Tech News

JPEG committee wants to apply blockchain to image sharing

Prasad Ramesh
13 Aug 2018
3 min read
The Joint Photographic Experts Group (JPEG) held its 78th quarterly meeting earlier this year, in late January and early February. The press release that followed mentioned blockchain in relation to security and privacy, but mainly in relation to DRM. There was little coverage of this, but it could have serious implications: the JPEG committee believes it can implement Digital Rights Management (DRM) for JPEG images, with automated copy protection and access control built on a blockchain. That might actually make DRM for images work, which as of now it practically does not. The press release contains this text:

“JPEG explores blockchain and distributed ledger technologies
During the 78th JPEG meeting in Rio de Janeiro, the JPEG committee organized a special session on blockchain and distributed ledger technologies and their impact on JPEG standards. As a result, the committee decided to explore use cases and standardization needs related to blockchain technology in a multimedia context. Use cases will be explored in relation to the recently launched JPEG Privacy and Security, as well as in the broader landscape of imaging and multimedia applications. To that end, the committee created an ad hoc group with the aim to gather input from experts to define these use cases and to explore eventual needs and advantages to support a standardization effort focused on imaging and multimedia applications. To get involved in the discussion, interested parties can register to the ad hoc group’s mailing list.”

Then, after six months of collaboration, the ad hoc group produced a white paper. In the press release for the 80th meeting, in July 2018, the committee stated:

“Fake news, copyright violation, media forensics, privacy and security are emerging challenges for digital media. JPEG has determined that blockchain technology has great potential as a technology component to address these challenges in transparent and trustable media transactions.”

The white paper lists challenges and opportunities in the media industry such as access and distribution, global distribution, combating piracy, and others. JPEG is not only working on image compression standards; it has also been exploring ways to enforce per-image access control. But an image can simply be screenshotted, or a photograph of the screen taken, at any point, so access control on the file alone cannot stop copying. More generally, DRM-protected content is perceived to be of poor quality. After six months of work, the white paper states: “A formal call for proposals will be issued if there are enough interests and requirements of a standard or protocol are identified.” JPEG plans a free public workshop at its 81st meeting in Vancouver, to be held in October.
Electron Fiddle: A ‘code playground’ for experimenting with cross-platform native apps

Bhagyashree R
13 Aug 2018
3 min read
Electron Fiddle is another “code playground”, one that lets developers create, share, and play with small Electron experiments. It brings the “fiddling” workflow to Electron, a framework for building cross-platform native applications with web technologies such as JavaScript, HTML, and CSS. It provides a quick-start template: change a few things, choose the Electron version you want to run it with, and play around. You can also save a fiddle as a GitHub Gist or to a local folder, and anyone can try your fiddle by entering its URL in the address bar.

How does Electron Fiddle work?

1. Each fiddle has three files: a main script, a renderer script, and an HTML file.
2. Choose an Electron version: Electron Fiddle knows about all released Electron versions. Open the Preferences window to see the available versions, download them, and delete the ones you don’t need.
3. Run your fiddle: hit the RUN button to start it.
4. Share your fiddle: save it as a public GitHub Gist so other users can load it by pasting the URL into the address bar. Those who don’t have Electron Fiddle can view and download the code directly from GitHub.

You can also package your fiddle as a standalone binary or as an installer from the Tasks menu. One caveat: loading someone else’s fiddle runs their main script with the full Node.js privileges of an Electron main process on your machine, so only run fiddles from sources you trust.

What features does it come with?

A good coding experience: It uses Microsoft’s Monaco Editor, which also powers VS Code, so users get the usual benefits of a modern code editor: code highlighting, basic JavaScript error checking, refactoring, and auto-completion.

Share your work with the community: If you want to share your work, or a bug, with the Electron community, you can do so with a single click. To make your fiddle accessible to people who do not have Electron Fiddle installed, share it as a GitHub Gist.

Compile and package your fiddle as an app: With Electron Forge, a command-line tool for Electron applications, you can turn fiddles into binaries and ship them as an app for Windows, macOS, or Linux.

A good starting point, continue anywhere you like: If you have just started using Electron, Electron Fiddle gives you a basic introduction to fiddles and usage examples for every Electron API. You can export your project with or without electron-forge and continue in your favorite editor.

Installation is easy, so you can start experimenting with Electron Fiddle now. Download it from its GitHub repository, and see Felix Rieseberg’s announcement on Medium for details.
Node.js announces security updates for all their active release lines for August 2018

Sugandha Lahoti
13 Aug 2018
3 min read
The Node.js team has announced its August 2018 security releases. Per their blog, new versions of each supported release line will be published on, or shortly after, 15 August 2018. The releases address flaws of low severity, mostly by incorporating a number of security fixes and an upgraded OpenSSL. The Node.js 10 Current release will not be limited to security-related changes, as per policy for non-LTS release lines. The releases will also disclose details of the flaws addressed, so users can assess the severity of the impact on their own applications.

Upgrades to OpenSSL

OpenSSL 1.1.0i and 1.0.2p will be made available on 14 August 2018. These releases cover three low-severity security fixes, two of which are relevant to Node.js users:

Client DoS due to large DH parameter: During key agreement in a TLS handshake using a DH(E)-based cipher suite, a malicious server can send a very large prime value to the client. The client then spends an unreasonably long time generating a key, and hangs until it has finished. This could be exploited for denial of service.

Cache timing side channel in RSA key generation: The OpenSSL RSA key generation algorithm is vulnerable to a cache timing side-channel attack. An attacker with sufficient local access to mount cache timing attacks during RSA key generation could recover the private key.

All versions of Node.js 6.x (LTS "Boron") and 8.x (LTS "Carbon") are affected via OpenSSL 1.0.2; all versions of Node.js 10.x (Current) are affected via OpenSSL 1.1.0. The OpenSSL fixes are available in the OpenSSL git repository.

Security inclusions in Node.js

Apart from the OpenSSL upgrade, the August 2018 releases also fix two Node.js issues: unintentional exposure of uninitialized memory, and an out-of-bounds (OOB) write. All actively supported release lines of Node.js are affected by these flaws.

Additional inclusions

For LTS release lines, the releases also include the following: The inspector’s default bind address changes from 0.0.0.0 to 127.0.0.1; users who need a remote debugger can still override the address explicitly. A debugger listening on all interfaces lets anyone who can reach the port execute code inside the process, so the loopback default matters. This change affects Node.js 6.x (LTS "Boron") only. The test keys Makefile (test/keys/Makefile) is updated so that it cleans and rebuilds all test keys; this affects the test suite of all actively supported release lines.

The announcement can be read on the Node.js blog, along with the current security policy.
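Since the fix is an OpenSSL version bump, the first thing a practitioner wants to know is whether a given Node.js binary is linked against a patched OpenSSL. The following check is an added example, not code from the Node.js project or the announcement: it reads the real `process.versions.openssl` string and compares it against the 1.0.2p / 1.1.0i fix levels named above, handling OpenSSL’s letter-suffixed patch levels. The threshold table and the helper names are this example’s own.

```javascript
// Added example (not from the announcement): decide whether the OpenSSL that a
// Node.js binary is linked against is at or past the August 2018 fix levels.
'use strict';

// Fixed releases named in the announcement, per OpenSSL line (assumption of this
// example: later letters on the same line, e.g. 1.0.2q, carry the fixes too).
const FIXED_PATCH = { '1.0.2': 'p', '1.1.0': 'i' };

// Parse a pre-3.0 style OpenSSL version such as "1.1.0i", "1.0.2p" or "1.1.1"
// into its numeric line and its letter patch level ("" for the first release
// of a line). Suffixes such as "+quic" after the letters are ignored.
function parseOpenSSLVersion(str) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(str).trim());
  if (!m) throw new Error(`unrecognised OpenSSL version string: ${str}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], patch: m[4] };
}

// OpenSSL letter patches run a..z and then za, zb, ...: a shorter suffix sorts
// first, and suffixes of equal length sort lexically. "" sorts below "a".
function comparePatch(a, b) {
  if (a.length !== b.length) return a.length - b.length;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when `version` carries the August 2018 fixes: either it is one of the two
// affected lines at or past the fixed letter, or it is a numerically newer line
// (1.1.1, 3.x). Older lines such as 1.0.1 never received these fixes.
function hasAugust2018Fixes(version) {
  const { nums, patch } = parseOpenSSLVersion(version);
  const line = nums.join('.');
  if (line in FIXED_PATCH) return comparePatch(patch, FIXED_PATCH[line]) >= 0;
  return compareNums(nums, [1, 1, 0]) > 0;
}

// Report for the running binary. process.versions.openssl is the real Node.js
// API; everything else in this file is the example's own.
function report(version = process.versions.openssl) {
  return { openssl: version, patched: hasAugust2018Fixes(version) };
}

console.log(report());
```

Run it with the Node binary you want to audit (`node check-openssl.js`). Treat a `patched: true` result as necessary rather than sufficient: distribution packages sometimes backport fixes without bumping the letter, and the Node.js fixes described above (uninitialized memory exposure, OOB write) are in Node itself, so the release line and version of Node.js still have to be checked against the announcement.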
Reinforcement learning model optimizes brain cancer treatment, reduces dosing cycles and improves patient quality of life

Melisha Dsouza
13 Aug 2018
6 min read
Researchers at MIT have come up with an intriguing approach to combating glioblastoma, a malignant tumor of the brain or spinal cord, using machine learning. By reducing the toxic chemotherapy and radiotherapy involved in treating this cancer, the researchers aim to improve patients’ quality of life while also reducing the side effects those treatments cause, using reinforcement learning. The prognosis for adults is no more than five years, and medical professionals try to shrink the tumor by administering drugs in safe doses; but the pharmaceuticals are so strong that patients end up suffering from their side effects. Machine learning is already being incorporated into healthcare on a huge scale; the MIT researchers have taken this a step further.

Using reinforcement learning as the big idea to train the model

Media Lab researcher Gregory Yauney will present a paper next week at the 2018 Machine Learning for Healthcare conference at Stanford University. It details how the MIT Media Lab researchers built a model that could make dosing cycles less toxic but still effective. Using a “self-learning” machine-learning technique, the model studies treatment regimens currently in use and iteratively adjusts the doses, eventually finding a treatment design suited to the patient. In simulated trials of 50 patients, it designed treatments that either reduced dosing to twice a year or skipped doses altogether, while reducing tumor sizes to a degree almost identical to that of the original regimens. Throughout, the model has to shrink the tumor while ensuring that the reduced dosages do not lead to harmful side effects.

The model uses reinforcement learning (RL), in which artificially intelligent “agents” take “actions” in an unpredictable, complex environment to reach a desired outcome. The model’s agent works through traditionally administered regimens, which use a combination of the drugs temozolomide (TMZ) and procarbazine, lomustine, and vincristine (PVC), administered to patients over weeks or months. These regimens are based on protocols that have been used clinically for many years and that rest on both animal testing and various clinical trials; oncologists use them to decide how many doses a patient should receive, based on weight. As the model explores a regimen, it chooses one of two actions at each step:

- Initiate a dose
- Withhold a dose

If it administers a dose, it also decides whether the patient needs the full dose or only a portion. After each decision, the model consults a second clinical model to see whether the tumor’s size has changed. If the tumor has shrunk, the model receives a reward; otherwise it is penalized. Rewards and penalties are simply positive and negative numbers, say +1 or -1. The researchers also had to ensure that the model does not just hand out the maximum number of full doses to reduce the tumor’s mean diameter, so it is penalized whenever it chooses to administer full doses. The model is thus pushed towards fewer, smaller doses.

Pratik Shah, a principal investigator at the Media Lab who supervised the research, stresses that, compared with traditional RL models, which work toward a single outcome such as winning a game and take any and all actions that maximize it, the MIT model is an “unorthodox RL model that weighs potential negative consequences of actions (doses) against an outcome (tumor reduction)”. It is built to find a dose that does not necessarily maximize tumor reduction but strikes a balance between tumor reduction and low toxicity for the patient.

The training and testing methodology

The model was trained on 50 simulated patients, randomly selected from a large database of glioblastoma patients who had previously undergone traditional treatments. It ran about 20,000 trial-and-error runs for each patient. Once training was complete, the model had learned the parameters of optimal regimens. It was then tested on 50 new simulated patients, using the learned parameters to formulate new regimens under constraints the researchers provided. The model’s regimens were compared with the results of a conventional regimen using both TMZ and PVC, and the outcomes were practically the same as those of the human-administered treatments. The model could also treat each patient individually as well as the group as a single cohort, with similar results (the researchers had medical data for each patient). In short, the model generates precision-medicine treatments by conducting one-person trials with an unorthodox machine-learning architecture. Note that all of the results reported are from simulations on patient data, not from a clinical trial.

Nicholas J. Schork, a professor and director of human biology at the J. Craig Venter Institute and an expert in clinical trial design, explains: “Humans don’t have the in-depth perception that a machine looking at tons of data has, so the human process is slow, tedious, and inexact.” He adds: “Here, you’re just letting a computer look for patterns in the data, which would take forever for a human to sift through, and use those patterns to find optimal doses.”

Machine learning is again proving to be an essential asset in the medical field, helping researchers and patients alike to view treatment from a new perspective. For more on the progress so far, head over to MIT News.
Introducing TLS 1.3, the first major overhaul of the TLS protocol with improved security and speed

Savia Lobo
13 Aug 2018
3 min read
The Internet Engineering Task Force (IETF), the organization that defines Internet protocols, has standardized the latest version of its most important security protocol, Transport Layer Security (TLS). TLS 1.3, RFC 8446, was published on August 10, 2018. It is the first major overhaul of the protocol and brings significant security and performance improvements. (Video: https://youtu.be/HFzXrqw-UpI)

TLS 1.3 vs TLS 1.2

TLS 1.2 was defined in RFC 5246 in 2008 and has been in use by the majority of web browsers for years. The IETF approved TLS 1.3 on March 21, 2018. TLS 1.2 can still be deployed securely, but many high-profile vulnerabilities exploited optional parts of the 1.2 protocol and some outdated algorithms. TLS 1.3 removes these, and the algorithms it retains have no known vulnerabilities. TLS 1.3 also adds privacy to the exchange by encrypting more of the negotiation handshake, protecting it from eavesdroppers; this helps hide the identities of the participants and impedes traffic analysis. In short, TLS 1.3 is both faster and more secure. Companies such as Cloudflare are already making TLS 1.3 available to their customers.

What’s new in TLS 1.3?

Improved security

Outdated and insecure features of TLS 1.2 that are removed in 1.3 include: SHA-1, RC4, DES, 3DES, AES-CBC, MD5, arbitrary Diffie-Hellman groups (CVE-2016-0701), and EXPORT-strength ciphers (responsible for FREAK and Logjam). The cryptographic community continually analyzed, improved, and validated the security of TLS 1.3 during its development. The new version removes the primitives and features that contributed to weak configurations and enabled widely exploited vulnerabilities such as DROWN, Vaudenay, Lucky 13, POODLE, SLOTH, and CRIME.

Improved speed

TLS and other encrypted connections used to cost web performance; HTTP/2 recovered much of that. TLS 1.3 speeds up encrypted connections further with a shorter handshake and Zero Round Trip Time (0-RTT) resumption. TLS 1.2 needs two round trips to complete the handshake; TLS 1.3 needs only one, which halves the handshake latency. With 0-RTT, a client that has visited a site before can send application data in its very first flight to the server, improving load times. The caveat is that 0-RTT data can be replayed by an attacker who captures it, so servers should accept only idempotent requests in 0-RTT.

Browser support for TLS 1.3

Google has started warning users in Search Console that it is moving to TLS 1.2, as TLS 1.0 is no longer safe. TLS 1.3 is enabled in Chrome 63 for outgoing connections; support was first added in Chrome 56, and it is also supported in Chrome for Android. https://twitter.com/screamingfrog/status/940501282653077505 TLS 1.3 is enabled by default in Firefox 52 and above (including Quantum); Mozilla is retaining an insecure fallback to TLS 1.2 until more is known about server tolerance and the 1.3 handshake. Note that the browser releases shipping at the time of writing implement draft revisions of TLS 1.3; support for the final RFC 8446 version follows in later releases. Other browsers, including IE, Microsoft Edge, Opera, and Safari, do not support TLS 1.3 yet; that will take some time as browsers catch up with the finalized protocol, and most of the remaining implementations are in development. Read more on the IETF blog.
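The version negotiation above has a detail that trips up monitoring and logging: a TLS 1.3 ClientHello still advertises 0x0303 (TLS 1.2) in its record and legacy_version fields for middlebox compatibility, and the real offer lives in the supported_versions extension (type 43). The following parser is an added example, not code from the article or from any TLS library: it builds a constructed sample ClientHello (a minimal one, without the key_share and signature_algorithms extensions a real client sends) and then reads back which versions and cipher suites the client actually offers. Helper names are this example’s own.

```javascript
// Added example (not from the article): classify a TLS ClientHello by the
// versions it really offers, reading the supported_versions extension rather
// than the legacy version field.
'use strict';

const VERSION_NAMES = { 0x0301: 'TLSv1.0', 0x0302: 'TLSv1.1', 0x0303: 'TLSv1.2', 0x0304: 'TLSv1.3' };
const EXT_SUPPORTED_VERSIONS = 43;
// The three TLS 1.3 AEAD suites from RFC 8446 (TLS_AES_128_GCM_SHA256,
// TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256).
const TLS13_SUITES = new Set([0x1301, 0x1302, 0x1303]);

// Constructed sample input: a minimal ClientHello record. Pass versions: [] to
// get a pre-1.3 style hello with no supported_versions extension.
function buildClientHello({ versions, cipherSuites }) {
  const random = Buffer.alloc(32, 0x42);                 // fixed bytes, sample only
  const suites = Buffer.alloc(cipherSuites.length * 2);
  cipherSuites.forEach((s, i) => suites.writeUInt16BE(s, i * 2));
  let extensions = Buffer.alloc(0);
  if (versions.length) {
    const list = Buffer.alloc(versions.length * 2);
    versions.forEach((v, i) => list.writeUInt16BE(v, i * 2));
    const ext = Buffer.alloc(4 + 1 + list.length);       // type, length, list
    ext.writeUInt16BE(EXT_SUPPORTED_VERSIONS, 0);
    ext.writeUInt16BE(1 + list.length, 2);
    ext.writeUInt8(list.length, 4);
    list.copy(ext, 5);
    extensions = ext;
  }
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),                           // legacy_version = TLS 1.2
    random,
    Buffer.from([0x00]),                                 // empty legacy_session_id
    Buffer.from([suites.length >> 8, suites.length & 0xff]), suites,
    Buffer.from([0x01, 0x00]),                           // compression: null only
    Buffer.from([extensions.length >> 8, extensions.length & 0xff]), extensions,
  ]);
  const handshake = Buffer.concat([
    Buffer.from([0x01, (body.length >> 16) & 0xff, (body.length >> 8) & 0xff, body.length & 0xff]),
    body,
  ]);
  return Buffer.concat([
    Buffer.from([0x16, 0x03, 0x03, handshake.length >> 8, handshake.length & 0xff]),
    handshake,
  ]);
}

// Walk the ClientHello and report the offered versions and cipher suites.
function parseClientHello(buf) {
  if (buf[0] !== 0x16 || buf[5] !== 0x01) throw new Error('not a ClientHello record');
  let p = 9;                                             // past record + handshake headers
  const legacyVersion = buf.readUInt16BE(p); p += 2;
  p += 32;                                               // random
  p += 1 + buf[p];                                       // legacy_session_id
  const suitesLen = buf.readUInt16BE(p); p += 2;
  const cipherSuites = [];
  for (let i = 0; i < suitesLen; i += 2) cipherSuites.push(buf.readUInt16BE(p + i));
  p += suitesLen;
  p += 1 + buf[p];                                       // legacy_compression_methods
  let supportedVersions = null;
  if (p < buf.length) {                                  // extensions block present
    const extLen = buf.readUInt16BE(p); p += 2;
    const end = p + extLen;
    while (p + 4 <= end) {
      const type = buf.readUInt16BE(p), len = buf.readUInt16BE(p + 2);
      const data = buf.subarray(p + 4, p + 4 + len);
      if (type === EXT_SUPPORTED_VERSIONS) {
        supportedVersions = [];
        const n = data[0];                               // byte length of the version list
        for (let i = 0; i < n; i += 2) supportedVersions.push(data.readUInt16BE(1 + i));
      }
      p += 4 + len;
    }
  }
  // Without supported_versions, legacy_version is the highest version offered.
  const offered = supportedVersions || [legacyVersion];
  return {
    legacyVersion: VERSION_NAMES[legacyVersion] || legacyVersion.toString(16),
    offeredVersions: offered.map((v) => VERSION_NAMES[v] || v.toString(16)),
    offersTls13: offered.includes(0x0304),
    tls13Suites: cipherSuites.filter((s) => TLS13_SUITES.has(s)).length,
    legacySuites: cipherSuites.filter((s) => !TLS13_SUITES.has(s)).length,
  };
}

// Demo on the constructed sample: legacy field says 1.2, extension says 1.3.
console.log(parseClientHello(buildClientHello({ versions: [0x0304, 0x0303], cipherSuites: [0x1301, 0x1302, 0xc02f] })));
```

The point to take from the output is that `legacyVersion` reads TLSv1.2 even though the client offers TLSv1.3; a detection rule or proxy that keys on the legacy field alone will under-count TLS 1.3 and, worse, cannot tell a downgrade from a genuine 1.2-only client. Feeding the parser a real capture means stripping the TCP layer first and handling ClientHellos that span TLS records, which this example does not attempt.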
Vue CLI 3.0 is here as the standard build toolchain behind Vue applications

Sugandha Lahoti
13 Aug 2018
3 min read
The team behind Vue has announced Vue CLI 3.0 as the standard build tool for Vue applications. Vue CLI 3.0 minimizes the amount of configuration developers have to deal with. At its core, it provides a pre-configured build setup on top of webpack 4 with hot module replacement, code splitting, tree shaking, efficient long-term caching, and more. Vue CLI 3.0 also comes with a Modern mode in which developers can ship a native ES2017+ bundle and a legacy bundle in parallel, a Multi-page mode for building an app with multiple HTML/JS entry points, and the ability to build Vue Single-File Components into a library or into native web components. Optional integrations (TypeScript, PWA, Vue Router & Vuex, ESLint / TSLint / Prettier, unit testing via Jest or Mocha, E2E testing via Cypress or Nightwatch) can be selected when creating a new project.

Zero configuration

In most cases, developers just need to focus on writing code. When a project is scaffolded via Vue CLI 3.0, all the repetitive work, such as installing the Vue CLI runtime service, the selected feature plugins, and the necessary config files, is done automatically. Vue CLI also ships with the vue inspect command, which lets developers inspect the internal webpack configuration and make small tweaks without ejecting.

A powerful plugin system

Vue CLI 3.0 has an extensible plugin system which can inject dependencies and files during the app’s scaffolding phase, tweak the app’s webpack config, or inject additional commands into the CLI service during development. Developers can also create their own remote preset to share their selection of plugins and options with others.

Instant prototyping

Vue CLI 3’s vue serve command lets developers start prototyping with Vue single-file components without waiting for npm install. The prototyping dev server uses the same setup as a standard app, so a prototype *.vue file can later be moved into a properly scaffolded project’s src folder and work continued there.

Modern mode

Vue CLI 3.0’s modern mode produces two versions of an app: a modern bundle targeting browsers that support ES modules, and a legacy bundle targeting older browsers that do not. The modern bundle is loaded with <script type="module"> in browsers that support it; the legacy bundle is loaded with <script nomodule>, which browsers that support ES modules ignore. Modern mode is activated with:

vue-cli-service build --modern

This release focuses on making Vue CLI the standard build toolchain for Vue applications; the longer-term goal is to fold best practices from both the present and the future into the toolchain. Vue CLI 3.0 can be tried by following the instructions in the docs. The full list of updates is on the Vue Medium blog.
7 Black Hat USA 2018 conference cybersecurity training highlights: Hardware attacks, IO campaigns, Threat Hunting, Fuzzing, and more

Melisha Dsouza
11 Aug 2018
7 min read
The 21st International Conference of Black Hat USA 2018, has just concluded. It took place from August 4, 2018 – August 9, 2018 in Las Vegas, Nevada. It is one of the most anticipated conferences of the year for security practitioners, executives, business developers and anyone who is a cybersecurity fanatic and wants to expand their horizon into the world of security. Black Hat USA 2018 opened with four days of technical training followed by the two-day main conference featuring Briefings, Arsenal, Business Hall, and more. The conference covered exclusive training modules that provided a hands-on offensive and defensive skill set building opportunity for security professionals. The Briefings covered the nitty-gritties of all the latest trends in information security. The Business Hall included a network of more than 17,000 InfoSec professionals who evaluated a range of security products offered by Black Hat sponsors. Best cybersecurity Trainings  in the conference: For more than 20 years, Black Hat has been providing its attendees with trainings that stand the test of time and prove to be an asset in penetration testing. The training modules designed exclusively for Black Hat attendees are taken by industry and subject matter experts from all over the world with the goal of shaping the information security landscape. Here’s a look at a few from this year’s conference. #1 Applied Hardware attacks: Embedded and IOT systems This hands-on training was headed by Josh Datko, and Joe Fitzpatrick that: Introduced students to the common interfaces on embedded MIPS and ARM systems Taught them how to exploit physical access to grant themselves software privilege. Focussed on UART, JTAG, and SPI interfaces. Students were given a brief architectural overview. 70% hands-on labs- identifying, observing, interacting, and eventually exploiting each interface. Basic analysis and manipulation of firmware images were also covered. 
This two-day course was geared toward pen testers, red teamers, exploit developers, and product developers who wished to learn how to take advantage of physical access to systems to assist and enable other attacks. This course also aimed to show security researchers and enthusiasts- who are unwilling to 'just trust the hardware'- to gain deeper insight into how hardware works and can be undermined. #2 Information Operations: Influence, exploit, and counter This fast-moving class included hands-on exercises to apply and reinforce the skills learned during the course of the training. It also included a best IO campaign contest which was conducted live during the class. Trainers David Raymond and Gregory Conti covered information operations theory and practice in depth. Some of the main topics covered were IO Strategies and Tactics, Countering Information Operations and Operations Security and Counter Intelligence. Users learned about Online Personas and explored the use of bots and AI to scale attacks and defenses. Other topics included understanding performance and assessment metrics, how to respond to an IO incident, exploring the concepts of Deception and counter-deception, and Cyber-enabled IO. #3 Practical Vulnerability discovery with fuzzing: Abdul Aziz Hariri and Brian Gorenc trained students on techniques to quickly identify common patterns in specifications that produce vulnerable conditions in the network. The course covered the following- Learning the process to build a successful fuzzer, and highlight public fuzzing frameworks that produce quality results. “Real world" case studies that demonstrated the fundamentals being introduced. Leverage existing fuzzing frameworks, develop their own test harnesses, integrate publicly available data generation engines and automate the analysis of crashing test cases. 
This class was aimed at individuals wanting to learn the fundamentals of the fuzzing process, develop advanced fuzzing frameworks, and/or improve their bug finding capabilities. #4 Active Directory Attacks for Red and Blue teams: Nikhil Mittal’s main aim to conduct the training was to change how you test an Active Directory Environment. To secure Active Directory, it is important to understand different techniques and attacks used by adversaries against it. The AD environments lack the ability to tackle latest threats. Hence, this training was aimed towards attacking modern AD Environment using built-in tools like PowerShell and other trusted OS resources. The training was based on real-world penetration tests and Red Team engagements for highly secured environments. Some of the techniques used in the course were- Extensive AD Enumeration Active Directory trust mapping and abuse. Privilege Escalation (User Hunting, Delegation issues and more) Kerberos Attacks and Defense (Golden, Silver ticket, Kerberoast and more) Abusing cross-forest trust (Lateral movement across forest, PrivEsc and more) Attacking Azure integration and components Abusing SQL Server trust in AD (Command Execution, trust abuse, lateral movement) Credentials Replay Attacks (Over-PTH, Token Replay etc.) Persistence (WMI, GPO, ACLs and more) Defenses (JEA, PAW, LAPS, Deception, App Whitelisting, Advanced Threat Analytics etc.) Bypassing defenses Attendees also acquired a free one month access to an Active Directory environment. This comprised of multiple domains and forests, during and after the training. #5 Hands-on Power Analysis and Glitching with ChipWhisperer This course was suited for anyone dealing with embedded systems who needed to understand the threats that can be used to break even a "perfectly secure" system. Side-Channel Power Analysis can be used to read out an AES-128 key in less than 60 seconds from a standard implementation on a small microcontroller. 
Colin O'Flynn helped the students understand whether their systems were vulnerable to such an attack or not. The course was loaded with hands-on examples to teach them about attacks and theories. The course included a ChipWhisperer-Lite, that students could walk away with the hardware provided during the lab sessions. During the two-day course, topics covered included : Theory behind side-channel power analysis, Measuring power in existing systems, Setting up the ChipWhisperer hardware & software, Several demonstrated attacks, Understanding and demonstration glitch attacks, and Analyzing your own hardware #6 Threat Hunting with attacker TTPs A proper Threat Hunting program focused on maximizing the effectiveness of scarce network defense resources to protect against a potentially limitless threat was the main aim of this class. Threat Hunting takes a different perspective on performing network defense, relying on skilled operators to investigate and find the presence of malicious activity. This training used standard network defense and incident response (which target flagging known malware). It focussed on abnormal behaviors and the use of attacker Tactics, Techniques, and Procedures (TTPs). Trainers Jared Atkinson, Robby Winchester and Roberto Rodriquez taught students on how to create threat hunting hypotheses based on attacker TTPs to perform threat hunting operations and detect attacker activity. In addition, they used free and open source data collection and analysis tools (Sysmon, ELK and Automated Collection and Enrichment Platform) to gather and analyze large amounts of host information to detect malicious activity. They used these techniques and toolsets to create threat hunting hypotheses and perform threat hunting in a simulated enterprise network undergoing active compromise from various types of threat actors. The class was intended for defenders wanting to learn how to effectively hunt threats in enterprise networks. 
#7 Hands-on Hardware Hacking Training

The class, taught by Joe Grand, took students through the process of reverse engineering and defeating the security of electronic devices. The comprehensive training covered:
• Product teardown
• Component identification
• Circuit board reverse engineering
• Soldering and desoldering
• Signal monitoring and analysis
• Memory extraction
using a variety of tools including a logic analyzer, multimeter, and device programmer. It concluded with a final challenge in which attendees identify, reverse engineer, and defeat the security mechanism of a custom embedded system. Anyone interested in hardware hacking, including security researchers, digital forensic investigators, design engineers, and executive management, benefitted from this class.

And that's not all! Other trainings included software defined radio, a guide to threat hunting using the ELK stack and machine learning, AWS and Azure exploitation (making the cloud rain shells), and much more.

This is just a brief overview of the Black Hat USA 2018 conference, for which we have handpicked a select few trainings. You can see the full schedule along with the list of selected research papers on the Black Hat website. And if you missed this one, fret not: another conference is happening soon, from 3rd December to 6th December 2018. Check out the official website for details.

Sugandha Lahoti
10 Aug 2018
3 min read

Stack Overflow revamps its Code of Conduct to explain what ‘Be nice’ means - kindness, collaboration, and mutual respect

Stack Overflow has expanded its Code of Conduct, which previously focused on just "Being Nice", to include more virtues around kindness, collaboration, and mutual respect. Recently, many people have supported the idea that Stack Overflow is a "toxic wasteland".

https://twitter.com/aprilwensel/status/974859164747931650

There is also a Reddit thread from six months ago where people shared their woes about Stack Overflow being too toxic. The new Code of Conduct is a formal, far less ambiguous and more informative way for Stack Overflow to regulate belittling language and condescension. It applies to everyone using Stack Overflow and the Stack Exchange network, including the team, moderators, and anyone posting to Q&A sites or chat rooms.

The Be Nice policy, since its inception in 2008, was a single guiding principle that everyone was expected to follow. However, two words turned out to be too little and too ambiguous, and in 2014 a revised version of the policy was released to reflect that Stack Exchange was a better community than the Internet believed it to be. The revised version also added instructions on how to report rare cases of bad behavior. Still, this was not specific enough to meet the needs of the much larger, dynamic site Stack Overflow was growing into. So the team decided to launch a more formal policy, one that covers "Be nice, here's how, here's why, and here's what to do if someone isn't." The main tenets of the new code are:
• If you're here to get help, make it as easy as possible for others to help you.
• If you're here to help others, be patient and welcoming.
• Offer support if you see someone struggling or otherwise in need of help.
• Be clear and constructive when giving feedback, and be open when receiving it.
• Be kind and friendly. Avoid sarcasm and be careful with jokes, as tone can be hard to decipher online.
The code also denounces subtle put-downs or unfriendly language, name-calling or personal attacks, bigotry, and harassment. (Source: Stack Overflow)

If someone breaks the code of conduct, there are three stages:
• Warning: for most first-time misconduct, moderators will remove the offending content and send a warning.
• Account suspension: for repeated misconduct, moderators will impose a temporary suspension.
• Account expulsion: in very rare cases, moderators will expel people who display a pattern of harmful, destructive behavior towards the community.

The Stack Overflow team plans to assess the CoC every six months by taking feedback from both new and experienced users about their recent experiences on the site. They have also added a code-of-conduct tag which members can use on Meta Stack Exchange to ask questions about or propose changes to the CoC. You can go through the entire Code of Conduct on Stack Overflow.

Savia Lobo
10 Aug 2018
2 min read

GitHub open sources its GitHub Load Balancer (GLB) Director

GitHub open sourced the GitHub Load Balancer (GLB) Director on August 8, 2018. GLB Director is a Layer 4 load balancer which scales a single IP address across a large number of physical machines while minimizing connection disruption during any change in servers. Apart from open sourcing the GLB Director, GitHub has also shared details of the load balancer's design.

GitHub first released GLB on September 22, 2016. GLB is GitHub's scalable load balancing solution for bare metal data centers. It powers the majority of GitHub's public web and Git traffic, as well as GitHub's critical internal systems such as its highly available MySQL clusters.

How GitHub Load Balancer Director works

GLB Director is designed for use in data center environments where multiple servers can announce the same IP address via BGP, and the network routers shard traffic amongst those servers using ECMP routing. ECMP shards connections per-flow using consistent hashing, but since no state is stored for each flow, the addition or removal of nodes causes some disruption to traffic. A split L4/L7 design is typically used to allow the L4 servers to redistribute these flows back to a consistent server in a flow-aware manner. GLB Director implements the L4 (director) tier of such a split L4/L7 load balancer design.

The GLB design

GLB Director does not replace services like haproxy and nginx; rather, it is a layer in front of these services (or any TCP service) that allows them to scale across multiple physical machines without requiring each machine to have a unique IP address. (Diagram source: GitHub)

GLB Director only processes packets on ingress. It encapsulates them inside an extended Generic UDP Encapsulation packet. Egress packets from the proxy layer servers are sent directly to clients using Direct Server Return. Read more about the GLB Director in detail on the GitHub Engineering blog post.

Prasad Ramesh
10 Aug 2018
3 min read

Qml.Net: A new C# library for cross-platform .NET GUI development

Qml.Net is a C# library for cross-platform GUI development with a native dependency. It exposes the object types required to host a QML engine. In Qml.Net, QML and JavaScript together form the UI layer; it can be thought of as the view in MVC.

Qml.Net features

The PInvoke code in this .NET library is hand-crafted by developer Paul Knopf to ensure appropriate memory management and pointer ownership semantics. He is pretty confident about the library and mentions in his blog, "I'd bet you couldn't generate a segfault, even if you wanted to."

In Qml.Net, C# objects can be registered to be treated as QML components. You can then interoperate with them as you would with regular JavaScript objects. The registered C# objects serve as a portal through which the QML world can interact with your .NET objects. This has the added benefit of keeping your business and UI concerns cleanly separated, and there are no chatty PInvoke calls for rendering. It is a great match.

A pre-compiled portable installation of Qt and the native C wrapper is available for Windows, OSX, and Linux, so developers don't have to bother with C/C++. All you need to know is QML, C#, and JavaScript, and QML is fairly simple. QML can't really be classified as a language in the semantic sense; more appropriately, it can be considered a combination of JSON and JavaScript.

Qml.Net support and working

Qml.Net will work with any .NET language, including the popular C# and functional languages like F#. Your libraries reference the pure .NET NuGet package, Qml.Net. The host process (Program.Main) references the native NuGet package for the OS you are on:
• Qml.Net.WindowsBinaries
• Qml.Net.OSXBinaries
• Qml.Net.LinuxBinaries
Paul currently only tests his own models, which are C# objects registered with the QML engine and specific to each control/page. Since Microsoft's announcement of .NET Core, there hasn't been any clear direction for cross-platform GUI development.
Although Microsoft plans to support WPF in .NET Core 3.0, it will be limited to Windows machines. With community involvement and support, Qml.Net could be a potential game changer. You can head to the GitHub repository and also view some hosted examples to get a better idea.
Bhagyashree R
10 Aug 2018
3 min read

Boost 1.68.0, a set of C++ source libraries, is released, debuting YAP!

After the release of Boost 1.67.0 in April earlier this year, Boost 1.68.0 is now out with a new library named YAP and updates to libraries such as Beast, Fusion, and GIL, to name a few. Boost provides peer-reviewed portable C++ source libraries for generic programming, concurrent programming, metaprogramming, data structures, testing, and many more tasks and structures.

YAP: The new expression template library

YAP is an expression template library that aims to help developers write optimized and maintainable code. Some of its features include:
• Member and non-member functions on ExpressionTemplates and Expressions can be added with compact macros.
• A reference template that models ExpressionTemplate exists for prototyping or experimentation.
• The evaluation done by Boost.YAP closely matches the semantics of built-in C++ expressions, enabling a clearer understanding of the semantics of expression evaluation.
• Expressions can be transformed explicitly in a user-defined way with the help of overloaded call operators in a transform class. The evaluate(transform(expr)) idiom is expected to be one of the most common ways of using YAP to manipulate and evaluate expressions.
• Boost.YAP provides functions that manipulate expressions or their subexpressions.

Updated libraries in Boost 1.68.0

Beast:
• An executor work guard is added in all composed operations used in the implementation. To avoid crashes related to asynchronous completion handlers, users are encouraged to upgrade.

Fusion:
• A workaround is added for an ambiguous call of the fusion::deque constructor on GCC 4.4/c++0x.
• A bug with C-style arrays is now fixed.
• The fusion::for_each signature is fixed to take the functor by value. This may break existing code with a non-copyable (non-movable) functor.
• An unintentional MPL placeholder substitution bug in fusion::transform is now fixed.

GIL:
• A C++11-compliant compiler is now required by the library.
• Its I/O extensions have been entirely rewritten.
Math:
• Added support for arbitrary precision complex valued quadrature and hence contour integration.
• Added support for contour integrals.
• Performance of polynomial addition is improved.

Multi-index Containers:
• Containers of moveable but non-copyable elements can now be serialized.
• The default constructor of multi_index_container is no longer explicit.

Test:
• The master_test_suite_t object is no longer copyable.
• Dataset test cases can now use command line parameters.

Uuid:
• Breaking change: the sha1 detail namespace header redirection for backwards compatibility was removed.
• Added support for std::hash.
• Added support for move semantics on random generators.
• EINTR is now properly handled when acquiring entropy.
• getrandom(2) is used instead of getentropy(3) on Linux.

These were some of the updates in Boost 1.68.0. To know more, head over to the official site.

Pravin Dhandre
10 Aug 2018
2 min read

TensorFlow 1.10 arrives, cmake out, Bazel in

Open source contributors from the TensorFlow community have released TensorFlow 1.10, loaded with numerous features, bug fixes and improvements. Let's have a look at the key improvements added to the TensorFlow framework.

New Features and Improvements:
• Runtime tf.lite now supports complex64
• tf.data gets Bigtable integration
• tf.estimator.train_and_evaluate is enhanced with improved local run behaviour
• Added restriction support in RunConfig for speeding up training and ensuring a clean shutdown
• Moved Distributions and Bijectors from tf.contrib.distributions to TensorFlow Probability (TFP)
• Added new endpoints such as tf.debugging, tf.dtypes, tf.image, tf.io, tf.linalg, tf.manip, tf.math, tf.quantization and tf.strings

Breaking Changes:
• The deprecation of tf.contrib.distributions is in process; it is to be removed by the end of the year
• Official support for cmake is being dropped
• Bazel is the supported build system from TensorFlow 1.11 onwards

Bug Fixes and Miscellaneous Changes:
• tf.contrib.data.group_by_reducer() is now available via the public API
• Added the drop_remainder argument to tf.data.Dataset.batch() and tf.data.Dataset.padded_batch()
• Custom savers for Estimator are included in EstimatorSpec, useful during export
• Support for sparse_combiner in canned Linear Estimators
• Added batch normalization to DNNClassifier, DNNRegressor, and DNNEstimator
• Added ranking support and a center bias option for boosted trees

You can visit the TensorFlow official release page on GitHub to review the full release notes for the complete list of added features and changes.

Savia Lobo
10 Aug 2018
4 min read

Apache Flink version 1.6.0 released!

The Apache Flink community released version 1.6.0 yesterday. Apache Flink 1.6.0 is the seventh major release in the 1.x.y series, and it is API-compatible with the previous 1.x.y releases for APIs annotated with the @Public annotation. Apache Flink 1.6.0 enables users to seamlessly run fast data processing and build data-driven, data-intensive applications effortlessly.

Features and Improvements in Apache Flink 1.6.0

In this version, the Flink community has added a Jepsen based test suite (FLINK-9004). This suite validates the behavior of Flink's distributed cluster components under real-world faults. It is the community's first step towards higher test coverage for Flink's fault tolerance mechanisms. The other major features include the following.

Improved State Support for Flink

The State TTL feature allows one to specify a time-to-live (TTL) for Flink state. Once the TTL is exceeded, Flink will no longer give access to the respective state values. The expired data is cleaned up on access, so that the operator keyed state doesn't grow infinitely and expired values are not included in subsequent checkpoints. This feature fully complies with new data protection regulations (e.g. GDPR).

With scalable timers based on RocksDB, Flink's timer state can now be stored in RocksDB, allowing Flink to support significantly bigger timer state since it can go out of core and spill to disk. Flink's improved internal timer data structure makes timer deletion fast, reducing the deletion complexity from O(n) to O(log n). This significantly improves Flink jobs that use timers.

Extended Deployment Options in Flink 1.6.0

Flink 1.6.0 provides an easy-to-use container entrypoint to bootstrap a job cluster. Combining this entrypoint with a user-code jar creates a self-contained image which automatically executes the contained Flink job when deployed.
With fully RESTified job submission, the Flink client can now send all job-relevant content via a single POST call to the server. This allows much easier integration with cluster management frameworks and container environments, since opening custom ports is no longer necessary.

SQL and Table API enhancements

• The SQL Client CLI now supports the registration of user-defined functions, which improves the CLI's expressiveness, since SQL queries can be enriched with more powerful custom table, aggregate, and scalar functions.
• Apache Flink 1.6.0 now supports batch queries in the SQL Client CLI, INSERT INTO statements in the SQL Client CLI, and SQL Avro.
• In this release, table sinks can be defined in a YAML file using string-based properties without having to write a single line of code.
• The new Kafka table sink uses the new unified APIs and supports both JSON and Avro formats.
• Improved expressiveness of SQL and Table API: SQL aggregate functions support the DISTINCT keyword, so queries such as COUNT(DISTINCT column) are supported for windowed and non-windowed aggregations. Both SQL and Table API now include more built-in functions such as MD5, SHA1, SHA2, LOG, and UNNEST for multisets.

Hardened CEP Library

The CEP operator's internal NFA state is now backed by Flink state, supporting larger use cases.

More Expressive DataStream Joins

Flink 1.6.0 adds support for interval joins in the DataStream API. With this feature it is now possible to join events from different streams to each other.

Intra-Cluster Mutual Authentication

Flink's cluster components now enforce mutual authentication with their peers. This allows only Flink components to talk to each other, making it difficult for malicious actors to impersonate Flink components in order to eavesdrop on cluster communication. Read more about this release in detail in the Apache Flink 1.6.0 release notes.
Natasha Mathur
10 Aug 2018
2 min read

PostgreSQL group releases an update to 9.6.10, 9.5.14, 9.4.19, 9.3.24

The PostgreSQL team released an update yesterday to versions 10.5, 9.6.10, 9.5.14, 9.4.19 and 9.3.24 of its database system. The latest update focuses on fixing two security issues and bugs detected in the past three months. PostgreSQL is a popular open source relational database management system that offers reliability, correctness, robustness, and performance. It runs on all major operating systems, such as Linux, UNIX (AIX, BSD, HP-UX, SGI IRIX, Mac OS X, Solaris, Tru64), and Windows. Let's discuss the highlights of the recent update.

Security Issues

The recent release focuses on fixing two major security issues:

Certain host connection parameters defeat client-side security defenses

There was an internal issue in libpq, the client connection API for PostgreSQL. When trying to reconnect, not all of the connection state variables were reset. Specifically, the state variable that helps determine whether or not a password is needed for a connection would not be reset. This allowed users of features built on libpq, namely the dblink or postgres_fdw extensions, to log in to servers they should not be able to access. To check if your database has either extension installed, run the following from your PostgreSQL shell:

\dx dblink|postgres_fdw

Memory disclosure and missing authorization in INSERT ... ON CONFLICT DO UPDATE

An attacker who can issue CREATE TABLE can read arbitrary bytes of server memory with the help of an upsert (INSERT ... ON CONFLICT DO UPDATE) query, and by default any user can do so. Separately, a user with INSERT privileges and an UPDATE privilege on at least one column of a given table is able to update other columns with the help of a view and an upsert query.

Major Bug Fixes

An issue in VACUUM that could lead to data corruption in certain system catalog tables has been fixed with the latest update. There are also many performance improvements to the replay of write-ahead logs.
The SQL-standard FETCH FIRST syntax has been fixed to allow parameters ($n), as the standard expects. A performance regression related to POSIX semaphores has been fixed for multi-CPU systems running Linux or FreeBSD. libpq has been fixed for cases where hostaddr is used. For complete information on the other bug fixes and improvements, check out the official PostgreSQL release notes.
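As an added example (not taken from the PostgreSQL release notes), the SQL below runs the checks a DBA would want after reading the two security issues above: the server version against the fixed releases, whether dblink or postgres_fdw is installed, and which non-superuser roles hold INSERT on a table together with UPDATE on only some of its columns, the privilege pattern the upsert issue concerns. It assumes you run it as a superuser so the catalog views show every role; all catalog names and functions used are standard PostgreSQL.

```sql
-- Added example; not part of the PostgreSQL release notes.
-- 1. Which server version is running? Compare it against the fixed
--    releases listed above (10.5, 9.6.10, 9.5.14, 9.4.19, 9.3.24).
SELECT version();

-- 2. Is dblink or postgres_fdw installed in this database? These are the
--    libpq-based features affected by the reconnect state issue.
--    (Equivalent to \dx dblink|postgres_fdw in psql; run it per database.)
SELECT e.extname, e.extversion, n.nspname AS schema
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
WHERE e.extname IN ('dblink', 'postgres_fdw');

-- 3. Which non-superuser roles hold INSERT on a table plus UPDATE on some,
--    but not all, of its columns? On an unpatched server that is the grant
--    pattern under which the upsert issue lets the other columns be updated.
--    Rows returned are grants to review, not evidence of exploitation.
--    SUM(CASE ...) is used instead of FILTER so the query also runs on 9.3.
SELECT r.rolname,
       c.oid::regclass AS table_name,
       SUM(CASE WHEN has_column_privilege(r.oid, c.oid, a.attnum, 'UPDATE')
                THEN 1 ELSE 0 END) AS updatable_cols,
       COUNT(*) AS total_cols
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_attribute a ON a.attrelid = c.oid
                   AND a.attnum > 0          -- user columns only
                   AND NOT a.attisdropped    -- skip dropped columns
CROSS JOIN pg_roles r
WHERE c.relkind = 'r'                        -- ordinary tables
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT r.rolsuper                         -- superusers can do anything anyway
  AND has_table_privilege(r.oid, c.oid, 'INSERT')
GROUP BY r.rolname, c.oid
-- keep only the "some but not all columns" pattern
HAVING SUM(CASE WHEN has_column_privilege(r.oid, c.oid, a.attnum, 'UPDATE')
                THEN 1 ELSE 0 END) BETWEEN 1 AND COUNT(*) - 1
ORDER BY r.rolname, table_name;
```

The third query cross-joins every role with every column, so on a large catalog it can take a while; it is an audit query, not something to schedule frequently.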

Melisha Dsouza
10 Aug 2018
3 min read

Google’s new facial recognition patent uses your social network to identify you!

Google is making its mark in facial recognition technology. After two successful forays into facial identification patents in August 2017 and January 2018, Google is back with another. This time it's huge: Google plans to use machine-learning technology for facial recognition of publicly available personal photos on the internet. It's no secret that Google can crawl trillions of websites at once. Using this as an advantage, the new patent allows Google to source pictures and identify faces from personal communications, social networks, collaborative apps, blogs and much more!

Why is facial recognition gaining importance?

The internet is buzzing with people clicking and uploading their images. Whether profile pictures or group photographs, images on social networks are all the rage these days. Apart from this, facial recognition also comes in handy when performing secure banking and financial transactions: ATMs and banks use this technology to make sure the user is who he/she says they are. From criminal tracking to identifying individuals in huge masses of people, facial recognition has applications everywhere!

Clearly, Google has been taking full advantage of this tech. First, in the "Reverse Image Search" system, which allowed users to upload an image of a public figure to Google, the results would be a "best guess" about who appears in the photo. And now, with the new patent, users can identify photos of less famous individuals. Imagine uploading a picture of a fifth-grade friend and coming back with his/her email ID or occupation or, for that matter, where they live!

The Workings of the Google Brain

The process is simple and straightforward.
• First, the user uploads a photo, screenshot or scanned image.
• The system analyzes the image and comes up with both visually similar images and a potential match, using advanced image recognition.
• Google finds the best possible match based partially on the data it pulled from your social accounts and other collaborative apps, plus the aforementioned data sources.
(Figure: the process of recognizing an image adopted by Google. Source: CBInsights)

While all of this does sound exciting, there is a dark side left to be explored. Imagine you are out going about your own business, and someone you don't even know happens to take your picture. This could later be used to find out all your personal details: where you live, what you do for a living, what your email address is. All because everything is available on your social media accounts and on the internet these days! Creepy much? This is where basic ethics and privacy concerns come into play. The only solace here is that the patent states that, in certain scenarios, a person would have to opt in to have his/her identity appear in search results. Need to know more? Check out the perspective on thenextweb.com.