
Tech News

3711 Articles

Root Zone KSK (Key Sign Key) Rollover to resolve DNS queries was successfully completed

Savia Lobo
12 Oct 2018
3 min read

Yesterday, ICANN (Internet Corporation for Assigned Names and Numbers) announced that the root KSK roll occurred at 1600 UTC. ICANN is an organization that ensures a stable, secure and unified global Internet by coordinating the maintenance and procedures of several databases related to the namespaces and numerical spaces of the Internet.

What is a Root KSK (Key Sign Key) Rollover?

The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet's DNS. Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including:

  • Internet Service Providers
  • Enterprise network administrators and other Domain Name System (DNS) resolver operators
  • DNS resolver software developers
  • System integrators
  • Hardware and software distributors who install or ship the root's ‘trust anchor’

Maintaining an up-to-date KSK is important to ensure that DNSSEC-validating DNS resolvers continue to function following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries.

Details of the KSK Rollover

KSK Rollover operations started in October 2016 and were scheduled for October 2017. However, ICANN announced that the rollover had been postponed, stating, “a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators are not yet ready for the Key Rollover.” Later, a draft plan was announced on February 1, 2018, after receiving input from the community. The date put forward to initiate the procedure was October 11, 2018. Per ICANN, the rollover is necessary to curb the rising number of cyber attacks.

In an official statement, the Communications Regulatory Authority said, “To further clarify, some internet users might be affected if their network operators or Internet Service Providers (ISPs) have not prepared for this change. However, this impact can be avoided by enabling the appropriate system security extensions.” To know more about this news in detail, visit the main rollover page on ICANN’s website.

Google moving towards data centers with 24/7 carbon-free energy

Amey Varangaonkar
12 Oct 2018
3 min read

It comes as no surprise to most that Google have been one of the largest buyers of renewable energy. Over 2017 alone, Google purchased over 7 billion kilowatt-hours (kWh) from solar panels and wind farms designed especially for their electricity consumption. In light of the IPCC 6 Climate Change report, which was released just a couple of days back, Google have also released a paper discussing their efforts regarding their 24/7 carbon-free energy initiative.

What does the Google paper say

In line with their promise of moving towards a future driven by carbon-free energy, Google’s paper discusses the steps Google are taking to reduce their carbon footprint. Key aspects discussed in this paper, aptly titled ‘Moving toward 24x7 Carbon-Free Energy at Google Data Centers: Progress and Insights’, are:

  • Google’s framework for using 24/7 carbon-free energy
  • How Google are currently utilizing carbon-free energy to power their data centers across different campuses situated all over the world. Finland, North Carolina, Netherlands, Iowa, and Taiwan are some of the examples where this is being achieved.
  • Analysis of the current power usage and how the insights derived can be used in their journey ahead

Why Google is striving for adopting a carbon-free strategy

Per Google, they have been carbon-neutral since 2007, and met their goal of matching all of their global energy consumption with renewable energy. Considering the scale of Google’s business and the size of their existing infrastructure, they have always been a large consumer of electricity. Google’s business expansion plans in the near future could, in turn, have direct effects on the environmental footprint. As such, their strategy of 24/7 carbon-free energy makes complete sense.

According to Google, “Pursuing this long-term objective is important for elevating carbon-free energy from being an important but limited element of the global electricity supply portfolio today, to a resource that fully powers our operations and ultimately the entire electric grid.”

This is a positive and important step by Google towards building a carbon-free future with more dependence on renewable energy sources. It will also encourage other organizations of similar scale to adopt a similar approach to reduce carbon emissions. Microsoft, for example, have already pledged a 75% reduction of their carbon footprint in the environment by 2030. Oracle have also increased their solar power usage as a part of their plan to reduce their carbon emissions.

Magic Leap unveils Mica, a human-like AI in augmented reality

Sugandha Lahoti
12 Oct 2018
3 min read

In the keynote of their developer conference L.E.A.P., which took place Wednesday, Magic Leap showed a demo of their new human-like AI. Dubbed Mica, she can communicate with a viewer through the company’s augmented reality glasses, the Magic Leap One Creator Edition. Mica is a short-haired woman whose facial expressions closely resemble those of a normal human. She does not speak but can still communicate in warm ways with the viewer.

The project was presented at the Magic Leap L.E.A.P. event by Andrew Rabinovich, head of AI at Magic Leap, and John Monos, head of human-centered AI. According to the keynote, Mica is their prototype for developing systems to create digital human representations. The first prototype came up with a realistic eye gaze and eye movement. Artificial Intelligence components were then added to track users and look them in the eye. Additional AI elements were then added for body language and posture. According to Nick Whiting from Epic Games, Mica is powered by Unreal Engine 4.

Magic Leap focused on creating natural facial expressions that can emote in believable ways. Their main goal was to create facial elements that connect users to her. Mica came out as an ideal interface to human-centered AI that evokes natural reactions from the users. Her interactions and intelligence are meant to match what people expect. User focus becomes Mica's temperament: her personality traits and mannerisms are aligned to how the users are with her.

