Are Google and Facebook Surveilling Their Own Employees? (theguardian.com) 106

The Guardian just ran an article titled " 'They'll squash you like a bug': how Silicon Valley keeps a lid on leakers," which begins with the story of an employee confronted by Facebook's secretive "rat-catching" team: They had records of a screenshot he'd taken, links he had clicked or hovered over, and they strongly indicated they had accessed chats between him and the journalist, dating back to before he joined the company. "It's horrifying how much they know," he told the Guardian, on the condition of anonymity... "You get on their bad side and all of a sudden you are face to face with Mark Zuckerberg's secret police"... One European Facebook content moderator signed a contract, seen by the Guardian, which granted the company the right to monitor and record his social media activities, including his personal Facebook account, as well as emails, phone calls and internet use. He also agreed to random personal searches of his belongings including bags, briefcases and car while on company premises. Refusal to allow such searches would be treated as gross misconduct...

Some employees switch their phones off or hide them out of fear that their location is being tracked. One current Facebook employee who recently spoke to Wired asked the reporter to turn off his phone so the company would have a harder time tracking if it had been near the phones of anyone from Facebook. Two security researchers confirmed that this would be technically simple for Facebook to do if both people had the Facebook app on their phone and location services switched on. Even if location services aren't switched on, Facebook can infer someone's location from wifi access points.

The article cites a 2012 report that Microsoft read a French blogger's Hotmail account to identify a former employee who had leaked trade secrets. And it also reports that tech companies hire external agencies to surveil their employees. "One such firm, Pinkerton, counts Google and Facebook among its clients." Though Facebook and Google both deny this, "Among other services, Pinkerton offers to send investigators to coffee shops or restaurants near a company's campus to eavesdrop on employees' conversations...

Al Gidari, consulting director of privacy at the Stanford Center for Internet and Society, says that these tools "are common, widespread, intrusive and legal."

Apple's Newest iPhone X Ad Captures an Embarrassing iOS 11 Bug (theverge.com) 81

Tom Warren, writing for The Verge: If you blink during Apple's latest iPhone ad, you might miss a weird little animation bug. It's right at the end of a slickly produced commercial, where the text from an iMessage escapes the animated bubble it's supposed to stay inside. It's a minor issue and easy to brush off, but the fact it's captured in such a high profile ad just further highlights Apple's many bugs in iOS 11. 9to5Mac writer Benjamin Mayo spotted the bug in Apple's latest ad, and he's clearly surprised "that this was signed off for the commercial," especially as he highlighted it months ago and has filed a bug report with Apple.

'They'll Squash You Like a Bug': How Silicon Valley Keeps a Lid on Leakers (theguardian.com) 98

The public image of Silicon Valley's tech giants is all colourful bicycles, ping-pong tables, beanbags and free food, but behind the cartoonish facade is a ruthless code of secrecy. From a report: They rely on a combination of Kool-Aid, digital and physical surveillance, legal threats and restricted stock units to prevent and detect intellectual property theft and other criminal activity. However, those same tools are also used to catch employees and contractors who talk publicly, even if it's about their working conditions, misconduct or cultural challenges within the company. While Apple's culture of secrecy, which includes making employees sign project-specific NDAs and covering unlaunched products with black cloths, has been widely reported, companies such as Google and Facebook have long put the emphasis on internal transparency.

Zuckerberg hosts weekly meetings where he shares details of unreleased new products and strategies in front of thousands of employees. Even junior staff members and contractors can see what other teams are working on by looking at one of many of the groups on the company's internal version of Facebook. "When you first get to Facebook you are shocked at the level of transparency. You are trusted with a lot of stuff you don't need access to," said Evans, adding that during his induction he was warned not to look at ex-partners' Facebook accounts.


