Open Source

Open Source Developers Say Securing Their Code Is 'Insufferably Boring' and 'Soul-Withering' (techrepublic.com) 150

"A new survey of the free and open-source software (FOSS) community conducted by the Linux Foundation suggests that contributors spend less than 3% of their time on security issues and have little desire to increase this," reports TechRepublic: Moreover, responses indicated that many respondents had little interest in increasing time and effort on security. One respondent commented that they "find the enterprise of security a soul-withering chore and a subject best left for the lawyers and process freaks," while another said: "I find security an insufferably boring procedural hindrance."

The researchers concluded that a new approach to the security and auditing of FOSS would be needed to improve security practices, while limiting the burden on contributors. Some of the most requested tools from contributors were bug and security fixes, free security audits, and simplified ways to add security-related tools to their continuous integration (CI) pipelines.

"There is a clear need to dedicate more effort to the security of FOSS, but the burden should not fall solely on contributors," read the report. "Developers generally do not want to become security auditors; they want to receive the results of audits..."

The researchers continued: "One way to improve a rewrite's security is to switch from memory-unsafe languages (such as C or C++) into memory-safe languages (such as nearly all other languages). This would eliminate entire classes of vulnerabilities such as buffer overflows and double-frees."

Also interesting: money "scored very low in developers' motivations for contributing to open-source projects, as did a desire for recognition amongst peers," according to TechRepublic.

"Instead, developers said they were purely interested in finding features, fixes and solutions to the open-source projects they were working on. Other top motivations included were enjoyment and a desire to contribute back to the FOSS projects that they used."

Security

Spotify Resets Passwords After a Security Bug Exposed Users' Private Account Information (techcrunch.com) 19

Jerry Rivers shares a report from TechCrunch, adding: "...and it took the music service seven months to notice." From the report: In a data breach notification filed with the California attorney general's office, the music streaming giant said the data exposed "may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify." The company did not name the business partners, but added that Spotify "did not make this information publicly accessible." The company says the vulnerability existed as far back as April 9 but wasn't discovered until November 12. It didn't say what the vulnerability was or how user account data became exposed.

"We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted," the letter read.

Iphone

Original Jailbreak App Store Cydia Sues Apple for its Monopoly (vice.com) 102

The iPhone's original -- and unofficial -- app store has sued Apple, accusing the company of having a monopoly on the distribution of apps. Cydia, an app store created and launched in 2007 by Jay "Saurik" Freeman, one of the original jailbreakers, filed the lawsuit against Apple on Thursday. From a report: "Were it not for Apple's anti competitive acquisition and maintenance of an illegal monopoly over iOS app distribution, users today would actually be able to choose how and where to locate and obtain iOS apps, and developers would be able to use the iOS app distributor of their choice," the lawsuit reads. Before Apple created the App Store, Freeman and a group of iPhone hackers created an unofficial app store where users who were willing to jailbreak -- a technique that exploits one or more bugs to disable the iPhone security mechanism called code-signing enforcement, which allows only Apple-approved code to run on the phone -- could download and install apps. In 2010, according to Freeman, Cydia had around 4.5 million users.

Bug

Cyberpunk 2077 Bugs Hit CD Projekt (bloomberg.com) 148

An anonymous reader shares a report: Numerous glitches reported by players as the long-awaited Cyberpunk 2077 game went live robbed creator CD Projekt of a stock surge on the back of encouraging advance-order sales figures. Poland's biggest computer-games studio sold more than eight million copies of the futuristic title prior to its official release, mainly using higher-margin digital distribution. Excitement around Wednesday's launch saw player numbers peak at more than one million, the most ever for a premiere night on the Steam platform, and an industry record for a single-player production. Less positively, in excess of 17,000 Steam users gave Cyberpunk a rating of just 71%, with their complaints of bugs in the game pushing CD Projekt's shares as much as 7.5% lower.

Before the release, Cyberpunk's average rating was 91% on Metacritic, a website that aggregates journalists' reviews. That less-than-perfect verdict also weighed on the stock earlier this week, paring its gains of almost 60% in 2020 as of last Friday. The stakes are high for CD Projekt as, after eight years of developing Cyberpunk, the game is the studio's only new franchise. The company said Thursday it's already working on fixes and is confident the issues will be resolved, and that it wants to publish initial sales data before Christmas.

