Bug

Apple Will Finally Let Developers Respond To App Store Reviews (techcrunch.com) 50

An anonymous reader shares a TechCrunch report: Apple is finally going to give its developers a way to respond to customer reviews on its App Store and Mac App Store -- a feature that's long been available to Android developers on Google Play, much to the chagrin of the Apple developer community. According to developer documentation for the iOS 10.3 beta, when this version of Apple's mobile operating system ships, developers will also be able to ask for reviews in new ways, in addition to responding to those posted publicly on the App Store. Apple's ratings and reviews system has felt antiquated, and has been a source of frustration for developers and users alike. When a customer leaves a negative review, developers couldn't respond to the criticism -- which is sometimes unwarranted -- in a way that other App Store customers could see. For example, a customer may be misunderstanding a feature, or may have complained about a bug that's been fixed in a later release.
Transportation

'IT Issue' Grounded All United Airlines Flights In The US (nbcnews.com) 115

For two and a half hours -- no take-offs. An anonymous reader quotes NBC News: All of United Airlines' domestic flights were grounded Sunday night because of a computer outage, the Federal Aviation Administration said as scores of angry travelers sounded off on social media... U.S. officials told NBC News that the Aircraft Communications Addressing and Reporting System, or ACARS, had issues with low bandwidth. No further explanation was immediately available for what United described only as "an IT issue."
An hour ago United tweeted that they'd finally lifted the stop and were "working to get flights on their way." 66 flights were cancelled just at Chicago's O'Hare Airport, the Chicago Department of Aviation told the Associated Press, and though the article doesn't identify the total number of flights affected, "Chicago-based United Airlines and United Express operate more than 4,500 flights a day to 339 airports across five continents."
Bug

Army Bug Bounty Researcher Compromises US Defense Department's Internal Network (threatpost.com) 43

Thursday the U.S. Army shared some surprising results from its first bug bounty program -- a three-week trial in which it invited 371 security researchers "trained in figuring out how to break into computer networks they're not supposed to." An anonymous reader quotes Threatpost: The Army said it received more than 400 bug reports, 118 of which were unique and actionable. Participants who found and reported unique bugs that were fixed were paid upwards of $100,000... The Army also shared high-level details on one issue that was uncovered through the bounty by a researcher who discovered that two vulnerabilities on the goarmy.com website could be chained together to access, without authentication, an internal Department of Defense website.

"They got there through an open proxy, meaning the routing wasn't shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system," said a post published on HackerOne, which managed the two bounty programs on its platform. "On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious."

Google

Google Pressured 90,000 Android Developers Over Insecure Apps (pcworld.com) 50

An anonymous reader quotes PCWorld: Over the past two years, Google has pressured developers to patch security issues in more than 275,000 Android apps hosted on its official app store. In many cases this was done under the threat of blocking future updates to the insecure apps...

In the early days of the App Security Improvement program, developers only received notifications, but were under no pressure to do anything. That changed in 2015 when Google expanded the types of issues it scanned for and also started enforcing deadlines for fixing many of them... Google added checks for six new vulnerabilities in 2015, all of them with a patching deadline, and 17 in 2016, 12 of which had a time limit for fixes. These issues ranged from security flaws in third-party libraries, development frameworks and advertising SDKs to insecure implementations of Android Java classes and interfaces.

100,000 applications had been patched by April of 2016, but that number tripled over the next nine months, with 90,000 developers fixing flaws in over 275,000 apps.
Microsoft

Microsoft's Security Bulletins Will End In February (computerworld.com) 39

Remember how Microsoft switched to cumulative updates? Now Computerworld points out that that's bringing another change. An anonymous reader quotes their report: Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches... A searchable database of support documents will replace the bulletins; that database has been available, albeit in preview, since November on the portal Microsoft dubbed the "Security Updates Guide," or SUG. The documents stored in the database are specific to a vulnerability on an edition of Windows, or a version of another Microsoft product. They can be sorted and filtered by the affected software, the patch's release date, its CVE identifier, and the numerical label of the KB, or "knowledge base" support document.
Redmond Magazine reports that Microsoft still plans to continue to issue its security advisories, and to issue "out-of-band" security update releases as necessary.
Ubuntu

Windows 10 Upgrade Bug Disabled Ctrl-C In Bash (infoworld.com) 277

An anonymous reader quotes InfoWorld: A massive set of changes to the Windows Subsystem for Linux (WSL) was rolled into Windows Insider build 15002... If this is any hint, Microsoft's goal is nothing short of making it a credible alternative to other Linux distributions... Some of the fixes also implement functionality that wasn't available before to Linux apps in WSL, such as support for kernel memory overcommit and previously omitted network stack options. Other changes enhance integration between WSL and the rest of Windows...

