Shortly after the premium email service Hey announced a standalone Hey Calendar app, co-founder David Heinemeier Hansson said it was rejected by Apple for violating App Store rules.

"Apple just called to let us know they're rejecting the HEY Calendar app from the App Store (in current form)," wrote DHH on X. "Same bullying tactics as last time: Push delicate rejections to a call with a first-name-only person who'll softly inform you it's your wallet or your kneecaps. Since it's clear we're never going to pay them the extortionate 30% ransom, they're back to the bullshit about 'the app doesn't do anything when you download it.' Despite the fact that after last time, they specifically carved out HEY in App Store Review Guidelines 3.1.3 (f)!" The Verge's Amrita Khalid reports: New users can't sign up for Hey Calendar directly on the app -- Basecamp, which makes Hey, makes users first sign up through a browser. Apple's App Store rules require most paid services to offer users the ability to pay and sign up through the app, ensuring the company gets up to a 30 percent cut. The controversial rule has a ton of gray areas and carve-outs (i.e. reader apps like Spotify and Kindle get an exception) and is the subject of antitrust fights in multiple countries. But as Hansson detailed on X and in a subsequent blog post, he found Apple's rejection insulting for another reason. Close to four years ago, the company rejected Hey's original iOS app for its email service for the exact same reason.

The outcome of the 2020 fight actually worked out in Hey's favor. After days of back and forth between Apple's App Store Review Board and Basecamp, the Hey team agreed to a rather creative solution suggested by Apple exec Phil Schiller. Hey would offer a free option for the iOS app, allowing new users to sign up directly. But the company had a slight twist -- users who signed up via the iOS app got a free, temporary randomized email address that worked for 14 days -- after which they had to pay to upgrade. Currently, Hey email users can only pay for an account through the browser. Following the saga with Hey, Apple made a carve-out to its App Store rules that stated that free companion apps to certain types of paid web services were not required to have an in-app payment mechanism. But, as Hansson mentions on X, a calendar app wasn't mentioned in the list of services that Apple now makes an exception for, which includes VOIP, cloud storage, web hosting -- and of course -- email. Hansson plans to fight Apple's decision without elaborating on exactly how he intends to do so.

Generative AI models like Google Bard and GitHub Copilot are increasingly being used in various industries, but users often overlook their limitations, leading to serious errors and inefficiencies. Daniel Stenberg of curl and libcurl highlights a specific problem of AI-generated security reports: when reports are made to look better and to appear to have a point, it takes a longer time to research and eventually discard it. "Every security report has to have a human spend time to look at it and assess what it means," adds Stenberg. "The better the crap, the longer time and the more energy we have to spend on the report until we close it." The Register reports: The curl project offers a bug bounty to security researchers who find and report legitimate vulnerabilities. According to Stenberg, the program has paid out over $70,000 in rewards to date. Of 415 vulnerability reports received, 64 have been confirmed as security flaws and 77 have been deemed informative -- bugs without obvious security implications. So about 66 percent of the reports have been invalid. The issue for Stenberg is that these reports still need to be investigated and that takes developer time. And while those submitting bug reports have begun using AI tools to accelerate the process of finding supposed bugs and writing up reports, those reviewing bug reports still rely on human review. The result of this asymmetry is more plausible-sounding reports, because chatbot models can produce detailed, readable text without regard to accuracy.

As Stenberg puts it, AI produces better crap. "A crap report does not help the project at all. It instead takes away developer time and energy from something productive. Partly because security work is considered one of the most important areas so it tends to trump almost everything else." As examples, he cites two reports submitted to HackerOne, a vulnerability reporting community. One claimed to describe Curl CVE-2023-38545 prior to actual disclosure. But Stenberg had to post to the forum to make clear that the bug report was bogus. He said that the report, produced with the help of Google Bard, "reeks of typical AI style hallucinations: it mixes and matches facts and details from old security issues, creating and making up something new that has no connection with reality." [...]

Stenberg readily acknowledges that AI assistance can be genuinely helpful. But he argues that having a human in the loop makes the use and outcome of AI tools much better. Even so, he expects the ease and utility of these tools, coupled with the financial incentive of bug bounties, will lead to more shoddy LLM-generated security reports, to the detriment of those on the receiving end.

