Tech News

Yesterday, Kali Linux’s first release for 2019 was announced. Kali Linux 2019.1 comes with a variety of changes and new features including, support for Metasploit version 5.0, kernel up to version 4.19.13, ARM updates and numerous bug fixes. Users with a Kali installation can upgrade using: root@kali:~# apt update && apt -y full-upgrade You can also download new Kali Linux ISOs directly from the official website or from the Torrent network. What’s new in Kali Linux 2019.1? Support for Metasploit 5.0 The new version of Kali Linux now supports Metasploit version 5.0, which was released last month. Metasploit 5.0 introduces multiple new features including Metasploit’s new database and automation APIs, evasion modules and libraries, expanded language support, improved performance, and more. Kali Linux 2019.1 also includes updated packages for theHarvester, DBeaver, and more. theHarvester helps Penetration testers in the early stages of the penetration test to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources. DBeaver is an SQL client and a database administration tool. Updates to ARM The 2019.1 Kali release for ARM include: The operating system has an upgraded kernel (v4.19.13) that supports the use of both Banana Pi and Banana Pro single board computers. Veyron has also been moved to a 4.19 kernel The Offensive Security virtual machine and ARM images have also been updated to 2019.1 Raspberry Pi images have been simplified. Separate Raspberry Pi images are no longer there for users with TFT LCDs because Kali 2019.1 now comes with re4son’s kalipi-tft-config script on all of them.  For setting up a board with a TFT, users can run ‘kalipi-tft-config’ and follow the prompts. You can go through the changelog to know detailed bug fixes. Kali Linux 2018 for testing and maintaining Windows security – Wolf Halton and Bo Weaver [Interview] Implementing Web application vulnerability scanners with Kali Linux [Tutorial] Kali Linux 2018.2 released

Two days ago, Google astonished many people around the world with claims that they have achieved a major milestone in quantum computing, one which has largely been an unattainable feat until now. In a paper titled “Quantum supremacy using a programmable superconducting processor”, Google explains how its 53-bit quantum computer named ‘Sycamore’ took only 200 seconds to perform a sensitive computation that would otherwise take the world's fastest supercomputer 10,000 years. This, Google claims is their attainment of ‘quantum supremacy’. If confirmed, this would be the first major milestone in harnessing the principles of quantum mechanics to solve computational problems. Google’s AI Quantum team and John Martinis, physicist at the University of California are the prime contributors to this achievement. NASA Ames Research Center, Oak Ridge National Laboratory and Forschungszentrum Jülich have also helped Google in implementing this experiment. In quantum computing, quantum supremacy is the potential ability of any device to solve problems that classical computers practically cannot. According to Sundar Pichai, Google CEO, “For those of us working in science and technology, it’s the “hello world” moment we’ve been waiting for—the most meaningful milestone to date in the quest to make quantum computing a reality.” This announcement from Google comes exactly one month after the same paper was leaked online. However, following Google’s announcement, IBM is arguing “an ideal simulation of the same task can be performed on a classical system in 2.5 days with far greater fidelity.” According to IBM, as proposed by John Preskill in 2012, the original meaning of the term “quantum supremacy,” is the point where quantum computers can do things that classical computers can’t. Since, Google has not yet achieved this threshold, IBM argues that their claims are wrong. IBM says that in the published paper, Google has assumed that the RAM storage requirements in a traditional computer would be massive. However, if a different approach of using both RAM and hard drive space to store and manipulate the state vector is employed, the 10,000 years specified by Google will drop considerably. Thus, IBM refutes Google’s claims and stated that in its strictest definition, the quantum supremacy standard has not been met by anybody until now. IBM believes that “fundamentally, quantum computers will never reign “supreme” over classical computers, but will rather work in concert with them, since each have their unique strengths.”  IBM further added that the term ‘supremacy’ is currently being misunderstood and urged everybody in the community to treat Google’s claims “with a large dose of skepticism.” Read More: Has IBM edged past Google in the battle for Quantum Supremacy? Though Google has not directly responded to IBM’s accusations, in a statement to Forbes, a Google spokesperson said, “We welcome ideas from the research community on new applications that work only on NISQ-era processors like Sycamore and its successors. We’ve published our circuits so the whole community can explore this new space. We’re excited by what’s possible now that we have this unique new resource.” Although IBM is skeptical of Google’s claims, the news of Google’s accomplishment is making waves all around the world. https://twitter.com/rhhackett/status/1186949190695313409 https://twitter.com/nasirdaniya/status/1187152799055929346 Google’s experiment with the Sycamore processor To achieve this milestone, Google researchers developed Sycamore, the high-fidelity quantum logic gates processor consisting of a two-dimensional array of 54 transmon qubits. Sycamore consists of a two-dimensional grid where each qubit is connected to four other qubits. Each qubit in the processor is tunably coupled to four nearest neighbors, in a rectangular lattice and are forward-compatible for error correction. As a result, the chip has enough connectivity to let  the qubit states quickly interact throughout the entire processor. This feature of Sycamore is what makes it distinct from a classical computer. Image Source: Google blog In the Sycamore quantum processor, “Each run of a random quantum circuit on a quantum computer produces a bitstring, for example 0000101. Owing to quantum interference, some bit strings are much more likely to occur than others when we repeat the experiment many times. However, finding the most likely bit strings for a random quantum circuit on a classical computer becomes exponentially more difficult as the number of qubits (width) and number of gate cycles (depth) grow,” states John Martinis, Chief Scientist Quantum Hardware and Sergio Boixo, Chief Scientist Quantum Computing Theory, Google AI Quantum. Image Source: Google blog For the experiment, the Google researchers ran a random simplified circuit from 12 to 53 qubits with the circuit depth kept constant. Next, they checked the performance of the quantum computer using classical simulations and compared the performance of a quantum computer with a theoretical model. After verifying that the quantum system was working, the researchers ran a random hard circuit with 53 qubits and this time, allowed the circuit depth to expand until the point where the classical simulation became infeasible. At the end, it was found that this quantum computation cannot be emulated on a classical computer and hence, this opens “a new realm of computing to be explored,” says Google. The Google team is now working on quantum supremacy applications like quantum physics simulation, quantum chemistry, generative machine learning, and more. After procuring “certifiable quantum randomness”, Google is now working on testing this algorithm to develop a prototype that can provide certifiable random numbers. Leaving IBM’s accusation aside, many people are excited about Google’s great achievement. https://twitter.com/christina_dills/status/1187074109550800897 https://twitter.com/Inzilya777/status/1187102111429021696 Few people believe that Google is making a hullabaloo of a not-so-successful experiment. A user on Hacker News comments, “Summary: - Google overhyped their results against a weak baseline. This seems to be commonplace in academic publishing, especially new-ish fields where benchmarks aren't well-established. There was a similar backlash against OpenAI's robot hand, where they used simulation for the physical robotic movements and used a well-known algorithm for the actual Rubik's Cube solving. I still think it's an impressive step forward for the field.” Check out the video of Google’s demonstration of quantum supremacy below. https://youtu.be/-ZNEzzDcllU Smart Spies attack: Alexa and Google Assistant can eavesdrop or vish (voice phish) unsuspecting users, disclose researchers from SRLabs Made by Google 2019: Google’s hardware event unveils Pixel 4 and announces the launch date of Google Stadia After backlash for rejecting a uBlock Origin update from the Chrome Web Store, Google accepts ad-blocking extension

