IOS

iOS 11.3.1 Fixes Bug Where Third-Party Screen Repairs Made iPhone 8 Touchscreens Stop Working (gizmodo.com) 21

The latest version of iOS 11.3.1 includes a fix for an issue where people who use third-party repair services to replace their displays had their devices become unresponsive. According to release notes, "iOS 11.3.1 improves the security of your iPhone or iPad and addresses an issue where touch input was unresponsive on some iPhone 8 devices because they were serviced with non-genuine replacement displays." Gizmodo reports: Retailers and customers alike suspected that Apple was deliberately letting the issue and other malfunctions that arose from replacing other components go unresolved in some sort of ploy to pressure customers into paying for officially licensed repair services that are more expensive. It's possible that some users indeed were forced to shell out a fair chunk of change to Apple for official repairs, in which case they might justifiably be angry that this was an issue that could be resolved with an update. iOS 11 was notoriously buggy after its release, and Apple has devoted so much effort to bug-fixing that this year's iOS 12 update will reportedly have fewer new features. Though Apple says the 11.3.1 fix will work, it also warned people to please not use third-party repair shops: "Note: Non-genuine replacement displays may have compromised visual quality and may fail to work correctly. Apple-certified screen repairs are performed by trusted experts who use genuine Apple parts. See support.apple.com for more information."
Programming

Drupal Warns of New Remote-Code Bug, the Second in Four Weeks (arstechnica.com) 44

For the second time in a month, websites that use the Drupal content management system are confronted with a stark choice: install a critical update or risk having your servers infected with ransomware or other nasties. From a report: Maintainers of the open-source CMS built on the PHP programming language released an update patching a critical remote-code vulnerability on Wednesday. The bug, formally indexed as CVE-2018-7602, exists within multiple subsystems of Drupal 7.x and 8.x. Drupal maintainers didn't provide details on how the vulnerability can be exploited other than to say attacks work remotely. The maintainers rated the vulnerability "critical" and urged websites to patch it as soon as possible.
Security

Hacking a Satellite is Surprisingly Easy (theoutline.com) 197

Caroline Haskins, writing for The Outline: Hundreds of multi-ton liabilities -- soaring faster than the speed of sound, miles above the surface of the earth -- are operating on Windows-95. They're satellites, responsible for everything from GPS positioning, to taking weather measurements, to carrying cell signals, to providing television and internet. For the countries that own these satellites, they're invaluable resources. Even though they're old, it's more expensive to take satellites down than it is to just leave them up. So they stay up. Unfortunately, these outdated systems make old satellites prime targets for cyber attacks. [...]

A malicious actor could fake their IP address, which gives information about a user's computer and its location. This person could then get access to the satellite's computer system, and manipulate where the satellite goes or what it does. Alternatively, an actor could jam the satellite's radio transmissions with earth, essentially disabling it. The cost of such an attack could be huge. If a satellite doesn't work, life-saving GPS or online information could be withheld to people on earth when they need it most. What's worse, if part of a satellite -- or an entire satellite -- is knocked out of its orbit from an attack, the debris could create a domino effect and cause extreme damage to other satellites.

Desktops (Apple)

Users Complain About Installation Issues With macOS 10.13.4 (theregister.co.uk) 90

An anonymous reader shares a report: The 10.13.4 update for macOS High Sierra is recommended for all users, and was emitted at the end of March promising to "improve stability, performance, and security of your Mac." But geek support sites have started filling up with people complaining that it had the opposite effect: killing their computer with messages that "the macOS installation couldn't be completed."

The initial install appears to be working fine, but when users go to shut down or reboot an upgraded system, it goes into recovery mode. According to numerous reports, there doesn't appear to be anything wrong with users' Macs -- internal drives report that they're fine. And the issue is affecting a range of different Apple-branded computers from different years. Some have been successful in getting 10.13.4 to install by launching from Safe Mode, but others haven't and are deciding to roll back and stick with 10.13.3 until Apple puts out a new update that will fix whatever the issue is while claiming it has nothing to do with it.

Microsoft

Microsoft Delays Windows 10 Spring Creators Update Because of 'Higher Percentage of BSODs' (bleepingcomputer.com) 108

Microsoft has admitted that it had to postpone the release of Spring Creators Update, the upcoming major update to its Windows 10 desktop operating system, due to technical issues. BleepingComputer notes: More precisely, Microsoft says it encountered a higher percentage of Blue Screen of Death (BSOD) errors on PCs, the company's Insiders Program managers said in a blog post yesterday. Microsoft says that instead of shipping the Spring Creators Update faulty as it was, and then delivering an update later to fix the issues, it decided to hold off on deploying the defective build altogether. The OS maker says it will create and test a new Windows 10 build that also includes the BSOD fixes, and ship that one instead of Windows 10 Insider Preview Build 17134, the build that was initially scheduled to be launched as the Spring Creators Update on April 10, last week.
Earth

Scientists Accidentally Create Mutant Enzyme That Eats Plastic Bottles (theguardian.com) 219

Scientists have created a mutant enzyme that breaks down plastic drinks bottles -- by accident. The breakthrough could help solve the global plastic pollution crisis by enabling for the first time the full recycling of bottles. From a report: The new research was spurred by the discovery in 2016 of the first bacterium that had naturally evolved to eat plastic, at a waste dump in Japan. Scientists have now revealed the detailed structure of the crucial enzyme produced by the bug. The international team then tweaked the enzyme to see how it had evolved, but tests showed they had inadvertently made the molecule even better at breaking down the PET (polyethylene terephthalate) plastic used for soft drink bottles. "What actually turned out was we improved the enzyme, which was a bit of a shock," said Prof John McGeehan, at the University of Portsmouth, UK, who led the research. "It's great and a real finding." The mutant enzyme takes a few days to start breaking down the plastic -- far faster than the centuries it takes in the oceans. But the researchers are optimistic this can be speeded up even further and become a viable large-scale process.
Windows

Microsoft Discovers Blocking Bug and Delays the Release of Windows 10 Spring Creators Update (betanews.com) 83

The next big update for Windows 10 has been delayed while Microsoft rushes to fix a newly-discovered bug. From a report: Known variously as Windows 10 version 1803, Cumulative Update for Windows 10 Version Next, Redstone 4 and Windows 10 Spring Creators Update, it was widely thought that the update had reached RTM and was on the verge of rolling out. However, this last-minute discovery means there will be a little longer to wait.
Security

You Think Discovering a Computer Virus Is Hard? Try Naming One (wsj.com) 49

Like astronomers who discover new stars, security experts who first identify computer bugs, viruses, worms, ransomware and other coding catastrophes often get to name their finds. Such discoveries now number in the thousands each year, so crafting a standout moniker can be a serious challenge. From a report: Two years ago, German security firm SerNet GmbH figured a punchy name for their bug discovery would give the company a publicity jolt. They called it Badlock, designed a fractured-lock logo and set up a website. The marketing push backfired when some security experts decided Badlock wasn't that bad. Cynical hackers called it Sadlock. "We would not do this again," says SerNet Chief Executive Johannes Loxen of the branding blitz, which he says was overkill because a relatively small number of people were affected by Badlock. Hackers are no fans of marketing. They brand things in their own way. Puns and historic references are the name of the game. "They see it as a kind of grass-roots initiative," says Gabriella Coleman, an anthropologist who teaches courses on hacker culture at McGill University in Montreal.

Some venerable names that have stood the test of time: The Love Bug, for the worm that attacked millions of Windows personal computers in 2000, and Y2K, a turn-of-the-century programming scare that didn't live up to its hype. Many names tend more toward geekspeak. The title of hacker magazine 2600 is a tip of the hat to 2600 hertz, the frequency old-school hackers reproduced to trick AT&T phone lines into giving them free calls. Computer worm Conficker is an amalgam of "configure" and a German expletive. Code Red is named after the Mountain Dew drink researchers guzzled while investigating the worm.

Microsoft

Microsoft Removes Antivirus Registry Key Check for All Windows Versions (bleepingcomputer.com) 49

Microsoft has decided to remove a mandatory "registry key requirement" it introduced in the aftermath of the Meltdown and Spectre vulnerability disclosure. BleepingComputer: Microsoft used this registry key to prevent Windows updates from being installed on computers running antivirus software incompatible with the Meltdown and Spectre patches. Antivirus vendors were supposed to create this registry key on users' computers to signal that they've updated their product and will not interfere with Microsoft's patches. This was a big issue because incompatible antivirus products would crash and BSOD Windows systems. [...] The OS maker removed the registry key check for Windows 10 computers last month, in March, and announced yesterday that the key is no longer necessary for other Windows operating system versions -- 7, 8, 8.1, Server 2008, and Windows Server 2012.
Facebook

Facebook Launches Bug Bounty Program To Report Data Thieves (cnet.com) 66

Facebook on Tuesday launched a data abuse bug bounty program, just hours ahead of CEO Mark Zuckerberg's testimony to the Senate judiciary and commerce committees in Washington, DC. The bug bounty program is asking for people to report any apps that abuse data on Facebook, and it offers a reward based on how severe the abuse is. From a report: "While there is no maximum, high impact bug reports have garnered as much as $40,000 for people who bring them to our attention," Collin Greene, Facebook's head of product security, said in a post. The new program comes almost a month after the New York Times and the UK's Observer and Guardian papers revealed that Cambridge Analytica, a voter profiling firm, took advantage of a Facebook app to siphon off personal information on 87 million people. The scandal has fanned the flames of a backlash against Facebook by lawmakers and users.
Security

Linux: Beep Command Can Be Used to Probe for the Presence of Sensitive Files (bleepingcomputer.com) 109

Catalin Cimpanu, writing for BleepingComputer: A vulnerability in the "beep" package that comes pre-installed with Debian and Ubuntu distros allows an attacker to probe for the presence of files on a computer, even those owned by root users, which are supposed to be secret and inaccessible. The vulnerability, tracked as CVE-2018-0492, has been fixed in recent versions of Debian and Ubuntu (Debian-based OS). At its core, the bug is a race condition in the beep utility that allows the OS to emit a "beep" sound whenever it is deemed necessary. Security researchers have discovered a race condition in the beep package that allows an attacker to elevate his code to root-level access.
Microsoft

Microsoft Modifies Open-Source Code, Blows Hole In Windows Defender (theregister.co.uk) 71

An anonymous reader quotes a report from The Register: A remote-code execution vulnerability in Windows Defender -- a flaw that can be exploited by malicious .rar files to run malware on PCs -- has been traced back to an open-source archiving tool Microsoft adopted for its own use. The bug, CVE-2018-0986, was patched on Tuesday in the latest version of the Microsoft Malware Protection Engine (1.1.14700.5) in Windows Defender, Security Essentials, Exchange Server, Forefront Endpoint Protection, and Intune Endpoint Protection. This update should be installed, or may have been automatically installed already on your device. The vulnerability can be leveraged by an attacker to achieve remote code execution on a victim's machine simply by getting the mark to download -- via a webpage or email or similar -- a specially crafted .rar file while the anti-malware engine's scanning feature is on. In many cases, this analysis is set to happen automatically.

When the malware engine scans the malicious archive, it triggers a memory corruption bug that leads to the execution of evil code smuggled within the file with powerful LocalSystem rights, granting total control over the computer. The screwup was discovered and reported to Microsoft by legendary security researcher Halvar Flake, now working for Google. Flake was able to trace the vulnerability back to an older version of unrar, an open-source archiving utility used to unpack .rar archives. Apparently, Microsoft forked that version of unrar and incorporated the component into its operating system's antivirus engine. That forked code was then modified so that all signed integer variables were converted to unsigned variables, causing knock-on problems with mathematical comparisons. This in turn left the software vulnerable to memory corruption errors, which can crash the antivirus package or allow malicious code to potentially execute.
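The signed-to-unsigned knock-on effect described above, as an added example that is neither Microsoft's nor unrar's code: a back-reference check in an LZ-style decoder, once with the original signed arithmetic, once after a mechanical conversion to unsigned (the check becomes dead code), and once written so that it holds for unsigned values. The function names, the window layout and the sample data are assumptions.

```c
/* Added example (not Microsoft's or unrar's code). Shows how converting
 * signed variables to unsigned silently disables a negative-offset check
 * in an archive decoder, and how the check should be written instead. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Original style: signed arithmetic. A match reaching before the start
 * of the output window produces a negative offset, which is rejected. */
static int offset_ok_signed(int pos, int dist)
{
    int dest = pos - dist;
    if (dest < 0)            /* reachable: fires when dist > pos */
        return 0;
    return 1;
}

/* The same logic after a mechanical signed->unsigned conversion.
 * pos - dist wraps around instead of going negative, so "dest < 0"
 * can never be true and every distance is accepted, including ones
 * that point far outside the window. (Compilers usually warn here.) */
static int offset_ok_unsigned(unsigned pos, unsigned dist)
{
    unsigned dest = pos - dist;
    if (dest < 0)            /* dead code for an unsigned value */
        return 0;
    return 1;
}

/* Corrected form: compare before subtracting, so no wrap can occur.
 * A zero distance is also meaningless for a back-reference. */
static int offset_ok_fixed(size_t pos, size_t dist)
{
    return dist != 0 && dist <= pos;
}

/* Bounded match copy: copies len bytes from pos - dist to pos, byte by
 * byte so that overlapping matches (dist < len) repeat correctly.
 * Returns the new write position, or 0 if any input is rejected. */
static size_t lz_copy_match(unsigned char *win, size_t win_size,
                            size_t pos, size_t dist, size_t len)
{
    if (pos > win_size || !offset_ok_fixed(pos, dist))
        return 0;
    if (len > win_size - pos)   /* would run past the end of the window */
        return 0;
    for (size_t i = 0; i < len; i++)
        win[pos + i] = win[pos + i - dist];
    return pos + len;
}

/* Constructed sample: a 16-byte window holding "abcd", then a valid
 * overlapping match followed by two inputs that must be rejected.
 * Returns 1 when every case behaves as intended. */
static int demo_copy(void)
{
    unsigned char win[16] = "abcd";
    size_t pos = lz_copy_match(win, sizeof win, 4, 2, 4);
    if (pos != 8 || memcmp(win, "abcdcdcd", 8) != 0)
        return 0;
    if (lz_copy_match(win, sizeof win, pos, 9, 4) != 0)  /* dist > pos */
        return 0;
    if (lz_copy_match(win, sizeof win, pos, 2, 9) != 0)  /* 8 + 9 > 16 */
        return 0;
    return 1;
}

int main(void)
{
    printf("signed check, dist 9 at pos 5:   %d (rejected)\n",
           offset_ok_signed(5, 9));
    printf("unsigned check, dist 9 at pos 5: %d (wrongly accepted)\n",
           offset_ok_unsigned(5, 9));
    printf("fixed check, dist 9 at pos 5:    %d (rejected)\n",
           offset_ok_fixed(5, 9));
    printf("bounded copy demo: %s\n", demo_copy() ? "ok" : "FAILED");
    return 0;
}
```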

Bitcoin

Hacker Uses Exploit To Generate Verge Cryptocurrency Out of Thin Air (bleepingcomputer.com) 85

An anonymous reader quotes a report from Bleeping Computer: An unknown attacker has exploited a bug in the Verge cryptocurrency network code to mine Verge coins at a very rapid pace and generate funds almost out of thin air. The Verge development team is preparing a hard-fork of the entire cryptocurrency code to fix the issue and revert the blockchain to a previous state before the attack to neutralize the hacker's gains. The attack took place yesterday, and initially users thought it was a "51% attack," an attack where a malicious actor takes control of more than half of the network nodes, giving himself the power to forge transactions. Nonetheless, users who later looked into the suspicious network activity eventually tracked down what happened, revealing that a mysterious attacker had mined Verge coins at a near impossible speed of 1,560 Verge coins (XVG) per second, the equivalent of $78/s. The malicious mining lasted only three hours, according to the Verge team. According to users who tracked the illegally mined funds on the Verge blockchain, the hacker appears to have made around 15.6 million Verge coins, which is around $780,000.
The Internet

One of Estonia's First 'e-Residents' Explains What It Means To Have Digital Citizenship 76

An anonymous reader shares a report from Quartz, written by Estonian e-Resident April Rinne: In 2014, Estonia, a country previously known as much for its national singing revolution as anything else, became the first country in the world to launch an e-Residency program. Once admitted, e-Residents can conduct business worldwide as if they were from Estonia, which is a member of the EU. They are given government-issued digital IDs, can open Estonian bank and securities accounts, form and register Estonian companies, and have a front-row seat as nascent concepts of digital and virtual citizenship evolve. There is no requirement to have a physical presence in Estonia. [...] Three years in, what I find most incredible about e-Residency is that it actually works.

E-Residency was appealing to me for several reasons (none of which include dodging the law, taxes, or other civic responsibilities). I have Finnish heritage and for many years was intrigued by Finland's "smaller neighbor." And, I'd just joined an Estonian startup as an advisor. Becoming an e-Resident would allow me to receive payment from clients in Euros from any company without worrying about currency fluctuations, and to own shares in the company (previously this would have required various administrative work-arounds). [...] At a basic level, e-Residency makes working overall simpler and, ideally, more streamlined. This plays out in many ways, depending on the type of worker or organization. For example, many bona fide small- and mid-sized companies in other regions simply could not get access to European markets. The costs of entry and other requirements made it prohibitively cumbersome. E-Residency gives them a new avenue to do this; they still have to prove their merits, but the playing field is more level. For independent entrepreneurs, especially those working in different countries, Estonia makes the entire process of establishing and maintaining a small business easier, faster and more affordable. In my case, I'm able to transact, bank, and sign documents easily. I still maintain my U.S. presence -- because a non-trivial amount of my portfolio is in the U.S., and I maintain a range of local commitments and community -- but many of my fellow e-Residents have shifted their entire enterprise to Estonia.
In conclusion, Rinne notes the imperfections of the residency: "multiple times I had to disable firewalls to get digital services to work, and the e-Residency team discovered a potential bug in late 2017 which led them to deactivate all ID cards until they could be updated through the internet." All in all the experience has been "useful beyond measure," Rinne writes. "It has enabled me to re-think not only how I work, but also the many ways in which the world of work itself is changing and emerging opportunities for the future."
Facebook

Facebook's Privacy Fixes Have Broken Tinder (theverge.com) 73

Since the recent Cambridge Analytica data privacy scandal, Facebook has been rolling out more security and data privacy updates. "Today, however, the company announced sweeping changes to many of its most prominent APIs, restricting developer access in a number of crucial ways," reports The Verge. "Soon after, Tinder users started noting on Twitter that they had been kicked off the dating app and couldn't log back on, as those who used Facebook Login were caught in an infinite loop that appears to be related to an unknown bug." From the report: The app has been bringing up an error message to booted users, titled Facebook Permissions, stating that users need to provide more Facebook permissions in order to create or use a Tinder account. If users tap "Ask me," which is the only given option, the app requests they log into Facebook once more and the loop starts again. Roderick Hsiao, a senior software engineer at Tinder, tweeted that users could still access the service through its web browser while engineers worked on fixing the mobile client.
Displays

Latest macOS Update Disables DisplayLink, Rendering Thousands of Monitors Dead (displaylink.com) 331

rh2600 writes: Four days ago, Apple's latest macOS 10.13.4 update broke DisplayLink protocol support (perhaps permanently), turning what may be hundreds of thousands of external monitors connected to MacBook Pros via DisplayLink into paperweights. Some days in, DisplayLink has yet to announce any solution, and most worryingly there are indications that this is a permanent change to macOS moving forward. Mac Rumors is reporting that "users of the popular Mac desktop extension app Duet Display are being advised not to update to macOS 10.13.4, due to 'critical bugs' that prevent the software from communicating with connected iOS devices used as extra displays." Users of other desktop extensions apps like Air Display and iDisplay are also reporting incompatibility with the latest version of macOS.
Bug

Facebook Blames a 'Bug' For Not Deleting Your Seemingly Deleted Videos (gizmodo.com) 66

Last week, The New York Magazine found that Facebook was archiving videos users thought were deleted. The social media company is now apologizing for failing to delete the videos, blaming it on a "bug." It adds that it's in the process of deleting the content now. Gizmodo reports: Last week, New York's Select All broke the story that the social network was keeping the seemingly deleted old videos. The continued existence of the draft videos was discovered when several users downloaded their personal Facebook archives -- and found numerous videos they never published. Today, Select All got a statement from Facebook blaming the whole thing on a "bug." From Facebook via New York: "We investigated a report that some people were seeing their old draft videos when they accessed their information from our Download Your Information tool. We discovered a bug that prevented draft videos from being deleted. We are deleting them and apologize for the inconvenience. We appreciate New York Magazine for bringing the issue to our attention."
Bug

Half of European Flights Delayed Due To System Failure (bbc.com) 12

An anonymous reader quotes a report from the BBC: The organization responsible for co-ordinating European air traffic says it has fixed an earlier fault which led to widespread flight delays. Eurocontrol earlier said that delays could affect up to half of all flights in Europe -- about 15,000 trips. It said the faulty system was restarted at 19:00 GMT, and normal operations had resumed. Tuesday's fault was only the second failure in 20 years, Eurocontrol said -- the last happened in 2001. The unspecified problem was with the Enhanced Tactical Flow Management System, which helps to manage air traffic by comparing demand and capacity of different air traffic control sectors. It manages up to 36,000 flights a day. Some 29,500 were scheduled on Tuesday when the fault occurred. When the system failed, Eurocontrol's contingency plan for a failure in the system deliberately reduced the capacity of the entire European network by 10%. It also added what it calls "predetermined departure intervals" at major airports.
Bug

Software Bug Behind Biggest Telephony Outage In US History (bleepingcomputer.com) 106

An anonymous reader writes: A software bug in a telecom provider's phone number blacklisting system caused the largest telephony outage in US history, according to a report released by the US Federal Communications Commission (FCC) at the start of the month. The telco is Level 3, now part of CenturyLink, and the outage took place on October 4, 2016.

According to the FCC's investigation, the outage began after a Level 3 employee entered phone numbers suspected of malicious activity in the company's network management software. The employee wanted to block incoming phone calls from these numbers and had entered each number in fields provided by the software's GUI. The problem arose when the Level 3 technician left a field empty, without entering a number. Unbeknownst to the employee, the buggy software didn't ignore the empty field, like most software does, but instead viewed the empty space as a "wildcard" character. As soon as the technician submitted his input, Level 3's network began blocking all incoming and outgoing telephone calls — over 111 million in total.
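The empty-field-as-wildcard failure described above, as an added example that is not Level 3's or CenturyLink's code: a naive prefix matcher in which a blank rule matches every number, beside a validator that rejects such a rule at entry time so it never reaches the blocking logic. The rule format (a digit-string prefix), the length bounds and the sample rules are assumptions.

```c
/* Added example (not Level 3's or CenturyLink's code). Shows how a blank
 * blocklist entry turns into an accidental match-everything rule in a
 * prefix matcher, and how validating each field on input prevents it. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive matcher: a number is blocked if any rule is a prefix of it.
 * For an empty rule strlen(rule) is 0, strncmp compares zero bytes and
 * reports equality, so the empty rule matches every number. */
static int blocked_naive(const char *number, const char *const *rules,
                         size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(number, rules[i], strlen(rules[i])) == 0)
            return 1;
    return 0;
}

/* Validator for one GUI field: non-empty, digits only, and within
 * assumed length bounds. Anything else is an operator error to report,
 * never a pattern to apply. */
static int rule_valid(const char *rule)
{
    size_t len = strlen(rule);
    if (len < 3 || len > 15)           /* assumed bounds */
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)rule[i]))
            return 0;
    return 1;
}

/* Number of rules the validator rejects; a non-zero count should stop
 * the change from being applied and be shown to the operator. */
static size_t count_invalid(const char *const *rules, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!rule_valid(rules[i]))
            bad++;
    return bad;
}

/* Hardened matcher: only validated rules are consulted. */
static int blocked_checked(const char *number, const char *const *rules,
                           size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (rule_valid(rules[i]) &&
            strncmp(number, rules[i], strlen(rules[i])) == 0)
            return 1;
    return 0;
}

/* Constructed sample: two real entries and one field left blank. */
static const char *const sample_rules[] = { "15550100", "", "15550199" };
static const size_t sample_count = 3;

int main(void)
{
    const char *unrelated = "12025550123";   /* constructed caller id */
    printf("naive:   %s blocked=%d (blank rule matches everything)\n",
           unrelated, blocked_naive(unrelated, sample_rules, sample_count));
    printf("checked: %s blocked=%d, invalid rules=%zu\n",
           unrelated, blocked_checked(unrelated, sample_rules, sample_count),
           count_invalid(sample_rules, sample_count));
    return 0;
}
```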

Programming

Ask Slashdot: Are 'Full Stack' Developers a Thing? 371

"It seems that nearly every job posting for a software developer these days requires someone who can do it all," complains Slashdot reader datavirtue, noting a main focus on finding someone to do "front end work and back end work and database work and message queue work...." I have been in a relatively small shop that for years has always had a few guys focused on the UI. The rest of us might have to do something on the front-end but are mostly engaged in more complex "back-end" development or MQ and database architecture. I have been keeping my eye on the market, and the laser focus on full stack developers is a real turn-off.

When was the last time you had an outage because the UI didn't work right? I can't count the number of outages resulting from inexperienced developers introducing a bug in the business logic or middle tier. Am I correct in assuming that the shops that are always looking for full stack developers just aren't grown up yet?

sjames (Slashdot reader #1,099) responded that "They are a thing, but in order to have comprehensive experience in everything involved, the developer will almost certainly be older than HR departments in 'the valley' like to hire."

And Dave Ostrander argues that "In the last 10 years front end software development has gotten really complex. Gulp, Grunt, Sass, 35+ different mobile device screen sizes and 15 major browsers to code for, has made the front end skillset very valuable." The original submitter argues that front-end development "is a much simpler domain," leading to its own discussion.

Share your own thoughts in the comments. Are "full-stack" developers a thing?
