Security

NSA Helps Out Microsoft With Critical Exchange Server Vulnerability Disclosures (theregister.com)

April showers bring hours of patches as Microsoft delivers its Patch Tuesday fun-fest consisting of over a hundred CVEs, including four Exchange Server vulnerabilities reported to the company by the US National Security Agency (NSA). The Register reports: Forty-four different products and services are affected, mainly having to do with Azure, Exchange Server, Office, Visual Studio Code, and Windows. Among the vulnerabilities, four have been publicly disclosed and a fifth is being actively exploited. Nineteen of the CVEs have been designated critical. "This month's release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers," Microsoft said in its blog post. "These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft. We have not seen the vulnerabilities used in attacks against our customers."

Clicking through Microsoft's coy links to CVE-2021-28480 (9.8 severity), CVE-2021-28481 (9.8 severity), CVE-2021-28482 (8.8 severity), and CVE-2021-28483 (9.0 severity), you'll find the unspecified security partner is the NSA. Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9 are affected by this set of problems. "NSA urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks," the signals intelligence agency said via Twitter.

Privacy

Amazon Delivery Drivers Forced To Sign 'Biometric Consent' Form or Lose Job (vice.com)

Amazon delivery drivers nationwide have to sign a "biometric consent" form this week that grants the tech behemoth permission to use AI-powered cameras to access drivers' location, movement, and biometric data. From a report: If the company's delivery drivers, who number around 75,000 in the United States, refuse to sign these forms, they lose their jobs. The form requires drivers to agree to facial recognition and other biometric data collection within the trucks they drive. "Amazon may... use certain Technology that processes Biometric Information, including on-board safety camera technology which collects your photograph for the purposes of confirming your identity and connecting you to your driver account," the form reads. "Using your photograph, this Technology, may create Biometric Information, and collect, store, and use Biometric Information from such photographs." It adds that "this Technology tracks vehicle location and movement, including miles driven, speed, acceleration, braking, turns, and following distance ...as a condition of delivery packages for Amazon, you consent to the use of Technology."
Movies

How William Shatner Is Celebrating His 90th Birthday (comicbook.com)

When the Star Trek franchise was awarded a special Emmy in 2018, it was William "Captain Kirk" Shatner who'd co-delivered its acceptance speech, remembers ComicBook.com. "Thank you so much. 52 years. What a gift. We're grateful... Star Trek has endured because it represents an idea — one that's greater than the sum of our parts... we watch and we reach to see the best version of ourselves..."

And now three years later, they report that Shatner "will celebrate his 90th birthday back on the bridge of the USS Enterprise." Sort of... Shatner will partake in a two-day event at the Star Trek: The Original Series Set Tour site in Ticonderoga, New York. The exhibit is famed among fans for its replica of the bridge set where Shatner gave orders as Captain James T. Kirk in Star Trek: The Original Series.

The two-day event begins on July 23rd (a belated celebration coming a few months after his actual birthday in March), with the COVID-19 mask and social distancing rules still in effect... The limited $1500 all-inclusive packages will let fans participate in Shatner's 90th Birthday Dinner Celebration, take a set tour with Shatner, plus a Bridge Chat, a photo, and an autograph. Regular admission is $80 for a standard tour with a la carte photos and autographs available... The replica set is likely the closest fans will ever come to seeing Shatner return to a Starfleet bridge.

So what is William Shatner doing on Monday, the actual date of his 90th birthday? The New York Daily News reports: He's got a series airing on the History channel, he's heading overseas to shoot an episode of a television show, and is in the middle of promoting his latest feature film, a romantic comedy called "Senior Moment..."

The indie film features Shatner as Victor, a former test pilot who dates younger women and loves burning rubber behind the wheel of his beautiful 1955 Porsche.

The movie also stars Watchmen actress Jean Smart, along with Christopher Lloyd (who memorably played a Klingon in the 1984 movie Star Trek III: The Search for Spock).

And meanwhile Priceline.com plans a special series of deals this week to honor Shatner's years as their spokesperson (as well as his singing in their earliest dotcom-era commercials, which revived Shatner's spoken-word singing career).

