Apple

Apple Says App Store Appeals Process is Now Live, So Developers Can Start Challenging Decisions (theverge.com)

Apple on Monday announced that its new App Store appeals process, first revealed at WWDC in June, is now live, meaning developers can challenge Apple over whether their app is in fact violating one of its guidelines. In addition to that, Apple says developers can also suggest changes to the App Store guidelines through a form submission on its online developer portal. From a report: "For apps that are already on the App Store, bug fixes will no longer be delayed over guideline violations except for those related to legal issues. You'll instead be able to address guideline violations in your next submission," reads a note posted to Apple's developer website. "And now, in addition to appealing decisions about whether an app violates guidelines, you can suggest changes to the guidelines." These changes were introduced at WWDC on the heels of a rather public feud with software maker Basecamp, the creator of a new email service called Hey. Basecamp openly challenged Apple over whether it could distribute an iOS companion app to its email service without including in-app sign-up options, as Hey costs $99 a year and Basecamp felt it unnecessary to give Apple its standard 30 percent cut of that revenue (although Apple does only take 15 percent of in-app subscription revenue after one year of service). Apple, in response, held up the company's bug fixes and update capability.
Windows

Microsoft Tests Fix For Bug That Defrags SSD Drives Too Often (bleepingcomputer.com)

An anonymous reader shares a report: Windows 10 May 2020 Update, otherwise known as version 2004, was released in May with at least ten known issues. Microsoft later expanded the list of the problems and acknowledged that this feature update is also plagued with a bug that breaks the Drive Optimize tool. After upgrading to Windows 10 version 2004, users observed that Optimize Drives (also known as the defragmentation tool) is not correctly recording the last time a drive has been optimized. As a result, when you open the tool, you will see that your SSD drive says it 'Needs Optimization' even though you've manually optimized the drives already or automatic maintenance was run this morning. Since the last optimization times are forgotten, Windows 10's built-in maintenance tool started defragging an SSD drive much more often when you restart Windows. With Windows 10 Build 19042.487 (20H2) for Insiders, Microsoft has finally resolved all problems with the Optimize Drives (also known as the defragmentation tool).
Businesses

Tens of Suspects Arrested For Cashing-out Santander ATMs Using Software Glitch (zdnet.com)

An anonymous reader writes: The FBI and local police have made tens of arrests across the tri-state area this week as part of a crackdown against multiple criminal gangs who exploited a glitch in the software of Santander ATMs to cash-out more money than was stored on cards. According to reports in local media, the bulk of the arrests took place in Hamilton (20 suspects), across towns in Morris County (19), and Sayreville (11). Smaller groups of suspects were also detained in Bloomfield, Robbinsville, and Holmdel, while reports of suspicious cash-outs were also recorded in Woodbridge, towns across Middlesex County, Boonton, Randolph, Montville, South Windsor, Hoboken, Newark, and even in New York City itself, in Brooklyn. Based on information ZDNet received from a Santander spokesperson, sources in the threat intelligence community, and details released by police departments in the affected towns, criminal gangs appear to have found a bug in the software of Santander ATMs.
Security

Former Uber Exec Charged With Paying 'Hush Money' To Conceal Massive Breach (npr.org)

Federal prosecutors have charged Uber's former chief security officer with covering up a massive 2016 data breach by arranging a $100,000 payoff to the hackers responsible for the attack. The personal data of 57 million Uber passengers and drivers was stolen in the hack. NPR reports: Prosecutors are charging the former executive Joe Sullivan with obstructing justice and concealing a felony for the alleged cover-up. Sullivan "engaged in a scheme to withhold and conceal" the breach from regulators and failed to report it to law enforcement or the public, according to a complaint filed in federal court in California on Thursday.

"Sullivan is being charged with a corporate cover-up and Sullivan is being charged with the payment of hush money to conceal something that should have been revealed," David Anderson, U.S. attorney for the Northern District of California, told NPR. Sullivan not only allegedly hid the breach from authorities, but also concealed it from many other Uber employees, including top management -- with one exception. According to the complaint, Uber's CEO at the time, Travis Kalanick, knew about the incident and about the steps Sullivan took to allegedly cover it up, including making the $100,000 payout under Uber's "bug bounty" program. Kalanick has not been charged and wouldn't comment for this story.

Like many tech companies, Uber pays so-called "white hat" hackers to test its systems for vulnerabilities. But the payment Uber made in this case was much larger than any bug bounty it had paid before, the complaint said, noting the company's program "had a nominal cap of $10,000." Uber required the hackers to sign nondisclosure agreements, also not standard practice for a bug bounty, the complaint alleged. Those agreements falsely said that the hackers did not take or store any data. "The problem is that this hush money payment was not a bug bounty," Anderson said. "We allege that this entire course of conduct reflects [Sullivan's] consciousness of guilt and desperation to conceal."

Security

Google Fixes Major Gmail Bug Seven Hours After Exploit Details Go Public (zdnet.com)

On Wednesday, Google patched a major security bug impacting the Gmail and G Suite email servers. From a report: The bug could have allowed a threat actor to send spoofed emails mimicking any Gmail or G Suite customer. According to security researcher Allison Husain, who found and reported this issue to Google in April, the bug also allowed attackers to pass the spoofed emails as compliant with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), two of the most advanced email security standards. However, despite having 137 days to fix the reported issue, Google initially delayed patches past the disclosure deadline, planning to fix the bug sometime in September. Google engineers changed their mind yesterday after Husain published details about the bug on her blog, including proof-of-concept exploit code.
Privacy

An Alexa Bug Could Have Exposed Your Voice History To Hackers (wired.com)

An anonymous reader quotes a report from Wired: Findings published on Thursday by the security firm Check Point reveal that Alexa's Web services had bugs that a hacker could have exploited to grab a target's entire voice history, meaning their recorded audio interactions with Alexa. Amazon has patched the flaws, but the vulnerability could have also yielded profile information, including home address, as well as all of the "skills," or apps, the user had added for Alexa. An attacker could have even deleted an existing skill and installed a malicious one to grab more data after the initial attack. [...] For an attacker to exploit the vulnerabilities, they would need first to trick targets into clicking a malicious link, a common attack scenario. Underlying flaws in certain Amazon and Alexa subdomains, though, meant that an attacker could have crafted a genuine and normal-looking Amazon link to lure victims into exposed parts of Amazon's infrastructure. By strategically directing users to track.amazon.com -- a vulnerable page not related to Alexa, but used for tracking Amazon packages -- the attacker could have injected code that allowed them to pivot to Alexa infrastructure, sending a special request along with the target's cookies from the package-tracking page to skillsstore.amazon.com/app/secure/your-skills-page.

At this point, the platform would mistake the attacker for the legitimate user, and the hacker could then access the victim's full audio history, list of installed skills, and other account details. The attacker could also uninstall a skill the user had set up and, if the hacker had planted a malicious skill in the Alexa Skills Store, could even install that interloping application on the victim's Alexa account. Both Check Point and Amazon note that all skills in Amazon's store are screened and monitored for potentially harmful behavior, so it's not a foregone conclusion that an attacker could have planted a malicious skill there in the first place. Check Point also suggests that a hacker might be able to access banking data history through the attack, but Amazon disputes this, saying that information is redacted in Alexa's responses.

"The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us," an Amazon spokesperson told WIRED in a statement. "We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed."
Programming

What Makes Some Programming Languages the 'Most Dreaded'? (oreilly.com)

O'Reilly media's Vice President of Content Strategy (also the coauthor of Unix Power Tools) recently explored why several popular programming languages wound up on the "most dreaded" list in StackOverflow's annual developer survey: There's no surprise that VBA is the #1 disliked language. I'll admit to complete ignorance on Objective-C (#2), which I've never had any reason to play with. Although I'm a Perl-hater from way back, I'm surprised that Perl is so widely disliked (#3), but some wounds never heal. It will be interesting to see what happens after Perl 7 has been out for a few years. Assembly (#4) is an acquired taste (and isn't a single language)...
But he eventually suggests that both C and Java might be on the list simply because they have millions of users, citing a quote from C++ creator Bjarne Stroustrup: "there are only two kinds of languages: the ones people complain about and the ones nobody uses." Dislike of a language may be "guilt by association": dislike of a large, antiquated codebase with minimal documentation, and an architectural style in which every bug fixed breaks something else. Therefore, it's not surprising to see languages that used to be widely used but have fallen from popularity on the list... Java has been the language people love to hate since its birth. I was at the USENIX session in which James Gosling first spoke about Java (way before 1.0), and people left the room talking about how horrible Java was — none of whom had actually used the language because it hadn't been released yet...

If there's one language on this list that's associated with gigantic projects, it's Java. And there are a lot of things to dislike about it — though a lot of them have to do with bad habits that grew up around Java, rather than the language itself. If you find yourself abusing design patterns, step back and look at what you're doing; making everything into a design pattern is a sign that you didn't understand what patterns are really for... If you start writing a FactoryFactoryFactory, stop and take a nice long walk. If you're writing a ClassWithAReallyLongNameBecauseThatsHowWeDoIt, you don't need to. Java doesn't make you do that... I've found Java easier to read and understand than most other languages, in part because it's so explicit — and most good programmers realize that they spend more time reading others' code than writing their own.

He also notes that Python only rose to #23 on the "most dreaded" languages list, speculating that developers may appreciate its lack of curly braces, good libraries, and Jupyter notebooks. "Python wins the award for the most popular language to inspire minimal dislike. It's got a balanced set of features that make it ideal for small projects, and good for large ones."

"And what shall we say about JavaScript, sixteenth on the list? I've got nothing. It's a language that grew in a random and disordered way, and that programmers eventually learned could be powerful and productive... A language that's as widely used as JavaScript, and that's only 16th on the list of most dreaded languages, is certainly doing something right. But I don't have to like it."
Security

The NSA's Guidelines for Protecting Location Data (cisa.gov)

America's National Security Agency (NSA) "has shared new guidance with U.S. military and intelligence personnel, suggesting they take additional precautions to safeguard their location data," reports Engadget. "The agency argues the information devices and apps collect can pose a national security threat."

Ars Technica reports: The National Security Agency is recommending that some government workers and people generally concerned about privacy turn off find-my-phone, Wi-Fi, and Bluetooth whenever those services are not needed, as well as limit location data usage by apps. "Location data can be extremely valuable and must be protected," an advisory stated. "It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations."

NSA officials acknowledged that geolocation functions are enabled by design and are essential to mobile communications. The officials also admit that the recommended safeguards are impractical for most users. Mapping, location tracking of lost or stolen phones, automatically connecting to Wi-Fi networks, and fitness trackers and apps are just a few of the things that require fine-grained locations to work at all. But these features come at a cost. Adversaries may be able to tap into location data that app developers, advertising services, and other third parties receive from apps and then store in massive databases. Adversaries may also subscribe to services such as those offered by Securus and LocationSmart, two services that The New York Times and KrebsOnSecurity documented, respectively. Both companies either tracked or sold locations of customers collected by the cell towers of major cellular carriers.

Not only did LocationSmart leak this data to anyone who knew a simple trick for exploiting a common class of website bug, but a Vice reporter was able to obtain the real-time location of a phone by paying $300 to a different service. The New York Times also published this sobering feature outlining services that use mobile location data to track the histories of millions of people over extended periods.

The advisory also warns that tracking often happens even when cellular service is turned off, since both Wi-Fi and Bluetooth can also track locations and beam them to third parties connected to the Internet or with a sensor that's within radio range.

Long-time Slashdot reader AmiMoJo shares some of the agency's other recommendations:
  • Enter airplane mode when not using the device
  • Minimize web browsing on your device and do not allow browsers to access location services
  • Use an anonymous VPN
  • Minimize location information stored in the cloud

The Internet

Instagram Wasn't Removing Photos and Direct Messages From Its Servers (techcrunch.com)

A security researcher was awarded a $6,000 bug bounty payout after he found Instagram retained photos and private direct messages on its servers long after he deleted them. From a report: Independent security researcher Saugat Pokharel found that when he downloaded his data from Instagram, a feature it launched in 2018 to comply with new European data rules, his downloaded data contained photos and private messages with other users that he had previously deleted. It's not uncommon for companies to store freshly deleted data for a time until it can be properly scrubbed from its networks, systems and caches. Instagram said it takes about 90 days for deleted data to be fully removed from its systems. But Pokharel found that his ostensibly deleted data from more than a year ago was still stored on Instagram's servers, and could be downloaded using the company's data download tool. Pokharel reported the bug in October 2019 through Instagram's bug bounty program. The bug was fixed earlier this month, he said.
Bug

Single-line Software Bug Causes Fledgling YAM Cryptocurrency To Implode Just Two Days After Launch (theregister.com)

A two-day-old decentralized cryptocurrency called YAM collapsed this week after its creators revealed that a software bug had effectively vetoed human governance. From a report: "At approximately 6PM UTC, on Wednesday, August 12, we discovered a bug in the YAM rebasing contract that would mint far more YAM than intended to sell to the Uniswap YAM/yCRV pool, sending a large amount of excess YAM to the protocol reserve," the YAM project explained in a post on Thursday. "Given YAM's governance module, this bug would render it impossible to reach quorum, meaning no governance action would be possible and funds in the treasury would be locked."

The bug followed from this line of code...
totalSupply = initSupply.mul(yamsScalingFactor);
...which was supposed to be...
totalSupply = initSupply.mul(yamsScalingFactor).div(BASE);

YAM, a decentralized finance experiment, implements a governance system (for making protocol changes) based on supposed smart contracts that allocate votes based on assets. [...] The code flaw locked up about $750,000 worth of Curve (yCRV) tokens in the YAM treasury, assets intended to serve as a reserve currency to support the value of YAM tokens.
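The missing .div(BASE) is a fixed-point scaling error: the scaling factor carries an implicit BASE multiplier, so multiplying by it without dividing it back out inflates the result by a factor of BASE. The following Python model, added here as an illustration and not taken from the YAM contracts, reproduces both the buggy and the corrected line with plain integers (Solidity's SafeMath mul/div and Python's integer arithmetic both truncate), and adds the kind of bound check a rebase could apply before minting. BASE = 10**18 and all token amounts are assumptions chosen for the example; the page does not give the real values.

```python
# Added example, not YAM's own code. Models the rebasing arithmetic described
# in the story using integer fixed-point math. BASE = 10**18 is an assumption
# (conventional for 18-decimal tokens); all sample amounts are constructed.

BASE = 10**18  # one "unit" of the scaling factor, i.e. a multiplier of 1.0


def scaling_factor_from_bps(bps: int) -> int:
    """Encode a rebase multiplier given in basis points as a fixed-point integer.

    10_000 bps == 1.0, so 10_500 bps (a +5% rebase) becomes 1.05 * BASE.
    Integer math only, so the factor is exact.
    """
    return BASE * bps // 10_000


def total_supply_buggy(init_supply: int, yams_scaling_factor: int) -> int:
    # Mirrors: totalSupply = initSupply.mul(yamsScalingFactor);
    # The BASE embedded in yamsScalingFactor is never removed, so the result
    # is BASE times too large.
    return init_supply * yams_scaling_factor


def total_supply_fixed(init_supply: int, yams_scaling_factor: int) -> int:
    # Mirrors: totalSupply = initSupply.mul(yamsScalingFactor).div(BASE);
    # Dividing by BASE restores the intended units (truncating like Solidity).
    return (init_supply * yams_scaling_factor) // BASE


def inflation_ratio(init_supply: int, yams_scaling_factor: int) -> int:
    """How many times larger the buggy supply is than the correct one."""
    return total_supply_buggy(init_supply, yams_scaling_factor) // total_supply_fixed(
        init_supply, yams_scaling_factor
    )


def within_rebase_bound(old_supply: int, new_supply: int, max_bps: int) -> bool:
    """Defensive invariant: a single rebase may move supply by at most max_bps.

    A check like this, evaluated before minting, would have rejected the
    BASE-times-too-large result instead of letting it reach the pool.
    """
    change = abs(new_supply - old_supply)
    return change * 10_000 <= old_supply * max_bps


if __name__ == "__main__":
    # Constructed scenario: 5,000,000 tokens (18 decimals) and a +5% rebase.
    init = 5_000_000 * BASE
    factor = scaling_factor_from_bps(10_500)
    good = total_supply_fixed(init, factor)
    bad = total_supply_buggy(init, factor)
    print("correct supply (tokens):", good // BASE)
    print("buggy   supply (tokens):", bad // BASE)
    print("buggy / correct        :", inflation_ratio(init, factor))
    print("correct passes 10% bound:", within_rebase_bound(init, good, 1_000))
    print("buggy   passes 10% bound:", within_rebase_bound(init, bad, 1_000))
```

Running the block shows the corrected line yielding 5,250,000 tokens while the buggy line yields that amount multiplied by 10**18; the bound check accepts the former and rejects the latter. The same pattern applies to any fixed-point multiply: every factor carrying a BASE must be paired with one division by BASE, and a supply-change limit at the mint site catches the cases where that pairing is wrong.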

Firefox

Firefox Gets Fix For Evil Cursor Attack (zdnet.com)

Firefox has fixed a bug that was being exploited in the wild by tech support scammers to create artificial mouse cursors and prevent users from easily leaving malicious sites. From a report: The bug was discovered being abused online by UK cyber-security firm Sophos and reported to Mozilla earlier this year. A bugfix was provided and has been live in Firefox since version 79.0, released last week. The bug is a classic "evil cursor" attack and works because modern browsers allow site owners to modify how the mouse cursor looks while users are navigating their websites. This type of customization might look useless, but it's often used for browser-based games, browser augmented reality, or browser virtual reality experiences. However, custom cursors have been a major problem for the regular web. In evil cursor attacks, malicious websites tamper with cursor settings in order to modify where the actual cursor is visible on screen, and where the actual click area is.
United States

Instagram Displayed Negative Related Hashtags For Biden, But Hid Them For Trump (buzzfeednews.com)

An anonymous reader shares a report: For at least the last two months, a key Instagram feature, which algorithmically pushes users toward supposedly related content, has been treating hashtags associated with President Donald Trump and presumptive Democratic presidential nominee Joe Biden in very different ways. Searches for Biden also return a variety of pro-Trump messages, while searches for Trump-related topics only returned the specific hashtags, like #MAGA or #Trump -- which means searches for Biden-related hashtags also return counter-messaging, while those for Trump do not. Earlier this week, a search on Instagram for #JoeBiden would have surfaced nearly 390,000 posts tagged with the former vice president's name along with related hashtags selected by the platform's algorithm. Users searching Instagram for #JoeBiden might also see results for #joebiden2020, as well as pro-Trump hashtags like #trump2020landslide and #democratsdestroyamerica.

A similar search for #DonaldTrump on the platform, however, provided a totally different experience. Besides showing 7 million posts tagged with the president's name, Instagram did not present any related hashtags that would have pushed users toward different content or promoted alternative viewpoints. The difference between these two results, which an Instagram spokesperson told BuzzFeed News was a "bug," prevented hashtags including #Trump and #MAGA from being associated with potentially negative content. Meanwhile, Instagram hashtags associated with the Democratic presidential candidate -- #JoeBiden and #Biden, for example -- were presented alongside content that included overtly pro-Trump content and attacks on the former vice president.

Twitter

Twitter Says Android Security Bug Gave Access To Direct Messages (techcrunch.com)

Twitter says a security bug may have exposed the private direct messages of its Android app users, but said that there was no evidence that the vulnerability was ever exploited. From a report: The bug could have allowed a malicious Android app running on the same device to siphon off a user's direct messages stored in the Twitter app by bypassing Android's in-built data permissions. But Twitter said that the bug only worked on Android 8 (Oreo) and Android 9 (Pie), and has since been fixed. A Twitter spokesperson told TechCrunch that the bug was reported by a security researcher "a few weeks ago" through HackerOne, which Twitter uses for its bug bounty program. "Since then, we have been working to keep accounts secure," said the spokesperson. "Now that the issue has been fixed, we're letting people know." Twitter said it waited to let its users know in order to prevent someone from learning about the issue and taking advantage of it before it was fixed.
Microsoft

Microsoft Goes Big in Security Bug Bounties: Its $13.7m is Double Google's 2019 Payouts (zdnet.com)

Microsoft has revealed it has awarded security researchers $13.7m for reporting bugs in Microsoft software since July last year. From a report: Microsoft's bug bounties are one of the largest sources of financial awards for researchers probing software for flaws and, importantly, reporting them to the relevant vendor rather than selling them to cybercriminals via underground markets or exploit brokers who distribute them to government agencies. The Redmond company has 15 bug-bounty programs through which researchers netted $13.7m between July 1, 2019 and June 30, 2020. That figure is triple the $4.4m it awarded in the same period the previous year. [...] Microsoft's total annual bug-bounty payouts are now much larger than Google's awards for security flaws in its software, which totaled $6.5m in calendar year 2019. That figure was double the previous year's payouts from the ad and search giant, which called it a "record-breaking year."
Microsoft

Microsoft Fixes Edge Bug That Made It Crash When Searching With Google (theverge.com)

"Microsoft's new Edge browser started randomly crashing when users typed into the address bar," reported the Verge on Thursday.

"The issues appear to have affected Edge users who had selected Google as the default search engine." Microsoft investigated the problem and now says it's believed to have been resolved. The Microsoft Edge crashes started at around 7PM ET, and were affecting macOS and Windows users. Microsoft resolved the problems after around four hours of crashes, but it's not clear why they were only limited to Google search users in Edge.

If users switched to Microsoft's Bing search engine within Edge, the crashes never occurred.

Red Hat Software

Red Hat Security Update Renders Systems Unbootable (redhat.com)

PAjamian writes: A recently released Red Hat update for the BootHole Vulnerability is causing systems to become unbootable. It is widely reported that updates to the shim, grub2 and kernel packages in RHEL and CentOS 7 and 8 are leaving various systems that use secure boot unbootable. Current recommendations are to avoid updating your system until the issue is resolved, or at least avoid updating the shim, grub2 and kernel packages. Update, shared by PAjamian: Red Hat is now recommending that users do not apply grub2, fwupd, fwupdate or shim updates until new packages are available.
Firefox

Firefox Working on Fixing a One-Year-Old Bug in Its Android App That Keeps Camera Active After Users Have Minimized the App or Locked Their Phone (zdnet.com)

Mozilla says it's working on fixing a bug in Firefox for Android that keeps the smartphone camera active even after users have moved the browser into the background or the phone screen is locked. From a report: A Mozilla spokesperson told ZDNet in an email this week that a fix is expected for later this year in October. The bug was first spotted and reported to Mozilla a year ago, in July 2019, by an employee of video delivery platform Appear TV. The bug manifests when users choose to stream video from a website loaded in Firefox instead of a native app. Mobile users often choose to stream from a mobile browser for privacy reasons, such as not wanting to install an intrusive app and grant it unfettered access to their smartphone's data. Mobile browsers are better because they prevent websites from accessing smartphone data, keeping their data collection to a minimum. The Appear TV developer noticed that Firefox video streams kept going, even in situations when they should have normally stopped.
Security

Microsoft Warns of a 17-Year-Old 'Wormable' Bug (wired.com)

Since WannaCry and NotPetya struck the internet just over three years ago, the security industry has scrutinized every new Windows bug that could be used to create a similar world-shaking worm. Now one potentially "wormable" vulnerability -- meaning an attack can spread from one machine to another with no human interaction -- has appeared in Microsoft's implementation of the domain name system protocol, one of the fundamental building blocks of the internet. From a report: As part of its Patch Tuesday batch of software updates, Microsoft today released a fix for a bug discovered by Israeli security firm Check Point, which the company's researchers have named SigRed. The SigRed bug exploits Windows DNS, one of the most popular kinds of DNS software that translates domain names into IP addresses. Windows DNS runs on the DNS servers of practically every small and medium-sized organization around the world. The bug, Check Point says, has existed in that software for a remarkable 17 years. Check Point and Microsoft warn that the flaw is critical, a 10 out of 10 on the common vulnerability scoring system, an industry standard severity rating. Not only is the bug wormable, but Windows DNS software also often runs on the powerful servers known as domain controllers that set the rules for networks. Many of those machines are particularly sensitive; a foothold in one would allow further penetration into other devices inside an organization.

On top of all of that, says Check Point's head of vulnerability research Omri Herscovici, the Windows DNS bug can in some cases be exploited with no action on the part of the target user, creating a seamless and powerful attack. "It requires no interaction. And not only that, once you're inside the domain controller that runs the Windows DNS server, expanding your control to the rest of the network is really easy," says Omri Herscovici. "It's basically game over." Check Point found the SigRed vulnerability in the part of Windows DNS that handles a certain piece of data that's part of the key exchange used in the more secure version of DNS known as DNSSEC. That one piece of data can be maliciously crafted such that Windows DNS allows a hacker to overwrite chunks of memory they're not meant to have access to, ultimately gaining full remote code execution on the target server. (Check Point says Microsoft asked the company not to publicize too many details of other elements of the technique, including how it bypasses certain security features on Windows servers.)

Microsoft

iPhone User Sues Microsoft's LinkedIn For Spying Through Apple's 'Clipboard' (reuters.com)

"Microsoft's LinkedIn was sued by a New York-based iPhone user on Friday for allegedly reading and diverting users' sensitive content from Apple Inc's Universal Clipboard application," reports Reuters. According to Apple's website, Universal Clipboard allows users to copy text, images, photos, and videos on one Apple device and then paste the content onto another Apple device. According to the lawsuit filed in San Francisco federal court by Adam Bauer, LinkedIn reads the Clipboard information without notifying the user. LinkedIn did not immediately respond to Reuters request for comment.

According to media reports from last week, 53 apps including TikTok and LinkedIn were reported to be reading users' Universal Clipboard content, after Apple's latest privacy feature started alerting users whenever the clipboard was accessed with a banner saying "pasted from Messages..."

A LinkedIn executive had said on Twitter last week that the company released a new version of its app to end this practice... According to the complaint, LinkedIn has not only been spying on its users, it has been spying on their nearby computers and other devices, and it has been circumventing Apple's Universal Clipboard timeout.

Bug

AI Researchers Create Testing Tool To Find Bugs in NLP From Amazon, Google, and Microsoft (venturebeat.com)

AI researchers have created a language-model testing tool that discovers major bugs in commercially available cloud AI offerings from Amazon, Google, and Microsoft. Yesterday, a paper detailing the CheckList tool received the Best Paper award from organizers of the Association for Computational Linguistics (ACL) conference. From a report: NLP models today are often evaluated based on how they perform on a series of individual tasks, such as answering questions using benchmark data sets with leaderboards like GLUE. CheckList instead takes a task-agnostic approach, allowing people to create tests that fill in cells in a spreadsheet-like matrix with capabilities (in rows) and test types (in columns), along with visualizations and other resources. Analysis with CheckList found that about one in four sentiment analysis predictions by Amazon's Comprehend change when a random shortened URL or Twitter handle is placed in text, and Google Cloud's Natural Language and Amazon's Comprehend make mistakes when the names of people or locations are changed in text. "The [sentiment analysis] failure rate is near 100% for all commercial models when the negation comes at the end of the sentence (e.g. 'I thought the plane would be awful, but it wasn't'), or with neutral content between the negation and the sentiment-laden word," the paper reads.