Microsoft Launches Bounty Program For Speculative Execution Side Channel Vulnerabilities (betanews.com) 21

An anonymous reader shares a report: Microsoft has launched a bug bounty program that will reward anyone who finds the next Meltdown or Spectre vulnerability. Known as speculative execution side channel vulnerabilities, Microsoft is willing to reward anyone who reports bugs that could cause problems like earlier in the year. The rewards on offer range from $5,000 up to $250,000 depending on the severity of the vulnerability, and the bounty program runs until the end of 2018. Microsoft says that it will operate under the principles of coordinated vulnerability disclosure.

Planting GMOs Kills So Many Bugs That It Helps Non-GMO Crops (arstechnica.com) 282

An anonymous reader quotes a report from Ars Technica: One of the great purported boons of GMOs is that they allow farmers to use fewer pesticides, some of which are known to be harmful to humans or other species. Bt corn, cotton, and soybeans have been engineered to express insect-killing proteins from the bacterium Bacillus thuringiensis, and they have indeed been successful at controlling the crops' respective pests. They even protect the non-Bt versions of the same crop that must be planted in adjacent fields to help limit the evolution of Bt resistance. But new work shows that Bt corn also controls pests in other types of crops planted nearby, specifically vegetables. In doing so, it cuts down on the use of pesticides on these crops, as well.

Entomologists and ecologists compared crop damage and insecticide use in four agricultural mid-Atlantic states: New Jersey, Delaware, Maryland, and Virginia. Their data came from the years before Bt corn was widespread (1976-1996) and continued after it was adopted (1996-2016). They also looked at the levels of the pests themselves: two different species of moths, commonly known as the European corn borer and corn earworm. They were named as scourges of corn, but their larvae eat a number of different crops, including peppers and green beans. After Bt corn was planted in 1996, the number of moths captured for analysis every night in vegetable fields dropped by 75 percent. The drop was a function of the percentage of Bt corn planted in the area and occurred even though moth populations usually go up with temperature. So the Bt corn more than counteracted the effect of the rising temperatures we've experienced over the quarter century covered by the study.


GNOME 3.28 'Chongqing' Linux Is Here (betanews.com) 131

BrianFagioli writes: GNOME 3.28 is the latest version of GNOME 3, and is the result of 6 months' hard work by the GNOME community. It contains several major new features, as well as many smaller improvements and bug fixes. In total, the release incorporates 24105 changes, made by approximately 778 contributors.

The Project explains, "GNOME 3.28 comes with more beautiful things! First, and most significantly, GNOME's default interface font (called Cantarell) has undergone a significant update. Character forms and spacing have been evolved, so that text is more readable and attractive. Several new weights have also been added -- light and extra bold -- which are being used to produce interfaces that are both modern and beautiful. Other beautiful things include GNOME's collection of background wallpapers, which has been updated to include a lovely set of photographs, and the selection of profile pictures, which has been completely updated with attractive new images to pick from."

Unfortunately, you can't just click on a button and upgrade to GNOME 3.28 today. Actually, for the most part, you will need to wait for it to become available for your operating system. Sadly, this can take a while. Fedora users, for instance, will have to wait for a major OS upgrade for it to become available.


Raspberry Pi 3 Model B+ Launched (raspberrypi.org) 160

New submitter stikves writes: The Raspberry foundation has launched an incremental update to the Raspberry Pi 3 model B: Raspberry Pi 3 Model B+ . In addition to slight increase (200MHz) in CPU speed, and upgraded networking (802.11ac and Gigabit, albeit over USB2), one big advantage is the better thermal management which allows sustained performance over longer load periods. Further reading: TechRepublic, and Linux Journal.

One Single Malicious Vehicle Can Block 'Smart' Street Intersections In the US (bleepingcomputer.com) 98

An anonymous reader shares a BleepingComputer report: Academics from the University of Michigan have shown that one single malicious car could trick US-based smart traffic control systems into believing an intersection is full and force the traffic control algorithm to alter its normal behavior, and indirectly cause traffic slowdowns and even block street intersections. The team's research focused on Connected Vehicle (CV) technology, which is currently being included in all cars manufactured across the globe. More precisely, it targets V2I (vehicle-to-infrastructure) protocols, and more precisely the I-SIG system implemented in the US.