In Captain Kirk's final appearance in 1994's Star Trek: Generations, one of the last things he says is "It was fun." But it looks like in real life, William Shatner is living long and prospering.

Here's that great moment in Slashdot history when Shatner actually answered questions from Slashdot's readers. Have your own favorite William Shatner memory? Share it in the comments to help celebrate his 90th birthday!
Operating Systems

The SvarDOS Community Builds an Open Source DOS Distribution (svardos.osdn.io)

Long-time Slashdot reader sproketboy shared a link to SvarDOS, "an open-source project that is meant to integrate the best out of the currently available DOS tools, drivers and games." From their site: DOS development was abandoned by commercial players a very long time ago, mostly during the early nineties. Nowadays, it survives solely through the efforts of hobbyists and retro-enthusiasts, but this is a highly sparse and unorganized ecosystem. SvarDOS aims to collect available DOS software, package it and make it easy to find and install applications using a network-enabled package manager (like apt-get, but for DOS and able to run even on an 8086 PC).

Once installed, SvarDOS is a minimalistic DOS system that offers only the FreeDOS kernel and the most basic tools for system administration. It is up to the user to install additional packages. Care is taken so SvarDOS remains 8086-compatible, at least in its most basic (core) configuration.

SvarDOS files are published under the terms of the MIT license. This applies only to SvarDOS-specific files, though - the packages supplied with SvarDOS may be subject to different licenses (GPL, BSD, Public Domain, Freeware...).

Security

How a Malicious Actor Targeted a Go Package On GitHub (michenriksen.com)

ArghBlarg (Slashdot reader #79,067) shares some research from a senior application security engineer at GitLab: Michael Henrikson describes his investigations into Go package manager "supply chain" attacks and found at least one very suspicious package, typosquatting on one of the most popular logging libraries. The imposter package phones home to an IP he alleges belongs to the Chinese company Tencent, a good case for always going over your package imports, in any language, and ensuring you're either a) auditing them regularly, or b) keeping frozen vendored copies which you can trust.
From the article: I honestly expected the list to be bigger, but I was of course happy to see that the Go ecosystem isn't completely infested (yet) with malicious typosquat packages...

It looks like the author utfave wants to know the hostname, operating system, and architecture of all the machines using their version of urfave/cli. The function extracts the system information and then calls out to the IP address 122.51.124.140 belonging to the Chinese company Shenzhen Tencent Computer Systems via HTTP with the system information added as URL parameters. While this code won't give them any access to systems, it's highly suspicious that they collect this information and the actor can quickly change this code to call back with a reverse shell if they identify a system to be valuable or interesting...

I think Go is in a better situation than other programming languages because the source of packages is always explicitly written every time they are used, but code editor automation could make typosquat attacks more likely to happen as the developer doesn't write the import paths manually as often.

Operating Systems

Linux Mint Developers Will Force Updates on Users Like Microsoft Does with Windows 10 (ghacks.net)

AmiMoJo shares a report: Last month, the Linux Mint team published a post on the organization's official blog about the importance of installing security updates on machines running the Linux distribution. The essence of the post was that a sizeable number of Linux Mint devices was running outdated applications, packages or even an outdated version of the operating system itself. A sizeable number of devices run on Linux Mint 17.x, according to the blog post, a version of Linux Mint that reached end of support in April 2019. A new blog post, published yesterday, provides information on how the team plans to reduce the update reluctance of Linux Mint users. Next to showing reminders to users, Linux Mint's Update Manager may enforce some of the updates according to the blog post.

"In some cases the Update Manager will be able to remind you to apply updates. In a few of them it might even insist." Upcoming versions will provide information on the implementation, what the "insisting" part may look like, and whether the installation of updates will be enforced. All of this boils down to a single question: how far should operating system developers go when it comes to updates?
BetaNews adds: "And now, it seems the Linux Mint developers are taking a page out of Microsoft's playbook by planning to force some updates on its users. Yes, folks, Linux Mint is becoming more like Windows 10."
Microsoft