Longtime Slashdot reader UnknowingFool writes: Microsoft has released a new software tool to remove printer software from HP that was installed without user permission or system need. A few weeks ago, users noticed that Windows Update installed HP printer software even if they did not have HP printers or printers at all. Affecting Windows 10 and 11, consumers reported that this update sometimes caused problems as it could rename their non-HP printers as HP printers causing some printing features to be inaccessible. Microsoft has not disclosed the root cause of the issue. The fix released by Microsoft requires users to download and run a dedicated troubleshooting tool available from Microsoft's support site. "There are four different versions of the troubleshooter, depending on whether you have the 32- or 64-bit version of an Arm or x86 version of Windows," notes Ars Technica. "Microsoft will also release an additional recommended troubleshooting tool 'in the coming weeks' that will fix the problem in Windows 11 upon a user's request without requiring the download of a separate tool."

He specified the JSON notation, and developed tools like JSLint and the minifier JSMin. His Wikipedia entry says he was also a senior JavaScript architect at PayPal — but he's probably better known for writing O'Reilly's book JavaScript: the Good Parts.

But Doug Crockford has a new challenge. O'Reilly's monthly tech newsletter says Crockford "has created a new programming language called Misty. It is designed to be used both by students and professional programmers."

The language's official site calls it "a dynamic, general-purpose, transitional, actor language. It has a gentle syntax that is intended to benefit students, as well as advanced features such as capability security and lambdas with lexical scoping..." The language is quite strict in its use of spaces and indentation. In most programming languages, code spacing and formatting are underspecified, which leads to many incompatible conventions of style, some promoting bug formation, and all promoting time-wasting arguments, incompatibilities, and hurt feelings. Misty instead allows only one convention which is strictly enforced. This liberates programmers to focus their attention on more important matters.

Indentation is in increments of 4 spaces. The McKeeman Form is extended by three special rules to make this possible:


indentation
The spaces required by the current nesting.

increase_indentation
Append four spaces to the indentation.

decrease_indentation
Remove four spaces from the indentation.


The indentation is the number of spaces required at the beginning of a line as determined by its nesting level.


indent
increase_indentation linebreak

outdent
decrease_indentation linebreak


The linebreak rule allows the insertion of a comment, ends the line, and checks the indentation of the next line. Multiple comments and blank lines may appear wherever a line can end.

An anonymous reader quotes a report from The Register: Two years after the Log4Shell vulnerability in the open source Java-based Log4j logging utility was disclosed, circa one in four applications are dependent on outdated libraries, leaving them open to exploitation. Research from security shop Veracode revealed that the vast majority of vulnerable apps may never have updated the Log4j library after it was implemented by developers as 32 percent were running pre-2015 EOL versions. Prior investigations from Veracode also showed that 79 percent of all developers never update third-party libraries after first introducing them into projects, and given that Log4j2 -- the specific version of Log4j affected by the vulnerability -- dates back to 2014, this could explain the large proportion of unpatched apps.

A far smaller minority are running versions that were vulnerable at the time of the Log4j vulnerability's disclosure in December 2021. Only 2.8 percent are still using versions 2.0-beta9 through 2.15.0 -- post-EOL versions that remain exposed to Log4Shell, the industry-coined moniker of the vulnerability's exploit. Some 3.8 percent are still running version 2.17, a post-patch version of the Java logger that's not exposed to Log4Shell attacks, but is vulnerable to a separate remote code execution (RCE) bug (CVE-2021-44832).

The researchers believe this illustrates a minority of developers that acted quickly when the vulnerability was first disclosed, as was the advice at the time, had returned to older habits of leaving libraries untouched. Altogether, just shy of 35 percent remain vulnerable to Log4Shell, and nearly 40 percent are vulnerable to RCE flaws. The EOL versions of Log4j are also vulnerable to three additional critical bugs announced by Apache, bringing the total to seven high and critical-rated issues. "At a surface level, the numbers above show that the massive effort to remediate the Log4Shell vulnerability was effective in mitigating risk of exploitation of the zero-day vulnerability. That should not be surprising," said Chris Eng, chief research officer at Veracode.

"The bigger story at the two-year anniversary, however, is that there is still room for improvement when it comes to open source software security. If Log4Shell was another example in a long series of wake-up calls to adopt more stringent open source security practices, the fact that more than one in three applications currently run vulnerable versions of Log4j shows there is more work to do.

"The major takeaway here is that organizations may not be aware of how much open source security risk they are exposed to and how to mitigate it."

