IOS

Apple Patches iPhone Jailbreaking Bug 36

Apple has released today an iOS security update to patch a bug the company accidentally un-patched in an earlier release, introducing a security weakness that allowed hackers to craft new jailbreaks for current iOS versions. From a report: The original bug, discovered by Ned Williamson, a Google Project Zero security engineer, allows a malicious app to exploit a "user-after-free" vulnerability and run code with system privileges in the iOS kernel. iOS version 12.4.1, released today, re-patches this bug that was initially fixed in iOS 12.3 but was accidentally unpatched in iOS 12.4, last month. Sadly, Apple's blunder didn't go unnoticed and earlier this month, a security researcher named Pwn20wnd released a public exploit based on Williamson's bug that could be used to jailbreak up-to-date iOS devices and grant users complete control over their iPhones. But while users taking a risk and jailbreaking their own devices doesn't sound that dangerous, a lesser-known fact is that malware operators and spyware vendors can also use Pwn20wnd's jailbreak as well.
Displays

Ask Slashdot: What's The Best Monitor For Development Work? 216

Long-time Slashdot reader AmiMoJo is having trouble finding a monitor that's good for writing code: The 16:10 aspect ratio, which allows for some extra vertical space that is extremely handy when viewing source code, is basically dead as far as I can tell. Dell still sell a few older models but there no 4k+ monitors with this aspect ratio.

Speaking of 4k, at 27" it's about the same PPI (pixels per inch) as my 2012 laptop with a 15" 1080p display, only bigger (around 160 PPI). It feels a bit awkward, not quite high enough to hide the pixels or render "perfect" looking fonts. 5k would be better (200 PPI), but every 5k monitor seems to have been discontinued except for one Iiyama model that seems to have quality problems.

Everyone seems to be obsessing over gaming and photography monitors now. Is there anything left for developers who don't care about 240Hz and calibrated colour, but do care about aspect ratio and text rendering quality?

Leave your suggestions in the comments. What's the best monitor for development work?
Android

Google Confirms Android 10 Will Fix 193 Security Vulnerabilities (forbes.com) 31

"Were it not for third-party components, the August Android Security Bulletin would have been the first report to be released with only a single critical vulnerability found," reports TechRepublic. "However, with the inclusion of Broadcom and Qualcomm components, there are seven in total."

Meanwhile, Forbes reports on what's being fixed in September's release of Android 10: 193 Android security vulnerabilities needed to be fixed, covering a broad swathe of elevation of privilege, remote code execution, information disclosure and denial of service categories. Two of these are in the Android runtime itself, another two in the library and 24 in the framework. The bulk, however, is split between the Android media framework with 68 vulnerabilities and the Android system with 97. All have been scored as "moderate" severity.

The good news is that all will be fixed by the default Android 10 patch level of 2019-09-01 on release of the new OS. Also on the positive news front, the security bulletin update stated that "we have had no reports of active customer exploitation or abuse of these newly reported issues."

Programming

Is Agile Becoming Less and Less Relevant? (forbes.com) 235

OneHundredAndTen shares "an interesting Forbes article that posits that Agile software development is losing relevance, it is not the silver bullet that some claimed, and it has become a sort of religion -- 'If Agile doesn't work for you, you are not doing it right.'"

Writer/data scientist Kurt Cagle even describes passing around "the holy hockey stick" while begging the scrum master for forgiveness, arguing that "like most religions it really didn't make that much sense to the outsider -- or even to the participants, when it got right down to it." Agile does not always scale well. Integration dependencies are often not tracked (or are subsumed into hierarchical stories), yet it tends to be one of the most variable aspects of any software development... [T]here are whole classes of projects where traditional Agile is counterproductive. Enterprise data projects, in particular, do not fit the criteria for being good Agile candidates... the kind of work that is being done is shifting from an engineering problem (dedicated short term projects intended to connect systems) to a curational one (mapping models via minimal technical tools).

This transition also points to what the future of Agile will end up being. In many respects we're leaving the application era of development -- applications are thinner, mostly web-based, where connectivity to both data sets and composite enterprise data will be more important than complex client-based functionality. This is also true of mobile applications -- increasingly, smart phone and tablet apps are just thin shells around mobile HTML+CSS, a sea-change from the "there's an app for that" era.