Microsoft Starts Removing Flash From Windows Devices

This week Microsoft began deploying KB4577586, a Windows update that permanently removes the Adobe Flash Player software from Windows devices. From a report: The update was formally announced last year at the end of October, when Microsoft and other browser makers were preparing for the impending Flash end-of-life, scheduled for the end of 2020. According to a support document published at the time, the update was initially supposed to be optional. System administrators who wanted to remove Flash before the EOL date could access the Microsoft Update Catalog, download the KB4577586 packages, and remove Flash to avoid any security-related issues. But this week, multiple Windows 10 users reported that Microsoft is now forcibly installing KB4577586 on their devices and removing Flash support from the OS. While users might think this would cause issues for some enterprises, it actually does not. Last year, Adobe introduced a time bomb in the Flash Player code that prevents the Flash Player app from playing content after January 12.
IT

Fake Amazon Reviews 'Being Sold in Bulk' Online (bbc.com)

Fake reviews for products sold on Amazon's Marketplace are being sold online "in bulk", according to Which? The consumer group found 10 websites selling fake reviews from $7 each and incentivising positive reviews in exchange for payment or free products. From a report: It suggested the firm was facing an "uphill struggle" against a "widespread fake reviews industry". An Amazon spokesman said: "We remove fake reviews and take action against anyone involved in abuse." The retail giant's Marketplace allows other retailers to sell their goods via the Amazon website. Which? identified websites offering review services for goods for sale on Amazon Marketplace that violated the firm's terms and conditions. These included "packages" of fake reviews available for sellers to buy for about $21 individually, as well as bulk packages starting at $862 for 50 reviews and going up to $11,130 for 1,000. The group also suggested that five of the businesses it looked at had more than 702,000 "product reviewers" on their books. Product reviewers are offered small payments ranging from a few pounds up to more than $14, alongside free or discounted products. They can even take part in "loyalty schemes" and earn themselves premium goods, from children's toys to exercise equipment.
OS X

Mac Utility Homebrew Finally Gets Native Apple Silicon and M1 Support (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Homebrew now supports Apple Silicon natively, albeit not with every package. The volunteer Homebrew team made the announcement on the Homebrew blog alongside today's release. While the native support is not yet comprehensive, it bridges the gap significantly, and users can still run Terminal via Rosetta 2 to do what they can't yet while running natively on Apple Silicon. The Homebrew blog post says "we welcome your help" in providing bottles for all packages moving forward.

Here's the full bullet point on Apple Silicon in the Homebrew 3.0.0 release notes: "Apple Silicon is now officially supported for installations in /opt/homebrew. formulae.brew.sh formula pages indicate for which platforms bottles (binary packages) are provided and therefore whether they are supported by Homebrew. Homebrew doesn't (yet) provide bottles for all packages on Apple Silicon that we do on Intel x86_64 but we welcome your help in doing so. Rosetta 2 on Apple Silicon still provides support for Intel x86_64 in /usr/local."

Government

Nevada Bill Would Allow Tech Companies To Create Governments (apnews.com)

Planned legislation to establish new business areas in Nevada would allow technology companies to effectively form separate local governments. From a report: Democratic Gov. Steve Sisolak announced a plan to launch so-called Innovation Zones in Nevada to jumpstart the state's economy by attracting technology firms, Las Vegas Review-Journal reported Wednesday. The zones would permit companies with large areas of land to form governments carrying the same authority as counties, including the ability to impose taxes, form school districts and courts and provide government services. The measure to further economic development with the "alternative form of local government" has not yet been introduced in the Legislature. Sisolak pitched the concept in his State of the State address delivered Jan. 19. The plan would bring in new businesses at the forefront of "groundbreaking technologies" without the use of tax abatements or other publicly funded incentive packages that previously helped Nevada attract companies like Tesla. Sisolak named Blockchains, LLC as a company that had committed to developing a "smart city" in an area east of Reno after the legislation has passed.
Open Source

Why AWS Is Forking Elasticsearch and Kibana (zdnet.com)

Steven J. Vaughan-Nichols writes at ZDNet: When Elastic, makers of the open-source search and analytic engine Elasticsearch, went after Amazon Web Services (AWS) by changing its license from the open-source Apache 2.0 license (ALv2) to the non-open-source-friendly Server Side Public License, I predicted "we'd soon see AWS-sponsored Elasticsearch and Kibana forks." The next day, AWS tweeted it "will launch new forks of both Elasticsearch and Kibana based on the latest Apache 2.0 licensed codebases." Well, that didn't take long!

