Bug

Is Cockroach Milk the Ultimate Superfood? (globalnews.ca) 177

An anonymous reader quotes a report from Global News: It may not be everyone's cup of milk, but for years now, some researchers believe insect milk, like cockroach milk, could be the next big dairy alternative. A report in 2016 found Pacific Beetle cockroaches specifically created nutrient-filled milk crystals that could also benefit humans, the Hindustan Times reports. Others report producing cockroach milk isn't easy, either -- it takes 1,000 cockroaches to make 100 grams of milk, Inverse reports, and other options could include a cockroach milk pill. And although it has been two years since the study, some people are still hopeful. Insect milk, or entomilk, is already being used and consumed by Cape Town-based company Gourmet Grubb, IOL reports.

Jarrod Goldin, [president of Entomo Farms which launched in 2014], got interested in the insect market after the Food and Agriculture Organization of the United Nations in 2013 announced people around the world were consuming more than 1,900 insects. As his brothers were already farming insects for fishing and reptile use, Goldin thought it would be a smart business opportunity to focus on food. Goldin adds studies have shown cricket powder can be a high source of protein and B12. The PC version his company produces has 13 grams of protein per every 2 1/2 tbsps. Toronto-based registered dietitian Andy De Santis says for protein alternatives, insects are definitely in the playing field.

According to ScienceAlert, Diploptera punctata is the only known cockroach to give birth to live young and has been shown to pump out a type of "milk" containing protein crystals to feed its babies. "The fact that an insect produces milk is pretty fascinating -- but what fascinated researchers is the fact that a single one of these protein crystals contains more than three times the amount of energy found in an equivalent amount of buffalo milk (which is also higher in calories than regular cow's milk)."

Researchers are now working to replicate the crystals in the lab. They are working with yeast to produce the crystal in much larger quantities -- "making it slightly more efficient than extracting crystals from cockroach's guts," reports ScienceAlert.

Bug

T-Mobile Bug Let Anyone See Any Customer's Account Details (zdnet.com) 37

An anonymous reader writes: A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number, ZDNet reported Thursday. The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com, which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address.

Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone. The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.

Bug

Comcast Website Bug Leaks Xfinity Customer Data (zdnet.com) 43

An anonymous reader quotes a report from ZDNet: A bug in Comcast's website used to activate Xfinity routers can return sensitive information on the company's customers. The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password. Two security researchers, Karan Saini and Ryan Stevenson, discovered the bug. Only a customer account ID and that customer's house or apartment number is needed -- even though the web form asks for a full address.

ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code -- which both customers confirmed. The site returned the Wi-Fi name and password -- in plaintext -- used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router -- and the site didn't return the Wi-Fi network name or password.

Software

Popular 'Gboard' Keyboard App Has Had a Broken Spell Checker For Months 54

The popular Gboard keyboard app for iOS and Android devices has a fundamental flaw. According to Reddit user SurroundedByMachines, the red underline has stopped appearing for incorrectly spelled words since November of last year -- and it doesn't appear to be limited to any one device. Issues with the spell checker have been reported on multiple devices across Android and iOS. A simple Google search brings up several different threads where people have reported issues with the feature.

What's more is that nobody at Google seems to get the memo. The Reddit user who first brought this to our attention filed several bug reports, left a review, and joined the beta channel to leave feedback there, yet no response was given. "Many people have been having the issue, and it's even been escalated to the community manager," writes SurroundedByMachines. Since the app has over 500 million downloads on the Play Store alone, this issue could be frustrating a lot of users, especially those who use their phones to send work emails or write documents. Have you noticed Gboard's broken spell checker on your device? If so, you may want to look into another third-party keyboard, such as SwiftKey or Cheetah Keyboard.
Privacy

FCC Investigating LocationSmart Over Phone-Tracking Flaw (cnet.com) 19

The FCC has opened an investigation into LocationSmart, a company that is buying your real-time location data from four of the largest U.S. carriers in the United States. The investigation comes a day after a security researcher from Carnegie Mellon University exposed a vulnerability on LocationSmart's website. CNET reports: The bug has prompted an investigation from the FCC, the agency said on Friday. An FCC spokesman said LocationSmart's case was being handled by its Enforcement Bureau. Since The New York Times revealed that Securus, an inmate call tracking service, had offered the same tracking service last week, Sen. Ron Wyden, a Democrat from Oregon, called for the FCC and major wireless carriers to investigate these companies. On Friday, Wyden praised the investigation, but requested the FCC to expand its look beyond LocationSmart.

