Today in Techrights
today's leftovers
One year ago today (April 19), an aircraft flew on a world beyond Earth for the first time ever.
That history-making vehicle is NASA's Ingenuity Mars helicopter, which landed inside the Red Planet's Jezero Crater with the life-hunting, sample-caching Perseverance rover on Feb. 18, 2021. Just over two months later, the 4-pound (1.8 kilograms) Ingenuity made its first foray into the Martian skies, hovering about 10 feet (3 meters) above the red dirt of a site named, appropriately enough, Wright Brothers Field.
A door had slammed shut for Thompson and Ritchie in March of 1969, when their employer, the American Telephone & Telegraph Co., withdrew from a collaborative project with the Massachusetts Institute of Technology and General Electric to create an interactive time-sharing system called Multics, which stood for “Multiplexed Information and Computing Service.” Time-sharing, a technique that lets multiple people use a single computer simultaneously, had been invented only a decade earlier. Multics was to combine time-sharing with other technological advances of the era, allowing users to phone a computer from remote terminals and then read e-mail, edit documents, run calculations, and so forth. It was to be a great leap forward from the way computers were mostly being used, with people tediously preparing and submitting batch jobs on punch cards to be run one by one.
The removal of built-in support for the Docker Engine container runtime in the newest upcoming version of Kubernetes, the popular container-orchestration system, requires users to shift to an alternative runtime to stay up to date with future Kubernetes releases.
Oracle's Java 18 development environment has hit the streets, with Big Red promising nine enhancements including the ability to add sample source code to API documentation.
Other new features include Simple Web Server (JEP 408) for prototyping and testing, two incubating modules, as well as the preview of Pattern Matching for switch (JEP 420).
Java 18 JDK (Java Development Kit) is set to be a short-term release, supported for six months until the next one appears every March and September. The most recent long-term support release is JDK 17, which came out last September, the previous being JDK 11 from 2018.
Perforce, a Minnesota-based maker of DevOps software, on Monday announced the acquisition of Puppet, an Oregon-based maker of configuration management tools, for an undisclosed sum.
Puppet had been planning to go public in 2021 and announced management additions to help that happen in November, 2020. Ending up within the embrace of Perforce looks like Plan B, though CEO Yvonne Wassenaar in a rambling blog post makes the detour sound as if it had always been the destination.
When I started at Puppet three years ago, I saw a company with a tremendous customer base, an active open source community, an incredible reputation, products that solved some of the hardest problems in the operations space, and a passionate team that had deep values and was purpose-driven, both of which are at my core as a leader.
A young, Raleigh-born emerging tech startup is hoping to lead the open-source revolution for what some technologists are calling the “next big thing”: Web3.
IBM has been accused of trying to avoid its legal discovery obligations in Kinney v. IBM, one of many age discrimination lawsuits that have been brought against the IT titan in the past few years.
In a motion [PDF] to compel discovery filed on February 28, 2022, attorneys for the current plaintiffs – who claim [PDF] IBM fired them as part of a company-wide effort to get rid of older workers – accuse Big Blue of trying to avoid providing relevant documents by insisting that layoffs were relevant to specific corporate groups and weren't part of a company-wide scheme.
IBM must pay five times more in compensation to a customer whose £175 million ($230 million) Agile software platform contract was ripped up in 2017 following a series of failures on the project, the Court of Appeal in England has ruled.
The legal spat between Big Blue and the client, formerly known as CIS General Insurance Ltd (CISGIL), a subsidiary of Co-Op Group, pertained to a 2015 agreement to build software to manage the customer's insurance and underwriting operations.
The out-of-the-box platform provided was described by Co-Op CEO Mark Summerfield as "terrible." It was said to be unfit for purpose, and the project ultimately collapsed after payment to IBM was withheld. Co-Op was not blameless.
Free Software Licensing/Legal Coverage
The early licensing models for open source were authored from an ethical viewpoint focussed on creating and maintaining software freedoms. There are two not-for-profit organisations that are viewed as the reference point for the definition of open source software: the Free Software Foundation and the Open Source Initiative.
Non-profit organizations often use third-party images, photos, videos, or software in their everyday operations. It is often beneficial to leverage such materials that are licensed under “open licenses” because they are free to use; however, it is important to understand the conditions and requirements of such open licenses prior to using the aforementioned materials in order to avoid potentially breaching the license. This article aims to shed some light on various open licenses and how to comply with their conditions.