In a blog post, AWS explained that since Elastic is no longer making its search and analytic engine Elasticsearch and its companion data visualization dashboard Kibana available as open source, AWS is taking action. "In order to ensure open source versions of both packages remain available and well supported, including in our own offerings, we are announcing today that AWS will step up to create and maintain an ALv2-licensed fork of open-source Elasticsearch and Kibana.... AWS brings years of experience working with these codebases, as well as making upstream code contributions to both Elasticsearch and Apache Lucene, the core search library that Elasticsearch is built on — with more than 230 Lucene contributions in 2020 alone... We're in this for the long haul, and will work in a way that fosters healthy and sustainable open source practices — including implementing shared project governance with a community of contributors..."

Yet another company, Logz.io, a cloud-monitoring company, and some partners have announced that it will launch a "true" open source distribution for Elasticsearch and Kibana.

Debian

Debian Discusses Vendoring -- Again (lwn.net)

Jake Edge, writing at LWN: The problems with "vendoring" in packages -- bundling dependencies rather than getting them from other packages -- seem to crop up frequently these days. We looked at Debian's concerns about packaging Kubernetes and its myriad of Go dependencies back in October. A more recent discussion in that distribution's community looks at another famously dependency-heavy ecosystem: JavaScript libraries from the npm repository. Even C-based ecosystems are not immune to the problem, as we saw with iproute2 and libbpf back in November; the discussion of vendoring seems likely to recur over the coming years. Many application projects, particularly those written in languages like JavaScript, PHP, and Go, tend to have a rather large pile of dependencies. These projects typically simply download specific versions of the needed dependencies at build time. This works well for fast-moving projects using collections of fast-moving libraries and frameworks, but it works rather less well for traditional Linux distributions. So distribution projects have been trying to figure out how best to incorporate these types of applications.

This time around, Raphael Hertzog raised the issue with regard to the Greenbone Security Assistant (gsa), which provides a web front-end to the OpenVAS vulnerability scanner (which is now known as Greenbone Vulnerability Management or gvm). "the version currently in Debian no longer works with the latest gvm so we have to update it to the latest upstream release... but the latest upstream release has significant changes, in particular it now relies on yarn or npm from the node ecosystem to download all the node modules that it needs (and there are many of them, and there's no way that we will package them individually). The Debian policy forbids download during the build so we can't run the upstream build system as is."

Hertzog suggested three possible solutions: collecting all of the dependencies into the Debian source package (though there would be problems creating the copyright file), moving the package to the contrib repository and adding a post-install step to download the dependencies, or removing gsa from Debian entirely. He is working on updating gsa as part of his work on Kali Linux, which is a Debian derivative that is focused on penetration testing and security auditing. Kali Linux does not have the same restrictions on downloading during builds that Debian has, so the Kali gsa package can simply use the upstream build process. He would prefer to keep gsa in Debian, "but there's only so much busy-work that I'm willing to do to achieve this goal". He wondered if it made more sense for Debian to consider relaxing its requirements. But Jonas Smedegaard offered another possible approach: analyzing what packages are needed by gsa and then either using existing Debian packages for those dependencies or creating new ones for those that are not available. Hertzog was convinced that wouldn't be done, but Smedegaard said that the JavaScript team is already working on that process for multiple projects.

