Nasty Linux Netfilter Firewall Security Hole Found

Sophos threat researcher Nick Gregory discovered a hole in Linux’s netfilter firewall program that’s “exploitable to achieve kernel code execution (via ROP [return-oriented programming]), giving full local privilege escalation, container escape, whatever you want.” ZDNet reports: Behind almost all Linux firewalls tools such as iptables; its newer version, nftables; firewalld; and ufw, is netfilter, which controls access to and from Linux’s network stack. It’s an essential Linux security program, so when a security hole is found in it, it’s a big deal. […] This problem exists because netfilter doesn’t handle its hardware offload feature correctly. A local, unprivileged attacker can use this to cause a denial-of-service (DoS), execute arbitrary code, and cause general mayhem. Adding insult to injury, this works even if the hardware being attacked doesn’t have offload functionality! That’s because, as Gregory wrote to a security list, “Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don’t have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails.”

This vulnerability is present in the Linux kernel versions 5.4 through 5.6.10. It’s listed as Common Vulnerabilities and Exposures (CVE-2022-25636), and with a Common Vulnerability Scoring System (CVSS) score of 7.8), this is a real badie. How bad? In its advisory, Red Hat said, “This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat.” So, yes, this is bad. Worse still, it affects recent major distribution releases such as Red Hat Enterprise Linux (RHEL) 8.x; Debian Bullseye; Ubuntu Linux, and SUSE Linux Enterprise 15.3. While the Linux kernel netfilter patch has been made, the patch isn’t available yet in all distribution releases.

Read more of this story at Slashdot.

Google Unveils Its B2B Cloud Gaming Platform Built With Stadia Tech

An anonymous reader quotes a report from Forbes: Google had plenty of news about Stadia, the consumer-facing aspect of its cloud gaming products, at its Google for Games Developer Summit. On the flip side of that is the white-label platform Google’s been working on: a way for other companies to license the game streaming tech that powers Stadia. Previously, that B2B offering was believed to be known as Google Stream. Google has now confirmed more details about the offering, including its name.

It’s now called Immersive Stream for Games (which doesn’t exactly roll off the tongue as smoothly as Google Stream). The Stadia team built it with the help of the folks at Google Cloud. The company says the service will allow companies to run their own game trials, let users play full games, offer subscription bundles or have full storefronts. In other words, publishers might be able to run their own versions of Stadia with their own libraries of games, branding and custom user interface.

We’ve seen a version of Immersive Stream for Games in action. Last year, Google teamed up with AT&T to offer people a way to play Batman: Arkham Knight for free via the cloud. Thousands of folks took advantage of the offer. AT&T plans to offer its customers access to another game soon with the help of Immersive Stream for Games. While that version of Batman: Arkham Knight was only available on desktop and laptop web browsers, the next game will run on mobile devices too. If all goes well, it could be a decent way for AT&T to show off what its 5G network can do. Immersive Stream for Games will include other features Google revealed for Stadia today, including a way to offer free trials of full games and a project aimed at making it easier to port games so they run on Stadia tech, as well as analytics. Developers and publishers can send Google an inquiry for more details.

Read more of this story at Slashdot.

Fourth Shot ‘is Necessary’, Pfizer CEO Says

An anonymous reader shares a report: While US health experts closely monitor upticks of COVID-19 cases in Europe as well as the global rise of the omicron subvariant BA.2, Pfizer is renewing calls for fourth doses of COVID-19 vaccine. In an interview Sunday on CBS’ Face the Nation, Pfizer CEO Albert Bourla said that a fourth dose — aka a second booster — is “necessary.”

“The protection what we are getting from the third [doses], it is good enough — actually, quite good for hospitalizations and deaths,” Dr. Bourla said. But, “it’s not that good against infections” with omicron, and “it doesn’t last very long.” He reported that Pfizer is “working very diligently” to come up with a new dose that will protect against all variants and provide longer-lasting protection.

Read more of this story at Slashdot.

New CaddyWiper Data Wiping Malware Hits Ukrainian Networks

Newly discovered data-destroying malware was observed earlier today in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks. BleepingComputer reports: “This new malware erases user data and partition information from attached drives,” ESET Research Labs explained. “ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations.” While designed to wipe data across Windows domains it’s deployed on, CaddyWiper will use the DsRoleGetPrimaryDomainInformation() function to check if a device is a domain controller. If so, the data on the domain controller will not be deleted. This is likely a tactic used by the attackers to maintain access inside the compromised networks of organizations they hit while still heavily disturbing operations by wiping other critical devices.

While analyzing the PE header of a malware sample discovered on the network of an undisclosed Ukrainian organization, it was also discovered that the malware was deployed in attacks the same day it was compiled. “CaddyWiper does not share any significant code similarity with HermeticWiper, IsaacWiper, or any other malware known to us. The sample we analyzed was not digitally signed,” ESET added. “Similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target’s network beforehand.”

Read more of this story at Slashdot.