The client as relatively thin endpoint means that the environment for which Agile first emerged and for which it is most well suited -- stand-alone open source applications -- is disappearing. Today, the typical application is more likely a data stream of some sort, in which the value is not in the programming but in the data itself, with the programming consequently far simpler (and with a far broader array of existing tools) than was the case twenty or even ten years ago... While aspects of Agile will remain, the post-Agile world has different priorities and requirements, and we should expect whatever paradigm finally succeeds it to deal with the information stream as the fundamental unit of information.

Python

UK Cybersecurity Agency Urges Devs To Drop Python 2 (zdnet.com) 50

Python's End-of-Life date is 129 days away, warns the UK National Cyber Security Centre (NCSC). "There will be no more bug fixes, or security updates, from Python's core developers."

An anonymous reader quotes ZDNet: The UK's cyber-security agency warned developers Thursday to consider moving Python 2.x codebases to the newer 3.x branch due to the looming end-of-life of Python 2, scheduled for January 1, 2020... "If you continue to use unsupported modules, you are risking the security of your organisation and data, as vulnerabilities will sooner or later appear which nobody is fixing."

"If you maintain a library that other developers depend on, you may be preventing them from updating to 3," the agency added. "By holding other developers back, you are indirectly and likely unintentionally increasing the security risks of others... If migrating your code base to Python 3 is not possible, another option is to pay a commercial company to support Python 2 for you," the NCSC said.

The agency warns that companies who don't invest in migrating their Python 2.x code might end up in the same position as Equifax or the WannaCry victims. "At the NCSC we are always stressing the importance of patching. It's not always easy, but patching is one of the most fundamental things you can do to secure your technology," the agency said. "The WannaCry ransomware provides a classic example of what can happen if you run unsupported software," it said. "By making the decision to continue using Python 2 past its end of life, you are accepting all the risks that come with using unsupported software, while knowing that a secure version is available."

Security

Facebook Awards $100,000 Prize For New Code Isolation Technique (zdnet.com) 13

ZDNet reports: Facebook has awarded a $100,000 prize to a team of academics from Germany for developing a new code isolation technique that can be used to safeguard sensitive data while it's being processed inside a computer. The award is named the Internet Defense Prize, and is a $100,000 cash reward that Facebook has been giving out yearly since 2014 to the most innovative research presented at USENIX, a leading security conference that takes place every year in mid-August in the US.
An anonymous reader writes: The new technique is called ERIM and leverages Intel's memory protection keys (MPKs) and binary code inspection to achieve both hardware and software-based in-process data isolation. The novelty of ERIM is that it has an near-zero performance overhead (compared to other techniques that induce a big performance dip), can be applied with little effort to new and existing applications, doesn't require compiler changes, and can run on a stock Linux kernel.
Open Source

Why Are 'Supply Chain Attacks' on Open Source Libraries Getting Worse? (arstechnica.com) 44

"A rash of supply chain attacks hitting open source software over the past year shows few signs of abating, following the discovery this week of two separate backdoors slipped into a dozen libraries downloaded by hundreds of thousands of server administrators," reports Ars Technica: The compromises of Webmin and the RubyGems libraries are only the latest supply chain attacks to hit open source software. Most people don't think twice about installing software or updates from the official site of a known developer. As developers continue to make software and websites harder to exploit, black hats over the past few years have increasingly exploited this trust to spread malicious wares by poisoning code at its source...

To be fair, closed-source software also falls prey to supply-side attacks -- as evidenced by those that hit computer maker ASUS on two occasions, the malicious update to tax-accounting software M.E.Doc that seeded the NotPetya outbreak of 2017, and another backdoor that infected users of the CCleaner hard drive utility that same year. But the low-hanging fruit for supply chain attacks seems to be open source projects, in part because many don't make multi-factor authentication and code signing mandatory among its large base of contributors.

"The recent discoveries make it clear that these issues are becoming more frequent and that the security ecosystem around package publication and management isn't improving fast enough," Atredis Partners Vice President of Research and Development HD Moore told Ars. "The scary part is that each of these instances likely resulted in even more developer accounts being compromised (through captured passwords, authorization tokens, API keys, and SSH keys). The attackers likely have enough credentials at hand to do this again, repeatedly, until all credentials are reset and appropriate MFA and signing is put in place."

