AI

AI Spots Critical Microsoft Security Bugs 97% of the Time (venturebeat.com) 41

Microsoft claims to have developed a system that correctly distinguishes between security and non-security software bugs 99% of the time, and that accurately identifies the critical, high-priority security bugs on average 97% of the time. From a report: In the coming months, it plans to open-source the methodology on GitHub, along with example models and other resources. Their work suggests that such a system, which was trained on a data set of 13 million work items and bugs from 47,000 developers at Microsoft stored across AzureDevOps and GitHub repositories, could be used to support human experts. It's estimated that developers create 70 bugs per 1,000 lines of code and that fixing a bug takes 30 times longer than writing a line of code, and that in the U.S., $113 billion is spent annually on identifying and fixing product defects. In the course of architecting the model, Microsoft says that security experts approved the training data and that statistical sampling was used to provide those experts a manageable amount of data to review. The data was then encoded into representations called feature vectors and Microsoft researchers designed the system using a two-step process, in which the model first learned to classify security and non-security bugs and then to apply severity labels -- critical, important, low-impact -- to the security bugs.
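The two-step design described above (first decide whether a work item is a security bug at all, then assign a severity only to the items that pass the first gate) is worth seeing end to end. The block below is an added illustration written for this page, not Microsoft's model or training data: the labelled titles are constructed, the feature vectors are plain bag-of-words counts, and the classifier is a hand-rolled multinomial naive Bayes chosen only because it needs no third-party library. Any real system would use far more data and a richer encoder, but the pipeline shape (stage 2 trains only on items the stage-1 label lets through) is the same.

```python
import math
from collections import Counter

# Constructed training set standing in for the labelled work items the report
# describes: (title, is_security, severity). Severity is None for non-security items.
TRAINING = [
    ("remote code execution in font renderer", True, "critical"),
    ("authentication bypass in api token check", True, "critical"),
    ("unauthenticated sql injection in login form", True, "critical"),
    ("privilege escalation via service path", True, "important"),
    ("stored cross site scripting in comment field", True, "important"),
    ("verbose error message leaks version string", True, "low-impact"),
    ("missing rate limit on password reset", True, "low-impact"),
    ("typo in settings dialog", False, None),
    ("button misaligned on dashboard", False, None),
    ("crash when saving empty file", False, None),
    ("slow query on reports page", False, None),
    ("dark mode colors wrong", False, None),
    ("spelling error in tooltip", False, None),
    ("label text truncated in sidebar", False, None),
]


def tokenize(title):
    """Bag-of-words feature vector: lower-cased whitespace tokens."""
    return title.lower().split()


class NaiveBayes:
    """Multinomial naive Bayes with Laplace smoothing, the simplest classifier
    that works directly on bag-of-words feature vectors."""

    def __init__(self, labelled):
        self.doc_count = Counter()
        self.word_count = {}
        self.total_words = Counter()
        vocab = set()
        for text, label in labelled:
            self.doc_count[label] += 1
            counts = self.word_count.setdefault(label, Counter())
            for tok in tokenize(text):
                counts[tok] += 1
                self.total_words[label] += 1
                vocab.add(tok)
        self.vocab_size = len(vocab)
        self.n_docs = len(labelled)

    def predict(self, text):
        best_label, best_score = None, -math.inf
        for label in self.doc_count:
            score = math.log(self.doc_count[label] / self.n_docs)
            denom = self.total_words[label] + self.vocab_size
            for tok in tokenize(text):
                score += math.log((self.word_count[label][tok] + 1) / denom)
            if score > best_score:
                best_label, best_score = label, score
        return best_label


# Stage 1: security vs non-security, trained on every item.
STAGE1 = NaiveBayes([(t, "security" if sec else "non-security") for t, sec, _ in TRAINING])
# Stage 2: severity, trained only on the items stage 1 is meant to pass through.
STAGE2 = NaiveBayes([(t, sev) for t, sec, sev in TRAINING if sec])


def classify(title):
    """Returns (security_label, severity); severity is None for non-security bugs."""
    label = STAGE1.predict(title)
    if label != "security":
        return label, None
    return label, STAGE2.predict(title)


if __name__ == "__main__":
    for title in ("remote code execution via crafted document", "label overlaps icon on toolbar"):
        print(title, "->", classify(title))
```

The point of the split is that severity labels are only meaningful for security bugs, so the second model never sees (and never has to learn to ignore) the much larger pool of ordinary defects; the cost is that any stage-1 miss is unrecoverable downstream, which is why the first gate's 99% figure matters more than the second's.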
Twitter

Twitter Accused of Obliterating Its Users' Privacy Choices (eff.org) 102

The EFF's staff technologist, also an engineer on Privacy Badger and HTTPS Everywhere, writes: Twitter greeted its users with a confusing notification this week. "The control you have over what information Twitter shares with its business partners has changed," it said. The changes will "help Twitter continue operating as a free service," it assured. But at what cost?

Twitter has changed what happens when users opt out of the "Allow additional information sharing with business partners" setting in the "Personalization and Data" part of its site. The changes affect two types of data sharing that Twitter does... Previously, anyone in the world could opt out of Twitter's conversion tracking (type 1), and people in GDPR-compliant regions had to opt in. Now, people outside of Europe have lost that option. Instead, users in the U.S. and most of the rest of the world can only opt out of Twitter sharing data with Google and Facebook (type 2).

The article explains how last August Twitter discovered that its option for opting out of device-level targeting and conversion tracking "did not actually opt users out." But after fixing that bug, "advertisers were unhappy. And Twitter announced a substantial hit to its revenue... Now, Twitter has removed the ability to opt out of conversion tracking altogether."

While users in Europe are protected by GDPR, "users in the United States and everywhere else, who don't have the protection of a comprehensive privacy law, are only protected by companies' self-interest..." BoingBoing argues that Twitter "has just unilaterally obliterated all its users' privacy choices, announcing the change with a dialog box whose only button is 'OK.'"
Bug

Soil Gets Its Smell From Bacteria Trying To Attract Invertebrates (newscientist.com) 11

"Soil gets its characteristic earthy smell from certain chemicals produced primarily by soil-dwelling bacteria called Streptomyces," reports New Scientist. But as for why these bacteria produce these odors, researchers at the Swedish University of Agricultural Sciences in Alnarp discovered that the smell seems to attract invertebrates that help the bacteria disperse their spores. From the report: Paul Becher at the Swedish University of Agricultural Sciences in Alnarp and his colleagues set up field traps in woodland containing colonies of Streptomyces. They thought that the smell may act as a signal to other organisms that they are poisonous, because some bacteria like Streptomyces can be toxic. Instead, the smell -- which comes from gases released by Streptomyces, including geosmin and 2-methylisoborneol (2-MIB) -- seems to attract invertebrates that help the bacteria disperse their spores. Becher and his team found that springtails -- tiny cousins of insects -- that feed on Streptomyces were drawn to the traps containing the bacterial colonies, but weren't drawn to control traps that didn't contain Streptomyces. By comparison, insects and arachnids weren't attracted to the traps containing Streptomyces. The findings have been reported in the journal Nature Microbiology.
Nintendo

Nintendo's Animal Crossing Becomes New Hong Kong Protest Ground (bloomberg.com) 11

Nintendo's Animal Crossing has become a place for Hong Kong protesters to congregate without flouting social distancing rules. Bloomberg reports: Animal Crossing is a simulation game where players live on an idyllic tropical island and befriend anthropomorphic animals. Players can customize their islands with in-game illustrating tools and visit each other's islands online. Pro-democracy content created for the game has gone viral on social media, including Twitter. In a tweet last week, one of Hong Kong's most well-known democracy campaigners, Joshua Wong, said he was playing the game and that the movement had shifted online. In one video posted to Twitter, a group of players use bug-catching nets to hit pictures of the city's leader Carrie Lam on a beach in the game. A nearby poster states "Free Hong Kong. Revolution Now."
Bug

Some Users Experiencing System Crashes on macOS 10.15.4, Especially During Large File Transfers (macrumors.com) 58

A sizeable number of Mac users are experiencing occasional system crashes after updating to macOS Catalina version 10.15.4, released a few weeks ago. From a report: The crashing issue appears to be most prominent when users attempt to make large file transfers. In a forum post, SoftRAID described the issue as a bug and said that it is working with Apple engineers on a fix for macOS 10.15.5, or a workaround. SoftRAID said the issue extends to Apple-formatted disks: "There is a serious issue with 10.15.4. It shows up in different scenarios, even on Apple disks but is more likely when there are lots of IO threads. We think it is a threading issue. So while SoftRAID volumes are hit the hardest (it's now hard to copy more than 30GB of data at a time), all systems are impacted by this. In our bug report to Apple, we used a method to reproduce the problem with ONLY Apple formatted disks. Takes longer to reproduce, but that is more likely to get a faster fix to the user base."
Security

A Hacker Found a Way To Take Over Any Apple Webcam (wired.com) 52

An anonymous reader quotes a report from Wired: Apple has a well-earned reputation for security, but in recent years its Safari browser has had its share of missteps. This week, a security researcher publicly shared new findings about vulnerabilities that would have allowed an attacker to exploit three Safari bugs in succession and take over a target's webcam and microphone on iOS and macOS devices. Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link and an attacker would have been able to spy on them remotely.

The bugs Pickren found all stem from seemingly minor oversights. For example, he discovered that Safari's list of the permissions a user has granted to websites treated all sorts of URL variations as being part of the same site, like https://www.example.com, http://example.com and fake://example.com. By "wiggling around," as Pickren puts it, he was able to generate specially crafted URLs that could work with scripts embedded in a malicious site to launch the bait-and-switch that would trick Safari. A hacker who tricked a victim into clicking their malicious link would be able to quietly launch the target's webcam and microphone to capture video, take photos, or record audio. And the attack would work on iPhones, iPads, and Macs alike. None of the flaws are in Apple's microphone and webcam protections themselves, or even in Safari's defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise.
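The oversight the report singles out, a permission list that treats https://www.example.com, http://example.com and fake://example.com as one site, is a keying bug: grants were stored under something looser than the origin. The block below is an added illustration written for this page, not Safari's code and not Pickren's exploit chain. It contrasts a host-only key with a proper (scheme, host, port) origin key over a constructed permission store, using Python's standard URL parser; the probe URLs and the `GRANTS` table are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed permission store: the user granted camera and microphone to exactly one site.
GRANTS = {"https://www.example.com": {"camera", "microphone"}}


def loose_key(url):
    """Flawed keying in the spirit of the oversight described above: only a
    bare host survives, so scheme, a leading 'www.' and the port are all
    ignored. Illustrative only; this is not how Safari stored grants."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host or None


def origin_key(url):
    """Correct keying: the (scheme, host, port) origin tuple, and only for the
    schemes the permission model actually understands."""
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    try:
        port = parts.port or {"https": 443, "http": 80}[parts.scheme]
    except ValueError:  # non-numeric port: refuse rather than guess
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def build_store(key_fn):
    """Index the granted permissions under whatever key scheme is in use."""
    store = {}
    for url, caps in GRANTS.items():
        key = key_fn(url)
        if key is not None:
            store.setdefault(key, set()).update(caps)
    return store


def allowed(key_fn, url, capability):
    """Would a page loaded from `url` inherit `capability` under this keying?"""
    key = key_fn(url)
    return key is not None and capability in build_store(key_fn).get(key, set())


PROBES = [
    "https://www.example.com",          # the site the user actually approved
    "http://example.com",               # same host, plaintext scheme
    "fake://example.com",               # unknown scheme, same host
    "https://example.com.attacker.test",  # unrelated host
]

if __name__ == "__main__":
    for url in PROBES:
        print(f"{url:36} loose={allowed(loose_key, url, 'camera')!s:5} "
              f"origin={allowed(origin_key, url, 'camera')}")
```

Under `loose_key` the second and third probes inherit the camera grant, which is the shape of the bait-and-switch the report describes: a page that reaches the store through a different scheme gets treated as the approved site. Under `origin_key` only the exact origin the user saw in the prompt is honoured, and an unrecognised scheme yields no key at all rather than a partial match.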

Twitter

Twitter Discloses Firefox Bug That Cached Private Files Sent or Received via DMs (zdnet.com) 42

Social networking giant Twitter today disclosed a bug on its platform that impacted users who accessed it using the Firefox browser. From a report: According to Twitter, its platform stored private files inside the Firefox browser's cache -- a folder where websites store information and files temporarily. Twitter said that once users left its platform or logged off, the files would remain in the browser cache, allowing anyone to retrieve them. The company is now warning users who share workstations or used a public computer that some of their private files may still be present in the Firefox cache. Malware present on a system could also scrape and steal this data, if ever configured to do so.
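Whether a browser writes a response to its disk cache is decided by the response headers, and the common mistake is assuming `Cache-Control: private` or `no-cache` is enough. The block below is an added illustration for this page, not Twitter's configuration (the report does not show Twitter's actual headers) and not Firefox's cache implementation: it applies a simplified version of the RFC 7234 storage rule to two constructed header sets for a direct-message attachment and reports which one a browser may persist to disk.

```python
# Constructed response headers for a direct-message attachment. The weak set is
# a typical "we thought private was enough" configuration; the fixed set adds
# no-store. Neither is taken from Twitter.
WEAK_HEADERS = {
    "Content-Type": "image/jpeg",
    "Cache-Control": "private, max-age=0, must-revalidate",
    "ETag": '"abc123"',
}
FIXED_HEADERS = {
    "Content-Type": "image/jpeg",
    "Cache-Control": "no-store, private",
}

# Statuses a cache may store without an explicit freshness lifetime (RFC 7231).
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-True}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else True
    return directives


def may_persist_in_browser_cache(headers, status=200):
    """Simplified RFC 7234 storage rule for a browser's private disk cache.

    Only no-store forbids storing the bytes. 'private' merely excludes shared
    (proxy) caches, and 'no-cache' or 'max-age=0' only force revalidation
    before reuse, so the file still lands on disk where another local user
    or malware can read it after the session ends."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in cc:
        return False
    if status in HEURISTICALLY_CACHEABLE:
        return True
    # Other statuses need an explicit freshness lifetime to be stored.
    return "max-age" in cc or "s-maxage" in cc or "expires" in lowered


def audit(headers_by_path):
    """Return the paths whose responses a browser may persist to disk."""
    return [path for path, hdrs in headers_by_path.items()
            if may_persist_in_browser_cache(hdrs)]


if __name__ == "__main__":
    print(audit({"/dm/attachment/1.jpg": WEAK_HEADERS,
                 "/dm/attachment/2.jpg": FIXED_HEADERS}))
```

The practical check for any endpoint that serves per-user private content is therefore not "is `private` present" but "is `no-store` present"; the first header set above passes the former and fails the latter.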
Security

Ex-NSA Hacker Drops New Zero-Day Doom for Zoom (techcrunch.com) 22

Zoom's troubled year just got worse. From a report: Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom's popularity has rocketed, but also has led to an increased focus on the company's security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user's Mac, including tapping into the webcam and microphone. Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch. The two bugs, Wardle said, can be launched by a local attacker -- that's where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim's computer, allowing them to install malware or spyware.
Security

OpenWRT Code-Execution Bug Puts Millions of Devices At Risk (arstechnica.com) 60

Dan Goodin writes via Ars Technica: For almost three years, OpenWRT -- the open source operating system that powers home routers and other types of embedded systems -- has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said. Security researcher Guido Vranken recently found that updates and installation files were delivered over unencrypted HTTP connections, which are open to attacks that allow adversaries to completely replace legitimate updates with malicious ones. The researcher also found that it was trivial for attackers with moderate experience to bypass digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWRT maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.
[...]
The researcher said that OpenWRT maintainers have released a stopgap solution that partially mitigates the risk the bug poses. The mitigation requires new installations to be "set out from a well-formed list that would not sidestep the hash verification. However, this is not an adequate long-term solution because an attacker can simply provide an older package list that was signed by the OpenWRT maintainers." From there, attackers can use the same exploits they would use on devices that haven't received the mitigation. OpenWRT maintainers didn't immediately respond to questions asking why installation and update files are delivered over HTTP and when a longer-term fix might be available. In the meantime, OpenWRT users should install either version 18.06.7 or 19.07.1, both of which were released in February. These updates provide the stopgap mitigation.
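The two weaknesses in the stopgap described above are separable: a per-package hash check that can be sidestepped by a malformed list entry, and a signed list that is accepted even when it is older than one the device has already trusted. The block below is an added illustration for this page, not opkg or the OpenWrt maintainers' code. It models a signed package list on the device side with three fail-closed checks: signature over the whole list, a monotonically increasing list serial as rollback protection, and a per-package hash that must be present and well-formed. The HMAC stands in for a real detached signature (OpenWrt feeds use usign/Ed25519) only so the example runs on the standard library; the package names, contents and serials are constructed, and transport encryption is a separate layer not shown.

```python
import hashlib
import hmac
import json

# Stand-in for the maintainers' signing key. A real feed would use an
# asymmetric signature; HMAC is used here only so the example is self-contained.
SIGNING_KEY = b"constructed-maintainer-key"


def sign(blob):
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).hexdigest()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_package_list(serial, packages):
    """Maintainer side: record every package's SHA-256, stamp a monotonically
    increasing serial, and sign the whole list as one blob."""
    entries = {name: sha256_hex(data) for name, data in packages.items()}
    blob = json.dumps({"serial": serial, "packages": entries}, sort_keys=True).encode()
    return blob, sign(blob)


def verify_and_install(list_blob, signature, name, package_bytes, last_seen_serial):
    """Device side. Returns the list serial to persist as the new floor.
    Every check fails closed, including a missing or malformed hash entry."""
    # 1. The signature must cover the list exactly as received.
    if not hmac.compare_digest(sign(list_blob), signature):
        raise ValueError("package list signature invalid")
    package_list = json.loads(list_blob)
    # 2. Rollback protection: a genuinely signed but older list is still an
    #    attack, which is the gap the researcher points out in the stopgap.
    if package_list["serial"] < last_seen_serial:
        raise ValueError("package list is older than one already seen")
    # 3. A package absent from the list, or with a malformed entry, is rejected
    #    rather than installed with the hash check skipped.
    expected = package_list["packages"].get(name)
    if not isinstance(expected, str) or len(expected) != 64:
        raise ValueError(f"no usable hash for {name}")
    if not hmac.compare_digest(sha256_hex(package_bytes), expected):
        raise ValueError(f"hash mismatch for {name}")
    return package_list["serial"]


# Constructed scenario: an old and a new signed feed, plus a tampered package.
GOOD_PKG = b"#!/bin/sh\necho legitimate\n"
EVIL_PKG = b"#!/bin/sh\necho backdoor\n"
OLD_LIST, OLD_SIG = make_package_list(1, {"luci": GOOD_PKG})
NEW_LIST, NEW_SIG = make_package_list(2, {"luci": GOOD_PKG, "dropbear": GOOD_PKG})


def outcome(*args):
    """Run one install attempt and return either the new serial or the refusal."""
    try:
        return verify_and_install(*args)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(outcome(NEW_LIST, NEW_SIG, "luci", GOOD_PKG, 2))
    print(outcome(NEW_LIST, NEW_SIG, "luci", EVIL_PKG, 2))
    print(outcome(OLD_LIST, OLD_SIG, "luci", GOOD_PKG, 2))
    print(outcome(NEW_LIST, NEW_SIG, "busybox", GOOD_PKG, 2))
```

The third call is the replay the report warns about: the old list is authentic and its signature verifies, so a device that only checks signatures accepts it; only the persisted serial floor turns it into a refusal. Persisting that floor (and never lowering it) is what the device must add before the hash check alone can be trusted.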

Biotech

Some Researchers are Trying Mass Testing for Covid-19 Antibodies (wired.com) 43

An anonymous reader quotes Wired: Next week, blood banks across the Netherlands are set to begin a nationwide experiment. As donations arrive — about 7,000 of them per week is the norm — they'll be screened with the usual battery of tests that keep the blood supply safe, plus one more: a test for antibodies to SARS-CoV-2, the virus that causes Covid-19. Then, in a few weeks, another batch of samples will get the same test. And after that, depending on the numbers, there could be further rounds. The blood donors should be fairly representative of Dutch adults ages 18 to 75, and most importantly, they'll all be healthy enough for blood donation — or at least outwardly so...

Identifying what proportion of the population has already been infected is key to making the right decisions about containment... [B]ecause no Covid-19-specific serological [antibody] tests have been fully vetted yet, the FDA's latest guidance is that they shouldn't be relied upon for diagnoses. But in epidemiology circles, those tests are a sought-after tool for understanding the scope of the disease. Since February — which was either three weeks or a lifetime ago — epidemiologists have been trying to get the full scope of the number of infections here in the U.S... [A]s the disease has continued to spread and a patchwork of local "stay at home" rules begins to bend the course of the disease, projecting who has the disease and where the hot spots are has become more difficult for models to capture.

Instead, you need boots-on-the-ground surveillance. In other words, to fill the gap created by a lack of diagnostic tests, you need more testing — but of a different sort. This time you have to know how many total people have already fought the bug, and how recently they've fought it. "Of all the data out there, if there was a good serological assay that was very specific about individuating recent cases, that would be the best data we could have," says Alex Perkins, an epidemiologist at the University of Notre Dame. The key, he says, is drawing blood from a representative sample that would show the true scope of unobserved infections... Another motivation to develop better blood tests is the potential to develop therapeutics from antibody-rich blood serum.

Wired is currently providing free access to stories about the coronavirus.
Education

School Quits Video Calls After Naked Man 'Guessed' the Meeting Link (techcrunch.com) 143

An anonymous reader quotes a report from TechCrunch: A school in Norway has stopped using popular video conferencing service Whereby after a naked man apparently "guessed" the link to a video lesson. According to Norwegian state broadcaster NRK, the man exposed himself in front of several young children over the video call. The theory, according to the report, is that the man guessed the meeting ID and joined the video call. One expert quoted in the story said some are "looking" for links. Last year security researchers told TechCrunch that malicious users could access and listen in to Zoom and Webex video meetings by cycling through different permutations of meeting IDs in bulk. The researchers said the flaw worked because many meetings were not protected by a passcode.
Bug

Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic (bleepingcomputer.com) 19

An anonymous reader quotes a report from Bleeping Computer: A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption to expose users' data or leak their IP addresses. While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel as ProtonVPN disclosed.

The bug is due to Apple's iOS not terminating all existing Internet connections when the user connects to a VPN and having them automatically reconnect to the destination servers after the VPN tunnel is established. "Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own," ProtonVPN explains. "However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel." During the time the connections are outside of the VPN secure communication channels, this issue can lead to serious consequences. For instance, user data could be exposed to third parties if the connections are not encrypted themselves, and IP address leaks could potentially reveal the users' location or expose them and destination servers to attacks.
Until Apple provides a fix, the company recommends using Always-on VPN to mitigate this problem. "However, since this workaround uses device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN," the report adds.
Data Storage

HPE Says Firmware Bug Will Brick Some SSDs Starting in October this Year (zdnet.com) 97

An anonymous reader writes: Hewlett Packard Enterprise (HPE) issued a security advisory last week warning customers about a bug in the firmware of some SAS SSDs (Serial-Attached SCSI solid-state drives) that will fail after reaching 40,000 hours of operation -- which is 4 years, 206 days, and 16 hours after the SSD has been put into operation. HPE says that based on when affected SSDs have been manufactured and sold, the earliest failures are expected to occur starting with October this year. The company released firmware updates last week to address the issue. HPE warns that if companies fail to install the update, they risk losing both the SSD and the data. "After the SSD failure occurs, neither the SSD nor the data can be recovered," the company explained.
Robotics

If Robots Steal So Many Jobs, Why Aren't They Saving Us Now? (wired.com) 131

An anonymous reader quotes a report from Wired: Modern capitalism has never seen anything quite like the novel coronavirus SARS-CoV-2. In a matter of months, the deadly contagious bug has spread around the world, hobbling any economy in its path. [...] This economic catastrophe is blowing up the myth of the worker robot and AI takeover. We've been led to believe that a new wave of automation is here, made possible by smarter AI and more sophisticated robots. San Francisco has even considered a tax on robots -- replace a human with a machine, and pay a price. The problem will get so bad, argue folks like former presidential candidate Andrew Yang, we'll need a universal basic income to support our displaced human workers.

Yet our economy still craters without human workers, because the machines are far, far away from matching our intelligence and dexterity. You're more likely to have a machine automate part of your job, not destroy your job entirely. Moving from typewriters to word processors made workers more efficient. Increasingly sophisticated and sensitive robotic arms can now work side-by-side on assembly lines with people without flinging our puny bodies across the room, doing the heavy lifting and leaving the fine manipulation of parts to us. The machines have their strengths -- literally in this case -- and the humans have theirs.
While robots can do the labor we don't want to do or can't do, such as lifting car doors on an assembly line, they're not very good at problem-solving. "Think about how you would pick up a piece of paper that's lying flat on a table. You can't grip it like you would an apple -- you have to either pinch it to get it to lift off the surface, or drag it to hang over the edge of the table," writes Matt Simon via Wired. "As a kid, you learn to do that through trial and error, whereas you'd have to program a robot with explicit instructions to do the same."

In closing, Simon writes: "Overestimating robots and AI underestimates the very people who can save us from this pandemic: Doctors, nurses, and other health workers, who will likely never be replaced by machines outright. They're just too beautifully human for that."
Microsoft

Microsoft Says Hackers Are Attacking Windows Users With a New Unpatched Bug (techcrunch.com) 69

Microsoft says attackers are exploiting a previously undisclosed security vulnerability found in all supported versions of Windows, including Windows 10. From a report: But the software giant said there is currently no patch for the vulnerability. The security flaw, which Microsoft deems "critical" -- its highest severity rating -- is found in how Windows handles and renders fonts, according to the advisory posted Monday. The bug can be exploited by tricking a victim into opening a malicious document. Once the document is opened -- or viewed in Windows Preview -- an attacker can remotely run malware, such as ransomware, on a vulnerable device. The advisory said that Microsoft was aware of hackers launching "limited, targeted attacks," but did not say who was launching the attacks or at what scale.
Facebook

Facebook Bug Caused Legitimate News Articles About the Coronavirus To Be Marked As Spam 31

McGruber shares a report from Business Insider: Facebook is blocking users from posting some legitimate news articles about the coronavirus in what appears to be a bug in its spam filters. On Tuesday, multiple Facebook users reported on Twitter that they found themselves unable to post articles from certain news outlets including Business Insider, BuzzFeed, The Atlantic, and the Times of Israel. It's not clear exactly what has gone wrong, and Facebook did not respond to a request for comment.

Alex Stamos, an outspoken former Facebook security exec, speculated that it might be caused by Facebook's shift to automated software after it sent its human content moderators home. "It looks like an anti-spam rule at FB is going haywire," he wrote on Twitter. "Facebook sent home content moderators yesterday, who generally can't [work from home] due to privacy commitments the company has made. We might be seeing the start of the machine learning going nuts with less human oversight."
In a tweet, VP of Integrity Guy Rosen said: "We're on this -- this is a bug in an anti-spam system, unrelated to any changes in our content moderator workforce. We're in the process of fixing and bringing all these posts back."
AI

Surveillance Company Says It's Deploying 'Coronavirus-Detecting' Cameras In US (vice.com) 87

An Austin, Texas based technology company is launching "artificially intelligent thermal cameras" that it claims will be able to detect fevers in people, and in turn send an alert that they may be carrying the coronavirus. Motherboard reports: Athena Security is pitching the product to be used in grocery stores, hospitals, and voting locations. It claims to be deploying the product at several customer locations over the coming weeks, including government agencies, airports, and large Fortune 500 companies. "Our Fever Detection COVID19 Screening System is now a part of our platform along with our gun detection system which connects directly to your current security camera system to deliver fast, accurate threat detection," Athena's website reads. Athena previously sold software that it claims can detect guns and knives in video feeds and then send alerts to an app or security system.

"The AI detects it, and it says I have a 99.5 degrees temperature. It notices that I have a fever, and that I am infected," an Athena employee says during a video demonstration of the product. "Since higher temperature is one of the first symptoms, these cameras can be life-saving, warning the person that they could have the virus and encouraging that person to take serious steps to self-quarantine," the representative added in an email, suggesting that the company could deploy them at polling locations. "Although many voters today are bound to get it, steps in the coming weeks could prevent them from spreading the bug to loved ones and strangers alike." The representative claimed that the software is accurate within half a degree and that it detects a dozen different parts on the body. They added the system has "no facial recognition, no personal tracking."

Transportation

New Supercar Technology Does Away With Windshields (livemint.com) 114

The Wall Street Journal reports on a new technology being developed by McLaren Technology Centre for its "Elva," a multi-million dollar, 804-horsepower two-seat roadster.

It doesn't have a windshield... In place of a windscreen, Elva will debut a technology called Active Air Management System (AAMS). When engaged, it generates two air flows streaming over the cockpit: One glances off the low, curvaceous wind deflector rising out of the front bodywork, with an energy proportional to vehicle speed. The other airflow is scooped up in a low-mounted grille intake and turned 135 degrees. Now ducted up and slightly forward, this high pressure flow intercepts the deflected airflow, bending the combined flows over the cockpit. Meanwhile, streaming air clinging to the hood wants to be drawn down, below face level, following the Elva's curving scuttle and dash.

And so the Elva's historically unique, eye-of-the-hurricane gestalt: Driver and passenger motoring at highway speeds, talking at normal volume, as warm or as cool as desired and, looking out, seeing nothing... but scenery. No helmet limiting their peripheral vision as if looking through a well-padded porthole, stifling breath and sense of smell. And no heavy, roof-supporting "A" pillars either, which clumsily bracket existence in almost all modern cars. The Elva is the motoring equivalent of a horizonless pool.

Under the right conditions the Elva's system can billow precipitation out of the way, over the car, so the occupants stay dry. Heading up the mountain to Gstaad? With the AAMS active, falling snow will swirl past but never settle... What about bugs? I asked. Will they be deflected too? "It depends on the mass of the bug," said Andrew Kay, Elva project chief engineer, being completely serious. What about stones thrown up by trucks? Overtalk...inaudible... In any event, McLaren expects all occupants will be wearing helmets on piste and will only engage the AAMS bareheaded at moderate speeds...

At 60 mph, the wind was so still I could have lit a cigarette.

Microsoft

Microsoft Patches SMBv3 Wormable Bug That Leaked Earlier this Week (zdnet.com) 12

Microsoft today released a patch for a vulnerability in the SMBv3 protocol that accidentally leaked online earlier this week during the March 2020 Patch Tuesday preamble. From a report: The fix is available as KB4551762, an update for Windows 10, versions 1903 and 1909, and Windows Server 2019, versions 1903 and 1909. The update fixes CVE-2020-0796, a vulnerability in Server Message Block, a protocol for sharing files, printers, and other resources on local networks and the Internet. The bug allows attackers to connect to remote systems where the SMB service is enabled and run malicious code with SYSTEM privileges, allowing for remote takeovers of vulnerable systems. Earlier this week, due to what looks like a miscommunication between Microsoft and some antivirus vendors, details about this bug leaked online.
Open Source

FSF Plans to Launch 'Forge', a Code-Hosting/Collaboration Platform (fsf.org) 40

An anonymous reader quotes SD Times: The Free Software Foundation (FSF) announced plans to launch a public code hosting and collaboration platform ("forge") this year. Members of the FSF tech team are currently reviewing ethical web-based software that will help teams work on their projects, with features like merge requests, bug tracking, and other common tools.

"Infrastructure is very important for free software, and it's unfortunate that so much free software development currently relies on sites that don't publish their source code, and require or encourage the use of proprietary software," FSF wrote in a blog post. "Our GNU ethical repository criteria aim to set a high standard for free software code hosting, and we hope to meet that with our new forge."

As of now, the team said it has been researching a list of candidate programs and analyzing them in terms of ethical and practical criteria.

The FSF blog post adds that "We plan on contributing improvements upstream for the new forge software we choose, to boost its score on those criteria...

"We'll communicate with the upstream developers to request improvements and help clarify any questions related to the ethical repository criteria."