"Researchers have identified a large number of bugs to do with the processing of images at boot time," writes longtime Slashdot reader jd. "This allows malicious code to be installed undetectably (since the image doesn't have to pass any validation checks) by appending it to the image. None of the current secure boot mechanisms are capable of blocking the attack." Ars Technica reports: LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux. The vulnerabilities are the product of almost a year's worth of work by Binarly, a firm that helps customers identify and secure vulnerable firmware. The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday. The participating companies comprise nearly the entirety of the x64 and ARM CPU ecosystem, starting with UEFI suppliers AMI, Insyde, and Phoenix (sometimes still called IBVs or independent BIOS vendors); device manufacturers such as Lenovo, Dell, and HP; and the makers of the CPUs that go inside the devices, usually Intel, AMD or designers of ARM CPUs. The researchers unveiled the attack on Wednesday at the Black Hat Security Conference in London.

As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment. "Once arbitrary code execution is achieved during the DXE phase, it's game over for platform security," researchers from Binarly, the security firm that discovered the vulnerabilities, wrote in a whitepaper. "From this stage, we have full control over the memory and the disk of the target device, thus including the operating system that will be started." From there, LogoFAIL can deliver a second-stage payload that drops an executable onto the hard drive before the main OS has even started. The following video demonstrates a proof-of-concept exploit created by the researchers. The infected device -- a Gen 2 Lenovo ThinkCentre M70s running an 11th-Gen Intel Core with a UEFI released in June -- runs standard firmware defenses, including Secure Boot and Intel Boot Guard. LogoFAIL vulnerabilities are tracked under the following designations: CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, and CVE-2023-40238. However, this list is currently incomplete.

"A non-exhaustive list of companies releasing advisories includes AMI (PDF), Insyde, Phoenix, and Lenovo," reports Ars. "People who want to know if a specific device is vulnerable should check with the manufacturer."

"The best way to prevent LogoFAIL attacks is to install the UEFI security updates that are being released as part of Wednesday's coordinated disclosure process. Those patches will be distributed by the manufacturer of the device or the motherboard running inside the device. It's also a good idea, when possible, to configure UEFIs to use multiple layers of defenses. Besides Secure Boot, this includes both Intel Boot Guard and, when available, Intel BIOS Guard. There are similar additional defenses available for devices running AMD or ARM CPUs."

An anonymous reader quotes a report from Ars Technica: In an editorial for Slate published Monday, renowned security researcher Bruce Schneier warned that AI models may enable a new era of mass spying, allowing companies and governments to automate the process of analyzing and summarizing large volumes of conversation data, fundamentally lowering barriers to spying activities that currently require human labor. In the piece, Schneier notes that the existing landscape of electronic surveillance has already transformed the modern era, becoming the business model of the Internet, where our digital footprints are constantly tracked and analyzed for commercial reasons.

Spying, by contrast, can take that kind of economically inspired monitoring to a completely new level: "Spying and surveillance are different but related things," Schneier writes. "If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did." Schneier says that current spying methods, like phone tapping or physical surveillance, are labor-intensive, but the advent of AI significantly reduces this constraint. Generative AI systems are increasingly adept at summarizing lengthy conversations and sifting through massive datasets to organize and extract relevant information. This capability, he argues, will not only make spying more accessible but also more comprehensive. "This spying is not limited to conversations on our phones or computers," Schneier writes. "Just as cameras everywhere fueled mass surveillance, microphones everywhere will fuel mass spying. Siri and Alexa and 'Hey, Google' are already always listening; the conversations just aren't being saved yet." [...]

In his editorial, Schneier raises concerns about the chilling effect that mass spying could have on society, cautioning that the knowledge of being under constant surveillance may lead individuals to alter their behavior, engage in self-censorship, and conform to perceived norms, ultimately stifling free expression and personal privacy. So what can people do about it? Anyone seeking protection from this type of mass spying will likely need to look toward government regulation to keep it in check since commercial pressures often trump technological safety and ethics. [...] Schneier isn't optimistic on that front, however, closing with the line, "We could prohibit mass spying. We could pass strong data-privacy rules. But we haven't done anything to limit mass surveillance. Why would spying be any different?" It's a thought-provoking piece, and you can read the entire thing on Slate.

