bug

NPM Fails Worldwide With 'ERR! 418 I'm a Teapot' Error

Catalin Cimpanu, writing for BleepingComputer: Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of “ERR! 418 I’m a teapot” whenever they tried to update or install a new JavaScript/Node.js package. JavaScript developers from all over the world received the error, and not just in certain geographical regions. The bug did not affect all users, but only those behind a proxy server.

Read more of this story at Slashdot.

Go to Source

Posted by amiller in Blog, bug
Is Cockroach Milk the Ultimate Superfood?

An anonymous reader quotes a report from Global News: It may not be everyone’s cup of milk, but for years now, some researchers believe insect milk, like cockroach milk, could be the next big dairy alternative. A report in 2016 found Pacific Beetle cockroaches specifically created nutrient-filled milk crystals that could also benefit humans, the Hindustan Times reports. Others report producing cockroach milk isn’t easy, either — it takes 1,000 cockroaches to make 100 grams of milk, Inverse reports, and other options could include a cockroach milk pill. And although it has been two years since the study, some people are still hopeful. Insect milk, or entomilk, is already being used and consumed by Cape Town-based company Gourmet Grubb, IOL reports.

Jarrod Goldin, [president of Entomo Farms which launched in 2014], got interested in the insect market after the Food and Agriculture Organization of the United Nations in 2013 announced people around the world were consuming more than 1,900 insects. As his brothers were already farming insects for fishing and reptile use, Goldin thought it would be a smart business opportunity to focus on food. Goldin adds studies have shown cricket powder can be a high source of protein and B12. The PC version his company produces has 13 grams of protein per 2 1/2 tbsp. Toronto-based registered dietitian Andy De Santis says for protein alternatives, insects are definitely in the playing field. According to ScienceAlert, Diploptera punctata is the only known cockroach to give birth to live young and has been shown to pump out a type of “milk” containing protein crystals to feed its babies. “The fact that an insect produces milk is pretty fascinating — but what fascinated researchers is the fact that a single one of these protein crystals contains more than three times the amount of energy found in an equivalent amount of buffalo milk (which is also higher in calories than regular cow’s milk).” Researchers are now working to replicate the crystals in the lab. They are working with yeast to produce the crystal in much larger quantities — “making it slightly more efficient than extracting crystals from cockroach’s guts,” reports ScienceAlert.

T-Mobile Bug Let Anyone See Any Customer's Account Details

An anonymous reader writes: A bug in T-Mobile’s website let anyone access the personal account details of any customer with just their cell phone number, ZDNet reported Thursday. The flaw, since fixed, could have been exploited by anyone who knew where to look — a little-known T-Mobile subdomain that staff use as a customer care portal to access the company’s internal tools. The subdomain — promotool.t-mobile.com, which can be easily found on search engines — contained a hidden API that would return T-Mobile customer data simply by adding the customer’s cell phone number to the end of the web address. Although the API is understood to be used by T-Mobile staff to look up account details, it wasn’t protected with a password and could be easily used by anyone. The returned data included a customer’s full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers’ account information, such as if a bill is past-due or if the customer had their service suspended.

Comcast Website Bug Leaks Xfinity Customer Data

An anonymous reader quotes a report from ZDNet: A bug in Comcast’s website used to activate Xfinity routers can return sensitive information on the company’s customers. The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password. Two security researchers, Karan Saini and Ryan Stevenson, discovered the bug. Only a customer account ID and that customer’s house or apartment number is needed — even though the web form asks for a full address.

ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code — which both customers confirmed. The site returned the Wi-Fi name and password — in plaintext — used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router — and the site didn’t return the Wi-Fi network name or password.
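The two stories above describe the same class of mistake from different angles: T-Mobile's care-portal API answered anyone who supplied a phone number, and Comcast's activation form asked for a full address but only checked the house number before handing back the Wi-Fi password. The following is an added example, not code from either company, showing each weak handler beside a hardened one. The customer record, the session object, the audit sink and the attempt counter are all constructed for the demo.

```javascript
// Added example (not T-Mobile's or Comcast's code): an unauthenticated
// internal lookup and an under-verified customer form, each beside a
// hardened version. Records, session shape and audit sink are constructed.

const customers = [
  { phone: '5550100', accountId: 'ACC-1001', name: 'A. Example',
    address: '12 Main St Apt 4, Springfield, 00000',
    pastDue: false, wifiSsid: 'HOME-1234', wifiPassword: 'hunter2' },
];

const auditLog = [];                  // stand-in for a real audit sink
const activationAttempts = new Map(); // accountId -> failed attempt count
const MAX_ATTEMPTS = 5;

// VULNERABLE: anything that can reach the host can look up any customer
// by phone number; there is no caller identity to check or to audit.
function vulnerableLookup(req) {
  return customers.find(c => c.phone === req.query.phone) || null;
}

// HARDENED: the caller must present an authenticated staff session with the
// right role, and every lookup is written to the audit log with who asked.
function hardenedLookup(req, session) {
  if (!session || !session.authenticated) return { status: 401 };
  if (session.role !== 'care_agent') return { status: 403 };
  const c = customers.find(c => c.phone === req.query.phone);
  auditLog.push({ actor: session.user, phone: req.query.phone, found: !!c });
  if (!c) return { status: 404 };
  const { wifiPassword, ...safe } = c; // tool needs account data, never secrets
  return { status: 200, body: safe };
}

// VULNERABLE: the form asks for a full address but only the house number is
// compared, so account ID plus a one- or two-digit guess is enough.
function vulnerableActivation(req) {
  const c = customers.find(c => c.accountId === req.accountId);
  if (!c) return { status: 404 };
  const houseNumber = s => s.trim().split(/\s+/)[0];
  if (houseNumber(req.address) !== houseNumber(c.address)) return { status: 403 };
  return { status: 200, body: { address: c.address, wifiSsid: c.wifiSsid,
                                wifiPassword: c.wifiPassword } };
}

// Normalise an address so formatting differences do not cause false
// rejections while every component is still required to match.
function normaliseAddress(s) {
  return s.toLowerCase().replace(/[^a-z0-9]+/g, ' ').trim();
}

// HARDENED: compare the whole normalised address, cap guesses per account,
// give the same answer for unknown ID and wrong address, and never echo the
// Wi-Fi password; a reset is the recovery path, not disclosure.
function hardenedActivation(req) {
  const failures = activationAttempts.get(req.accountId) || 0;
  if (failures >= MAX_ATTEMPTS) return { status: 429 };
  const c = customers.find(c => c.accountId === req.accountId);
  if (!c || normaliseAddress(req.address) !== normaliseAddress(c.address)) {
    activationAttempts.set(req.accountId, failures + 1);
    return { status: 403 };
  }
  activationAttempts.delete(req.accountId);
  return { status: 200, body: { wifiSsid: c.wifiSsid } };
}
```

The hardened lookup answers 401 without a session and 403 for a staff role that has no business reading account data; the hardened activation accepts "12 MAIN ST, APT 4, Springfield 00000" for the stored record but rejects a bare "12", and locks the account ID after five misses.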

Eight New Meltdown-Like Flaws Found

An anonymous reader quotes Reuters:
Researchers have found eight new flaws in computer central processing units that resemble the Meltdown and Spectre bugs revealed in January, a German computing magazine reported on Thursday. The magazine, called c’t, said it was aware of Intel Corp’s plans to patch the flaws, adding that some chips designed by ARM Holdings, a unit of Japan’s Softbank, might be affected, while work was continuing to establish whether Advanced Micro Devices chips were vulnerable… The magazine said Google Project Zero, one of the original collective that exposed Meltdown and Spectre in January, had found one of the flaws and that a 90-day embargo on going public with its findings would end on May 7…
“Considering what we have seen with Meltdown and Spectre, we should expect a long and painful cycle of updates, possibly even performance or stability issues,” said Yuriy Bulygin, chief executive officer of hardware security firm Eclypsium and a former Intel security researcher. “Hopefully, Meltdown and Spectre led to improvements to the complicated process of patching hardware.”
Neowin now reports that Intel “is expected to release microcode updates in two waves; one in May, and the other in August.”

Microsoft's 'Meltdown' Patch For Windows 10 Contains a Fatal Flaw

An anonymous reader quotes BleepingComputer: Microsoft’s patches for the Meltdown vulnerability have had a fatal flaw all these past months, according to Alex Ionescu, a security researcher with cyber-security firm Crowdstrike. Only patches for Windows 10 versions were affected, the researcher wrote today in a tweet. Microsoft quietly fixed the issue on Windows 10 Redstone 4 (v1803), also known as the April 2018 Update, released on Monday. “Welp, it turns out the Meltdown patches for Windows 10 had a fatal flaw: calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation,” Ionescu wrote. Ionescu pointed out that older versions of Windows 10 are still running with outdated and bypass-able Meltdown patches. On Wednesday, Microsoft issued a security update, but it wasn’t to backport the “fixed” Meltdown patches for older Windows 10 versions. Instead, the emergency update fixed a vulnerability in the Windows Host Compute Service Shim (hcsshim) library (CVE-2018-8115) that allows an attacker to remotely execute code on vulnerable systems.

GitHub Accidentally Exposes Some Plaintext Passwords In Its Internal Logs

GitHub has sent an email to some of its 27 million users alerting them of a bug that exposed some user passwords in plaintext. “During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users’ passwords to our internal logging system,” said the email. “We have corrected this, but you’ll need to reset your password to regain access to your account.” ZDNet reports: The email said that a handful of GitHub staff could have seen those passwords — and that it’s “unlikely” that any GitHub staff accessed the site’s internal logs. It’s unclear exactly how this bug occurred. GitHub’s explanation was that it stores user passwords with bcrypt, a stronger password hashing algorithm, but that the bug “resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset.” “Rest assured, these passwords were not accessible to the public or other GitHub users at any time,” the email said. GitHub said it “has not been hacked or compromised in any way.”
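GitHub's explanation is that a password-reset request ended up serialised into internal logs before the password reached bcrypt. The following is an added example, not GitHub's code, showing how a request logger produces exactly that leak and how a redacting logger avoids it, plus a scan that catches a known secret in emitted lines before they ship. The sensitive field names, the route list, the request shape and the sample request are assumptions for the demo.

```javascript
// Added example (not GitHub's code): a naive request logger that writes a
// password-reset body to the log in plaintext, beside a logger that redacts
// credential fields and drops bodies on credential-bearing routes. Field
// names, routes and the sample request are constructed for the demo.

const SENSITIVE = new Set(['password', 'password_confirmation', 'token',
                           'reset_token', 'authorization', 'cookie']);

// Deep copy with every sensitive key (case-insensitive) replaced, so the
// original request object is never mutated and nested bodies are covered.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE.has(k.toLowerCase()) ? '[REDACTED]' : redact(v);
    }
    return out;
  }
  return value;
}

// NAIVE: serialises the whole request, which is exactly how a reset form's
// new password reaches the log pipeline and everyone who can read it.
function naiveLogLine(req) {
  return JSON.stringify({ t: req.time, path: req.path, body: req.body,
                          headers: req.headers });
}

// HARDENED: redact before serialising, and on routes that exist to carry
// credentials drop the body entirely rather than trust the field allowlist.
const BODYLESS_ROUTES = new Set(['/password_reset', '/session']);
function safeLogLine(req) {
  const entry = { t: req.time, path: req.path, headers: redact(req.headers) };
  if (!BODYLESS_ROUTES.has(req.path)) entry.body = redact(req.body);
  return JSON.stringify(entry);
}

// Audit check for the log pipeline: which emitted lines contain a value
// known to be a secret (for example, a canary password submitted in a test).
function linesLeakingSecret(lines, secret) {
  return lines.filter(l => l.includes(secret));
}

// Constructed sample request, modelled on a password-reset form submission.
const sampleRequest = {
  time: '2018-05-01T12:00:00Z',
  path: '/password_reset',
  headers: { cookie: 'session=abc123', 'user-agent': 'demo' },
  body: { reset_token: 'tok-xyz', password: 'correct horse battery staple',
          password_confirmation: 'correct horse battery staple' },
};
```

Running the sample request through both loggers shows the naive line carrying the new password and the session cookie, while the safe line carries neither; the scan function is the kind of check to run against a log sample with a canary password after any change to request logging.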

Code Published for Triggering a BSOD on Windows Computers — Even If They're Locked

“A Romanian hardware expert has published proof-of-concept code on GitHub that will crash most Windows computers within seconds, even if the computer is in a locked state,” writes BleepingComputer. An anonymous reader quotes their report:
The code exploits a vulnerability in Microsoft’s handling of NTFS filesystem images and was discovered by Marius Tivadar, a security researcher with Bitdefender. The expert’s proof-of-concept code contains a malformed NTFS image that users can take and place on a USB thumb drive. Inserting this USB thumb drive into a Windows computer crashes the system within seconds, resulting in a Blue Screen of Death (BSOD). “Auto-play is activated by default,” Tivadar wrote in a PDF document detailing the bug and its impact…
Tivadar contacted Microsoft about the issue in July 2017, but published the PoC code today after the OS maker declined to classify the issue as a security bug. Microsoft downgraded the bug’s severity because exploiting it requires either physical access or social engineering (tricking the user).

Uber Tightens Bug Bounty Extortion Policies Following 2016 Data Breach

lod123 shares a report from Threatpost: Uber is tightening policies around its bug-bounty program after a 2016 data breach exposed deep flaws in its policies around handling extortion. With the updates, Uber’s HackerOne bug bounty policies more thoroughly outline “good-faith vulnerability research and disclosure,” and contain language defining what constitutes unacceptable behavior, stating that the company wants researchers “to hunt for bugs, not user data.”

One newly outlined policy makes it clear that Uber won’t take legal action against researchers — as long as they report vulnerabilities with no strings attached. “You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests, or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached,” the policy said. Uber has made additional changes to its program to offer researchers an additional $500 if they include a fully scripted proof-of-concept (PoC) in their original report.

Software Bug Behind Biggest Telephony Outage In US History

An anonymous reader writes: A software bug in a telecom provider’s phone number blacklisting system caused the largest telephony outage in US history, according to a report released by the US Federal Communications Commission (FCC) at the start of the month. The telco is Level 3, now part of CenturyLink, and the outage took place on October 4, 2016. According to the FCC’s investigation, the outage began after a Level 3 employee entered phone numbers suspected of malicious activity in the company’s network management software. The employee wanted to block incoming phone calls from these numbers and had entered each number in fields provided by the software’s GUI. The problem arose when the Level 3 technician left a field empty, without entering a number. Unbeknownst to the employee, the buggy software didn’t ignore the empty field, like most software does, but instead viewed the empty space as a “wildcard” character. As soon as the technician submitted his input, Level 3’s network began blocking all incoming and outgoing telephone calls — over 111 million in total.
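The failure described above is an input-validation bug with a very large blast radius: a blank form field reached the matching engine and matched every call. The following is an added example, not Level 3's software, modelling the bug as prefix matching (an empty prefix matches every number) beside a compiler for the same blocklist that rejects blank and malformed entries, requires prefix rules to be explicit, and refuses to activate a list that would block more than a small share of sample traffic. The E.164 number format, the `*` suffix for prefix rules, the threshold and the sample traffic are assumptions for the demo.

```javascript
// Added example (not Level 3's code): a blocklist where a blank field
// becomes a match-all rule, beside a version that validates each entry and
// checks the blast radius before activation. Rule syntax, E.164 format,
// threshold and sample traffic are constructed for the demo.

// BUGGY: prefix matching lets an operator block a whole range, but an empty
// entry is a prefix of every number, so one blank field blocks all calls.
function buggyIsBlocked(number, entries) {
  return entries.some(e => number.startsWith(e.trim()));
}

const E164 = /^\+[1-9]\d{6,14}$/;        // '+' then up to 15 digits
const PREFIX = /^\+[1-9]\d{2,}$/;        // at least a country code and more

// HARDENED: every entry is either a full E.164 number or an explicit
// prefix rule ending in '*'; blank or malformed entries are rejected with a
// reason the operator sees instead of being silently interpreted.
function compileBlocklist(entries) {
  const rules = [];
  const rejected = [];
  for (const raw of entries) {
    const e = raw.trim();
    if (e === '') { rejected.push({ entry: raw, reason: 'empty field' }); continue; }
    if (e.endsWith('*')) {
      const prefix = e.slice(0, -1);
      if (!PREFIX.test(prefix)) {
        rejected.push({ entry: raw, reason: 'prefix too short or malformed' });
        continue;
      }
      rules.push({ kind: 'prefix', value: prefix });
    } else if (E164.test(e)) {
      rules.push({ kind: 'exact', value: e });
    } else {
      rejected.push({ entry: raw, reason: 'not an E.164 number' });
    }
  }
  return { rules, rejected };
}

function safeIsBlocked(number, { rules }) {
  return rules.some(r => r.kind === 'exact' ? number === r.value
                                            : number.startsWith(r.value));
}

// Blast-radius check: refuse to activate a list that would block more than
// maxFraction of a representative traffic sample, whatever the rules say.
function activationCheck(blocklist, sampleNumbers, maxFraction = 0.05) {
  const blocked = sampleNumbers.filter(n => safeIsBlocked(n, blocklist)).length;
  const fraction = blocked / sampleNumbers.length;
  return { blocked, fraction, ok: fraction <= maxFraction };
}

// Constructed traffic sample and a form submission with two blank fields.
const sampleTraffic = ['+15550100001', '+15550100002', '+15550200003',
                       '+442079460000', '+33123456789'];
const formEntries = ['+15550100001', '+15550200003', '   ', ''];
```

With the two blank fields, `buggyIsBlocked` blocks all five sample numbers; `compileBlocklist` keeps the two real numbers, reports both blanks as rejected, and `safeIsBlocked` then blocks exactly two. The activation check is the second line of defence: even a syntactically valid list that happens to cover most traffic is held back for review.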
