Google

Google Researchers Find Wormable 'Crazy Bad' Windows Exploit (bleepingcomputer.com) 74

An anonymous reader quotes a report from BleepingComputer: Two Google security experts have found a severe remote code execution (RCE) bug in the Windows OS, which they've described as "crazy bad." The two experts are Natalie Silvanovich and Tavis Ormandy, both working for Project Zero, a Google initiative for discovering and helping patch zero-days in third-party software products. The two didn't release in-depth details about the vulnerability, but only posted a few cryptic tweets regarding the issue. Drilled with questions by Twitter's infosec community, Ormandy later revealed more details: the attacker and the victim don't necessarily need to be on the same LAN; the attack works on a default Windows install, meaning victims don't need to install extra software on their systems to become vulnerable; the attack is wormable (can self-replicate). The tweets came days before Microsoft's May 2017 Patch Tuesday, scheduled tomorrow, May 9. The researchers said a report is coming, alluding that the vulnerability might be patched this month, after which they'll be free to publish their findings.
Medicine

Popular Belief That Saturated Fat Clogs Up Arteries Is a Myth, Experts Say (independent.ie) 273

schwit1 quotes a report from Irish Independent: The authors, led by Dr Aseem Malhotra, from Lister Hospital, Stevenage, wrote: "Despite popular belief among doctors and the public, the conceptual model of dietary saturated fat clogging a pipe is just plain wrong." Dr Malhotra and colleagues Professor Rita Redberg, from the University of California at San Francisco, and Pascal Meier from University Hospital Geneva in Switzerland and University College London, cited a "landmark" review of evidence that appeared to exonerate saturated fat. They said relative levels of "good" cholesterol, or high density lipoprotein (HDL), were a better predictor of heart disease risk than levels of low density lipoprotein (LDL), also known as "bad" cholesterol. High consumption of foods rich in saturated fat such as butter, cakes and fatty meat has been shown to increase blood levels of LDL. The experts wrote: "It is time to shift the public health message in the prevention and treatment of coronary artery disease away from measuring serum lipids (blood fats) and reducing dietary saturated fat. "Coronary artery disease is a chronic inflammatory disease and it can be reduced effectively by walking 22 minutes a day and eating real food." They pointed out that in clinical trials widening narrow arteries with stents -- stainless steel mesh devices -- failed to reduce the risk of heart attacks.
Advertising

Burger King Won't Take a Hint; Alters TV Ad To Evade Google's Block (washingtonpost.com) 606

ewhac writes: Earlier this week, Burger King released a broadcast television ad that opened with an actor saying, "Ok, Google, what is the Whopper?" thereby triggering any Google Home device in hearing range to respond to the injected request with the first line from the Whopper's Wikipedia page. Google very properly responded to the injection attack by fingerprinting the sound sample and blocking it from triggering responses. However, it seems Burger King and/or its ad agency are either unwilling or congenitally incapable of getting the hint, and have released an altered version of the ad to evade Google's block. According to spokesperson Dara Schopp, BK regards the ad as a success, as it has increased the brand's "social conversation" on Twitter by some 300%. It seems that Burger King thinks that malware-laden advertising infesting webpages is a perfectly wonderful idea (in principle, at least), and has taken it to the next level by reaching through your TV speakers and directly messing with your digital devices. You may wish to consider alternate vendors for your burger needs.
Mozilla

Tor Browser Will Feature More Rust Code (bleepingcomputer.com) 149

An anonymous reader writes: "The Tor Browser, a heavily modified version of the Firefox browser with many privacy-enhancing features, will include more code written in the Rust programming language," reports BleepingComputer. In a meeting held last week in Amsterdam, Tor developers decided to slowly start using Rust to replace the C++ code. The decision comes after Mozilla started shipping Rust components with Firefox in 2016. Furthermore, Rust is a memory-safe(r) language than C++, the language used for Firefox and the customized Tor code, which means fewer memory corruption errors. Fewer of these errors means better privacy for all.
"Part of our interest in using safer languages like Rust in Tor is because a tiny mistake in C could have real consequences for real people," Tor developer Isis Agora Lovecruft posted on Twitter, adding "Also the barrier to entry for contributing to large OSS projects written in C is insanely high."
Cloud

Tim Sweeney Dislikes Windows 10 Cloud Rumors, Calls OS 'Crush Steam Edition' (arstechnica.com) 183

An anonymous reader quotes a report from Ars Technica: The rumor that Microsoft is building a version of Windows 10 that can only install apps from the Windows Store has drawn criticism before it's even official. Epic Games founder Tim Sweeney took to Twitter to attack the operating system. Although its real name is Windows 10 Cloud, he's dubbing it "Windows 10 Crush Steam Edition." Sweeney is convinced that Microsoft wants to exercise total control over the Windows platform and destroy Valve's Steam. Last year, Sweeney attacked the Universal Windows Platform API. He claimed (incorrectly) that third-party stores such as Steam would be unable to sell and distribute UWP games, leaving them at a disadvantage relative to Microsoft's own store. He followed this statement with the claim that Microsoft would systematically modify Windows so as to make Steam work worse and worse, such that gamers grow tired of it and switch to the Windows Store. In his tweets, Sweeney recognizes that Microsoft wants to compete with Chrome OS. But he fails to understand what the company must do to actually offer that competition. He wrote that "it's great for Microsoft to compete with ChromeOS, but NOT BY LOCKING OUT COMPETING WINDOWS SOFTWARE STORES." This statement represents a failure to understand that "locking out competing Windows software stores" is, for this market, positively desirable. It's fundamental to preventing the hard-to-support free-for-all that a Windows system would otherwise represent. A later tweet does recognize the value of this lockdown, but Sweeney says that Windows 10's "great admin features to limit user software installs" should be used instead. This again suggests a misunderstanding of the target market: systems will be used with little to no supervision and with little to no administrative oversight. To compete against the Chromebook, Windows 10 Cloud needs to be locked down by default, and it must not offer any ready way to disable that lockdown.
In his complaints, Sweeney also fails to consider what happens should the Chromebook threat go unaddressed: Chromebooks running Chrome OS will proliferate. These machines will not support third-party stores, they will not support Steam, and they will not support PC games at all. Sweeney may not want Microsoft to build this world, but even if Microsoft doesn't create it, Google already is doing so.
Windows

CNET Editor Rails Against Non-Consensual Windows Updates (cnet.com) 498

schwit1 shares this angry commentary from a CNET senior editor: Maybe you're delivering a presentation to a huge audience. Maybe you're taking an online test. Maybe you just need to get some work done on a tight deadline. Windows doesn't care. Windows will take control of your computer, force-feed it updates, and flip the reset switch automatically — and there's not a damn thing you can do about it, once it gets started.

If you haven't saved your work, it's gone. Your browser tabs are toast. And don't expect to use your computer again soon; depending on the speed of your drive and the size of the update, it could be anywhere from 10 minutes to well over an hour before your PC is ready for work. As far as I'm concerned, it's the single worst thing about Windows. It's only gotten worse in Windows 10. And when I poked around Microsoft, the overarching message I received was that Microsoft has no interest in fixing it.

The editor recalls rebooting his Windows laptop while listening to a speech by Steve Jobs in 2010. (The reboot locked his computer for 20 minutes while updates were installed, "the first of three occasions that a forced Windows update would totally destroy my workflow at a critical moment.") He shares stories from other frustrated Windows users, urges readers to send him more anecdotes, and argues that Microsoft has even begun "actively getting rid of ways to keep users from disabling automatic updates."
Government

Julian Assange Will Not Hand Himself In Because Chelsea Manning's Release Won't Happen Immediately, Lawyer Says (independent.co.uk) 564

President Obama commuted Chelsea Manning's prison sentence yesterday, reducing her time required to serve behind bars from 35 years to just over seven years. Prior to the commutation, WikiLeaks' Julian Assange pledged to surrender himself to U.S. authorities if Manning was pardoned. Roughly 24 hours have passed since the news broke and it appears that Assange will not hand himself in to the Department of Justice. The Independent reports: Mr Assange's lawyers initially seemed to suggest that promise would be carried through -- telling reporters that he stood by his earlier comments -- but it appears now that Mr Assange will stay inside the embassy. The commitment to accept extradition to the U.S. was based on Ms Manning being released immediately, Mr Assange's lawyer told The Hill. Ms Manning won't actually be released until May -- to allow for a standard 120-day transition period, which gives people time to prepare and find somewhere to live, an official told The New York Times for its original report about Ms Manning's clemency. "Mr. Assange welcomes the announcement that Ms. Manning's sentence will be reduced and she will be released in May, but this is well short of what he sought," Barry Pollack, Assange's U.S.-based attorney, told the site. "Mr. Assange had called for Chelsea Manning to receive clemency and be released immediately."
Chrome

Latest Adobe Acrobat Reader Update Silently Installs Chrome Extension (bleepingcomputer.com) 145

An anonymous reader writes: The latest Adobe Acrobat Reader security update (15.023.20053), besides delivering security updates, also secretly installs the Adobe Acrobat extension in the user's Chrome browser. There is no mention of this "special package" on Acrobat's changelog, and surprise-surprise, the extension comes with anonymous data collection turned on by default. Bleeping Computer reports: "This extension allows users to save any web page they're on as a PDF file and share it or download it to disk. The extension is also Windows-only, meaning Mac and Linux Chrome users will not receive it. The extension requests the following permissions: Read and change all your data on the websites you visit; Manage your downloads; Communicate with cooperating native applications. According to Adobe, extension users 'share information with Adobe about how [they] use the application. The information is anonymous and will help us improve product quality and features,' Adobe also says. 'Since no personally identifiable information is collected, the anonymous data will not be meaningful to anyone outside of Adobe.'"
Businesses

IBM Promises To Hire 25,000 Americans As Tech Executives Set To Meet Trump (reuters.com) 244

IBM Chief Executive Ginni Rometty has pledged to "hire about 25,000 professionals in the next four years in the United States" as she and other technology executives prepared to meet with President-elect Donald Trump on Wednesday. Reuters reports: IBM had nearly 378,000 employees at the end of 2015, according to the company's annual report. While the firm does not break out staff numbers by country, a review of government filings suggests IBM's U.S. workforce declined in each of the five years through 2015. When asked why IBM planned to increase its U.S. workforce after those job cuts, company spokesman Ian Colley said in an email that Rometty had laid out the reasons in her USA Today piece. Her article did not acknowledge that IBM had cut its U.S. workforce, although it called on Congress to quickly update the Perkins Career and Technical Education Act that governs federal support for vocational education. "We are hiring because the nature of work is evolving," she said. "As industries from manufacturing to agriculture are reshaped by data science and cloud computing, jobs are being created that demand new skills -- which in turn requires new approaches to education, training and recruiting." She said IBM intended to invest $1 billion in the training and development of U.S. employees over the next four years. Pratt declined to say if that represented an increase over spending in the prior four years.
Republicans

Twitter Says It Will Ban Trump If He Breaks Hate-Speech Rules (qz.com) 1058

Twitter has made a serious effort as of late to limit hate speech on its social media site, especially after Election Day, when "biased graffiti, assaults and other incidents have been reported in the news." The company now faces President-elect Donald Trump, who has used Twitter for the past 18 months as a megaphone for his views and rants, which many would consider "hate speech." According to the American Bar Association, hate speech is "speech that offends, threatens, or insults groups, based on race, color, religion, national origin, sexual orientation, or other traits." Quartz reports: While Trump's deceptive tweets may not violate Twitter's rules against harassment, threats and "hateful conduct," Twitter is still keeping an eye on his account for more egregious offenses. This week, the company told Slate it would consider banning key government officials, even the president, if its rules against hate speech or other language were violated. "The Twitter Rules prohibit violent threats, harassment, hateful conduct, and multiple account abuse, and we will take action on accounts violating those policies," a spokesperson wrote. Twitter confirmed with Quartz that everyone, including government officials, was subject to the policy: "The Twitter Rules apply to all accounts," a spokesman wrote. Trump may not have crossed that line yet, but he hasn't exactly refrained from making incendiary claims. Most recently, he claimed that Abdul Razak Ali Artan, who allegedly carried out an attack injuring 11 students at Ohio State University, "should not have been in our country." Artan was a legal permanent U.S. resident, whose family had fled Somalia for Pakistan in 2007. He arrived in the States in 2014.
Advertising

Advertising Company AppNexus Bans Breitbart News Over Hate Speech (betanews.com) 434

Mark Wilson quotes a report from BetaNews: Right-wing website Breitbart -- the darling of the so-called alt-right movement (which it defines as being "younger people who are anti-globalists, very nationalist [and] terribly anti-establishment") -- has been blocked by a leading ad exchange. The site, home to Milo Yiannopoulos (also known as @Nero and banned from Twitter) will no longer be permitted to sell ad space via AppNexus. The move comes after an audit by AppNexus found that Breitbart was in violation of its policies on hate speech and incitement to violence. AppNexus's spokesperson Joshua Zeitz told the BBC: "We use a number of third-party standards to determine what is and isn't hate speech, and if we detect a pattern of speech that could incite violence or discrimination against a minority group, we determine that to be non-compliant and we simply won't serve ads against it. I'm not going to put the examples out there because I'm not going to engage in a tit-for-tat on what is compliant." Bloomberg, which was the first publication to report on the news, noted that AppNexus' investors included Microsoft, News Corp and Sir Martin Sorrell's WPP.
Programming

Are Flawed Languages Creating Bad Software? (techcrunch.com) 531

"Most software, even critical system software, is insecure Swiss cheese held together with duct tape, bubble wrap, and bobby pins..." writes TechCrunch. An anonymous reader quotes their article: Everything is terrible because the fundamental tools we use are, still, so flawed that when used they inevitably craft terrible things... Almost all software has been bug-ridden and insecure for so long that we have grown to think that this is the natural state of code. This learned helplessness is not correct. Everything does not have to be terrible...

Vast experience has shown us that it is unrealistic to expect programmers to write secure code in memory-unsafe languages...as an industry, let's at least set a trajectory. Let's move towards writing system code in better languages, first of all -- this should improve security and speed. Let's move towards formal specifications and verification of mission-critical code.

Their article calls for LangSec testing, and applauds the use of languages like Go and Rust over memory-unsafe languages like C. "It's not just systemd, not just Linux, not just software; the whole industry is at fault."
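The two themes above, memory-safe languages (the Tor Browser story) and LangSec-style strict input recognition (the TechCrunch piece), meet in the parser, which is where most C memory-corruption bugs in network and file-format code live. The following is an added illustration, not code from Tor, Mozilla or the TechCrunch article: a small Rust recognizer for a hypothetical tag/length/payload record format (the format itself, `Record`, `ParseError` and `parse_records` are all assumptions made for this example). Every slice access goes through `get`, so an attacker-supplied length larger than the buffer produces a typed error instead of the out-of-bounds read that the equivalent unchecked C `memcpy` would perform, and the whole input is rejected before any record is acted on.

```rust
// Added example; not from the articles summarized on this page.
// Assumed record format, repeated until the input is exhausted:
//   1 byte  tag
//   2 bytes big-endian payload length N
//   N bytes payload
// In C, `memcpy(out, p + 3, n)` with an attacker-chosen n reads past
// the buffer; here `input.get(..)` returns None and we fail closed.

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    pub payload: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Fewer than 3 bytes remained where a header was expected.
    TruncatedHeader { offset: usize },
    /// The declared payload length runs past the end of the input.
    TruncatedPayload { offset: usize, declared: usize, available: usize },
}

/// Recognize the full input as a sequence of records, or reject it.
/// LangSec style: nothing is returned unless *every* record is well
/// formed, so downstream code never sees a half-validated message.
pub fn parse_records(input: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut records = Vec::new();
    let mut offset = 0usize;
    while offset < input.len() {
        // Bounds-checked header read: None if fewer than 3 bytes remain.
        let header = input
            .get(offset..offset + 3)
            .ok_or(ParseError::TruncatedHeader { offset })?;
        let tag = header[0];
        let declared = u16::from_be_bytes([header[1], header[2]]) as usize;
        let start = offset + 3;
        // Bounds-checked payload read: the declared length is untrusted.
        let payload = input
            .get(start..start + declared)
            .ok_or(ParseError::TruncatedPayload {
                offset,
                declared,
                available: input.len() - start,
            })?;
        records.push(Record { tag, payload });
        offset = start + declared;
    }
    Ok(records)
}

/// Constructed sample inputs (not captured traffic) for a stand-alone run.
pub fn well_formed_sample() -> Vec<u8> {
    vec![0x01, 0x00, 0x03, b'a', b'b', b'c', 0x02, 0x00, 0x00]
}

pub fn oversized_length_sample() -> Vec<u8> {
    // Declares a 65535-byte payload but supplies one byte.
    vec![0x01, 0xFF, 0xFF, b'x']
}

fn main() {
    println!("{:?}", parse_records(&well_formed_sample()));
    println!("{:?}", parse_records(&oversized_length_sample()));
    println!("{:?}", parse_records(&[0x01, 0x00]));
}
```

The point is not that Rust forbids the logic error (a C parser can be written with the same checks); it is that the bounds check is the path of least resistance in Rust, and forgetting it yields a panic rather than silent memory disclosure, which is exactly the "tiny mistake in C" Lovecruft describes.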
Microsoft

Microsoft Limits Cortana Search Box In Windows 10 To Bing and Edge Only (venturebeat.com) 361

An anonymous reader quotes a report from VentureBeat: Microsoft has announced a big change for how the Cortana search box in Windows 10 will work going forward: all searches will be powered by Bing and all links will open with the Edge browser. This is a server-side change going into effect today. Once it takes effect on your Windows 10 computer, Cortana will no longer be able to serve up results from third-party search providers, like Google or Yahoo, nor take you to a third-party browser, such as Google Chrome or Mozilla Firefox. Ryan Gavin, Microsoft's general manager of search and Cortana, said in a Windows blog post announcing the change, "Unfortunately, as Windows 10 has grown in adoption and usage, we have seen some software programs circumvent the design of Windows 10 and redirect you to search providers that were not designed to work with Cortana. The result is a compromised experience that is less reliable and predictable. The continuity of these types of task completion scenarios is disrupted if Cortana can't depend on Bing as the search provider and Microsoft Edge as the browser. The only way we can confidently deliver this personalized, end-to-end search experience is through the integration of Cortana, Microsoft Edge and Bing -- all designed to do more for you."