An anonymous reader quotes a report from Wired: One of the world's most peculiar test beds stretches above Princeton, New Jersey. It's a fiber optic cable strung between three utility poles that then runs underground before feeding into an "interrogator." This device fires a laser through the cable and analyzes the light that bounces back. It can pick up tiny perturbations in that light caused by seismic activity or even loud sounds, like from a passing ambulance. It's a newfangled technique known as distributed acoustic sensing, or DAS. Because DAS can track seismicity, other scientists are increasingly using it to monitor earthquakes and volcanic activity. (A buried system is so sensitive, in fact, that it can detect people walking and driving above.) But the scientists in Princeton just stumbled upon a rather noisier use of the technology.

In the spring of 2021, Sarper Ozharar -- a physicist at NEC Laboratories, which operates the Princeton test bed -- noticed a strange signal in the DAS data. "We realized there were some weird things happening," says Ozharar. "Something that shouldn't be there. There was a distinct frequency buzzing everywhere." The team suspected the "something" wasn't a rumbling volcano -- not inNew Jersey -- but the cacophony of the giant swarm of cicadas that had just emerged from underground, a population known as Brood X. A colleague suggested reaching out to Jessica Ware, an entomologist and cicada expert at the American Museum of Natural History, to confirm it. "I had been observing the cicadas and had gone around Princeton because we were collecting them for biological samples," says Ware. "So when Sarper and the team showed that you could actually hear the volume of the cicadas, and it kind of matched their patterns, I was really excited."

Add insects to the quickly growing list of things DAS can spy on. Thanks to some specialized anatomy, cicadas are the loudest insects on the planet, but all sorts of other six-legged species make a lot of noise, like crickets and grasshoppers. With fiber optic cables, entomologists might have stumbled upon a powerful new way to cheaply and constantly listen in on species -- from afar. "Part of the challenge that we face in a time when there's insect decline is that we still need to collect data about what population sizes are, and what insects are where," says Ware. "Once we are able to familiarize ourselves with what's possible with this type of remote sensing, I think we can be really creative."

An anonymous reader quotes a report from XDA Developers: A few days ago, we spotted that the HP Smart App was being installed on people's PCs without their consent. Even worse, the app would reappear if users tried to uninstall it or clean-installed Windows. Now, the cause has finally been identified: a recent Windows 10 and 11 update is renaming everyone's printers to "HP LaserJet M101-M106" regardless of what model it actually is. As reported on Windows Latest, the latest update for Windows 10 and 11 seems to think that people's printers are an HP LaserJet model, regardless of their actual brand. It's believed that the bug appeared after HP pushed its latest metadata to Windows Update, but something went awry in the code and caused other printers to be labeled as HP LaserJet printers.

This explains why the HP Smart App has been sneaking onto people's computers without their consent. A key part of Windows Update is keeping third-party drivers and devices updated, including downloading any apps that the devices depend on. After the printer metadata incorrectly identified everyone's printers as HP LaserJet printers, Windows installed all the software needed for an HP printer to work smoothly, including the HP Smart App. Fortunately, the bug only affects the metadata for the printer. While the printer may show up with a different name on your system, you should still be able to send print jobs to it. Microsoft has since removed the fault metadata from Windows Update, so anyone performing a clean install from now on should get their original printer's name back and stop the HP Smart App from re-downloading. Further reading: HP Exec Says Quiet Part Out Loud When It Comes To Locking in Print Customers

The free open-source text editor Notepad++ is celebrating its 20th anniversary, the blog OMG! Ubuntu reported this week, "with a new release filled with some neat new features." In Notepad++ 8.6 (the 238th release since 2003, for those keeping count) the Windows-based code tool [which can also be used on Linux] adds to its extensive feature set with an improved multi-edit feature.

A few 3rd-party Notepad++ plugins have offered similar functionality for a while, including BetterMultiSelection. And a bug report requesting to ability to "transform the column mode to multi-caret on HOME/END/Arrow keys" led to this native addition.
Their blog post includes an animated GIF of Notepad++ multi-edit in action.

"You can install Notepad++ on Ubuntu straight from the Ubuntu Software/App Center app (it's a Snap Store). Alternatively, install the Windows build via WINE/CrossOver or, if you got the l33t skillz, build it by hand, from source."

A pull request has been merged to fix a data corruption issue in OpenZFS (the open-source implementation of the ZFS file system and volume manager). "OpenZFS 2.2.2 and 2.1.14 released with fix in place," reports a Thursday comment on GitHub.

