Python

Did Programming Language Flaws Create Insecure Apps? (bleepingcomputer.com) 93

Several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks, according to research presented at the Black Hat Europe 2017 security conference. An anonymous reader writes: The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi, who says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

Fuzzing involves providing invalid, unexpected, or random data as input to a software application. The researcher created his own fuzzing framework named XDiFF that broke down programming languages per each of its core functions and fuzzed each one for abnormalities. His work exposed severe flaws in all five languages, such as a hidden flaw in PHP constant names that can be abused to perform remote code execution, and undocumented Python methods that can be used for OS code execution. Arnaboldi argues that attackers can exploit these flaws even in the most secure applications built on top of these programming languages.

Toys

Ask Slashdot: Are There Any Good Smartwatches Or Fitness Trackers? 243

"What's your opinion on the current state of smartwatches?" asks long-time Slashdot reader rodrigoandrade. He's been researching both smartwatches and fitness trackers, and shares his own opinions: - Manufacturers have learnt from Moto 360 that people want round smartwatches that actually look like traditional watches, with a couple of glaring exceptions....

- Android Wear 2.0 is a thing, not vaporware. It's still pretty raw (think of early Android phones) but it works well. The LG Sport Watch is the highest-end device that supports it.

- LTE-enabled smartwatches finally allow you to ditch your smartphone, if you wish. Just pop you nano SIM in it and party on. The availability is still limited to a few SKUs in some countries, and they're ludicrously expensive, but it's getting there.

Keep reading for his assessment of four high-end choices -- and share your own opinions in the comments.
Intel

Intel's ME May Be Massively Infringing on Minix3's Free Software License (ipwatchdog.com) 241

Software engineer (and IP Watchdog contributor) Fredrik Ohrstrom (a.k.a. Slashdot reader anjara) writes: Almost all Free Software licenses (BSD, MIT, GPL...) require some sort of legal notice (legal attribution) given to the recipient of the software, both when the software is distributed in source and in binary forms. The legal notice usually contains the copyright holder's name and the license text. This means that it's not possible to hide and keep secret the existence of Free Software that you have stuck into your product that you distribute. If you do so, then you are not complying with the Free Software license and you are committing a copyright infringement!

This is exactly what Intel seems to have done with the Intel ME. The Minix3 operating system license requires a legal notice, but so far it seems like Intel has not given the necessary legal notices. (Probably because they want to keep the inside of the ME secret.) Thus not only is Minix3 the most installed OS on our recent x86 CPUs -- but it might also the most pirated OS on our recent x86 CPUs!

Debian

Updated Debian Linux 9.3 and 8.10 Released (debian.org) 49

An anonymous reader writes: The Debian project is pleased to announce the third update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available. The Debian project also announces the tenth update of its oldstable distribution Debian 8 (codename jessie).

Please note that the point release does not constitute a new version of Debian 9 or 8 but only updates some of the packages included. There is no need to throw away old jessie or stretch DVD/CD media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror. This stable update adds a few important corrections to packages. New installation images will be available soon at the mirrors. Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release. One can use the apt command or apt-get command to apply updates. A step-by-step update guide is posted here.

Security

Zero-Day iOS HomeKit Vulnerability Allowed Remote Access To Smart Accessories Including Locks (9to5mac.com) 37

Apple has issued a fix to a vulnerability that allowed unauthorized control of accessories, including smart locks and garage door openers. "Our understanding is Apple has rolled out a server-side fix that now prevents unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality," reports 9to5Mac. From the report: The vulnerability, which we won't describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs. The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac. The issue was not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies. The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple's mobile operating system, connected to the HomeKit user's iCloud account; earlier versions of iOS were not affected.
Android

Google Puts Android Accessibility Crackdown On Hold (slashgear.com) 27

Last month, Google issued a warning to Android app developers that they will no longer be able to access Android accessibility service functions in their apps, unless they can demonstrate that those functions are specifically used to help users with "disabilities." Since a lot of password managers use the Accessibility API, as well as poplar apps like Tasker automation and Greenify battery saver, there was a large amount of backlash from developers and users alike. According to SlashGear, Google is putting the Android accessibility crackdown on hold. From the report: Google has now sent another email that basically says "we'll think about it." It is evaluating "responsible and innovative use" of those services on a case to case basis. It is also requiring developers to explicitly inform users why they are asking for accessibility permissions rather than just informing them. This, of course, puts a heavier burden on Google, as it has to be more involved in the screening of apps rather than just rely on good ol' machine learning and automation. Developers and users probably won't mind, if it means still having access to those features that make Android a platform above all the rest.
Android

