Nasty Linux Netfilter Firewall Security Hole Found

Sophos threat researcher Nick Gregory discovered a hole in Linux’s netfilter firewall program that’s “exploitable to achieve kernel code execution (via ROP [return-oriented programming]), giving full local privilege escalation, container escape, whatever you want.” ZDNet reports: Behind almost all Linux firewall tools, such as iptables; its newer version, nftables; firewalld; and ufw, is netfilter, which controls access to and from Linux’s network stack. It’s an essential Linux security program, so when a security hole is found in it, it’s a big deal. […] This problem exists because netfilter doesn’t handle its hardware offload feature correctly. A local, unprivileged attacker can use this to cause a denial-of-service (DoS), execute arbitrary code, and cause general mayhem. Adding insult to injury, this works even if the hardware being attacked doesn’t have offload functionality! That’s because, as Gregory wrote to a security list, “Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don’t have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails.”

This vulnerability is present in the Linux kernel versions 5.4 through 5.6.10. It’s listed as Common Vulnerabilities and Exposures CVE-2022-25636 and, with a Common Vulnerability Scoring System (CVSS) score of 7.8, this is a real baddie. How bad? In its advisory, Red Hat said, “This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat.” So, yes, this is bad. Worse still, it affects recent major distribution releases such as Red Hat Enterprise Linux (RHEL) 8.x; Debian Bullseye; Ubuntu Linux; and SUSE Linux Enterprise 15.3. While the Linux kernel netfilter patch has been made, the patch isn’t available yet in all distribution releases.
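A first triage step an administrator can take from the story above is to compare the running kernel against the affected version range and note whether the nf_tables module is currently loaded. The script below is an added example written for this page, not code from Sophos, ZDNet or Red Hat; the affected range (5.4 through 5.6.10) is taken from the text as stated, and the `/proc/modules` sample is constructed. Because distributions backport fixes without bumping the kernel version, a version match is a prompt to consult the vendor advisory for CVE-2022-25636, not proof of exposure.

```python
"""Triage helper for the netfilter hardware-offload bug (CVE-2022-25636).

Added example for this page; not from the article or any vendor.
The affected range below is the one stated in the text above. Distribution
kernels routinely carry backported fixes at the same version number, so a hit
here means "check the vendor advisory", not "vulnerable".
"""
import platform
import re

# Range as stated in the story: 5.4 through 5.6.10 (inclusive).
AFFECTED_MIN = (5, 4, 0)
AFFECTED_MAX = (5, 6, 10)

# Constructed sample of /proc/modules content (first field is the module name).
SAMPLE_PROC_MODULES = (
    "nft_counter 16384 2 - Live 0x0000000000000000\n"
    "nf_tables 245760 5 nft_counter, Live 0x0000000000000000\n"
    "ext4 786432 1 - Live 0x0000000000000000\n"
)


def parse_kernel_version(release):
    """Turn a `uname -r` string such as '5.4.0-100-generic' or '5.6.10'
    into a (major, minor, patch) tuple.  A missing patch level counts as 0.
    Raises ValueError if the string does not start with a dotted version."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def in_affected_range(release, lo=AFFECTED_MIN, hi=AFFECTED_MAX):
    """True when the release falls inside [lo, hi] by upstream version number."""
    return lo <= parse_kernel_version(release) <= hi


def nf_tables_loaded(proc_modules_text):
    """True when 'nf_tables' appears as a loaded module in /proc/modules text."""
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "nf_tables":
            return True
    return False


def assess(release, proc_modules_text):
    """Summarise the two checks as a short status string."""
    try:
        version_hit = in_affected_range(release)
    except ValueError:
        return "unparseable-release"
    module_state = "nf_tables loaded" if nf_tables_loaded(proc_modules_text) else "nf_tables not loaded"
    if version_hit:
        return f"version in stated affected range; {module_state}; check vendor advisory"
    return f"version outside stated affected range; {module_state}"


if __name__ == "__main__":
    release = platform.release()
    try:
        with open("/proc/modules", encoding="utf-8") as fh:
            modules = fh.read()
    except OSError:
        modules = SAMPLE_PROC_MODULES  # non-Linux host: fall back to the constructed sample
    print(release, "->", assess(release, modules))
```

Run it on the host as any user; reading `/proc/modules` needs no privileges. Treat its output as a pointer to the distribution's advisory, since the module state and version number together say nothing about whether a backported fix is present.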

Read more of this story at Slashdot.

TorGuard Settles Piracy Lawsuit, Agrees To Block Torrent Traffic On US Servers

TorGuard has settled a copyright infringement lawsuit filed by several movie companies last year. The VPN provider stood accused of failing to take action against subscribers who were pirating films. As part of the settlement, TorGuard agrees to block BitTorrent traffic on U.S. servers; however, it stresses that user privacy is in no way affected by this decision. TorrentFreak reports: “Pursuant to a confidential settlement agreement, Plaintiffs have requested, and Defendant has agreed to use commercially reasonable efforts to block BitTorrent traffic on its servers in the United States using firewall technology,” a joint statement reads. This is quite a far-reaching measure as a broad BitTorrent blockade will also affect legal traffic, which includes software updates from Twitter and Facebook. That said, people can still use BitTorrent on servers in other regions. […]

The company confirms that it’s blocking torrent traffic on U.S. servers, but that doesn’t change anything for the privacy of users. “TorGuard has not been forced to log network usage data. Due to the nature of shared IP’s and related hardware technicalities of how TorGuard’s network was built it is impossible for us to do so,” the VPN provider writes. “We have a responsibility to provide high quality uninterrupted VPN and proxy services to our client base at large while mitigating any related network abuse that should arise. This commitment to user privacy and service reliability is the reason we have taken measures to block Bittorrent traffic on servers within the United States.”


Twitter Rolls Back Its Decision To Force You Into the Out-of-Order Timeline

Last week, Twitter introduced a change to the timeline that “would default to showing the algorithmically served Home feed while the reverse-chronological Latest feed was accessible in a separate tab,” reports The Verge. “The change […] made it more difficult to view tweets in chronological order.” Twitter is now reverting things to the way they were following significant backlash. From the report: Some users shared criticism of the change almost immediately after its March 10th announcement, as the Latest feed is preferred to the Home feed for many. The out-of-sequence Home feed can, at times, be confusing, especially for people who use Twitter for updates during a breaking news event like the war in Ukraine. However, two Twitter execs noted in replies to Verge contributing editor Casey Newton that they would be working on the problem, and it appears that the original change won’t be going through as planned. “We take feedback seriously, and in this case, we heard the new pinned Home & Latest wasn’t giving you the level of control over your timeline that you want,” Twitter spokesperson Shaokyi Amdo said in a statement to The Verge.

However, based on what the execs said, it seems Twitter may be investigating other possible changes to the timeline in the future. “Giving people choice and control over their Twitter experience is super important,” Twitter’s newly named VP of consumer product, Jay Sullivan, said in a reply to Newton on March 12th. “I’ll be working on this. Stay tuned.” Sullivan added that he was hoping the platform could achieve “a nice balance for all.”


New CaddyWiper Data Wiping Malware Hits Ukrainian Networks

Newly discovered data-destroying malware was observed earlier today in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks. BleepingComputer reports: “This new malware erases user data and partition information from attached drives,” ESET Research Labs explained. “ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations.” While designed to wipe data across Windows domains it’s deployed on, CaddyWiper will use the DsRoleGetPrimaryDomainInformation() function to check if a device is a domain controller. If so, the data on the domain controller will not be deleted. This is likely a tactic used by the attackers to maintain access inside the compromised networks of organizations they hit while still heavily disturbing operations by wiping other critical devices.

While analyzing the PE header of a malware sample discovered on the network of an undisclosed Ukrainian organization, it was also discovered that the malware was deployed in attacks the same day it was compiled. “CaddyWiper does not share any significant code similarity with HermeticWiper, IsaacWiper, or any other malware known to us. The sample we analyzed was not digitally signed,” ESET added. “Similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target’s network beforehand.”


Computer History Museum Publishes Memories of the Programmer for NASA’s Moon Missions

This week Silicon Valley’s Computer History Museum posted a PDF transcript (and video excerpts) from an interview with 81-year-old Margaret Hamilton, the programmer/systems designer who in the 1960s became director of the Software Engineering Division at the MIT Instrumentation Laboratory which developed the on-board flight software for NASA’s Apollo program. Prior to that Hamilton had worked on software to detect an airplane’s radar signature, but thought, “You know, ‘I guess I should delay graduate school again because I’d like to work on this program that puts all these men on the Moon….’”

“There was always one thing that stood out in my mind, being in the onboard flight software, was that it was ‘man rated,’ meaning if it didn’t work a person’s life was at stake if not over. That was always uppermost in my mind and probably many others as well.”

Interestingly, Hamilton had originally received two job offers from the Apollo Space Program, and had told them to flip a coin to settle it. (“The other job had to do with support systems. It was software, but it wasn’t the onboard flight software.”) But what’s fascinating is the interview’s glimpses at some of the earliest days of the programming profession:

There was all these engineers, okay? Hardware engineers, aeronautical engineers and all this, a lot of them out of MIT… But the whole idea of software and programming…? Dick Batten, Dr. Batten, when they told him that they were going to be responsible for the software…he went home to his wife and said he was going to be in charge of software and he thought it was some soft clothing…

Hamilton also remembers in college taking a summer job as a student actuary at Travelers Insurance in the mid-1950s, and “all of a sudden one day word was going around Travelers that there were these new things out there called computers that were going to take away all of their jobs… Pretty soon they wouldn’t have jobs. And so everybody was talking about it. They were scared they wouldn’t have a way to make a living.

“But, of course, it ended up being more jobs were created with the computers than there were….”

Hamilton’s story about Apollo 8 is amazing…


Russia Shuts Down Instagram at Midnight. Users Say Farewell

Slashdot reader quonset shares this report from Reuters:

Instagram users in Russia have been notified that the service will cease as of midnight on Sunday after its owner Meta Platforms said last week it would allow social media users in Ukraine to post messages such as “Death to the Russian invaders”. An email message from the state communications regulator told users to move their photos and videos from Instagram before it was shut down, and encouraged them to switch to Russia’s own “competitive internet platforms”.

Meta, which also owns Facebook, said Friday that the temporary change in its hate speech policy applied only to Ukraine, in the wake of Russia’s Feb. 24 invasion. The company said it would be wrong to prevent Ukrainians from “expressing their resistance and fury at the invading military forces”….
The message to Instagram users from the state media regulator, Roskomnadzor, described the decision to allow calls for violence against Russians as a breach of international law. “We need to ensure the psychological health of citizens, especially children and adolescents, to protect them from harassment and insults online,” it said, explaining the decision to close down the platform.

“The tears were flowing Sunday among Russia’s airbrushed Instagram influencers, who begged their followers in farewell posts to join them on alternative social media platforms…” reports the Washington Post:
On the platform, emotions ran high Sunday among Russians who were about to lose thousands of dollars they received to promote various products, as well as access to millions of followers amassed over the years. “I’m writing this post now and crying,” Olga Buzova, a Russian reality television star, wrote, saying she hoped “it’s all not true and we will remain here….”

The ban on Instagram is the latest example of how Russia’s citizens are being isolated from the rest of the world as a result of Moscow’s war against Ukraine. Since Russian President Vladimir Putin launched the invasion on Feb. 24, his government has also pulled the plug on Russia’s opposition-oriented radio and television networks, part of a broader effort to squelch domestic dissent in response to the war. Thousands of Russians have been arrested for attempting to protest the invasion…. But perhaps no move is more isolating than removing Russians from social media platforms that connect them directly to other users around the world. Instagram counted nearly 60 million users in Russia in 2021, according to the market data firm Statista, about 40 percent of the country’s population. The platform is also a huge revenue source for its users, who rake in cash from sponsors by posting promotional content.

“We know that over 80 percent of people in Russia on Instagram follow an account from outside of Russia,” Instagram head Adam Mosseri said in a video, according to the Post’s article.

It adds that “It is unclear how many Russians will continue to be able to access Instagram using Virtual Private Networks, or VPNs.”


Shoppers React as Grocers Replace Freezer Doors with Screens Playing Ads

Walgreens and other retailers replaced some fridge and freezer doors with iPad-like screens, reports CNN. “And some shoppers absolutely hate it.”
The screens, which were developed by the startup Cooler Screens, use a system of motion sensors and cameras to display what’s inside the doors — as well as product information, prices, deals and, most appealing to brands, paid advertisements. The tech provides stores with an additional revenue stream and a way to modernize the shopping experience. But for customers who just want to peek into the freezer and grab their ice cream, Walgreens risks angering them by solving a problem that shoppers didn’t know existed. The company wants to engage more people with advertising, but the reaction, so far, is annoyance and confusion.

“Why would Walgreens do this?” one befuddled shopper who encountered the screens posted on TikTok. “Who on God’s green earth thought this was a good idea?”

“The digital cooler screens at Walgreens made me watch an ad before it allowed me to know which door held the frozen pizzas,” said someone on Twitter….

Walgreens began testing the screens in 2018 and has since expanded the pilot to a couple thousand locations nationwide. Several other major retailers are launching their own tests with Cooler Screens, including Kroger, CVS, GetGo convenience stores and Chevron gas stations. “I hope that we will one day be able to expand across all parts of the store,” said Cooler Screens co-founder and CEO Arsen Avakian in an interview with CNN Business. Currently the startup has about 10,000 screens in stores, which are viewed by approximately 90 million consumers monthly, according to the company….

Politifact last month debunked a viral Facebook video that claimed “Walgreens refrigerators are scanning shoppers’ hands and foreheads for ‘the mark of the beast.’”

Avakian insists the tech is “identity-blind” and protects consumers’ privacy. The freezers have front-facing sensors used to anonymously track shoppers interacting with the platform, while internally facing cameras track product inventory…

The items on display don’t always match up with what’s inside because products are out of stock….

“This is the future of retail and shopping,” Avakian said.

CNN notes that major corporations are backing the company Cooler Screens, which “has raised more than $100 million from backers including Microsoft and Verizon.” But long-time Slashdot reader davidwr points out it’s been done before. “Some gas stations have had video ads at the pump for years now. I boycott those stations on principle.”

And Slashdot reader quonset wonders if we’re one step closer to Futurama’s vision of a world where advertisers enter our dreams.


The 11,000-Member Discord Channel For People Pretending to Be VR Police Officers

On the VRChat platform, there’s a fake law-enforcement agency called The Loli Police Department, reports Input magazine.

Though it began as a joke, after four years its Discord channel now has 11,000 members, and “The tightly run community allows members to experience a fantasy version of police life and prides itself on being a source of chaotic good in the strange world of virtual reality.”

Members move through the ranks — from cadet on up — based on their activity level, which is tracked via the group’s Discord. Everything is carefully orchestrated to mimic IRL police…. Karet, a 29-year-old game developer and LPD captain from Texas, says that the hard work of volunteers allows users to roleplay police activities in a realistic environment. “We have some of our own worlds — like the hospital for our medical division, where we can pretend someone is getting treatment, or the jail where we put criminals,” says Karet, who designed the LPD station and jail.

One of Karet’s favorite things to do is mess with users at random. “Lots of people in VRChat like to sit in front of mirrors,” he says. “I will go up to the mirror and do a ‘mirror inspection.’ Then I say it’s an illegal mirror and start looking for someone to blame and arrest. They just don’t know how to handle that,” he laughs. There are other ways to get people into trouble, too. “I can pull out a bag of weed and make it look like it came out of someone’s pocket,” Karet says. “They always say it’s not theirs.”

Being a VRChat police officer comes with its share of challenges. Members are aware that their form of roleplay — which frames spot checks and fake drug busts as harmless fun — doesn’t sit well with some members of the community….

Despite the power dynamics at play, LPD members are not moderators of the VR world and ultimately can’t make much in the way of real change. “One of our new officers came to me upset because they stepped in when they saw harassment, but then they got the brunt of the attack from the harasser,” says Karet. “I commended him, but it’s not what we do. We’re just trying to have fun. So usually when we encounter something like that, we just leave the world.” Thankfully, Karet says, the LPD can help their community somewhat. “We encourage LPD officers to help out new users. It’s easy to spot them, so we often go and give them a hand, show them how things work,” he says. The LPD used to run events for this purpose, but they were recently brought to a halt. “The events are on hiatus because it became a bit cult-y. Everyone was trying to recruit people into the LPD.”