[O]ne major issue in build 15002 is that Ctrl-C in a Bash session no longer works. Microsoft provided an uncommon level of detail for how this bug crept in, saying it had to do with synchronization between the Windows and Bash development teams. The next Insider build should have a fix. But for people doing serious work with Linux command-line apps, not having Ctrl-C is a little like driving a car when only the front brakes work.

Security

Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) 114

William Turton, writing for Gizmodo: This morning, the Guardian published a story with an alarming headline: "WhatsApp backdoor allows snooping on encrypted messages." If true, this would have massive implications for the security and privacy of WhatsApp's one-billion-plus users. Fortunately, there's no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian's story is a "major league fuckwittage." [...] Fredric Jacobs, who was the iOS developer at Open Whisper Systems, the collective that designed and maintains the Signal encryption protocol, and who most recently worked at Apple, said, "Nothing new. Of course, if you don't verify keys Signal/WhatsApp/... can man-in-the-middle your communications." "I characterize the threat posed by such reportage as being fear and uncertainty and doubt on an 'anti-vaccination' scale," Muffett, who previously worked on Facebook's engineering security infrastructure team, told Gizmodo. "It is not a bug, it is working as designed and someone is saying it's a 'flaw' and pretending it is earth shattering when in fact it is ignorable." The supposed "backdoor" the Guardian is describing is actually a feature working as intended, and it would require significant collaboration with Facebook to be able to snoop on and intercept someone's encrypted messages, something the company is extremely unlikely to do. "There's a feature in WhatsApp that -- when you swap phones, get a new phone, factory reset, whatever -- when you install WhatsApp freshly on the new phone and continue a conversation, the encryption keys get re-negotiated to accommodate the new phone," Muffett told Gizmodo. Other security experts and journalists have also criticized The Guardian's story.
Operating Systems

Consumer Reports Now Recommends MacBook Pros (macrumors.com) 164

Consumer Reports has updated their report on the 2016 MacBook Pros, and is now recommending Apple's latest notebooks. MacRumors reports: In the new test, conducted running a beta version of macOS that fixes the Safari-related bug that caused erratic battery life in the original test, all three MacBook Pro models "performed well." The 13-inch model without a Touch Bar had an average battery life of 18.75 hours, the 13-inch model with a Touch Bar lasted for 15.25 hours on average, and the 15-inch MacBook Pro with Touch Bar had an average battery life of 17.25 hours. "Now that we've factored in the new battery-life measurements, the laptops' overall scores have risen, and all three machines now fall well within the recommended range in Consumer Reports ratings," reports Consumer Reports. Consumer Reports originally denied the 2016 MacBook Pro a purchase recommendation in late December due to extreme battery life variance that didn't match up with Apple's 10 hour battery life claim. Apple worked with Consumer Reports to figure out why the magazine encountered battery life issues, which led to the discovery of an obscure Safari caching bug. Consumer Reports used a developer setting to turn off Safari caching, triggering an "obscure and intermittent bug reloading icons" that drained excessive battery. The bug, fixed by Apple in macOS Sierra 10.12.3 beta 3, is not one the average user will encounter as most people don't turn off the Safari caching option, but it's something done in all Consumer Reports tests to ensure uniform testing conditions. A fix for the issue will be available to the general public when macOS Sierra 10.12.3 is released, but users can get it now by signing up for Apple's beta testing program.
Bug

Buggy Domain Validation Forces GoDaddy To Revoke SSL Certificates (threatpost.com) 33

msm1267 quotes a report from Threatpost: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar's domain validation process. The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer. "GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process," Thayer said in a statement. "The bug caused the domain validation process to fail in certain circumstances." GoDaddy said it was not aware of any compromises related to the bug. The issue did expose sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site in order to spread malware or steal personal information such as banking credentials. GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action and log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said.
Portables (Apple)

Consumer Reports Updates Its MacBook Pro Review (consumerreports.org) 246

Reader TheFakeTimCook writes: Last month, the new MacBook Pro failed to receive a purchase recommendation from Consumer Reports due to battery life issues that it encountered during testing. Apple subsequently said it was working with Consumer Reports to understand the results, which it said do not match its "extensive lab tests or field data." According to an article from Consumer Reports, Apple has since concluded its work, and says it learned that Consumer Reports was using a "hidden Safari setting" which triggered an "obscure and intermittent bug" that led to inconsistent battery life results. With "normal user settings" enabled, Apple said Consumer Reports "consistently" achieved expected battery life. Apple stated: "We learned that when testing battery life on Mac notebooks, Consumer Reports uses a hidden Safari setting for developing web sites which turns off the browser cache. This is not a setting used by customers and does not reflect real-world usage. Their use of this developer setting also triggered an obscure and intermittent bug reloading icons which created inconsistent results in their lab. After we asked Consumer Reports to run the same test using normal user settings, they told us their MacBook Pro systems consistently delivered the expected battery life." Apple said it has fixed the Safari bug in the latest macOS Sierra beta seeded to developers and public testers this week.
Microsoft