Earlier this week, jd (Slashdot reader #1,658) wrote: All versions of OpenZFS 2.2 suffer from a defect that can corrupt the data. Attempts to mitigate the bug have reduced the likelihood of it occurring, but so far nobody has been able to pinpoint what is going wrong or why.

Phoronix reported on Monday: Over the US holiday weekend it became more clear that this OpenZFS data corruption bug isn't isolated to just the v2.2 release — older versions are also susceptible — and that v2.2.1 is still prone to possible data corruption. The good news at least is that data corruption in real-world scenarios is believed to be limited but with some scripting help the corruption can be reproduced. It's also now believed that the OpenZFS 2.2 block cloning feature just makes encountering the problem more likely.

Computer science teachers around the globe have been left scrambling to find an alternative IDE for their students, after Replit announced it was shuttering its Teams for Education plan. From a report: "To focus on improving the Replit experience for all users, we have made the difficult decision to deprecate Teams for Edu ... Teams for Edu will no longer receive new features or bug fixes, and we will suspend the creation of new Teams and Orgs," a statement from Replit, shared with educators and brought to our attention on Monday by Reg readers, declared last week. The platform provided a collaborative integrated development environment (IDE) tailored toward classrooms. It allowed students to work together on projects at the same time, similar to Google Docs, as well as automating code evaluation to streamline assessments carried out by teachers.

The decision has sparked frustration among many educators who'd invested heavily in the platform since Replit made the plan available for free in early 2022. "Computer science teachers in the last 48 hours have had to scramble to try to find alternatives as soon as possible and it will be the students that suffer," a teacher based in Asia-Pacific told The Register. "Replit was the only organization we are aware of providing online coding with instant assessment and so it was a hugely popular choice with computer science teachers." In a Xeet last week, CEO Amjad Masad acknowledged the pain the decision to shut down Teams for Education was likely to cause, but said the current system had become economically nonviable.

An anonymous reader quotes a report from Ars Technica: This Sunday, November 19, makes a full 25 years since the original Half-Life first hit (pre-Steam) store shelves. To celebrate the anniversary, Valve has uploaded a feature-packed "25th anniversary update" to the game on Steam, and made the title free to keep if you pick it up this weekend. Valve's 25th Anniversary Update page details a bevy of new and modernized features added to the classic first-person shooter, including:

- Four new multiplayer maps that "push the limits of what's possible in the Half-Life engine"
- New graphics settings, including support for a widescreen field-of-view on modern monitors and OpenGL Overbright lighting (still no official ray-tracing support, though-leave that to the modders)
- "Proper gamepad config out of the box" (so dust off that Gravis Gamepad Pro)
- Steam networking support for easier multiplayer setup
- "Verified" support for Steam Deck play ("We failed super hard" on the first verification attempt, Valve writes)
- Proper UI scaling for resolutions up to 3840x1600
- Multiplayer balancing updates (because 25 years hasn't been enough to perfect the meta)
- New entity limits that allow mod makers to build more complex mods
- A full software renderer for the Linux version of the game
- Various bug fixes
- "Removed the now very unnecessary 'Low video quality. Helps with slower video cards' setting"

In addition, the new update includes a host of restored and rarely seen content, including:

- Three multiplayer maps from the "Half-Life: Further Data" CD-ROM: Double Cross, Rust Mill, and Xen DM
- Four restored multiplayer models: Ivan the Space Biker, Proto-Barney (from the alpha build), a skeleton, and Too Much Coffee Man (from "Further Data")
- Dozens of "Further Data" sprays to tag in your multiplayer matches
- The original Half-Life: Uplink demo in playable form

Michael Larabel reports via Phoronix: Guardrails have been in place where the Firefox browser has enabled Wayland by default (when running on recent GTK versions) but as of today that code has been removed... Firefox will try to move forward with stable releases where Wayland will ship by default! Mozilla Bug 1752398 to "ship the Wayland backend to release" has been closed this evening! After the ticket was open for the past two years, it's now deemed ready to hopefully ship enabled for Firefox 121!

This patch drops the "early beta or earlier" check to let Wayland support be enabled by default when running on recent GTK versions (GTK 3.24.30 threshold). Firefox 121 is due for release around 19 December and if all continues to hold, it will finally ship with the Wayland back-end enabled by default as another big step forward.