"The negligent attitude toward Americans' security and privacy by wireless carriers and intermediaries puts every American at risk," Wyden said. "I urge the FCC expand the scope of this investigation, and to more broadly probe the practice of third parties buying real-time location data on Americans." He is also calling for FCC Chairman Ajit Pai to recuse himself from the investigation, because Pai was a former attorney for Securus.

Security

A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim (zdnet.com) 47

Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug -- which the company confirmed and has since fixed -- filed anonymously to a public security disclosure list, detailed how anyone controlling Keeper's API server could gain access to the decryption key to a user's vault of passwords and other sensitive information. The researcher found the issue in the company's Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems.

According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.

Education

Scottish Students Used Spellchecker Glitch To Cheat In Literacy Test (bbc.com) 166

Thelasko shares a report from the BBC: Schools are to be given advice on how to disable a glitch that allows pupils sitting online spelling tests to right-click their mouse and find the answer. It follows the discovery by teachers that children familiar with traditional computer spellcheckers were simply applying it to the tests. The Scottish National Standardized Assessments were introduced to assess progress in four different age groups. A spokesman said the issue was not with the Scottish National Standardized Assessments (SNSA) but with browser or device settings on some machines.

Introduced in 2017, the spelling test asks children to identify misspelt words. However, on some school computers the words were highlighted with a red line. Pupils who right-clicked on the words were then able to access the correct spelling. The web-based SNSA tool enables teachers to administer online literacy and numeracy tests for pupils in P1, P4, P7 and S3, which are marked and scored automatically. Advice is being given to schools about how to disable the spellchecking function.

Privacy

Cell Phone Tracking Firm Exposed Millions of Americans' Real-time Locations (zdnet.com) 39

Earlier this week, ZDNet shed some light on a company called LocationSmart that is buying your real-time location data from four of the largest U.S. carriers in the United States. The story blew up because a former police sheriff snooped on phone location data without a warrant, according to The New York Times. ZDNet is now reporting that the company "had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent." An anonymous reader shares an excerpt: "Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a Ph.D. student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here." The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon. Xiao said the bug may have exposed nearly every cell phone customer in the U.S. and Canada, some 200 million customers.

The researcher said he started looking at LocationSmart's website following ZDNet's report this week, which followed from a story from The New York Times, which revealed how a former police sheriff snooped on phone location data without a warrant. The sheriff has pleaded not guilty to charges of unlawful surveillance. He said one of the APIs used in the "try" page that allows users to try the location feature out was not validating the consent response properly. Xiao said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent. "It's a surprisingly simple bug," he said.

Google

Google Fixes Issue That Broke Millions of Web-Based Games in Chrome (bleepingcomputer.com) 37

Google this week rolled out an update to Chrome to patch a bug that had rendered millions of web-based games useless. From a report: The bug was introduced in mid-April when Google launched Chrome 66. One of this release's features was its ability to block web pages with auto-playing audio. [...] Not all games were affected the same. For some HTML5 games, users could re-enable audio by interacting with the game's canvas via a click-to-play interaction. Unfortunately, older games and those that weren't coded with such policy remained irrevocably broken, no matter what Chrome options users tried to modify in their settings sections. [...] With today's release of Chrome for Desktop v66.0.3359.181, Google has now fixed this issue, but only temporarily. John Pallett, a product manager at Google, admitted that Google "didn't do a good job of communicating the impact of the new autoplay policy to developers using the Web Audio API." He said, for this reason, the current version of Chrome, v66, will no longer automatically mute Web Audio objects.
Robotics

Researchers Create First Flying Wireless Robotic Insect (newatlas.com) 64

An anonymous reader quotes a report from New Atlas: You might remember RoboBee, an insect-sized robot that flies by flapping its wings. Unfortunately, though, it has to be hard-wired to a power source. Well, one of RoboBee's creators has now helped develop RoboFly, which flies without a tether. Slightly heavier than a toothpick, RoboFly was designed by a team at the University of Washington -- one member of that team, assistant professor Sawyer Fuller, was also part of the Harvard University team that first created RoboBee. That flying robot receives its power via a wire attached to an external power source, as an onboard battery would simply be too heavy to allow the tiny craft to fly. Instead of a wire or a battery, RoboFly is powered by a laser. That laser shines on a photovoltaic cell, which is mounted on top of the robot. On its own, that cell converts the laser light to just seven volts of electricity, so a built-in circuit boosts that to the 240 volts needed to flap the wings. That circuit also contains a microcontroller, which tells the robot when and how to flap its wings -- on RoboBee, that sort of "thinking" is handled via a tether-linked external controller. The robot can be seen in action here.
Security

Malware Found In the Ubuntu Snap Store (linuxuprising.com) 90

An anonymous reader quotes a report from Linux Uprising: Oh, snap! Just because some packages are available to install directly from the Ubuntu Software Center doesn't make them safe. This is proved by a recent discovery of malware in some snap packages from the Ubuntu Snaps Store.

