Tech News
Rust 2018 RC1 now released with Raw identifiers, better path clarity, and other changes

Prasad Ramesh
21 Sep 2018
3 min read
Rust 2018 RC1 was released yesterday. This new version of the Rust programming language contains features like raw identifiers, better path clarity and other additions. Some of the changes in Rust 2018 RC1 include:

Raw identifiers

Like many programming languages, Rust too has the concept of "keywords". These identifiers cannot be used in places like variable names, function names, and other places. With Rust 2018 RC1, raw identifiers let you use keywords where they are normally not allowed. New confirmed keywords in Rust 2018 RC1 are async, await, and try.

Better path clarity

One of the hardest things for people new to Rust is the module system. While there are simple and consistent rules defining the module system, their consequences can appear to be inconsistent and hard to understand. Rust 2018 RC1 introduces a few new module system features to simplify the module system and give a better picture of what is going on:

- extern crate is no longer needed.
- The crate keyword refers to the current crate.
- Absolute paths begin with a crate name, where again the keyword crate refers to the current crate.
- A foo.rs file and a foo/ subdirectory may coexist. mod.rs is no longer required when placing submodules in a subdirectory.

Anonymous trait parameters are deprecated

Parameters in trait method declarations are no longer allowed to be anonymous. In Rust 2015, the following was allowed:

trait Foo { fn foo(&self, u8); }

In Rust 2018 RC1, all parameters require an argument name (even if it's just _):

trait Foo { fn foo(&self, baz: u8); }

Non-lexical lifetimes

The borrow checker has been enhanced to accept more code. This is performed via a mechanism called 'non-lexical lifetimes'. Previously, the code below would have produced an error, but now it compiles just fine:

fn main() {
    let mut x = 5;
    let y = &x;
    let z = &mut x;
}

Previously, lifetimes followed "lexical scope": the borrow held by y was considered live until y went out of scope at the end of main, even though y is never used again in the code. The above code now works fine, but the borrow checker in older versions was not able to handle it.

Installation

To try and install Rust 2018 RC1 you need to install the Rust 1.30 beta toolchain. This beta is a little different from the normal beta, states the Rust Blog.

> rustup install beta
> rustc +beta --version
rustc 1.30.0-beta.2 (7a0062e46 2018-09-19)

The feature flags for Rust 2018 RC1 are turned on and can be used to report issues.

These were only a select few changes. Other changes in this beta include lifetime elision in impl, T: 'a inference in structs, macro changes etc. For more information and details on the complete list of updates, read the Rust edition guide, where the new features are marked as beta.

Related:
Rust 1.29 is out with improvements to its package manager, Cargo
Deno, an attempt to fix Node.js flaws, is rewritten in Rust
Creating Macros in Rust [Tutorial]
Bitcoin Core escapes a collapse from a Denial-of-Service vulnerability

Savia Lobo
21 Sep 2018
2 min read
A few days back, Bitcoin Core developers discovered a vulnerability in the Bitcoin Core software that would have allowed a miner to insert a 'poisoned block' into its blockchain. This would have crashed the nodes running the Bitcoin software around the world. The software patch notes state, "A denial-of-service vulnerability (CVE-2018-17144) exploitable by miners has been discovered in Bitcoin Core versions 0.14.0 up to 0.16.2." The developers further recommended that users upgrade any of the vulnerable versions to 0.16.3 as soon as possible.

CVE-2018-17144: The denial-of-service vulnerability

The vulnerability was introduced in Bitcoin Core version 0.14.0, which was first released in March 2017. But the issue wasn't found until just two days ago, prompting contributors to the codebase to take action and ultimately release a tested fix within 24 hours.

In a report by The Next Web, "The bug relates to its consensus code. It meant that some miners had the option to send transaction data twice, causing the Bitcoin network to crash when attempting to validate them. As such invalid blocks need to be mined anyway, only those willing to disregard block reward of 12.5BTC ($80,000) could actually do any real damage."

Also, the bug was not only in the Bitcoin protocol but also in its most popular software implementation. Some cryptocurrencies built using Bitcoin Core's code were also affected. For example, Litecoin patched the same vulnerability on Tuesday. However, Bitcoin is far too decentralized to be brought down by any single entity. TNW also states, "While never convenient, responding appropriately to such potential dangers is crucial to maintaining the integrity of blockchain tech – especially when reversing transactions is not an option."

This vulnerability discovery, however, was a great escape from a Bitcoin collapse. To read about this news in detail, head over to The Next Web's full coverage.

Related:
A Guide to safe cryptocurrency trading
Apple changes app store guidelines on cryptocurrency mining
Crypto-ML, a machine learning powered cryptocurrency platform
Pytorch.org revamps for Pytorch 1.0 with design changes and added Static graph support

Natasha Mathur
21 Sep 2018
2 min read
The PyTorch team updated their official website, Pytorch.org, for PyTorch 1.0 yesterday. The new update comprises minor changes to the overall look and feel of the website. In addition to that, more information has been added under the tutorials section for converting your PyTorch models to a static graph.

PyTorch is a Python-based scientific computing package which uses the power of graphics processing units. It is also one of the preferred deep learning research platforms, built to offer maximum flexibility and speed.

Key Updates

Design Changes

The layout of the webpage is still the same, but color changes have been made, with additional tabs included at the top of the webpage.

(Image: Revamped Pytorch.org)

Previously, there were only five tabs, namely Get Started, About, Support, Discuss and Docs. Now there are eight tabs, namely Get Started, Features, Ecosystem, Blog, Tutorials, Docs, Resources, and Github.

(Image: Older Pytorch.org)

Updated Tutorials

With the new Tutorials tab, additional information has been provided for users to convert their models into a static graph, which is a feature in the upcoming PyTorch 1.0 version.

Added static graph support

One of the main differences between TensorFlow and PyTorch is that TensorFlow uses static computational graphs while PyTorch uses dynamic computational graphs. In TensorFlow we first set up the computational graph, then execute the same graph many times. There is now an additional section under tutorials on static graphs. This implementation makes use of basic TensorFlow operations to set up a computational graph, then executes the graph many times to actually train a fully-connected ReLU network.

For more details on the changes, visit the official PyTorch website.

Related:
What is PyTorch and how does it work?
Can a production ready PyTorch 1.0 give TensorFlow a tough time?
PyTorch 0.3.0 releases, ending stochastic functions
Kubernetes 1.12 is releasing next week with updates to its storage, security and much more!

Melisha Dsouza
21 Sep 2018
4 min read
Kubernetes 1.12 will be released on Tuesday, the 25th of September 2018. This updated release comes with improvements to security and storage, cloud provider support and other internal changes. Let's take a look at the four domains that will be majorly impacted by this update.

#1 Security

Stability provided for Kubelet TLS bootstrap
The Kubelet TLS bootstrap will now have a stable version. This was also covered in the blog post Kubernetes Security: RBAC and TLS. The kubelet can generate a private key and a certificate signing request (CSR) to get the corresponding certificate.

Kubelet server TLS certificate automatic rotation (Beta)
The kubelets are able to rotate both client and server certificates. They can be automatically rotated through the respective RotateKubeletClientCertificate and RotateKubeletServerCertificate feature flags in the kubelet, which are now enabled by default.

Egress and IPBlock support for Network Policy
NetworkPolicy objects support an egress or to section to allow or deny traffic based on IP ranges or Kubernetes metadata. NetworkPolicy objects also support CIDR IP blocks in the rule definitions. Users can combine Kubernetes-specific selectors with IP-based ones for both ingress and egress policies.

Encryption at rest
Data encryption at rest can be obtained using Google Key Management Service as an encryption provider. Read more about this under KMS providers for data encryption.

#2 Storage

Snapshot / restore volume support for Kubernetes
VolumeSnapshotContent and VolumeSnapshot API resources can be provided to create volume snapshots for users and administrators.

Topology aware dynamic provisioning, Kubernetes CSI topology support (Beta)
Topology aware dynamic provisioning will allow a Pod to request one or more Persistent Volumes (PV) with a topology that is compatible with the Pod's other scheduling constraints, such as resource requirements and affinity/anti-affinity policies. When using multi-zone clusters, pods can be spread across zones in a specific region. The volume binding mode controls the moment at which the volume binding and dynamic provisioning should happen.

Automatic detection of Node type
When the dynamic volume limits feature is enabled in Kubernetes, it automatically determines the node type. Kubernetes supports the appropriate number of attachable volumes for the node and vendor.

#3 Support for Cloud providers

Support for Azure Availability Zones
Kubernetes 1.12 brings support for Azure availability zones. Nodes within each availability zone will be given the label failure-domain.beta.kubernetes.io/zone=<region>-<AZ>, and the Azure managed disks storage class will be provisioned taking this into account.

Stable support for Azure Virtual Machine Scale Sets
This feature adds support for Azure Virtual Machine Scale Sets. This technology lets users create and manage a group of identical, load balanced virtual machines.

Add Azure support to cluster-autoscaler (Stable)
This feature adds support for the Azure Cluster Autoscaler. The cluster autoscaler allows clusters to grow as resource demands increase. The Cluster Autoscaler does this scaling based on pending pods.

#4 Better support for Kubernetes internals

Easier installation and upgrades through ComponentConfig
In earlier Kubernetes versions, modifying the base configuration of the core cluster components was not easily automatable. ComponentConfig is an ongoing effort to make component configuration more dynamic and directly reachable through the Kubernetes API.

Improved multi-platform compatibility
Kubernetes aims to support multiple architectures, including arm, arm64, ppc64le, s390x and Windows platforms. Automated CI e2e conformance tests have been deployed to ensure compatibility moving forward.

Quota by priority
scopeSelector can be used to create Pods at a specific priority. Users can also control a pod's consumption of system resources based on the pod's priority.

Apart from these four major areas that will be upgraded in Kubernetes 1.12, additional features to look out for are Arbitrary / Custom Metrics in the Horizontal Pod Autoscaler, Pod Vertical Scaling, Mount namespace propagation, and much more! To know about all the upgrades in Kubernetes 1.12, head over to Sysdig's Blog.

Related:
Google Cloud hands over Kubernetes project operations to CNCF, grants $9M in GCP credits
Kubernetes 1.11 is here!
VMware Kubernetes Engine (VKE) launched to offer Kubernetes-as-a-Service
Meet Sublime Merge, a new Git client from the makers of Sublime Text

Prasad Ramesh
21 Sep 2018
3 min read
The makers of Sublime Text released a new Git client yesterday. Called Sublime Merge, this tool combines the user interface of Sublime Text with a from-scratch implementation of Git. The result is a Git client with a better and familiar interface. Sublime Merge has no time limit, no metrics, and no tracking of your usage. It has two themes, light and dark. The evaluation version is fully functional, but does not have the dark theme. You don't need an account for the evaluation version. Here are some of the features of Sublime Merge.

An integrated merge tool

An integrated merge tool allows resolving conflicts in Sublime Merge itself instead of having to open another editor. There is a 3-pane view for viewing conflicts. The changes made by you are on the left, and those by others on the right. The resolved text is displayed in a pane in the center with buttons to choose which changes to accept.

Advanced diffs

Where necessary, Sublime Merge will display exactly which individual characters have been changed in a commit. This includes renames, moves, resolving conflicts or just looking at the commit history. It can be done simply by selecting any two commits in Sublime Merge with Ctrl+Left Mouse to show the diff between them.

Key bindings

There are also good keyboard usability options. The Tab key can be used to navigate through different parts of the application. Space bar can toggle expansion, and Enter can stage/unstage hunks. The Command Palette allows quick access to a large set of Git commands and is triggered by Ctrl+P.

Command line integration

Sublime Merge works hand-in-hand with the command line. All repository changes are updated live, and things work the same from the command line as they would from the UI. So either the GUI or the command line can be used for different functions; the choice is yours. The smerge tool that comes with Sublime Merge can be used to open repositories, blame files, and search for commits.

Advanced search

Sublime Merge features find-as-you-type search to find the commit with exact matches. You can search for commit messages, commit authors, file names, and even wildcard patterns. Complex search queries can also be constructed using 'and', 'or', and '()' symbols for deep searches within folders.

Use of real Git

Working with Sublime Merge means you're working with the real Git, and not just a simplified version. Hovering over the buttons will show you which command they will run. Sublime Merge uses the same lingo as Git, and it doesn't make use of any state beyond Git itself. It uses a custom implementation of Git for reading repositories, which drives its high-performance functionality. However, Git itself is used directly in Sublime Merge for repository-mutating operations like staging, committing, checking out branches, etc.

Downloads and licence

Individual licences are lifetime, with three years of updates included. For business licences, a subscription is available. Sublime Merge is in its early stages and has only been used by the makers and a small team of beta testers. Now they have invited other users to try it as well. You can download and read more about the Git client from the Sublime Merge website.

Related:
TypeScript 3.0 is finally released with 'improved errors', editor productivity and more
GitHub introduces 'Experiments', a platform to share live demos of their research projects
Packt's GitHub portal hits 2,000 repositories
Facebook Dating app to release as a test version in Colombia

Sugandha Lahoti
21 Sep 2018
3 min read
Facebook first announced at its F8 conference that it is testing a new dating feature within the proprietary Facebook app. This dating and relationships feature will allow people to create a dating profile that is separate from their Facebook profile. Potential matches in Facebook Dating will be recommended based on dating preferences, your location, shared page likes, similarities between your Facebook profiles, and mutual friends.

Starting today, Facebook is rolling out a country-wide test in Colombia of its new Dating feature. Users can browse for matches within a 100km radius. Users have to input their location, which Facebook will verify through their phone's GPS, so users won't be able to change their virtual location to browse for matches elsewhere. For now, Facebook Dating is mobile-only. The app will be available entirely within Facebook's Android and iOS apps to users 18 and older, free to use.

Per Facebook guidelines, the Dating app will be available only if users opt in to it. They need to create a separate dating profile which will include a more limited amount of personal information. Once you start browsing, Facebook's recommendation algorithm will allow you to see friends of friends or people with whom you have fewer mutual friends. Your existing friends and the people you have blocked will be excluded from the dating pool. However, you can still find a potential soulmate in a person you've unfriended.

When browsing, you'll see a selection of people you can "express interest" in by tapping a photo or an answer to a question prompt. You can then add a note and send it to the person you're interested in. The recipient can then either send a message back or ignore it. Users can send as many messages as they want, but can visit only up to 100 profiles a day. Messages are limited to text and emoji, for which Facebook Dating uses its own messaging interface, not Facebook Messenger.

Facebook Dating also allows users to expand their dating pool with the integration of Facebook Groups and Events. Users can opt in to showing their Dating profile to members of a group they expect to find good matches in. The same goes for Facebook Events, where the feature is enabled for both upcoming and past events.

If the test goes well, Facebook may roll Dating out to more countries shortly in its mission to create meaningful connections. According to Product Manager Nathan Sharp, "If Dating takes off in Colombia, it could be promoted to a more prominent place within the app, or even to an app of its own. Our goal is to make Facebook the single best place to start a relationship. It could get there eventually — but it will need to evolve along the way."

Related:
F8 AR Announcements
ACLU sues Facebook for enabling sex and age discrimination through targeted ads
Sex robots, artificial intelligence, and ethics: How desire shapes and is shaped by algorithms
Microsoft’s Immutable storage for Azure Storage Blobs, now generally available

Melisha Dsouza
21 Sep 2018
3 min read
Microsoft's new "immutable storage" feature for Azure Blobs is now generally available. Financial services organizations regulated by the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), Financial Industry Regulatory Authority (FINRA), and others are required to retain business-related communications in a Write-Once-Read-Many (WORM) or immutable state. This ensures that the data is non-erasable and non-modifiable for a specific retention interval. Healthcare, insurance, media, public safety, and legal services industries will also benefit a great deal from this feature.

Through configurable policies, users can only create and read Blobs, and not modify or delete them. There is no additional charge for using this feature: immutable data is priced in the same way as mutable data.

Read Also: Microsoft introduces 'Immutable Blob Storage', a highly protected object storage for Azure

Upgrades that accompany this feature are:

#1 Regulatory compliance
Immutable storage for Azure Blobs will help financial institutions and related industries to store data immutably. Microsoft will soon release a technical white paper with details on how the feature addresses regulatory requirements. Head over to the Azure Trust Center for detailed information about compliance certifications.

#2 Secure document retention
The immutable storage feature for the Azure Blobs service ensures that data cannot be modified or deleted by any user, even one with administrative privileges.

#3 Better Legal Hold
Users can now store sensitive information related to litigation, a criminal investigation, and more in a tamper-proof state for the desired duration.

#4 Time-based retention policy support
Users can set policies to store data immutably for a specified interval of time.

#5 Legal hold policy support
When users do not know the data retention time, they can set legal holds to store data until the legal hold is cleared.

#6 Support for all Blob tiers
WORM policies are independent of the Azure Blob Storage tier and apply to all the tiers. Therefore, customers can immutably store their data in the most cost-optimized tier for their workloads.

#7 Blob Container level configuration
Users can configure time-based retention policies and legal hold tags at the container level. Simple container level settings can create time-based retention policies, lock policies, extend retention intervals, set legal holds, clear legal holds, etc.

17a-4 LLC, Commvault, HubStor and Archive2Azure are among the Microsoft partners that support Azure Blob immutable storage. To know how to upgrade to this feature, head over to the Microsoft Blog.

Related:
Why did last week's Azure cloud outage happen? Here's Microsoft's Root Cause Analysis Summary
Microsoft announces Azure DevOps, makes Azure pipelines available on GitHub Marketplace
Machine Learning as a Service (MLaaS): How Google Cloud Platform, Microsoft Azure, and AWS are democratizing Artificial Intelligence
Baidu Security Lab's MesaLink, a cryptographic memory safe library alternative to OpenSSL

Aarthi Kumaraswamy
20 Sep 2018
3 min read
X-Lab, Baidu's security lab focused on researching and developing industry-leading security solutions, today released the latest version of MesaLink, a cryptographic memory safe library for securing end-to-end communications.

Encrypted communication is a cornerstone of Internet security, as it provides protection for a wide variety of applications like cloud computing, blockchain, autonomous driving and the Internet of Things. Existing solutions for securing end-to-end communications are implemented in programming languages like C/C++, which makes them particularly susceptible to memory safety vulnerabilities. The Heartbleed bug, for example, is a serious memory safety vulnerability in the OpenSSL cryptographic software library that allows attackers to steal information protected by encryption.

"OpenSSL, one of the most prominent implementations of the SSL/TLS protocol, has been protecting the Internet for the past two decades," said Tao Wei, Chief Security Scientist at Baidu, Inc. "It has made a significant contribution to the evolution of the Internet. However, cryptography and protocol implementations of SSL/TLS are complex, and SSL/TLS is nearly impossible to implement without vulnerabilities. When Heartbleed was discovered in 2014, it affected two-thirds of the Internet, causing detrimental loss around the globe. Heartbleed is considered one of the most serious vulnerabilities since the commercialization of the Internet."

MesaLink, unlike OpenSSL, is based on Baidu's Hybrid Memory Safety Model, which the company says has revolutionized memory safety systems at the software architecture level. MesaLink is well-guarded against a whole class of memory safety vulnerabilities and withstands most exploits.

MesaLink aims to be a drop-in replacement for the widely adopted OpenSSL library. By providing OpenSSL-compatible APIs, it enables developers of preexisting projects to smoothly transition to MesaLink. For example, curl, a popular library for transferring data, recently integrated MesaLink, which now easily extends its presence into a wide variety of applications where OpenSSL used to dominate. Another promising example is Android, where MesaLink is able to transparently establish secure communications for any installed app without changing a single line of code.

Beyond memory safety and OpenSSL compatibility, MesaLink also provides competitive performance. With secure and efficient cryptographic APIs, MesaLink reduces the time to establish a trusted communication channel between client and server, providing a faster web browsing experience to users.

"Heartbleed is an example of why C/C++ cannot meet the memory safety expectations in SSL/TLS implementations," added Wei. "To eliminate vulnerabilities like Heartbleed, the MesaLink project was created. We expect MesaLink could be the next OpenSSL that protects secure communication on the Internet for the foreseeable future."

MesaLink has already been adopted in products like smart TVs and set-top boxes. As part of Baidu's Open AI System Security Alliance and AIoT Security Solutions, it has enabled more than 2 million smart TVs to securely connect to the cloud.

Related:
Baidu releases EZDL – a no-code platform for building AI and machine learning models
Baidu Apollo autonomous driving vehicles get machine learning based auto-calibration system
Baidu announces ClariNet, a neural network for text-to-speech synthesis
Google announces Flutter Release Preview 2 with extended support for Cupertino themed controls and more!

Bhagyashree R
20 Sep 2018
2 min read
Yesterday, Google announced Flutter Release Preview 2 during the keynote of Google Developer Days in Shanghai. This is the final preview before the Google team releases Flutter 1.0. In this preview release, they have expanded support for the "Cupertino" themed controls and for executing Dart code in the background, and reduced the package size.

Flutter is Google's new open-source mobile app SDK with which you can quickly create high-quality native interfaces on iOS and Android.

What's new in Flutter Release Preview 2?

Extended support for Cupertino themed controls

After getting feedback on Flutter Release Preview 1, this release was designed with Apple's interface guidelines in mind. They have expanded support for the "Cupertino" themed controls in Flutter, with an extensive library of widgets and classes. Some of the added iOS-themed widgets are:

- CupertinoApp, a convenience widget that wraps a number of widgets that are commonly required for an iOS-design targeting application.
- CupertinoTimerPicker is used to show a countdown duration with hour, minute and second spinners.
- CupertinoSegmentedControl displays the widgets provided in the Map of children in a horizontal list. It is used to select between a number of mutually exclusive options.
- CupertinoActionSheet is used for a specific style of alert that presents the user with a set of two or more choices related to the current context.

Support for executing Dart code in the background

In this release, support has been added for executing Dart code in the background, even while the application is suspended.

Reduced package size

The application package size is now reduced by up to 30% on both Android and iOS. A minimal Flutter app on Android now weighs just 4.7 MB when built in release mode, and they are continually working towards identifying further potential optimizations.

How to upgrade to Flutter Release Preview 2?

If you're using the beta release already, you can upgrade to Flutter Release Preview 2 just by running the following:

$ flutter upgrade

Follow the instructions on the Flutter blog for upgrading to Flutter Release Preview 2. To know more about Flutter Release Preview 2 in detail, check out the official announcement by Google.

Related:
Google Flutter moves out of beta with release preview 1
Google's Dart hits version 2.0 with major changes for developers
Is Google planning to replace Android with Project Fuchsia?
How Twitter is defending against the Silhouette attack that discovers user identity

Savia Lobo
20 Sep 2018
5 min read
Twitter Inc. disclosed that it is learning to defend against a new cyber attack technique, Silhouette, that discovers the identity of logged-in Twitter users. The issue was first reported to Twitter in December 2017 through its vulnerability rewards program by a group of researchers from Waseda University and NTT. The researchers submitted a draft of their paper to the IEEE European Symposium on Security and Privacy in April 2018. Following this, Twitter's security team prioritized the issue, routed it to the relevant teams, and contacted several other at-risk sites and browser vendors to urge them to address the problem. The researchers too recognized the significance of the problem and formed a cross-functional squad to address it.

The Silhouette attack

This attack exploits variability in the time web pages take to load. It is built on a function called "user blocking" that is widely adopted in Social Web Services (SWSs) and that lets a malicious user control whether legitimate users can see certain pages. As a preliminary step, the malicious third party creates personal accounts within the target SWS (referred to below as "signaling accounts") and uses them to systematically block some users on the same service, thereby constructing a combination of non-blocked/blocked users. This pattern serves as information for uniquely identifying user accounts. At identification time, that is, when a user visits a website on which a script for identifying account names has been installed, the user's browser is forced to communicate with pages of each of those signaling accounts. This communication is protected by the Same-Origin Policy, so the third party cannot directly read the content of the responses; the attack instead relies on the load-time differences mentioned above.

The action taken against the Silhouette attack

The Waseda University and NTT researchers proposed several mitigations in their paper. The ideal solution was to use the SameSite attribute on Twitter's login cookies: requests to Twitter from other sites would then not be treated as logged-in requests, and if a request is not logged in, identity cannot be detected. However, SameSite was at the time an expired draft specification that only Chrome had implemented. Although Chrome is one of the biggest browsers by usage, Twitter needed to cover other browsers as well, so it looked into other options.

Twitter first tried to reduce the response size differences by loading a page shell and then loading all content with JavaScript via AJAX; page-to-page navigation on the website already works this way. However, the server processing differences for the page shell were still significant, because the shell still needed to provide header information and those queries had a noticeable impact on response times.

Twitter's CSRF protection mechanism for POST requests checks whether the Origin and Referer headers of the request are sourced from Twitter. Applying the same check to page loads proved effective against the vulnerability, but it broke the initial load of the website: users might load Twitter from a Google search result or by typing the URL into the browser, in which case the Referer is not twitter.com. To handle this case, Twitter created a blank page on its site that does nothing but reload itself. On reload the Referer is set to twitter.com, so the page loads correctly, and there is no way for non-Twitter sites to follow that reload. The blank page is very small, so although a round trip is incurred, it does not noticeably affect load times. Twitter was able to apply this solution across its various high-level web stacks.

Twitter had a number of other considerations to handle. Some of them include:
- Twitter supports a legacy version of the site (known internally as M2) that operates without JavaScript, so the reloading solution also had to work without JavaScript.
- The blank reloading page had to follow Twitter's own CSP rules, which can vary from service to service.
- The original HTTP referrer had to be passed through so that metrics still accurately attribute search engine referrals.
- The page must not be cached by the browser, or the blank page would reload itself indefinitely. Twitter also used cookies to detect such loops, showing a short friendly message and a manual link if the page appeared to be reloading more than once.

Implementing the SameSite cookie on major browsers

Although Twitter has implemented the mitigation, it also discussed the SameSite cookie attribute with the other major browser vendors. All major browsers have now implemented SameSite cookie support: Chrome, Firefox, Edge, Internet Explorer 11, and Safari. Rather than adding the attribute to its existing login cookie, Twitter added two new SameSite cookies, to reduce the risk of logging users out should a browser or network issue corrupt the cookie when it encounters the SameSite attribute.

Adding the SameSite attribute to a cookie is not time-consuming in itself: one just needs to add "SameSite=lax" to the Set-Cookie HTTP header. However, Twitter's servers depend on Finagle, a wrapper around Netty, which does not support extensions to the Cookie object. As per a Twitter post, "When investigating, we were surprised to find a feature request from one of our own developers the year before! But because SameSite was not an approved part of the spec, there was no commitment from the Netty team to implement. Ultimately we managed to add an override into our implementation of Finagle to support the new cookie attribute."

Read more about this in detail on Twitter's blog post.
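The two mitigations described above (a SameSite=Lax login cookie, and a fixed-size self-reloading page for entries whose Origin/Referer is not the site's own, with a cookie-based loop guard) can be modelled in a few dozen lines. The following is an added example written for this article, not Twitter's code (which lives in its Finagle stack); it assumes a placeholder host twitter.example, hypothetical cookie names auth_token and reload_guard, a limit of one reload, and constructed request headers including an attacker page on evil.example. The size_leak helper stands in for the signal the attack measures: whether a cross-site request gets a different-sized response for a logged-in visitor than for a logged-out one.

```python
from urllib.parse import urlsplit

# Assumed placeholders for this example: Twitter's real host, cookie names
# and loop limit are not on the page.
OUR_HOST = "twitter.example"
SESSION_COOKIE = "auth_token"
LOOP_COOKIE = "reload_guard"
MAX_RELOADS = 1

# Fixed-size stub served to cross-site entries; it only reloads itself.
RELOAD_STUB = ('<!doctype html><html><head><meta http-equiv="refresh" content="0">'
               "</head><body></body></html>")
# Friendly fallback shown when the stub appears to be looping.
LOOP_FALLBACK = ('<!doctype html><html><body>Still loading? '
                 '<a href="/">Click here to continue</a>.</body></html>')


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the login cookie, marked SameSite=Lax so that
    cross-site requests (the ones the attack makes) do not carry it."""
    return f"{SESSION_COOKIE}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


def request_is_first_party(headers: dict) -> bool:
    """True when Origin (preferred) or Referer names our own host. A request
    with neither header (typed URL, some privacy settings) is treated as
    not first-party and goes through the reload stub."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname == OUR_HOST
    return False


def render_shell(logged_in: bool) -> str:
    """Page shell whose size and server work depend on login state; the real
    content is fetched with JavaScript afterwards."""
    nav = ('<nav><a href="/home">Home</a> <a href="/logout">Log out</a></nav>'
           if logged_in else '<nav><a href="/login">Log in</a></nav>')
    return f'<!doctype html><html><body>{nav}<div id="app"></div></body></html>'


def handle_shell_request(headers: dict, logged_in: bool) -> dict:
    """Decide what to serve for an initial (non-AJAX) page load.

    Returns status, headers and body as a dict so the decision can be
    inspected; a real server would write them to the socket.
    """
    clear_guard = f"{LOOP_COOKIE}=0; Path=/; Max-Age=0; SameSite=Lax"
    if request_is_first_party(headers):
        # Only our own origin reaches this branch, so a login-dependent
        # response is safe here; clear the loop guard, the reload worked.
        return {"status": 200, "headers": {"Set-Cookie": clear_guard},
                "body": render_shell(logged_in)}

    cookies = parse_cookies(headers.get("Cookie", ""))
    try:
        reloads = int(cookies.get(LOOP_COOKIE, "0"))
    except ValueError:
        reloads = 0

    if reloads >= MAX_RELOADS:
        # The client has already been bounced once: stop and show a manual link.
        return {"status": 200,
                "headers": {"Cache-Control": "no-store", "Set-Cookie": clear_guard},
                "body": LOOP_FALLBACK}

    # Cross-site or referer-less entry: the stub does no session-dependent
    # work, so neither its size nor its timing says whether the visitor is
    # logged in. no-store prevents a cached stub from reloading forever.
    return {"status": 200,
            "headers": {"Cache-Control": "no-store",
                        "Set-Cookie": f"{LOOP_COOKIE}={reloads + 1}; Path=/; "
                                      "Max-Age=10; SameSite=Lax"},
            "body": RELOAD_STUB}


def size_leak(headers: dict) -> bool:
    """The signal the attack measures: does the response size for these
    request headers differ between a logged-in and a logged-out visitor?"""
    sizes = {len(handle_shell_request(headers, state)["body"])
             for state in (True, False)}
    return len(sizes) > 1
```

Running size_leak with a Referer of evil.example returns False (both visitors get the identical stub), while a first-party Referer returns True, which is acceptable there because only the site's own origin reaches that branch. The guard cookie is itself SameSite=Lax so it is still sent on the same-site reload, and Cache-Control: no-store mirrors the "must not be cached" consideration in the article.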
Bhagyashree R
20 Sep 2018
2 min read

RxDB 8.0.0, a reactive, offline-first, multiplatform database for JavaScript released!

After the release of RxDB 8.0.0-beta.1 earlier this month, the RxDB community released RxDB 8.0.0 yesterday. The focus of this release is better defaults and improved performance, using broadcast-channel for communication. RxDB is a reactive, offline-first, multiplatform database for JavaScript.

What's new in RxDB 8.0.0?

Breaking changes
- RxDB has upgraded to pouchdb 7.0.0, its latest version.
- As disableKeyCompression was not used by many users, it is now disabled by default and has been renamed to keyCompression.
- RxDatabase.collection() now only takes the json-schema as the schema attribute.
- To comply with the json-schema standard, required fields can no longer be set with required: true; use required: ['myfield'] instead.
- Setters and save() are no longer allowed on non-temporary documents. To change document data, use RxDocument.atomicUpdate(), RxDocument.atomicSet(), or RxDocument.update().
- The document methods RxDocument.synced$ and RxDocument.resync() are removed.
- middleware-hooks receive plain json as the first parameter and the RxDocument as the second.
- QueryChangeDetection can now be enabled by adding the boolean field queryChangeDetection: true when creating the database.

Additional improvements
- RxDocument.atomicSet()
- RxCollection.awaitPersistence()
- Option for CORS in the server plugin
- All methods of RxDocument are bound to the instance
- Added RxReplicationState.denied$, which emits when a document fails to replicate
- Added RxReplicationState.alive$, which emits true or false depending on whether the replication is alive, that is, whether data is transmitting properly between databases

Miscellaneous changes
- Performance is improved by enabling cross-instance communication with broadcast-channel
- Upgraded to eslint 5 and babel 7

To read the full list of changes, check out RxDB's GitHub repository.

Natasha Mathur
20 Sep 2018
4 min read

Hybrid nanomembranes make conformal wearable sensors possible, demo South Korean researchers with imperceptible loudspeakers and mics

A team of researchers from the Ulsan National Institute of Science and Technology (UNIST) in South Korea has developed an ultrathin, transparent wearable device that can turn your skin into a loudspeaker. The device was created to help hearing- and speech-impaired people, but it has potential applications in other domains such as wearable IoT sensors and healthcare devices.

Skin-attachable NM loudspeaker

The new device is made of conductive hybrid nanomembranes (NMs) of nanoscale thickness, comprising an orthogonal silver nanowire array embedded in a polymer matrix. This substantially enhances the electrical as well as mechanical properties of ultrathin polymer NMs, and the orthogonal array structure causes no loss of optical transparency. "Here, we introduce ultrathin, conductive, and transparent hybrid NMs that can be applied to the fabrication of skin-attachable NM loudspeakers and microphones, which would be unobtrusive in appearance because of their excellent transparency and conformal contact capability," the research paper states.

Because hybrid NMs significantly enhance the electrical and mechanical properties of ultrathin polymer NMs, they can be intimately attached to human skin. The nanomembrane is then used as a loudspeaker that can be attached to almost anything to produce sounds. The researchers also introduced a similar device that acts as a microphone and can be connected to smartphones and computers for unlocking voice-activated security systems.

Skin-attachable and transparent NM loudspeaker

The researchers fabricated a skin-attachable loudspeaker using hybrid NMs. The speaker emits thermoacoustic sound through temperature-induced oscillation of the surrounding air; the temperature oscillation is caused by Joule heating of the orthogonal AgNW array when an AC voltage is applied. The sound emitted from the NM loudspeaker is then analyzed with an acoustic measurement system. "We used a commercial microphone to collect and record the sound produced by the loudspeaker. To characterize the sound generation of the loudspeaker, we confirmed that the sound pressure level (SPL) of the output sound increases linearly as the distance between the microphone and the loudspeaker decreases," reads the research paper.

Wearable and transparent NM microphone

The researchers also designed a wearable and transparent microphone using hybrid NMs combined with micropatterned PDMS (the NM microphone). It can detect sound and recognize a human voice. These wearable microphones are sensors attached to a speaker's neck to sense the vibration of the vocal folds.

Skin-attachable NM microphone

The skin-attachable NM microphone comprises a hybrid NM mounted on a micro-pyramid-patterned polydimethylsiloxane (PDMS) film. This sandwich-like structure precisely detects sound and the vibration of the vocal cords through the generation of a triboelectric voltage, which results from the coupling of contact electrification and electrostatic induction. The sensor works by converting the frictional force generated by the oscillation of the transparent conductive nanofiber into electrical energy. The sensitivity of the NM microphone to sound was evaluated by fabricating two device structures: a freestanding hybrid NM integrated with a holey PDMS film (the NM microphone), and one fully adhered to a planar PDMS film without a hole.

"As a proof-of-concept demonstration, our NM microphone was applied to a personal voice security system requiring voice-based identification applications. The NM microphone was able to accurately recognize a user's voice and authorize access to the system by the registrant only," reads the research paper.

For more details, check out the official research paper.

Melisha Dsouza
20 Sep 2018
3 min read

‘Peekaboo’ Zero-Day Vulnerability allows hackers to access CCTV cameras, says Tenable Research

Earlier this week, Tenable Inc announced that its research team had discovered a zero-day vulnerability dubbed 'Peekaboo' in NUUO software. NUUO licenses its software to at least 100 other brands, including Sony, Cisco Systems, D-Link, Panasonic and many more. The vulnerable device is the NVRMini2, a network-attached storage device and network video recorder. The vulnerability would allow cybercriminals to view, disable or otherwise manipulate video footage using administrator privileges. To give a small gist of the situation, hackers could replace the live video surveillance feed with a static image of the area, which could help criminals enter someone's premises undetected by the CCTV. Cameras with this bug could be manipulated and taken offline, worldwide.

This is not the first time NUUO devices have been affected by a vulnerability. Just last year, there were reports of NUUO NVR devices being specifically targeted by the Reaper IoT botnet.

"The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe" - Renaud Deraison, co-founder and chief technology officer, Tenable

Vulnerabilities discovered by Tenable

The vulnerabilities, CVE-2018-1149 and CVE-2018-1150, are tied to the NUUO NVRMini2 web server software.

#1 CVE-2018-1149: Allows an attacker to sniff out affected gear

Attackers can find affected gear using Shodan. The attacker can then trigger a buffer overflow that gives them access to the camera's web server Common Gateway Interface (CGI), which acts as a gateway between a remote user and the web server. The attack delivers a very large cookie to the CGI handler, which does not validate the user's input properly, allowing access to the web server portion of the camera.

#2 CVE-2018-1150: Takes advantage of backdoor functionality

This bug takes advantage of backdoor functionality in the NUUO NVRMini2 web server. When the backdoor PHP code is enabled, it allows an unauthenticated attacker to change the password of any registered user except the system administrator.

Peekaboo affects firmware versions older than 3.9.0. Tenable states that NUUO was notified of the vulnerability in June and was given 105 days to issue a patch before the bugs were publicly disclosed. Tenable's GitHub page provides more details on potential exploits tested against one of NUUO's NVRMini2 devices. NUUO is planning to issue a security patch. Meanwhile, users are advised to restrict access to their NUUO NVRMini2 deployments. Owners of devices connected directly to the internet are especially at risk, and affected end users are urged to disconnect these devices from the internet until a patch is released.

For more information on Peekaboo, head over to the Tenable Research Advisory blog post.
Sugandha Lahoti
20 Sep 2018
2 min read

Amazon is the next target on EU's antitrust hitlist

EU Competition Commissioner Margrethe Vestager confirmed on Wednesday that the European Commission is conducting a preliminary antitrust investigation into Amazon's business practices. The development was revealed during a press conference held to discuss the decision in the Luxembourg McDonald's state aid case.

Vestager clarified that it is not yet a formal investigation, but the Commission is asking questions about how Amazon uses its data. It has begun probing whether Amazon data collected for legitimate purposes is also used to give Amazon a competitive advantage over smaller merchants. The issue, says Vestager, is whether Amazon is using data from the merchants it hosts on its site to secure an advantage in selling products against those same retailers. The regulators want to know whether that data could give Amazon an edge over competitors by providing insight into consumer behavior.

"Well, do you then also use this data to do your own calculations? As to what is the new big thing? What is it that people want? What kind of offers do they like to receive? What makes them buy things? And that has made us start a preliminary... antitrust investigation into Amazon's business practices."

She added that EU regulators have started gathering information on the issue and have sent "quite a number of questionnaires" to merchants and others in order to understand it better.

Amazon has every reason to fear this investigation. Vestager has the power to fine companies up to 10 percent of their global turnover for breaching EU antitrust rules. Earlier this year, in July, the EU slapped Google with a $5 billion fine over anticompetitive Android practices. Investors and insiders have been looking for ways to break the company up for a long time, and President Donald Trump had also hinted at antitrust action against Amazon in July.

Amazon is yet to comment on this development.

Savia Lobo
20 Sep 2018
4 min read

Next.js 7, a framework for server-rendered React applications, releases with support for React context API and Webassembly

Yesterday, the Next.js team announced that the latest version, v7, of its React framework is production-ready. Next.js 7 has had 26 canary releases and 3.4 million downloads so far. Along with the version 7 release, the team has also launched a completely redesigned nextjs.org. This version comes with faster boot and re-compilation, better error reporting, static CDN support and much more.

Key highlights of Next.js 7

DX improvements

Next.js 7 includes many significant improvements to the build and debug pipelines. With the inclusion of webpack 4 and Babel 7, plus improvements and optimizations to the codebase, Next.js can now boot up to 57% faster during development. Thanks to the new incremental compilation cache, changes made to the code build 40% faster. While developing and building, users now see better real-time feedback with the help of webpackbar.

Better error reporting with react-error-overlay

Until now, Next.js would render the error message and its stack trace. From this version, react-error-overlay is used to enrich the stack trace with:
- Accurate error locations for both server and client errors
- Highlights of the source to provide context
- A full rich stack trace
react-error-overlay also makes it easy to open the text editor by clicking on a specific code block.

Upgraded compilation pipeline: webpack 4 and Babel 7

webpack 4

This version of Next.js is powered by the latest webpack 4, with numerous improvements and bug fixes including:
- Support for .mjs source files
- Code splitting improvements
- Better tree-shaking (removal of unused code) support
Another new feature is WebAssembly support; the announcement includes an example of how Next.js can even server-render WebAssembly. With webpack 4, a new way of extracting CSS from bundles, mini-css-extract-plugin, is introduced. @zeit/next-css, @zeit/next-less, @zeit/next-sass, and @zeit/next-stylus are now powered by mini-css-extract-plugin.

Babel 7

Next.js 7 now uses the stable version of Babel (Babel 7). For a full list of changes in Babel 7, head over to its release notes. Some of the main features of Babel 7 are:
- TypeScript support; for Next.js you can use @zeit/next-typescript
- Fragment syntax <> support
- babel.config.js support
- The overrides property, to apply presets/plugins only to a subset of files or directories

Standardized dynamic imports

Starting with Next.js 7, the default import() behavior is no longer overridden, so users get full import() support out of the box. This change is fully backwards-compatible. Making use of a dynamic component remains as simple as:

    import dynamic from 'next/dynamic'

    const MyComponent = dynamic(import('../components/my-component'))

    export default () => {
      return <div>
        <MyComponent />
      </div>
    }

Static CDN support

With Next.js 7 the directory structure of .next is changed to match the URL structure:

    https://cdn.example.com/_next/static/<buildid>/pages/index.js
    // mapped to:
    .next/static/<buildid>/pages/index.js

While the Next.js team still recommends using a proxying CDN, this new structure allows users of a different type of CDN to upload the .next directory to their CDN.

Smaller initial HTML payload

As Next.js pre-renders HTML, it wraps pages in a default structure with <html>, <head>, <body> and the JavaScript files needed to render the page. This initial payload was previously around 1.62kB. With Next.js 7 the initial HTML payload has been optimized to 1.5kB, a 7.4% reduction, making your pages leaner.

React context with SSR between App and Pages

Starting from Next.js 7 there is support for the new React context API between pages/_app.js and page components. Previously it was not possible to use React context between pages on the server side, because webpack kept an internal module cache instead of using require.cache. The Next.js developers have written a custom webpack plugin that changes this behavior to share module instances between pages. As a result, users can not only use the new React context but also reduce Next.js's memory footprint when sharing code between pages.

To know more about these and other features in detail, visit the Next.js 7 blog.