Google’s New Bug Bounties Include Their Custom Linux Kernel’s Experimental Security Mitigations

Google uses Linux “in almost everything,” according to the leader of Google’s “product security response” team — including Chromebooks, Android smartphones, and even Google Cloud.

“Because of this, we have heavily invested in Linux’s security — and today, we’re announcing how we’re building on those investments and increasing our rewards.”

In 2020, we launched an open-source Kubernetes-based Capture-the-Flag (CTF) project called, kCTF. The kCTF Vulnerability Rewards Program lets researchers connect to our Google Kubernetes Engine (GKE) instances, and if they can hack it, they get a flag, and are potentially rewarded.

All of GKE and its dependencies are in scope, but every flag caught so far has been a container breakout through a Linux kernel vulnerability.

We’ve learned that finding and exploiting heap memory corruption vulnerabilities in the Linux kernel could be made a lot harder. Unfortunately, security mitigations are often hard to quantify, however, we think we’ve found a way to do so concretely going forward….

First, we are indefinitely extending the increased reward amounts we announced earlier this year, meaning we’ll continue to pay $20,000 — $91,337 USD for vulnerabilities on our lab kCTF deployment to reward the important work being done to understand and improve kernel security. This is in addition to our existing patch rewards for proactive security improvements.

Second, we’re launching new instances with additional rewards to evaluate the latest Linux kernel stable image as well as new experimental mitigations in a custom kernel we’ve built. Rather than simply learning about the current state of the stable kernels, the new instances will be used to ask the community to help us evaluate the value of both our latest and more experimental security mitigations. Today, we are starting with a set of mitigations we believe will make most of the vulnerabilities (9/10 vulns and 10/13 exploits) we received this past year more difficult to exploit. For new exploits of vulnerabilities submitted which also compromise the latest Linux kernel, we will pay an additional $21,000 USD. For those which compromise our custom Linux kernel with our experimental mitigations, the reward will be another $21,000 USD (if they are clearly bypassing the mitigations we are testing). This brings the total rewards up to a maximum of $133,337 USD.

We hope this will allow us to learn more about how hard (or easy) it is to bypass our experimental mitigations…..

With the kCTF VRP program, we are building a pipeline to analyze, experiment, measure and build security mitigations to make the Linux kernel as safe as we can with the help of the security community. We hope that, over time, we will be able to make security mitigations that make exploitation of Linux kernel vulnerabilities as hard as possible.

“We don’t care about vulnerabilities; we care about exploits,” Vela told the Register. “We expect the vulnerabilities are there, they will get patched, and that’s nice and all. But the whole idea is what do to beyond just patching a couple of vulnerabilities.”
In total, Google paid out $8.7 million in rewards to almost 700 researchers across its various VPRs last year. “We are just one actor in the whole community that happens to have economic resources, financial resources, but we need the community to help us make the Kernel better,” Vela said.

“If the community is engaged and helps us validate the mitigations that we have, then, we will continue growing on top of that. But the whole idea is that we need to see where the community wants us to go with this….”

[I]t’s not always about the cash payout, according to Vela, and different bug hunters have different motivations. Some want money, some want fame and some just want to solve an interesting problem, Vela said. “We are trying to find the right combination to captivate people.”

Read more of this story at Slashdot.

Linux 6.0 Arrives With Performance Improvements and More Rust Coming

Linux creator Linus Torvalds has announced the first release candidate for the Linux kernel version 6.0, but he says the major number change doesn’t signify anything especially different about this release. ZDNet: While there is nothing fundamentally different about this release compared with 5.19, Torvalds noted that there were over 13,500 non-merge commits and over 800 merged commits, meaning “6.0 looks to be another fairly sizable release.” According to Torvalds, most of the updates are improvements to the GPU, networking and sound. Torvalds stuck to his word after releasing Linux kernel 5.19 last month, when he flagged he would likely call the next release 6.0 because he’s “starting to worry about getting confused by big numbers again.”

