Security

Up To 3 Million Devices Infected By Malware-Laced Chrome and Edge Add-Ons (arstechnica.com) 17

As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to ad or phishing sites, a security firm said on Wednesday. Ars Technica reports: In all, researchers from Prague-based Avast said they found 28 extensions for the Google Chrome and Microsoft Edge browsers that contained malware. The add-ons billed themselves as a way to download pictures, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify. At the time this post went live, some, but not all, of the malicious extensions remained available for download from Google and Microsoft. Avast researchers found malicious code in the JavaScript-based extensions that allows them to download malware onto an infected computer.

In a post, the researchers wrote: "Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker's control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit. User's privacy is compromised by this procedure since a log of all clicks is being sent to these third party intermediary websites. The actors also exfiltrate and collect the user's birth dates, email addresses, and device information, including first sign in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user)."

The researchers don't yet know if the extensions came with the malicious code preinstalled or if the developers waited for the extensions to gain a critical mass of users and only then pushed a malicious update. It's also possible that legitimate developers created the add-ons and then unknowingly sold them to someone who intended to use them maliciously. [...] The list Avast provides in its blog post includes links to download locations for both Chrome and Edge. Anyone who has downloaded one of these add-ons should remove it immediately and run a virus scan.

Twitter

Twitter App Code Indicates That Live Video Broadcasting App Periscope May Get Shut Down (techcrunch.com) 11

Twitter has been doubling down on video services within its app, building out Twitter Live and recently launching Fleets so that users can share more moving media alongside their pithy 180-word observations, links and still photos. But in the process, it appears that it may also be streamlining its bigger stable of services. From a report: Code in the Twitter app indicates that Periscope -- the live video broadcasting app that launched a thousand fluttering hearts -- may be headed into retirement. Date and other details are still unknown, but super-sleuth developer Jane Machun Wong found a line in Twitter's app code that indicated a link to a shutdown notice for Periscope (which currently does not go to a live link). There are no shutdown references in any of the code in the currently obtainable version of the Periscope app, Wong told us, but she also pointed out that the two apps do share some code -- indeed there are integrations between the two Twitter-owned apps -- and "I guess [that] is how the text in the screenshot got slipped into Twitter," she said.

Space

Duck! Meteor! Oh, Maybe Don't Bother - This Time... 49

RockDoctor (Slashdot reader #15,477) is a professional geologist, and asks: Did anyone feel a sudden wind through their hair at about 17:19+00:00 on Monday, particularly in the mid Pacific? No?

Good. Nobody else did. Nobody noticed the asteroid whizzing past just above the Earth's atmosphere (for certain values of "above" including "not very far" and "373km above ground"). That's the closest natural body (i.e., not a spacecraft) documented in near-Earth space which hasn't actually hit the thick-enough parts of the atmosphere to glow, fragment, make sonic booms and dent automobiles.

So, we dodged another bullet, and no windows were broken. This one probably wouldn't have done significant damage even if it had touched down in fire and fury — it was about half the size of the 2013 Chelyabinsk meteor, and so around one eighth of the energy (and potential damage). Everyone can go back to bed and sleep easy. Right?

But one tiny thing to disturb your sleep: we didn't see this one coming until after it had gone past us. Nor did we see it in its close approaches on 2014-10-26.60152 or 2017-11-06.57008. And with another 39 projected Earth approaches before the next turn-of-century, it's pretty obvious that one day this is going to hit us.

For those who know what an MPEC is [a Minor Planet Electronic Circular], Bill Gray has written up one of his "pseudo-MPECs" with links to other work on this object here, while the actual discovery record is here. The object has been given a formal name of 2020 VT4 unless the discoverers at the ATLAS Mauna Loa Observatory choose to give it a name ("COVID", or "hair-parter", or "hats-off", perhaps. Or just "Rupert".)

Wikipedia has caught up too.

There will be another close-pass, and an impact, one day. This doesn't change the odds of that happening (probability 1), but it might make it feel a little more immediate.

Social Networks

Conspiracy Theorists Who'd First Popularized QAnon Now Accused of Financial Motives (nbcnews.com) 152

QAnon "was first championed by a handful of people who worked together to stir discussion of the 'Q' posts, eventually pushing the theory on to bigger platforms and gaining followers — a strategy that proved to be the key to Qanon's spread and the originators' financial gain..." reports NBC News, in an article shared by long-time Slashdot reader AmiMoJo.

"NBC News has found that the theory can be traced back to three people who sparked some of the first conversation about Qanon and, in doing so, attracted followers who they then asked to help fund Qanon 'research.'" In November 2017, a small-time YouTube video creator and two moderators of the 4chan website, one of the most extreme message boards on the internet, banded together and plucked out of obscurity an anonymous and cryptic post from the many conspiracy theories that populated the website's message board. Over the next several months, they would create videos, a Reddit community, a business and an entire mythology based off the 4chan posts of "Q," the pseudonym of a person claiming to be a high-ranking military officer. The theory they espoused would become Qanon, and it would eventually make its way from those message boards to national media stories and the rallies of President Donald Trump.

Now, the people behind that effort are at the center of a fractious debate among conspiracy enthusiasts, some of whom believe the three people who first popularized the Qanon theory are promoting it in order to make a living. Others suggest that these original followers actually wrote Q's mysterious posts...

Qanon was just another unremarkable part of the "anon" genre until November 2017, when two moderators of the 4chan board where Q posted predictions, who went by the usernames Pamphlet Anon [real name: Coleman Rogers] and BaruchtheScribe, reached out to Tracy Diaz, according to Diaz's blogs and YouTube videos. BaruchtheScribe, in reality a self-identified web programmer from South Africa named Paul Furber, confirmed that account to NBC News. "A bunch of us decided that the message needed to go wider so we contacted Youtubers who had been commenting on the Q drops," Furber said in an email... As Diaz tells it in a blog post detailing her role in the early days of Qanon, she banded together with the two moderators. Their goal, according to Diaz, was to build a following for Qanon — which would mean bigger followings for them as well... Diaz followed with dozens more Q-themed videos, each containing a call for viewers to donate through links to her Patreon and PayPal accounts. Diaz's YouTube channel now boasts more than 90,000 subscribers and her videos have been watched over 8 million times. More than 97,000 people follow her on Twitter.

Diaz, who emerged from bankruptcy in 2009, says in her YouTube videos that she now relies on donations from patrons funding her YouTube "research" as her sole source of income. Diaz declined to comment on this story. "Because I cover Q, I got an audience," Diaz acknowledged in a video that NBC News reviewed last week before she deleted it.

To reach a more mainstream audience (older people and "normies," who on their own would have trouble navigating the fringe message boards), Diaz said in her blog post she recommended they move to the more user-friendly Reddit. Archives listing the three as the original posters and moderators show they created a new Reddit community... Their move to Reddit was key to Qanon's eventual spread. There, they were able to tap into a larger audience of conspiracy theorists, and drive discussion with their analysis of each Q post. From there, Qanon crept to Facebook where it found a new, older audience via dozens of public and private groups...

As Qanon picked up steam, growing skepticism over the motives of Diaz, Rogers, and the other early Qanon supporters led some in the internet's conspiracy circles to turn their paranoia on the group. Recently, some Qanon followers have accused Diaz and Rogers of profiting from the movement by soliciting donations from their followers. Other pro-Trump online groups have questioned the roles that Diaz and Rogers have played in promoting Q, pointing to a series of slip-ups that they say show Rogers and Diaz may have been involved in the theory from the start.

Those accusations have led Diaz and Rogers to both deny that they are Q and say they don't know who Q is.

China

India Bans Another 43 Chinese Apps Over Cybersecurity Concerns (techcrunch.com) 13

India is not done banning Chinese apps. The world's second largest internet market, which has banned over 175 apps with links to the neighboring nation in recent months, said on Tuesday it was banning an additional 43 such apps. From a report: Like with the previous orders, India cited cybersecurity concerns to block these apps. "This action was taken based on the inputs regarding these apps for engaging in activities which are prejudicial to sovereignty and integrity of India, defence of India, security of state and public order," said India's IT Ministry in a statement. The ministry said it issued the order to block these apps "based on the comprehensive reports received from Indian Cyber Crime Coordination Center, Ministry of Home Affairs." The apps that have been banned include popular short video service Snack Video, which had surged to the top of the chart in recent months, as well as e-commerce app AliExpress, delivery app Lalamove, and shopping app Taobao Live. At this point, there doesn't appear to be any Chinese app left in the top 500 apps used in India.

Software

Tech Organizations Back 'Inclusive Naming Initiative' (theregister.com) 264

New submitter LeeLynx shares a report from The Register: A new group called the "Inclusive Naming Initiative" has revealed its existence and mission "to help companies and projects remove all harmful and unclear language of any kind and replace it with an agreed-upon set of neutral terms." Akamai, Cisco, the Cloud Native Computing Foundation, IBM, the Linux Foundation, Red Hat, and VMware are all participants. The group has already offered a Word replacement list that suggests alternatives to the terms whitelist, blacklist, slave, and master. There's also a framework for evaluating harmful language that offers guidance on how to make changes.

Red Hat's post announcing its participation in the Initiative links to a dashboard listing all instances of terms it wants changed and reports over 330,000 uses of "Master" and 105,000 uses of "Slave," plus tens of thousands of whitelists and blacklists. Changing them all will be a big job, wrote Red Hat's senior veep and CTO Chris Wright. "On a technical level, change has to be made in hundreds of discrete communities, representing thousands of different projects across as many code repositories," Wright wrote. "Care has to be taken to prevent application or API breakage, maintain backward compatibility, and communicate the changes to users and customers." The Initiative nonetheless hopes to move quickly, with its roadmap calling for best practices to be defined during Q1 2021, case studies to be available in Q3 2021 and a certification program delivered in Q4 2021.

Security

Massive, China-State-Funded Hack Hits Companies Around the World, Report Says (arstechnica.com) 99

An anonymous reader quotes a report from Ars Technica: Researchers have uncovered a massive hacking campaign that's using sophisticated tools and techniques to compromise the networks of companies around the world. The hackers, most likely from a well-known group that's funded by the Chinese government, are outfitted with both off-the-shelf and custom-made tools. One such tool exploits Zerologon, the name given to a Windows server vulnerability, patched in August, that can give attackers instant administrator privileges on vulnerable systems. Symantec uses the code name Cicada for the group, which is widely believed to be funded by the Chinese government and also carries the monikers of APT10, Stone Panda, and Cloud Hopper from other research organizations. The group has been active in espionage-style hacking since at least 2009 and almost exclusively targets companies linked to Japan. While the companies targeted in the recent campaign are located in the United States and other countries, all of them have links to Japan or Japanese companies.

The attacks make extensive use of DLL side-loading, a technique that occurs when attackers replace a legitimate Windows dynamic-link library file with a malicious one. Attackers use DLL side-loading to inject malware into legitimate processes so they can keep the hack from being detected by security software. The campaign also makes use of a tool that's capable of exploiting Zerologon. Exploits work by sending a string of zeros in a series of messages that use the Netlogon protocol, which Windows servers use to let users log into networks. People with no authentication can use Zerologon to access an organization's crown jewels -- the Active Directory domain controllers that act as an all-powerful gatekeeper for all machines connected to a network. Microsoft patched the critical privilege-escalation vulnerability in August, but since then attackers have been using it to compromise organizations that have yet to install the update. Both the FBI and Department of Homeland Security have urged that systems be patched immediately. Among the machines compromised during attacks discovered by Symantec were domain controllers and file servers. Company researchers also uncovered evidence of files being exfiltrated from some of the compromised machines.
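The report describes DLL side-loading only in outline. As an added example (not Symantec's or the article's code), the following Python triage routine shows the defender's side of it: it walks image-load records shaped like Sysmon event 7 fields (Image, ImageLoaded, Signed, SignatureStatus) and flags the pattern side-loading depends on, a DLL with a system-library name resolving from outside the system directories, or a DLL loaded from a user-writable directory next to the executable that loaded it. The sample records, the directory markers and the set of DLL names are constructed for this example and are not drawn from the campaign.

```python
import ntpath

# Constructed policy for this example. Paths are compared in lower case.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Assumed subset of DLL names that normally live in System32; a copy placed
# next to an executable is exactly what a side-loading attack relies on.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll", "wtsapi32.dll"}


def assess_image_load(rec):
    """Return the reasons an image-load record looks like side-loading.
    An empty list means nothing suspicious. rec mirrors Sysmon event 7 fields."""
    image = rec["Image"].lower()
    loaded = rec["ImageLoaded"].lower()
    name = ntpath.basename(loaded)
    loaded_dir = ntpath.dirname(loaded) + "\\"
    exe_dir = ntpath.dirname(image) + "\\"
    reasons = []
    if name in SYSTEM_DLL_NAMES and not loaded_dir.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name resolved outside a system directory")
    if loaded_dir == exe_dir and any(m in loaded_dir for m in USER_WRITABLE_MARKERS):
        reasons.append("DLL loaded beside its executable from a user-writable path")
    # Signature state is only an aggravating factor: plenty of benign software
    # ships unsigned DLLs, so it never triggers a hit on its own.
    if reasons and (rec.get("Signed", "false").lower() != "true"
                    or rec.get("SignatureStatus", "").lower() != "valid"):
        reasons.append("module is unsigned or its signature did not validate")
    return reasons


def triage(records):
    """Apply assess_image_load to every record and return only the flagged ones."""
    hits = []
    for rec in records:
        reasons = assess_image_load(rec)
        if reasons:
            hits.append({"Image": rec["Image"], "ImageLoaded": rec["ImageLoaded"], "reasons": reasons})
    return hits


# Constructed sample records: two benign loads, two that match the pattern.
SAMPLE_LOADS = [
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Program Files\\VendorApp\\vendorapp.exe",
     "ImageLoaded": "C:\\Program Files\\VendorApp\\vendorhelper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\signedtool.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\ProgramData\\cache\\viewer.exe",
     "ImageLoaded": "C:\\ProgramData\\cache\\dbghelp.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOADS):
        print(hit["ImageLoaded"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The rule deliberately keys on where a DLL was resolved from rather than on its hash, because a side-loaded library is usually freshly built per victim while the signed host executable is a stock vendor binary; pairing the load path with the signature state gives a hit that an analyst can confirm quickly against the file on disk.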

Privacy

Micropayments Company Coil Distributes New Privacy Policy With Email That Puts Users' Addresses in the 'To:' Field (theregister.com) 22

Micropayments company Coil has emailed users its new privacy policy but placed hundreds of their addresses in the "To:" field and therefore breached their privacy. From a report: The mail had the Subject line "Updates to Coil's Terms and Privacy Policy" and offered links to the document. The Register has read it and can report that, while it reveals that Coil seeks permission to share users' details with service providers, partners, and "related entities," we cannot find a clause that resembles: "We reserve the right to expose your email address to countless other Coil users in the 'To:' field of an email."

Google

Simple Search Is a Browser Extension That Gives You Google Circa 2010 (theverge.com) 54

A group of journalists has built a browser extension, called Simple Search, to show you what Google search would look like without the information panels, shopping boxes, and search ads. The Verge reports: Introducing the extension, Maddy Varner and Sam Morris describe it as a conscious throwback to an earlier version of Google search, before the integration of the Knowledge Graph and its accompanying information boxes. "The extension lets you travel back to a time when online search operated a little differently," they write. "Nowadays, you don't always have to click any of the 'blue links' to get information related to your search -- Google gives you what it thinks is important in info boxes of information pulled from other websites." The extension works on Google and Bing searches and is available for both Firefox and Chrome browsers.

The Internet

Alphabet Project Uses Light Beams To Bring Broadband To Remote Regions (newatlas.com) 50

An Alphabet X innovation lab project has been working on a high-speed wireless optical communications network that uses beams of light instead of cables or radio waves, and folks in Kenya will be the first to benefit from the fruits of these labors. New Atlas reports: Project Taara, a part of Alphabet's X moonshot factory, has been working on a wireless optical technology that could deliver high-speed, high-capacity connectivity to remote areas using a network of light emitters and receivers. The initiative has now partnered with the Econet Group to install its technology in Sub-Saharan Africa, starting with Kenya. Rather than rely on cables to carry data, which can prove challenging or costly to roll out in the region, Project Taara will send information at up to 20 Gbps using a narrow, invisible beam of light. The beam is transmitted between Taara terminals to create a network of line-of-sight data links, with up to 20 km (12 mi) between two links possible.

There does need to be a constant flow of data between the links, so engineers place the terminals high above ground on poles, rooftops and towers. The technology has already undergone pilot testing in Kenya (and India) and will now roll out from existing Liquid Telecom (a subsidiary of Econet) fiber optic networks to serve remote areas beyond the reach of traditional solutions -- such as over bodies of water, through forests, national parks and post-conflict zones. It is hoped that the optical network could also help to plug coverage gaps of cell towers and Wi-Fi hotspots.

Facebook

Steve Bannon Caught Running a Network of Misinformation Pages On Facebook (gizmodo.com) 184

An anonymous reader quotes a report from Gizmodo: Steve Bannon has been outed for his involvement in running a network of misinformation pages on Facebook. Who could have possibly seen this coming. Facebook has talked a big game about monitoring election misinformation, and yet the independent activist network Avaaz said it had to alert the company to the pages before it removed them for coordinated inauthentic behavior. The group didn't need an army of 35,000 moderators to figure this out, and yet Facebook consistently fails to spot the troublemakers that journalists and researchers with less funding and staff seem to keep spotting. As they say: makes you think. Avaaz said that it alerted Facebook to the pages on Friday night. By that time, in aggregate, Avaaz says the top seven pages -- Brian Kolfage, Conservative Values, The Undefeated, We Build the Wall Inc, Citizens of the American Republic, American Joe, and Trump at War -- had collectively gained over 2.45 million followers. In some cases, Bannon and Brian Kolfage, co-conspirator in the "We Build the Wall, Inc." fundraiser/alleged scam, were co-admins.

Avaaz campaign director Fadi Quran told Gizmodo that its team identified the Bannon ring by running an "influencer analysis," keeping tabs on frequent guests on Bannon's podcasts and pages affiliated with Bannon's former "We Build the Wall" grift. Avaaz, which comprises 40 investigators and data analysts, has kept tabs on habitual misinformers and their coordinated sharing through custom software. They noticed that the Bannon-related pages tended to publish content at the same time and linked to the Populist Press, an even more right-wing Drudge Report copycat trafficking in disproven election fraud claims. The pages avoided warning labels by laundering links through the Populist Press domain rather than posting the original URLs for stories Facebook had already flagged as misinformation. Avaaz says they'd previously alerted Facebook to a network of 180 Bannon-connected pages and groups which have been sharing misinformation.

"We're a small team run with small donations," Quran told Gizmodo. "If we can spot this stuff, a multi-billion dollar company with tens of thousands of employees focused on the election and disinformation most certainly can. We are tired of doing their job for them."

Quran added that Avaaz has been alerting Facebook to its problems all year. "If 2016 was an accident," Quran added, "2020 has been negligence."

Electronic Frontier Foundation

EFF Argues RIAA is 'Abusing DMCA' to Take Down YouTube-DL (eff.org) 49

While the RIAA has objected to a tool for downloading online videos, EFF senior activist Elliot Harmon responds with this question. "Who died and put them in charge of YouTube?"

He asks the question in a new video "explainer" on the controversy, and argues in a new piece at EFF.org that the youtube-dl tool "doesn't infringe on any RIAA copyrights." RIAA's argument relies on a different section of the DMCA, Section 1201. DMCA 1201 says that it's illegal to bypass a digital lock in order to access or modify a copyrighted work. Copyright holders have argued that it's a violation of DMCA 1201 to bypass DRM even if you're doing it for completely lawful purposes; for example, if you're downloading a video on YouTube for the purpose of using it in a way that's protected by fair use. (And thanks to the way that copyright law has been globalized via trade agreements, similar laws exist in many other jurisdictions too.) RIAA argues that since youtube-dl could be used to download music owned by RIAA-member labels, no one should be able to use the tool, even for completely lawful purposes.

This is an egregious abuse of the notice-and-takedown system, which is intended to resolve disputes over allegedly infringing material online. Again, youtube-dl doesn't use RIAA-member labels' music in any way. The makers of youtube-dl simply shared information with the public about how to perform a certain task — one with many completely lawful applications.

Harmon wants to hear from people using youtube-dl for lawful purposes. And he also links to an earlier EFF piece arguing that DMCA 1201 "is incredibly broad, apparently allowing rightsholders to legally harass any 'trafficker' in code that lets users re-take control of their devices from DRM locks..."

And EFF's concern over DMCA 1201 has been ongoing: DMCA 1201 has been loaded with terrible implications for innovation and free expression since the day it was passed. For many years, EFF documented these issues in our "Unintended Consequences" series; we continue to organize and lobby for temporary exemptions to its provisions for the purposes of cellphone unlocking, restoring vintage videogames and similar fair uses, as well as file and defend lawsuits in the United States to try and mitigate its damage. We look forward to the day when it is no longer part of U.S. law.

But due to the WIPO Copyright Treaty, the DMCA's anti-circumvention provisions infest much of the world's jurisdictions too, including the European Union via the Information Society Directive 2001/29/EC.

Facebook

Study Shows Which Messengers Leak Your Data, Drain Your Battery, and More (arstechnica.com) 25

AmiMoJo writes: Link previews are a ubiquitous feature found in just about every chat and messaging app, and with good reason. They make online conversations easier by providing images and text associated with the file that's being linked. Unfortunately, they can also leak our sensitive data, consume our limited bandwidth, drain our batteries, and, in one case, expose links in chats that are supposed to be end-to-end encrypted. Among the worst offenders, according to research published on Monday, were messengers from Facebook, Instagram, LinkedIn, and Line. [...] Facebook Messenger and Instagram both downloaded a 2.6GB test file, as well as executing arbitrary Javascript code on their servers. When informed of this Facebook (which owns Instagram) said that was the intended behaviour, even though it could be used to e.g. hijack their servers for cryptocurrency mining. The three best messaging platforms were Signal, WhatsApp, Threema and iMessage, at least in terms of properly protecting your personal data.

The Internet

Study Shows Which Messengers Leak Your Data, Drain Your Battery, and More (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: Link previews are a ubiquitous feature found in just about every chat and messaging app, and with good reason. They make online conversations easier by providing images and text associated with the file that's being linked. Unfortunately, they can also leak our sensitive data, consume our limited bandwidth, drain our batteries, and, in one case, expose links in chats that are supposed to be end-to-end encrypted. Among the worst offenders, according to research published on Monday, were messengers from Facebook, Instagram, LinkedIn, and Line. More about that shortly.

The researchers behind Monday's report, Talal Haj Bakry and Tommy Mysk, found that Facebook Messenger and Instagram were the worst offenders. As the chart below shows, both apps download and copy a linked file in its entirety -- even if it's gigabytes in size. Again, this may be a concern if the file is something the users want to keep private. It's also problematic because the apps can consume vast amounts of bandwidth and battery reserves. Both apps also run any JavaScript contained in the link. That's a problem because users have no way of vetting the security of JavaScript and can't expect messengers to have the same exploit protections modern browsers have.

LinkedIn performed only slightly better. Its only difference was that, rather than copying files of any size, it copied only the first 50 megabytes. Haj Bakry and Mysk reported their findings to Facebook, and the company said that both apps work as intended. Meanwhile, when the Line app opens an encrypted message and finds a link, it appears to send the link to the Line server to generate a preview. "We believe that this defeats the purpose of end-to-end encryption, since LINE servers know all about the links that are being sent through the app, and who's sharing which links to whom," Haj Bakry and Mysk wrote. Discord, Google Hangouts, Slack, Twitter, and Zoom also copy files, but they cap the amount of data at anywhere from 15MB to 50MB. [This chart] provides a comparison of each app in the study.
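Both write-ups of the link-preview study (the submission above and the Ars Technica summary) come down to the same two failure modes: a preview generator that copies a linked file no matter how large it is, and one that runs whatever JavaScript the page carries. As an added example, not the researchers' code or any messenger's implementation, the Python function below shows how a preview fetcher can close both gaps: it refuses non-HTML content types outright, honours a declared size cap, enforces the same cap while streaming in case the server lies about or omits Content-Length, and pulls title and Open Graph metadata with a plain HTML tokenizer that treats script bodies as inert text. The cap, chunk size, sample page and oversized body are all constructed for this example.

```python
import io
from html.parser import HTMLParser

# Assumed policy values for this example (not taken from the study).
MAX_PREVIEW_BYTES = 1024 * 1024   # never read more than 1 MiB for a preview
CHUNK = 64 * 1024
PREVIEWABLE_TYPES = {"text/html", "application/xhtml+xml"}


class _MetaParser(HTMLParser):
    """Collects <title> and og:* meta tags. HTMLParser hands script bodies to
    handle_data as text, so nothing in the fetched page is ever executed."""

    def __init__(self):
        super().__init__()
        self.title = None
        self.og = {}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            key = a.get("property") or a.get("name") or ""
            if key.startswith("og:") and a.get("content") is not None:
                self.og[key] = a["content"]

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title and self.title is None:
            self.title = data.strip()


def build_preview(content_type, content_length, body):
    """Decide whether a fetched response may be previewed and, if so, extract
    title/description/image without downloading more than the cap.
    content_type: Content-Type header value; content_length: int or None
    (absent/chunked); body: binary file-like object for the response stream."""
    media = content_type.split(";")[0].strip().lower()
    if media not in PREVIEWABLE_TYPES:
        # Videos, archives, PDFs and the like are never copied for a preview.
        return {"status": "skipped", "reason": f"not previewable: {media}", "bytes_read": 0}
    if content_length is not None and content_length > MAX_PREVIEW_BYTES:
        return {"status": "skipped", "reason": "declared size over cap", "bytes_read": 0}

    # Stream with a hard cap so a missing or dishonest Content-Length still
    # cannot turn a preview into a multi-gigabyte download.
    buf = bytearray()
    while True:
        chunk = body.read(CHUNK)
        if not chunk:
            break
        buf.extend(chunk)
        if len(buf) > MAX_PREVIEW_BYTES:
            return {"status": "skipped", "reason": "body exceeded cap while streaming",
                    "bytes_read": len(buf)}

    parser = _MetaParser()
    parser.feed(buf.decode("utf-8", errors="replace"))
    parser.close()
    return {
        "status": "ok",
        "title": parser.og.get("og:title") or parser.title,
        "description": parser.og.get("og:description"),
        "image": parser.og.get("og:image"),
        "bytes_read": len(buf),
    }


def preview_from_bytes(content_type, content_length, raw):
    """Convenience wrapper: run build_preview over an in-memory body."""
    return build_preview(content_type, content_length, io.BytesIO(raw))


# Constructed sample page: metadata plus a script a naive previewer would run.
SAMPLE_HTML = b"""<html><head>
<title>Quarterly results</title>
<meta property="og:title" content="Quarterly results - Example Corp">
<meta property="og:description" content="Internal draft, do not forward">
<meta property="og:image" content="https://example.invalid/chart.png">
<script>alert('a previewer must never execute this')</script>
</head><body><p>body text</p></body></html>"""

# Constructed 3 MiB body standing in for a large file behind a shared link.
OVERSIZED_BODY = b"\x00" * (3 * 1024 * 1024)

if __name__ == "__main__":
    print(preview_from_bytes("text/html; charset=utf-8", len(SAMPLE_HTML), SAMPLE_HTML))
    print(preview_from_bytes("video/mp4", None, OVERSIZED_BODY))
    print(preview_from_bytes("text/html", None, OVERSIZED_BODY))
```

The streaming cap matters more than the Content-Length check: the header is attacker-controlled and optional, so a previewer that trusts it alone still ends up with the full-file behaviour the study describes. For a messenger that advertises end-to-end encryption the further design choice is where this code runs; if it runs on the client, the server never learns which links were shared, which is the property the study found Line giving up.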

Privacy

Bot Generated Fake Nudes of Over 100,000 Women Without Their Knowledge, Says Report (forbes.com) 57

An anonymous reader quotes a report from Forbes: Around 104,852 women had their photos uploaded to a bot, on the WhatsApp-like text messaging app Telegram, which were then used to generate computer-generated fake nudes of them without their knowledge or consent, researchers revealed on Tuesday. These so-called "deepfake" images were created by an ecosystem of bots on the messaging app Telegram that could generate fake nudes on request, according to a report released by Sensity, an intelligence firm that specializes in deepfakes.

The report found that users interacting with these bots were mainly creating fake nudes of women they know from images taken from social media, which is then shared and traded on other Telegram channels. The Telegram channels the researchers examined were made up of 101,080 members worldwide, with 70% coming from Russia and other eastern European countries. A small number of individuals targeted by the bot appear to be underage. According to the report, the bots received significant advertising on the Russian social media website VK. However, the Russian social platform's press team told Forbes that these communities or links were not promoted using VK's advertising tools, adding "VK doesn't tolerate such content or links... and blocks communities that distribute them."

Wikipedia

WHO To Grant Wikipedia Free Use of Its Published Material To Combat Covid Misinformation (nytimes.com) 51

As part of efforts to stop the spread of false information about the coronavirus pandemic, Wikipedia and the World Health Organization announced a collaboration on Thursday: The health agency will grant the online encyclopedia free use of its published information, graphics and videos. The collaboration is the first between Wikipedia and a health agency. From a report: "We all consult just a few apps in our daily life, and this puts W.H.O. content right there in your language, in your town, in a way that relates to your geography," said Andrew Pattison, a digital content manager for the health agency who helped negotiate the contract. "Getting good content out quickly disarms the misinformation." Since its start in 2001, Wikipedia has become one of the world's 10 most consulted sites; it is frequently viewed for health information. The agreement puts much of the W.H.O.'s material into the Wikimedia "commons," meaning it can be reproduced or retranslated anywhere, without the need to seek permission -- as long as the material is identified as coming from the W.H.O. and a link to the original is included.

"Equitable access to trusted health information is critical to keeping people safe and informed," said Tedros Adhanom Ghebreyesus, the W.H.O.'s director general. His agency translates its work into six official languages, which do not include, for example, Hindi, Bengali, German or Portuguese, so billions of people cannot read its documents in their native or even second language. Wikipedia articles, by contrast, are translated into about 175 languages. The first W.H.O. items used under the agreement are its "Mythbusters" infographics, which debunk more than two dozen false notions about Covid-19. Future additions could include, for example, treatment guidelines for doctors, said Ryan Merkley, chief of staff at the Wikimedia Foundation, which produces Wikipedia. If the arrangement works out, it could be extended to counter misinformation regarding AIDS, Ebola, influenza, polio and dozens of other diseases, Mr. Merkley said, "But this was something that just had to happen now." Eventually, live links will be established that would, for example, update global case and death numbers on Wikipedia as soon as the W.H.O. posts them, Mr. Pattison said.

Cellphones

Tesla Owner: I Butt-Dialed a $4,280 Autopilot Upgrade -- And They Haven't Refunded Me (cnbc.com) 104

CNBC reports: On September 24th, physician Dr. Ali Vaziri was unpleasantly surprised by a mobile alert from his bank, which said he had just purchased a $4,280 upgrade for his Tesla Model 3. The large transaction, he quickly surmised, was a "butt dial" or accidental purchase made through the Tesla app on his iPhone. "My phone was in my jeans," Vaziri told CNBC. "I took it out, put it on this charger that comes with your Tesla and that's it. A minute later? I got the text. I've never purchased anything through the Tesla app before...."

Moments after he received the mobile alert from his bank, Vaziri called his local Tesla store and service center. They couldn't help directly, but gave him the number for a customer service hotline. He called the number, and requested a refund. Instead of processing the doctor's refund request on the spot, the customer service rep told Vaziri to click on the refund button in his Tesla app to process his request. Vaziri informed them there was no such button in the Tesla app, just some text and a link to the refund policy. An e-mail he received from Tesla confirming the unauthorized purchase contained only vague information about a refund, and no buttons to click or links to a page where he could process a refund request either. The email, which Vaziri shared with CNBC, drove him to Tesla's support web site, which in turn told him to call his local service center.

To date, Vaziri says, Tesla customer service has not provided him with a refund, nor has the call center provided him with so much as a confirmation number or e-mail to acknowledge his calls about the refund. Instead, he processed a stop payment request through his credit card company.

Music

Google Introduces Song Matching via Humming, Whistling or Singing (techcrunch.com) 25

Google has added a new feature that lets you figure out what song is stuck in your head by humming, whistling or singing -- a much more useful version of the kind of song-matching audio feature that it and competitors like Apple's Shazam have offered previously. From a report: As of today, users will be able to open either the latest version of the mobile Google app, or the Google Search widget, and then tap the microphone icon, and either verbally ask to search a song or hit the 'Search a song' button and start making noises. The feature should be available to anyone using Google in English on iOS, or across over 20 languages already on Android, and the company says it will be growing that user group to more languages on both platforms in the future. Unsurprisingly, it's powered behind the scenes by machine learning algorithms developed by the company. Google says that its matching tech won't require you to be a Broadway star or even a choir member -- it has built-in abilities to accommodate various degrees of musical sensibility, and will provide a confidence score as a percentage alongside a number of possible matches. Clicking on any match will return more info about both artist and track, as well as music videos, and links that let you listen to the full song in the music app of your choice.

Twitter

Senate To Subpoena Twitter CEO Over Blocking of Disputed Biden Articles (wsj.com) 580

The Senate Judiciary Committee plans to issue a subpoena on Tuesday to Twitter Chief Executive Jack Dorsey after the social-media company blocked a pair of New York Post articles that made new allegations about Democratic presidential nominee Joe Biden, which his campaign has denied. From a report: The subpoena would require the Twitter executive to testify on Oct. 23 before the committee, according to the Republicans who announced the hearing. GOP lawmakers are singling out Twitter because it prevented users from posting links to the articles, which the Post said were based on email exchanges with Hunter Biden, the Democratic candidate's son, provided by allies of President Trump. Those people in turn said they received them from a computer-repair person who found them on a laptop, according to the Post.

"This is election interference, and we are 19 days out from an election," Sen. Ted Cruz (R., Texas), a committee member who discussed the subpoena with Senate Judiciary Committee Chairman Lindsey Graham (R., S.C.), told reporters. "Never before have we seen active censorship of a major press publication with serious allegations of corruption of one of the two candidates for president."

Security

Google and Intel Warn of High-Severity Bluetooth Security Bug In Linux (arstechnica.com) 41

An anonymous reader quotes a report from Ars Technica: Google and Intel are warning of a high-severity Bluetooth flaw in all but the most recent version of the Linux kernel. While a Google researcher said the bug allows seamless code execution by attackers within Bluetooth range, Intel is characterizing the flaw as providing an escalation of privileges or the disclosure of information. The flaw resides in BlueZ, the software stack that by default implements all Bluetooth core protocols and layers for Linux. Besides Linux laptops, it's used in many consumer or industrial Internet-of-Things devices. It works with Linux versions 2.4.6 and later. So far, little is known about BleedingTooth, the name given by Google engineer Andy Nguyen, who said that a blog post will be published "soon." A Twitter thread and a YouTube video provide the most detail and give the impression that the bug provides a reliable way for nearby attackers to execute malicious code of their choice on vulnerable Linux devices that use BlueZ for Bluetooth.

Intel, meanwhile, has issued this bare-bones advisory that categorizes the flaw as a privilege-escalation or information-disclosure vulnerability. The advisory assigned a severity score of 8.3 out of a possible 10 to CVE-2020-12351, one of three distinct bugs that comprise BleedingTooth. "Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure," the advisory states. "BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities." Intel, which is a primary contributor to the BlueZ open source project, said that the most effective way to patch the vulnerabilities is to update to Linux kernel version 5.9, which was published on Sunday. Those who can't upgrade to version 5.9 can install a series of kernel patches the advisory links to. Maintainers of BlueZ didn't immediately respond to emails asking for additional details about this vulnerability.

Ars Technica points out that since BleedingTooth requires proximity to a vulnerable device, there's not much reason for people to worry about this vulnerability. "It also requires highly specialized knowledge and works on only a tiny fraction of the world's Bluetooth devices," it adds.