VentureBeat’s correspondent was invited for a demo of Mica. Per his experience, “I walked into a physical room and sat in a chair. Mica was sitting at the table in the same room. She smiled at me and looked at me. I was struck that she wasn’t just looking at me. She was looking in my eyes. She tilted her head from side to side. When I noticed how attentive she was, I moved my head forward and looked in her eyes. She did the same and looked at me. I moved my head back and she moved her head back too. She was mimicking some of the movements that she saw me make. She didn’t talk, but that is coming in the future.”

Magic Leap’s Mica is a clear indication of what the virtual assistant future will look like for most people in the very near future. Read more about Magic Leap’s L.E.A.P conference to know what else was announced. You may also watch the keynote.

Qt Creator 4.8 beta released, adds language server protocol

Prasad Ramesh
12 Oct 2018
2 min read

The Qt team announced the release of Qt Creator 4.8 beta yesterday. It includes generic programming language support and some more experimental C++ features since 4.7.

Generic programming languages in Qt Creator 4.8 beta

Qt Creator 4.8 Beta introduces experimental support for the language server protocol (LSP). Many programming languages have a language server, with Go also having plans to include it. LSP provides features like code completion and reference finding in IDEs. By providing a client for the language server protocol, Qt Creator gets some support for many programming languages.

Currently Qt Creator supports code completion, highlighting of the symbol under the cursor, and jumping to the symbol definition. It also integrates diagnostics from the language server. Highlighting and indentation are still provided by the generic highlighter. The client is tested with Python for the most part. Currently, there is no support for language servers requiring special handling.

C++ support

There are some experimental C++ features added in this release.

Editing compilation databases

A compilation database is a list of files and the compiler flags used to compile them. You can now open a compilation database as a project solely for editing and navigating code. You can try it by enabling the CompilationDatabaseProjectManager plugin.

Clang format based indentation

Auto-indentation is done via LibFormat, which is the backend used by Clang format. To try this, enable the ClangFormat plugin.

Cppcheck diagnostics

The diagnostics generated by the Cppcheck tool are integrated into the editor. Enable the Cppcheck plugin to use it.

In addition to the many fixes, the Clang code model can now jump to the symbol indicated by the auto keyword. It is also possible to generate a compilation database from the information the code model has. This can be done via Build | Generate Compilation Database.

Debugging

There is now support for running multiple debuggers on one or more executables simultaneously. When multiple debuggers are running, you can switch between them with a new drop-down menu in Debug mode.

More about various improvements and fixes can be found in the changelog. For further details, visit the Qt Blog. Qt Creator 4.8 can be downloaded from the Qt website.

Google releases Oboe, a C++ library to build high-performance Android audio apps

Bhagyashree R
12 Oct 2018
3 min read

Yesterday, Google released the first production-ready version of Oboe. It is a C++ library for building real-time audio apps. One of its main benefits is the lowest possible audio latency across the widest range of Android devices. It is similar to AndroidX for native audio.

How Oboe works

The communication between apps and Oboe happens by reading and writing data to streams. This library facilitates the movement of audio data between your app and the audio inputs and outputs on your Android device. The apps are able to pass data in and out by reading from and writing to audio streams, represented by the class AudioStream. A stream consists of the following:

  • Audio device: An audio device is a hardware interface or virtual endpoint that acts as a source or sink for a continuous stream of digital audio data. For example, a built-in mic or Bluetooth headset.
  • Sharing mode: The sharing mode determines whether a stream has exclusive access to an audio device that might otherwise be shared among multiple streams.
  • Audio format: This is the format of the audio data in the stream.

The data that is passed through a stream has the usual digital audio attributes, which developers must specify when defining a stream. These are as follows:

  • Sample format
  • Samples per frame
  • Sample rate

The following sample formats are allowed by Oboe: (table not reproduced; source: GitHub)

What are its benefits

Oboe leverages the improved performance and features of AAudio on Oreo MR1 (API 27+) and also maintains backward compatibility on API 16+. The following are some of its benefits:

  • You write and maintain less code: It uses C++, allowing you to write clean and elegant code. With Oboe you can create an audio stream in just three lines of code whereas, when using OpenSL ES, the same thing requires 50+ lines.
  • Accelerated release process: As Oboe is supplied as a source library, bug fixes can be rolled out in a few days as opposed to the Android platform release cycle.
  • Better bug handling and less guesswork: It provides workarounds for known audio bugs and has sensible default behaviour for stream properties.
  • Open source: It is open source and maintained by Google engineers.

To get started with Oboe, check out the full documentation and the code samples available on its GitHub repository. Also, read the announcement posted on the Android Developers Blog.

Announcing the early release of Travis CI on Windows

Savia Lobo
12 Oct 2018
2 min read

Yesterday, Travis CI announced that its service will now be available on Windows. Travis CI is a distributed Continuous Integration service used to test and deploy projects hosted on GitHub. This is an early release and they plan to release a stable version in Q2 next year. With this update, teams can run their tests on Linux, Mac, and Windows, all in the same build.