Bitcoin

Employees Connect Nuclear Plant To the Internet So They Can Mine Cryptocurrency 29

Ukrainian authorities are investigating a potential security breach at a local nuclear power plant after employees connected parts of its internal network to the internet so they could mine cryptocurrency. From a report: The investigation is being led by the Ukrainian Secret Service (SBU), who is looking at the incident as a potential breach of state secrets due to the classification of nuclear power plants as critical infrastructure. Investigators are examining if attackers might have used the mining rigs as a pivot point to enter the nuclear power plant's network and retrieve information from its systems, such as data about the plant's physical defenses and protections. According to authorities, the incident took place in July at the South Ukraine Nuclear Power Plant, located near the city of Yuzhnoukrainsk, in southern Ukraine. It's unknown how the scheme was discovered, but on July 10 the SBU raided the nuclear power plant, from where it seized computers and equipment specifically built for mining cryptocurrency.
Security

Security Researchers Find Several Bugs In Nest Security Cameras (vice.com) 6

An anonymous reader quotes a report from Motherboard: Hackers could have logged into your Nest Cam IQ Indoor and watch whatever was happening in your home by taking advantage of a vulnerability found by security researchers. The hackers could have also prevented you from using the camera, or use access to it to break into your home network. Researchers Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered the vulnerabilities and disclosed them publicly on August 19. The two found eight vulnerabilities that are based in the Nest implementation of the Weave protocol. The Weave protocol is designed specifically for communications among Internet of Things or IoT devices.

Nest has provided a firmware update that the company says will fix the vulnerabilities. The vulnerabilities apply to version 4620002 of the Nest Cam IQ indoor device. You can check the version of your camera on the Nest app. Nest says that the updates will happen automatically if your camera is connected to the internet. "We've fixed the disclosed bugs and started rolling them out to all Nest Camera IQs," Google said in a statement to ZDNet. "The devices will update automatically so there's no action required from users."

Security

Valve Says Turning Away Researcher Reporting Steam Vulnerability Was a Mistake (arstechnica.com) 27

An anonymous reader quotes a report from Ars Technica: In an attempt to quell a controversy that has raised the ire of white-hat hackers, the maker of the Steam online game platform said on Thursday it made a mistake when it turned away a researcher who recently reported two separate vulnerabilities. In its statement, Valve Corporation references HackerOne, the reporting service that helps thousands of companies receive and respond to vulnerabilities in their software or hardware. Valve's new HackerOne program rules specifically provide that "any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope. Any unauthorized modification of the privileged Steam Client Service is also in scope."

The statement and the policy change from Valve came two days after security researcher Vasily Kravets, an independent researcher from Moscow, received an email telling him that Valve's security team would no longer receive his vulnerability reports through the HackerOne bug-reporting service. Valve turned Kravets away after he reported a steam vulnerability that allowed hackers who already had a toe-hold on a vulnerable computer to burrow into privileged parts of an operating system. Valve initially told Kravets such vulnerabilities were out of scope and gave no indication that the one Vasily reported would be fixed. The company later publicly denied that the issue was a vulnerability by incorrectly claiming that the exploit required hackers to have physical access to a vulnerable computer. The company went so far as to dispute the vulnerability in the advisory issued by the National Institute of Standards and Technology.

Ruby

Backdoor Code Found In 11 Ruby Libraries (zdnet.com) 36

Maintainers of the RubyGems package repository have yanked 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people's Ruby projects. ZDNet reports: The malicious code was first discovered yesterday inside four versions of rest-client, an extremely popular Ruby library. According to an analysis by Jan Dintel, a Dutch Ruby developer, the malicious code found in rest-client would collect and send the URL and environment variables of a compromised system to a remote server in Ukraine. "Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider," Dintel said.

The code also contained a backdoor mechanism that allowed the attacker to send a cookie file back to a compromised project, and allow the attacker to execute malicious commands. A subsequent investigation by the RubyGems staff discovered that this mechanism was being abused to insert cryptocurrency mining code. RubyGems staff also uncovered similar code in 10 other projects. All the libraries, except rest-client, were created by taking another fully functional library, adding the malicious code, and then re-uploading it on RubyGems under a new name. All in all, all the 18 malicious library versions only managed to amass 3,584 downloads before being removed from RubyGems.

Encryption

Moscow's Blockchain Voting System Cracked a Month Before Election (zdnet.com) 53

An anonymous reader quotes a report from ZDNet: A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election. Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system's private keys based on its public keys. This private keys are used together with the public keys to encrypt user votes cast in the election. Gaudry blamed the issue on Russian officials using a variant of the ElGamal encryption scheme that used encryption key sizes that were too small to be secure. This meant that modern computers could break the encryption scheme within minutes.