A group of researchers recently disclosed seven additional attacks in the Spectre and Meltdown families. These seven attacks are said to impact the AMD, ARM, and the Intel CPUs to a certain extent. The researchers have presented an execution of these attacks in detail, in their research paper titled, ‘A Systematic Evaluation of Transient Execution Attacks and Defenses’. 2 Meltdown and 5 Spectre variants found The 7 newly found attacks include 2 new Meltdown variants namely, Meltdown-PK, and Meltdown-BR. It also includes 5 new Spectre mistraining strategies for Spectre-PHT and SpectreBTB attacks. The researchers said that these 7 new attacks have been overlooked and not been investigated so far. The researchers successfully demonstrated all seven attacks with proof-of-concept code. However, experiments to confirm six other Meltdown-attacks did not succeed. The two new Meltdown attacks include: Meltdown-PK - bypasses memory protection keys on Intel CPUs Meltdown-BR - exploits an x86 bound instruction on Intel and AMD The other Meltdown attacks  which the researchers tried and failed to exploit targeted the following internal CPU operations: Meltdown-AC - tried to exploit memory alignment check exceptions Meltdown-DE - tried to exploit division (by zero) errors Meltdown-SM - tried to exploit the supervisor mode access prevention (SMAP) mechanism Meltdown-SS - tried to exploit out-of-limit segment accesses Meltdown-UD - tried to exploit invalid opcode exception Meltdown-XD - tried to exploit non-executable memory Source: A Systematic Evaluation of Transient Execution Attacks and Defenses In order to understand the Spectre-type attacks, the researchers proposed a categorization based on, first, the prediction mechanism exploited, and second, the mistraining mechanism. Here researchers propose to combine all attacks that exploit the same microarchitectural element: Spectre-PHT: Exploits the Pattern History Table (PHT) Spectre-BTB: Exploits the Branch Target Buffer (BTB) Spectre-STL: Exploits the CPUs memory disambiguation prediction, specifically store-to-load forwarding (STLF) Spectre-RSB: Exploits the Return Stack Buffer (RSB) According to ZDNet, “Based on the experiments, the researchers found three new Spectre attacks that exploit the Pattern History Table (PHT) mechanism and two new Spectre attacks against the Branch Target Buffer (BTB).” PHT-CA-OP PHT-CA-IP PHT-SA-OP BTB-SA-IP BTB-SA-OP Defenses for these new Spectre and Meltdown attacks For each of the Spectre and Meltdown attack types, the researchers have categorized the defenses into three and two categories respectively. For Spectre-type attacks, the defense categories are: Mitigating or reducing the accuracy of covert channels used to extract the secret data. Mitigating or aborting speculation if data is potentially accessible during transient execution. Ensuring that secret data cannot be reached. For Meltdown-type attacks, the defense categories are: Ensuring that architecturally inaccessible data remains inaccessible on the microarchitectural level. Preventing the occurrence of faults. The researchers in the paper said, “We have systematically evaluated all defenses, discovering that some transient execution attacks are not successfully mitigated by the rolled out patches and others are not mitigated because they have been overlooked. Hence, we need to think about future defenses carefully and plan to mitigate attacks and variants that are yet unknown”. To know more about these newly found attacks in detail and the related experiments, head over to the research paper written by Claudio Canella et al. Intel announces 9th Gen Core CPUs with Spectre and Meltdown Hardware Protection amongst other upgrades NetSpectre attack exploits data from CPU memory SpectreRSB targets CPU return stack buffer, found on Intel, AMD, and ARM chipsets