Android 8.0 Oreo For Android Wear Released (9to5google.com) 9

According to a Google developer, Android 8.0 Oreo is rolling out to Android Wear devices starting today. The developer said "timing is determined by each watch's manufacturer." 9to5Google notes that there are "no major redesigns with Oreo for the wearable platform," but there are some useful tweaks. From the report: There is a new option to disable touch-to-wake called "Touch lock" in Settings that Google positions as being useful in wet conditions. Google has added the ability to control the strength of vibrations for incoming notifications. Referred to as the "Vibration pattern," options include Normal, Long, and Double. Meanwhile, there is now a toggle to manually enable the "Battery saver," instead of having to wait until the device hits a low charge. This mode disables Vibration, Location services, Wi-Fi & mobile usage, Data & app updates, and the Always-on display. Meanwhile, the update includes notification channels for apps that should provide more granular user control. Google also shared that Wear is now available in seven new countries and languages: Belgium (Dutch), Czech Republic (Czech), El Salvador (Spanish), Honduras (Spanish), Nigeria (English), Paraguay (Spanish), and Portugal (Portuguese).
Bitcoin

Bank of America Wins Patent For Crypto Exchange System (coindesk.com) 52

New submitter psnyder shares a report from CoinDesk: [The patent] outlined a potential cryptocurrency exchange system that would convert one digital currency into another. Further, this system would be automated, establishing the exchange rate between the two currencies based on external data feeds. The patent describes a potential three-part system, where the first part would be a customer's account and the other two would be accounts owned by the business running the system. The user would store their chosen cryptocurrency through the customer account. The second account, referred to as a "float account," would act as a holding area for the cryptocurrency the customer is selling, while the third account, also a float account, would contain the equivalent amount of the cryptocurrency the customer is converting their funds to. That third account would then deposit the converted funds back into the original customer account for withdrawal. The proposed system would collect data from external information sources on cryptocurrency exchange rates, and use this data to establish its own optimal rate. The patent notes this service would be for enterprise-level customers, meaning that if the bank pursues this project, it would be offered to businesses.
Operating Systems

ReactOS 0.4.7 Released (reactos.org) 91

jeditobe writes: OSNews reports that the latest version of ReactOS has been released: "ReactOS 0.4.7 has been released, and it contains a ton of fixes, improvements, and new features. Judging by the screenshots, ReactOS 0.4.7 can run Opera, Firefox, and Mozilla all at once, which is good news for those among us who want to use ReactOS on a more daily basis. There's also a new application manager which, as the name implies, makes it easier to install and uninstall applications, similar to how package managers on Linux work. On a lower level, ReactOS can now deal with Ext2, Ext3, Ext4, BtrFS, ReiserFS, FFS, and NFS partitions." General notes, tests, and changelog for the release can be found at their respective links. A less technical community changelog for ReactOS 0.4.7 is also available. ISO images are ready at the ReactOS Download page.
Chrome

Google Wants Progressive Web Apps To Replace Chrome Apps (androidpolice.com) 153

An anonymous reader quotes a report from Android Police: The Chrome Web Store originally launched in 2010, and serves a hub for installing apps, extensions, and themes packaged for Chrome. Over a year ago, Google announced that it would phase out Chrome apps on Windows, Mac, and Linux in 2018. Today, the company sent out an email to developers with additional information, as well as news about future Progressive Web App support. The existing schedule is mostly still in place -- Chrome apps on the Web Store will no longer be discoverable for Mac, Windows, and Linux users. In fact, if you visit the store right now on anything but a Chromebook, the Apps page is gone. Google originally planned to remove app support on all platforms (except Chrome OS) entirely by Q1 2018, but Google has decided to transition to Progressive Web Apps:

"The Chrome team is now working to enable Progressive Web Apps (PWAs) to be installed on the desktop. Once this functionality ships (roughly targeting mid-2018), users will be able to install web apps to the desktop and launch them via icons and shortcuts; similar to the way that Chrome Apps can be installed today. In order to enable a more seamless transition from Chrome Apps to the web, Chrome will not fully remove support for Chrome Apps on Windows, Mac or Linux until after Desktop PWA installability becomes available in 2018. Timelines are still rough, but this will be a number of months later than the originally planned deprecation timeline of 'early 2018.' We also recognize that Desktop PWAs will not replace all Chrome App capabilities. We have been investigating ways to simplify the transition for developers that depend on exclusive Chrome App APIs, and will continue to focus on this -- in particular the Sockets, HID and Serial APIs."