Security

iPhone Zero-Click Wi-Fi Exploit is One of the Most Breathtaking Hacks Ever (arstechnica.com) 114

Dan Goodin, writing for ArsTechnica: Earlier this year, Apple patched one of the most breathtaking iPhone vulnerabilities ever: a memory corruption bug in the iOS kernel that gave attackers remote access to the entire device -- over Wi-Fi, with no user interaction required at all. Oh, and exploits were wormable -- meaning radio-proximity exploits could spread from one nearby device to another, once again, with no user interaction needed. This Wi-Fi packet of death exploit was devised by Ian Beer, a researcher at Project Zero, Google's vulnerability research arm. In a 30,000-word post published on Tuesday afternoon, Beer described the vulnerability and the proof-of-concept exploit he spent six months developing single-handedly. Almost immediately, fellow security researchers took notice.

"This is a fantastic piece of work," Chris Evans, a semi-retired security researcher and executive and the founder of Project Zero, said in an interview. "It really is pretty serious. The fact you don't have to really interact with your phone for this to be set off on you is really quite scary. This attack is just you're walking along, the phone is in your pocket, and over Wi-Fi someone just worms in with some dodgy Wi-Fi packets." Beer's attack worked by exploiting a buffer overflow bug in a driver for AWDL, an Apple-proprietary mesh networking protocol that makes things like Airdrop work. Because drivers reside in the kernel -- one of the most privileged parts of any operating system -- the AWDL flaw had the potential for serious hacks. And because AWDL parses Wi-Fi packets, exploits can be transmitted over the air, with no indication that anything is amiss.

Bug

New Videogame Bug Turns Spider-Man Into a Trash Can (gamespot.com) 52

A new bug in the PlayStation game Spider-Man: Miles Morales "turns Miles into various inanimate objects, including bricks, cardboard boxes, and even a trash can," reports GameSpot: Despite Miles' changed appearance, he can still perform many of his heroic antics, including web-swinging and beating up bad guys. It's an important lesson to all of us in these trying times: You might look like trash, but you can still do your job.

Today Engadget reports that the glitch even turns Spider-Man into a patio heater: If you've ever wanted to keep people toasty warm while fighting crime, now's your chance.

We've asked [the game's creator] Insomniac Games for comment, although it already tweeted that the hiccup was "equally embarrassing as it is heart-warming." Into the Spider-Verse's Phil Lord joked that the heater would find its way into the sequel if the team had "any self respect at all."

Security

2FA Bypass Discovered In Web Hosting Software cPanel (zdnet.com) 9

An anonymous reader quotes a report from ZDNet: Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage websites for their customers. The bug, discovered by security researchers from Digital Defense, allows attackers to bypass two-factor authentication (2FA) for cPanel accounts. These accounts are used by website owners to access and manage their websites and underlying server settings. Access to these accounts is critical, as once compromised, they grant threat actors full control over a victim's site.

On its website, cPanel boasts that its software is currently used by hundreds of web hosting companies to manage more than 70 million domains across the world. But in a press release today, Digital Defense says that the 2FA implementation on older cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed threat actors to guess URL parameters and bypass 2FA -- if 2FA was enabled for an account. While brute-force attacks, in general, usually take hours or days to execute, in this particular case the attack required only a few minutes, Digital Defense said today. Exploiting this bug also requires that attackers have valid credentials for a targeted account, but these can be obtained by phishing the website owner. The good news is that Digital Defense privately reported the bug, tracked as SEC-575, to the cPanel team, which released patches last week.

Security

'Smart' Doorbells For Sale On Amazon, eBay Came Stocked With Security Vulnerabilities (cyberscoop.com) 30

The U.K.-based security company NCC Group and consumer advocacy group Which? have found vulnerabilities in 11 "smart" doorbells sold on popular platforms like Amazon and eBay. CyberScoop reports: One flaw could allow a remote attacker to break into the wireless network by swiping login credentials. Another critical bug, which has been around for years, could enable attackers to intercept and manipulate data on the network. The investigation focused on doorbells made by often obscure vendors, but which nonetheless earned top reviews and featured prominently on Amazon and eBay. The researchers raised concerns that some of the devices were storing sensitive data, including location data and audio and video captured by the doorbell's camera, on insecure servers. One device made by a company called Victure, for example, sent a user's wireless name and password, unencrypted, to servers in China, according to the researchers.