At present, users can use Windows with open source and private projects on either travis-ci.org or travis-ci.com. Travis CI plans to bring this to enterprise soon. The company says, “this is our very first full approach to Windows-support, so the tooling is light.”

Laurie Voss, Chief Operating Officer, npm, Inc says, “Adding Windows support to Travis CI will provide a more stable development experience for a huge segment of the JavaScript community—32% of projects in the npm Registry use Travis CI. We look forward to continuing to work with Travis CI to reduce developer friction and empower over 10 million developers worldwide to build amazing things.”

Travis Windows CI environment

The Windows Build Environment for Travis CI launches with support for Node.js, Rust, and Bash languages. Travis Windows CI will run a git bash shell, to maintain consistency with Travis CI's other bash-based environments. This will also allow users to shell out to PowerShell as needed. In addition to this, Docker is also made available for Windows builds.

Travis CI uses Chocolatey as a package manager and also has Visual Studio 2017 Build Tools pre-installed. The Windows build environment is currently based on Windows Server 1803 for containers running Windows Server 2016 as the OS version.

Travis CI mention in their blog post that they are hosting their Windows virtual machines in Google Compute Engine, and that they have seen some variations in their boot times. However, they plan to improve this alongside their other infrastructure-related work.

The company expects to release Windows Build Environments for Enterprise before the release of the stable version. To know more about Travis CI on Windows in detail, visit their official Travis CI blog.

‘Ethical mobile operating system’ /e/, an alternative for Android and iOS, is in beta

Prasad Ramesh
11 Oct 2018
5 min read

Right now Android and iOS are the most widely used OSes on mobile phones. Both are owned by giant corporations and there are no other offerings that are in line with public interest, privacy, or affordability. Android is owned by Google, which can’t be called pro user privacy with all the tracking they do. iOS by Apple is a very closed OS, not to mention that it isn’t exactly affordable to the masses. Apart from some OSes in the works, there is an OS called /e/ or eelo from the creator of Mandrake-Linux, focused on user privacy.

Some OSes in the works

The mobile OSes in the works include Tizen from Samsung, which it has released only with entry level smartphones. There is also an OS in the making by Huawei. Google has also been working on a new OS called Fuchsia. It uses a new microkernel called Zircon created by Google, instead of Linux. It is also in the early stages and there is no clear indication of the purpose of building Fuchsia when Android is ubiquitous in the market. Google was fined $5B regarding Android antitrust earlier this year; maybe Fuchsia can come into the picture here.

In response to the EU’s decision to fine Google, Sundar Pichai said that preventing Google from bundling its apps would “upset the balance of the Android ecosystem” and that the Android business model guaranteed zero charges for the phone makers. This seems like a warning from Google to consider licensing Android to phone makers.

Will curtains be closed on Android over legal disputes? That does not seem very likely considering Android smartphones and Google’s services in these smartphones are a big source of income for Google. They would not let it go that easily and I’m not sure if the world is ready to let go of the Android OS either. It has given access to apps, information, and connectivity to the large masses. However, there is growing discontent among Android users, developers and handset partners. Whether that frustration will pivot enough to create a viable market for an alternative mobile OS is something only time can tell. Either way, there is one OS called /e/ or eelo intent on displacing Android. It has made some progress but is not exactly an OS made from scratch.

What is eelo?

The above mentioned OSes are far from complete and owned by large corporations. Here comes eelo: it is free and open-source. It is a forked LineageOS with all the Google apps and services removed. But that’s not all; it also has a select few default applications, a new user interface, and several integrated online services. The “/e/” ROM is in Beta stage and can be installed on several devices. More devices will be supported as more contributors port and maintain it for different devices.

The ROM uses microG instead of Google’s core apps. It uses Mozilla NLP, which will make geolocation available even when a GPS signal is not available.

eelo project leader, Gaël Duval states: “At /e/, we want to build an alternative mobile operating system that everybody can enjoy using, one that is a lot more respectful of user’s data privacy while offering them real freedom of choice. We want to be known as the ethical mobile operating system, built in the public interest.”

BlissLauncher is included with original icons and support for widgets and auto icon sizing based on screen pixel density. There are new default applications: a mail app, an SMS app (Signal), a chat application (Telegram), along with a weather app, a note app, a tasks app and a maps app. There is an /e/ account manager in which users can choose to use a single /e/ identity (user@e.email) for all services. It will also have OTA updates. The default search engine is searX with Qwant and DuckDuckGo as alternatives. They also plan to open a project in the personal assistant area.

How has the market reacted to eelo?

Early testers seem happy with /e/, alternatively called eelo.

https://twitter.com/lowpunk/status/1050032760373633025
https://twitter.com/rvuong_geek/status/1048541382120525824

There are also some negative reactions where people don’t really welcome this new “mobile OS”.