Intel

System76 Will Disable Intel Management Engine On Its Linux Laptops (liliputing.com) 148

System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.
Android

Recent Blu Update Locks Users out of Their Phones (bleepingcomputer.com) 81

An Android update that Blu shipped to Blu One Life X2 smartphones yesterday, November 28, has locked people out of their phones. From a report: On forums, Reddit, and Blu's official Facebook page, users are complaining that after applying the update and rebooting the device, their phone won't recognize their password, PIN code, or pattern lock, even if users are 100% sure they are entering the correct data. Bleeping Computer has independently verified this bug. "I updated my BLU Life One X2 around 2 hours ago. It asks for a password in order to access Android," said one of the Blu users facing this problem. "I am completely locked out of my phone. Ever single password used is marked incorrect." After ten "failed" login attempts, the user's data is wiped from the device, according to the standard Android OS behavior.
Chrome

Microsoft Office Now Available On All Chromebooks (theverge.com) 113

Microsoft has reportedly finished testing out its Office apps on Chromebooks as a number of Chromebooks are now seeing the Office apps in the Google Play Store. Samsung's Chromebook Pro, Acer's Chromebook 15, and Acer's C771 have the Office apps available for download. The Verge reports: The apps are Android versions of Office which include the same features you'd find on an Android tablet running Office. Devices like Asus' Chromebook Flip (with a 10.1-inch display) will get free access to Office on Chrome OS, but larger devices will need a subscription. Microsoft has a rule across Windows, iOS, and Android hardware that means devices larger than 10.1 inches need an Office 365 subscription to unlock the ability to create, edit, or print documents.
Android

The Pixel 2's Dormant 'Visual Core' Chip Gets Activated In Latest Android Developer Preview (techcrunch.com) 32

The Google Pixel 2 and Pixel 2 XL both feature a custom Intel "Visual Core" co-processor, which is meant to improve speed and battery life when shooting photos with Google's HDR+ technology. The chip has been hanging out in the phone not really doing much of anything -- until now. TechCrunch reports of a new developer preview of Android 8.1 due out today that puts the chip to use. "The component is expected to further improve the handsets' cameras, which were already scoring good marks, production issues aside." From the report: According to the company, Pixel Visual Core has eight image processing unit (IPU) cores and 512 arithmetic logic units. Using machine learning, the company says it's able to speed things up by 5x, with one tenth of the energy. Access to the chip, combined with the Android Camera API means third-party photo apps will be able to take advantage of the system's speedy HDR+. Sounds swell, right? Of course, this is still just an early preview, only available to people who sign up for Google's Beta program. That means, among other things, dealing with potential bugs of an early build. Google wouldn't give us any more specific information with regards to when the feature will be unlocked for the public, but it's expected to arrive along with the 8.1 public beta in December.
Bug

iPhone Users Complain About the Word 'It' Autocorrecting To 'I.T' On iOS 11 and Later (macrumors.com) 116

An anonymous reader quotes a report from MacRumors: At least a few hundred iPhone users and counting have complained about the word "it" autocorrecting to "I.T" on iOS 11 and later. When affected users type the word "it" into a text field, the keyboard first shows "I.T" as a QuickType suggestion. After tapping the space key, the word "it" automatically changes to "I.T" without actually tapping the predictive suggestion. A growing number of iPhone users have voiced their frustrations about the issue on the MacRumors discussion forums, Twitter, and other discussion platforms on the web since shortly after iOS 11 was released in late September. Many users claim the apparent autocorrect bug persists even after rebooting the device and performing other basic troubleshooting. A temporary workaround is to tap Settings: General: Keyboard: Text Replacement and enter "it" as both the phrase and shortcut, but some users insist this solution does not solve the problem. A less ideal workaround is to toggle off auto-correction and/or predictive suggestions completely under Settings: General: Keyboard. MacRumors reader Tim shared a video that highlights the issue.
Iphone