Tesla decided to create their ERP and ecommerce software from scratch internally. However, at that time open source solutions were much less mature than they are now, so that was not an option. Businesses now can instead utilize open source solutions to create the system they need.
Proprietary Software and Security
As your personal gateway to the internet, your web browser is the first line of defense against malicious websites. If your internet browser is not secure, viruses and spyware can infect your computer and damage your important data.
And while a good antivirus does help, it’s always better to prevent the entry of malware in the first place rather than try to fix the damage. But what exactly can you do about it? Is there any way to check your browser for any security vulnerabilities?
Checkmarx Finds Malicious Open Source PyPi Repository [Ed: If you download malware, it will do malicious things; a lot of these issues boil down to Microsoft shipping malware]
Checkmarx, a provider of a platform for testing application security, this week disclosed it has discovered a malicious instance of a PyPi repository for Python code that has been downloaded more than 70,000 times.
When employees began bringing shiny, new smartphones into the office in the late 2000s, many business and IT leaders spotted an opportunity. They recognized the productivity-boosting potential of mobile-connected workers, and – since almost everyone had their own smartphones – hoped this digital transformation would come at a big discount for the CFO.
A few days ago, PlayStation’s account on HackerOne displayed a new awarded bounty, once again to hacker extraordinaire TheFloW, and once again for one of the top amounts in that bounty program: $10’000. The news is doing the rounds on hacking scene websites.
It’s the second bounty awarded to TheFloW by PlayStation in less than 2 weeks, and for an amount that points to a critical security flaw in either the PS4, the PS5, or both. Two weeks ago, the hacker had been awarded $20’000 for another vulnerability disclosure.
Microsoft Word Not Working on Mac
Hot patches made available by Amazon Web Services (AWS) in response to the recent Log4j vulnerabilities could be exploited for privilege escalation or to escape containers, according to Palo Alto Networks.
CVE-2022-1271 is a new vulnerability affecting gzip, a widely used open source component for archiving, compressing, and decompressing files.
If you have visited the Chrome Web Store recently, you may have noticed that many extensions show up with a featured and established publisher badge on the Store.
The ValueLicensing case against Microsoft is set to proceed in the UK after a judge dismissed the Windows vendor's jurisdictional challenge and strike-out application.
Microsoft had hoped to have its UK arm struck off from the claim and suggested that Ireland would be a better place for the claim to be heard, particularly if the company was successful in getting its UK offshoot removed.
Mr Justice Picken disagreed and dismissed Microsoft's challenges, meaning that the damages claim (and Microsoft's defense) will be heard in the High Court in England and Wales.
Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild.
The emergency updates the company issued this week impact the almost three billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi.
It is the third such emergency update Google has had to issue for Chrome this year.
"The cyber-criminal marketplace operated by Dekhtyarchuk promoted and facilitated the sale of compromised credentials, personally identifiable information (PII), and other sensitive financial information," FBI Houston Special Agent in Charge Jim Smith said in a statement. "Cyber-criminal actors behind these marketplaces go to great length to obfuscate their true identities and often utilize other sophisticated methods to further anonymize their activities."
Atlassian has published an account of what went wrong at the company to make the data of 400 customers vanish in a puff of cloudy vapor. And goodness, it makes for knuckle-chewing reading.
The restoration of customer data is still ongoing.
Atlassian CTO Sri Viswanath wrote that approximately 45 percent of those afflicted had had service restored but repeated the fortnight estimate it gave earlier this week for undoing the damage to the rest of the affected customers. As of the time of writing, the figure of customers with restored data had risen to 49 per cent.
Got a Lenovo laptop? You might need to do a swift bit of patching judging by the latest set of vulnerabilities uncovered by security researchers at ESET.
Three vulnerabilities were reported today: CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. The latter two are particularly embarrassing since they are related to UEFI firmware drivers used in the manufacturing process and can be used to disable SPI flash protections or the UEFI Secure Boot feature.
The four observed variants of the custom Pterodo malware – which also is known as Pteranodon – all use Visual Basic Script (VBS) droppers with similar functions. They drop a VBScript file, use Scheduled Tasks (schtasks.exe) to ensure persistence, and download code from a C2 server.
Boffins from UC Berkeley, MIT, and the Institute for Advanced Study in the United States have devised techniques to implant undetectable backdoors in machine learning (ML) models.
Their work suggests ML models developed by third parties fundamentally cannot be trusted.