On Sunday’s release of Linux 6.0 release candidate version 1 (rc-1), he explained his reasoning behind choosing a new major version number and its purpose for developers. Again, it’s about avoiding confusion rather than signaling that the release has major new features. His threshold for changing the lead version number was .20 because it is difficult to remember incremental version numbers beyond that. “Despite the major number change, there’s nothing fundamentally different about this release – I’ve long eschewed the notion that major numbers are meaningful, and the only reason for a ‘hierarchical; numbering system is to make the numbers easier to remember and distinguish,” said Torvalds. Torvalds lamented some Rust-enabling code didn’t make it into the release. The Register adds: “I actually was hoping that we’d get some of the first rust infrastructure, and the multi-gen LRU VM, but neither of them happened this time around,” he mused, before observing “There’s always more releases. This is one of those releases where you should not look at the diffstat too closely, because more than half of it is yet another AMD GPU register dump,” he added, noting that Intel’s Gaudi2 Ai processors are also likely to produce plenty of similar kernel additions. “The CPU people also show up in the JSON files that describe the perf events, but they look absolutely tiny compared to the ‘asic_reg’ auto-generated GPU and AI hardware definitions,” he added.

Read more of this story at Slashdot.

San Francisco Restaurant Claims To Be First To Run Entirely By Robots

Mezli isn’t the first automated restaurant to roll out in San Francisco, but, at least according to its three co-founders, it’s the first to remove humans entirely from the on-site operation equation. Eater SF reports: About two years and a few million dollars later, Mezli co-founders Alex Kolchinski, Alex Gruebele, and Max Perham are days away from firing up the touch screens at what they believe to be the world’s first fully robotic restaurant. To be clear, Mezli isn’t a restaurant in the traditional sense. As in, you won’t be able to pull up a seat and have a friendly server — human, robot, or otherwise — take your order and deliver your food. Instead, Mezli works more like if a vending machine and a restaurant had a robot baby, Kolchinski describes. It’s a way to get fresh food to a lot of people, really fast (the box can pump out about 75 meals an hour), and, importantly, at a lower price; the cheapest Mezli bowl starts at $6.99.

On its face, the concept actually sounds pretty simple. The co-founders built what’s essentially a big, refrigerated shipping container and stuffed it with machines capable of portioning out ingredients, putting those ingredients into bowls, heating the food up, and then moving it to a place where diners can get to it. But in a technical sense, the co-founders say it was quite difficult to work out. Most automated restaurants still require humans in some capacity; maybe people take orders while robots make the food or, vice versa, with automated ordering and humans prepping food behind the scenes. But Mezli can run on its own, serving hundreds of meals without any human staff.

The food does get prepped and pre-cooked off-site by good old-fashioned carbon-based beings. Mezli founding chef Eric Minnich, who previously worked at Traci Des Jardins’s the Commissary and at Michelin-starred Madera at Rosewood Sand Hill hotel, says he and a lean team of just two other people can handle all the chopping, mixing, cooking, and portioning at a commissary kitchen. Then, once a day, they load all the menu components into the big blue-and-white Mezli box. Inside the box, there’s an oven that either brings the ingredients up to temp or finishes up the last of the cooking. Cutting down on labor marks a key cost-saving measure in the Mezli business model; with just a fraction of the staff, as in less than a half dozen workers, Mezli can serve hundreds of meals. “The fully robot-run restaurant begins taking orders and sliding out Mediterranean grain bowls by the end of this week with plans to celebrate a grand opening on August 28 at Spark Social,” notes Eater.

Read more of this story at Slashdot.

Impact Crater May Be Dinosaur Killer’s Baby Cousin

Researchers have discovered a second impact crater on the other side of the Atlantic that could have finished off what was left of the dinosaurs, after an asteroid known as Chicxulub slammed into what is now the Gulf of Mexico 66 million years ago. The BBC reports: Dubbed Nadir Crater, the new feature sits more than 300m below the seabed, some 400km off the coast of Guinea, west Africa. With a diameter of 8.5km, it’s likely the asteroid that created it was a little under half a kilometre across. The hidden depression was identified by Dr Uisdean Nicholson from Heriot-Watt University, Edinburgh, UK. […] “Our simulations suggest this crater was caused by the collision of a 400m-wide asteroid in 500-800m of water,” explained Dr Veronica Bray from the University of Arizona, US. “This would have generated a tsunami over one kilometre high, as well as an earthquake of Magnitude 6.5 or so. “The energy released would have been around 1,000 times greater than that from the January 2022 eruption and tsunami in Tonga.”