At least two of the snap packages, 2048buntu and hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, "pending further investigations." The report comes from a bug which mentions that the 2048buntu snap package (and other packages by Nicolas Tomb) contains a hidden cryptocurrency miner inside.

Security

26% of Companies Ignore Security Bugs Because They Don't Have the Time to Fix Them (bleepingcomputer.com) 90

Catalin Cimpanu, writing for BleepingComputer: A survey compiled last month at the RSA security conference reveals that most companies are still behind with proper security practices, and some of them even intentionally ignore security flaws for various reasons ranging from lack of time to lack of know-how. The survey, which compiled answers from 155 security professionals from the companies present at the RSA conference, revealed that only 47% of organizations patch vulnerabilities as soon as they are known. Most worrisome is that some companies wait quite some time before applying patches, exposing their IT infrastructure to attacks. More precisely, 16% wait for one month, while 8% said they only apply patches once or twice a year.
Security

Multiple OS Vendors Release Security Patches After Misinterpreting Intel Docs (bleepingcomputer.com) 81

Almost all major OS vendors released security patches yesterday after a researcher discovered that some OS makers have misinterpreted an Intel CPU debug feature and left their systems open to attacks. From a report: The vulnerability is in how the OS vendors implemented a hardware debug mechanism for Intel x86-64 architectures -- and more specifically the MOV SS and POP SS instructions. "In certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3," the CERT/CC team explained in an advisory published yesterday. Explained in layman's terms, "this may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions." Operating systems that mishandle this debug exception and had their systems open to attacks include Apple, Microsoft, FreeBSD, Red Hat, Ubuntu, SUSE Linux, and other Linux distros based on the Linux Kernel -- which is also affected.
Security

Drupal Sites Fall Victims To Cryptojacking Campaigns (bleepingcomputer.com) 27

An anonymous reader shares a report: After the publication of two severe security flaws in the Drupal CMS, cybercrime groups have turned their sights on this web technology in the hopes of finding new ground to plant malware on servers and make money through illegal cryptocurrency mining. [...] Now, as time passes by, more malware campaigns targeting Drupal sites are getting off the ground -- and two of them have been spotted the past week.

The most recent of these campaigns has been discovered by US security researcher Troy Mursch. The researcher discovered a group that gained access to Drupal sites and hid a version of the Coinhive in-browser cryptocurrency miner inside a file named "jquery [dot] once [dot] js?v=1.2," loaded on each of the compromised sites. Mursch initially tracked down the infected files to over 100,000 domains, then narrowed down the results to 80,000 domains, and finally confirmed the infection on at least 348 sites where the in-browsing mining operation was actually taking place.

Security

After Equifax Breach, Major Firms Still Rely on Same Flawed Software (zdnet.com) 62

Last year's massive data breach at Equifax should have been a wake-up call for the entire industry. But a year after the patches were released, some of the world's wealthiest companies are still using, or have since introduced the same flawed software. From a report: Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular web server software used across the Fortune 100 to provide web applications in Java. It's often used to power both front- and back-end applications -- including Equifax's public website. The bug used in the Equifax hack was fixed in March 2017, but Equifax never installed the patches. Since those patches were made available, data seen by ZDNet shows that at least 10,800 companies downloaded vulnerable versions of the software. The data, provided by Sonatype, an open-source automation firm, shows that over half of the Fortune Global 100 are using vulnerable versions of the software. Although the firm wouldn't name the affected companies, a quarter of them are based in North America. The data showed that seven are tech giants, and 15 are financial services or insurance firms.

Bug

Eight New Meltdown-Like Flaws Found (reuters.com) 82

An anonymous reader quotes Reuters: Researchers have found eight new flaws in computer central processing units that resemble the Meltdown and Spectre bugs revealed in January, a German computing magazine reported on Thursday. The magazine, called c't, said it was aware of Intel Corp's plans to patch the flaws, adding that some chips designed by ARM Holdings, a unit of Japan's Softbank, might be affected, while work was continuing to establish whether Advanced Micro Devices chips were vulnerable... The magazine said Google Project Zero, one of the original collective that exposed Meltdown and Spectre in January, had found one of the flaws and that a 90-day embargo on going public with its findings would end on May 7...

