2020-05-01
Proprietary Software (In)Security
Study Reveals Hidden Behaviors Of Mobile Apps
Fresh from a report (PDF) jointly published by authors from The Ohio State University, New York University, and CISPA Helmholtz Center for Information Security comes word that 12,706 of the apps surveyed with a new static analysis technique called InputScope contained hidden backdoors, hidden master passwords, secret access keys, hidden blacklist words, and secret commands embedded within them. These vulnerabilities allow users to access admin-only functions, or attackers to gain access to user information and user accounts.
An article on ZDNet dug further into the report. The authors had surveyed 100,000 of the most popular apps in the Google Play store (based on the number of installations), the top 20,000 apps hosted on third party app stores, and 30,000 apps that came preinstalled on Samsung handsets.
Overall, they found that nearly 6,900 apps from the Google Play store had hidden backdoors or functions. Nearly 1,100 apps from the third party app stores had hidden backdoors. Meanwhile, nearly 4,800 preinstalled apps from Samsung handsets (almost 16%) featured hidden backdoors.
More than 4,000 apps (total) featured hidden "bad word" filters to filter out curse words, racial slurs, political words (even the names of some political leaders), gambling, cult references, pornography, and drugs.
The authors of the report did not divulge the names of the apps where they found these security issues, in order to protect the users of those apps from malicious actors. The app developers were all notified of the findings, but not all of the app developers responded.
Anti-virus on Windows 10 and Mac could contain a dangerous flaw, security experts warn
The weakness could allow cyber criminals to delete files and cause crashes on your machine – allowing them to install malware. Dubbed “Symlink Races,” the technique uses symbolic links to redirect the anti-virus's file operations from a malicious file to a legitimate one on your PC.
This happens in the brief window after the software has scanned a file for viruses, but before the anti-virus has removed it.
It's a clever way of scamming the very applications designed to keep your machine safe from malware and scams. Most worrying of all, Rack911 has warned anti-virus users that taking advantage of the bug to attack a Windows 10, macOS or Linux machine is "trivial".
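The race above lives in the gap between the scan and the removal: whatever the path names at removal time is what gets deleted. As an added example (not code from Rack911 or any anti-virus vendor), the Python below records the (device, inode) identity of the object actually scanned, re-opens the parent directory one component at a time with O_NOFOLLOW so a swapped directory cannot redirect the operation, and unlinks by name relative to that pinned directory only if the identity still matches. The `demo()` scenario, directory and file names are constructed for illustration and assume a Linux-style filesystem.

```python
import os
import stat
import tempfile

def scan_file(path):
    """Stand-in for the AV scan: return the (device, inode) identity of what was read."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    st = os.fstat(fd)                         # a real scanner would read fd here
    os.close(fd)
    return (st.st_dev, st.st_ino)

def open_dir_nofollow(path):
    """Open an absolute directory path one component at a time, refusing symlinks."""
    fd = os.open("/", os.O_RDONLY | os.O_DIRECTORY)
    for part in filter(None, os.path.abspath(path).split(os.sep)):
        try:
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
        finally:
            os.close(fd)                      # drop the parent even if this open failed
        fd = nfd
    return fd                                 # pinned to the real directory

def safe_remove(path, scanned_identity):
    """Delete `path` only if the name still refers to the object that was scanned."""
    parent, name = os.path.split(os.path.abspath(path))
    dfd = -1
    try:
        dfd = open_dir_nofollow(parent)       # fails if a component became a symlink
        st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != scanned_identity:
            return False                      # a different file or a symlink took its place
        os.unlink(name, dir_fd=dfd)           # unlink(2) never follows a symlink
        return True
    except OSError:
        return False
    finally:
        if dfd >= 0:
            os.close(dfd)

def demo():
    """Constructed race: after the scan, the parent directory is swapped for a symlink."""
    base = os.path.realpath(tempfile.mkdtemp())
    sub, victim = os.path.join(base, "quarantine"), os.path.join(base, "keep.txt")
    suspect = os.path.join(sub, "keep.txt")   # same name as the file that must survive
    os.mkdir(sub)
    for p in (victim, suspect):
        open(p, "w").close()
    ident = scan_file(suspect)
    os.remove(suspect); os.rmdir(sub); os.symlink(base, sub)   # the attacker's swap
    return safe_remove(suspect, ident), os.path.exists(victim)
```

`demo()` returns `(False, True)`: the removal is refused and the legitimate file survives, whereas a naive `os.remove(suspect)` after the swap would have deleted it.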
One billion certificates later, Let's Encrypt's crazy dream to secure the web is coming true
'I love you': How a badly-coded computer [sic] virus caused billions in damage and exposed vulnerabilities which remain 20 years on [iophk: Windows TCO]
This account of the virus is based on interviews with law enforcement and investigators involved in the original case, contemporaneous CNN reporting and reports by the FBI, Philippines police and the Pentagon.
Multiple attempts to reach Onel de Guzman for this article, including through his family and former lawyer, were unsuccessful. De Guzman has not commented publicly on the case since 2000, and his current whereabouts are unknown.
today's howtos
Review: Ubuntu 20.04
Ubuntu, along with its many community flavours, is one of the world's most widely used Linux distributions. Ubuntu ships four official editions (Desktop, Server, Cloud, and a minimal Core). There are additional community editions which provide alternative desktop and configuration options. Just over a week ago, Canonical launched Ubuntu 20.04 which offers five years of support for official editions and three years of support for community editions. The new Ubuntu release includes version 5.4 of the Linux kernel and support for WireGuard. The Desktop edition ships with GNOME 3.36 as the default desktop and includes experimental support for installing the operating system on the ZFS advanced filesystem. The release announcement mentions that, along with ZFS, Ubuntu will offer “state saving” of the filesystem using a tool called Zsys. From the context, it sounds as though “state saving” here means taking filesystem snapshots, as we are also told ZFS integrates with the GRUB boot loader in order to allow users to roll back system changes. (This is a similar feature to the boot environments provided by openSUSE and FreeBSD.) This version of Ubuntu ships with Python 3.8, though Python 2.7 (while unsupported upstream) is available in the distribution's repositories. The Desktop edition of Ubuntu is a 2.5 GB download. Booting from the supplied media will, if we do not interfere, load a graphical environment where we can choose to try a live desktop environment or immediately launch Ubuntu's Ubiquity installer. At the start of the boot process we can press a key to bring up a menu where we can preemptively choose to run the live desktop or load the installer directly. (Practically this does not make a difference and just means we are making our choice to try or install the distribution from a text-based boot menu rather than a graphical welcome screen.)
While the operating system is loading it performs an integrity check on the local media to make sure the operating system was not corrupted during the download. We can optionally skip the media check by pressing Ctrl-C.
Pandemic Driving People to GNU/Linux
Contributing to KDE is easier than you think – Phabricator patches using the web interface
This post will be ridiculously brief and simple, albeit filled with screenshots. As usual: This is a series of blog posts explaining different ways to contribute to KDE in an easy-to-digest manner. The purpose of this series originated from how I feel about asking users to contribute back to KDE. I firmly believe that showing users how contributing is easier than they think is more effective than simply calling them out and directing them to the correct resources; especially if, like me, said user suffers from anxiety or does not believe they are up to the task, in spite of their desire to help back. Last time I explained how translators with a developer account have a really straightforward workflow and how the entire localization process for KDE works. I’ve also posted a little article I made some time ago on how to create a live-test environment to translate Scribus more easily, given that Scribus might become a KDE application in the future. This post explains the process of sending your first patch to KDE. This tutorial, of course, is only useful for small patches, likely those which alter only one file, as the web interface is convenient for such cases but not when there is a ton of files from the same project.