Ask Slashdot: What Is the Best Way To Thank Users For Reporting Security Issues? 128

An anonymous Slashdot reader writes: I have worked in the IT field long enough to know that many issues can be avoided if users pay attention to pop-ups, security alerts, "from" addresses et al and not just machine gun click their way through things. Unfortunately, most users seem to have the "fuck it" mentality in terms of good security practices. Sometimes I will have users submit a ticket asking if an email is safe to open or if that strange 800 number that popped up in their browser is really Microsoft. When that happens I like to talk to them in person (when possible) to commend them and tell them how much trouble could be avoided if more users followed their example. I'm curious to know if anyone has ever worked somewhere with bug bounty type incentives for corporate users or if you have a unique way of thanking people for not trying to open Urgent_Invoice.exe.
It's funny.  Laugh.

Sonos Alarms Are Waking Users a Day Early (engadget.com) 38

Waking up to your favorite music is always nice, but it becomes rather annoying when you can't turn off said alarm. From a report on Engadget: That's exactly what Sonos users are experiencing and one editor on our staff dealt with the headache first hand. In fact, the alarms are also going off a day early, meaning Saturday wake-up calls were playing this morning. The company posted in its forums this morning that it's looking into the issue and recommends users delete all alarms from the Sonos app for right now. As our editor and many others have experienced, deleting the alarms is the only way to make them stop. We'll have to wait for official word on the cause, but alarms set for December 31st going off on December 30th could be a New Year's or Leap Year bug. Back in 2011, Apple had a problem with iPhone alarms not working correctly on January 1st.
Android

Some Google Pixel Devices Are Shutting Down At 30% Battery (androidauthority.com) 130

An anonymous reader quotes a report from Android Authority: It seems that some Pixel devices are affected by the same infamous shutdown bug that plagued the Nexus 6P where the device would prematurely turn off at 25 to 35 percent. The Huawei Nexus 6P has finally received the Nougat update. But ever since, Google's last ever Nexus device has been on the news, and for all the wrong reasons. Among the problems was a shutdown bug: the phone would shut down when the battery is at 30 percent or so. Well, it looks like the issue isn't unique to those Nexus 6P users. A few Reddit users are reporting that their Pixel devices are also suffering from the same shutdown bug. Some Pixel phones would prematurely shut down at or around 30 percent and would not turn back on until a charger is connected. A user by the name of vrski_15, who started the thread explains: "Twice in last 5 days, has the phone shutdown abruptly while I am in middle of something. In both instances, battery was between 25-35%, and the phone under normal conditions should have lasted for at least next 3-4 hours." With the Nexus 6P, Huawei first ruled that this was not a hardware problem but a software-related one. However, users found that the problem persisted even after downgrading to Android Marshmallow. This led Huawei to investigate further with Google, and although the company hasn't revealed the cause yet, it is probably related to the problem that these Pixel users have been experiencing.
Bug

Nevada Website Bug Leaks Thousands of Medical Marijuana Dispensary Applications (zdnet.com) 55

An anonymous reader quotes a report from ZDNet: Nevada's state government website has leaked the personal data on over 11,700 applicants for dispensing medical marijuana in the state. Each application, eight pages in length, includes the person's full name, home address, citizenship, and even their weight and height, race, and eye and hair color. The applications also include the applicant's citizenship, their driving license number (where applicable), and social security number. Security researcher Justin Shafer found the bug in the state's website portal, allowing anyone with the right web address to access and enumerate the thousands of applications. Though the medical marijuana portal can be found with a crafted Google search query, we're not publishing the web address out of caution until the bug is fixed. A spokesperson for the Nevada Dept. Health and Human Services, which runs the medical marijuana application program, told ZDNet that the website has been pulled offline to limit the vulnerability. The spokesperson added that the leaked data was a "portion" of one of several databases.
Government

FDA Releases New Cybersecurity Guidelines For Medical Devices (theverge.com) 40

An anonymous reader quotes a report from The Verge: The U.S. Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they've entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device -- with potentially deadly results. First issued in draft form last January, this guidance is more than a year in the making. The 30-page document (PDF) encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable -- so they're largely without teeth. The FDA issued an earlier set of recommendations in October 2014 (PDF), which recommended ways for manufacturers to build cybersecurity protections into medical devices as they're being designed and developed. Today's guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur. Most patches and updates intended to address security vulnerabilities will be considered routine enhancements, which means manufacturers don't have to alert the FDA every time they issue one. That is, unless someone dies or is seriously harmed because of a bug -- then the manufacturer needs to report it. Dangerous bugs identified before they harm or kill anyone won't have to be reported to the FDA as long as the manufacturer tells customers and device users about the bug within 30 days, fixes it within 60 days, and shares information about the vulnerability with an ISAO.
PHP