What an attacker can do with these encryption keys is currently unknown, since the voting system's protocols weren't yet available in English, so Gaudry couldn't investigate further. "Without having read the protocol, it is hard to tell precisely the consequences, because, although we believe that this weak encryption scheme is used to encrypt the ballots, it is unclear how easy it is for an attacker to have the correspondence between the ballots and the voters," the French researcher said. "In the worst case scenario, the votes of all the voters using this system would be revealed to anyone as soon as they cast their vote."
The Moscow Department of Information Technology promised to fix the reported issue. "We absolutely agree that 256x3 private key length is not secure enough," a spokesperson said in an online response. "This implementation was used only in a trial period. In few days the key's length will be changed to 1024."

However, a public key of a length of 1024 bits may not be enough, according to Gaudry, who believes officials should use one of at least 2048 bits instead.
The Courts

Flaws in Cellphone Evidence Prompt Review of 10,000 Verdicts in Denmark (nytimes.com) 36

The authorities in Denmark say they plan to review over 10,000 court verdicts because of errors in cellphone tracking data offered as evidence. From a report: The country's director of public prosecutions on Monday also ordered a two-month halt in prosecutors' use of cellphone data in criminal cases while the flaws and their potential consequences are investigated. "It's shaking our trust in the legal system," Justice Minister Nick Haekkerup said in a statement. The first error was found in an I.T. system that converts phone companies' raw data into evidence that the police and prosecutors can use to place a person at the scene of a crime. During the conversions, the system omitted some data, creating a less-detailed image of a cellphone's whereabouts. The error was fixed in March after the national police discovered it. In a second problem, some cellphone tracking data linked phones to the wrong cellphone towers, potentially connecting innocent people to crime scenes, said Jan Reckendorff, the director of public prosecutions.

"It's a very, very serious case," Mr. Reckendorff told Denmark's state broadcaster. "We cannot live with incorrect information sending people to prison." The authorities said that the problems stemmed partly from police I.T. systems and partly from the phone companies' systems, although a telecom industry representative said he could not understand how phone companies could have caused the errors. The national police determined that the flaws applied to 10,700 court cases dating to 2012, but it is unclear whether the faulty data was a decisive factor in any verdicts. The justice minister set up a steering group to track the extent of the legal problems they may have caused and to monitor the reviews of cases that may have been affected.

Security

Intel, Google, Microsoft, and Others Launch Confidential Computing Consortium for Data Security (venturebeat.com) 44

Major tech companies including Alibaba, Arm, Baidu, IBM, Intel, Google Cloud, Microsoft, and Red Hat today announced intent to form the Confidential Computing Consortium to improve security for data in use. From a report: Established by the Linux Foundation, the organization plans to bring together hardware vendors, developers, open source experts, and others to promote the use of confidential computing, advance common open source standards, and better protect data. "Confidential computing focuses on securing data in use. Current approaches to securing data often address data at rest (storage) and in transit (network), but encrypting data in use is possibly the most challenging step to providing a fully encrypted lifecycle for sensitive data," the Linux Foundation said today in a joint statement. "Confidential computing will enable encrypted data to be processed in memory without exposing it to the rest of the system and reduce exposure for sensitive data and provide greater control and transparency for users."

The consortium also said the group was formed because confidential computing will become more important as more enterprise organizations move between different compute environments like the public cloud, on-premises servers, or the edge. To get things started, companies made a series of open source project contributions including Intel Software Guard Extension (SGX), an SDK for code protection at the hardware layer.

Security

Researcher Publishes Second Steam Zero Day After Getting Banned on Valve's Bug Bounty Program (zdnet.com) 64

A Russian security researcher has published details about a zero-day in the Steam gaming client. This is the second Steam zero-day the researcher has made public in the past two weeks. From a report: However, while the security researcher reported the first one to Valve and tried to have it fixed before public disclosure, he said he couldn't do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform. The entire chain of events behind the public disclosure of these two zero-days has caused quite a drama and discussions in the infosec community. All the negative comments have been aimed at Valve and the HackerOne staff, with both being accused of unprofessional behavior. Security researchers and regular Steam users alike are mad because Valve refused to acknowledge the reported issue as a security flaw, and declined to patch it.
Privacy