Twitter Rolls Back Its Decision To Force You Into the Out-of-Order Timeline

Last week, Twitter introduced a change to the timeline that “would default to showing the algorithmically served Home feed while the reverse-chronological Latest feed was accessible in a separate tab,” reports The Verge. “The change […] made it more difficult to view tweets in chronological order.” Twitter is now reverting things to the way following significant backlash. From the report: Some users shared criticism of the change almost immediately after its March 10th announcement, as the Latest feed is preferred to the Home feed for many. The out-of-sequence Home feed can, at times, be confusing, especially for people who use Twitter for updates during a breaking news event like the war in Ukraine. However, two Twitter execs noted in replies to Verge contributing editor Casey Newton that they would be working on the problem, and it appears that the original change won’t be going through as planned. “We take feedback seriously, and in this case, we heard the new pinned Home & Latest wasn’t giving you the level of control over your timeline that you want,” Twitter spokesperson Shaokyi Amdo said in a statement to The Verge.

However, based on what the execs said, it seems Twitter may be investigating other possible changes to the timeline in the future. “Giving people choice and control over their Twitter experience is super important,” Twitter’s newly named VP of consumer product, Jay Sullivan, said in a reply to Newton on March 12th. “I’ll be working on this. Stay tuned.” Sullivan added that he was hoping the platform could achieve “a nice balance for all.”

Read more of this story at Slashdot.

TorGuard Settles Piracy Lawsuit, Agrees To Block Torrent Traffic On US Servers

TorGuard has settled a copyright infringement lawsuit filed by several movie companies last year. The VPN provider stood accused of failing to take action against subscribers who were pirating films. As part of the settlement, TorGuard agrees to block BitTorrent traffic on U.S. servers; however, it stresses that user privacy is in no way affected by this decision. TorrentFreak reports: “Pursuant to a confidential settlement agreement, Plaintiffs have requested, and Defendant has agreed to use commercially reasonable efforts to block BitTorrent traffic on its servers in the United States using firewall technology,” a joint statement reads. This is quite a far-reaching measure as a broad BitTorrent blockade will also affect legal traffic, which includes software updates from Twitter and Facebook. That said, people can still use BitTorrent on servers in other regions. […]

The company confirms that it’s blocking torrent traffic on U.S. servers, but that doesn’t change anything for the privacy of users. “TorGuard has not been forced to log network usage data. Due to the nature of shared IP’s and related hardware technicalities of how TorGuard’s network was built it is impossible for us to do so,” the VPN provider writes. “We have a responsibility to provide high quality uninterrupted VPN and proxy services to our client base at large while mitigating any related network abuse that should arise. This commitment to user privacy and service reliability is the reason we have taken measures to block Bittorrent traffic on servers within the United States.”

Read more of this story at Slashdot.

Computer History Museum Publishes Memories of the Programmer for NASA’s Moon Missions

This week Silicon Valley’s Computer History Museum posted a PDF transcript (and video excerpts) from an interview with 81-year-old Margaret Hamilton, the programmer/systems designer who in the 1960s became director of the Software Engineering Division at the MIT Instrumentation Laboratory which developed the on-board flight software for NASA’s Apollo program. Prior to that Hamilton had worked on software to detect an airplane’s radar signature, but thought, “You know, ‘I guess I should delay graduate school again because I’d like to work on this program that puts all these men on the Moon….'”

“There was always one thing that stood out in my mind, being in the onboard flight software, was that it was ‘man rated,’ meaning if it didn’t work a person’s life was at stake if not over. That was always uppermost in my mind and probably many others as well.”

Interestingly, Hamilton had originally received two job offers from the Apollo Space Program, and had told them to flip a coin to settle it. (“The other job had to do with support systems. It was software, but it wasn’t the onboard flight software.”) But what’s fascinating is the interview’s glimpses at some of the earliest days of the programming profession:

There was all these engineers, okay? Hardware engineers, aeronautical engineers and all this, a lot of them out of MIT… But the whole idea of software and programming…? Dick Batten, Dr. Batten, when they told him that they were going to be responsible for the software…he went home to his wife and said he was going to be in charge of software and he thought it was some soft clothing…

Hamilton also remembers in college taking a summer job as a student actuary at Travelers Insurance in the mid-1950s, and “all of a sudden one day word was going around Travelers that there were these new things out there called computers that were going to take away all of their jobs… Pretty soon they wouldn’t have jobs. And so everybody was talking about it. They were scared they wouldn’t have a way to make a living.

“But, of course, it ended up being more jobs were created with the computers than there were….”

Hamilton’s story about Apollo 8 is amazing…

Read more of this story at Slashdot.

Vanced, an Alternative to YouTube’s Official App, is Shutting Down

“We’re here to mourn the passing of YouTube Vanced,” writes the site Android Police:

If you weren’t too fond of the official YouTube app, there were many alternatives at your disposal. One of them was YouTube Vanced — a modded version of the original app that added features like ad blocking, background playback, and many more without charging users like YouTube’s Premium tier. We even put it on our list of the best indie apps you can get. It further gained popularity by bringing back dislike counts in videos just as Google removed them from their service…

The folks behind the project announced Sunday in the app’s official Telegram channel and on the Vanced Twitter account that it will be discontinued. No clear reason was given as to why it was killed off, so we can only speculate — but it’s likely due to Google’s legal department taking notice of Vanced…

Vanced was never the only alternative YouTube app. Others include open-source NewPipe, which is more lightweight than the official app. But YouTube Vanced had a huge user base, and we’ll miss it. It won’t be updated anymore, but you can still get the last version. Do it quickly, though — the download links will soon be gone.