The Michigan research team says the I-SIG system in its current default configuration is vulnerable to basic data spoofing attacks. Researchers say this is "due to a vulnerability at the signal control algorithm level," which they call "the last vehicle advantage." This means that the latest arriving vehicle can determine the traffic system's algorithm output. The research team says I-SIG doesn't come with protection from spoofing attacks, allowing one vehicle to send repeated messages to a traffic intersection, posing as the latest vehicle that arrived at the intersection. According to simulated traffic models, the Michigan team says that around a fifth of all cars that entered a test intersection took seven minutes to traverse the traffic junction that would have normally taken only half a minute. Researchers don't believe this bug could be exploited for actual gains in the real world, but the bugs' existence shows the protocol is poorly coded, even four years after first being proved unsecured.


Ubisoft is Using AI To Catch Bugs in Games Before Devs Make Them (wired.co.uk) 126

AI has a new task: helping to keep the bugs out of video games. From a report: At the recent Ubisoft Developer Conference in Montreal, the French gaming company unveiled a new AI assistant for its developers. Dubbed Commit Assistant, the goal of the AI system is to catch bugs before they're ever committed into code, saving developers time and reducing the number of flaws that make it into a game before release. "I think like many good ideas, it's like 'how come we didn't think about that before?'," says Yves Jacquier, who heads up La Forge, Ubisoft's R&D division in Montreal. His department partners with local universities including McGill and Concordia to collaborate on research intended to advance the field of artificial intelligence as a whole, not just within the industry.

La Forge fed Commit Assistant with roughly ten years' worth of code from across Ubisoft's software library, allowing it to learn where mistakes have historically been made, reference any corrections that were applied, and predict when a coder may be about to write a similar bug. "It's all about comparing the lines of code we've created in the past, the bugs that were created in them, and the bugs that were corrected, and finding a way to make links [between them] to provide us with a super-AI for programmers," explains Jacquier.


AI Cheats at Old Atari Games By Finding Unknown Bugs in the Code (theverge.com) 45

An anonymous reader shares a report: AI research and video games are a match made in heaven. Researchers get a ready-made virtual environment with predefined goals they can control completely, and the AI agent gets to romp around without doing any damage. Sometimes, though, they do break things. Case in point is a paper published this week by a trio of machine learning researchers from the University of Freiburg in Germany. They were exploring a particular method of teaching AI agents to navigate video games (in this case, desktop ports of old Atari titles from the 1980s) when they discovered something odd. The software they were testing discovered a bug in the port of the retro video game Q*bert that allowed it to rack up near infinite points. As the trio describe in the paper, published on pre-print server arXiv, the agent was learning how to play Q*bert when it discovered an "interesting solution." Normally, in Q*bert, players jump from cube to cube, with this action changing the platforms' colors. Change all the colors (and dispatch some enemies), and you're rewarded with points and sent to the next level. The AI found a better way, though: "First, it completes the first level and then starts to jump from platform to platform in what seems to be a random manner. For a reason unknown to us, the game does not advance to the second round but the platforms start to blink and the agent quickly gains a huge amount of points (close to 1 million for our episode time limit)."

How Are Sysadmins Handling Spectre/Meltdown Patches? (hpe.com) 49

Esther Schindler (Slashdot reader #16,185) writes that the Spectre and Meltdown vulnerabilities have become "a serious distraction" for sysadmins trying to apply patches and keep up with new fixes, sharing an HPE article described as "what other sysadmins have done so far, as well as their current plans and long-term strategy, not to mention how to communicate progress to management." Everyone has applied patches. But that sounds ever so simple. Ron, an IT admin, summarizes the situation succinctly: "More like applied, applied another, removed, I think re-applied, I give up, and have no clue where I am anymore." That is, sysadmins are ready to apply patches -- when a patch exists. "I applied the patches for Meltdown but I am still waiting for Spectre patches from manufacturers," explains an IT pro named Nick... Vendors have released, pulled back, re-released, and re-pulled back patches, explains Chase, a network administrator. "Everyone is so concerned by this that they rushed code out without testing it enough, leading to what I've heard referred to as 'speculative reboots'..."