A comment on reddit by user JaredTheWolfy says: “This sounds like what Cyanogen tried to do, but at least Cyanogen was original and created a legacy for the community.”

Another comment by user MyNDSETER on reddit reads: “Don't trust Google with your data. Trust us instead. Oh gee ok and I'll take some stickers as well.”

Yet another reddit user zdakat says: “I guess that's the android version of I made my own cryptocurrency! (by changing a few strings in Bitcoin source, or the new thing: by deploying a token on Ethereum)”

You can check out a detailed article about eelo on Hackernoon, and the /e/ website.

Vim-go creator, Fatih Arslan, takes an “indefinite sabbatical” from all his open source projects as he’s burnt out

Natasha Mathur
11 Oct 2018
6 min read

The creator of vim-go, Fatih Arslan, announced on his personal blog yesterday that he is taking an “indefinite sabbatical” from his vim-go projects. He had been working on the project for the past 4.5 years. Arslan says that he won’t be maintaining vim-go anymore and is uncertain about when he’ll be coming back to work on it again. For now, he’ll only be working on a select few small projects that don’t need him to actively maintain them.

“I’m working for DigitalOcean..this is my full-time job. I have a family to take care of and just like any other grown-up in the world, you do what you have to do. However, there is no place for Go tooling and editors here. It’s a hobby and passion. But if a hobby feels like it becomes a second full-time job, something is very wrong. The time has come to end this craziness.”, says Arslan.

What’s interesting is that Arslan is not the first from the open source community to go on a break. This seems to be an ongoing trend in the open-source community lately, which started with Guido van Rossum, Python founder, taking a ‘permanent vacation from being BDFL’ in July. He does continue to work in his capacity as a core developer. Guido's decision to take a break stemmed from the physical, mental, and emotional toll that his role at work had taken on him over the past years. He had mentioned that he was “tired, and need a very long break”.

Arslan’s reason seems fairly similar as he said, “For the last one year, I’m struggling to maintain my side projects. I feel like I’m burnt out. Working on a side project is fun until it becomes your second full-time job. One thing that I’m sure is, I’m not happy how my day to day life is evolving around me”.

Another recent example is Linus Torvalds, who had been working on the Linux Kernel for almost 30 years. Torvalds opened up about going on a break over his ‘hurtful’ behavior that ‘contributed to an unprofessional environment’. “I need to take a break to get help on how to behave differently and fix some issues in my tooling and workflow”, said Torvalds. Even though Linus left to take time for self-reflection and was not burnt out, it is symptomatic of the same underlying issue. When one wants to accomplish a lot in a short period of time, one tends to find efficiencies where they can. Often efficient communication may not be effective as it may come across as terse, sarcastic or uncaring.

Arslan mentioned that when he first started with vim-go, it was fun, rewarding and solved a lot of his problems. It was his favorite editor and enabled him to write Go inside vim in a very efficient and productive way. As he started with vim-go, he got the chance to work on and create many other smaller Go packages and tools. Some of these, such as the color and struct packages, even became popular.

“Again, it solved many problems and back then I wanted to use Go packages that are easy to use and just works out of the box. I also really like to work on Go tooling and editors. But this is not the case for many of my projects, especially vim-go. With the popularity of all these projects, my day to day work also increased”, says Arslan.

The problem of burnout seems epidemic in the open source community. They work long hours, neglect themselves and their personal lives, and don’t always get to see the results that they should for such hard work. Arslan mentioned that it used to take him 10-20 hours extra per week, outside of his day job, to maintain these projects. He could “no longer maintain this tempo” as every day he used to receive multiple GitHub emails regarding pull requests, issues, feedback, fixes, etc., which was affecting his well-being. It also didn’t make any sense to him “economically”.

“It’s very hard for me to do this, but trust me I’m thinking about this for a long time. I cannot continue this anymore without sacrificing my own well being”, mentions Arslan.

Who will look after vim-go now?

Arslan’s sabbatical won’t be affecting vim-go’s performance as he has assigned the duty of maintaining vim-go to two of the full-time contributors, namely, Martin Tournoij and Billie Cleek. Billie Cleek, who worked with Arslan at DigitalOcean, will be the lead of the vim-go project. Cleek has already made hundreds of contributions to vim-go (recently added unified async support for Vim and Neovim) and is well-versed with vim-go’s code base.

“I don’t know if I could find anyone else that would make a great fit than him. I’m very lucky to have someone like him. The vim-go community will be in very good hands”, said Arslan.

As far as the other popular Go projects and packages are concerned, Arslan will be going over them one last time and will archive repos such as color, structs, camelcase, images, vim-hclfmt, and many others. This means that you’ll still be able to fetch these repos and use them within your projects. Arslan believes that most of these packages are in “a very good state” and don’t require any more additions.

That being said, there are three projects that Arslan will still be maintaining: gomodifytags, structtag, and motion. The gomodifytags project was Arslan’s most enjoyed project so far as it had zero bugs and simple design because. These projects will be maintained in a “sleep mode” and Arslan will only be going over “serious issues”.

