of course, the whole idea of the insider program is to help Microsoft to home in on bugs and get them fixed before software is released to the masses, but the Bug Bash steps things up a notch. Participants will be asked to take part in quests to check specific elements of the operating system as Microsoft draws closer to pushing out this latest feature update.

This build includes "read out loud" functionality for PDFs, support for emoji 5.0 -- and now when you relaunch Edge after it crashes, your tabs will be restored automatically.
Data Storage

OneDrive Has Stopped Working On Non-NTFS Drives (arstechnica.com) 130

An anonymous reader quotes a report from Ars Technica: OneDrive users around the world have been upset to discover that with its latest update, Microsoft's cloud file syncing and storage system no longer works with anything other than disks formatted with the NTFS file system. Both older file systems, such as FAT32 and exFAT, and newer ones, such as ReFS, will now provoke an error message when OneDrive starts up. To continue to use the software, files will have to be stored on an NTFS volume. While FAT disks can be converted, ReFS volumes must be reformatted and wiped. This has left various OneDrive users unhappy. While NTFS is the default file system in Windows, people using SD cards to extend the storage on small laptops and tablets will typically use exFAT. Similarly, people using Storage Spaces to manage large, redundant storage volumes will often use ReFS. The new policy doesn't change anything for most Windows users, but those at the margins will feel hard done by. Microsoft said in a statement that it "discovered a warning message that should have existed was missing when a user attempted to store their OneDrive folder on a non-NTFS filesystem -- which was immediately remedied." According to Ars, Microsoft's position, apparently, is that OneDrive should always have warned about these usage scenarios and that it's only a bug or an oversight that allowed non-NTFS volumes to work.
Iphone

iPhone Bugs Are Too Valuable To Report To Apple (vice.com) 96

An anonymous reader writes: Last year, Apple launched a long-awaited bug bounty program to reward friendly hackers who report flaws in the iPhone to the company. Despite inviting some of the best hackers in the world to join, it's a bit of a flop so far. The iPhone's security is so tight that it's hard to find any flaws at all, which leads to sky-high prices for bugs on the grey market. Researchers I spoke to are reluctant to report bugs both because they are so valuable and because reporting some bugs may actually prevent them from doing more research. "People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly." Patrick Wardle, a former NSA hacker who now specializes in MacOS research and was invited to the Apple bug bounty program, agreed. He said that iOS bugs are "too valuable to report to Apple."
Bug

Data Glitch Sets Tech Company Stock Prices At $123.47 (theverge.com) 52

For one moment on Monday evening, the prices of several stocks on Nasdaq -- including those of Amazon, Apple, eBay, Google, and Microsoft -- were all priced exactly the same, $123.47. From a report: In a statement obtained by the Financial Times, Nasdaq said the culprit was "improper use of test data" that was picked up by third party financial data providers. The exchange said it was "working with third party vendors to resolve this matter." The issue was replicated across major financial websites, including Bloomberg, Google Finance, and Yahoo Finance, and it's not known when it all started.
Bug

'Severe' Systemd Bug Allowed Remote Code Execution For Two Years (itwire.com) 551

ITWire reports: A flaw in systemd, the init system used on many Linux systems, can be exploited using a malicious DNS query to either crash a system or to run code remotely. The vulnerability resides in the daemon systemd-resolved and can be triggered using a TCP payload, according to Ubuntu developer Chris Coulson. This component can be tricked into allocating less memory than needed for a look-up. When the reply is bigger it overflows the buffer allowing an attacker to overwrite memory. This would result in the process either crashing or it could allow for code execution remotely. "A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved in to allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," is how Coulson put it.
Affected Linux vendors have pushed out patches -- but the bug has apparently been present in systemd code since June of 2015. And long-time Slashdot reader walterbyrd also reports a recently-discovered bug where systemd unit files that contain illegal usernames get defaulted to root.
Open Source

Linus Explains What Surprises Him After 25 Years Of Linux (linux.com) 181

Linus Torvalds appeared in a new "fireside chat" with VMware Head of Open Source Dirk Hohndel. An anonymous reader writes: Linus explained what still surprises him about Linux development. "Code that I thought was stable continually gets improved. There are things we haven't touched for many years, then someone comes along and improves them or makes bug reports in something I thought no one used. We have new hardware, new features that are developed, but after 25 years, we still have old, very basic things that people care about and still improve... Our processes have not only worked for 25 years, we still have a very strong maintainer group... And as these maintainers get older and fatter, we have new people coming in."