The confusion -- and rumored performance hits -- are causing some sysadmins to adopt a "watch carefully" and "wait and see" approach... "The problem is that the patches don't come at no cost in terms of performance. In fact, some patches have warnings about the potential side effects," says Sandra, who recently retired from 30 years of sysadmin work. "Projections of how badly performance will be affected range from 'You won't notice it' to 'significantly impacted.'" Plus, IT staff have to look into whether the patches themselves could break something. They're looking for vulnerabilities and running tests to evaluate how patched systems might break down or be open to other problems.

The article concludes that "everyone knows that Spectre and Meltdown patches are just Band-Aids," with some now looking at buying new servers. One university systems engineer says "I would be curious to see what the new performance figures for Intel vs. AMD (vs. ARM?) turn out to be."

'Critical' T-Mobile Bug Allowed Hackers To Hijack Users' Accounts (vice.com) 16

An anonymous reader quotes a report from Motherboard: The vulnerability was found and reported by a security researcher on December 19 of last year, but it hasn't been revealed until now. Within a day, T-Mobile classified it as "critical," patched the bug, and gave the researcher a $5,000 reward. That's good news, but it's unclear how long the site was vulnerable and whether any malicious hackers found and exploited the bug before it was fixed. The newly disclosed bug allowed hackers to log into T-Mobile's account website as any customer. "It's literally like logging into your account and then stepping away from the keyboard and letting the attacker sit down," Scott Helme, a security researcher who reviewed the bug report, told Motherboard in an online chat. Shortly after we published this story, a T-Mobile spokesperson sent us a statement: "This bug was confidentially reported through our Bug Bounty program in December and fixed within a matter of hours," the emailed statement read. "We found no evidence of customer information being compromised."

Botched npm Update Crashes Linux Systems, Forces Users to Reinstall (bleepingcomputer.com) 256

Catalin Cimpanu, reporting for BleepingComputer: A bug in npm (Node Package Manager), the most widely used JavaScript package manager, will change ownership of crucial Linux system folders, such as /etc, /usr, /boot. Changing ownership of these files either crashes the system, various local apps, or prevents the system from booting, according to reports from users who installed npm v5.7.0. -- the buggy npm update. Users who installed this update -- mostly developers and software engineers -- will likely have to reinstall their system from scratch or restore from a previous system image.

Hackers Hijacked Tesla's Amazon Cloud Account To Mine Cryptocurrency 29

An unidentified hacker or hackers broke into a Tesla-owned Amazon cloud account and used it to "mine" cryptocurrency, security researchers said. The breach also exposed proprietary data for the electric carmaker. From a report: The researchers, who worked for RedLock, a 3-year-old cybersecurity startup, said they discovered the intrusion last month while trying to determine which organization left credentials for an Amazon Web Services (AWS) account open to the public Internet. The owner of the account turned out to be Tesla, they said. "We weren't the first to get to it," Varun Badhwar, CEO and cofounder of RedLock, told Fortune on a call. "Clearly, someone else had launched instances that were already mining cryptocurrency in this particular Tesla environment." The incident is the latest in a string of so-called cryptojacking attacks, which involve thieves hijacking unsuspecting victims' computers to generate virtual currencies like Bitcoin. The schemes have seen a resurgence in popularity as cryptocurrency prices have soared over the past year. In a statement, Tesla said, "We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way."