“I have now so much time that I’ll be spending for myself...I have a side project that I’m working for a couple of months privately..(I can) play more with my son and just hang out all day, without doing a single thing. The weekends belong to me. I no longer have to worry about the last opened pull request’s to vim-go or my other Go projects..it just feels so refreshing. I suggest everyone do the same thing, take a step back and see what’s happening around you. It’ll help you to become a better yourself”, says Arslan.

Public reaction towards Arslan’s decision is majorly positive:

https://twitter.com/rakyll/status/1050053991088840704
https://twitter.com/idanyliuk/status/1050053303814541312
https://twitter.com/corylanou/status/1050132111745794052

For more coverage, read Arslan’s official announcement.

Multiple severe vulnerabilities reported in Juniper Networks hardware

Melisha Dsouza
11 Oct 2018
7 min read

Juniper Networks saw a host of severe vulnerabilities in its hardware today. These vulnerabilities threaten to severely affect a network, including threats like Denial of Service, daemon crashes, insecure configurations, kernel crashes and many more. There were a total of 22 vulnerabilities reported on its Knowledge Center. Here is a list of some of them in Juniper's Junos OS that you need to watch out for.

#1 Receiving a specifically crafted malicious MPLS packet leads to a Junos kernel crash

In Juniper Networks Junos OS, a NULL Pointer Dereference vulnerability allows an attacker to cause the Junos OS kernel to crash. Target victims can be affected by a Denial of Service attack from just a single malicious MPLS packet. Continued receipt of this packet will cause a sustained Denial of Service condition. This issue was encountered during production usage and multiple software releases have been issued to resolve it. Many releases have also been re-released, while software patches and updates have been made available to sort out the issue. Users are advised to remove the MPLS configuration stanza from the interfaces at risk.

#2 Memory exhaustion DOS vulnerability in Routing Protocols Daemon with Juniper Extension Toolkit support

An unauthenticated network-based attacker can cause a device to have severe memory exhaustion due to a vulnerability in the Routing Protocols Daemon (RPD) with Juniper Extension Toolkit (JET) support. This degrades system performance as well as impacts system availability. The issue, which was found during internal product testing, only affects devices with JET support running Junos OS 17.2R1 and subsequent releases. As of today, there are no viable workarounds for this issue.

#3 Multiple vulnerabilities discovered in NTP daemon

The issues discovered in the NTP daemon affect all products and platforms running Junos OS. NTP.org has published security advisories for vulnerabilities resolved in ntpd (NTP daemon). The team has released software patches to resolve the above issues. Users are advised to adopt standard security best practices (control plane firewall filters, edge filtering, access lists, etc.) to protect against any remote malicious attacks against NTP. Customers who have already applied the workaround described by the team are already protected against any remote exploitation of these vulnerabilities.

#4 Invalid IP/mask learned from DHCP server might cause the device control daemon process crash

The device control daemon process (dcd) of Juniper Networks Junos OS has an improper input validation weakness. This allows an attacker to cause a Denial of Service to the dcd process and interfaces and connected clients when the Junos device is requesting an IP address for itself. The good news is that Junos devices not configured to use DHCP are not vulnerable to this issue. The issue was discovered in the production stage and multiple software releases have been issued to resolve it.

#5 Stateless IP firewall filter rules stop working after reboot or upgrade

Once the Junos OS device reboots or upgrades, the stateless firewall filter configuration does not work as expected. This vulnerability affects firewall filters for every address family. The affected releases of Junos OS include 15.1R4, 15.1R5, 15.1R6 and SRs based on these MRs as well as 15.1X8 versions prior to 15.1X8.3. The issue was encountered during the production stage and doesn’t have any known workarounds. However, once the issue has occurred, the configuration can be restored by performing "commit full". The team has released software to resolve this specific issue.

#6 Credentials exposed when using HTTP and HTTPS Firewall Pass-through User Authentication

When an SRX Series device is configured to use HTTP/HTTPS pass-through authentication services, it can be affected by a man-in-the-middle attack or by authentic servers that have been subverted by malicious actors. In the initial HTTP/HTTPS session, a client sending authentication credentials is at risk that these credentials may be captured by a malicious hacker during follow-on HTTP/HTTPS requests. This vulnerability does not affect the FTP and Telnet pass-through authentication services. The team has updated some software releases to resolve this specific issue. The workaround suggested for this vulnerability is to discontinue the use of HTTP/HTTPS Pass-through Firewall User Authentication. Users are also advised to use web-redirect when using Pass-through Firewall User Authentication.

#7 jdhcpd process crash during processing of specially crafted DHCPv6 message

A jdhcpd daemon crash can occur after receiving a specially crafted DHCPv6 message destined to a Junos OS device configured as a DHCP server in a Broadband Edge (BBE) environment. A continuous stream of DHCPv6 packets could lead to an extended denial of service condition. Only Junos OS 15.1 and later are affected by this issue, and devices are vulnerable to the DHCPv6 message only if they have a DHCP service configured. The team has released software to resolve this specific issue. A workaround to this vulnerability would be to disable DHCP services if they are not needed.

