
Tech News

3711 Articles

Fortnite just fixed a bug that let attackers fully access user accounts, impersonate real players and buy V-Bucks

Amrata Joshi
17 Jan 2019
4 min read
Yesterday, Epic Games, the developer of the online video game Fortnite, acknowledged the existence of a bug in the game. The bug could let attackers access user accounts, impersonate real gamers, and purchase V-Bucks, Fortnite’s in-game currency, with credit cards. It could also let them eavesdrop on and record players’ in-game conversations and background home conversations.

Just two months ago, researchers at Check Point Research found the vulnerabilities and informed Epic Games, which then fixed them. In a statement to the Washington Post, Oded Vanunu, Check Point’s head of products vulnerability research, said, “The chain of the vulnerabilities within the log-in flow provide[d] the hacker the ability to take full control of the account.”

According to an analysis by market research company SuperData, Epic Games led the market for free-to-play games last year, earning $2.4 billion in revenue with the help of Fortnite.

Ten months ago, a user shared his experience on Reddit of having his account hacked. The hacker spent all the money available on his card on V-Bucks. The post reads, “It appears my epic games account was hacked this past weekend, and they proceeded to spend all the money they could on v-bucks (which was all of it).” The victim also added a note, “I've never tried signing up for free v-bucks or anything of the sort. I think I've just used the same password email combo too many times and at some point it was leaked in some data breach.”

Despite the refund from the Epic team, the online gaming world doesn’t look that safe, and the comments on the post show how scared users are. One of the users commented, “Well, after reading this I just deleted my PayPal from my Epic Games account. Definitely going to run with entering details each time instead of storing them.” Other comments in the thread suggest having two-way verification, changing passwords frequently, and using prepaid cards for online games where possible.

In a statement to The Verge, Epic Games said, “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

Hackers deceive players in various ways, one of which is asking users to log in to fake websites that promise to generate V-Bucks. These sites ask gamers to enter their game login credentials and personal information such as name, address and credit card details, which are then misused. Such scams are usually promoted via social media campaigns that claim gamers can “earn easy cash” or “make quick money”.

Check Point’s research uncovered a vulnerability in the game that did not even require login details for the attack to succeed. According to the researchers, a cross-site scripting (XSS) attack was responsible, and it only required users to click on a link sent to them by the attacker. As soon as the user clicked the link, their Fortnite username and password would immediately be captured by the attacker, without the user having to enter any login credentials. According to the researchers, the bug would let hackers steal the security tokens, pieces of code used to identify a gamer who logs in to the game through a third-party account such as Xbox Live or Facebook. After accessing a gamer’s Fortnite account with these security tokens, hackers could buy weapons, in-game currency, or even cosmetic accessories.

To know more about the bug in Fortnite, check out the report and YouTube video by Check Point.

Red Hat drops MongoDB over concerns related to its Server Side Public License (SSPL)

Natasha Mathur
17 Jan 2019
3 min read
In October last year, MongoDB announced that it was switching to the Server Side Public License (SSPL). Now, the news of Red Hat removing MongoDB from Red Hat Enterprise Linux and Fedora over the SSPL has been gaining attention.

Tom Callaway, University outreach Team lead, Red Hat, mentioned in a note earlier this week that Fedora does not consider MongoDB’s Server Side Public License v1 (SSPL) to be a Free Software License. He further explained that the SSPL is “intentionally crafted to be aggressively discriminatory towards a specific class of users. To consider the SSPL to be "Free" or "Open Source" causes that shadow to be cast across all other licenses in the FOSS ecosystem, even though none of them carry that risk”.

The first instance of Red Hat removing MongoDB came in November 2018, when the RHEL 8.0 beta was released. The RHEL 8.0 beta release notes explicitly mentioned the SSPL as the reason for removing MongoDB.

Apart from Red Hat, Debian also dropped MongoDB from its archive last month due to similar concerns over the SSPL. “For clarity, we will not consider any other version of the SSPL beyond version one. The SSPL is clearly not in the spirit of the DFSG (Debian’s free software guidelines), let alone complementary to the Debian's goals of promoting software or user freedom”, mentioned Chris Lamb, Debian Project Leader.

Debian developer Apollon Oikonomopoulos also mentioned that MongoDB 3.6 and 4.0 will be supported longer but that Debian will not be distributing any SSPL-licensed software. He added that keeping the last AGPL-licensed version (3.6.8 or 4.0.3) without the ability to “cherry-pick upstream fixes is not a viable option”. That being said, MongoDB 3.4 will be a part of Debian as long as it is AGPL-licensed (MongoDB’s previous license).

MongoDB’s decision to move to the SSPL was due to cloud providers exploiting its open source code. The SSPL specifies an explicit condition that companies wanting to use, review, modify or redistribute MongoDB as a service would have to open source the software that they’re using. This, in turn, led to a debate in the industry and the open source community over whether MongoDB is open source anymore.

https://twitter.com/mjasay/status/1082428001558482944

MongoDB’s adoption of the SSPL also forces companies to either go open source or choose MongoDB’s commercial products. “It seems clear that the intent of the license author is to cause Fear, Uncertainty, and Doubt towards commercial users of software under that license” mentioned Callaway.

https://twitter.com/mjasay/status/1083853227286683649

Unity updates its TOS, developers can now use any third-party service that integrates into Unity

Sugandha Lahoti
17 Jan 2019
3 min read
Last week saw a lot of drama between Improbable and Unity after Unity updated Clause 2.4 of its TOS to restrict developers who planned to use Unity in any kind of distributed network capacity. Yesterday, in a blog post, Unity revised its End User License Agreement to make it more open for developers. Under this update, developers can now use any third-party service that integrates into Unity. However, the choice of whether to support such a service remains with Unity. Basically, Unity will integrate its own services but will not block developers from using competing third-party services.

Unity TOS Section 2.4

Unity developers are free to use any service offered to Unity developers (each, a “Third Party Service”). Unity does not have any obligation to provide support for any Third Party Service provider or Third Party Service under this Agreement. Third Party Service providers may not, without Unity’s express written permission: (1) use a stylized version of any Unity name, trademark, logos, images or product icons, or other Unity-owned graphic symbols; (2) use a product name confusingly similar to a Unity product or that could be construed by Unity developers as being a Unity product or service; or (3) create or use any marketing materials that suggest an affiliation with, or endorsement by, Unity. All use of Unity’s trademarks must comply with Unity’s Trademark Guidelines.

Unity has also shared updates on its relationship with Improbable and has clarified that Improbable and SpatialOS are no longer blocked under its licenses and can be used for developing and shipping games. “Improbable is no longer in breach by providing you a service, and that we are able to reinstate their licenses. But we do not consider them a partner, and cannot vouch for how their service works with Unity as we have no insight into their technology or how they run their business.”, they clarified in a blog post.

Unity’s news has been received positively by the developer community. Here are a few comments from a thread on Hacker News.

“Good move on their part, but the whole saga is a reminder of the risks of using non-free software, especially if it's a subscription. At any point, the developers can pull the rug out from under you.”

“I've been following this rather closely as a company who provides backend services (so we're classified as a 3rd party service) to studios in the industry, many of whom use Unity. I'm rather surprised by this about-face, especially considering Unity had the upper hand in negotiations with Improbable. A pleasant surprise, and a much-needed one in the games industry where locked-down tech is often the norm.”

The popular ES File Explorer allegedly has an open port vulnerability that exposes Android device data

Savia Lobo
17 Jan 2019
2 min read
ES File Explorer, one of the popular file managing apps, has been found to run a hidden web server in the background, leaving the door open for anyone to easily access data on the device with just a simple script. A French security researcher, Baptiste Robert, who goes by the online handle Elliot Alderson, found the exposed port last week. He disclosed his findings in a tweet yesterday, stating that, “The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone.”

https://twitter.com/fs0c131y/status/1085460755313508352

ES File Explorer hasn’t responded to the allegations yet. The app has more than 500 million downloads on the Google Play Store. Robert said that app versions 4.1.9.5.2 and below have the open port.

According to TechCrunch, “Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos and app names — or even grab a file from the memory card — from another device on the same network. The script even allows an attacker to remotely launch an app on the victim’s device.”

The server running in the background can also use HTTP to stream videos to other apps. However, this opens up a way for a hacker to get at every piece of information on the Android device.

The vulnerability can only affect devices connected to the same local network; the exposed web server cannot be used to steal information over the internet. It is still a threat, however, and an opportunity for a hacker present on the local network.

To know more about this news in detail, visit GitHub. Here’s a short video by Baptiste Robert demonstrating the vulnerability.

https://www.youtube.com/watch?v=z6hfgnPNBRE

YouTube bans dangerous pranks and challenges

Prasad Ramesh
17 Jan 2019
2 min read
YouTube has updated its policies to ban dangerous pranks and challenges that can be harmful to the victim of a prank or that encourage people to partake in dangerous behavior. Pranks and challenges have been around on YouTube for a long time. Many of the pranks are entertaining and harmless, while some challenges, like an extreme food eating challenge, are potentially unsafe.

Recently, the “Bird Box Challenge”, inspired by the Netflix movie Bird Box, has been popular. The challenge is to perform difficult tasks, like driving a car, blindfolded. It has received media coverage not for its entertainment value but for the dangers involved, and it has caused many accidents among people taking it.

What is banned on YouTube?

In light of this challenge being harmful and dangerous to lives, YouTube has banned certain content by updating its policies page. Primarily, it has banned three kinds of pranks and challenges:

Challenges that can cause serious danger to life or cause death
Pranks that lead the victims to believe that they’re in serious physical danger
Any pranks that cause severe emotional distress in children

They state in their policies page: “YouTube is home to many beloved viral challenges and pranks, but we need to make sure what’s funny doesn’t cross the line into also being harmful or dangerous.”

What are the terms?

Other than the points listed above, there is no clear or exhaustive list of the kinds of activities that are banned. The YouTube moderators may take a call to remove a video. In the next two months, YouTube will be removing any existing content that falls under this policy; however, content creators will not receive a strike. Going forward, any new content that is objectionable under these policies will get the channel a ‘strike’. Three strikes in the span of three months will lead to the channel’s termination. Questionable content includes custom thumbnails or external links that display pornographic, graphic violent, malware, or spam content.

So now you are less likely to see videos on driving blindfolded or eating tide pods.

Go 1.11 support announced for Google Cloud Functions!

Melisha Dsouza
17 Jan 2019
2 min read
Yesterday, Google Cloud announced support for Go 1.11 (in beta) on Cloud Functions. Developers can now write Go functions that scale dynamically and integrate seamlessly with Google Cloud events. Go follows suit after Node.js and Python were announced as supported languages for Google Cloud Functions.

Google Cloud Functions ensures that developers do not have to worry about server management and scaling. Functions scale automatically, and developers only pay for the time a function runs. By using the familiar building blocks of Go functions, developers can build a variety of applications, such as:

Serverless application backends
Real-time data processing pipelines
Chatbots
Video or image analysis tools
And much more!

The two types of Go functions that developers can use with Cloud Functions are HTTP functions and background functions. HTTP functions are invoked by HTTP requests, while background functions are triggered by events. The Google Cloud runtime system provides support for multiple Go packages via Go modules. Go 1.11 modules allow the integration of third-party dependencies into an application’s code.

Go developers and Google Cloud users have taken this news well. Reddit and YouTube saw a host of positive comments from users. Users have commented on Go being a good fit for cloud functions and on it making the process of adopting cloud functions much easier.

https://www.reddit.com/r/golang/comments/agne4o/get_going_with_cloud_functions_go_111_is_now_a/ee7sd35
https://www.reddit.com/r/golang/comments/agne4o/get_going_with_cloud_functions_go_111_is_now_a/ee84cej

It is easy and efficient to deploy a Go function in Google Cloud. Check out the examples on Google Cloud’s official blog page. Alternatively, you can watch this video to know more about this announcement.

It’s a win for Web accessibility as courts can now order companies to make their sites WCAG 2.0 compliant

Sugandha Lahoti
17 Jan 2019
3 min read
Yesterday, the Ninth Circuit Court of Appeals delivered a big win for web accessibility in a case against Domino’s Pizza. In 2016, a blind man filed a federal lawsuit against Domino’s stating that it wasn’t compatible with standard screen reading software, which is designed to vocalize text and visual information. This did not allow him to use the pizza builder feature to personalize his order. Per his claim, Domino’s violated the Americans With Disabilities Act (ADA) and should make its online presence compatible with the Web Content Accessibility Guidelines.

A blog post published by the National Retail Federation highlights that such lawsuits are on the rise, with 1,053 filed in the first half of last year compared to 814 in all of 2017. All of them voiced a lack of clarity in how the ADA applies to the modern internet.

The Web Content Accessibility Guidelines (WCAG) are developed through the W3C process with the goal of providing a single shared standard for web content accessibility. The WCAG documents explain how to make web content more accessible to people with disabilities.

Earlier, a lower court ruled in favor of Domino’s and tossed the case out of court. However, the court of appeals reversed the ruling, saying that the ADA covers websites and mobile applications and so the case is relevant.

Domino’s argued that there was an absence of regulations specifically requiring web accessibility or referencing the Web Content Accessibility Guidelines. However, the appellate judges explained the case was not about whether Domino’s did not comply with WCAG. “While we understand why Domino’s wants DOJ to issue specific guidelines for website and app accessibility, the Constitution only requires that Domino’s receive fair notice of its legal duties, not a blueprint for compliance with its statutory obligations,” U.S. Circuit Judge John B. Owens wrote in a 25-page opinion.

The judges’ panel said the case was relevant and sent it back to the district court, where the question will be whether the Domino’s website and app comply with the ADA mandate to “provide the blind with effective communication and full and equal enjoyment of its products and services.”

In a Twitter thread, Jared Spool applauded the court’s move to apply ADA penalties to web accessibility and talked about the long- and short-term implications of this news:

The first will likely come when insurance companies raise rates for any company that doesn’t meet WCAG compliance. This will create a bigger market for compliance certification firms. Insurance companies will demand certification sign-off to give preferred premiums.

This will likely push companies to require WCAG understanding from the designers they hire. In the short term, we’ll likely see a higher demand for UX professionals with specialized knowledge in accessibility. In the long term, this knowledge will be required for all UX professionals. The demand for specialists will likely decrease as it becomes common practice.

Also, toolkits, frameworks, and other standard platforms will build accessibility in. This will also reduce the demand for specialists, as it will become more difficult to build things that aren’t accessible. Good, accessible design will become the path of least resistance.

You may go through the full appeal from the United States District Court for the Central District of California.

Valve plans to bring new events system and store discoverability feature to Steam this year

Natasha Mathur
17 Jan 2019
2 min read
Earlier this week, Valve, a US-based video game development company, shared a sneak peek of eight new features and changes that it is planning to work on in 2019. Let’s have a look at some of the new features that Valve is working on shipping this year.

Store discoverability

One of the things that Valve is focussing on is store discoverability. “We’re working on a new recommendation engine powered by machine-learning, that can match players to games based on their individual tastes (on steam)”, reads the Valve blog post. It will also be working on bringing forth more broadcasting and curating features. Valve also mentioned that it is constantly analyzing and assessing the design of Steam, its online game store.

Steam China

Valve is working on bringing Steam to China. The company has teamed up with Perfect World, a Chinese game development company, to bring Steam to Chinese users. Valve will share more updates on this in the upcoming months.

New Events System

Valve will be focussing on upgrading the events system in Steam. This will allow users to highlight interesting activities within games, such as tournaments, streams, or weekly challenges.

Steam TV and chat

The Valve team is going to expand Steam TV beyond broadcasting specific tournaments and special events and will provide support for all games. Additionally, it will be shipping a new Steam chat mobile app. The app will let its users share their favourite GIFs with friends.

Steam PC Cafe Program

Valve will also be shipping an all-new PC Cafe Program that will allow players to have a good experience while using Steam in thousands of PC cafes worldwide.

For more information, check out the official Steamworks announcement.

Baidu open sources ‘OpenEdge’ to create a ‘lightweight, secure, reliable and scalable edge computing community’

Melisha Dsouza
16 Jan 2019
2 min read
On 9th January, at CES 2019, Chinese technology giant Baidu Inc. announced the open sourcing of its edge computing platform called ‘OpenEdge’, which developers can use to extend cloud computing to their edge devices.

“Edge computing is a critical component of Baidu’s ABC (AI, Big Data and Cloud Computing) strategy. By moving the compute closer to the source of the data, it greatly reduces the latency, lowers the bandwidth usage and ultimately brings real-time and immersive experiences to end users. And by providing an open source platform, we have also greatly simplified the process for developers to create their own edge computing applications,” said Baidu VP and GM of Baidu Cloud Watson Yin.

Baidu said that systems built using OpenEdge will automatically be enabled with features like artificial intelligence, cloud synchronization, data collection, function compute and message distribution.

OpenEdge is a component of the Baidu Intelligent Edge platform (BIE). The BIE offers tools to manage edge nodes, resources such as certifications, passwords and program code, and other functions. BIE is designed to run on the Baidu cloud and supports common AI frameworks such as the Baidu-developed PaddlePaddle and TensorFlow. Developers can, therefore, use Baidu’s cloud to train AI models and then deploy them to systems built using OpenEdge.

According to TechRepublic, OpenEdge also gives developers the ability to exchange data with Baidu ABC Intelligent Cloud, perform filtering calculations on sensitive data, and provide real-time feedback control when a network connection is unstable.

A company spokesperson told TechCrunch that the open-source platform will include features like data collection, message distribution and AI inference, as well as tools for syncing with the cloud.

You can head over to GitHub to know more about this release.

DuckDuckGo now uses Apple MapKit JS for its map and location based searches

Savia Lobo
16 Jan 2019
2 min read
DuckDuckGo, an Internet search engine, announced that DuckDuckGo for mobile and desktop now supports Apple’s MapKit JS framework for its map and address-related searches. With Apple MapKit JS, users get improved searches, additional visual features, and enhanced satellite imagery, along with updated maps that are already in use on billions of Apple devices worldwide.

https://twitter.com/DuckDuckGo/status/1085220405462200320

Apple Maps is now embedded in DuckDuckGo’s private search results for relevant queries and is also available from the ‘Maps’ tab on any search results page. With the new Apple MapKit JS framework, DuckDuckGo offers users a combination of mapping and privacy.

According to a statement in their blog post, “At DuckDuckGo, we believe getting the privacy you deserve online should be as simple as closing the blinds. Naturally, our strict privacy policy of not collecting or sharing any personal information extends to this integration.”

The company promises not to share any personally identifiable information, such as IP address, with Apple or other third parties. For local searches, where the browser tends to send the user’s approximate location information, DuckDuckGo will discard the information immediately after use.

According to ZDNet, “DuckDuckGo did not discuss how working with Apple, which the search engine said will result in "a new standard of trust online", was better or worse from a privacy perspective than using data from the OpenStreetMap project as it did previously.”

To know more about this in detail, visit DuckDuckGo’s official blog post.

Open Government Data Act makes non-sensitive public data publicly available in open and machine readable formats

Bhagyashree R
16 Jan 2019
2 min read
On Monday, U.S. President Donald Trump signed the Foundations for Evidence-Based Policymaking (FEBP) Act, which includes the Open, Public, Electronic and Necessary (OPEN) Government Data Act (Title II).

In 2017, Data Coalition, an open data trade association, together with eighty-five organizations including businesses, industry groups, and others, wrote a letter to express their support for the OPEN Government Data Act. The bill was passed unanimously by the Senate in 2016, was included in the FEBP Act as Title II in 2017, and was passed by Congress in December 2018 before reaching the president’s desk.

What is the OPEN Government Data Act about?

The federal government has siloed a huge amount of public data, which could instead be used to drive private sector innovation and improve government services. The FEBP Act aims to change the way the government collects, publishes, and uses non-sensitive public information.

According to the OPEN Government Data Act, which is a part of FEBP, government data should be made publicly available in open and machine-readable formats. It also states that the federal government should use open data to improve decision making.

Explaining the OPEN Government Data Act, Sarah Joy Hays, Acting Executive Director of the Data Coalition, said, “Title II, the OPEN Government Data Act, which our organization has been working on for over three and a half years, sets a presumption that all government information should be open data by default: machine-readable and freely-reusable.”

Additionally, the Act requires federal agencies to designate a non-political employee in the agency as the Chief Data Officer (CDO). The qualifications of a CDO include training and experience in data management, governance, collection, analysis, protection, use, and dissemination to protect and de-identify confidential data. A CDO council is also established that will be responsible for promoting and encouraging data sharing agreements between agencies, identifying ways in which agencies can improve upon the production of evidence for use in policymaking, and more.

Sugandha Lahoti
16 Jan 2019
2 min read

Android Studio 3.3 released with support for Navigation Editor, C++ code lint inspections, and more

Android Studio 3.3 was released earlier this week with official support for Navigation Editor, Project Marble, improved incremental Java compilation when using annotation processors, C++ code lint inspections, and more. Other features include an updated new project wizard and usability fixes for each of the performance profilers. Overall, this release addresses over 200 user-reported bugs.

This release includes support for Navigation Editor, a visual editor for constructing XML resources using the Jetpack Navigation Component. Developers can build predictable interactions between the screens and content areas of an app with the Navigation Editor and the Navigation Component. The Network profiler in Android Studio 3.3 now formats common text types found in network payloads by default, including HTML, XML and JSON. The New Project Wizard for Android Studio has been updated to support the range of device types, programming languages, and new frameworks in a streamlined manner.

Android Studio 3.3 includes IntelliJ 2018.2.2 and also bundles Kotlin 1.3.11. It also supports Clang-Tidy for C++ static code analysis. Android Studio 3.3 decreases build time by improving support for incremental Java compilation when using annotation processors. This release comes with a new feature to help clean up unused settings and cache directories. For better user feedback, it includes in-product sentiment buttons for quick feedback. The Android Gradle plugin uses Gradle's new task creation API to avoid initializing and configuring tasks that are not required to complete the current build.

Android Studio 3.3 supports Android App Bundle to build and deploy Google Play Instant experiences from a single Android Studio project. Android Emulator 28.0 now supports the ability to launch multiple instances of the same Android Virtual Device (AVD). The default Memory Profiler capture mode on devices running Android 8.0 Oreo (API level 26) and higher has been changed to sample allocations periodically.

You may check out the Android Studio release notes, Android Gradle plugin release notes, and the Android Emulator release notes for more details.

Melisha Dsouza
16 Jan 2019
4 min read

Amazon Alexa AI researchers develop new method to compress Neural Networks and preserves accuracy of system

At the 33rd conference of the Association for the Advancement of Artificial Intelligence (AAAI), Amazon Alexa researchers, in collaboration with researchers from the University of Texas, will be presenting a paper that describes a new method for compressing neural networks which will, in turn, increase the performance of the network. Yesterday, on the Amazon Blog, Anish Acharya and Rahul Goel, both applied scientists at Amazon Alexa AI, explained how huge neural networks tend to slow down the performance of a system. The paper, titled “Online Embedding Compression for Text Classification using Low Rank Matrix Factorization”, includes a method to compress embedding tables, which often compromise the NLU network’s performance and thus slow down AI-based systems like Alexa. This will help Alexa perform more and more complex tasks in milliseconds.

The researchers covered the following topics within the paper:

  • A compression method for deep NLP models to reduce the memory footprint using low-rank matrix factorization of the embedding layer. This leads to regaining accuracy through further fine-tuning.
  • They showed that their method outperformed baselines like fixed-point quantization and offline embedding compression for sentence classification.
  • They provide an analysis of inference time for their method.
  • They introduce CALR, a novel learning rate scheduling algorithm for gradient descent based optimization, and show that CALR outperformed other popular adaptive learning rate algorithms on sentence classification.

Steps taken to obtain optimal performance of the network

The blog briefly lists the steps taken by the researchers to compress the neural network:

  • A set of pre-trained word embeddings called ‘GloVe’ was used for this experiment. GloVe takes into consideration a word’s co-occurrence in huge bodies of training data and assesses words’ meanings.
  • The team started with a model initialized with a large embedding space, performed a low-rank projection of the embedding layer using Singular Value Decomposition (SVD), and continued training to regain any lost accuracy.
  • The aim of the experiment was to integrate the embedding table into the neural network in order to use task-specific training data. This would not only fine-tune the embeddings but also customize the compression scheme.
  • SVD was used to reduce the embeddings’ dimensionality. This broke down their initial embedding matrix into two smaller embedding matrices, with a reduction in parameters of almost 90%. One of these matrices serves as one layer of a neural network and the second matrix as the layer above it. Between the layers are connections with associated “weights”, which can be readjusted by the training process. These determine how much influence the outputs of the lower layer have on the computations performed by the higher one.
  • The paper describes a new procedure for selecting the network’s “learning rate”. They vary the ‘cyclical learning rate’ procedure to escape the local minima condition that gets introduced. This technique is called the cyclically annealed learning rate, which gives better performance than either the cyclical learning rate or a fixed learning rate.

Results and conclusion

The system developed by the researchers could shrink a neural network by 90 percent for both LSTM and DAN models, while reducing its accuracy by less than 1%. They compared their model to two alternatives: one in which the embedding table is compressed before network training begins, and simple quantization, in which all of the values in the embedding vector are rounded to a limited number of reference values. On testing their approach across a range of compression rates, on different types of neural networks, using different data sets, they found that their system outperformed the other approaches used in the experiment.

You can read the research paper for more details on the experiments and acquired results.
Natasha Mathur
16 Jan 2019
4 min read

Rights groups pressure Google, Amazon, and Microsoft to stop selling facial surveillance tech to government

A coalition of over 85 groups sent letters to Google, Amazon, and Microsoft yesterday, urging the companies not to sell their facial surveillance technology to the government. The letters, penned by groups including the American Civil Liberties Union (ACLU), the Refugee and Immigrant Center for Education and Legal Services (RAICES), and the Electronic Frontier Foundation (EFF), among others, are intended to make clear to the tech giants how their decision can deeply impact the safety and trust of their community members.

The letter talks about the dangers of facial surveillance technology and how it provides the government with an “unprecedented ability to track who we are, where we go, what we do, and who we know”. It states that face recognition tech would not only give the government the power to target immigrants, religious minorities, and people of colour, but would also create a constant fear among the public of being watched by the government. The groups requested the companies to take responsibility for their decision and to commit to not selling face surveillance to the government. “Systems built on face surveillance will amplify and exacerbate historical and existing bias that harms these and other over-policed and over-surveilled communities”, states the letter.

In the letter written to Microsoft, the group mentions that Brad Smith, President, Microsoft, acknowledged the dangers of face surveillance in a speech and blog post published in December 2018. But, despite Smith acknowledging the dangers, the letter states that he then proposed “wholly inadequate safeguards” for face surveillance in his blog post. The group does not approve of these safeguards, as it believes that they are not enough to stop the government from widespread monitoring and tracking of the public. “Microsoft has a responsibility to do more than speak about ethical principles; it must also act in accordance with those principles”, states the letter.

In the letter written to Google, the group acknowledges that Google announced in December 2018 that it will not sell its facial recognition product unless the dangers associated with the tech are addressed. “By finalizing its commitment not to sell a face surveillance product, Google would also be safeguarding the trust of its workers, shareholders, and customers. It’s time for Google to fully commit to not releasing a face recognition product that could be used by governments”, reads the letter.

However, when it comes to Amazon, the group notes that the company has continually turned a deaf ear to the protests and warnings from consumers, employees, members of Congress, and others over its facial recognition product. The letter points out that over 150,000 consumers have signed petitions asking Amazon to stop providing Rekognition, its facial recognition service, to governments. Back in October 2018, an anonymous Amazon employee spoke out in a letter against Amazon selling Rekognition to police departments across the world. Similarly, a group of seven House Democrats sent a letter to Amazon CEO Jeff Bezos in November 2018, raising concerns and questions about Rekognition’s possible impact on citizens. Moreover, emails obtained by The Daily Beast in October 2018 showed that officials from Amazon met with ICE in June 2018 to sell its facial recognition technology.

“By continuing to sell your face surveillance product to government entities, Amazon is gravely threatening the safety of community members, ignoring the protests of its own workers, and undermining public trust in its business”, states the letter. The letter also notes that Amazon’s inaction on the concerns related to face surveillance contrasts with the actions taken by its competitors (Google and Microsoft).

“We are at a crossroads with face surveillance, and the choices made by these companies now will determine whether the next generation will have to fear being tracked by the government for attending a protest, going to their place of worship, or simply living their lives”, states the letter.

Check out the letters written to Google, Amazon, and Microsoft.

Amrata Joshi
16 Jan 2019
4 min read

35-year-old vulnerabilities in SCP client discovered by F-Secure researcher

Yesterday, Harry Sintonen, researcher at F-Secure, discovered 35-year-old vulnerabilities in clients of SCP (Secure Copy Protocol), a network protocol that uses Secure Shell (SSH) for data transfer between hosts on a network. These SCP clients are susceptible to a malicious SCP server, which could perform unauthorized changes to the target directory. In 2000, a directory traversal bug was found in the SCP client in SSH and was fixed at the time.

Vulnerabilities discovered

One of the vulnerabilities in SCP clients lets attackers write arbitrary malicious files to the target directory on the client machine. The attackers can change the permissions on the directory to allow further compromises. Another vulnerability is that SCP clients fail to verify that the object returned after a download request is the one that was requested. The consequences are severe, as an attacker who controls the server can easily drop arbitrary files into the directory from which the user runs SCP (similar to a man-in-the-middle attack).

The major vulnerabilities discovered are:

  • CWE-20: SCP client improper directory name validation [CVE-2018-20685]. With an empty ("D0777 0 \n") or dot ("D0777 0 .\n") directory name, the SCP client permits the server to modify permissions of the target directory.
  • CWE-20: SCP client missing received object name validation [CVE-2019-6111]. Since the SCP implementation has been derived from the 1983 rcp(1), the server can choose which files/directories are sent to the client. According to the post by Sintonen, “A malicious SCP server can overwrite arbitrary files in the SCP client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).” This vulnerability is known as CVE-2018-20684 in WinSCP.
  • CWE-451: SCP client spoofing via object name [CVE-2019-6109]. The object name can be used to manipulate the client output because character encoding is missing in the progress display, for example by employing ANSI codes to hide additional files being transferred.
  • CWE-451: SCP client spoofing via stderr [CVE-2019-6110]. A malicious server can manipulate the client output, because the client accepts and displays arbitrary stderr output from the SCP server.

These vulnerabilities affect the SCP client implementations in Red Hat, Debian, and SUSE Linux, OpenSSH version 7.9 and earlier, and a few versions of WinSCP.

How to overcome these vulnerabilities?

For OpenSSH: users can switch to sftp or apply the patch at https://sintonen.fi/advisories/scp-name-validator.patch to harden scp against server-side manipulation attempts. A note by Sintonen: This patch may cause problems if the remote and local shells don't agree on the way glob() pattern matching works. YMMV.

For WinSCP: one can upgrade to WinSCP 5.14 or later versions.

There are no fixes available for PuTTY yet and users are refraining from using PuTTY. One of the users commented on HackerNews, “I strongly discourage anyone from using PuTTY, not for this reason, but for its weird and nonstandard handling of SSH keys.”

Users are now more skeptical about downloading and transferring files over the network. Most of us rely heavily on SSH because we think it is secure and trusted, but should we continue trusting it? Is it advisable to trust it blindly and not take preventive measures beforehand? One of the users commented on HackerNews, “We trust a lot of things, and maybe we shouldn't. I use SCP infrequently and on machines that I control, so that's a level of risk I'm comfortable with.” Another user commented on the HackerNews thread, “The argument that you trusted this server enough to connect to it and download a file, therefore you clearly should trust it enough to permit it to execute arbitrary executables on your machine, is false in both cases.”

Another user advises accessing data in offline mode by shutting down the instance and connecting the storage as secondary storage on another instance. The user further suggests discarding the storage as soon as the work is done. The data can also be downloaded at the hypervisor level. Another comment on HackerNews reads, “You can't physically access the disk, but you often can download a snapshot or disk image, which is created at the hypervisor level.”

To know more about the vulnerabilities, check out Sintonen's advisory.
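The client-side checks whose absence is described above, as an added Python example that is not OpenSSH, WinSCP or advisory code: it validates the control lines an scp server sends (CVE-2018-20685, CVE-2019-6111) and escapes names before they are displayed (CVE-2019-6109). The function names, the `depth` parameter and the sample lines are constructed for illustration, and Python's `fnmatch` stands in for the client's glob matching.

```python
import fnmatch
import re

# "C0644 1234 name" announces a file, "D0755 0 name" a directory
CONTROL_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$")


class RejectedObject(ValueError):
    """Raised when a server-supplied control line must not be acted on."""


def display_name(name):
    """Escape control characters so ANSI sequences cannot rewrite client output."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in name)


def check_control_line(line, requested_pattern, depth=0):
    """Validate one control line; return (kind, mode, size, name) or raise.

    requested_pattern is the last path component the user asked for.
    depth > 0 (assumption of this sketch) means the line arrived inside a
    directory of a recursive copy, where only the name-safety check applies.
    """
    m = CONTROL_RE.match(line.rstrip("\n"))
    if not m:
        raise RejectedObject("malformed control line: " + display_name(line))
    kind, mode, size, name = m.groups()
    # An empty, "." or ".." name targets the destination directory or its parent
    if name in ("", ".", "..") or "/" in name:
        raise RejectedObject("unsafe object name: %r" % name)
    # At the top level the server may only send what the user requested
    if depth == 0 and not fnmatch.fnmatchcase(name, requested_pattern):
        raise RejectedObject("not requested: " + display_name(name))
    return kind, int(mode, 8), int(size), name


# Constructed sample: server replies to a request for the single file report.txt
SAMPLE = [
    "C0644 5 report.txt\n",   # the requested file
    "C0644 40 other.txt\n",   # extra file the user never asked for
    "D0777 0 \n",             # empty directory name
    "D0777 0 .\n",            # dot directory name
    "D0700 0 .ssh\n",         # unrequested directory
]


def audit(lines, requested_pattern):
    """Return one (accepted, detail) verdict per control line."""
    verdicts = []
    for line in lines:
        try:
            verdicts.append((True, check_control_line(line, requested_pattern)[3]))
        except RejectedObject as exc:
            verdicts.append((False, str(exc)))
    return verdicts


if __name__ == "__main__":
    for ok, detail in audit(SAMPLE, "report.txt"):
        print("accept" if ok else "REJECT", detail)
```

Because `fnmatch` and a remote shell can disagree on what a pattern matches, a check like this can reject legitimate transfers, which is the caveat Sintonen attaches to his patch.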