Last week, a potentially serious and unpatched security issue was revealed in the Kubernetes API server GitHub repository by StackRox. The security lapse was due to the parsing of a  Kubernetes API server deployment called YAML (Yet Another Markup Language) which is used for specifying configuration-type information. This security issue makes the cluster’s Kubernetes API service vulnerable to an attack called “billion laughs”. The billion laughs attack is a type of denial-of-service (DoS) attack. The vulnerability has got a CVE-2019-11253, however, the details of the security attack are reserved till the Kubernetes organization makes the security problem public. Kubernetes has not yet released a security patch to fix the underlying vulnerability. StackRox states, “The issue once again serves as a reminder that, like all software, Kubernetes is vulnerable to zero-day exploits. Thus, mere access to your Kubernetes API server should be treated as sensitive, regardless of how tight your application-level authorization policies (i.e., Kubernetes RBAC) are.” Read Also: CNCF-led open-source Kubernetes security audit reveals 37 flaws in Kubernetes cluster; recommendations proposed The Kubernetes cluster’s master and its resources are contacted by the Kubernetes API service which is backed by the Kubernetes apiserver. The Kubernetes apiserver accepts the incoming connections, after checking their authenticity of the entity and then applies the corresponding request handlers. One of the types of payloads that is accepted by the Kubernetes API service is exclusive to the YAML manifests and is concerned with the use of “references”. These references to nodes can be used in nodes that are themselves referenced in other nodes. This nesting of references and its subsequent expansion is the reason behind the current security vulnerability in the Kubernetes API. The Kubernetes apiserver does not perform any input validation on the uploaded YAMLs, and also does not impose hard limits on the size of the expanded file. These non-responsive actions make the Kubernetes apiserver an easy target. Thus, StackRox believes that only a clear fix to the Kubernetes apiserver code can safeguard the Kubernetes GitHub repository from this “billion laughs” attack. Read Also: Kubernetes 1.16 releases with Endpoint Slices, general availability of Custom Resources, and other enhancements StackRox recommends to protect the Kubernetes API server Users should analyze the Role-based access control (RBAC) policies of the Kubernetes to ensure that only reliable entities hold privileged access to a cluster’s resources. The cluster roles must be audited regularly. Users should be cautioned to keep the privileges of entities with low or no trust as unauthenticated users. Users should also disable any anonymous access by passing the --anonymous-auth=false flag to both the API server and the Kubelets. It should be noted that any small information like the API server version or the fact that the Kubernetes API server is running on a particular host can also be a piece of valuable information to the attacker. The Kubernetes API server endpoint should not be exposed to the internet, instead, it should be made secure using network firewalls. The API server access should only be given to trustworthy (private) subnets or VPC networks. Head over to the Stackrox page for more details on the security vulnerability of Kubernetes API. 6 Tips to Prevent Social Engineering How Chaos Engineering can help predict and prevent cyber-attacks preemptively An unpatched vulnerability in NSA’s Ghidra allows a remote attacker to compromise exposed systems GitLab 11.7 releases with multi-level child epics, API integration with Kubernetes, search filter box and more Pivotal open sources kpack, a Kubernetes-native image build service

Yesterday, at the Microsoft Build 2019, the team at Microsoft announced Windows Terminal, a new terminal application for users of command-line tools and shells like PowerShell, Command Prompt, and WSL. This terminal will be delivered via the Microsoft Store in Windows 10 and will be regularly updated. Key features of Windows Terminal Multiple tabs Windows Terminal comes with multiple tab support so users will now be able to open any number of tabs, each connected to a command-line shell or app of their choice. E.g. PowerShell, Ubuntu on WSL, Command Prompt, a Raspberry Pi via SSH, etc. Text Windows terminal uses a GPU accelerated DirectWrite/DirectX-based text rendering engine so that it displays text characters, glyphs, and symbols present within fonts on the PC. In addition, it also includes emoji, powerline symbols, CJK ideograms, icons, programming ligatures, etc. It can also render text much faster as compared to the previously used engines. Users now have the option of using their own new font. Settings and configurability Windows Terminal comes with many settings and configuration options that manage Terminal’s appearance and each of the shells/profiles that users open as new tabs. The settings are stored in a structured text file so that it makes it easy for users and/or tools to configure. With the terminal’s configuration mechanism, users will be able to create multiple “profiles” for each shell/app/tool. And these profiles can have their own combination of color themes, font styles and sizes, background blur/transparency levels, etc so that users can now create their own custom-styled Terminal. Windows Console The team further announced that they are open sourcing Windows Console which hosts the command-line infrastructure in Windows and provides the traditional Console UX. The primary goal of the console is preserving backward compatibility with existing command-line tools, scripts, etc. To know more about this news, check out Microsoft’s blog post. Microsoft introduces Remote Development extensions to make remote development easier on VS Code Docker announces collaboration with Microsoft’s .NET at DockerCon 2019 Microsoft and GitHub employees come together to stand with the 996.ICU repository    

Yesterday, at the Microsoft Ignite 2019 in Orlando, the company released the preview of its first full-stack, scalable, general open cloud ecosystem, ‘Azure Quantum’. For developers, Microsoft has specifically created the open-source Quantum Development Kit, which includes all of the tools and resources you need to start learning and building quantum solutions. Azure Quantum is a set of quantum services including pre-built solutions to software and quantum hardware, providing developers and customers access to some of the most competitive quantum offerings in the market. For this offering, Microsoft has partnered with 1QBit, Honeywell, IonQ, and QCI. With Azure Quantum service, anyone gains deeper insights about quantum computing through a series of tools and learning tutorials such as the quantum katas. It also allows developers to write programs with Q# and QDK and experiment running the code against simulators and a variety of quantum hardware. Customers can also solve complex business challenges with pre-built solutions and algorithms running in Azure. According to Wired, “Azure Quantum has similarities to a service from IBM, which has offered free and paid access to prototype quantum computers since 2016. Google, which said last week that one of its quantum processors had achieved a milestone known as “quantum supremacy” by outperforming a top supercomputer, has said it will soon offer remote access to quantum hardware to select companies.” Microsoft’s Azure Quantum model is more like the existing computing industry, where cloud providers allow customers to choose processors from companies such as Intel and AMD, says William Hurley, CEO of startup Strangeworks. This startup offers services for programmers to build and collaborate with quantum computing tools from IBM, Google, and others. With just a single program, users will be able to target a variety of hardware through Azure Quantum – Azure classical computing, quantum simulators, and resource estimators, and quantum hardware from our partners, as well as our future quantum system being built on revolutionary topological qubit. Microsoft, on its official website, announced that the Azure Quantum will be launched in private preview in the coming months. Many users are excited to try the Quantum service by Azure. https://twitter.com/Daniel_Rubino/status/1191364279339036673 To know more about Azure Quantum in detail, visit Microsoft’s official page. Are we entering the quantum computing era? Google’s Sycamore achieves ‘quantum supremacy’ while IBM refutes the claim Using Qiskit with IBM QX to generate quantum circuits [Tutorial] How to translate OpenQASM programs in IBX QX into quantum scores [Tutorial]