Enthusiasts have Turned the Nintendo Switch into a Functional Linux Tablet (theverge.com) 96

An anonymous reader shares a report: A couple of weeks ago, the fail0verflow hacking collective showed a still image on Twitter of a Nintendo Switch booting Linux. They're one of a small handful of hacker teams who are teasing exploits of the Nvidia Tegra hardware inside the Switch. But now fail0verflow has video of a full-on Linux distro running on the hacked Switch, complete with touchscreen support, a fully operational web browser, and even a GPU-powered demo application. On Twitter, fail0verflow claims the bug they're exploiting to sidestep the Switch's security can't be patched on currently released hardware, and doesn't require a modchip. But as for now there aren't any details on how to do this yourself at home.

Apple Updates All of Its Operating Systems To Fix App-crashing Bug (engadget.com) 70

It took a few days, but Apple already has a fix out for a bug that caused crashes on each of its platforms. From a report: The company pushed new versions of iOS, macOS and watchOS to fix the issue, which was caused when someone pasted in or received a single Indian-language character in select communications apps -- most notably in iMessages, Safari and the app store. Using a specific character in the Telugu language native to India was enough to crash a variety of chat apps, including iMessage, WhatsApp, Twitter, Facebook Messenger, Gmail and Outlook, though Telegram and Skype were seemingly immune.

Facebook Admits SMS Notifications Sent Using Two-Factor Number Was Caused by Bug (theverge.com) 50

Facebook has clarified the situation around SMS notifications sent using the company's two-factor authentication (2FA) system, admitting that the messages were indeed caused by a bug. From a report: In a blog post penned by Facebook Chief Security Officer Alex Stamos, the company says the error led it to "send non-security-related SMS notifications to these phone numbers." Facebook uses the automated number 362-65, or "FBOOK," as its two-factor authentication number, which is a secure way of confirming a user's identity by sending a numeric code to a secondary device like a mobile phone. That same number ended up sending users Facebook notifications without their consent. When users would attempt to get the SMS notifications to stop, the replies were posted to their own Facebook profiles as status updates.

Apple's Software 'Problem' and 'Fixing' It (learningbyshipping.com) 99

According to media reports, Apple is planning to postpone some new features for iOS and macOS this year to focus on improving reliability, stability and performance of the existing versions. Steven Sinofsky, a former President of the Windows Division, shared his insights into the significance of this development: Several important points are conflated in the broad discussion about Apple and software: Quality, pace of change, features "versus" quality, and innovation. Scanning the landscape, it is important to recognize that in total the work Apple has been doing across hardware, software, services, and even AI/ML, in total -- is breathtaking and unprecedented in scope, scale, and quality. Few companies have done so much for so long with such a high level of consistency. This all goes back to the bet on the NeXT code base and move to Intel for Mac OS plus the iPod, which began the journey to where we are today.

[...] What is lost in all of this recent discussion is the nuance between features, schedule, and quality. It is like having a discussion with a financial advisor over income, risk, and growth. You don't just show up and say you want all three and get a "sure." On the other hand, this is precisely what Apple did so reliably over 20 years. But behind the scenes there is a constant discussion over balancing these three legs of the tripod. You have to have all of them but you "can't" but you have to. This is why they get paid big $.

[...] A massive project like an OS (+h/w +cloud) is like a large investment portfolio and some things will work (in market) and others won't, some things are designed to return right away, some are safe bets, some are long term investments. And some mistakes... Customers don't care about any of that and that's ok. They just look for what they care about. Each evaluates through their own lens. Apple's brilliance is in focusing mostly on two audiences -- Send-users and developers -- tending to de-emphasize the whole "techie" crowd, even IT. When you look at a feature like FaceID and trace it backwards all the way to keychain -- see how much long term thought can go into a feature and how much good work can go unnoticed (or even "fail") for years before surfacing as a big advantage. That's a long term POV AND focus. This approach is rather unique compared to other tech companies that tend to develop new things almost independent of everything else. So new things show up and look bolted on the side of what already exists. (Sure Apple can do that to, but not usually). All the while while things are being built the team is just a dev team and trying to come up with a reliable schedule and fix bug. This is just software development.


Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite (zdnet.com) 151

ZDNet reports of a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.

Slashdot Top Deals