An anonymous reader quotes a report from Ars Technica: Intel on Tuesday pushed microcode updates to fix a high-severity CPU bug that has the potential to be maliciously exploited against cloud-based hosts. The flaw, affecting virtually all modern Intel CPUs, causes them to "enter a glitch state where the normal rules don't apply," Tavis Ormandy, one of several security researchers inside Google who discovered the bug, reported. Once triggered, the glitch state results in unexpected and potentially serious behavior, most notably system crashes that occur even when untrusted code is executed within a guest account of a virtual machine, which, under most cloud security models, is assumed to be safe from such faults. Escalation of privileges is also a possibility.

The bug, tracked under the common name Reptar and the designation CVE-2023-23583, is related to how affected CPUs manage prefixes, which change the behavior of instructions sent by running software. Intel x64 decoding generally allows redundant prefixes -- meaning those that don't make sense in a given context -- to be ignored without consequence. During testing in August, Ormandy noticed that the REX prefix was generating "unexpected results" when running on Intel CPUs that support a newer feature known as fast short repeat move, which was introduced in the Ice Lake architecture to fix microcoding bottlenecks. The unexpected behavior occurred when adding the redundant rex.r prefixes to the FSRM-optimized rep mov operation. [...]

Intel's official bulletin lists two classes of affected products: those that were already fixed and those that are fixed using microcode updates released Tuesday. An exhaustive list of affected CPUs is available here. As usual, the microcode updates will be available from device or motherboard manufacturers. While individuals aren't likely to face any immediate threat from this vulnerability, they should check with the manufacturer for a fix. People with expertise in x86 instruction and decoding should read Ormandy's post in its entirety. For everyone else, the most important takeaway is this: "However, we simply don't know if we can control the corruption precisely enough to achieve privilege escalation." That means it's not possible for people outside of Intel to know the true extent of the vulnerability severity. That said, anytime code running inside a virtual machine can crash the hypervisor the VM runs on, cloud providers like Google, Microsoft, Amazon, and others are going to immediately take notice.

An anonymous reader quotes a report from The Record: One of the nation's largest private radiology companies agreed to pay a $450,000 fine after a 2021 ransomware attack led to the exposure of sensitive information from nearly 200,000 patients. In an agreement announced on Wednesday, New York Attorney General Letitia James said US Radiology failed to remediate a vulnerability announced by security company SonicWall in January 2021. US Radiology used the company's firewall to protect its network and provide managed services for many of its partner companies, including the Windsong Radiology Group, which has six facilities across Western New York.

The vulnerability highlighted by the attorney general -- CVE-2021-20016 -- was used by ransomware gangs in several attacks. US Radiology was unable to install the firmware patch for the zero-day because its SonicWall hardware was at an end-of-life stage and was no longer supported. The company planned to replace the hardware in July 2021, but the project was delayed "due to competing priorities and resource restraints." The vulnerability was never addressed, and the company was attacked by an unnamed ransomware gang on December 8, 2021.

An investigation determined that the hacker was able to gain access to files that included the names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses and/or health insurance ID numbers of 198,260 patients. The data exposed during the incident also included driver's license numbers, passport numbers, and Social Security numbers for 82,478 New Yorkers. [...] In addition to the $450,000 penalty, the company will have to upgrade its IT network, hire someone to manage its data security program, encrypt all sensitive patient information and develop a penetration testing program. The company will have to delete patient data "when there is no reasonable business purpose to retain it" and submit compliance reports to the state for two years. "When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care," said Attorney General James. "US Radiology failed to protect New Yorkers' data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems."

In a rare move, Apple hit pause on development of next year's software updates for the iPhone, iPad, Mac and other devices so that it could root out glitches in the code. From a report: The delay, announced internally to employees last week, was meant to help maintain quality control after a proliferation of bugs in early versions, according to people with knowledge of the decision. Rather than adding new features, company engineers were tasked with fixing the flaws and improving the performance of the software, said the people, who asked not to be identified because the matter is private.

Apple's software -- famous for its clean interfaces, easy-to-use controls and focus on privacy -- is one of its biggest selling points. That makes quality control imperative. But the company has to balance a desire to add new features with making sure its operating systems run as smoothly as possible. [...] When looking at new operating systems due for release next year, the software engineering management team found too many "escapes" -- an industry term for bugs missed during internal testing. So the division took the unusual step of halting all new feature development for one week to work on fixing the bugs. With thousands of different Apple employees working on a range of operating systems and devices -- that need to work together seamlessly -- it's easy for glitches to crop up.

"Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations," reports Bleeping Computer, citing disclosures Thursday from Trend Micro's Zero Day Initiative, who reported them to Microsoft on September 7th and 8th, 2023.

In an email to the site, a Microsoft spokesperson said customers who applied the August Security Updates are already protected from the first vulnerability, while the other three require attackers to have prior access to email credentials. (And for two of them no evidence was presented that it can be leveraged to gain elevation of privilege.)

"We've reviewed these reports and have found that they have either already been addressed, or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate."

From Bleeping Computer's report: ZDI disagreed with this response and decided to publish the flaws under its own tracking IDs to warn Exchange admins about the security risks... All these vulnerabilities require authentication for exploitation, which reduces their severity CVSS rating to between 7.1 and 7.5... It should be noted, though, that cybercriminals have many ways to obtain Exchange credentials, including brute-forcing weak passwords, performing phishing attacks, purchasing them, or acquiring them from info-stealer logs...

ZDI suggests that the only salient mitigation strategy is to restrict interaction with Exchange apps. However, this can be unacceptably disruptive for many businesses and organizations using the product. We also suggest implementing multi-factor authentication to prevent cybercriminals from accessing Exchange instances even when account credentials have been compromised.

"Earlier this month, the California Department of Food and Agriculture quarantined 69 square miles of metro L.A. after invasive and destructive Mediterranean fruit flies were found at a home in the Leimert Park neighborhood," notes The Hill. Officials are now planning to use small planes to drop millions of fruit flies over Los Angeles in an effort to eradicate an invasive and destructive species of the insects. From the report: Jay Van Rein, a spokesperson for the CDFA, told SFGATE that officials plan to drop approximately 250,000 sterile male fruit flies per square mile in the quarantine area every week for six months, or perhaps longer. The sterile males mate with the females, which fail to produce offspring, reducing the population over time. Van Rein says the Preventative Release Program (PRP), as it's called, has been used effectively to manage invasive species since 1996.

The quarantine radius includes parts of downtown and South L.A., Hyde Park, Baldwin Hills, Culver City, Inglewood, Pico-Robertson and Mid-Wilshire. Those who live within the zone are urged not to transport any fruits or vegetables from their property and to double-bag them in plastic before tossing them in the trash. The Mediterranean fruit fly is very tiny -- only about 1/4 inch in length -- but they can potentially cause hundreds of millions of dollars in damage to crops if left unchecked, officials said. When a female lays eggs in a fruit or vegetable, they hatch into maggots that tunnel through it and cause rot.

Richard Speed reports via The Register: Asahi Linux, a project to port Linux to Apple Silicon Macs, has reported a combination of bugs in Apple's macOS that could leave users with hardware in a difficult-to-recover state. The issues revolve around how recent versions of macOS handle refresh rates, and MacBook Pro models with ProMotion displays (the 14 and 16-inch versions) are affected. According to the Asahi team, the bugs lurk in the upgrade and boot process and, when combined, can create a condition where a machine always boots to a black screen, and a Device Firmware Update (DFU) recovery is needed.

Asahi Linux's techies have looked into the issue, having first suspected it had something to do with either having an Asahi Linux installation on a Mac and then upgrading to macOS Sonoma or installing Asahi Linux after a Sonoma upgrade. However, the issue appears to be unconnected to the project. The team said: "As far as we can tell, ALL users who upgraded to Sonoma the normal way have an out-of-date or even broken System RecoveryOS, and in particular MacBook Pro 14" and 16" owners are vulnerable to ending up with a completely unbootable system." While this might sound alarming, the team was at pains to assure users that data was not at risk and only certain versions of macOS were affected -- Sonoma 14.0+ and Ventura 13.6+.

The first bug is related to macOS Sonoma using the previously installed version as System Recovery, which can cause problems when an older RecoveryOS runs into newer firmware. The second occurs if a display is configured to a refresh rate other than ProMotion. According to the Asahi Linux team, the system will no longer be able to boot into old macOS installs or Asahi Linux. "This includes recovery mode when those systems are set as the default boot OS, and also System Recovery at least until the next subsequent OS upgrade." The team noted: "Even users with just 13.6 installed single-boot are affected by this issue (no Asahi Linux needed).

"We do not understand how Apple managed to release an OS update that, when upgraded to normally, leaves machines unbootable if their display refresh rate is not the default. This seems to have been a major QA oversight by Apple."