Update: Included Google’s recent plan of action after facing backlash by Nest users.   At this year’s Google I/O developer conference, Google announced that it is bringing all the Nest and Google Home products under one brand “Google Nest”. As a part of this effort, Nest announced on Tuesday that it will be discontinuing the Works with Nest API by August 30, 2019, in favor of Works with Google Assistant. “We want to unify our efforts around third-party connected home devices under a single developer platform – a one-stop shop for both our developers and our customers to build a more helpful home. To accomplish this, we’ll be winding down Works with Nest on August 31, 2019, and delivering a single unified experience through the Works with Google Assistant program,” wrote Nest in a post. Google with this change aims to make the whole smart home experience for users more secure and unified. Over the next few months, users with Nest accounts will need to migrate to Google Accounts, which will serve as a single front-end for using products across Nest and Google. Along with providing a unified experience, Google also promises to be transparent about the data it collects, which it mentioned in an extensive document published on Tuesday. The document titled “Google Nest commitment to privacy in the home” describes how its connected smart home devices work and also lays out Google’s approach for managing user data. Though Google is promising improved security and privacy with this change, this will also end up breaking some existing third-party integrations. And, one of them is IFTTT (If This, Then That), a software platform with which you can write “applets” that allow devices from different manufacturers to talk to each other. We can use IFTTT for things like automatically adjusting the thermostat when the user comes closer to their house based on their phone location, turning Philips Hue smart lights on when a Nest Cam security camera detects motion, and more. Developers who work with Works with Nest API are recommended to visit the Actions on Google Smart Home developer site to learn how to integrate smart home devices or services with the Google Assistant. What Nest users think about this decision? Though Google is known for its search engine and other online services, it is also known for abandoning and killing its products in a trice. This decision of phasing out Works with Nest has left many users infuriated who have brought Nest products. https://twitter.com/IFTTT/status/1125930219305615360 “The big problem here is that there are a lot of people that have spent a lot of money on buying quality hardware that isn't just for leisure, it's for protection. I'll cite my 4 Nest Protects and an outdoor camera as an example. If somehow they get "sunsetted" due to some Google whim, fad or Because They Can, then I'm going to be pretty p*ssed, to say the least. Based on past experience I don't trust Google to act in the users' interest,” said one Hacker News user. Some other users think that this change could be for better, but the timeline that Google has decided is pretty stringent. A Hacker News user commented on a discussion triggered by this news, “Reading thru it, it is not as brutal as it sounds, more than they merged it into the Google Assistant API, removing direct access permission to the NEST device (remember microphone-gate with NEST) and consolidating those permissions into Assistant. Whilst they are killing it off, they have a transition. However, as far as timelines go - August 2019 kill off date for the NEST API is brutal and not exactly the grace period users of connected devices/software will appreciate or in many cases with tech designed for non-technical people - know nothing until suddenly in August find what was working yesterday is now not working.” Google’s reaction to the feedback by Nest users As a response to the backlash by Nest users, Google published a blog post last week sharing its plan of action. According to this plan, users’ existing devices and integrations will continue to work with their Nest accounts. However, they will not have access to any new features that will be available through their Google account. Google further clarified that it will stop taking any new Works with Nest connection requests from August 31, 2019. “Once your WWN functionality is available on the WWGA platform you can migrate with minimal disruption from a Nest Account to a Google Account,” the blog post reads. Though Google did share its plans regarding the third-party integrations, it was pretty vague about the timelines. It wrote, “One of the most popular WWN features is to automatically trigger routines based on Home/Away status. Later this year, we'll bring that same functionality to the Google Assistant and provide more device options for you to choose from. For example, you’ll be able to have your smart light bulbs automatically turn off when you leave your home.” It further shared that it has teamed up with Amazon and other partners for bringing custom integrations to Google Nest. Read the official announcement on Nest’s website. Google employees join hands with Amnesty International urging Google to drop Project Dragonfly What if buildings of the future could compute? European researchers make a proposal. Google to allegedly launch a new Smart home device