In a statement, Amazon said it requires products sold on its site to be compliant with applicable laws and regulations, and that it has tools to detect "unsafe or non-compliant products from being listed in our stores." eBay said it takes down listings that violate its safety standards, but that the devices flagged by the researchers did not meet that threshold. Victure did not immediately respond to a request for comment. The NCC Group-Which? team said they tried to contact the various vendors of the vulnerable smart doorbells, with mixed success. The unnamed vendor of one device, for example, removed an online listing for the product after the researchers shared their findings.

Communications

'Code is Sourdough' (increment.com) 70

Romello Goodman, a software engineer at The New York Times, writing at Increment: Like a sourdough starter passed through the hands of many bakers -- some novices, some experienced -- a codebase reflects how teammates communicate with one another. It's a snapshot of our thinking and our best attempts at codifying norms and assumptions. It's a conversation in which each person contributes and is in conversation with those who came before them. With each new feature or bug report, we understand our code better. We identify areas where new logic doesn't quite fit with existing logic. We're constantly in touch with our own past decisions and those of our coworkers. We're working together, trying to harmonize and match one another's thinking patterns and assumptions. We trust one another to make decisions for the good of the team and the organization. Every piece of new code adds to the culture and cultivates our shared understanding.

If code is sourdough, we have an opportunity to better appreciate the histories and context that have gone into it. In software, we tend to think of legacy code as something that should be thrown away or rewritten, often conflating a codebase's age with its health and viability. But code doesn't age in a vacuum. If sourdough can be passed down from person to person over decades, then so can code. The preservation of decisions and experience is tied to the preservation of our codebase. Even when the code itself is no longer being updated, documentation around the logic or the underlying platform and adjacent technologies can keep a codebase and its culture vibrant. You can then pass that culture on for another team to bake with. It might just taste better than you'd expect.

Twitter

Twitter's Launch of Fleets: Lag, Some Crashes, Bugs, Skepticism and Cat Pics (cnet.com) 30

CNET reports on Twitter's rocky rollout of "fleets" which disappear after 24 hours: In a blog post, Twitter said global tests of the feature indicated the tool helped people feel more comfortable joining public conversations on the service. "Those new to Twitter found Fleets to be an easier way to share what's on their mind," the company said. "Because they disappear from view after a day, Fleets helped people feel more comfortable sharing personal and casual thoughts, opinions and feelings."

And, apparently, sharing cat content. "Don't really care for fleets," one wrote, "but the fact that 90% of the ones I've seen so far have cats in them brings me joy...."

The feature's debut Tuesday brought its share of complaints about the product, with some people saying the Fleets froze, lagged or made their Twitter crash. "We're aware of some issues people may be having and are working to fix them," a Twitter spokesperson said.

"Earlier this week, Twitter officially rolled out Fleets, a new feature that — ahem — takes inspiration from Instagram Stories and Snapchat Stories," writes Android Central, "and boy do people have opinions on it."

But users should warm up to the feature eventually, experts tell NBC News: [A]lthough users lambasted Fleets...those same users began to use the function almost immediately.

While there are valid critiques of Fleets and how they could be used in regard to misinformation and harassment, experts say the users' first reaction will typically be to resist changes to a site or app that they've grown accustomed to, even though they typically adopt the change as the preferred version of the platform later on.

Yet by the weekend Twitter was already acknowledging its first major bug with fleets, exploitable "through a technical workaround where some Fleets media URLs may be accessible after 24 hours," according to The Verge: The "workaround" referenced appears to be a developer app that could scrape fleets from public accounts via Twitter's API. The Twitter API doesn't return URLs for fleets that are older than 24 hours, according to the company, and once the fix is rolled out, even if someone has a URL for an active fleet, it won't work after the expiration point.

The Verge also points out that "while fleets are only visible on users' timelines for 24 hours, Twitter stores fleets on its back end for up to 30 days, longer for fleets that violate its rules and may require enforcement action, the company says."

Bug

Apple Lets Some Network Traffic Bypass Firewalls on MacOS Big Sur (arstechnica.com) 113

"Security researchers are blasting Apple for a feature in the latest Big Sur release of macOS that allows some Apple apps to bypass content filters and VPNs..." reports Threatpost. "While users assumed Apple would fix the flaw before the OS emerged from beta into full release, this doesn't appear to have happened."

"Beginning with macOS Catalina released last year, Apple added a list of 50 Apple-specific apps and processes that were to be exempted from firewalls like Little Snitch and Lulu," explains Ars Technica: The undocumented exemption, which didn't take effect until firewalls were rewritten to implement changes in Big Sur, first came to light in October. Patrick Wardle, a security researcher at Mac and iOS enterprise developer Jamf, further documented the new behavior over the weekend. To demonstrate the risks that come with this move, Wardle — a former hacker for the NSA — demonstrated how malware developers could exploit the change to make an end-run around a tried-and-true security measure...