Dr Nicholson’s team has to be cautious about tying the two impacts together. Nadir has been given a very similar date to Chicxulub based on an analysis of fossils of known age that were drilled from a nearby borehole. But to make a definitive statement, rocks in the crater itself would need to be pulled up and examined. This would also confirm Nadir is indeed an asteroid impact structure and not some other, unrelated feature caused by, for example, ancient volcanism. […] Prof Sean Gulick, who co-led the recent project to drill into the Chicxulub Crater, said Nadir might have fallen to Earth on the same day. Or it might have struck the planet a million or two years either side of the Mexican cataclysm. Scientists will only know for sure when rocks from the west African crater are inspected in the lab. “A much smaller cousin, or sister, doesn’t necessarily add to what we know about the dinosaurs’ extinction, but it does add to our understanding of the astronomical event that was Chicxulub,” the University of Texas at Austin researcher told BBC News.

Read more of this story at Slashdot.

Microsoft Employees Exposed Own Company’s Internal Logins

Multiple people who appear to be employees of Microsoft have exposed sensitive login credentials to the company’s own infrastructure on GitHub, potentially offering attackers a gateway into internal Microsoft systems, according to a cybersecurity research firm that found the exposed credentials. Motherboard reports: “We continue to see that accidental source code and credential leakages are part of the attack surface of a company, and it’s becoming more and more difficult to identify in a timely and accurate manner. This is a very challenging issue for most companies these days,” Mossab Hussein, chief security officer at cybersecurity firm spiderSilk which discovered the issue, told Motherboard in an online chat. Hussein provided Motherboard with seven examples in total of exposed Microsoft logins. All of these were credentials for Azure servers. Azure is Microsoft’s cloud computer service and is similar to Amazon Web Services. All of the exposed credentials were associated with an official Microsoft tenant ID. A tenant ID is a unique identifier linked to a particular set of Azure users. One of the GitHub users also listed Microsoft on their profile.

Three of the seven login credentials were still active when spiderSilk discovered them, with one seemingly uploaded just days ago at the time of writing. The other four sets of credentials were no longer active but still highlighted the risk of workers accidentally uploading keys for internal systems. Microsoft refused to elaborate on what systems the credentials were protecting when asked multiple times by Motherboard. But generally speaking, an attacker may have an opportunity to move onto other points of interest after gaining initial access to an internal system. One of the GitHub profiles with exposed and active credentials makes a reference to the Azure DevOps code repository. Highlighting the risk that such credentials may pose, in an apparently unrelated hack in March attackers gained access to an Azure DevOps account and then published a large amount of Microsoft source code, including for Bing and Microsoft’s Cortana assistant. “We’ve investigated and have taken action to secure these credentials,” said a Microsoft spokesperson in a statement. “While they were inadvertently made public, we haven’t seen any evidence that sensitive data was accessed or the credentials were used improperly. We’re continuing to investigate and will continue to take necessary steps to further prevent inadvertent sharing of credentials.”

Read more of this story at Slashdot.

Drought-Stricken States To Get Less From Colorado River

For the second year in a row, Arizona and Nevada will face cuts in the amount of water they can draw from the Colorado River as the West endures an extreme drought, federal officials announced Tuesday. The Associated Press reports: The cuts planned for next year will force states to make critical decisions about where to reduce consumption and whether to prioritize growing cities or agricultural areas. The cuts will also place state officials under renewed pressure to plan for a hotter, drier future and a growing population. Mexico will also face cuts. “We are taking steps to protect the 40 million people who depend on the Colorado River for their lives and livelihoods,” said Camille Touton, commissioner of the Bureau of Reclamation.

The river provides water across seven states and in Mexico and helps feed an agricultural industry valued at $15 billion a year. Cities and farms are anxiously awaiting official estimates of the river’s future water levels that will determine the extent and scope of cuts to their water supply. That’s not all. In addition to those already-agreed-to cuts, the Bureau of Reclamation said Tuesday that states had missed a deadline to propose at least 15% more cuts needed to keep water levels at the river’s storage reservoirs from dropping even more. For example, officials have predicted that water levels at Lake Mead, the nation’s largest reservoir, will plummet further. The lake is currently less than a quarter full. “The states collectively have not identified and adopted specific actions of sufficient magnitude that would stabilize the system,” Touton said.