Yesterday, GitHub announced that it now supports Web Authentication (WebAuthn) for security keys. In addition to time-based one-time password (TOTP) applications and text messages, you can now also configure two-factor authentication using a security key. https://twitter.com/github/status/1164240757278027779 WebAuthn is a standard by W3C that uses a public key instead of passwords or SMS texts for registering and authentication. It leverages strong authenticators that come built into devices like Windows Hello or Apple’s Touch ID. The purpose behind WebAuthn is not only to address security problems like phishing and data breaches but also significantly increase ease of use. Citing the reason behind bringing this support, Lucas Garron, GitHub’s Security Engineer, wrote in the announcement, “Account security is critical for GitHub. Although we support strong authentication options, many people still don’t use a password manager or two-factor authentication because individual passwords have always been the easiest choice.” You will be able to use physical security keys on GitHub if you are using the following: Firefox and Chrome-based browsers on Windows, macOS, Linux, and Android Edge users on Windows Brave on iOS using the new YubiKey 5Ci Safari Technology Preview on macOS GitHub also allows using your laptop or phone as a security key if you do not want to carry an actual physical key. For this, you are required to register your device first. People using Microsoft Edge on Windows can register their device using Windows Hello with facial recognition, fingerprint reader, or PIN. Chrome users on macOS can use Touch ID, while on Android they can use the fingerprint reader to register their device. Currently, security keys are secondary to authentication with a TOTP application or a text message. As more platforms start supporting security keys, GitHub plans to eventually make them the primary second factor. “Because platform support is not yet ubiquitous, GitHub currently supports security keys as a supplemental second factor. But we’re evaluating security keys as a primary second factor as more platforms support them. In addition, WebAuthn can make it possible to support login using your device as a “single-factor” security key with biometric authentication instead of a password,” Garron said. This announcement got mixed reactions from users. While some think that security keys are future of online authentication, others believe that we are better off with just a plain username-and-password authentication. The concerns users have for fingerprints and other biometric means for authentication is that they are not really a secret and if in case they are compromised there is no way to reset them. https://twitter.com/probonopd/status/1164241777089548289 Those supportive of this step are excited about the ease of use WebAuthn brings. A user on Hacker News commented, "This is fantastic. I look forward to finally having much easier authentication on the web. Imagine browsers syncing between devices a single encryption key that will authenticate you to all sites, which you can easily back up to a piece of paper." Another user suggested, "In a somewhat related vein: it would be really fantastic if Github allowed the same SSH key (in my case: a Yubikey-resident SSH key) on multiple accounts; we use separate accounts for different clients, and Github's refusal to allow an SSH key to be used on multiple accounts means I can't use Yubikey SSH keys for those." If you’d like to add support for security keys as an authentication option for your web service, you can use a JSON. Check out the official announcement by GitHub to know in detail. GitHub deprecates and then restores Network Graph after GitHub users share their disapproval DockerHub database breach exposes 190K customer data including tokens for GitHub and Bitbucket repositories Apache Software Foundation finally joins the GitHub open source community  

Last week the Apache Flink community announced the release of Apache Flink 1.9.0. The Flink community defines the project goal as “to develop a stream processing system to unify and power many forms of real-time and offline data processing applications as well as event-driven applications.” In this release, they have made a huge step forward in that effort, by integrating Flink’s stream and batch processing capabilities under a single, unified runtime. There are significant features in this release, namely batch-style recovery for batch jobs and a preview of the new Blink-based query engine for Table API and SQL queries. The team also announced the availability of the State Processor API, one of the most frequently requested features that enables users to read and write savepoints with Flink DataSet jobs. Additionally, Flink 1.9 includes a reworked WebUI and previews of Flink’s new Python Table API and it is integrated with the Apache Hive ecosystem. Let us take a look at the major new features and improvements: New Features and Improvements in Apache Flink 1.9.0 Fine-grained Batch Recovery The time to recover a batch (DataSet, Table API and SQL) job from a task failure is significantly reduced. Until Flink 1.9, task failures in batch jobs were recovered by canceling all tasks and restarting the whole job, i.e, the job was started from scratch and all progress was voided. With this release, Flink can be configured to limit the recovery to only those tasks that are in the same failover region. A failover region is the set of tasks that are connected via pipelined data exchanges. Hence, the batch-shuffle connections of a job define the boundaries of its failover regions. State Processor API Up to Flink 1.9, accessing the state of a job from the outside was limited to the experimental Queryable State. In this release the team introduced a new, powerful library to read, write and modify state snapshots using the batch DataSet API. In practice, this means: Flink job state can be bootstrapped by reading data from external systems, such as external databases, and converting it into a savepoint. State in savepoints can be queried using any of Flink’s batch APIs (DataSet, Table, SQL), for example to analyze relevant state patterns or check for discrepancies in state that can support application auditing or troubleshooting. The schema of state in savepoints can be migrated offline, compared to the previous approach requiring online migration on schema access. Invalid data in savepoints can be identified and corrected. The new State Processor API covers all variations of snapshots: savepoints, full checkpoints and incremental checkpoints. Stop-with-Savepoint Cancelling with a savepoint is a common operation for stopping/restarting, forking or updating Flink jobs. However, the existing implementation did not guarantee output persistence to external storage systems for exactly-once sinks. To improve the end-to-end semantics when stopping a job, Flink 1.9 introduces a new SUSPEND mode to stop a job with a savepoint that is consistent with the emitted data. You can suspend a job with Flink’s CLI client as follows: bin/flink stop -p [:targetDirectory] :jobId The final job state is set to FINISHED on success, allowing users to detect failures of the requested operation. Flink WebUI Rework After a discussion about modernizing the internals of Flink’s WebUI, this component was reconstructed using the latest stable version of Angular — basically, a bump from Angular 1.x to 7.x. The redesigned version is the default in Apache Flink 1.9.0, however there is a link to switch to the old WebUI. Preview of the new Blink SQL Query Processor After the donation of Blink to Apache Flink, the community worked on integrating Blink’s query optimizer and runtime for the Table API and SQL. The team refactored the monolithic flink-table module into smaller modules. This resulted in a clear separation of well-defined interfaces between the Java and Scala API modules and the optimizer and runtime modules. Other important changes in this release: The Table API and SQL are now part of the default configuration of the Flink distribution. Previously, the Table API and SQL had to be enabled by moving the corresponding JAR file from ./opt to ./lib. The machine learning library (flink-ml) has been removed in preparation for FLIP-39. The old DataSet and DataStream Python APIs have been removed in favor of FLIP-38. Flink can be compiled and run on Java 9. Note: that certain components interacting with external systems (connectors, filesystems, reporters) may not work since the respective projects may have skipped Java 9 support. The binary distribution and source artifacts for this release are now available via the Downloads page of the Flink project, along with the updated documentation. Flink 1.9 is API-compatible with previous 1.x releases for APIs annotated with the @Public annotation. You can review the release notes to know about the detailed list of changes and new features to upgrade Flink setup to Flink 1.9.0. Apache Flink 1.8.0 releases with finalized state schema evolution support Apache Flink founders data Artisans could transform stream processing with patent-pending tool Apache Flink version 1.6.0 released!

