The "popular" node.js "event-stream" library was loaded with a module stealing from Bitpay's Copay Bitcoin wallet after creator and longtime maintainer Dominic Tarr handed maintenance over to an unknown identifying itself with the text string "right9ctrl" (archived). Before the handover right9ctrl made a couple of contributions to event-stream building rapport with Tarr. After getting the keys to the repository right9ctrl added a dependency in event-stream on a new "flatmap-stream" library which had been distributed in an encrypted form, which should itself have been a warning if anyone had been bothering to read code they run. Instead it took two months for supicions to emerge.
Bitpay's Copay wallet used the even-stream library, and Bitpay was not involved in raising the alarm over this grave subversion of their product.
Yesterday left wing social engineers unleashed a wave of manufactered outrage over the SQLite project's 8 month old adoption of The Rules Of Saint Benedict in the face of demands by unspecified clients to have a Code of Conduct, any Code of Conduct at all. SQLite author D. Richard Hipp offered the following statements in response to questions on why he didn't edit down the list to a more minimalist, TrannyCoCist compatible form:
I could have edited the list down to just those aspects that seem relevant to coding, but that would put me in the position of editing and redacting Benedict of Nursia, as if I were wiser than he. And I considered that. But in the end, I thought it better to include the whole thing without change. In the preface, I tried to make clear that the introspective aspects could be safely glossed over.
Nobody is excluded from the SQLite community due to biological category or religious creed. The preface to the CoC should make this clear. The only way to get kicked out of the SQLite community is by shouting, flaming, and disrespectful behavior. In 18 years, only one person has ever been banned from the mailing list.
It remains to be seen how many Open Source projects which have bought into full TrannyCoCism will find themselves so deficient in love and humility that they believe the words of Benedict of Nursia ought to be censored, rejected, and abandoned.
Semiconductor Fabricator TMSC annouced that they were hit with a virus that multiple pieces of their production operation in Taiwan. TMSC alleges the virus entered their systems as they were installing software for a new tool. TMSC's full announcement:
Issued by: TSMC
Issued on: 2018/08/05
Hsinchu, Taiwan, R.O.C., Aug 5, 2018 – TSMC today provided an update on the Company’s computer virus outbreak on the evening of August 3, which affected a number of computer systems and fab tools in Taiwan. The degree of infection varied by fab. TSMC contained the problem and found a solution. As of 14:00 Taiwan time, about 80% of the company’s impacted tools have been recovered, and the Company expects full recovery on August 6.
TSMC expects this incident to cause shipment delays and additional costs. We estimate the impact to third quarter revenue to be about three percent, and impact to gross margin to be about one percentage point. The Company is confident shipments delayed in third quarter will be recovered in the fourth quarter 2018, and maintains its forecast of high single-digit revenue growth for 2018 in U.S. dollars given on July 19, 2018.
Most of TSMC’s customers have been notified of this event, and the Company is working closely with customers on their wafer delivery schedule. The details will be communicated with each customer individually over the next few days.
This virus outbreak occurred due to misoperation during the software installation process for a new tool, which caused a virus to spread once the tool was connected to the Company’s computer network. Data integrity and confidential information was not compromised. TSMC has taken actions to close this security gap and further strengthen security measures.
This weekend GPG developer and habitual liar Werner Koch announced a vulnerability that consumes unsanitized input allowing control characters to be called when file names are displayed (archived). The announcement and offered mitigations in conjunction with Koch's history suggest an intentional vulnerability in the software being "burned".
Today disclosure of two plaintext leaking behaviors in email clients handling OpenPGP and S/MIME encrypted messages has been released (archived). The vulnerability affecting S/MIME is baked into the S/MIME standard and may only be mitigated by abandoning S/MIME, no other mitigation is possible. Meanwhile the plaintext leaking behavior affecting OpenPGP encrypted emails requires certain common but very stupid behavior on the part of an email client and the user allowing the email client to be involved in decrypting the message.
The attack in OpenPGP encrypted email involves the message being molested on the wire in such a way the plaintext metadata surrounding the cyphertext is modified to engage your typical email client's HTML rendering engine. If the email client is allowed to be involved in decrypting the cyphertext as is common with various client "plugins", the email client can "phone home" the plaintext after decryption to the message's molester according to the spurious instructions delivered to the HTML rendering engine. The mitigation for this vulnerability is hygiene and not allowing your email client to be involved in cryptographic operations beyond sending and recieving cyphertext blobs encrypted and decrypted elsewhere.
Intel has killed its Android and iOS "Intel Remote Keyboard" app used to manage embeded computers in their line of Internet of Shit products (archived). The move was prompted by the discovery of three vulnerabilities allowing keystroke injection and arbitrary code execution. Rather than patch these vulnerabilties and the others likely to be found, Intel simply killed the app leaving their customers to find other remote management solutions.
In the absence of firm admissions of guilt, known USG influence outlets including Conde Nast publications are pleaing that the malware pushed into phuctorable MikroTik routers was part of a US Special Operations Command anti-Terrorism effort (archived, archived). Presumably this is part of the terrorist Pantsuit USG campaign to creating dialogue points for shifting the overton window on shitware.
Bram Cohen's (WOT: nonperson) venture "Bittorrent Inc." has let the full 90 day window for a remote execution vulnerability revealed through Google's irresponsible disclosure program nearly expire before issuing a supposed fix to their uTorrent software. To ensure a timely upgrade panic the details and a demonstration of the vulnerability are already available (archived).
Reluctant to relinquish its tried and true status as THE day-late-dollar-short member of not yet Great Again American automakers; Fiat Chrysler Automobiles (FCA) announced today that it would be following in the footsteps of General Motors in recalling a great many of its great trucks for a "software error" that could end in a smushy death.
Affecting RAM 1500 and 2500 trucks built from 2013-2016 as well as big mother RAM 3500 trucks built from 2014-2016, over one million units will be recalled starting next month, significantly more than the number affected by FCA's Hot Death but only a quarter of GM's numbers from 2016.
The Dodge "software error" has been implicated in at least one death to date when side airbags and seat belt pretensioners failed to activate following an underbody collision leading to a vehicle rollover. No word on whether Dodge's engineers were also responsible for bugs in other TBTF products of Not Yet Great Again. Also no word on whether Herr Trump is planning to extend his recent Executive Order to include automakers but it would be pretty sweet if he did.