Millions of Websites Vulnerable Due To Security Bug In Popular PHP Script (bleepingcomputer.com) 104

An anonymous reader writes from a report via BleepingComputer: A security flaw discovered in a common PHP class allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server. The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code, also included with WordPress, Drupal, Joomla, and more. The vulnerability was fixed on Christmas with the release of PHPMailer version 5.2.18. Nevertheless, despite the presence of a patched version, it will take some time for the security update to propagate. Judging by past incidents, millions of sites will never be updated, leaving a large chunk of the Internet open to attacks. Even though the security researcher who discovered the flaw didn't publish any in-depth details about his findings, someone reverse-engineered the PHPMailer patch and published their own exploit code online, allowing others to automate attacks using this flaw, which is largely still unpatched due to the holiday season.
Android

Some Pixels Have Problems (techtimes.com) 69

An anonymous reader quotes Tech Times: Pixel owners have so far reported on camera issues, audio issues, LTE band 4 connectivity problems and others, but the random freezing remains among the most persistent ones. While most previous issues have already received a fix, users have been complaining about the Google Pixel or Pixel XL randomly freezing since November and it seems Google has yet to get to the bottom of this. The official Pixel User Community forum has a long thread on the matter and the discussion started a good while back [in early November]...

[U]sers reporting on the Pixel Community Forum run different apps and they haven't found a common denominator just yet, and some don't have any third-party apps at all, further suggesting that the issue might not be caused by a third-party app. On the other hand, some Pixel owners got rid of this issue by uninstalling a third-party app called Live360 Family Locator, but others didn't even have the app installed and still experienced the issues.

Despite the problems, "most Pixel owners thus far have been quite pleased with their device," notes BGR -- though Softpedia also reports on some users complaining about "static and distorted sounds when at the three highest volume levels."
Twitter

Twitter Admits It Recently Overcharged For Ads (cnn.com) 24

An anonymous reader quotes a CBS report about more bad news for Twitter: The microblogging service has acknowledged that it inadvertently overcharged some advertisers for video ads, capping off a year that has featured a failed sale of the company, the departure of six of its 10 top executives and a nearly 30% drop in its stock price. As Business Insider reported, a bug in a recent version of Twitter's Android App inflated some metrics by as much as 35% for video ad campaigns that ran between November 7 and December 12.

The San Francisco-based company issued refunds to the affected advertisers, which in many cases were for minimal amounts of money, a person familiar with the situation said. "The impact was limited given this happened only on Android clients over the course of a month," the San Francisco-based company said in a statement. "This was a technical error, not a policy or definition issue, so it has been resolved."

One analyst told CBS, "I don't think this as fatal as it is embarrassing."
Businesses

At Apple, Mac Is Getting Far Less Attention - How It Handled the New MacBook Pro Is Living Proof (bloomberg.com) 230

Apple CEO Tim Cook may have assured employees that the company is committed to Mac computers, but people working in the Mac team say the company now pays far less attention to the computer lineup, according to Bloomberg's Mark Gurman, who has been right just about every time with Apple scoops. From his report: Interviews with people familiar with Apple's inner workings reveal that the Mac is getting far less attention than it once did. They say the Mac team has lost clout with the famed industrial design group led by Jony Ive and the company's software team. They also describe a lack of clear direction from senior management, departures of key people working on Mac hardware and technical challenges that have delayed the roll-out of new computers. While the Mac generates about 10 percent of Apple sales, the company can't afford to alienate professional designers and other business customers. After all, they helped fuel Apple's revival in the late 1990s. In a stinging critique, Peter Kirn, founder of a website for music and video creators, wrote: "This is a company with no real vision for what its most creative users actually do with their most advanced machines." If more Mac users switch, the Apple ecosystem will become less sticky -- opening the door to people abandoning higher-value products like the iPhone and iPad. The report also sheds light on battery issues in the new MacBook Pro lineup that many have complained about. From the report: In the run-up to the MacBook Pro's planned debut this year, the new battery failed a key test, according to a person familiar with the situation. Rather than delay the launch and risk missing the crucial holiday shopping season, Apple decided to revert to an older design. The change required roping in engineers from other teams to finish the job, meaning work on other Macs languished, the person said. 
The new laptop didn't represent a game-changing leap in battery performance, and a software bug misrepresented hours of power remaining. Apple has since removed the meter from the top right-hand corner of the screen.