Microsoft had initially come up with Windows IoT which was formerly known as Windows Embedded. It was rebranded with the release of Windows 10 where Microsoft introduced twelve versions of Windows 10 that varied in features delivered, use cases, and the devices they supported. With that said, Microsoft gained a fighting place in the world of IoT with Windows 10 IoT which consists of two products catering to different customer bases: Windows 10 IoT Core and Windows 10 IoT Enterprise. Since IoT has to still evolve amongst major enterprises, we will focus on Window 10 IoT Core today. Windows 10 IoT Core is an optimized version of Windows 10 that is designed for smaller devices with or without a display that run on both ARM and x86/x64 devices. It is created to work on devices such as Raspberry Pi, Arduino, and other popular single board computers while it also utilizes the extensible Universal Windows Platform (UWP) API to build great solutions. The IoT domain has always been popular with traditional open source operating systems such as Linux distributions. Since the past couple of years, Windows has started to find its way into this domain and have proven to be an advantageous alternative in many ways. Initially setting up Windows 10 IoT Core to install the image and get started was a task. Recently Microsoft has focused on alleviating these small pain points and has got things sorted for Windows users. When it comes to developing IoT applications, open source distros lack making beautiful user interfaces possible. But with Windows this can be achieved thanks to Visual Studio. Visual Studio has always been a great environment to code in and if you are strong with C#, this can definitely be your go to platform. I emphasize on Windows users because  if you are looking at using or developing on Windows 10 IoT Core you would strictly need Windows 10 which isn’t open source. Well, this might never change. No doubt Microsoft wants to sell its software keeping its existing user happy. This would only be possible when Microsoft services work well only in its own environment. I’m sure you are wondering what could you possibly build with Windows 10 IoT Core and Raspberry Pi or Arduino. These are some breathtaking project ideas that you might be interested in building: Obstacle avoiding robot: This could be your basic project that can help you getting used to the new ecosystem you have adopted. Room light and temperature manager: Next, you can get some home automation tweaks that will help you automate your room environment.   Personal car data monitor: This can be an intermediate project where your IoT application can reveal the health of your vehicle before you start your ride.   Pet feeder: Lastly, you can take up something that involves Cloud platforms where you can feed your pet while your in office or at your neighbours instead of letting them starve. IoT is at such a stage now where the virtual world of Information Technology is connected to the read world. Initially this was possible only through Linux-based ecosystem, but with Windows 10 IoT coming into picture there has been quite a shift observed in the IoT market. Users have observed that in spite running on smaller devices Windows 10 IoT has managed to offer most of the essential features from parent Windows 10.  The world may still seem like a Linux base and deploying Python programs may look easier but it’s best to keep your options open and in this case you have a trusted platform, Windows. 5 reasons to choose AWS IoT Core for your next IoT project Should you go with Arduino Uno or Raspberry Pi 3 for your next IoT project? Splunk Industrial Asset Intelligence (Splunk IAI) targets Industrial IoT marketplace

Today, StackRox, a company providing threat protection for containers and Kubernetes, announced the availability of the StackRox App for the Sumo Logic Continuous Intelligence Platform. The StackRox App for Sumo Logic provides customers with critical insights into misconfigurations and security events for their container and Kubernetes environments directly within their Sumo Logic Dashboard. Using this app, different security teams can view StackRox data regarding vulnerabilities, misconfigurations, runtime threats, and other policy violations within Sumo Logic and streamline their remediation efforts. John Coyle, vice president of business development for Sumo Logic, said, "We're excited to launch our Kubernetes security integration with StackRox since it will enable customers to gain unparalleled insights and operational metrics in a single dashboard to ensure their cloud-native environments are continuously protected.” "The StackRox Kubernetes-native container security platform provides unique context on misconfigurations, risk profiling, and runtime incidents that will enable our joint customers to more quickly identify and address security issues," Coyle further added. The StackRox App for Sumo Logic provides several key metrics such as vulnerabilities, runtime threats, and compliance violations across container and Kubernetes environments through the following dashboards: StackRox Overview:  This offers a snapshot of key metrics about an organization’s overall Kubernetes and container security posture StackRox Image Violations: These display information from StackRox’s image scanning and vulnerability management capabilities and prioritizes security issues in container images based on rich context derived from Kubernetes StackRox Kubernetes Violations: These highlight prioritized list of misconfigurations of Kubernetes components based on more than 70 DevOps and Security best practices StackRox Runtime Violations: These provide insights into threats and other suspicious activity at runtime based on continuous monitoring of every single container within Kubernetes environments Richard Reinders, manager of security operations for Looker, a joint StackRox and Sumo Logic customer said, “StackRox gives us a Kubernetes-centric single pane of glass view into the security posture of our multi-cloud infrastructure. Having StackRox’s unique Kubernetes security insights available directly on our Sumo Logic Dashboard provides us with a single place to view security and compliance details alongside our operational analytics for our cloud-native infrastructure. This integration also allows us to use a single, consistent, security event detection and response pipeline.” To more about the StackRox App for Sumo Logic head over to its official website. Other interesting news in security CNCF-led open-source Kubernetes security audit reveals 37 flaws in Kubernetes cluster; recommendations proposed Over 47K Supermicro servers’ BMCs are prone to USBAnywhere, a remote virtual media vulnerability Espressif IoT devices susceptible to WiFi vulnerabilities can allow hijackers to crash devices connected to enterprise networks