MoviePass Exposed Thousands of Unencrypted Customer Card Numbers (techcrunch.com) 14

New submitter sizzlinkitty writes: Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password. Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company's many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real time. Many of the records were normal computer-generated logging messages used to ensure the running of the service -- but many also included sensitive user information, such as MoviePass customer card numbers. These MoviePass customer cards are like normal debit cards: they're issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies.
Chrome

Apple, Google, and Mozilla Block Kazakhstan's HTTPS Intercepting Certificate (zdnet.com) 80

Apple, Google, and Mozilla have moved in to ban a root certificate the Kazakhstan government used in the past month to spy on its citizens' web traffic. From a report: Starting today, Chrome, Firefox, and Safari will show errors if any HTTPS web traffic is encrypted with the Kazakh government's root or leaf certificates. This coordinated action will ensure the safety of Kazakh users who were forced last month by their local Kazakh ISPs to install this certificate under the threat of not being allowed to use the internet otherwise. Kazakh ISPs forced their customers to install the government's root certificate after the Kazakh government issued a decree and said the measure was "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats." But in reality, the Kazakh government abused this root certificate installed in millions of users browsers to intercept and decrypt HTTPS traffic users were making to 37 domains, such as such Facebook, Google, Twitter, Instagram, and YouTube.
Security

The First Lightning Security Key For iPhones Is Here, and It Works With USB-C, Too (theverge.com) 51

Yubico is releasing the $70 YubiKey 5Ci, the first security key that can plug into your iPhone's Lightning port or a USB-C port, and it's compatible with popular password vaults LastPass and 1Password out of the box. The Verge reports: That means you may not have to remember your password for your bank ever again -- just plug the YubiKey into your iPhone, use it to log into the 1Password app, and get that bank password. At launch, it'll support these well-known password managers and single sign-on tools: 1Password, Bitwarden, Dashlane, Idaptive, LastPass, and Okta. And when using the Brave browser for iOS, the YubiKey 5Ci can be used as an easier way to log into Twitter, GitHub, 1Password's web app, and a couple other services.

Notably, the 5Ci doesn't work with the newest iPad Pros at all, despite having a USB-C connector that fits. And you can't just plug the Lightning side of the 5Ci into an iPhone and expect it to work with any service that supports the FIDO authentication protocol -- our passwordless future isn't here just yet. Yubico tells The Verge that services have to individually add support for Lightning connector on the 5Ci into their apps.

Google

Google's Clickless Era (axios.com) 52

For the first time last month, a majority of all browser-based Google searches resulted in zero clicks, according to a new study from software company Sparktoro. From a report: The report's author notes that Google's functionality has changed to keep users within the Google ecosystem, not to always refer them outside of it. "We've passed a milestone in Google's evolution from search engine to walled-garden," he writes. On mobile, where the majority of search traffic takes place, organic searches have fallen about 20%, and have instead been replaced by paid searches and "zero click" searches, or search queries that result in snippets of information being presented, removing the need for a user to click into a link. In January 2016, the report notes, more than half of mobile searches ended without a click. Today, it's almost two-thirds.
Programming

Bitbucket Dropping Support For Mercurial 42

Bitbucket, once one of the largest Mercurial repository hosting sites, said Tuesday it plans to remove Mercurial features and repositories from its platform on June 1, 2020. In a blog post, Bitbucket wrote: As we surpass 10 million registered users on the platform, we're at a point in our growth where we are conducting a deeper evaluation of the market and how we can best support our users going forward. After much consideration, we've decided to remove Mercurial support from Bitbucket Cloud and its API. Bitbucket will stop letting users create new Mercurial repositories starting February 1, 2020, and start removing all the Mercurial repositories four months later. So you will want to backup your repositories and switch to a different platform in the coming months. A different user pointed out, "Another shitty aspect of bitbucket dropping mercurial support and deleting all the old repositories in 2020: all yt pull request discussions from before 2017 are going to be deleted. There's valuable context for how the code got written in those discussions." Several users have expressed their concerns over this decision. Sebastien Jodogne, CSO at Osimis, said, "This is an extremely concerning decision that endangers diversity in the computer science industry by pushing the de facto hegemony of git."

For those of you affected by this, you can consider a number of platforms including SourceForge to host and manage your repositories.

Slashdot Top Deals