Microsoft

Microsoft Modifies Open-Source Code, Blows Hole In Windows Defender (theregister.co.uk)

An anonymous reader quotes a report from The Register: A remote-code execution vulnerability in Windows Defender -- a flaw that can be exploited by malicious .rar files to run malware on PCs -- has been traced back to an open-source archiving tool Microsoft adopted for its own use. The bug, CVE-2018-0986, was patched on Tuesday in the latest version of the Microsoft Malware Protection Engine (1.1.14700.5) in Windows Defender, Security Essentials, Exchange Server, Forefront Endpoint Protection, and Intune Endpoint Protection. This update should be installed, or may have been automatically installed already on your device. The vulnerability can be leveraged by an attacker to achieve remote code execution on a victim's machine simply by getting the mark to download -- via a webpage or email or similar -- a specially crafted .rar file while the anti-malware engine's scanning feature is on. In many cases, this analysis is set to happen automatically.

When the malware engine scans the malicious archive, it triggers a memory corruption bug that leads to the execution of evil code smuggled within the file with powerful LocalSystem rights, granting total control over the computer. The screwup was discovered and reported to Microsoft by legendary security researcher Halvar Flake, now working for Google. Flake was able to trace the vulnerability back to an older version of unrar, an open-source archiving utility used to unpack .rar archives. Apparently, Microsoft forked that version of unrar and incorporated the component into its operating system's antivirus engine. That forked code was then modified so that all signed integer variables were converted to unsigned variables, causing knock-on problems with mathematical comparisons. This in turn left the software vulnerable to memory corruption errors, which can crash the antivirus package or allow malicious code to potentially execute.
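The bug class the report describes, shown as an added example rather than as the unrar or Defender code itself: a bounds check that is sound when the arithmetic is signed, the same check after a mechanical int-to-unsigned rewrite (the `< 0` tests become dead and `size - start` wraps instead of going negative), and a hardened form that compares before subtracting. The block and header layout and all function names are invented for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration of the signed-vs-unsigned pitfall discussed above.
 * This is not unrar or Defender code; the block/header layout and the
 * function names are invented for the example.
 *
 * A block claims to start at `start` and run `len` bytes inside an
 * archive buffer of `size` bytes.  Each check returns 1 if in bounds. */

/* Signed version: a header with start > size makes `remaining`
 * negative, and `len <= remaining` is then false, so it is rejected. */
int block_ok_signed(int size, int start, int len)
{
    if (start < 0 || len < 0)
        return 0;
    int remaining = size - start;   /* may be negative; that is the guard */
    return len <= remaining;
}

/* The same logic after every int became unsigned: the `< 0` tests are
 * always false (and get dropped), and `size - start` wraps to a huge
 * value when start > size, so the comparison passes for a block that
 * lies entirely outside the buffer. */
int block_ok_unsigned(unsigned size, unsigned start, unsigned len)
{
    unsigned remaining = size - start;  /* wraps instead of going negative */
    return len <= remaining;
}

/* Hardened form: unsigned types are fine, but compare before subtracting
 * so that no intermediate value can wrap. */
int block_ok_hardened(size_t size, size_t start, size_t len)
{
    if (start > size)
        return 0;                       /* refuse before computing size - start */
    return len <= size - start;         /* cannot wrap now */
}

/* Copy a block out of an archive buffer using the hardened check.
 * Returns the number of bytes copied, or -1 if the header is bogus
 * or the caller's output buffer is too small. */
long extract_block(const uint8_t *archive, size_t size,
                   size_t start, size_t len,
                   uint8_t *out, size_t out_size)
{
    if (!block_ok_hardened(size, start, len) || len > out_size)
        return -1;
    memcpy(out, archive + start, len);
    return (long)len;
}
```

The point is not that unsigned is wrong: `block_ok_hardened` is all unsigned and safe. What breaks is a check written around the assumption that a difference can be negative; once that assumption is removed type-by-type without re-reading the comparison, the guard silently passes out-of-range offsets straight into a copy.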

Bitcoin

Hacker Uses Exploit To Generate Verge Cryptocurrency Out of Thin Air (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: An unknown attacker has exploited a bug in the Verge cryptocurrency network code to mine Verge coins at a very rapid pace and generate funds almost out of thin air. The Verge development team is preparing a hard-fork of the entire cryptocurrency code to fix the issue and revert the blockchain to a previous state before the attack to neutralize the hacker's gains. The attack took place yesterday, and initially users thought it was a "51% attack," an attack where a malicious actor takes control over more than half of the network nodes, giving himself the power to forge transactions. Nonetheless, users who later looked into the suspicious network activity eventually tracked down what happened, revealing that a mysterious attacker had mined Verge coins at a near impossible speed of 1,560 Verge coins (XVG) per second, the equivalent of $78/s. The malicious mining lasted only three hours, according to the Verge team. Users who tracked the illegally mined funds on the Verge blockchain said the hacker appears to have made around 15.6 million Verge coins, which is around $780,000.
The Internet

One of Estonia's First 'e-Residents' Explains What It Means To Have Digital Citizenship

An anonymous reader shares a report from Quartz, written by Estonian e-Resident April Rinne: In 2014, Estonia, a country previously known as much for its national singing revolution as anything else, became the first country in the world to launch an e-Residency program. Once admitted, e-Residents can conduct business worldwide as if they were from Estonia, which is a member of the EU. They are given government-issued digital IDs, can open Estonian bank and securities accounts, form and register Estonian companies, and have a front-row seat as nascent concepts of digital and virtual citizenship evolve. There is no requirement to have a physical presence in Estonia. [...] Three years in, what I find most incredible about e-Residency is that it actually works.

E-Residency was appealing to me for several reasons (none of which include dodging the law, taxes, or other civic responsibilities). I have Finnish heritage and for many years was intrigued by Finland's "smaller neighbor." And, I'd just joined an Estonian startup as an advisor. Becoming an e-Resident would allow me to receive payment from clients in Euros from any company without worrying about currency fluctuations, and to own shares in the company (previously this would have required various administrative work-arounds). [...] At a basic level, e-Residency makes working overall simpler and, ideally, more streamlined. This plays out in many ways, depending on the type of worker or organization. For example, many bona fide small- and mid-sized companies in other regions simply could not get access to European markets. The costs of entry and other requirements made it prohibitively cumbersome. E-Residency gives them a new avenue to do this; they still have to prove their merits, but the playing field is more level. For independent entrepreneurs, especially those working in different countries, Estonia makes the entire process of establishing and maintaining a small business easier, faster and more affordable. In my case, I'm able to transact, bank, and sign documents easily. I still maintain my U.S. presence -- because a non-trivial amount of my portfolio is in the U.S., and I maintain a range of local commitments and community -- but many of my fellow e-Residents have shifted their entire enterprise to Estonia.
In conclusion, Rinne notes the imperfections of the residency: "multiple times I had to disable firewalls to get digital services to work, and the e-Residency team discovered a potential bug in late 2017 which led them to deactivate all ID cards until they could be updated through the internet." All in all, the experience has been "useful beyond measure," Rinne writes. "It has enabled me to re-think not only how I work, but also the many ways in which the world of work itself is changing and emerging opportunities for the future."
Facebook

Facebook's Privacy Fixes Have Broken Tinder (theverge.com)

Since the recent Cambridge Analytica data privacy scandal, Facebook has been rolling out more security and data privacy updates. "Today, however, the company announced sweeping changes to many of its most prominent APIs, restricting developer access in a number of crucial ways," reports The Verge. "Soon after, Tinder users started noting on Twitter that they had been kicked off the dating app and couldn't log back on, as those who used Facebook Login were caught in an infinite loop that appears to be related to an unknown bug." From the report: The app has been bringing up an error message to booted users, titled Facebook Permissions, stating that users need to provide more Facebook permissions in order to create or use a Tinder account. If users tap "Ask me," which is the only given option, the app requests they log into Facebook once more and the loop starts again. Roderick Hsiao, a senior software engineer at Tinder, tweeted that users could still access the service through its web browser while engineers worked on fixing the mobile client.
Displays

Latest macOS Update Disables DisplayLink, Rendering Thousands of Monitors Dead (displaylink.com)

rh2600 writes: Four days ago, Apple's latest macOS 10.13.4 update broke DisplayLink protocol support (perhaps permanently), turning what may be hundreds of thousands of external monitors connected to MacBook Pros via DisplayLink into paperweights. Some days in, DisplayLink has yet to announce any solution, and most worryingly there are indications that this is a permanent change to macOS moving forward. Mac Rumors is reporting that "users of the popular Mac desktop extension app Duet Display are being advised not to update to macOS 10.13.4, due to 'critical bugs' that prevent the software from communicating with connected iOS devices used as extra displays." Users of other desktop extensions apps like Air Display and iDisplay are also reporting incompatibility with the latest version of macOS.
Bug

Facebook Blames a 'Bug' For Not Deleting Your Seemingly Deleted Videos (gizmodo.com)

Last week, The New York Magazine found that Facebook was archiving videos users thought were deleted. The social media company is now apologizing for failing to delete the videos, blaming it on a "bug." It adds that it's in the process of deleting the content now. Gizmodo reports: Last week, New York's Select All broke the story that the social network was keeping the seemingly deleted old videos. The continued existence of the draft videos was discovered when several users downloaded their personal Facebook archives -- and found numerous videos they never published. Today, Select All got a statement from Facebook blaming the whole thing on a "bug." From Facebook via New York: "We investigated a report that some people were seeing their old draft videos when they accessed their information from our Download Your Information tool. We discovered a bug that prevented draft videos from being deleted. We are deleting them and apologize for the inconvenience. We appreciate New York Magazine for bringing the issue to our attention."
Bug

Half of European Flights Delayed Due To System Failure (bbc.com)

An anonymous reader quotes a report from the BBC: The organization responsible for co-ordinating European air traffic says it has fixed an earlier fault which led to widespread flight delays. Eurocontrol earlier said that delays could affect up to half of all flights in Europe -- about 15,000 trips. It said the faulty system was restarted at 19:00 GMT, and normal operations had resumed. Tuesday's fault was only the second failure in 20 years, Eurocontrol said -- the last happened in 2001. The unspecified problem was with the Enhanced Tactical Flow Management System, which helps to manage air traffic by comparing demand and capacity of different air traffic control sectors. It manages up to 36,000 flights a day. Some 29,500 were scheduled on Tuesday when the fault occurred. When the system failed, Eurocontrol's contingency plan for a failure in the system deliberately reduced the capacity of the entire European network by 10%. It also added what it calls "predetermined departure intervals" at major airports.
Bug

Software Bug Behind Biggest Telephony Outage In US History (bleepingcomputer.com)

An anonymous reader writes: A software bug in a telecom provider's phone number blacklisting system caused the largest telephony outage in US history, according to a report released by the US Federal Communications Commission (FCC) at the start of the month. The telco is Level 3, now part of CenturyLink, and the outage took place on October 4, 2016.

According to the FCC's investigation, the outage began after a Level 3 employee entered phone numbers suspected of malicious activity in the company's network management software. The employee wanted to block incoming phone calls from these numbers and had entered each number in fields provided by the software's GUI. The problem arose when the Level 3 technician left a field empty, without entering a number. Unbeknownst to the employee, the buggy software didn't ignore the empty field, like most software does, but instead viewed the empty space as a "wildcard" character. As soon as the technician submitted his input, Level 3's network began blocking all incoming and outgoing telephone calls — over 111 million in total.
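The failure mode in the FCC report, shown as an added toy example that is not Level 3's software: a prefix-match blocklist where a blank entry becomes an accidental wildcard, because `strncmp()` with a length of `strlen("") == 0` compares nothing and reports a match for every number. Beside it is a hardened list that validates each entry and applies a change set atomically, so one blank form field cannot go live. The names, limits and the sample phone numbers are invented for the illustration.

```c
#include <ctype.h>
#include <string.h>

/* Added illustration of the empty-field-as-wildcard bug described above.
 * This is a toy model written for this page, not Level 3's software;
 * the names and the phone numbers used in tests are invented. */

#define MAX_ENTRIES 16
#define MAX_DIGITS  15

/* Buggy matcher: a call is blocked if the calling number starts with any
 * configured prefix.  For an empty entry strlen() is 0, strncmp() compares
 * zero characters and returns 0, so every number "matches". */
int naive_should_block(const char *entries[], int n, const char *number)
{
    for (int i = 0; i < n; i++) {
        if (strncmp(number, entries[i], strlen(entries[i])) == 0)
            return 1;
    }
    return 0;
}

/* Hardened list: every entry is validated before it can take effect. */
struct blocklist {
    char prefix[MAX_ENTRIES][MAX_DIGITS + 2]; /* optional '+', digits, NUL */
    int  count;
};

/* Accept only an optional '+' followed by 3..15 digits.  Blank strings,
 * whitespace, letters and over-long input are all rejected. */
int valid_prefix(const char *s)
{
    size_t digits = 0;
    if (*s == '+')
        s++;
    for (; *s; s++) {
        if (!isdigit((unsigned char)*s))
            return 0;
        digits++;
    }
    return digits >= 3 && digits <= MAX_DIGITS;
}

/* Add one entry; returns 0 on success, -1 if rejected or the list is full. */
int blocklist_add(struct blocklist *bl, const char *entry)
{
    if (bl->count >= MAX_ENTRIES || !valid_prefix(entry))
        return -1;
    strcpy(bl->prefix[bl->count++], entry);   /* length bounded by valid_prefix */
    return 0;
}

/* Load a whole change set atomically: if any field is invalid, nothing
 * from the batch is applied and the existing list is left untouched. */
int blocklist_load(struct blocklist *bl, const char *entries[], int n)
{
    struct blocklist tmp = {0};
    for (int i = 0; i < n; i++) {
        if (blocklist_add(&tmp, entries[i]) != 0)
            return -1;
    }
    *bl = tmp;
    return 0;
}

int blocklist_should_block(const struct blocklist *bl, const char *number)
{
    for (int i = 0; i < bl->count; i++) {
        if (strncmp(number, bl->prefix[i], strlen(bl->prefix[i])) == 0)
            return 1;
    }
    return 0;
}
```

The operational lesson is the same one the report draws: a blocking rule should fail closed on malformed input, and a change that would affect every call on the network is exactly the kind of edit that deserves an all-or-nothing validation step before it reaches the routing plane.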

Programming

Ask Slashdot: Are 'Full Stack' Developers a Thing?

"It seems that nearly every job posting for a software developer these days requires someone who can do it all," complains Slashdot reader datavirtue, noting a main focus on finding someone to do "front end work and back end work and database work and message queue work...." I have been in a relatively small shop that for years has always had a few guys focused on the UI. The rest of us might have to do something on the front-end but are mostly engaged in more complex "back-end" development or MQ and database architecture. I have been keeping my eye on the market, and the laser focus on full stack developers is a real turn-off.

When was the last time you had an outage because the UI didn't work right? I can't count the number of outages resulting from inexperienced developers introducing a bug in the business logic or middle tier. Am I correct in assuming that the shops that are always looking for full stack developers just aren't grown up yet?

sjames (Slashdot reader #1,099) responded that "They are a thing, but in order to have comprehensive experience in everything involved, the developer will almost certainly be older than HR departments in 'the valley' like to hire."

And Dave Ostrander argues that "In the last 10 years front end software development has gotten really complex. Gulp, Grunt, Sass, 35+ different mobile device screen sizes and 15 major browsers to code for, has made the front end skillset very valuable." The original submitter argues that front-end development "is a much simpler domain," leading to its own discussion.

Share your own thoughts in the comments. Are "full-stack" developers a thing?
Microsoft

Microsoft Issues Out-Of-Band Security Update To Patch a Meltdown Patch It Released Earlier This Year (bleepingcomputer.com)

On Friday, Microsoft issued an out-of-band security update for 64-bit versions of Windows 7 and Windows Server 2008 R2. From a report: The security update -- KB4100480 -- addresses a security bug discovered by a Swedish security expert earlier this week. The bug was caused by a patch meant to fix the Meltdown vulnerability that accidentally left kernel memory wide open. According to Ulf Frisk, Microsoft's January 2018 Meltdown patch (for CVE-2017-5754) allowed any app to extract or write content from/to the kernel memory. This all happened because the Meltdown patch accidentally flipped a bit that controlled access permissions to kernel memory. Frisk said that the March Patch Tuesday appears to have "fixed" the issue, as he was not able to interact with kernel memory.
Security

Update Drupal ASAP: Over a Million Sites Can Be Easily Hacked by Any Visitor (zdnet.com)

Developers of popular open-source CMS Drupal are warning admins to immediately patch a flaw that an attacker can exploit just by visiting a vulnerable site. From a report: The bug affects all sites running on Drupal 8, Drupal 7, and Drupal 6. Drupal's project usage page indicates that about a million sites are running the affected versions. Admins are being urged to immediately update to Drupal 7.58 or Drupal 8.5.1. Drupal issued an alert for the patch last week warning admins to allocate time for patching because exploits might arrive "within hours or days" of its security release. So far, there haven't been any attacks using the flaw, according to Drupal. The bug, which is being called Drupalgeddon2, has been assigned the official identifier CVE-2018-7600. Drupal has given it a 'highly critical' rating with a risk score of 21 out of 25 under the NIST Common Misuse Scoring System. Further reading: Drupal Fixes Drupalgeddon2 Security Flaw That Allows Hackers to Take Over Sites (BleepingComputer). Commenting on the security advisory that Drupal issued last week, BleepingComputer's Catalin Cimpanu said, "In the 9 years I've been around Drupal, I've never seen them publish such an apocalyptic security advisory."
Microsoft

Microsoft's Windows 7 Meltdown Fixes From January and February Made PCs More Insecure (theregister.co.uk)

Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes. From a report: This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system. We're told Redmond's early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system's memory map, gain administrator-level privileges, and extract and modify any information in RAM. The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.
Privacy

Many VPN Providers Leak Customer's IP Address via WebRTC Bug (bleepingcomputer.com)

An anonymous reader shares a report: Around 20% of today's top VPN solutions are leaking the customer's IP address via a WebRTC bug known since January 2015, and which apparently some VPN providers have never heard of. The discovery belongs to Paolo Stagno, a security researcher who goes by the pseudonym of VoidSec, and who recently audited 83 VPN apps for this old WebRTC IP leak. Stagno says he found that 17 VPN clients were leaking the user's IP address while surfing the web via a browser. The researcher published his results in a Google Docs spreadsheet. The audit list is incomplete because Stagno didn't have the financial resources to test all commercial VPN clients.
Security

macOS High Sierra Logs Encryption Passwords in Plaintext for APFS External Drives (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: macOS High Sierra users are once again impacted by a major APFS bug after two other major vulnerabilities affected Apple's new filesystem format in the last five months. This time around, according to a report from Mac forensics expert Sarah Edwards, recent versions of macOS High Sierra are logging encryption passwords for APFS-formatted external drives in plaintext, and storing this information in non-volatile (on-disk) log files.

The issue, if exploited, could allow an attacker easy access to the encryption password of encrypted APFS external volumes, such as USB thumb drives, portable hard drives, and other external storage mediums. This bug goes against all well-established Apple development and security rules, according to which apps and utilities should use the Keychain app to store valuable information, and should definitely avoid storing passwords in cleartext.
Software

Software Glitch Robs Formula 1 World Champ of Season's First Win (theregister.co.uk)

Formula One world champion Lewis Hamilton was left fuming after a software glitch denied him an easy win in the first race of the 2018 season on Sunday. From a report: Hamilton held a comfortable lead in Australia's Melbourne grand prix from the start. After pitting for fresh rubber ahead of the Ferraris of Kimi Raikkonen and Sebastian Vettel, Hamilton looked set for an easy win. Then both of the American Haas team's cars had to be taken off the circuit after their wheel nuts became loose. That triggered a virtual safety car (VSC). The VSC is a fairly new concept: while active, the drivers have to slow down, they cannot overtake, and they must not go below minimum times for each circuit sector. Failure to follow the rules will result in penalties. This is all done to preserve the race state while giving safety marshals time to clear debris or vehicles off the track.

While the VSC was active on Sunday, second-placed Vettel ducked into the pit lane, where the virtual car's speed rules did not apply, picked up fresh tires, and emerged ahead of Hamilton to take first place. Vettel was able to do this because Hamilton's car software miscalculated the minimum sector time according to the VSC rules, causing the Brit to slow down more than was necessary. The code thought Vettel would spend 15 seconds in the pits; the Ferrari driver and his team took just 11 seconds.

Facebook

Are Google and Facebook Surveilling Their Own Employees? (theguardian.com)

The Guardian just ran an article titled " 'They'll squash you like a bug': how Silicon Valley keeps a lid on leakers," which begins with the story of an employee confronted by Facebook's secretive "rat-catching" team: They had records of a screenshot he'd taken, links he had clicked or hovered over, and they strongly indicated they had accessed chats between him and the journalist, dating back to before he joined the company. "It's horrifying how much they know," he told the Guardian, on the condition of anonymity... "You get on their bad side and all of a sudden you are face to face with Mark Zuckerberg's secret police"... One European Facebook content moderator signed a contract, seen by the Guardian, which granted the company the right to monitor and record his social media activities, including his personal Facebook account, as well as emails, phone calls and internet use. He also agreed to random personal searches of his belongings including bags, briefcases and car while on company premises. Refusal to allow such searches would be treated as gross misconduct...

Some employees switch their phones off or hide them out of fear that their location is being tracked. One current Facebook employee who recently spoke to Wired asked the reporter to turn off his phone so the company would have a harder time tracking if it had been near the phones of anyone from Facebook. Two security researchers confirmed that this would be technically simple for Facebook to do if both people had the Facebook app on their phone and location services switched on. Even if location services aren't switched on, Facebook can infer someone's location from wifi access points.

The article cites a 2012 report that Microsoft read a French blogger's Hotmail account to identify a former employee who had leaked trade secrets. And it also reports that tech companies hire external agencies to surveil their employees. "One such firm, Pinkerton, counts Google and Facebook among its clients." Though Facebook and Google both deny this, "Among other services, Pinkerton offers to send investigators to coffee shops or restaurants near a company's campus to eavesdrop on employees' conversations...

Al Gidari, consulting director of privacy at the Stanford Center for Internet and Society, says that these tools "are common, widespread, intrusive and legal."
Bug

Apple's Newest iPhone X Ad Captures an Embarrassing iOS 11 Bug (theverge.com)

Tom Warren, writing for The Verge: If you blink during Apple's latest iPhone ad, you might miss a weird little animation bug. It's right at the end of a slickly produced commercial, where the text from an iMessage escapes the animated bubble it's supposed to stay inside. It's a minor issue and easy to brush off, but the fact it's captured in such a high profile ad just further highlights Apple's many bugs in iOS 11. 9to5Mac writer Benjamin Mayo spotted the bug in Apple's latest ad, and he's clearly surprised "that this was signed off for the commercial," especially as he highlighted it months ago and has filed a bug report with Apple.
Businesses

'They'll Squash You Like a Bug': How Silicon Valley Keeps a Lid on Leakers (theguardian.com)

The public image of Silicon Valley's tech giants is all colourful bicycles, ping-pong tables, beanbags and free food, but behind the cartoonish facade is a ruthless code of secrecy. From a report: They rely on a combination of Kool-Aid, digital and physical surveillance, legal threats and restricted stock units to prevent and detect intellectual property theft and other criminal activity. However, those same tools are also used to catch employees and contractors who talk publicly, even if it's about their working conditions, misconduct or cultural challenges within the company. While Apple's culture of secrecy, which includes making employees sign project-specific NDAs and covering unlaunched products with black cloths, has been widely reported, companies such as Google and Facebook have long put the emphasis on internal transparency.

Zuckerberg hosts weekly meetings where he shares details of unreleased new products and strategies in front of thousands of employees. Even junior staff members and contractors can see what other teams are working on by looking at one of many of the groups on the company's internal version of Facebook. "When you first get to Facebook you are shocked at the level of transparency. You are trusted with a lot of stuff you don't need access to," said Evans, adding that during his induction he was warned not to look at ex-partners' Facebook accounts.

Security

Microsoft Launches Bounty Program For Speculative Execution Side Channel Vulnerabilities (betanews.com)

An anonymous reader shares a report: Microsoft has launched a bug bounty program that will reward anyone who finds the next Meltdown or Spectre vulnerability. Known as speculative execution side channel vulnerabilities, Microsoft is willing to reward anyone who reports bugs that could cause problems like those seen earlier in the year. The rewards on offer range from $5,000 up to $250,000 depending on the severity of the vulnerability, and the bounty program runs until the end of 2018. Microsoft says that it will operate under the principles of coordinated vulnerability disclosure.
Bug

Planting GMOs Kills So Many Bugs That It Helps Non-GMO Crops (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: One of the great purported boons of GMOs is that they allow farmers to use fewer pesticides, some of which are known to be harmful to humans or other species. Bt corn, cotton, and soybeans have been engineered to express insect-killing proteins from the bacterium Bacillus thuringiensis, and they have indeed been successful at controlling the crops' respective pests. They even protect the non-Bt versions of the same crop that must be planted in adjacent fields to help limit the evolution of Bt resistance. But new work shows that Bt corn also controls pests in other types of crops planted nearby, specifically vegetables. In doing so, it cuts down on the use of pesticides on these crops, as well.

Entomologists and ecologists compared crop damage and insecticide use in four agricultural mid-Atlantic states: New Jersey, Delaware, Maryland, and Virginia. Their data came from the years before Bt corn was widespread (1976-1996) and continued after it was adopted (1996-2016). They also looked at the levels of the pests themselves: two different species of moths, commonly known as the European corn borer and corn earworm. They were named as scourges of corn, but their larvae eat a number of different crops, including peppers and green beans. After Bt corn was planted in 1996, the number of moths captured for analysis every night in vegetable fields dropped by 75 percent. The drop was a function of the percentage of Bt corn planted in the area and occurred even though moth populations usually go up with temperature. So the Bt corn more than counteracted the effect of the rising temperatures we've experienced over the quarter century covered by the study.