Transportation

Amazon Makes First Aircraft Purchase to Expand Cargo Network (bloomberg.com)

Amazon.com is buying 11 used Boeing 767-300 planes, the first time the online retail giant has purchased, rather than leased, aircraft for its fast-growing air cargo operation. From a report: The company on Tuesday said it was buying seven aircraft from Delta Air Lines and four from WestJet Airlines. The WestJet aircraft are currently being converted from passenger to cargo use and will join Amazon's fleet this year. The Delta jets will start flying routes in 2022. By the end of next year, Amazon expects to have more than 85 planes in service, a spokesperson said. Seattle-based Amazon has rapidly expanded its air cargo operations in recent years, part of an effort to speed up delivery of packages to customers and supplement capacity from such carriers as United Parcel Service.
Privacy

Alphabet Unit Wing Blasts New US Drone ID Rule, Citing Privacy (reuters.com)

Alphabet's drone delivery unit Wing criticized Trump administration rules issued this week mandating broadcast-based remote identification of drones, saying they should be revised to allow for internet-based tracking. From a report: On Monday, the Federal Aviation Administration (FAA) issued rules that will allow small drones to fly over people and at night in the United States and mandate remote identification technology for nearly all drones. The rules eliminate requirements that drones, known formally as unmanned aerial vehicles, be connected to the internet to transmit location data, but require them to broadcast remote ID messages via radio frequency broadcast. "This approach creates barriers to compliance and will have unintended negative privacy impacts for businesses and consumers," Wing said Thursday in a blog post, adding "an observer tracking a drone can infer sensitive information about specific users, including where they visit, spend time, and live and where customers receive packages from and when." Wing added that "American communities would not accept this type of surveillance of their deliveries or taxi trips on the road. They should not accept it in the sky."
Netscape

Brexit Deal Mentions Netscape Browser and Mozilla Mail (bbc.com)

References to decades-old computer software are included in the new Brexit agreement, including a description of Netscape Communicator and Mozilla Mail as being "modern" services. From a report: Experts believe officials must have copied and pasted chunks of text from old legislation into the document. The references are on page 921 of the trade deal, in a section on encryption technology. It also recommends using systems that are now vulnerable to cyber-attacks. The text cites "modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x." The latter two are now defunct - the last major release of Netscape Communicator was in 1997. The document also recommends using 1024-bit RSA encryption and the SHA-1 hashing algorithm, which are both outdated and vulnerable to cyber-attacks.
Transportation

US To Allow Small Drones To Fly Over People at Night (reuters.com)

The U.S. Federal Aviation Administration (FAA) on Monday said it is issuing long-awaited rules to allow for small drones to fly over people and at night, a significant step toward their use for widespread commercial deliveries. From a report: The FAA is also requiring remote identification of most drones, which are formally known as unmanned aerial vehicles, to address security concerns. "The new rules make way for the further integration of drones into our airspace by addressing safety and security concerns," said FAA Administrator Steve Dickson in a statement. "They get us closer to the day when we will more routinely see drone operations such as the delivery of packages." The race has been on for companies to create drone fleets to speed deliveries.
Ruby

RubyGems Catches Two Packages Trying to Steal Cryptocurrency with Clipboard Hijacking (bleepingcomputer.com)

One day after they were uploaded, RubyGems discovered and removed two malicious packages that had been designed to steal cryptocurrency from unsuspecting users by installing a clipboard hijacker, reports Bleeping Computer, citing research by open-source security firm Sonatype.

Fortunately, while the packages were downloaded a total of 142 times, "At this time, none of the cryptocurrency addresses have received any funds." These packages were masquerading as a bitcoin library and a library for displaying strings with different color effects. The clipboard hijacker monitored the Windows clipboard for cryptocurrency addresses and, if one was detected, replaced it with an address under the attacker's control. Unless a user double-checks the address after they paste it, the sent coins will go to the attacker's cryptocurrency address instead of the intended recipient...

The base64 encoded string is a VBS file that is executed to create another malicious VBS file and configure it to start automatically when a user logs into Windows. This VBS script is the clipboard hijacker and is stored at C:\ProgramData\Microsoft Essentials\Software Essentials.vbs to impersonate the old Microsoft Security Essentials security software. The clipboard hijacking script monitors the Windows clipboard every second and checks if it contains a Bitcoin address, an Ethereum address, or a raw Monero address.

Security

Hacker Opens 2,732 PickPoint Package Lockers Across Moscow (zdnet.com)

A mysterious hacker used a cyber-attack to force-open the doors of 2,732 package delivery lockers across Moscow. ZDNet reports: The attack, which took place on Friday afternoon, December 4, targeted the network of PickPoint, a local delivery service that maintains a network of more than 8,000 package lockers across Moscow and Saint Petersburg. Russians can order products online and choose to have any of their orders delivered to a PickPoint locker instead of their home address. Once the package arrives, users receive an email or mobile notification, and they can show up and pick up their orders using the PickPoint app. However, the same system that allows users to open lockers and retrieve their packages was attacked on Friday.