Yesterday, Brave, the company co-founded by ex-Mozilla CEO, Brendan Eich, launched version 1.0 of its browser for Windows, macOS, Linux, Android and iOS. In a browser market where users have to compromise on their privacy, Brave is positioning itself as a fast option that preserves users’ privacy with strong default settings, as well as a crypto currency-centric private ads and payment platform that allows users to reward content creators. “Surveillance capitalism has plagued the Web for far too long and we’ve reached a critical inflection point where privacy-by-default is no longer a nice-to-have, but a must-have. Users, advertisers, and publishers have finally had enough, and Brave is the answer. Brave 1.0 is the browser reimagined, transforming the Web to put users first with a private, browser-based ads and payment platform. With Brave, the Web can be a rewarding experience for all, without users paying with their privacy.” said Brendan Eich, co-founder and CEO of Brave Software. “Either we all accept the $330 billion ad-tech industry treating us as their products, exploiting our data, piling on more data breaches and privacy scandals, and starving publishers of revenue; or we reject the surveillance economy and replace it with something better that works for everyone. That’s the inspiration behind Brave,” he added. The company also announced last month that Brave has about 8 million monthly active users. Brave offers a privacy-first approach to its users that natively blocks trackers, invasive ads, and device fingerprinting. This leads to substantial improvements in speed, privacy, security, performance, and battery life. It has default settings to block phishing, malware, and malvertising. Embedded plugins, which have proven to be an ongoing security risk, are disabled by default in Brave. Browsing data always stays private and on the user’s device, which means Brave will never see or store the data on its servers or sell user data to third-parties. Brave 1.0 key features Additionally Brave 1.0 offers some unique features to its users: Brave Rewards program to fund open web – By activating Brave Reward, users can support their favorite publishers and content creators and integrate Brave wallet on both desktop and mobile. This feature allows users to send Basic Attention Tokens (BAT) as tips for great content, either directly as they browse or by defaulting to recurring monthly payments to continuously support websites you visit frequently. There are over 300,000 verified websites on-boarded on Brave for this program including The Washington Post, The Guardian, Wikipedia, YouTube, Twitch, Twitter, GitHub and more. Brave Ads compensate users for their attention – Brave has a new blockchain-based advertising model that enables privacy and gives 70% of its revenue share in the form of Basic Attention Tokens (BAT) to users who view the Brave ads. These ads are a part of private ad network and Brave Rewards program. It allows users to opt-in to view relevant privacy-preserving ads in exchange for earning BAT. When users opt into Brave Rewards, Brave ads are enabled by default. As per the content viewed by a user, ad matching happens directly on the user’s device, so their data is never sent to anyone, and they see rewarding ads without mass surveillance. Users can also transfer their earned BAT from the wallet and convert into digital assets and fiat currencies, but they need to complete the verification process with Uphold, a digital money platform. Brave Shields for automatic ad and tracker blocking – Brave Shields, this feature is enabled by default and is customizable from the address bar. It blocks invasive third-party ads, trackers, and autoplay videos immediately – without needing to install any additional programs. On Hacker News, users have appreciated the way Brave browser operates and rewards its content consumers as well as the creators. One of them has explained its functioning in detail, “I've been using Brave rewards, both as a user and a content maker. It's really great, and I feel this may be a reasonable alternative to the invasive trackers+ads we have today. For the uninitiated, Brave lets users opt-in to Brave rewards: - You set your browser to reward content creators with Basic Attention Token (BAT). You set a budget (e.g. 10 BAT/month), and Brave distributes it the sites you use most, e.g. if you watch a particular YouTube channel 30% of your browsing time, it will send 30% of 10 BAT each month to that content creator. - As a user, you can get paid in BAT. You tell Brave if you're willing to see ads, and how often. If so, you get paid in BAT, which you can then distribute to content creators. Brave ads are different: rather than intrusive in-page ads, Brave ads show up as a notification in your operating system outside of the page. This prevents slow downs of the page, keeping your browsing focused, while still allowing support of content creators. And of course, Brave ads are optional and opt-in.” You can download Brave for free, by visiting official Brave page, Google Playstore or the App Store. Google is circumventing GDPR, reveals Brave’s investigation for the Authorized Buyers ad business case Brave ad-blocker gives 69x better performance with its new engine written in Rust Edge, Chrome, Brave share updates on upcoming releases, recent milestones, and more at State of Browsers event Brave launches its Brave Ads platform sharing 70% of the ad revenue with its users Brave Privacy Browser has a ‘backdoor’ to remotely inject headers in HTTP requests: HackerNews