Read more of this story at Slashdot.

New US Privacy Law May Give Telecoms Free Pass On $200 Million Fines

An anonymous reader quotes a report from Motherboard: The American Data Privacy and Protection Act (ADPPA), a new federal privacy bill that has actually a chance of becoming law, is designed to introduce new privacy protections for Americans. But it may also have the side effect of wiping out $200 million worth of fines proposed against some of the country’s biggest telecommunications companies as part of a major location-data selling scandal in which the firms sold customer data that ended up in the hands of bounty hunters and other parties. The issue centers around the ADPPA’s shift of enforcement for privacy related matters from the Federal Communications Commission (FCC), which proposed the fines, to the Federal Trade Commission (FTC). The news highlights the complex push and pulls when developing privacy legislation, and some of the pitfalls along the way.

The FCC proposed the $200 million fines in February 2020. The fines came after Motherboard revealed that the carriers sold phone location data to a complex supply chain of companies which then provided it to hundreds of bounty hunters and other third parties, including someone that allowed Motherboard to track a phone for just $300. The fines also came after The New York Times and the office of Sen. Ron Wyden found that the carriers sold location data in a similar method to a company called Securus, which allowed law enforcement officials to track the location of phones without a warrant. A former sheriff abused the tool to spy on judges and other officials. The offending telecoms — AT&T, T-Mobile, Sprint, Verizon — said they stopped the sale of location data at varying points in time in response to the investigations. The FCC then found that the carriers broke the law by selling such data.

FCC Press Secretary Paloma Perez told Motherboard in an emailed statement that “our real-time location information is some of the most sensitive data there is about us, and it deserves the highest level of privacy protection. That is why the FCC has proposed more than $200 million in fines against the nation’s largest wireless carriers for selling their customers’ location data. Through our continued oversight we have ensured that these carriers are no longer monetizing their consumers’ real-time location in this way, and we are continuing our investigation into these practices and expect to reach a conclusion very soon.” In July FCC Chairwoman Jessica Rosenworcel sent letters to a host of U.S. telecommunications, tech, and retail companies to ask about their use of location data.

Read more of this story at Slashdot.

WeWork’s Former CEO Has a New Startup, Reportedly Valued At More Than $1 Billion

Nearly three years after Adam Neumann stepped down as CEO of WeWork following a failed attempt to take the company public, he is said to once again be in charge of a billion-dollar real estate startup. CNN Business reports: Andreessen Horowitz, the prominent venture capital firm known for its early investments in Twitter and Airbnb, has pumped about $350 million into Neumann’s newest venture, called Flow, according to The New York Times, citing unnamed sources briefed on the deal. The investment valued the startup at more than $1 billion, according to the report. In a blog post Monday, Marc Andreessen, cofounder and general partner at the VC firm, announced the investment, without disclosing financial details. He also explained his thinking for backing Flow, a residential real estate company, and Neumann despite the founder’s high-profile fall from grace at WeWork.

“Adam is a visionary leader who revolutionized the second largest asset class in the world — commercial real estate — by bringing community and brand to an industry in which neither existed before,” Andreessen wrote in his post Monday. “Adam, and the story of WeWork, have been exhaustively chronicled, analyzed, and fictionalized — sometimes accurately. For all the energy put into covering the story, it’s often under appreciated that only one person has fundamentally redesigned the office experience and led a paradigm-changing global company in the process: Adam Neumann.” It’s not immediately clear how Flow seeks to revolutionize the residential housing industry. Flow currently has a bare bones website, with the slogan “Live life in flow” and two words stating it will launch in 2023.

Andreessen positioned the new company as a long-awaited solution to the nation’s “housing crisis.” He used a mix of jargon-filled terms — “community-driven, experience-centric service” — to explain how the new startup would “create a system where renters receive the benefits of owners.” “We think it is natural that for his first venture since WeWork, Adam returns to the theme of connecting people through transforming their physical spaces and building communities where people spend the most time: their homes,” Andreessen wrote. “Residential real estate — the world’s largest asset class — is ready for exactly this change.”

Read more of this story at Slashdot.