In a paper that's currently being reviewed – "Planting Undetectable Backdoors in Machine Learning Models" – Shafi Goldwasser, Michael Kim, Vinod Vaikuntanathan, and Or Zamir explain how a malicious individual creating a machine learning classifier – an algorithm that classifies data into categories (eg "spam" or "not spam") – can subvert the classifier in a way that's not evident.
Brave, the browser maker, and DuckDuckGo, the web search service, have both taken aim at AMP, Google's controversial web publishing framework.
Brave on Tuesday introduced a feature called De-AMP that lets those using the Brave browser avoid Google-hosted AMP pages and go straight to publisher content on standard web pages.
WH Smith told us: "We have also informed the relevant regulators and law enforcement authorities, and we will continue to review and update our protocols based on what we learn from this incident."
More entities are reporting in-the-wild zero-day exploitation, she wrote, adding that this is a "very rough measure." Along these same lines, more vendors are noticing exploited-in-the-wild zero-day flaws in their own products. Google, as an example, discovered seven of these in its own products last year and Microsoft discovered 10, Stone wrote.
The advisory refers to the vulnerability as CVE-2022-20695 and notes that if the flaw is successfully exploited, the attacker can gain administrator privileges. Cisco has bestowed the vulnerability with a severity rating of 10.0 out of 10.0. That's as bad as it gets for those whose rating scale does not go to 11.0, otherwise known as "the call is coming from inside the house!"
"The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework," the agencies warn.
Current events – such as the COVID-19 pandemic and the rising popularity of cryptocurrency – continue to work as lures to convince victims to click on malicious links. The shift to more remote work has also added to the threat level of phishing. Employees no longer have the same security at home that they may have had in the office. VPNs and collaboration applications were used as themes in phishing campaigns, Desai said.
REvil, aka Sodinokibi, has been one of the most active — and lucrative — ransomware gangs in history. Its victims range from US nuclear weapons contractors to MSPs such as Kaseya to British VOIP providers.
Apple is finally killing off the venerable macOS Server, directing users still clinging to Profile Manager toward Mobile Device Management solutions.
The move is arguably long overdue. Much of what made macOS Server a server was deprecated in 2018 as the company announced plans to stop the likes of DHCP and DNS in its product and directed users to handy open-source alternatives.
Apple Open Directory and Profile Manager lingered on, with the latter being used for configuration management for Apple devices in an organization. Now, however, that last stub of functionality is deemed obsolete and Apple has warned that while many bits of macOS Server will live on macOS, Profile Manager will not. So the time for dodging Mobile Device Management (MDM) is up.
GitHub says it has identified and alerted developers who have had their private repositories accessed and downloaded via stolen authentication tokens.
In this multifaceted fiasco, Microsoft-owned GitHub insisted its security was not breached. Instead, we're told, "compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps."
Google has made changes to its Play Store policies, effectively banning third-party call-recording apps beginning May 11, claiming it seeks to close off the use of accessibility APIs for things other than accessibility.
Google has for a while blocked real call recording on Android 6 and over the microphone on Android 10. Developers have been using accessibility APIs as a workaround to enable the recording of calls on Android.
A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon.
Federal authorities are warning the healthcare and public health sectors of aggressive, financially motivated attacks by the Hive ransomware group, which has been
An affiliate of the aggressive Hive ransomware group is exploiting known vulnerabilities in Microsoft Exchange servers to encrypt and exfiltrate data and threaten to publicly disclose the information if the ransom isn't paid.
In a recent attack on an unnamed organization, the Hive affiliate rapidly compromised multiple devices and file servers by exploiting the ProxyShell vulnerabilities in Exchange servers, encrypting the data within 72 hours of the start of the attack, threat hunters with data security vendor Varonis Systems said in a report this week.
The attack included all the hallmarks of one associated with Hive, a ransomware-as-a-service (RaaS) group that emerged in June 2021 and has targeted a range of sectors, including healthcare, retail, nonprofits, and energy providers.
Citizen Lab has reported finding suspected surveillance software on devices associated with both the UK Prime Minister's Office and what was formerly called the British Foreign and Commonwealth Office.
The Canadian research outfit also said it had identified at least 65 individuals linked with Catalan civil society groups in Spain who were targeted by, or infected with, surveillance software. Catalonia is an autonomous region within Spain where there's an ongoing politically divisive fight for national independence.