#8 A local authentication vulnerability may lead to full control of a vSRX instance while the system is booting

Junos OS on vSRX Series has an authentication bypass vulnerability in the initial boot sequence. This may allow an attacker to gain full control of the system without authentication when the system initially boots up. The following software releases have been updated to resolve this specific issue: Junos OS 15.1X49-D30, and all subsequent releases. As such, there are no viable workarounds for this issue. Methods which may reduce, but not eliminate, the risk of exploitation of this problem include restricting access to the hypervisor to only trusted administrators and disallowing all access to the "physical instance" of the vSRX instance while it is initially booting. This can be done by disabling connectivity to devices hosting the instance.

#9 Unauthenticated remote root access possible when RSH service is enabled

A remote unauthenticated attacker can obtain root access to the device if the RSH service is enabled on Junos OS and PAM authentication is disabled. By default, the RSH service is disabled on Junos. An undocumented CLI command allows a privileged Junos user to enable the RSH service and disable PAM, and hence expose the system to unauthenticated root access. This issue is not exploitable on platforms where the Junos release is based on FreeBSD 10+. This issue only affects configurations where the RSH service is enabled and PAM authentication is disabled. The team suggests that users should ensure there is no RSH service listening on port 514. They also suggest utilizing common security BCPs to limit the exploitable surface by limiting access to the network and device to trusted systems, administrators, networks and hosts.

#10 Receiving a malformed MPLS RSVP packet leads to a Routing Protocols Daemon crash

An attacker can easily cause the RPD to crash because of an error handling vulnerability in the Routing Protocols Daemon (RPD) of Juniper Networks Junos OS. Continuously receiving this malformed MPLS RSVP packet will cause a sustained Denial of Service condition. This issue does not affect versions of Junos OS before 14.1R1. The team has updated the following software releases to resolve this specific issue: 14.1R8-S5, 14.1R9, 14.1X53-D130, 14.1X53-D48, 14.2R4, 15.1R1, and all subsequent releases. The team suggests removing the MPLS configuration stanzas from interface configurations that are at risk.
These are just some of the vulnerabilities that can affect the Junos OS. To know more about the other vulnerabilities reported, head over to Juniper Networks official site. Juniper networks comes up with 5G – IoT-ready routing platform, MX Series 5G ‘Peekaboo’ Zero-Day Vulnerability allows hackers to access CCTV cameras, says Tenable Research Upgrade to Git 2.19.1 to avoid a Git submodule vulnerability that causes arbitrary code execution

Bhagyashree R
11 Oct 2018
3 min read

Grafana 5.3 is now stable, comes with Google Stackdriver built-in support, a new Postgres query builder

Yesterday, the Grafana team made Grafana 5.3 stable. This version comes with several enhancements and new features including built-in support for Google Stackdriver, improved TV and Kiosk mode, a new query builder for Postgres, and more.

Built-in support for Google Stackdriver

Grafana 5.3 provides built-in support for Google Stackdriver to enable visualizing Stackdriver metrics in Grafana. Google Stackdriver is a monitoring service that aggregates metrics, logs, and events from infrastructure. It gives developers and operators a rich set of observable signals that speed root-cause analysis and reduce mean time to resolution (MTTR). You just have to create a GCE Service account that has access to the Stackdriver API scope. After that, download the Service Account key file from Google and upload it on the Stackdriver datasource config page in Grafana, and you should have a secure server-to-server authentication setup.

Easily accessible TV and Kiosk Mode

A view mode icon is now displayed in the top bar to easily cycle through different view modes. Choosing the first view mode will hide the sidebar and most of the buttons in the top bar. In the second view mode, the top bar will be completely hidden and only the dashboard is visible.

Notification reminders

It is now possible to set reminders so that you are continuously alerted until the problem is fixed. This is done on the notification channel itself and will affect all alerts that use that channel.

Introducing a new Postgres query builder

Grafana 5.3 provides a new graphical query builder for Postgres. This query builder makes it easier for both advanced users and beginners to work with time-series in Postgres. You can find it in the metrics tab in the Graph or Singlestat panel's edit mode.

Improved OAuth support for GitLab

Grafana 5.3 comes with a new OAuth integration for GitLab that enables configuration to only authenticate users that are members of certain GitLab groups. With this integration, you can now use GitLab OAuth with Grafana in a shared environment without giving everyone access to Grafana.

Variables with free text support

A new variable type named Text box is introduced, which makes it easier and more convenient to provide free text input to a variable. This new variable type will display as a free text input field with an optional pre-filled default value.

Read the full changelog on Grafana's official website and also check its GitHub repository.
Pavan Ramchandani
11 Oct 2018
2 min read

Liquid Network launched - World’s first production-ready Bitcoin sidechain

Blockstream, a Blockchain-based solution startup, has launched a new Blockchain service called Liquid Network. The Liquid Network is an implementation of an advanced technology called Sidechain. It is a blockchain-based distributed network that provides secure and fast transactions for cryptocurrency traders.