Wardle tweeted a portion of a bug report he submitted to Apple during the Big Sur beta phase. It specifically warns that "essential security tools such as firewalls are ineffective" under the change.

Apple has yet to explain the reason behind the change.

Open Source

The Few, the Tired, the Open Source Coders (wired.com) 71

Reader shanen shares a report (and offers this commentary): When the open source concept emerged in the '90s, it was conceived as a bold new form of communal labor: digital barn raisings. If you made your code open source, dozens or even hundreds of programmers would chip in to improve it. Many hands would make light work. Everyone would feel ownership. Now, it's true that open source has, overall, been a wild success. Every startup, when creating its own software services or products, relies on open source software from folks like Jacob Thornton: open source web-server code, open source neural-net code. But, with the exception of some big projects -- like Linux -- the labor involved isn't particularly communal. Most are like Bootstrap, where the majority of the work landed on a tiny team of people. Recently, Nadia Eghbal -- the head of writer experience at the email newsletter platform Substack -- published Working in Public, a fascinating book for which she spoke to hundreds of open source coders. She pinpointed the change I'm describing here. No matter how hard the programmers worked, most "still felt underwater in some shape or form," Eghbal told me.

Why didn't the barn-raising model pan out? As Eghbal notes, it's partly that the random folks who pitch in make only very small contributions, like fixing a bug. Making and remaking code requires a lot of high-level synthesis -- which, as it turns out, is hard to break into little pieces. It lives best in the heads of a small number of people. Yet those poor top-level coders still need to respond to the smaller contributions (to say nothing of requests for help or reams of abuse). Their burdens, Eghbal realized, felt like those of YouTubers or Instagram influencers who feel overwhelmed by their ardent fan bases -- but without the huge, ad-based remuneration. Sometimes open source coders simply walk away: Let someone else deal with this crap. Studies suggest that about 9.5 percent of all open source code is abandoned, and a quarter is probably close to being so. This can be dangerous: If code isn't regularly updated, it risks causing havoc if someone later relies on it. Worse, abandoned code can be hijacked for ill use. Two years ago, the pseudonymous coder right9ctrl took over a piece of open source code that was used by bitcoin firms -- and then rewrote it to try to steal cryptocurrency.

Privacy

Messaging App Go SMS Pro Exposed Millions of Users' Private Photos and Files (techcrunch.com) 17

Go SMS Pro, one of the most popular messaging apps for Android, is exposing photos, videos and other files sent privately by its users. Worse, the app maker has done nothing to fix the bug. TechCrunch reports: Security researchers at Trustwave discovered the flaw in August and contacted the app maker with a 90-day deadline to fix the issue, as is standard practice in vulnerability disclosure to allow enough time for a fix. But after the deadline elapsed without hearing back, the researchers went public. Trustwave shared its findings with TechCrunch this week.

When a Go SMS Pro user sends a photo, video or other file to someone who doesn't have the app installed, the app uploads the file to its servers, and lets the user share a web address by text message so the recipient can see the file without installing the app. But the researchers found that these web addresses were sequential. In fact, any time a file was shared -- even between app users -- a web address would be generated regardless. That meant anyone who knew about the predictable web address could have cycled through millions of different web addresses to users' files. Go SMS Pro has more than 100 million installs, according to its listing in Google Play.

Privacy

Apple Responds To Gatekeeper Issue With Upcoming Fixes (techcrunch.com) 54

Apple has updated a documentation page detailing the company's next steps to prevent last week's Gatekeeper bug from happening again. The company plans to implement the fixes over the next year. From a report: Apple had a difficult launch day last week. The company released macOS Big Sur, a major update for macOS. Apple then suffered from server-side issues. Third-party apps failed to launch as your Mac couldn't check the developer certificate of the app. That feature, called Gatekeeper, makes sure that you didn't download a malware app that disguises itself as a legit app. If the certificate doesn't match, macOS prevents the app launch. Many have been concerned about the privacy implications of the security feature. Does Apple log every app you launch on your Mac to gain competitive insights on app usage? It turns out it's easy to answer that question as the server doesn't mandate encryption. Jacopo Jannone intercepted an unencrypted network request and found out that Apple is not secretly spying on you. Gatekeeper really does what it says it does. "We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices," the company wrote.