Using a yet-to-be-identified exploit, a mysterious hacker forced open the doors for a third of PickPoint's lockers, leaving thousands of packages exposed to theft across Moscow. The reason for the attack has yet to be discovered, but in press releases over the weekend, PickPoint said it notified authorities. The Russian company said it is currently working to restore its network, which has been damaged during the attack. It also remains unclear if packages were stolen from lockers. As the company highlighted in a press release on Saturday, this appears to be "the world's first targeted cyberattack against a post-gateway network."

GNU is Not Unix

Richard Stallman Answers Questions at EmacsConf 2020 (emacsconf.org)

All the videos have now appeared online for the talks at this year's virtual EmacsConf 2020, "the conference about the joy of Emacs, Emacs Lisp, and memorizing key sequences." And among them are an appearance by 67-year-old Richard Stallman, reminding the audience he'd created the first Emacs editor in 1976 "with some help from Guy Steele," then created GNU Emacs in 1984.

Stallman was there to tell the history of the GNU Emacs Lisp Package Archive (and the licensing issues involved) — and how it's ultimately led to the creation of the NonGNU ELPA. "The fundamental plan of NonGNU ELPA is that we won't ask for copyright assignments for those packages, so we won't be able to put them into core Emacs, at least not easily — but we will have some control over how we distribute them. We can put any package into NonGNU ELPA as long as it's free software.

"If we like it, we can set up that way for users to get it. We can put the package in exactly as it is, if there's no problem at all with it. We can make an arrangement with the package's developers to work on it with us and maintain it directly for distribution by NonGNU ELPA. But if they are not interested, we can put it in ourselves, and if we need to make any changes we can do so. So NonGNU ELPA is not meant to be just a way that others can distribute their packages. It's meant at least in a minimal, technical sense to work with GNU Emacs, and we will make changes if necessary so that it works smoothly with GNU Emacs...

"The idea is to have a single Git repository where you can download various packages, but they won't be maintained there. Each of those packages will be copied automatically from some other place, probably some other people have the right access to work on it. This way we can avoid giving a gigantic number of people access to it.

"So far NonGNU ELPA is just a plan. We need people to implement the plan, so if you'd like to help, please write to me. I think this is a very important step for progress, and it's got to be implemented. Thanks, and happy hacking."

Stallman provided a status update on NonGNU ELPA as part of the 46-minute Q&A that followed.

"The creation of it has started. There's an archive and you can download packages. There's a repository to put it in... Still working out the procedures, how to make the arrangements with developers, etc."

But he also answered questions on other topics. Some highlights:

Q: Which distro of GNU/Linux do you use? guix? or something else?

RMS: Trisquel.

Q: If you knew that you would get hit by a bus tomorrow, say because of a fortune-teller, what would you leave behind in terms of advice for stewardship of Emacs and its future?

RMS: Focus on keeping the community strong in defending freedom.

If given the choice to have more people developing the software or defending the software, choose the latter.

Guard your soul carefully... :P

Q: Would you mind sharing your Emacs configuration files?

RMS: Configuration files are personal and will not be shared.

Security

Malicious npm Packages Caught Installing Remote Access Trojans (zdnet.com)

The security team behind the "npm" repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects. From a report: The names of the two packages were jdb.js and db-json.js, and both were created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications. Both packages were uploaded to the npm package registry last week and were downloaded more than 100 times before their malicious behavior was detected by Sonatype, a company that scans package repositories on a regular basis. According to Sonatype's Ax Sharma, the two packages contained a malicious script that executed after web developers imported and installed either of the two malicious libraries. The post-install script performed basic reconnaissance of the infected host and then attempted to download and run a file named patch.exe that later installed njRAT, also known as Bladabindi, a very popular remote access trojan that has been used in espionage and data theft operations since 2015.