"Considering what we have seen with Meltdown and Spectre, we should expect a long and painful cycle of updates, possibly even performance or stability issues," said Yuriy Bulygin, chief executive officer of hardware security firm Eclypsium and a former Intel security researcher. "Hopefully, Meltdown and Spectre led to improvements to the complicated process of patching hardware."

Neowin now reports that Intel "is expected to release microcode updates in two waves; one in May, and the other in August."

Bug

Microsoft's 'Meltdown' Patch For Windows 10 Contains a Fatal Flaw (bleepingcomputer.com) 106

An anonymous reader quotes BleepingComputer: Microsoft's patches for the Meltdown vulnerability have had a fatal flaw all these past months, according to Alex Ionescu, a security researcher with cyber-security firm Crowdstrike. Only patches for Windows 10 versions were affected, the researcher wrote today in a tweet. Microsoft quietly fixed the issue on Windows 10 Redstone 4 (v1803), also known as the April 2018 Update, released on Monday.

"Welp, it turns out the Meltdown patches for Windows 10 had a fatal flaw: calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation," Ionescu wrote. Ionescu pointed out that older versions of Windows 10 are still running with outdated and bypass-able Meltdown patches.

Wednesday Microsoft issued a security update, but it wasn't to backport the "fixed" Meltdown patches for older Windows 10 versions. Instead, the emergency update fixed a vulnerability in the Windows Host Compute Service Shim (hcsshim) library (CVE-2018-8115) that allows an attacker to remotely execute code on vulnerable systems.

Twitter

Twitter Says Glitch Exposed 'Substantial' Number of Users' Passwords In Plain Text (reuters.com) 107

Twitter is urging its more than 330 million users to change their passwords after a glitch exposed some in plain text on its internal computer network. Reuters is first to report the news: The social network said an internal investigation had found no indication passwords were stolen or misused by insiders, but that it urged all users to consider changing their passwords "out of an abundance of caution." The blog did not say how many passwords were affected. Here's what Twitter has to say about the bug: "We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard. Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."

The social networking service is asking users to change their password "on all services where you've used this password." You can do so via the password settings page.

Windows

Ask Slashdot: Any Idiosyncrasies of the New Windows 10 April 2018 Update? 149

shanen wants to know if anyone else has noticed any idiosyncrasies of the new Windows 10 April 2018 update, which was released on April 30th (global rollout on May 8): Only two machines so far [are running the new version of Windows 10], but I already noticed a few peculiarities. Do you have any to share? Here are mine so far:

1. Microsoft prefers tightly linking the machine to a Microsoft account, for example via Outlook.com. If you have a machine that is not linked that way, the antivirus software will now attempt to force a link to a Microsoft account. And what is that new PIN supposed to be about?
2. Accessing a gateway on the wrong private network can produce a hard freeze, forcing a hard reset from the power down state. Possibly a serious security vulnerability to the point where I'm not sure I should share the details in public.

Anything you've noticed about the new Windows 10? (Now I have to get back to dealing with the new OS X update and the latest Ubuntu...)

Some of the new features include the ability to resume past activities in timeline, a file sharing feature with nearby devices, a rebuilt Game Bar with a new Fluent design UI, and a diagnostic data viewing tool in the Security and Privacy section. If you want to get the update before the global rollout, you can do so via Check for Updates under Windows Update.

Security

A Critical Security Flaw in Popular Industrial Software Put Power Plants At Risk (zdnet.com) 41

A severe vulnerability in a widely used industrial control software could have been used to disrupt and shut down power plants and other critical infrastructure. From a report: Researchers at security firm Tenable found the flaw in the popular Schneider Electric software, used across the manufacturing and power industries, which if exploited could have allowed a skilled attacker to attack systems on the network. It's the latest vulnerability that risks an attack to the core of any major plant's operations at a time when these systems have become a greater target in recent years. The report follows a recent warning, issued by the FBI and Homeland Security, from Russian hackers. The affected Schneider software, InduSoft Web Studio and InTouch Machine Edition, acts as middleware between industrial devices and their human operators. It's used to automate the various moving parts of a power plant or manufacturing unit, by keeping tabs on data collection sensors and control systems. But Tenable found that a bug in that central software could leave an entire plant exposed.