GNOME

Ubuntu Patches Bug That Tricked Gnome Desktop Into Giving Root Access (arstechnica.com) 25

"Ubuntu developers have fixed a series of vulnerabilities that made it easy for standard users to gain coveted root privileges," reports Ars Technica: "This blog post is about an astonishingly straightforward way to escalate privileges on Ubuntu," Kevin Backhouse, a researcher at GitHub, wrote in a post published on Tuesday. "With a few simple commands in the terminal, and a few mouse clicks, a standard user can create an administrator account for themselves."

The first series of commands triggered a denial-of-service bug in a daemon called accountsservice, which as its name suggests is used to manage user accounts on the computer... With the help of a few extra commands, Backhouse was able to set a timer that gave him just enough time to log out of the account before accountsservice crashed. When done correctly, Ubuntu would restart and open a window that allowed the user to create a new account that — you guessed it — had root privileges...

The second bug involved in the hack resided in the GNOME display manager, which among other things manages user sessions and the login screen. The display manager, which is often abbreviated as gdm3, also triggers the initial setup of the OS when it detects no users currently exist. "How does gdm3 check how many users there are on the system?" Backhouse asked rhetorically. "You probably already guessed it: by asking accounts-daemon! So what happens if accounts-daemon is unresponsive....?"

The vulnerabilities could be triggered only when someone had physical access to, and a valid account on, a vulnerable machine. It worked only on desktop versions of Ubuntu.

"This bug is now tracked as CVE-2020-16125 and rated with a high severity score of 7.2 out of 10. It affects Ubuntu 20.10, Ubuntu 20.04, and Ubuntu 18.04..." reports Bleeping Computer.

They add that the GitHub security researcher who discovered the bugs "reported them to Ubuntu and GNOME maintainers on October 17, and fixes are available in the latest code."

Medicine

Why It's a Big Deal If the First COVID-19 Vaccine Is 'Genetic' (wired.com) 245

An anonymous reader shares an excerpt from Wired: On Monday morning, when representatives from the drug company Pfizer said that its Covid-19 vaccine appears to be more than 90 percent effective, stocks soared, White House officials rushed to (falsely) claim credit, and sighs of relief went up all around the internet. [...] The arrival of an effective vaccine to fight SARS-CoV-2 less than a year after the novel coronavirus emerged would smash every record ever set by vaccine makers. "Historic isn't even the right word," says Larry Corey of the Vaccine and Infectious Disease Division at the Fred Hutchinson Cancer Center. A renowned virologist, Corey has spent the last three decades leading the search for a vaccine against the virus that causes AIDS. He's never seen an inoculation developed for a new bug in under five years, let alone one. "It's never happened before, never, not even close," he says. "It's just an amazing accomplishment of science."

And perhaps even more monumental is the kind of vaccine that Pfizer and BioNTech are bringing across the finish line. The active ingredient inside their shot is mRNA -- mobile strings of genetic code that contain the blueprints for proteins. Cells use mRNA to get those specs out of hard DNA storage and into their protein-making factories. The mRNA inside Pfizer and BioNTech's vaccine directs any cells it reaches to run a coronavirus spike-building program. The viral proteins these cells produce can't infect any other cells, but they are foreign enough to trip the body's defense systems. They also look enough like the real virus to train the immune system to recognize SARS-CoV-2, should its owner encounter the infectious virus in the future. Up until now, this technology has never been approved for use in people. A successful mRNA vaccine won't just be a triumph over the new coronavirus, it'll be a huge leap forward for the science of vaccine making.

[I]n the last decade, the field has started to move away from this see-what-sticks approach toward something pharma folks call "rational drug design." It involves understanding the structure and function of the target -- like say, the spiky protein SARS-CoV-2 uses to get into human cells -- and building molecules that can either bind to that target directly, or produce other molecules that can. Genetic vaccines represent an important step in this scientific evolution. Engineers can now design strands of mRNA on computers, guided by algorithms that predict which combination of genetic letters will yield a viral protein with just the right shape to prod the human body into producing protective antibodies. In the last few years, it's gotten much easier and cheaper to make mRNA and DNA at scale, which means that as soon as scientists have access to a new pathogen's genome, they can start whipping up hundreds or thousands of mRNA snippets to test -- each one a potential vaccine. The Chinese government released the genetic sequence of SARS-CoV-2 in mid-January. By the end of February, BioNTech had identified 20 vaccine candidates, of which four were then selected for human trials in Germany. [...] Genetic vaccines might be proving they can work -- but it's still not definitive, and they may not yet work for everyone. That's why experts say it's so crucial to continue supporting ongoing trials for the more than 60 other vaccine candidates still in various stages of human testing. What older technologies lack in terms of speed, they make up for in durability.