Read more of this story at Slashdot.

Russia Shuts Down Instagram at Midnight. Users Say Farewell

Slashdot reader quonset shares this report from Reuters:

Instagram users in Russia have been notified that the service will cease as of midnight on Sunday after its owner Meta Platforms said last week it would allow social media users in Ukraine to post messages such as “Death to the Russian invaders”. An email message from the state communications regulator told users to move their photos and videos from Instagram before it was shut down, and encouraged them to switch to Russia’s own “competitive internet platforms”.

Meta, which also owns Facebook, said Friday that the temporary change in its hate speech policy applied only to Ukraine, in the wake of Russia’s Feb. 24 invasion. The company said it would be wrong to prevent Ukrainians from “expressing their resistance and fury at the invading military forces”….
The message to Instagram users from the state media regulator, Roskomnadzor, described the decision to allow calls for violence against Russians as a breach of international law. “We need to ensure the psychological health of citizens, especially children and adolescents, to protect them from harassment and insults online,” it said, explaining the decision to close down the platform.

“The tears were flowing Sunday among Russia’s airbrushed Instagram influencers, who begged their followers in farewell posts to join them on alternative social media platforms…” reports the Washington Post:
On the platform, emotions ran high Sunday among Russians who were about to lose thousands of dollars they received to promote various products, as well as access to millions of followers amassed over the years. “I’m writing this post now and crying,” Olga Buzova, a Russian reality television star, wrote, saying she hoped “it’s all not true and we will remain here….”

The ban on Instagram is the latest example of how Russia’s citizens are being isolated from the rest of the world as a result of Moscow’s war against Ukraine. Since Russian President Vladimir Putin launched the invasion on Feb. 24, his government has also pulled the plug on Russia’s opposition-oriented radio and television networks, part of a broader effort to squelch domestic dissent in response to the war. Thousands of Russians have been arrested for attempting to protest the invasion…. But perhaps no move is more isolating than removing Russians from social media platforms that connect them directly to other users around the world. Instagram counted nearly 60 million users in Russia in 2021, according to the market data firm Statista, about 40 percent of the country’s population. The platform is also a huge revenue source for its users, who rake in cash from sponsors by posting promotional content.

“We know that over 80 percent of people in Russia on Instagram follow an account from outside of Russia,” Instagram head Adam Mosseri said in a video, according to the Post’s article.

It adds that “It is unclear how many Russians will continue to be able to access Instagram using Virtual Private Networks, or VPNs.”

Read more of this story at Slashdot.

The 11,000-Member Discord Channel For People Pretending to Be VR Police Officers

On the VRChat platform, there’s a fake law-enforcement agency called The Loli Police Department, reports Input magazine.

Though it began as a joke, after four years its Discord channel now has 11,000 members, and “The tightly run community allows members to experience a fantasy version of police life and prides itself on being a source of chaotic good in the strange world of virtual reality.”

Members move through the ranks — from cadet on up — based on their activity level, which is tracked via the group’s Discord. Everything is carefully orchestrated to mimic IRL police…. Karet, a 29-year-old game developer and LPD captain from Texas, says that the hard work of volunteers allows users to roleplay police activities in a realistic environment. “We have some of our own worlds — like the hospital for our medical division, where we can pretend someone is getting treatment, or the jail where we put criminals,” says Karet, who designed the LPD station and jail.

One of Karet’s favorite things to do is mess with users at random. “Lots of people in VRChat like to sit in front of mirrors,” he says. “I will go up to the mirror and do a ‘mirror inspection.’ Then I say it’s an illegal mirror and start looking for someone to blame and arrest. They just don’t know how to handle that,” he laughs. There are other ways to get people into trouble, too. “I can pull out a bag of weed and make it look like it came out of someone’s pocket,” Karet says. “They always say it’s not theirs.”

Being a VRChat police officer comes with its share of challenges. Members are aware that their form of roleplay — which frames spot checks and fake drug busts as harmless fun — doesn’t sit well with some members of the community….

Despite the power dynamics at play, LPD members are not moderators of the VR world and ultimately can’t make much in the way of real change. “One of our new officers came to me upset because they stepped in when they saw harassment, but then they got the brunt of the attack from the harasser,” says Karet. “I commended him, but it’s not what we do. We’re just trying to have fun. So usually when we encounter something like that, we just leave the world.” Thankfully, Karet says, the LPD can help their community somewhat. “We encourage LPD officers to help out new users. It’s easy to spot them, so we often go and give them a hand, show them how things work,” he says. The LPD used to run events for this purpose, but they were recently brought to a halt. “The events are on hiatus because it became a bit cult-y. Everyone was trying to recruit people into the LPD.”

Read more of this story at Slashdot.