Two Major Cydia Hosts Shut Down as Jailbreaking Fades in Popularity (macrumors.com) 90

Joe Rossignol, writing for MacRumors: ModMy last week announced it has archived its default ModMyi repository on Cydia, which is essentially an alternative App Store for downloading apps, themes, tweaks, and other files on jailbroken iPhone, iPad, and iPod touch devices. ZodTTD/MacCiti also shut down this month, meaning that two out of three of Cydia's major default repositories are no longer active as of this month. ModMy recommends developers in the jailbreaking community use the BigBoss repository, which is one of the last major Cydia sources that remains functional. The closure of two major Cydia repositories is arguably the result of a declining interest in jailbreaking, which provides root filesystem access and allows users to modify iOS and install unapproved apps on an iPhone, iPad, or iPod touch. When the iPhone and iPod touch were first released in 2007, jailbreaking quickly grew in popularity for both fun and practical reasons. Before the App Store, for example, it allowed users to install apps and games. Jailbreaking was even useful for something as simple as setting a wallpaper, not possible on early iOS versions.
Open Source

Linux Pioneer Munich Confirms Switch To Windows 10 (techrepublic.com) 336

The German city of Munich, once seen as a open-source pioneer, has decided to return to Windows. Windows 10 will be rolled out to about 29,000 PCs at the city council, a major shift for an authority that has been running Linux for more than a decade. From a report: Back in 2003 the council decided to to switch to a Linux-based desktop, which came to be known as LiMux, and other open-source software, despite heavy lobbying by Microsoft. But now Munich will begin rolling out a Windows 10 client from 2020, at a cost of about Euro 50m ($59.6m), with a view to Windows replacing LiMux across the council by early 2023. Politicians who supported the move at a meeting of the full council today say using Windows 10 will make it easier to source compatible applications and hardware drivers than it has been using a Linux-based OS, and will also reduce costs associated with running Windows and LiMux PCs side-by-side.
Wine

Ask Slashdot: What Are Your Greatest Successes and Weaknesses With Wine (Software)? 252

wjcofkc writes: As a distraction, I decided to get the video-editing software Filmora up and running on my Ubuntu box. After some tinkering, I was able to get it installed, only to have the first stage vaporize on launch. This got me reflecting on my many hits and misses with Wine (software) over the years. Before ditching private employment, my last job was with a software company. They were pretty open minded when I came marching in with my System76 laptop, and totally cool with me using Linux as my daily driver after quickly getting the Windows version of their software up and running without a hitch. They had me write extensive documentation on the process. It was only two or three paragraphs, but I consider that another Wine win since to that end I scored points at work. Past that, open source filled in the blanks. That was the only time I ever actually needed (arguably) for it to work. Truth be told, I mostly tinker around with it a couple times a year just to see what does and does not run. Wine has been around for quite awhile now, and while it will never be perfect, the project is not without merit. So Slashdot community, what have been your greatest successes and failures with Wine over the years?
Security

Ask Slashdot: How Are So Many Security Vulnerabilities Possible? 354

dryriver writes: It seems like not a day goes by on Slashdot and elsewhere on the intertubes that you don't read a story headline reading "Company_Name Product_Name Has Critical Vulnerability That Allows Hackers To Description_Of_Bad_Things_Vulnerability_Allows_To_Happen." A lot of it is big brand products as well. How, in the 21st century, is this possible, and with such frequency? Is software running on electronic hardware invariably open to hacking if someone just tries long and hard enough? Or are the product manufacturers simply careless or cutting corners in their product designs? If you create something that communicates with other things electronically, is there no way at all to ensure that the device is practically unhackable?
Security

Sacramento Regional Transit Systems Hit By Hacker (cbslocal.com) 35

Zorro shares a report from CBS Local: Sacramento Regional Transit is the one being taken for a ride on this night, by a computer hacker. That hacker forced RT to halt its operating systems that take credit card payments, and assigns buses and trains to their routes. The local transit agency alerted federal agents following an attack on their computers that riders may not have noticed Monday. "We actually had the hackers get into our system, and systematically start erasing programs and data," Deputy General Manager Mark Lonergan. Inside RT's headquarters, computer systems were taken down after the hacker deleted 30 million files. The hacker also demanded a ransom in bitcoin, and left a message on the RT website reading "I'm sorry to modify the home page, I'm good hacker, I just want to help you fix these vulnerability."

Slashdot Top Deals