Linus also says he's surprised by the widespread popularity of Git. "I expected it to be limited mostly to the kernel -- as it's tailored to what we do... In certain circles, Git is more well known than Linux." And he also shares advice if you want to get started as an open source developer. "I'm not sure my example is the right thing for people to follow. There are a ton of open source projects and, if you are a beginning programmer, find something you're interested in that you can follow for more than just a few weeks... If you can be part of a community and set up patches, it's not just about the coding, but about the social aspect of open source. You make connections and improve yourself as a programmer."

Linus also says that "I really like what I'm doing. I like waking up and having a job that is technically interesting and challenging without being too stressful so I can do it for long stretches; something where I feel I am making a real difference and doing something meaningful not just for me."
Bug

Researcher Finds Critical OpenVPN Bug Using Fuzzing (zdnet.com) 47

"Guido Vranken recently published 4 security vulnerabilities in OpenVPN on his personal blog," writes long-time Slashdot reader randomErr -- one of which was a critical remote execution bug. Though patches have been now released, there's a lesson to be learned about the importance of fuzzing -- bug testing with large amounts of random data -- Guido Vranken writes: Most of these issues were found through fuzzing. I hate admitting it, but...the arcane art of reviewing code manually, acquired through grueling practice, are dwarfed by the fuzzer in one fell swoop; the mortal's mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification.
ZDNet adds that "OpenVPN's audits, carried out over the past two years, missed these major flaws. While a handful of other bugs are found, perhaps OpenVPN should consider adding fuzzing to their internal security analysis in the future."

Guido adds on his blog, "This was a labor of love. Nobody paid me to do this. If you appreciate this effort, please donate BTC..."
Operating Systems

32TB of Windows 10 Internal Builds, Core Source Code Leak Online (theregister.co.uk) 201

According to an exclusive report via The Register, "a massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online." From the report: The data -- some 32TB of installation images and software blueprints that compress down to 8TB -- were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the data has been exfiltrated from Microsoft's in-house systems since around March. The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code. Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. In addition to this, hundreds of top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked along with copies of officially released versions.
Businesses

IT Services Company Wipro Forces 600 Employees To Work In Bed Bug Infested Office (11alive.com) 127

McGruber writes: Information Technology Services CorporationWipro's 600-employee call center in Chamblee, Georgia is in infected with bed bugs according to Atlanta television station 11Alive. The facilities manager admits there is a bed bug problem and it's been an issue since late May. Employees told the tv station that the bugs are all over the three floors -- and they're biting. But employees are being told they still must go to work. Kwanita Holmes sent 11Alive photos of what she said is a bed bug bite on her arm: "We're at work 8 hours a day and we're getting munched on all day," she said. Wipro said it's paying for in-home bed bug consultations and treatments for employees.
Linux

Linus Torvalds Says Linux Still Surprises and Motivates Him (linux.com) 78

Linus Torvalds: What I find interesting is code that I thought was stable continually gets improved. There are things we haven't touched for many years, then someone comes along and improves them or makes bug reports in something I thought no one used. We have new hardware, new features that are developed, but after 25 years, we still have old, very basic things that people care about and still improve. I really like what I'm doing. I like waking up and having a job that is technically interesting and challenging without being too stressful so I can do it for long stretches; something where I feel I am making a real difference and doing something meaningful not just for me. I occasionally have taken breaks from my job. The 2-3 weeks I worked on Git to get that started for example. But every time I take a longer break, I get bored. When I go diving for a week, I look forward to getting back. I never had the feeling that I need to take a longer break.
Open Source

Opus 1.2 Released 22

jmv writes: The Opus audio codec, used in WebRTC and now included in all major web browsers, gets another major upgrade with the release of version 1.2. This release brings quality improvements to both speech and music, while remaining fully compatible with RFC 6716. There are also optimizations, new options, as well as many bug fixes. This Opus 1.2 demo describes a few of the upgrades that users and implementers will care about the most. It includes audio samples comparing to previous versions of the codec, as well as speed comparisons for x86 and ARM.
Government

Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families (nytimes.com) 54

Mexico's most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government on the condition that it be used only to investigate criminals and terrorists, reports the New York Times. From the report: The targets include lawyers looking into the mass disappearance of 43 students (alternative source), a highly respected academic who helped write anti-corruption legislation, two of Mexico's most influential journalists and an American representing victims of sexual abuse by the police. The spying even swept up family members, including a teenage boy. Since 2011, at least three Mexican federal agencies have purchased about $80 million worth of spyware created by an Israeli cyberarms manufacturer. The software, known as Pegasus, infiltrates smartphones to monitor every detail of a person's cellular life -- calls, texts, email, contacts and calendars. It can even use the microphone and camera on phones for surveillance, turning a target's smartphone into a personal bug.

Slashdot Top Deals