What is sidechain?

Sidechains are complementary to existing blockchain technology and help in securely transferring digital entities (assets, tokens, etc.) from one blockchain to another and vice versa. The sidechain is associated with the main blockchain through a channel that enables the transfer between the two ledgers. The Sidechain then carries additional details of the transaction and thus provides an additional layer of security to blockchain-based transactions. An important underlying technology associated with Sidechain is "Federation". A federation is a group that acts as an intermediary to verify all the transactions that happen in the Sidechain.

Liquid network

The Liquid network, popularly known as "an inter-exchange settlement network", is built on top of the Bitcoin network. Liquid is based on the concept of a Bitcoin sidechain but is not exactly a sidechain, as it involves more privacy in overseeing the transactions through its network. The Liquid network enables fast transactions by emphasizing trading between mass exchanges through the blockchain ledger. With these functionalities, the Liquid network is said to be bringing the use of blockchain into production.

The main features of the Liquid network are:

Liquid Bitcoin (L-BTC): Helps companies provide end-user security for and speedy transfer of Bitcoin with settlements.

Issued Assets: This brings Bitcoin features like tokenization, reward points, and attested assets, removing the need for dedicated wallet software.

Confidential Transaction technology: Ensures the privacy of the transfer data by making sure that only transacting parties are overseeing the network.

As of its launch on 10 October '18, 23 cryptocurrency companies are using the Liquid network for transactions. The launch of a truly private blockchain network is expected to enable financial institutions to tokenize various assets like gold, bonds, cryptocurrencies, and securities, among others.

Bhagyashree R
11 Oct 2018
2 min read

Introducing Walt: A syntax for WebAssembly text format written 100% in JavaScript and needs no LLVM/binary toolkits

Walt, an alternative syntax for WebAssembly text format, was introduced today. It allows developers to use JavaScript syntax to write as "close to the metal" as possible. Its ultimate goal is to make WebAssembly accessible to regular JavaScript programmers. Written 100% in JavaScript, it requires no LLVM/binary toolkits.

What does Walt try to solve?

Writing zero-overhead, optimized WebAssembly code is difficult. You need to write very plain C code, compile that to .wast and then optimize that result. Then, finally, you're ready to compile that into the final WebAssembly binary. Walt attempts to take C/Rust out of the equation and write "as close to the metal" as possible without losing readability.

How does it solve the problem?

Walt provides a thin layer of syntax sugar on top of the .wat text format. This improved syntax gives developers direct control over the WebAssembly output. This means that minimal to no post-optimization should be needed on the generated wast code. For example, here is what a .walt module, which exports a recursive Fibonacci function, looks like: [code image; source: GitHub]

When this code is passed through the Walt compiler, you get a buffer which can be used to create a WebAssembly module with a fibonacci export. All this is done with familiar JS syntax and without any external binary toolkits.

What are some of its use cases?

Anyone who is interested in WebAssembly but is not familiar with system languages can get a quick start with Walt. It can be used in the following scenarios:

Web/Node libraries
Games
Web VR/AR
Projects depending on heavy real-time computation, from complex UIs to 3D visualizations

To know more about Walt and how you can get started with it, check out its GitHub repository.

Prasad Ramesh
11 Oct 2018
3 min read

Origin DApp: A decentralized marketplace on Ethereum mainnet aims to disrupt gig economy platforms like Airbnb and Uber

The Origin DApp is a decentralized marketplace on the blockchain mainnet. It launched last week and is in the beta stage.

Purpose of the Origin DApp

Large organizations like Airbnb or Uber often charge 20-30% as commission for providing a service. One of the goals of the Origin mainnet is to host such services peer-to-peer. This will eliminate the middleman, and the cost of services will go down. Think of it like Craigslist, but Ethereum based and decentralized on a blockchain network. Your account would be your Ethereum wallet. To transact on the Origin DApp, a crypto wallet needs to be attached to your browser. For this, the Metamask extension is a good option, which is available for both Chrome and Firefox. Also, communication is done via Origin Messaging directly between the seller and the buyer.

Features of Origin DApp

Some of the important features of this DApp are:

Smart contract for the marketplace

The marketplace contract implements transactions in multiple steps, dispute management, and optional affiliate commissions. It uses ETH and/or any ERC-20 tokens as currency.

The Origin token

OGN is an ERC-20 token integrated with the marketplace smart contracts. The token is meant to incentivize behaviors that will bootstrap the network and also protect against negative behaviors. The Origin token is meant to reward behaviors that will help the network flourish and safeguard against bad actions.

Search

You can use the search bar at the top to query listing data by keyword, category, and price. The listings are loaded directly from the blockchain.

Resolving conflicts

In case of a conflict between a seller and buyer, there is a workflow for dispute resolution. As of now, Origin is the only arbitrator on the platform, but more decentralized solutions are expected in the future.

