Who’s Paying to Fix Open Source Software?

The Log4Shell exploit “exposes how a vulnerability in a seemingly simple bit of infrastructure code can threaten the security of banks, tech companies, governments, and pretty much any other kind of organization,” writes VentureBeat. But the incident also raises some questions:
Should large deep-pocketed companies besides Google, which always seems to be heavily involved in such matters, be doing more to support the cause with people and resources?

Long-time Slashdot reader frank_adrian314159 shares a related article from a programming author on Dev.To, who’d read hot takes like “Open source needs to grow the hell up” and “‘Open source’ is broken”.

[T]he log4j developers had this massive security issue dumped in their laps, with the expectation that they were supposed to fix it. How did that happen? How did a group of smart, hard-working people get roped into a thankless, high-pressure situation with absolutely no upside for themselves…?

It is this communal mythology I want to talk about, this great open source brainwashing that makes maintainers feel like they need to go above and beyond publishing source code under an open source license — that they need to manage and grow a community, accept contributions, fix issues, follow vulnerability disclosure best practices, and many other things…
In reality, what is happening is that open source maintainers are effectively unpaid outsourcing teams for giant corporations.

The log4j exploit was first reported by an engineer at Alibaba — a corporation with a market capitalization of $348 billion — so the article wonders what would happen if log4j’s team had sent back a bill for the time they’d spend fixing the bug.

Some additional opinions (via the “This Week in Programming” column):

PuTTY maintainer Andrew Ducker: “The internet (and many large companies) are dependent on software maintained by people in their spare time, for free. This may not be sustainable.”
Filippo Valsorda, a Go team member at Google: “The role of Open Source maintainer has failed to mature from a hobby into a proper profession… The status quo is unsustainable… GitHub Sponsors and Patreon are a nice way to show gratitude, but they are an extremely unserious compensation structure.”
Valsorda hopes to eventually see “a whole career path with an onramp for junior maintainers, including training, like a real profession.”

Read more of this story at Slashdot.

Google Says NSO Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’

wiredmikey shares a report from SecurityWeek: Security researchers at Google’s Project Zero have picked apart one of the most notorious in-the-wild iPhone exploits and found a never-before-seen hacking roadmap that included a PDF file pretending to be a GIF image with a custom-coded virtual CPU built out of boolean pixel operations. If that makes you scratch your head, that was exactly the reaction from Google’s premier security research team after disassembling the so-called FORCEDENTRY iMessage zero-click exploit used to plant NSO Group’s Pegasus surveillance tool on iPhones.

“We assess this to be one of the most technically sophisticated exploits we’ve ever seen,” Google’s Ian Beer and Samuel Groß wrote in a technical deep-dive into the remote code execution exploit that was captured during an in-the-wild attack on an activist in Saudi Arabia. In its breakdown, Project Zero said the exploit effectively created “a weapon against which there is no defense,” noting that zero-click exploits work silently in the background and do not even require the target to click on a link or surf to a malicious website. “Short of not using a device, there is no way to prevent exploitation by a zero-click exploit,” the research team said.

The researchers confirmed the initial entry point for Pegasus was Apple’s proprietary iMessage that ships by default on iPhones, iPads and macOS devices. By targeting iMessage, the NSO Group hackers needed only a phone number or an AppleID username to take aim and fire eavesdropping implants. Because iMessage has native support for GIF images (especially those that loop endlessly), Project Zero’s researchers found that this expanded the attack surface and ended up being abused in an exploit cocktail that targeted a security defect in Apple’s CoreGraphics PDF parser. Within Apple’s CoreGraphics PDF parser, the NSO exploit writers abused Apple’s implementation of the open-source JBIG2, a domain-specific image codec designed to compress images where pixels can only be black or white. Describing the exploit as “pretty terrifying,” Google said the NSO Group hackers effectively booby-trapped a PDF file, masquerading as a GIF image, with an encoded virtual CPU to start and run the exploit. Apple patched the exploit in September and filed a lawsuit seeking to hold NSO Group accountable.
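The defensive point in the passage above is that the type an attachment claims to be (a GIF, by name or by the context it arrives in) says nothing about which parser will actually handle it; the file was a PDF, and the code path that mattered was the JBIG2 decoder. The following is an added example, not Project Zero’s or Apple’s code and not taken from the report: a small triage script that classifies a blob by its magic bytes, flags a mismatch against the extension it was delivered with, and notes whether a PDF declares a JBIG2Decode filter at all, which is a reasonable thing to surface at a mail gateway or in a sandbox report. The function names and the sample byte strings are constructed for illustration.

```python
import re

# Magic bytes the two formats in the story announce themselves with.
GIF_MAGICS = (b"GIF87a", b"GIF89a")
PDF_MAGIC = b"%PDF-"
# Many PDF readers tolerate junk before the header, so scan the first 1 KiB
# rather than requiring the magic at offset 0.
PDF_HEADER_WINDOW = 1024

# Name of the PDF stream filter that hands data to the JBIG2 decoder.
JBIG2_FILTER = re.compile(rb"/JBIG2Decode\b")


def sniff_type(data: bytes) -> str:
    """Classify by content only, ignoring filename and declared MIME type."""
    if data.startswith(GIF_MAGICS):
        return "gif"
    if PDF_MAGIC in data[:PDF_HEADER_WINDOW]:
        return "pdf"
    return "unknown"


def claimed_type(filename: str) -> str:
    """What the file *says* it is, judged from its extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"gif": "gif", "pdf": "pdf"}.get(ext, "unknown")


def uses_jbig2(data: bytes) -> bool:
    """True if any stream dictionary names the JBIG2Decode filter in plaintext."""
    return JBIG2_FILTER.search(data) is not None


def triage(filename: str, data: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing notable."""
    findings = []
    claimed, actual = claimed_type(filename), sniff_type(data)
    if claimed != "unknown" and actual != "unknown" and claimed != actual:
        findings.append(f"type mismatch: name says {claimed}, content is {actual}")
    if actual == "pdf" and uses_jbig2(data):
        findings.append("PDF contains a JBIG2Decode stream")
    return findings


# Constructed samples for the demo; these are not real captured files.
BENIGN_GIF = b"GIF89a" + bytes(20)
DISGUISED_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image /Width 8 /Height 8"
    b" /ColorSpace /DeviceGray /BitsPerComponent 1 /Filter /JBIG2Decode"
    b" /Length 0 >>\nstream\n\nendstream\nendobj\n%%EOF\n"
)
PLAIN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in [("cat.gif", BENIGN_GIF), ("cat.gif", DISGUISED_PDF), ("doc.pdf", PLAIN_PDF)]:
        print(name, triage(name, blob) or ["no findings"])
```

Two caveats a practitioner would add: a PDF can hide its dictionaries inside compressed object streams, so the plaintext regex is a cheap first pass rather than a guarantee, and a mismatch is only a signal, since the decision that actually matters is which parsers a messaging client is willing to run on unauthenticated input in the first place.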

Apple Delays Corporate Return To Offices Indefinitely

Long-time Slashdot reader ttyler shares a tweet from NBC News tech reporter Zoe Schiffer: Tim Cook just sent out an email delaying Apple’s return to work to a date ‘yet to be determined.’ He also said the company is giving every corporate employee $1,000 to spend on home office equipment. MacRumors adds: There is no word on when employees will be expected to go back to work, and for now, those who are able to do so will continue to work from home. The delay will be welcome news to Apple employees who have been dreading the return to corporate offices, but Apple does plan to have employees come back at some point. Apple executives have made it clear since the beginning of the pandemic that employees will eventually need to return to work. “Video conference calling has narrowed the distance between us, to be sure, but there are things it simply cannot replicate,” Cook said back in June.

When it is safe for employees to return to the office, Apple is planning for a hybrid work schedule. Employees will be expected to be in the office three days a week, but will have the option of working from home for two days a week. Apple also plans to allow employees to work remotely for up to one month per year, giving them more time to travel and be closer to loved ones. Because employees will need to continue to work from home, Cook said that Apple is giving every corporate employee $1,000 to spend on home office equipment.

USPS Built and Secretly Tested a Blockchain-Based Mobile Voting System Before 2020

An anonymous reader quotes a report from The Washington Post: The U.S. Postal Service pursued a project to build and secretly test a blockchain-based mobile phone voting system before the 2020 election, experimenting with a technology that the government’s own cybersecurity agency says can’t be trusted to securely handle ballots. The system was never deployed in a live election and was abandoned in 2019, Postal Service spokesman David Partenheimer said. That was after cybersecurity researchers at the University of Colorado at Colorado Springs conducted a test of the system during a mock election and found numerous ways that it was vulnerable to hacking.

The project appears to have been conducted without the involvement of federal agencies more closely focused on elections, which were then scrambling to make voting more secure in the wake of Russian interference in the 2016 contest. Those efforts focused primarily on using paper ballots so the voter could verify their vote was recorded accurately and there would be a paper trail for auditors — something missing from any mobile phone or Internet-based system.

The Postal Service system allowed people to cast votes on an Internet-connected mobile app similar to how they might add items to an online shopping cart or fill out an online survey. The votes were designed to be anonymous and to be recorded in multiple digital locations simultaneously. The idea is that each of those digital records would act as a check to verify the accuracy of the other records. This is essentially the same method that cryptocurrencies such as bitcoin use to ensure transactions are accurately recorded. But the system didn’t protect against the numerous ways hackers might fake or corrupt votes, the University of Colorado researchers said. Those include impersonating voters, attacking the blockchain system itself so votes can’t be trusted, flooding the system with information so it becomes too overwhelmed to function, and using techniques that undermine voters’ privacy and the secrecy of the ballot. The researchers were able to successfully perform all those hacks during a mock election held on campus. “The Postal Service was awarded a public patent for the concept in August 2020, but had not previously revealed that it built a prototype system or tested it,” the report notes.

Two US Senators Urge Federal Investigations Into Facebook About Safety – and Ad Reach

Two leading U.S. Senators “are urging federal regulators to investigate Facebook over allegations the company misled advertisers, investors and the public about public safety and ad reach on its platform,” reports CNBC:

On Thursday, Senator Warren urged the heads of the Department of Justice and Securities and Exchange Commission to open criminal and civil investigations into Facebook or its executives to determine if they violated U.S. wire fraud and securities laws. A day earlier, Senator Cantwell, chair of the Senate Commerce Committee, encouraged the Federal Trade Commission to investigate whether Facebook, now called Meta, violated the agency’s law against unfair or deceptive business practices. Cantwell’s letter was made public on Thursday…

In her letter to the FTC, Cantwell focused on Facebook’s claims about the safety of its products, in addition to the allegedly inflated ad projections… She suggested the agency investigate Facebook and, depending what the evidence shows, pursue monetary relief for advertisers and disgorgement of allegedly ill-gotten gains.
Senator Warren points to a whistleblower’s recent allegations that Facebook misled both investors and advertising customers about their ad reach, according to the article. Warren’s letter also raised the possibility that Facebook violated securities law, describing it as “breathtakingly illegal conduct by one of the world’s largest social media companies.”

And in addition, Warren “wrote that evidence increasingly suggests executives were aware the metric ‘was meaningfully and consistently inflated.’”

Bloomberg adds this quote from Senator Cantwell’s letter:
“A thorough investigation by the Commission and other enforcement agencies is paramount, not only because Facebook and its executives may have violated federal law, but because members of the public and businesses are entitled to know the facts regarding Facebook’s conduct as they make their decisions about using the platform.”

Apple Launches AirTags and Find My Detector App For Android, In Effort To Boost Privacy

Apple has released a new Android app called Tracker Detect, designed to help people who don’t own iPhones or iPads to identify unexpected AirTags and other Find My network-equipped sensors that may be nearby. CNET reports: The new app, which Apple released on the Google Play store Monday, is intended to help people look for item trackers compatible with Apple’s Find My network. “If you think someone is using AirTag or another device to track your location,” the app says, “you can scan to try to find it.” If the Tracker Detect app finds an unexpected AirTag that’s away from its owner, for example, it will be marked in the app as “Unknown AirTag.” The Android app can then play a sound within 10 minutes of identifying the tracker. It may take up to 15 minutes after a tracker is separated from its owner before it shows up in the app, Apple said.

If the tracker identified is an AirTag, Apple will offer instructions within the app to remove its battery. Apple also warns within the app that if the person feels their safety is at risk because of the item tracker, they should contact law enforcement. […] The Tracker Detect app, which Apple first discussed in June, requires users to actively scan for a device before it’ll be identified. Apple doesn’t require users to have an Apple account in order to use the detecting app. If the AirTag is in “lost mode,” anyone with an NFC-capable device can tap it and receive instructions for how to return it to its owner. Apple said all communication is encrypted so that no one, including Apple, knows the location or identity of people or their devices.

South Korea To Test AI-Powered Facial Recognition To Track COVID-19 Cases

South Korea will soon roll out a pilot project to use artificial intelligence, facial recognition and thousands of CCTV cameras to track the movement of people infected with the coronavirus, despite concerns about the invasion of privacy. Reuters reports: The nationally funded project in Bucheon, one of the country’s most densely populated cities on the outskirts of Seoul, is due to become operational in January, a city official told Reuters. The system uses AI algorithms and facial recognition technology to analyze footage gathered by more than 10,820 CCTV cameras and track an infected person’s movements, anyone they had close contact with, and whether they were wearing a mask, according to a 110-page business plan from the city submitted to the Ministry of Science and ICT (Information and Communications Technology), and provided to Reuters by a parliamentary lawmaker critical of the project.

The Bucheon official said the system should reduce the strain on overworked tracing teams in a city with a population of more than 800,000 people, and help use the teams more efficiently and accurately. […] The Ministry of Science and ICT said it has no current plans to expand the project to the national level. It said the purpose of the system was to digitize some of the manual labour that contact tracers currently have to carry out. The Bucheon system can simultaneously track up to ten people in five to ten minutes, cutting the time spent on manual work that takes around half an hour to one hour to trace one person, the plan said.