Security

Google To GitHub: Time's Up -- This Unfixed 'High-Severity' Security Bug Affects Developers (zdnet.com) 32

Google Project Zero, the Google security team that finds bugs in all popular software, has disclosed what it classes a high-severity flaw on GitHub after the code-hosting site asked for a double extension on the normal 90-day disclosure deadline. From a report: The bug in GitHub's Actions feature -- a developer workflow automation tool -- has become one of the rare vulnerabilities that wasn't properly fixed before Google Project Zero's (GPZ) standard 90-day deadline expired. Over 95.8% of flaws are fixed within the deadline, according to Google's hackers. GPZ is known to be generally strict with its 90-day deadline, but it appears GitHub was a little lax in its responses as the deadline approached after Google gave it every chance to fix the bug. As detailed in a disclosure timeline by GPZ's Felix Wilhelm, the Google security team reported the issue to GitHub's security on July 21 and a disclosure date was set for October 18. According to Wilhelm, Actions' workflow commands are "highly vulnerable to injection attacks."

Iphone

Is This the End of the Repairable iPhone? (ifixit.com) 76

iFixit: After exhaustive testing, comparing notes with multiple repair technicians, and reviewing leaked Apple training documents, we've found that the iPhone 12 camera is entirely unreliable when swapped between iPhones. This latest fault, along with indications from Apple's repair guides, makes it more clear than ever: Apple, by design or neglect or both, is making it extremely hard to repair an iPhone without their blessing. This may be a bug that Apple eventually fixes. There is even precedent for iPhone parts misbehaving when swapped between phones.

But it is also possible that Apple is planning on locking out all unauthorized iPhone camera and screen repairs. Apple's internal training guides tell authorized technicians that, starting with the 12 and its variants, they will need to run Apple's proprietary, cloud-linked System Configuration app to fully repair cameras and screens. We are very concerned about this possibility.

Chrome

Google Patched an Actively-Exploited Zero-Day Bug in Chrome (threatpost.com) 14

"Google released an update to its Chrome browser that patches a zero-day vulnerability in the software's FreeType font rendering library that was actively being exploited in the wild," Threatpost reported this week: Security researcher Sergei Glazunov of Google Project Zero discovered the bug, which is classified as a type of memory-corruption flaw called a heap buffer overflow in FreeType. Glazunov informed Google of the vulnerability on Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.

By Tuesday, Google already had released a stable channel update, Chrome version 86.0.4240.111, that deploys five security fixes for Windows, Mac & Linux — among them a fix for the zero-day, which is being tracked as CVE-2020-15999 and is rated as high risk. "Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild," Prudhvikumar Bommana of the Google Chrome team wrote in a blog post announcing the update Tuesday... "The fix is also in today's stable release of FreeType 2.10.4," Ben Hawkes, technical lead for the Project Zero team, tweeted. Meanwhile, security researchers took to Twitter to encourage people to update their Chrome browsers immediately to avoid falling victim to attackers aiming to exploit the flaw...

In addition to the FreeType zero day, Google patched four other bugs — three of high risk and one of medium risk — in the Chrome update released this week... So far in the last 12 months Google has patched three zero-day vulnerabilities in its Chrome browser.

Chrome

Chrome Caught Exempting Google Sites From User Requests To Delete Data (msn.com) 50

This week the Verge reported: If you ask Chrome to delete all cookies and site data whenever you quit the browser, it's reasonable to expect that this policy applies to all websites. Recently, though, a bug in the browser meant data wasn't being removed for two sites in particular: Google and YouTube.

This problem was first documented by iOS developer Jeff Johnson on his blog. Johnson found that in Chrome version 86.0.4240.75, "local storage" data for Google.com and YouTube.com stuck around even after restarting the browser. We've been able to replicate similar behavior... The Register notes that Chrome's behavior could allow Google to stash cookie-style data as site data, allowing it to track users even when they think they're being careful by deleting their cookie and site data every time they close the browser.

In a statement, Google said it was aware of the issue and was working on a fix... At least one of the affected sites, YouTube, appears to have already been fixed. After we upgraded the Chrome browser to version 86.0.4240.111, YouTube's local storage data seems to successfully purge after a restart, although the data from Google.com still sticks around.