Future work

Currently, listings like rentals, ticketing, and e-commerce are not supported. There is no mobile app, no advanced search, and no JS SDK for third-party developers to build DApps on the platform. Future plans include enabling third-party developer partners to build on Origin, improving user experience, launching a mobile app/wallet, support for more types of listings, and hardening the infrastructure for greater security and scalability.

Since Origin is in the beta stage, there are currently no push or email notifications available. There is a team to resolve any disputes. To see mainstream adoption, there needs to be enough abstraction to hide away the complexities of using a service on a blockchain. It can take years for that to happen, for a regular cabbie or hotel owner to understand and use a 'decentralized marketplace'.

For more details, visit the Origin post on Medium and the beta website. To get started, here's a demo video.
Savia Lobo
11 Oct 2018
3 min read

GitHub comes to your code Editor; GitHub security alerts now have machine intelligence

On Tuesday, the GitHub team announced that they will be making life easy for developers by getting Git right into our editor. The insights on this extension will be announced on Day 2 (17th October, 2019) of the two-day GitHub Universe conference. GitHub, in collaboration with the Visual Studio Code Team at Microsoft, will brief users about this update during their talk Cross Company Collaboration: Extending GitHub to a New IDE. Sarah Guthals, the Engineering Manager at GitHub, mentions in her post, “We’ve been working since 2015 to provide a GitHub experience that meets you where you spend the majority of your time: in your editor.”

What's in store for developers from different communities?

For .NET developers

In 2015, GitHub brought all Visual Studio developers an extension that supports GitHub.com and GitHub Enterprise engagements within the editor. Sarah says, “today you can complete an entire pull request review without ever leaving Visual Studio.”

For the Atom community

GitHub also supports a first-class Git and GitHub experience for Atom developers. Users can now access basic Git operations like staging, committing, and syncing, alongside more complex collaboration with the recently released pull request experience.

For game developers

Unity game developers can now use Git within Unity for the first time to clone and sync with GitHub.com and lock files.

The Conflux: GitHub and Visual Studio Code

In the talk, which will be presented in the coming week, the Visual Studio Code team at Microsoft and the editor tools team at GitHub will share their experience of how both teams began exploring the possibility of an integration between their two products. The team at Microsoft started to design a pull request experience within Visual Studio Code, while the GitHub team prototyped one modeled after the same experience in the Visual Studio IDE. This brought users an integrated GitHub experience in Visual Studio Code supported by the Visual Studio Code API.

This new extension gives developers the ability to:

Authenticate with GitHub within VS Code (for GitHub.com and GitHub Enterprise)
List pull requests associated with your current repository, view their description, and browse the diffs of changed files
Validate pull requests by checking them out and testing them without having to leave VS Code

GitHub applies machine intelligence to its GitHub security alerts

GitHub also announced that it has built a machine learning model that can scan text associated with public commits (the commit message and linked issues or pull requests) to filter out those related to possible security upgrades. With this smaller batch of commits, the model uses the diff to understand how required version ranges have changed. Further, it aggregates across a specific timeframe to get a holistic view of all dependencies that a security release might affect. Finally, the model outputs a list of packages and version ranges it thinks require an alert and currently aren't covered by any known CVE in their system.

To know more about these updates, visit the GitHub blog. Also know more about the GitHub and Visual Studio Code integration in Sarah Guthals' GitHub post.

Natasha Mathur
11 Oct 2018
2 min read

Google announces updates to Chrome DevTools in Chrome 71

The Google Chrome team announced new updates and changes to the Chrome DevTools in Chrome 71 today. The latest update explores features such as hovering over a Live Expression to highlight the DOM node, storing DOM nodes as global variables, Initiator and priority information in HAR imports and exports, and Picture-in-Picture breakpoints, among others. Let's discuss these features in the latest update to DevTools in Chrome 71.

Hovering over Live Expression to highlight DOM node

Now when an Expression evaluates to a DOM node, hovering over the Live Expression will highlight that DOM node in the viewport.

Storing DOM nodes as global variables

You can now store DOM nodes as global variables. All you need to do is run an expression in the console that evaluates to a node. Then right-click the result and select Store as global variable. Alternatively, you can also right-click the node in the DOM Tree and then select Store as global variable.

Initiator and priority information available in HAR imports and exports

DevTools now includes initiator and priority information in the HAR file when exporting a HAR file. When you import HAR files back into DevTools, the Initiator and Priority columns get populated. The _initiator field offers information about what caused the resource to be requested. The _priority field states the priority level that the browser assigned to the resource.

Accessing Command Menu from the Main Menu

The Command Menu provides a fast way to access DevTools panels, tabs, and features. Now, you can open the Command Menu directly from the Main Menu. Click the main button on the main menu and select Run command.

"Add to homescreen" now called "Trigger beforeinstallprompt"

The Add to homescreen button on the Manifest tab has been renamed to Trigger beforeinstallprompt, as it is more semantically accurate.

For more information, check out the official update notes.