No one likes a heart-stopping AWS bill shock so now there’s a machine learning tool to help detect cost anomalies

AWS has introduced Cost Anomaly Detection, a new feature now in beta driven by machine learning that pledges to notify admins of “unexpected or unusual spend”.

Bill shock is a problem suffered, on occasion, by small and big AWS customers alike. At the small end, there are cases like that of Chris Short, using AWS for his Content Delivery Network (CDN) to scale his website at a cost of around $23.00 per month. One morning he woke up to a bill of $2,657.68, thanks to sharing a 13.7GB file that proved unexpectedly popular. At the other end, the average organisation is over budget on cloud spend by 23 per cent, as we reported here.

While puzzling out what specific cloud services will cost can be a challenge, the big cloud providers are pretty good at showing you where your money has gone with them individually. AWS has a Cost Management service which includes reports, budgets and recommendations, to which the company is now adding Cost Anomaly Detection.

Creating a Cost Monitor for AWS Anomaly Detection


This is configured by adding a Cost Monitor to an AWS account. There are four types of monitor. The generic AWS Services monitor is fully automated. The Linked Account monitor is specific to other AWS accounts linked to an organisation. A Cost Category monitor evaluates spend for a specific category as labelled by the administrator. Finally, a similar Cost Allocation Tag monitor evaluates spend for services with a specific cost tag.


Once the type of Cost Monitor is selected, admins set an alert threshold, which is the minimum size of an anomaly that will be notified; the frequency of alerts, from individual alerts as anomalies arise to daily or weekly summaries; and a Simple Notification Service (SNS) topic through which the alerts are sent. Daily or weekly summaries can be sent by email to up to 10 recipients, but admins who opt for individual alerts must go through SNS. This is inexpensive: the first 1,000 emails, or 100 SMS messages, per month are free. Each AWS account can create one AWS Services monitor and up to 101 additional cost monitors.
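The configuration steps above map onto two Cost Explorer API calls, CreateAnomalyMonitor and CreateAnomalySubscription. The following is an added example (not code from the article or from AWS's own documentation) that builds the request bodies for the four monitor types and a subscription, and enforces the delivery rules the article describes before anything is sent: individual alerts need an SNS topic, summaries may go to at most 10 email recipients, and the threshold is a minimum anomaly size in dollars. The builders are pure functions; only the `main()` path assumes boto3 and AWS credentials, and the account ID and topic ARN there are placeholders.

```python
"""Added example: build and submit AWS Cost Anomaly Detection requests.

Assumptions (not from the article): boto3 is installed and credentials are
configured only if you run main(); the ARN and account ID in main() are placeholders.
"""
from __future__ import annotations

from typing import Any

FREQUENCIES = {"IMMEDIATE", "DAILY", "WEEKLY"}
MAX_EMAIL_SUBSCRIBERS = 10  # the article: daily/weekly summaries go to up to 10 addresses


def build_monitor(name: str, kind: str, values: list[str] | None = None,
                  key: str | None = None) -> dict[str, Any]:
    """Return the AnomalyMonitor structure for one of the four monitor kinds.

    kind: "services" | "linked_account" | "cost_category" | "tag"
    values: account IDs, cost category values or tag values (unused for "services")
    key: the cost category name or the tag key (required for those two kinds)

    The generic AWS Services monitor is a DIMENSIONAL monitor on the SERVICE
    dimension; the other three are CUSTOM monitors scoped by a Cost Explorer filter.
    """
    if kind == "services":
        return {"MonitorName": name, "MonitorType": "DIMENSIONAL",
                "MonitorDimension": "SERVICE"}
    if not values:
        raise ValueError(f"{kind} monitor needs at least one value to match")
    if kind == "linked_account":
        expr = {"Dimensions": {"Key": "LINKED_ACCOUNT", "Values": values}}
    elif kind == "cost_category":
        if not key:
            raise ValueError("cost_category monitor needs the category name as key")
        expr = {"CostCategories": {"Key": key, "Values": values}}
    elif kind == "tag":
        if not key:
            raise ValueError("tag monitor needs the tag key")
        expr = {"Tags": {"Key": key, "Values": values}}
    else:
        raise ValueError(f"unknown monitor kind {kind!r}")
    return {"MonitorName": name, "MonitorType": "CUSTOM", "MonitorSpecification": expr}


def build_subscription(name: str, monitor_arns: list[str], threshold_usd: float,
                       frequency: str, sns_topic_arn: str | None = None,
                       emails: list[str] | None = None) -> dict[str, Any]:
    """Return the AnomalySubscription structure, enforcing the delivery rules:
    IMMEDIATE (per-anomaly) alerts must go to an SNS topic; DAILY/WEEKLY summaries
    may go by email to at most MAX_EMAIL_SUBSCRIBERS addresses."""
    if frequency not in FREQUENCIES:
        raise ValueError(f"frequency must be one of {sorted(FREQUENCIES)}")
    if threshold_usd < 0:
        raise ValueError("threshold is a minimum anomaly size in USD and cannot be negative")
    subscribers: list[dict[str, str]] = []
    if sns_topic_arn:
        subscribers.append({"Address": sns_topic_arn, "Type": "SNS"})
    for addr in emails or []:
        subscribers.append({"Address": addr, "Type": "EMAIL"})
    if not subscribers:
        raise ValueError("a subscription needs at least one SNS topic or email address")
    if frequency == "IMMEDIATE" and not sns_topic_arn:
        raise ValueError("IMMEDIATE alerts are delivered only via SNS; add an SNS topic")
    if len(emails or []) > MAX_EMAIL_SUBSCRIBERS:
        raise ValueError(f"at most {MAX_EMAIL_SUBSCRIBERS} email recipients per subscription")
    return {"SubscriptionName": name, "MonitorArnList": monitor_arns,
            "Subscribers": subscribers, "Threshold": float(threshold_usd),
            "Frequency": frequency}


def create_monitor_and_subscription(ce_client, monitor: dict, subscription: dict) -> dict:
    """Create the monitor, then a subscription bound to its ARN. ce_client is a
    boto3 Cost Explorer client (or any object exposing the same two methods)."""
    arn = ce_client.create_anomaly_monitor(AnomalyMonitor=monitor)["MonitorArn"]
    sub = dict(subscription, MonitorArnList=[arn])
    sub_arn = ce_client.create_anomaly_subscription(AnomalySubscription=sub)["SubscriptionArn"]
    return {"MonitorArn": arn, "SubscriptionArn": sub_arn}


if __name__ == "__main__":
    import boto3  # live path only; Cost Explorer is served from us-east-1
    ce = boto3.client("ce", region_name="us-east-1")
    mon = build_monitor("all-services", "services")
    sub = build_subscription("ops-pager", [], threshold_usd=100.0, frequency="IMMEDIATE",
                             sns_topic_arn="arn:aws:sns:us-east-1:123456789012:cost-anomalies")
    print(create_monitor_and_subscription(ce, mon, sub))
```

Point the SNS topic at whatever already pages your on-call rota; a summary email to ten inboxes is cheap, but the article's point about detection lag means the per-anomaly SNS path is the one worth wiring up first.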

How good is the anomaly detection? That is the key question and one only customers will be able to answer. The detection engine runs around three times a day, after billing data is processed, which means there is some (potentially expensive) delay between a spend spike and an alert. It is driven by a machine learning model, indicating scope for both under- and over-reporting, but the service is expected to improve as the model is refined.

People may wonder whether it is really in the interests of AWS to provide a service that helps customers spend less money. It is true that, like every company, the cloud providers are always trying to persuade their users to adopt new services or add premium features. That said, none of the experts we have spoken to think that there is deliberate confusion marketing – where pricing is deliberately complex so that customers spend more than they intend – or that providers like having their users waste money. The counter argument holds more sway, that the providers want satisfied customers. The current high demand for cloud services makes this position an easy one to hold.

Anomaly detection is not the complete answer to overpaying. After all, if an organisation paid more than it needed to last month, it is not an anomaly if it does so again. ®

Despite rolling a homegrown translation app with iOS 14, Apple resorts to freebie tool for Dutch Ts-and-Cs waffle

Apple is apparently so skint that it has had to resort to freebie versions of machine-based translation services for its Dutch legalese.

Spotted by a Register reader browsing the small print behind the company’s services, the text “Vertaald met (gratis versie)” can be found lurking just above the “DEFINITIE VAN APPLE” section in the terms-and-conditions doc.

For those not versed in Dutch, that means something like “Translated with (free version)”.

Apple’s Dutch legalese

We’d give you our own definition of Apple, but that’s possibly how we wound up on the company’s naughty step.

DeepL Translator [PDF] was first released in August 2017, with the free service (presumably the one that has found favour within Cupertino) being supplemented by DeepL Pro in March 2018. An application to integrate with Windows and macOS arrived in September 2019.

Sadly, it appears that for Apple, maker of the $999 iPhone 11 Pro and $5,999 Mac Pro, the €39.99 per month/per user of DeepL’s “Ultimate” tier subscription is just a little too much. Even the €5.99 tier is a step too far.

Odd, because by opting for the freebie incarnation, Apple has elected to skip DeepL’s maximum data security level for its translation (with end-to-end encryption and immediate text deletion). Stranger still, the recent iOS 14 update added an Apple-built translation app to iPhones. Maybe they should have used that.

The Register contacted Apple to find out why a link to a free translation service had found its way into its terms and conditions. We’re shocked, shocked, to report that the company has yet to respond.

DeepL has also not responded to our request for comment.

A quick look at old versions of the page shows that the translation credit appeared relatively recently, presumably when the likes of Fitness+ were crowbarred in. Apple Fitness+ costs $9.99 a month, a little more than how much DeepL asks per month for its basic tier.

It could be worse. The translation-based snafu could have ended up on a road sign.

As for our reader? He noted: “The translation is rather poor, I didn’t expect this kind of work from Apple.”

If the quality of recent software from the fruity branded biz is anything to go by, this is exactly the sort of thing we’ve come to expect. ®

Uber allowed to continue operating in English capital after winning appeal against Transport for London

Uber has won an appeal against Transport for London’s decision not to renew the ride-hailing app biz’s licence for the English capital, ending a three-year tussle between the pair.

The ruling is the culmination of a hearing at Westminster Magistrates’ Court that ran a fortnight ago from 14 to 17 September, with deputy chief magistrate Tan Ikram declaring today: “Despite [Uber’s] historical failings, I find them, now, to be a fit and proper person to hold a London PHV (private hire vehicle) operator’s licence.”

He added that he did, however, “wish to hear from the advocates on conditions and on my determination as to the length of a licence”.

Uber had itself wanted a five-year licence but, as things stand, has an 18-month licence.

The company has yet to comment publicly.

The head-to-head between Uber and TfL kicked off in September 2017 when the authority said private operators needed to meet “rigorous regulations” that are “designed to ensure passenger safety”, and Uber had fallen short of these.

This related to a hole in Uber’s systems that allowed unauthorised drivers to upload their pictures to official drivers’ accounts. Thousands of passenger journeys were undertaken in which the passenger thought their driver was someone else and that driver was not insured. Trips were also made by drivers TfL had previously banned as another hole in the system allowed them to create new accounts with Uber.

The way enhanced Disclosure and Barring Service checks were carried out had also concerned TfL, and the authority claimed Uber had failed to detail its use of Greyball software that could block regulatory bodies from getting full access to its app.

Tim Ward, QC for Uber London Ltd, said during the court proceedings that the company had made technical improvements, including to its governance and document systems.

Judge Ikram said that Uber had presented “no real challenge to the facts as presented by TfL” but he reckoned Uber “challenged the suggestion that breaches were not taken seriously and any suggestion of bad faith on their part”.

He added that in respect of document and insurance fraud, “Uber now seem to be at the forefront of tackling an industry-wide challenge.”

Unsurprisingly, the Licensed Taxi Drivers Association (LTDA) branded today’s decision a “disaster”.

“Uber has demonstrated time and time again that it simply can’t be trusted to put the safety of Londoners, its drivers and other road users above profit. Sadly, it seems that Uber is too big to regulate effectively, but too big to fail.

“By holding up their hands and finally accepting some responsibility, Uber has managed to pull the wool over the eyes of the court and create the false impressions that it has changed for the better. A leopard doesn’t change its spots and we are clear that Uber’s underlying culture remains as toxic as it has ever been.”

The App Drivers and Couriers Union (ADCU) claimed the decision had secured the jobs of 43,000 drivers employed by Uber, but it wants to see Uber and TfL learn lessons from the case.

“Uber drivers pay the company 25 per cent of every fare and in return are entitled to expect the company to operate the business in a safe and compliant manner,” said Yaseen Aslam, ADCU president. “Instead Uber has put profit first and placed the livelihood of 43,000 workers at risk.

“It is time for the Mayor of London to break up the Uber monopoly by limiting the number of drivers allowed to register on the Uber platform. The reduced scale will give both Uber and Transport for London the breathing space necessary to ensure all compliance obligations – including workers’ rights – are met in the future.”

Following TfL’s 2017 rejection of Uber’s operator’s licence applications, the biz was granted a 15-month provisional licence in June 2018, and a further two months were granted in September 2019 before TfL decided in November last year that Uber shouldn’t get that licence back.

Updated on 29 September at 12.13 BST to add:

Following publication of this article, Uber sent us a statement:

Jamie Heywood, Uber regional general manager for Northern & Eastern Europe, said: “This decision is a recognition of Uber’s commitment to safety and we will continue to work constructively with TfL. There is nothing more important than the safety of the people who use the Uber app as we work together to keep London moving.”®

Feds warn foreign disinformation will be spamming US voters well after the November election to sow discord and doubt

In Brief Foreign-backed disinformation campaigns will spread fake news about the results of the upcoming US election in an effort to sow doubt and outrage among the American public.

This is according to an alert issued by the FBI and Department of Homeland Security this week. The two agencies believe that in the immediate aftermath of the presidential election on November 3, Americans will be bombarded with false stories about the vote tally, reports of voter fraud, and other issues that would stoke division as the country awaits official election results – a process that could take weeks.

Unlike the 2016 election, when most of the disinformation was sprayed out in the run-up to the vote, this cycle’s campaigns will also aim to make people question whether the results themselves are valid, the alert states. People are urged to check their facts carefully with multiple sources and on official government websites.

“The increased use of mail-in ballots due to COVID-19 protocols could leave officials with incomplete results on election night,” the agencies warned.

“Foreign actors and cybercriminals could exploit the time required to certify and announce elections’ results by disseminating disinformation that includes reports of voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy.”

ATM skimming crew busted

The DOJ has indicted nine people it says operated a string of ATM skimmer operations netting more than $100,000 in theft.

The crew, it is said, placed “skimmer” devices over the card readers of ATMs and collected the card information of people who used the kiosks. They would then yank the skimmers and encode the data onto blank cards which they could use or sell to others.

This was done between March 2019 and June 2020 across a string of states in the southeastern US: Florida, Louisiana, Georgia, and Mississippi, as well as in New York state.

Each of the nine has now been indicted on one federal count of conspiracy to commit device fraud. Police have also reportedly arrested other suspected members of the gang.

You’re never going to believe this, but Cisco has patched some bugs

The latest patch bundle from Switchzilla is a hefty one, containing a total of 42 CVE-listed vulnerabilities across various networking gear.

Fortunately, none of the fixes are for issues deemed critical, but 29 are rated high severity and should be patched as soon as possible.

These include a firewall denial of service bug, a code execution flaw, and an arbitrary file overwrite in IOS XE appliances, two denial of service bugs in Aironet Access Points, and denial of service in the Catalyst 9200 series switches.

Teen hacker bags $25K payout for Instagram bug find

A 14-year-old Brazilian developer has netted himself a nice payday from Facebook, thanks to a critical bug find in Instagram.

Andres Alonso says that he stumbled upon the cross-site scripting flaw by accident while he was working on his own mobile app.

While wading through some integration code with Instagram’s AR filter creator, he figured out that someone could redirect the URL a filter links to without the user getting any notification. At the time, though, he couldn’t quite get a proof-of-concept to work and show it was a complete XSS vulnerability.

Still, Alonso reported the issue to Facebook, whose security team confirmed that it was indeed a bug that would allow for dangerous cross-site scripting and decided to award the teen a tidy $25,000 bounty. Facebook’s crew said the dodgy code could be used in an XSS attack against Instagram but reckoned it hadn’t been used in the wild.

“I have to thank Facebook for making a little push in my report escalating to an XSS,” he said.

It’s 2020, and we’re still trying Silk Road cases

It has been more than five years since Silk Road boss Ross Ulbricht was sent to prison for a double life sentence plus 40 years without the possibility of parole, and US authorities are still trying people tied to the notorious drugs market.

This time, it’s programmer Michael Weigand, who pled guilty to lying to federal investigators about his role in the market.

Specifically, Weigand admitted that he was actually involved in helping suss out potential security holes in the site and that he worked with both Ulbricht and Silk Road advisor Roger Thomas Clark.

Additionally, Weigand admitted to flying to London to meet one of Clark’s friends under the guise of starting a marijuana seed business, but instead going to Clark’s London residence to destroy evidence.

“When Weigand was questioned by law enforcement in 2019, he falsely claimed not to have done anything at all for Silk Road,” said US Attorney Audrey Strauss. “For his various false statements, Weigand now faces potential prison time.” ®

Too many staff have privileged work accounts for no good reason, reckon IT bods

Around 40 per cent of staff in British and American corporations have access to sensitive data that they don’t need to complete their jobs, according to recent research.

In a survey commissioned by IT security firm Forcepoint of just under 900 IT professionals, 40 per cent of commercial sector respondents and 36 per cent working in the public sector said they had privileged access to sensitive data through work.

Worryingly, among those with privileged access, more than a third (38 per cent in the public sector, 36 per cent in the private) said they had privileges they did not need. Overall, out of more than 1,000 respondents, just 14 per cent from the private sector thought their org was fully aware of who had the keys to their employers’ digital kingdoms.

Carried out by the US Ponemon Institute, a research agency, the survey also found that about 23 per cent of IT pros across the board reckoned that privileged access to data and systems was handed out willy-nilly, or, as Forcepoint put it in a statement, “for no apparent reason”.

Access management is a critical topic for IT security bods, especially as COVID-19-induced remote working introduces challenges for the monitoring of data access and intra-org flows.

In a finding bound to shore up frontline workers’ opinions of each other, fully half of respondents (49 per cent public sector, 51 per cent private) expressed the view that users with elevated access privs would browse through data “because of their curiosity”, while just over 40 per cent thought their co-workers could be “pressured” to share login credentials.

More than half thought incident-based security tools yielded false positives as well as more data “than can be reviewed in a timely fashion”, suggesting that workers see gotta-log-em-all security tools as more of an obstacle than an aid to finding and plugging breaches, or to catching malicious insiders exfiltrating valuable data.

“To effectively understand the risk posed by insiders, it takes more than simply looking at logs and configuration changes,” said Nico Popp, chief product officer at Forcepoint, in a canned statement.

“Incident-based security tools yield too many false positives; instead IT leaders need to be able to correlate activity from multiple sources such as trouble tickets and badge records, review keystroke archives and video, and leverage user and entity behaviour analytics tools. Unfortunately, these are all areas where many organizations fall short.”

The survey took responses from 755 UK and 1,128 American workers in the public and private sectors. ®

Not the Southern Rail of the stars: Rocket Lab plans frequent, regular trips to Venus from 2023

A month can be a long time in space exploration. Since we last spoke to Rocket Lab’s Peter Beck, scientists have published results that hint at life in the clouds of Venus, while Beck’s rocketeers popped a Photon demonstrator into Earth orbit.

CEO Beck talked with us about his plans for a privately funded Venus mission a month ago, but was careful with his words, laughing “otherwise I get headlines like ‘Pete’s searching for aliens'”.

The speculation generated by the Royal Astronomical Society press briefing a few short weeks later generated far more lurid copy about what might be floating about in the atmosphere of Venus. Beck’s passion for the mission remains, however, undimmed.

With Flight 14 safely away, replete with a surprise demonstrator of Rocket Lab’s Photon spacecraft, Beck was happy to go into detail on what he planned to launch to Venus in May 2023.

The mission profile is deceptively simple. The interplanetary version of the Photon will undertake a voyage of around 160-180 days to Venus. The probe will detach and, as Photon performs a flyby of the planet, plunge into the atmosphere at approximately 11 kilometres per second, transmitting data as it goes.

This is where the real fun starts.

“We get around 300 seconds of really interesting time in the region that everybody’s interested in,” explained Beck, “and the real challenge right now is the instrument. We’re going there to look for signs of life, and in order to design the instrument you have to make some assumptions about what that life is.”

Beck’s 27kg probe will indeed carry a single instrument weighing in at around 3kg, rather than the multitude of gadgets seen on other spacecraft. Instead of a single, big mission every decade or so, Beck plans to send a multitude of lighter, cheaper spacecraft, iterating the payload as results come in.

“It’s a different way of doing planetary science,” he asserted. “The approach I personally prefer is: ‘Let’s do a bunch of missions for tens of millions of dollars, and let’s do them really, really regularly, and frequently’.

“The ability to kind of increment the science is what’s really interesting. You can go there with a hypothesis, test your hypothesis, and go, ‘Well, that was wrong,’ and go back again, with a new hypothesis and iterate.”

Beck speculated that it might take 10 missions or more to conclusively prove things one way or another: “If we follow the traditional model… I haven’t got 100 years to wait, I want that question answered now!”

The numbers, in terms of the billion-dollar missions often seen heading to the stars, look good (comparatively speaking). Rocket Lab is charging NASA $10m for the lunar version of the Photon due to launch next year, including the Electron on which it will ride. The $30m-$50m for the more complex mission to Venus is, according to Beck, “a bargain”.

Of course, he would say that.

Beck expects to fly at least one more Photon before NASA’s lunar mission (“they’re just a drop-in for the kick stage,” he said, “as long as there is mass margin on the flight”) and more are planned in order to refine the design ahead of that first mission to Venus.

Having successfully returned to flight, Rocket Lab has a busy few months coming up. Its US launchpad will see its first mission once the paperwork for the abort system is complete and the second New Zealand facility is nearing completion. Additional launchpads might feature in the future if the company is asked for inclinations below 37 degrees.

It also hopes to see the Electron of Flight 17 return to Earth safely via parachute.

But looking for evidence of life on Venus is the ultimate name of the game. “What galvanised my interest in space,” said Beck, “is: ‘Are we alone? Is life in the universe unique, or is it prolific?’

“The evidence we have now is that we are the only life in the universe. If you can find life [or evidence of life] on Venus then you fundamentally change that data point.

“And if you have the capability to go and try and answer that question, it’s just totally unacceptable to not try.” ®

Stop us if you’ve heard this one before: Crypto exchange cracked, Bitcoin burgled

A cryptocurrency exchange called KuCoin says it has been cracked, with over $100m of assets misappropriated.

The Register last covered KuCoin when it was mentioned by the Bitcoin-burgling cybercrooks who hacked a bunch of prominent Twitter users.

The Seychelles-based outfit, founded in 2017, proudly boasts of its venture capital backers who clearly admire its services facilitating trading of “numerous digital assets and cryptocurrencies”. And on Saturday it advised users that it “detected some large withdrawals since September 26, 2020 at 03:05:37 (UTC+8)” and that an internal security audit revealed “part of Bitcoin, ERC-20 and other tokens in KuCoin’s hot wallets were transferred out of the exchange, which contained few parts of our total assets holdings. The assets in our cold wallets are safe and unharmed, and hot wallets have been re-deployed.”

The company also promised that any losses would be covered by insurance, but also advised that deposit and withdrawal services would be suspended pending a security review.

A later update included an FAQ in which customers asked why some of the withdrawals continued even after the first incident notification was posted. KuCoin assured customers it conducted those transactions itself and advised that restoration of withdrawal functions could take a week. In the volatile world of cryptocurrency, a week can be the difference between a win and a bust.

A Monday update, the latest, revealed the scale of the hack: KuCoin now puts the affected assets at over $130m. It also describes work with a number of crypto players to identify suspicious transactions and freeze funds, and even lists some addresses suspected of involvement in the heist.

“KuCoin has been in touch with a growing number of industry partners to take tangible actions, thanks to all of you for your support!,” the statement concluded.

However, the latest statement does not offer any further information on the cause of the incident, remediation steps, or restoration times.

So there you have it, dear reader: a venture-backed startup, based in a tax haven, demonstrating the future of money in all its glory.

And in the background, China deciding that its own digital currency will be run only by its biggest banks with new payment players like Alibaba not allowed anywhere near its innermost workings. ®

Inflated figures and customers who were never there. Just another data migration then

Who, Me? The Register’s Who, Me? column dips a toe into the world of high finance and iffy numbers as a reader realises that freebies aren’t always A Good Thing.

“Tom”, for that is certainly not his name, was toiling away in the machinery of a large IT consultancy back at the start of the century, dealing with data migration and specialising in SAP systems.

“The company’s Random Project Allocator™ assigned me to a project at an internet provider,” he told us. For the purposes of this story, and for reasons that will become very clear, we’re going to call them “NaughtyCo”.

“The project,” Tom went on, “was to design, build, test, and install a new non-SAP-based billing and customer service system.”

A classic “large IT consultancy” project for sure, although this was the first time Tom and his team had laid hands on it. Another company had had an earlier crack at it, but the inevitable balls-up had resulted in a pulled go-live date.

“We had been called in to sort out the testing and data migration to get it over the line,” he explained. The heroes of the hour.

Tom was tasked with leading the data migration, performing a trial cutover to make sure things would work, and then pressing the big red button for the production environment. The data would then be reconciled.

Those expecting the usual oopsie involving mixing up test and production can relax. This wasn’t Tom’s first rodeo. He did, however, find something decidedly whiffy in NaughtyCo’s data.


Having worked out what the migration involved, Tom was dismayed to find that the previous effort was a mess of manual workarounds and what he charitably called “Excel-based wizardry” lurking behind the scenes. It was little wonder that things had been halted, and he and his team set about picking up the pieces.

It took a while, but eventually trials of the migration could be run. Tom produced a weekly report for management showing how many customers his system had successfully moved across, and how many had failed. The total came to several hundred thousand.

Unfortunately, Tom’s total was light by tens of thousands, according to a worried project manager. His figures must be wrong.

The customer count was significant since it was reported to the stock exchange and affected the value of the company. Perplexed, Tom went back to look at his figures in search of the missing customers.

“I checked the numbers and came to some interesting conclusions,” he said.

“Depending on your point of view we were both right. My figures represented the number of customers that paid money to NaughtyCo; the figure my boss was using represented the number of internet accounts. The difference was a surprisingly large number of staff accounts, test accounts, free accounts and inactive accounts.”

Well, this was a bit awkward. Feeding false information to the stock exchange smells a bit like fraud. Fortunately for Tom, “I had exposed the situation and not caused it.”

His boss was not happy and swore him to secrecy while she headed upstairs to discuss matters with the bigger bosses.

A plan was hatched. The company would spend the next few months gradually aligning the numbers reported to the stock exchange to match reality, but carefully so as to avoid frightening the horses. The tens of thousands of mystery accounts were shown the sharp end of the axe in the meantime.

As for Tom, “when we cut over to production the migration went smoothly and there were no more surprises regarding the number of customers.

“It just goes to prove the old adage that there are lies, damn lies, and statistics.”

Ever discovered an inconvenient truth? Did you nudge it under the carpet or sling it from the rooftops? Share all with an email to Who, Me? ®

Windows to become emulation layer atop Linux kernel, predicts Eric Raymond

Open-source software advocate Eric S Raymond has penned an argument that the triumph of Linux on the desktop is imminent because Microsoft will soon tire of Windows.

Raymond’s argument, posted to his blog late last week, kicked off with some frank admiration for Windows Subsystem For Linux, the tech that lets Linux binaries run under Windows. He noted that Microsoft is making kernel contributions just to improve WSL.

Raymond is also an admirer of software called “Proton”, a Wine-based compatibility layer (loosely described as emulation) that allows Windows games distributed by Steam to run under Linux.

Raymond rated Proton as “not perfect yet, but it’s getting close”.

His next item of note was Microsoft’s imminent release of its Edge browser for Linux.

That collection of ingredients, he argued, will collide with the fact that Azure is now Microsoft’s cash cow while the declining PC market means that over time Microsoft will be less inclined to invest in Windows 10.

“Looked at from the point of view of cold-blooded profit maximization, this means continuing Windows development is a thing Microsoft would prefer not to be doing,” he wrote. “Instead, they’d do better putting more capital investment into Azure – which is widely rumored to be running more Linux instances than Windows these days.”

Raymond next imagined he was a Microsoft strategist seeking maximum future profits and came to the following conclusion:

Over time, Raymond reckoned, Windows emulation would only be present to handle “games and other legacy third-party software”. And eventually Microsoft will get so focused on Azure, and so uninterested in spending money on Windows, that it will ditch even the Windows emulation layer.

“Third-party software providers stop shipping Windows binaries in favor of ELF binaries with a pure Linux API … and Linux finally wins the desktop wars, not by displacing Windows but by co-opting it.”

The end. ®

Are injection flaws the Bohemian Rhapsody of cybersecurity?

Webcast Whether you’re into cybersecurity or application development, you probably also like lists, which means you probably love the OWASP Top 10.

The list was first posted by the security non-profit back in 2003, and has been updated every few years since, securing its reputation as the first step for developers towards more secure coding.

The latest update is due this autumn, and needless to say, it comes amidst a time of extraordinary change, both in the world of infosec, and the wider world of tech and business.

Organizations are grappling with the existing challenges of digital transformation, the shift to the cloud and the continued industrialisation of cybercriminality and, more recently, the disruption caused by the sudden migration of large parts of the economy to home working.

Throw in the explosion in the use of open source components, the role of containers, and new approaches to integrating dev, sec and ops, and you’ve got a scarily wide attack surface for hackers to play with. So, before the results are read out, you really should join us on September 29, at 11am UK time for a webcast brought to you by F5 and dedicated to the OWASP Top 10.

El Reg’s broadcasting maestro Tim Phillips will be joined by F5’s senior threat research evangelist David Warburton, and together they’ll be chewing over the context of this year’s upcoming list.

Yes, there will be insight on what changes to expect and whether there’s likely a new number one, or whether injection flaws are set to be the cybersec equivalent of Bryan Adams, Queen…or Drake.

But Tim and David will also dig deeper into why the OWASP Top 10 remains essential to maintaining your security posture, and how you can use it effectively to stay ahead of the curve – and the hackers and cybercriminals looking to exploit that same list of vulns.

They’ll also be exploring what the changing IT landscape – particularly that open source and cloud native shift – means for both the Top 10 and your own efforts to protect your organisation.

This all happens right here on El Reg. All you need to do is register here, and we’ll serve up Tim and David, to a screen near you, whether it’s at work, at home or somewhere in between.

Putin to Trump: Let’s collude to stop election hacking

Russia has taken the unusual step of posting a proposal for a new information security collaboration with the United States of America, including a no-hack pact applied to electoral affairs.

The document, titled “Statement by President of Russia Vladimir Putin on a comprehensive program of measures for restoring the Russia – US cooperation in the filed [sic] of international information security”, opens by saying “one of today’s major strategic challenges is the risk of a large-scale confrontation in the digital field” before adding: “A special responsibility for its prevention lies on the key players in the field of ensuring international information security (IIS).”

Russia therefore wants to reach agreement with the USA on “a comprehensive program of practical measures to reboot our relations in the field of security in the use of information and communication technologies (ICTs)”.

Putin suggested four actions could set the ball rolling:

  • Resuming “regular full-scale bilateral interagency high-level dialogue on the key issues of ensuring IIS”.
  • Establishing and maintaining “continuous and effective functioning of the communication channels between competent agencies of our States through Nuclear Risk Reduction Centers, Computer Emergency Readiness Teams and high-level officials in charge of the issues of IIS within the bodies involved in ensuring national security, including that of information”.
  • Jointly developing “a bilateral intergovernmental agreement on preventing incidents in the information space similarly to the Soviet-American Agreement on the Prevention of Incidents On and Over the High Seas in force since 25 May 1972”. That agreement aimed to reduce the chance of a maritime incident between the then-USSR and the USA, and included de-escalation measures to stop an incident going nuclear.
  • Exchanging “guarantees of non-intervention into internal affairs of each other, including into electoral processes, inter alia, by means of the ICTs and high-tech methods”.

Russia stands accused of interfering in the 2016 US presidential election with widespread use of fake social media accounts. The USA’s Federal Bureau of Investigation last week warned: “Foreign actors and cybercriminals could create new websites, change existing websites, and create or share corresponding social media content to spread false information in an attempt to discredit the electoral process and undermine confidence in US democratic institutions.” On 17 September FBI director Christopher Wray testified before the House Homeland Security Committee and named Russia as a nation already interfering in this year’s elections (video below).

[Embedded YouTube video]

It is unclear if Russia’s document elicited a public response from the USA.

The two nations sought a cyber-détente in 2017, when Putin and Trump discussed a Cyber Security unit with unspecified functions and purposes.

The effort was quickly explained away as a policy thought bubble that was floated without any accompanying detail. The idea deflated soon afterwards, leaving the two nations in their current state of uneasy enmity… ®

TikTok wins reprieve as judge rules it can stay in American iOS, Android app stores for now

Made-in-China social video app TikTok has convinced a US judge it should remain in American app stores for the foreseeable future – dodging a ban that would have seen it expelled from Google Play and Apple’s app store from midnight on Sunday US time.

A Sunday order [PDF] by justice Carl J Nichols of the United States District Court for the District of Columbia granted an injunction sought by TikTok to keep its software available for new downloads or updates.

Downloads and updates to existing installations are among the “prohibited transactions” that the Trump administration says no US business will be allowed to conduct with TikTok and Tencent’s WeChat messaging service. Other prohibitions would prevent US carriers from carrying traffic to and from the apps.

TikTok last week sought an injunction against the ban on grounds that it violates constitutional rights to free speech and to petition the US government. WeChat already secured a stay of execution on similar grounds.

Justice Nichols’ order doesn’t explain why he decided to grant the injunction and his reasons for doing so are in a separate document that is currently sealed. His order therefore calls on the administration and TikTok to meet on Monday, US time, to read his reasoning and decide if it can be unsealed and released to the public.

The parties were also ordered to meet by Wednesday, 30 September, and “file a Joint Status Report proposing a schedule for further proceedings” and “address any other issues that they believe will be helpful to the Court”.

The order isn’t a huge win for TikTok because it could still lose in another court and still faces likely expulsion from the USA if the administration doesn’t sign off on its deal to be acquired by Oracle, WalMart and others.

US president Donald Trump has offered not-entirely-consistent views on whether the deal should be allowed to proceed, and is now rather busy trying to secure an unusually speedy confirmation of a Supreme Court Justice, preparing for the first of three presidential debates and fending off a bombshell report of systematic tax evasion – all while managing the most severe public health crisis in a century. ®

US finds new Huawei to hurt China with new sanctions at top chip maker SMIC

The US government has told American companies that make semiconductor manufacturing kit that they must obtain a licence to export their products to China’s largest chip maker, the Semiconductor Manufacturing International Corporation (SMIC).

The US Department of Commerce said American exports to SMIC pose an “unacceptable risk” of being used for “military end use”, according to a copy of a letter seen by the Financial Times. The news was subsequently reported by several newswires that said they, too, had seen the document.

SMIC has worked for several US-based fabless silicon designers, including Qualcomm, Broadcom, and Texas Instruments, among others. Huawei is thought to be another client, and SMIC has also applied to continue supplying the controversial company.

Although the Department of Commerce directive is aimed at American businesses, it may extend to include foreign companies that use US technology, such as Japan’s Tokyo Electron, which supplies chip-making kit such as etching machines and film deposition equipment to SMIC. Nikon and Canon have also promoted semiconductor exposure devices to Chinese clients.

The rules have the potential to derail China’s push to become self-sufficient in semiconductors and reduce its dependence on US technology. Under the “Made in China 2025” strategy, the country aims to make 70 per cent of its semiconductors locally, up from less than 20 per cent now. SMIC, one of the country’s “national champions”, is considered the flagbearer of the plan.

The impact of the new rules depends on which SMIC suppliers Washington decides to target. In the worst-case scenario, the US could use the rules to cut off SMIC from US chip-making kit and software entirely. The Reg suspects that the US will not deprive American businesses of all trade, but will make it hard for SMIC to make advanced products that could help China’s government or military.

SMIC’s current mainstay chips are made on 55nm to 65nm processes, but it can also produce more advanced 14nm silicon. Analysts believe the company is two generations behind rival Taiwan Semiconductor Manufacturing Company, which produces chips using 5nm tech for the smartphone market.

In response to the directive, SMIC said it “has no relationship with the Chinese military, and does not manufacture for any military end user or end uses”. The company said it had not received any formal notification of the sanctions. ®

Exercise-tracking app Strava to give away data sweated out after four billion runs, rides and rambles

Exercise-tracking app Strava, notorious for inadvertently revealing the location of military bases, will share a four-billion-record-strong dataset generated by its users in the name of assisting cities to plan for expected post-pandemic bicycle and walking booms.

An email sent to users over the weekend reminded users that Strava doesn’t just let them record their bike rides and track personal best efforts, but also sells the resulting data to urban planners as a product called “Metro” that’s touted as just the thing to inform development decisions about cycling and pedestrian infrastructure.

The email to users referred to a post in which the company said: “Across the globe, athletes have uploaded over four billion activities to Strava. When the community contributes their activities to Metro, they become a critical part of the world’s largest collection of human-powered transport information.”

The post added some age-of-COVID commentary: “The vast majority of cities are experiencing a boom in human-powered transportation. Vehicle traffic has plummeted, while bike sales have soared. Urban planners, now with empty streets and far less demand for parking, have inspiringly blank canvases.”

Strava reckons planners also have a mandate to create bold designs and that its users have not just made themselves a part of its product but helped to create social capital.

Your humble hack knows more than a few cyclists who will probably accept that argument because cycling infrastructure is often spotty, while remaining sanguine about Strava’s problematic potential leakage of users’ home addresses.

Strava points out that users can opt out of having their data collected for the ever-growing Metro dataset. However, collection for Metro appears to be on by default in the Strava app and the opt-out feature is a couple of layers below the everyday UI.

The company won’t share Metro data with just anyone, but mentions urban planners and bicycle advocacy groups as among those it will authorise to use the trove. ®

Bad boys bad boys, what you gonna do? Los Angeles Police Department found fibbing about facial recognition use

In brief The Los Angeles Police Department has run facial recognition algorithms a whopping 29,817 times over a decade in an attempt to identify suspected criminals captured in CCTV footage, despite promising it wouldn’t.

Officers used software built by DataWorks Plus, the same biometrics company whose technology led to two wrongful arrests by the Detroit Police Department, according to the Los Angeles Times, which uncovered the arrangement. Technically the LAPD does not own the tools; instead it accesses the machine-learning algorithms through a database of mugshots compiled by the Los Angeles County Sheriff’s Department.

LAPD has consistently denied using the controversial technology, but it had, in fact, run machine learning algorithms nearly 30,000 times between November 2009 and September 2020. “We actually do not use facial recognition in the department,” an LAPD spokesperson told the LA Times last year, while adding that it had been deployed in “a few limited instances.”

Experts have repeatedly called for a moratorium on the technology because it often identifies women and people with darker skin less accurately than Caucasian men, leading to racial bias.

Want to work with the CIA?

Uncle Sam’s Central Intelligence Agency has launched a new division focused on the research and development of bleeding-edge technologies to help it spy on other nations.

It’s interested in all sorts of trendy ideas across different areas, from AI and autonomous robots to virtual reality and blockchain. The launch of CIA Labs opens up an official channel to seek partnerships with experts working outside of the agency, like other federal research organizations or academic institutions.

“Some phenomenal innovations have come from CIA over the years, and with CIA Labs, we’re now better positioned to optimize developments and further invest in our scientists and technologists,” Dawn Meyerriecks, head of CIA’s Directorate of Science and Technology, said in a statement this week. “In an evolving threat landscape, CIA Labs will help us maintain our competitive edge and protect our nation.”

Salaries for federal employees are notoriously low, compared to the private sector, making it difficult to attract and retain talent. CIA Labs gives its officers a way to boost pay by promising them the rights to obtain patents and licensing of their IP, effectively commercializing their technology. Profits are capped at $150,000 per year, according to MIT Tech Review.

AI algorithms to detect YouTube videos that need to be rated 18+

YouTube is using AI algorithms to automatically determine if a particular video deserves an age restriction rating or not.

Content that contains things like swear words, nudity, violence, or drug use is slapped with a warning that orders users to log into their YouTube accounts to verify their age. Users under the age of 18 are prevented from pressing play on the moderated video. Now, YouTube wants AI to help it flag naughty videos.

“Going forward, we will build on our approach of using machine learning to detect content for review, by developing and adapting our technology to help us automatically apply age-restrictions,” the Alphabet-owned video sharing platform said this week. “Uploaders can appeal the decision if they believe it was incorrectly applied.”

YouTube also said that it expected more uploaded content to be age-restricted. Younger teens or children trying to access a particular video via a third-party website will be directed to the platform and be forced to watch it.

AI might help YouTube add age restrictions on its videos more quickly, but it’s not a foolproof method of keeping kids away. The easiest way to game the system is to just make an account using a fake birthday, duh. ®

FYI: Mind how you go. We’re more or less oblivious to 75% of junk in geosynchronous orbits around Earth

Three quarters of the orbital debris floating among satellites in geosynchronous orbits around Earth is not being tracked, an astronomical survey has revealed.

The small bits of space junk identified by the study are often overlooked; they’re faint, small, and in a region that’s monitored less intensively than low-Earth orbit. As a result, scientists probing geosynchronous orbits above the equator found that the majority of debris located 36,000km out remains uncatalogued. That could be a problem – or more specifically, a danger – for any spacecraft placed in those orbits.

James Blake, first author of the survey, published in Advances in Space Research, said that the debris is probably old bits of metal that have broken off ancient satellites in collisions or fuel explosions. “We can take an educated guess on where the debris is coming from,” he told The Register.

“Recently, commercial surveys have observed a few cases of ‘anomalies’ exhibited by satellites. Examples include AMC-9, Telkom 1 and Intelsat 29e, all situated within the geosynchronous region. The imaged debris may have originated from similar ‘break-ups’, that can be caused by collisions with other objects, or onboard malfunctions like fuel tank explosions.

“Another potential cause can be general deterioration of satellites over time. Space is a harsh environment, so bits of the spacecraft exterior may shed over time. Only in the last couple of decades have we started to worry about the debris in high altitudes, and so that leaves a lot of time beforehand for break-ups to have occurred unnoticed.”

The team used the Isaac Newton Telescope in the Canary Islands to detect the space junk, relying on sunlight reflected from the debris to pick out the dim flecks of light, and scanned the sky in strips above and below the geosynchronous region. Individual bits of debris were analyzed using software to map out their overall shape, motion, and brightness.

Blake and his colleagues discovered that a lot of the shards appeared to be tumbling in space. The debris trapped in the geosynchronous region is likely to build up over time, as there are no natural processes like atmospheric drag that could dislodge them from their orbits, increasing the chances of impacting satellites currently operating around Earth.

“Much of the drive has been to focus on low-Earth orbit, much closer to the surface of the earth. The consequently smaller volume of this region means that it’s more densely populated and so satellites there are more at risk,” he said.

“However, the geosynchronous region is also a very important region for many services, mainly communications and navigation. These are typically very expensive to manufacture, launch and operate, so there is certainly incentive to investigate threatening debris in their vicinity,” he told us. ®

First they came for chess, then Go… and now, oh for crying out loud, AI systems can beat us at curling

Video Machines have been able to beat human players at chess for years and now they have trounced their creators at “chess on ice,” as curling practitioners sometimes refer to their sport.

Curling involves sliding hefty polished stones on a sheet of ice toward a target area, sometimes with spin so the stone curls. It’s similar to various boules games and shuffleboard, but may involve an additional element: a team member “sweeping” the ice to shift the stone’s trajectory toward its target.

A robot dubbed Curly recently played four matches, without sweeping, against a top-ranked Korean women’s curling team and the Korean national wheelchair curling team.

It – or they, since Curly consists of a thrower unit that gathers visual data near the target area, and external computers – played wheelchair-style, because sweeping is complicated for people in wheelchairs and for robots. And it won three of its four matches.

As described in an article [subscription required] published on Wednesday in the journal Science Robotics, Curly’s creators managed this feat by training the robot to adapt to variable environmental conditions on the fly using a deep reinforcement learning (DRL) algorithm.

“Curly performs adaptive actions that can respond to the environment changes that occur continuously with every shot,” explain authors Dong-Ok Won, Klaus-Robert Müller, and Seong-Whan Lee in their paper. “These changes have a notable influence on the performance if not compensated appropriately in a continuous manner.”

Creating Curly required the system’s designers to model environmental factors (like temperature, humidity, and friction), internal factors (the robot’s ability to accurately carry out commands), and changes in the playing area (like the presence of other stones).

The Curly system includes an AI model that plans strategy (where to aim the stone), an adaptation DRL model to adjust to environmental changes, and the two robot units – the thrower and the skip robots.

The skip robot – the “skipper” who stands in the “house” (target area) and directs the thrower – acquires the coordinates of the stones on the ice sheet and transmits them to the AI model, which passes the data to the curling simulator to formulate an optimal throw. The throw strategy gets passed to the adaptation DRL model for any necessary dynamic adjustments. Then the chosen target coordinates get passed to the thrower, which ideally will push its stone to the calculated spot, as you can see here:

[Embedded YouTube video]

At about 1.3m accuracy, Curly is competitive with the results posted by national wheelchair curling teams (0.8m to 1.3m) in the Paralympic Winter Games of 2018. It’s not quite as good as the 0.2m to 0.8m accuracy at the Olympic Winter Games 2018, where sweeping was allowed.

Even so, the numbers suggest that human players ought to have prevailed, and the paper’s authors offer several theories about why they didn’t. They suggest either that the players were too relaxed – Curly didn’t make them feel competitive – or that they were too nervous, giving the robot an edge.

They also speculate that the AI strategy module may have offered better guidance than what human players came up with because the AI considers rare events and uncertainties in a way that people don’t.

Regardless, the boffins hope their research will help other robot designers create systems that can incorporate real-time feedback into their operations. ®

Alphabet promises to no longer bung tens of millions of dollars to alleged sex pest execs who quit mid-probe

Google will no longer pay top execs fat severance packages not only if they are fired for sexual harassment but also if they leave mid-investigation into their behavior, it announced on Friday.

“We’re building on our current practice of prohibiting severance for anyone terminated for any form of misconduct, and expanding the prohibition to anyone who is the subject of a pending investigation for sexual misconduct or retaliation,” Google’s veep of people operations Eileen Naughton said in a statement.

“Managers will also receive guidance instructing them on how misconduct should impact an employee’s performance evaluation, compensation decisions, and promotion outcomes.”

The changes were made as its parent company Alphabet reached a settlement to end a shareholder lawsuit brought against it last year, CNBC reported Friday. That complaint accused Google of inappropriately writing huge checks to staff who ejected from the company after facing allegations of sexual misconduct. The payoffs dented Google financially and wrecked its reputation, it was claimed.

For instance, the search giant’s co-founders Larry Page and Sergey Brin signed off on a $90m payment to Andy Rubin, a Google senior veep, well-known for leading the development of Android, who stepped down amid allegations he pressured a female subordinate into performing oral sex on him and claims of him keeping sex bondage videos on his work computer.

A similar situation unfolded when its chief legal officer David Drummond decided to leave in January. Jennifer Blakely, who was a senior contracts manager in Google’s legal department, said in a blog post in August last year she had an affair with Drummond back in 2004 when he was still married. A few years after Blakely gave birth to their son, Drummond left their relationship and later married a woman who had left Google and then rejoined the biz.

Although he was not given any pay off when he quit at the turn of 2020, he had sold large amounts of stock valued at more than $70m every month over the course of three months leading up to his exit.

Fast forward to today, and Alphabet has promised to spend $310m on programs aimed at increasing the diversity and equity in its workforce, as well as putting together a Diversity, Equity and Inclusion (DEI) Advisory Council that will investigate every quarter how well the company is upholding its DEI commitments.

“Recent years have involved a lot of introspection and work to make sure we’re providing a safe and inclusive workplace for every employee. That doesn’t stop here and you’ll receive reports on our progress as we move forward,” added Naughton.

“I’m grateful to everyone, especially our employees and shareholders, for providing us with feedback, and for making sure that the way we tackle these vital issues is better today than it was in the past.” ®

Error-bnb: Techies scramble to fix Airbnb website bug that let strangers read each others’ account messages

Airbnb says it has fixed a baffling bug in its website that briefly caused some of its users to be shown messages belonging to others when viewing their account inboxes.

The rent-out-your-home app maker said the problem occurred on Thursday between 0930 and 1230 PT, and affected punters who were logged into its desktop or mobile site as opposed to its smartphone app. During that time, users said that when trying to view their inboxes, they were instead randomly shown the contents of other users’ inboxes. These included private messages and booking confirmations with things like stay details and addresses.

While it seemed to be Airbnb hosts publicly reporting encountering the blunder, the biz would not confirm exactly who had been hit, only saying it was “a small subset of users” who had their inboxes shown to strangers. We’re leaning toward believing this was a classic web caching gaffe, in which people were shown inbox pages and messages incorrectly cached by Airbnb’s web servers.
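The article only speculates that a shared cache served one user’s inbox page to another. As an added illustration of that class of bug (not Airbnb’s code; the session store, inbox contents and cache are all constructed here), this shows a per-user page behind a shared cache with the weak cache header beside the corrected one:

```javascript
// Added illustration (not Airbnb's code; all data constructed): a shared
// HTTP cache in front of a per-user inbox page. If the origin lets the page
// be cached publicly, the cache keys the entry on the URL alone and serves
// the first user's inbox to everyone who follows. Declaring per-user
// responses "private, no-store" is the corrected setting.

// Constructed session-to-inbox mapping standing in for the application's
// database.
const INBOXES = {
  "sess-alice": "Alice's inbox: booking for 12 Example St confirmed",
  "sess-bob": "Bob's inbox: guest arriving Friday",
};

function inboxPage(req, cacheControl) {
  return {
    status: 200,
    headers: { "cache-control": cacheControl },
    body: INBOXES[req.session] ?? "no such session",
  };
}

// The weak setting: a per-user page declared publicly cacheable.
const leakyOrigin = (req) => inboxPage(req, "public, max-age=60");

// The corrected setting: per-user content must never enter a shared cache.
const fixedOrigin = (req) => inboxPage(req, "private, no-store");

// A shared cache (CDN or reverse proxy) that behaves like a real one:
// it keys on method and path, never on the cookie, and it honours
// "private" / "no-store" by refusing to store such responses.
function makeSharedCache(origin) {
  const store = new Map();
  return (req) => {
    const key = `${req.method} ${req.path}`;
    if (store.has(key)) return { ...store.get(key), fromCache: true };
    const res = origin(req);
    if (!/\b(private|no-store)\b/i.test(res.headers["cache-control"])) {
      store.set(key, res);
    }
    return { ...res, fromCache: false };
  };
}

// Two different users fetch the same path through the same shared cache.
function simulate(origin) {
  const proxy = makeSharedCache(origin);
  const alice = proxy({ method: "GET", path: "/inbox", session: "sess-alice" });
  const bob = proxy({ method: "GET", path: "/inbox", session: "sess-bob" });
  return {
    aliceSaw: alice.body,
    bobSaw: bob.body,
    bobServedFromCache: bob.fromCache,
    leaked: bob.body !== INBOXES["sess-bob"],
  };
}

console.log("weak setting:", simulate(leakyOrigin));
console.log("corrected:", simulate(fixedOrigin));
```

The same leak can also occur when a cache is told to key on the cookie but the origin omits `Vary: Cookie`, so auditing the response headers of every authenticated page is the practical check.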

“On Thursday, a technical issue resulted in a small subset of users inadvertently viewing limited amounts of information from other users’ accounts,” an Airbnb spinner told The Register.

“We fixed the issue quickly and are implementing additional controls to ensure it does not happen again. We don’t believe any personal information was misused and at no point was payment information accessible.”

So far, this appears to be a technical goof rather than foul play. Airbnb does not believe the issue was the result of any sort of network intrusion or app exploit. The biz is, however, reviewing whether it will be needing to file any privacy breach notifications under data protection laws.

Still, this will all be of little comfort to folks who had their private messages and booking details exposed to complete strangers. A quick glance at the Airbnb message board on Reddit from Thursday morning shows just how stressful the brief leak was for many users.

“I am seeing other people’s (hosts’) messages,” wrote Reddit user Autocasa. “This is clearly a concerning security link.”

“I’m logging in as a host and it’s welcoming me with a different name and inboxes. My co-host is setting a completely different inbox,” wrote Reddit user Callagem, who noted that Airbnb support was less than helpful. “We’re on the phone with Airbnb who at first was just like, clear your cookies.”

In some cases, the hosts were turning to one another to try and figure out what was going on. “Just had another host call me and advise they have access to my account (wondering if I had access to theirs),” reported Reddit user cagreen151. “Every time I refresh, it’s a new account/inbox.”

Users were similarly flustered on Twitter.

Airbnb told us the issue should not happen again. If you have any information that might suggest otherwise, please get in touch. ®

IT guy whose job was to stop ex-staff running amok on the network is jailed for running amok on the network

An IT guy, who was tasked with locking out ex-employees from the company network, has been jailed after he logged in after being fired and wiped an office’s computer storage drives.

Shannon Stafford, 50, was sent down for 12 months and a day by US federal district Judge Catherine Blake on Thursday. He will also have to pay his former bosses restitution totaling $193,258.10.

Following a four-day trial in Maryland, a jury in November found Stafford, of Crofton, Maryland, guilty [verdict, charges PDF] of intentional damage to a computer and attempted intentional damage to a computer.

The case stems from the 2015 dismissal of Stafford at an unnamed business described by the Feds only as “a global company with thousands of employees and offices around the world.” After a decade of working in tech support at the organization’s Washington DC office, he was promoted in 2014 to an IT management role: specifically, technical site lead. By March 2015, though, he was demoted back to the helpdesk for poor performance, and eventually fired that August.

“As part of his duties, Stafford had access to the system login credentials of other employees and was authorized to use them in the course of performing his technical support duties,” prosecutors noted.

“Stafford was also responsible for disabling company users’ network access credentials at the end of their employment.”

On the day he was terminated, Stafford didn’t return his work-issued MacBook Pro, went home, and that evening used the laptop and his home internet connection to repeatedly attempt to log into the company’s network using his credentials and those of a former colleague. A couple of days later, in the early hours, he managed to get into his office PC remotely using the coworker’s details. From there he was able to “delete all of the file storage drives used by the Washington office, then changed the password to access the storage management system,” the Dept of Justice said.

The prosecutors went on:

Three days later, he tried again to log in using others’ credentials and failed. A couple of days passed and the company warned Stafford to knock it off and leave the biz alone. He continued to try to log in, and at one point tried to get into the Baltimore office’s network to nuke its files too, and he was later nabbed by the Feds.

The one-year-and-a-day prison term marks a halfway point between the two years prosecutors had sought. Once his sentence is complete, Stafford will be subject to a further three years of supervised release, and is unlikely to be hired again as an IT worker. ®

Not Particularly Mortifying: IEEE eggheads probe npm registry, say JavaScript libs not as insecure as feared

For the past few years, the security of JavaScript software packages available through the Node Package Manager, or npm, has been the subject of skepticism as a result of blunders, brouhahas, and tepid countermeasures.

But several computer scientists affiliated with the IEEE say that npm packages aren’t really as risky as has been suggested.

In a paper titled, “On the Threat of npm Vulnerable Dependencies in Node.js Applications,” distributed through ArXiv, boffins Mahmoud Alfadel, Diego Elias Costa, Mouafak Mokhallalati, Emad Shihab, and Bram Adams argue that the dangers of integrating npm libraries into Node.js applications are overstated.

The npm Registry stores software libraries or packages that developers add to apps based on Node.js to implement specific functions. It exists so developers don’t have to reinvent the wheel every time they want, for example, to add a routine for pulling URLs from blocks of text; they can just install the URL-grabbing code, via the npm command-line interface, that some other developer wrote and uploaded to the npm Registry.

The registry hosts around 1.4 million packages, and if the security risks of relying on unaudited third-party code aren’t sufficient to set off alarm bells, consider that many of these packages depend on other npm packages. So a coding error or a malicious commit in one of these libraries has the potential to affect dependent libraries and all the apps that require a vulnerable package.

Examples of how things have gone wrong include the tampering with npm’s event-stream module in 2018 to make it steal cryptocurrency, a similar situation that arose with electron-native-notify last year, and the left-pad debacle in 2016.

The security challenges facing NPM, Inc, the company managing the npm ecosystem, were further complicated by financial resources that didn’t keep pace with its popularity, at least until it was purchased by Microsoft’s GitHub earlier this year.

Node.js’s problems, security and otherwise, even prompted Ryan Dahl, creator of Node.js, to develop a successor runtime called Deno that attempts to provide a better security model, among other improvements.

Yet, the IEEE boffins, after analyzing 6,673 actively used Node.js apps, have found the security situation is not quite as bad as security vendors claim. There are a lot of vulnerabilities in npm packages but most are not that severe.

“Our findings show that although 67.93 per cent of the examined applications depend on at least one vulnerable package, 94.91 per cent of the vulnerable packages in those affected applications are classified as having low threat,” they said in their paper.

What’s more, among the few apps with high threat dependencies (3.03 per cent), the vast majority (90.8 per cent) had fixes available that had not been applied.

The boffins suggest that the fault here should be assigned to app developers, for not updating their app dependencies to the latest, safest versions, rather than the package maintainer.

“[A] major implication of our study is that application developers need to take updates pushed from their dependencies seriously, or at least actively track their dependencies, since those can lead to very serious effects,” the paper concludes. ®
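The study’s two headline figures, the share of findings that are low threat and the share of high-threat findings that already have a fix, are exactly what a developer can compute for one application from its own audit output. The following is an added example, not code from the paper or from npm; it assumes the npm 7+ `npm audit --json` format (auditReportVersion 2), in which each entry’s `fixAvailable` is `true`, `false`, or an object naming the top-level package and version to move to, and the sample report and package names are constructed:

```javascript
// Added example (not from the paper or npm): reduce an `npm audit --json`
// report to the numbers the study turns on. Assumes the npm 7+ report
// format (auditReportVersion 2).

// Constructed sample report; package names and advisories are invented.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "demo-pad-left": { name: "demo-pad-left", severity: "low", isDirect: false, fixAvailable: true },
    "demo-ansi": { name: "demo-ansi", severity: "low", isDirect: false, fixAvailable: true },
    "demo-fetch": { name: "demo-fetch", severity: "moderate", isDirect: true, fixAvailable: true },
    "demo-templates": {
      name: "demo-templates", severity: "high", isDirect: true,
      fixAvailable: { name: "demo-templates", version: "5.0.0", isSemVerMajor: true },
    },
    "demo-serializer": { name: "demo-serializer", severity: "critical", isDirect: false, fixAvailable: false },
  },
};

const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Percentage rounded to two decimals, matching how the paper reports shares.
function percent(part, whole) {
  return whole === 0 ? 0 : Math.round((part / whole) * 10000) / 100;
}

function summarizeAudit(report) {
  if (report.auditReportVersion !== 2) {
    throw new Error("expected npm audit report version 2 (npm 7 or later)");
  }
  const vulns = Object.values(report.vulnerabilities ?? {});
  const bySeverity = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  let serious = 0;
  const actionable = []; // high/critical findings a dependency update would close
  const unfixable = [];  // high/critical findings with no upstream fix yet
  for (const v of vulns) {
    bySeverity[v.severity] = (bySeverity[v.severity] ?? 0) + 1;
    if (v.severity !== "high" && v.severity !== "critical") continue;
    serious++;
    if (v.fixAvailable === false || v.fixAvailable === undefined) {
      unfixable.push(v.name);
    } else if (typeof v.fixAvailable === "object") {
      // npm names the top-level dependency to bump; isSemVerMajor means the
      // fix crosses a major version and needs a deliberate upgrade.
      const fix = v.fixAvailable;
      actionable.push(
        `${v.name}: update ${fix.name} to ${fix.version}` +
          (fix.isSemVerMajor ? " (breaking upgrade)" : "")
      );
    } else {
      actionable.push(`${v.name}: fixable with npm audit fix`);
    }
  }
  return {
    total: vulns.length,
    bySeverity,
    lowThreatShare: percent(bySeverity.info + bySeverity.low, vulns.length),
    serious,
    seriousFixable: actionable.length,
    seriousFixableShare: percent(actionable.length, serious),
    actionable,
    unfixable,
  };
}

console.log(JSON.stringify(summarizeAudit(SAMPLE_REPORT), null, 2));
```

On a real project, pipe `npm audit --json` into this and act on `actionable` first; `unfixable` is the residue that needs a workaround or a replacement package rather than an update.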