IT Consultant Fined For Daring To Expose Shoddy Security

Thomas Claburn reports via The Register: A security researcher in Germany has been fined $3,300 for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records. Back in June 2021, according to our pals at Heise, a contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made a MySQL connection to a MariaDB database server operated by the vendor. It turned out the password to access that remote server was stored in plain text in the program file MSConnect.exe, and opening it in a simple text editor would reveal the unencrypted hardcoded credential.

With that easy-to-find password in hand, anyone could log into the remote server and access data belonging to not just that one customer of Modern Solution, but data belonging to all of the vendor’s clients stored on that database server. That info is said to have included personal details of those customers’ own customers. And we’re told that Modern Solution’s program files were available for free from the web, so truly anyone could inspect the executables in a text editor for plain-text hardcoded database passwords. The contractor’s findings were discussed in a June 23, 2021 report by Mark Steier, who writes about e-commerce. That same day Modern Solution issued a statement [PDF] — translated from German — summarizing the incident […]. The statement indicates that sensitive data about Modern Solution customers was exposed: last names, first names, email addresses, telephone numbers, bank details, passwords, and conversation and call histories. But it claims that only a limited amount of data — names and addresses — about shoppers who made purchases from these retail clients was exposed. Steier contends that’s incorrect and alleges that Modern Solution downplayed the seriousness of the exposed data, which he said included extensive customer data from the online stores operated by Modern Solution’s clients.

In September 2021 police in Germany seized the IT consultant’s computers following a complaint from Modern Solution that claimed he could only have obtained the password through insider knowledge — he worked previously for a related firm — and the biz claimed he was a competitor. Hendrik H. was charged with unlawful data access under Section 202a of Germany’s Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation’s cybersecurity law. In June 2023, a Julich District Court in western Germany sided with the IT consultant because the Modern Solution software was insufficiently protected. But the Aachen regional court directed the district court to hear the complaint. Now, the district court has reversed its initial decision. On January 17, a Julich District Court fined Hendrik H. and directed him to pay court costs.
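The finding at the centre of this case is as low-tech as it gets: a connection password sitting as a printable string inside a shipped executable. The following Python scanner is an added illustration, not code from The Register, Heise, the researcher or Modern Solution. It does mechanically what opening the file in a text editor does by eye: it pulls printable runs out of a binary (both plain ASCII and the UTF-16LE layout Windows programs commonly use for text, which a naive ASCII scan misses) and flags the ones shaped like database credentials. The sample "program file", its hostnames and passwords are constructed for the example, and the credential patterns are generic assumptions, not a description of how MSConnect.exe stored anything.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

MIN_LEN = 8  # shortest printable run worth looking at (same default as `strings`)

# Printable-ASCII runs: what a text editor shows between the binary junk.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Windows programs often store text as UTF-16LE (each ASCII char followed by NUL);
# an ASCII-only scan never sees those, so look for that layout too.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Generic credential shapes. These are assumptions for the example, not a
# description of how any particular vendor's program stores its password.
CREDENTIAL_PATTERNS = [
    ("connection_string", re.compile(r"\b(?:pwd|password)\s*=\s*[^;\s]+", re.I)),
    ("db_uri", re.compile(r"\b(?:mysql|mariadb|postgres)://[^:/\s]+:[^@\s]+@[^/\s]+", re.I)),
    ("key_value", re.compile(r"\b(?:db_pass|passwd|secret)\s*[:=]\s*\S+", re.I)),
]


@dataclass(frozen=True)
class Finding:
    offset: int     # byte offset of the string in the file
    encoding: str   # "ascii" or "utf-16le"
    kind: str       # which pattern fired
    text: str


def extract_strings(blob: bytes):
    """Yield (offset, encoding, text) for every printable run in blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_hardcoded_credentials(blob: bytes) -> list[Finding]:
    """Return credential-looking strings, lowest file offset first."""
    findings = []
    for offset, enc, text in extract_strings(blob):
        for kind, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(text):
                findings.append(Finding(offset, enc, kind, text))
                break
    return sorted(findings, key=lambda f: f.offset)


def build_sample_binary() -> bytes:
    """Constructed stand-in for a program file: non-text filler around a few
    strings. Hostnames and passwords are made up for this example."""
    filler = bytes([0x00, 0x90, 0xFF, 0x0A]) * 64  # 256 bytes, contains no printable run
    return b"".join([
        filler,
        b"Server=db.example.invalid;Database=shop;Uid=app;Pwd=Hunter2!;",  # ASCII, leaks
        filler,
        "Log in to continue".encode("utf-16-le"),                          # benign wide string
        filler,
        "mysql://svc:s3cr3t@db.example.invalid/shop".encode("utf-16-le"),  # wide string, leaks
        filler,
        b"Copyright (c) Example Vendor",                                   # benign ASCII
    ])


if __name__ == "__main__":
    for f in find_hardcoded_credentials(build_sample_binary()):
        print(f"0x{f.offset:08x} {f.encoding:8s} {f.kind:18s} {f.text}")
```

Run this over your own release artifacts before they leave the build system. Any hit means the secret is already public to everyone who can download the installer, so the fix is to rotate it and stop embedding a shared server credential in client code at all (per-customer credentials or a server-side API in front of the database); obfuscating or encrypting the string inside the binary only changes which tool extracts it.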

Read more of this story at Slashdot.

Modder Recreates Game Boy Advance Games Using the Audio From Crash Sounds

Kevin Purdy reports via Ars Technica: Sometimes, a great song can come from great pain. The Game Boy Advance (GBA), its software having crashed nearly two hours ago, will, for example, play a tune based on the game inside it. And if you listen closely enough — using specialty hardware and code — you can tell exactly what game it was singing about. And then theoretically play that same game. This was discovered recently by TheZZAZZGlitch, whose job is to “sadistically glitch and hack the crap out of Pokemon games.” It’s “hardly a ready-to-use solution,” the modder notes, as it requires a lot of tuning specific to different source formats. So while there are certainly easier ways to get GBA data from a cartridge, none make you feel quite so much like an audio datamancer.

After crashing a GBA and recording it over four hours, the modder saw some telltale waveforms in a sound file at about the 1-hour, 50-minute mark. Later in the sound-out, you can hear the actual instrument sounds and audio samples the game contains, played in sequence. Otherwise, it’s 8-bit data at 13,100 Hz, and at times, it sounds absolutely deranged. “2 days of bugfixing later,” the modder had a Python script ready that could read the audio from a clean recording of the GBA’s crash dump. Did it work? Not without more troubleshooting. One issue with audio-casting ROM data is that there are large sections of 0-byte data in the ROM, which are hard to parse as mute sounds. After running another script that realigned sections based on their location in the original ROM, the modder’s ROM was 99.76 percent accurate but “still didn’t boot tho.” TheZZAZZGlitch later disclaimed that, yes, this is technically using known ROM data to surface unknown data, or “cheating,” but there are assumptions and guesses one could make if you were truly doing this blind.

The next fix was to refine the sound recording. By recording three times and merging them with a “majority vote” algorithm, their accuracy notched up to 99.979 percent. That output ROM booted — but with glitched text and a title screen crash. After seven different recordings are meshed and filtered for blank spaces, they achieve 100 percent parity. You can watch the video describing this feat here. Used source code is also available under the file name “gbacrashsound_dumper.zip.”
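The step that took the recovered image from 99.76 percent to a booting ROM was the per-byte majority vote across independent recordings. The Python below is an added example of that idea, not the modder's gbacrashsound_dumper code, and it assumes the recordings have already been aligned to a common length (the article's realignment around runs of zero bytes is a separate, earlier step). It generalises the three-recording vote to any number of inputs and fixes a tie rule; the ROM and the decoding errors are constructed so that each recording is wrong at a different set of offsets, which is the independence the vote depends on.

```python
import random
from collections import Counter


def majority_vote(recordings: list[bytes]) -> bytes:
    """Merge several aligned byte-for-byte decodings of the same image.

    At each offset the most common byte wins. A tie (possible with an even
    number of inputs) goes to the earliest recording, so the result is
    deterministic. Alignment to a common length must already have been done.
    """
    if not recordings:
        raise ValueError("need at least one recording")
    length = len(recordings[0])
    if any(len(r) != length for r in recordings):
        raise ValueError("recordings must be aligned to the same length")
    merged = bytearray(length)
    for i in range(length):
        column = [r[i] for r in recordings]
        counts = Counter(column)
        top = max(counts.values())
        merged[i] = next(b for b in column if counts[b] == top)  # earliest wins ties
    return bytes(merged)


def accuracy(candidate: bytes, reference: bytes) -> float:
    """Fraction of bytes matching the reference (the '99.76 percent' style figure)."""
    if len(candidate) != len(reference):
        raise ValueError("compare aligned images only")
    return sum(a == b for a, b in zip(candidate, reference)) / len(reference)


def corrupt(image: bytes, positions, seed: int = 0) -> bytes:
    """Constructed decoding error: XOR the byte at each position with a nonzero
    mask, which guarantees the byte actually changes."""
    rng = random.Random(seed)
    out = bytearray(image)
    for p in positions:
        out[p] ^= rng.randrange(1, 256)
    return bytes(out)


def build_demo(rom_len: int = 4096, n_recordings: int = 3, stride: int = 97):
    """Constructed ROM plus n_recordings noisy decodings of it.

    Recording k mis-decodes the offsets congruent to k modulo `stride`, so every
    offset is wrong in at most one recording (requires n_recordings <= stride).
    """
    rng = random.Random(12345)
    rom = bytes(rng.randrange(256) for _ in range(rom_len))
    recordings = [corrupt(rom, range(k, rom_len, stride), seed=k)
                  for k in range(n_recordings)]
    return rom, recordings


if __name__ == "__main__":
    rom, recordings = build_demo()
    for k, rec in enumerate(recordings):
        print(f"recording {k}: {accuracy(rec, rom):.4%} of bytes correct")
    merged = majority_vote(recordings)
    print(f"majority vote: {accuracy(merged, rom):.4%} of bytes correct")
```

With real captures the errors are not perfectly independent (a byte that decodes badly in one take tends to sit near a boundary that decodes badly in others), which is why the article needed seven recordings rather than three to reach parity; the vote only removes errors that fall in a minority of the inputs at that offset.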


Sony Ends $10 Billion Merger With India Media Giant Zee

Sony has scrapped plans for a $10 billion merger of its Indian unit with Zee Entertainment, “ending a deal that could have created one of the South Asian nation’s biggest TV broadcasters,” reports Reuters. From the report: The collapse of the deal in content-hungry India creates more uncertainty for TV broadcaster Zee in particular as competition heats up, with Disney also seeking to merge its Indian businesses with the media assets of billionaire Mukesh Ambani’s Reliance. Zee told Indian stock exchanges Sony was seeking $90 million in termination fees for alleged breaches of their merger agreement and emergency interim relief by “invoking arbitration.” Zee said it denies all claims made by Sony and would take appropriate legal action. Sony said in a statement certain “closing conditions” to the merger were not satisfied despite “good faith discussions” with Zee, and the companies had been unable to agree upon an extension by their Jan. 21 deadline.

“After more than two years of negotiations, we are extremely disappointed … We remain committed to growing our presence in this vibrant and fast-growing market,” it added. While neither Sony nor Zee elaborated on Monday on which conditions had been unfulfilled, a stalemate over who will lead the combined company had put the merger in danger. Zee had proposed that CEO Punit Goenka take the helm, but Sony balked after he became the subject of an investigation by India’s market regulator. Zee said on Monday Goenka had been “agreeable to step down in the interest of the merger.” A source with direct knowledge however said Sony was not keen to proceed unless Goenka backed out before the closure of the merger, rather than after the deal had been sealed as he had proposed.


Potential Cancer Vaccine Entering Stage 3 Trials

Slashdot reader quonset writes: After decades of study and testing, a potential vaccine for cancer may be on the horizon. Dr. Thomas Wagner, founder of Orbis Health Solutions, is using the body’s own immune system to fight the disease, with each shot personalized to the patient, according to ABC News.

From the article:

Typically, cancer cells evade a person’s immune system because they are recognized as that person’s own cells. Wagner developed a tumor lysate particle only (TLPO) vaccine that uses a person’s tumor cells to identify particular parts that are then presented back in the body using the vaccine in a way that can stimulate their immune system to gain the ability to detect these cancer cells like an infection, allowing the immune system to fight the cancer itself.

“People used to ask me the question, ‘When will there be a cure for cancer?’ And I’ve been doing this for 60 years and I could never answer that question,” Wagner said. “Until recently, until the last three or four or five years.” Wagner believes this type of cancer treatment could be a key to finding the long-awaited cure for cancer, all cancers, if paired with early detection.

Wagner’s TLPO cancer vaccine has been tested in hundreds of patients with advanced forms of melanoma in Phase 2 clinical trials. The most recent data presented at an academic conference showed nearly 95% of people given only the vaccine were still alive three years after starting treatment and 64% were still disease-free. Among the most advanced forms of melanoma, disease-free survival after three years for people with stage III disease was 60% in the vaccine-only group, compared to about 39% in the placebo group. Disease-free survival for those with stage IV disease was about 68% in the vaccine-only group, and zero in the placebo group.

The most common side effects were redness or pain at the injection site, fever and fatigue after the injection – similar to other vaccines that stimulate an immune response.

Based on this data and other studies, the U.S. Food and Drug Administration has greenlit Wagner’s vaccine to start a Phase 3 clinical trial. It will be a three-year endeavor with a goal to enroll 500 people and is planned to launch sometime this year, Riley Polk, president of Orbis Health Solutions, told WLOS, an ABC News affiliate in Asheville, North Carolina.

Polk’s own father was told there were no treatment options left for his lung cancer, according to the article. That was more than 10 years ago, and “His father opted to try Wagner’s cancer vaccine and lived 10 more years before dying from something unrelated to cancer.” Polk gives ABC News this quote.

“You can tell me a lot of things, but you can’t tell me [the vaccine] doesn’t work.”


WSJ: Broadcom’s VMware Overhaul ‘Draws Attention of CIOs’

The Wall Street Journal reports:

Moves by Broadcom to shore up its $69 billion VMware acquisition, completed in November, include a streamlining of product bundles and new billing models — efforts in line with the chip giant’s past acquisitions, but not necessarily welcomed by all of VMware’s customers… Broadcom has also recently laid off at least hundreds of VMware workers, disclosures from the Worker Adjustment and Retraining Notification show….

VMware has approximately 330,000 customers, according to the company. Chief information officers say they are closely monitoring what comes next.

“Any CIO that’s not taking stock of what they have and mentally considering alternatives and monitoring what else is out there is probably not doing their job,” said Jay Ferro, executive vice president and chief information, technology and product officer at clinical research data-management company Clario. All these changes, plus past remarks by Broadcom that its go-to-market strategy is to focus completely on the needs and priorities of its top 600 customers, have left some CIOs rethinking the relationship. Price increases and degrading levels of support are among their biggest concerns. “I’m not one of their top, probably 600 customers, so they’ve been very clear to me where I fit in that pecking order,” said Todd Florence, CIO of trucking company Estes Express Lines. Florence said he’s started looking into alternatives. “It certainly doesn’t make you feel good, like you’re going to get lots of support going forward….”

Goya Foods CIO Suvajit Basu said he is thinking about how to reduce the food company’s reliance on VMware as the sole and longtime dominant provider of virtualization for the data center. “They’re going to increase their prices or change their licensing so the customer pays more,” he said. “And I think this is starting to hit us right now….” Forrester estimates that in 2024, 20% of VMware customers will begin the process of exiting VMware in favor of alternatives.

On the other hand, a group VP at market researcher IDC tells the Journal that on the upside, now VMware and Broadcom will have to engage more actively with customers on the value of new products included in their bundles…


Most CEOs Won’t Prioritize Return-to-Office Policies, Survey Finds

The pandemic may have proved to employers that remote and flexible-work arrangements were viable — and changed the way we work forever. Axios writes:

Just 6 out of 158 U.S. CEOs said they’ll prioritize bringing workers back to the office full-time in 2024, according to a new survey released by the Conference Board. Executives are increasingly resigned to a world where employees don’t come in every day, as hybrid work arrangements — mixing work from home and in-office — become the norm for knowledge workers. “Maintain hybrid work,” was cited as a priority by 27% of the U.S. CEOs who responded to the survey, conducted in October and November. A separate survey of chief financial officers by Deloitte, conducted in November, found that 65% of CFOs expect their company to offer a hybrid arrangement this year.

“Remote work appears likely to be the most persistent economic legacy of the pandemic,” write Goldman Sachs economists in a recent note. About 20%-25% of workers in the U.S. work from home at least part of the week, according to data Goldman cites. That’s below a peak of 47% during the pandemic but well above its prior average of around 3%.

“The battle is over,” said Diana Scott, human capital center leader at The Conference Board. “There are so many other issues CEOs are facing.” Headlines about CEOs determined to get butts in seats get attention, but they are the exception, says Brian Elliott, the cofounder of Future Forum, a future of work think tank. “There are a lot more CEOs that are actually quietly becoming more flexible….” Though the labor market has softened, employers still do care about keeping employees satisfied — and they don’t want to fight with them. “It’s not worth the fight,” says Elliott.


NPM Users Download 2.1B Deprecated Packages Weekly, Say Security Researchers

The cybersecurity site SC Media reports that NPM registry users “download deprecated packages an estimated 2.1 billion times weekly, according to a statistical analysis of the top 50,000 most-downloaded packages in the registry.”

Deprecated, archived and “orphaned” NPM packages can contain unpatched and/or unreported vulnerabilities that pose a risk to the projects that depend on them, warned the researchers from Aqua Security’s Team Nautilus, who published their findings in a blog post on Sunday… In conjunction with their research, Aqua Nautilus has released an open-source tool that can help developers identify deprecated dependencies in their projects.

Open-source software may stop receiving updates for a variety of reasons, and it is up to developers/maintainers to communicate this maintenance status to users. As the researchers pointed out, not all developers are transparent about potential risks to users who download or depend on their outdated NPM packages. Aqua Nautilus researchers kicked off their analysis after finding that one open-source software maintainer responded to a report about a vulnerability Nautilus discovered by archiving the vulnerable repository the same day. By archiving the repository without fixing the security flaw or assigning it a CVE, the owner leaves developers of dependent projects in the dark about the risks, the researchers said…

Taking into consideration both deprecated packages and active packages that have a direct dependency on deprecated projects, the researchers found about 4,100 (8.2%) of the top 50,000 most-downloaded NPM packages fell under the category of “official” deprecation. However, adding archived repositories to the definition of “deprecated” increased the number of packages affected by deprecation and deprecated dependencies to 6,400 (12.8%)… Including packages with linked repositories that are shown as unavailable (404 error) on GitHub increases the deprecation rate to 15% (7,500 packages), according to the Nautilus analysis. Encompassing packages without any linked repository brings the final number of deprecated packages to 10,600, or 21.2% of the top 50,000. Team Nautilus estimated that under this broader understanding of package deprecation, about 2.1 billion downloads of deprecated packages are made on the NPM registry weekly.
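The four figures above (8.2%, 12.8%, 15%, 21.2%) come from one dependency set counted under four progressively wider definitions of "deprecated", with a one-hop rule that also counts active packages directly depending on a flagged one. The Python below is an added example of that classification, not Aqua Nautilus's tool and not a reproduction of their dataset: the package list, download counts and repository states are constructed. It models the registry's per-version `deprecated` message as a single flag on the version you depend on, and models the hosting check as a lookup that answers "active", "archived" or "missing" (404) for a repository URL.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PackageInfo:
    name: str
    deprecated: bool                  # registry `deprecated` message on the version in use
    repository: str | None            # package.json "repository" URL, None if absent
    dependencies: tuple[str, ...] = ()  # direct runtime dependencies
    weekly_downloads: int = 0


# Tiers in the order the article widens the definition; each step includes the earlier ones.
TIERS = ("deprecated", "archived", "missing_repo", "no_repo")


def classify(pkg: PackageInfo, repo_state: dict[str, str]) -> str | None:
    """Narrowest tier the package itself falls in, or None if nothing is wrong with it."""
    if pkg.deprecated:
        return "deprecated"
    if pkg.repository is None:
        return "no_repo"
    state = repo_state.get(pkg.repository, "missing")  # unknown URL treated like a 404
    if state == "archived":
        return "archived"
    if state == "missing":
        return "missing_repo"
    return None


def affected_under(packages, repo_state, definition: tuple[str, ...]) -> set[str]:
    """Names counted as affected when `definition` lists the tiers treated as deprecated.
    Also counts packages with a direct dependency on one of them (one hop only)."""
    direct = {p.name for p in packages if classify(p, repo_state) in definition}
    via_dep = {p.name for p in packages if any(d in direct for d in p.dependencies)}
    return direct | via_dep


def report(packages, repo_state):
    """(tier, affected count, affected share, weekly downloads) per widening definition."""
    rows = []
    for k in range(1, len(TIERS) + 1):
        definition = TIERS[:k]
        hit = affected_under(packages, repo_state, definition)
        downloads = sum(p.weekly_downloads for p in packages if p.name in hit)
        rows.append((definition[-1], len(hit), len(hit) / len(packages), downloads))
    return rows


# Constructed sample: six packages, none real.
SAMPLE = [
    PackageInfo("left-thing", True, "https://github.com/example/left-thing", weekly_downloads=5_000_000),
    PackageInfo("fresh-lib", False, "https://github.com/example/fresh-lib", ("left-thing",), 1_000_000),
    PackageInfo("old-archived", False, "https://github.com/example/old-archived", weekly_downloads=400_000),
    PackageInfo("gone-repo", False, "https://github.com/example/gone-repo", weekly_downloads=250_000),
    PackageInfo("no-source", False, None, weekly_downloads=100_000),
    PackageInfo("healthy", False, "https://github.com/example/healthy", weekly_downloads=9_000_000),
]

# Constructed result of checking each repository URL against the hosting service.
REPO_STATE = {
    "https://github.com/example/left-thing": "active",
    "https://github.com/example/fresh-lib": "active",
    "https://github.com/example/old-archived": "archived",
    "https://github.com/example/gone-repo": "missing",
    "https://github.com/example/healthy": "active",
}


if __name__ == "__main__":
    for tier, count, share, downloads in report(SAMPLE, REPO_STATE):
        print(f"up to {tier:13s} {count} packages ({share:.1%}), {downloads:,} weekly downloads")
```

Note that "fresh-lib" is never flagged by classify on its own and still lands in every row, because it depends directly on a deprecated package; that one-hop rule is what makes the numbers grow faster than the count of deprecated packages alone. To feed real data in, the registry's deprecation message and repository URL for a package are what `npm view <package> deprecated` and `npm view <package> repository.url` print, and the direct dependencies come from the project's own package.json.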