As any JavaScript framework community grows, it becomes difficult to navigate which avenues developers have to look for solutions to problems they have encountered. FeathersJS has continually been at the forefront of JavaScript discussions since its inception, as illustrated in the annual State of JS survey. We created FeathersJS Resources as a hub, or rather a starting point, to assist people in the Feathers community find what they may be searching for. There are many resource lists available, however, we noticed a lacking of curated examples. Our goal with this list is to provide an up-to-date account of which libraries are maintained, projects are active, and examples of FeathersJS in the wild. Our general rules for curation are as follows: projects on npm must have been published in the past two years; projects on GitHub must have been updated in the past two years; projects should be well documented; articles and tutorials should be topical to the FeathersJS community; examples should use FeathersJS as a part of their stack; support channels should be qualified by the FeathersJS core team. Not to overestimate our abilities to keep track of all projects in the ecosystem, we have a channel for people to submit projects for review, which can be added to the Feathers Resources site. With the above criteria, we have broken the list into several categories which will certainly be expanded as time goes on. A few notable examples from each category are: Articles and Tutorials How we debug Feathers APIs using Postman Author Juan Orozco details a general process, conventions, and steps on how Aquil.io uses Postman to develop and debug APIs with Feathers. A few gotchas are elaborated and patterns on how Aquil.io rapidly develops APIs are explained. Read article Build a CRUD App Using React, Redux and FeathersJS Author Michael Wanyoike takes readers through getting a contact manager application set up with Feathers, Create React App, and MongoDB. The benefits of following conventions in REST and a bit of Feathers background is explained with a concrete example. Read article Tools feathers-hooks-common feathers-hooks-common is a suite of hooks allowing developers to architect common processes in a composable fashion. Readable hook flows are created such as: iff(isProvider('external'), disallow()). Learn more feathers-sync feathers-sync allows for scaling Feathers APIs and keeping socket events in sync through an intermediary data source, such as Redis. With this project, a modifying request, such as a POST, may ping a single server while the {service}::created event will be relayed to all other servers in the cluster and their corresponding subscribers. Learn more Support Feathers Slack channel The official channel for FeathersJS discussions. Open to the public and staffed by the core team. The core maintainer and author, David Luecke, is typically available to answer in depth questions regarding the usage of Feathers. Slack channel Office hours Members of the FeathersJS core team and experts at Aquil.io are available for questions that may require a call or a screen share to debug or discuss issues the community is facing. Developers at Aquil.io have been power users of Feathers since 2014 and have experience in many of the nuances in real-world settings. Visit aquil.io Our hope is this list provides a bit of direction, if you are new to the community, and a place to quickly find support if you need it. The above is a sample, but be sure to read the full list at feathersresources.dev. If you want to check out what I’m working on or have web development needs, visit Aquil.io. Originally published at https://aquil.io on September 28, 2020. Tools, projects, and examples for FeathersJS developers in 2020 was originally published in DailyJS on Medium, where people are continuing the conversation by highlighting and responding to this story.

Today, Reuters reported that Google has won an approval from U.S. regulators for deploying a radar-based motion sensing device known as project Soli. According to the report, the Federal Communications Commission (FCC) specified in an order late on Monday that it will grant Google a waiver for operating the Soli sensors at higher power levels than currently allowed. The FCC said, “the decision will serve the public interest by providing for innovative device control.” These Soli sensors help in capturing motion in 3D space with a radar beam for enabling touchless control of functions that help users with mobility and speech impairments. According to Google, the Soli sensor can allow users to press an invisible button between the thumb and index fingers or a virtual dial that turns by rubbing a thumb against the index finger. Google says“even though these controls are virtual, the interactions feel physical and responsive”, as the feedback is generated by the haptic sensation of fingers touching. According to Google, the virtual tools can approximate the precision of natural human hand motion and the Soli sensor can be embedded in wearables, computers, phones, and vehicles including aircraft. Last year in March, Google asked the FCC to allow its short-range interactive motion-sensing Soli radar to operate in the 57 to 64 GHz frequency band at power levels consistent with European Telecommunications Standards Institute standards. In July, Facebook Inc raised concerns that the Soli sensors operating in the spectrum band at higher power levels might have issues coexisting with other technologies. In September, post the discussions, Reuters writes, Google and Facebook collectively told the FCC agreeing that the sensors could operate at higher than currently allowed power levels without interference. In September, Facebook told FCC that it expected a “variety of use cases to develop with respect to new radar devices, including Soli.” Users are excited about this news and are appreciating Google’s efforts towards experimenting something new. One user commented on HackerNews, “Go big or go home. That's one thing I like about Google/Alphabet. Not being afraid to try completely new things outside the normal comfort zone of their traditional product space, and aiming for the most radical potentially game-changing ones at that.” Another user commented on Reddit, “Will be interesting to see if this makes it into new watches/phones by the end of the year.” This news was first reported by  Reuters. Google Cloud releases a beta version of SparkR job types in Cloud Dataproc Google shares initiatives towards enforcing its AI principles; employs a formal review structure for new projects France to levy digital services tax on big tech companies like Google, Apple, Facebook, Amazon in the new year  

Last week, the CEO and CXO of elementary OS, Cassidy James Blaede announced the release of elementary OS 5.1, code named ‘Hera’. elementary OS is an Ubuntu-based desktop distribution, which promises to be a “fast, open, and privacy-respecting” replacement to macOS and Windows.  Building upon the solid foundations laid out by its predecessor Juno, Hera brings several new features including native support for Flatpak, a faster AppCentre storefront, accessibility features, among other updates. Key updates in elementary OS 5.1 Hera Brand new greeter and onboarding In elementary OS 5.1 Hera, the greeter and onboarding have seen major changes in order to give users an improved first-run experience. In addition to looking better, the redesigned greeter addresses some of the key reported issues including keyboard focus issues, HiDPI issues, and better localization. Hera also ships with a new Onboarding app that gives you a quick introduction to key features and also takes care of common first-run tasks like managing privacy settings. Native Flatpak support and AppCenter updates elementary OS 5.1 Hera comes with native support for Flatpack, an application sandboxing and distribution framework. It enables developers to create one application and distribute it to different Linux desktop distributions.  Hera includes a new core elementary OS utility called Sideload that allows users to sideload Flatpak apps. Any updates to the sideloaded apps will appear in AppCenter and apps from any user-added Flatpak remotes will show up in AppCenter as uncurated apps. Along with the Flatpak support, Blaede shared that it is now “up to 10× faster in Hera, loading the homepage and featured apps blazingly fast.” Accessibility improvements A bunch of accessibility features has landed in elementary OS 5.1 Hera. System Settings are now more accessible to all users. Discoverability of performance and keyboard shortcut has been improved. Sound settings has a new approach to handling external devices and there is a “Flash screen” option for event alerts to better manage whether alerts are audible, visual, both, or neither. The Mouse & Touchpad settings in elementary OS 5.1 Hera are now organized into sections based on different behavior. Several accessibility settings like long-press secondary click, reveal pointer, double-click speed, and control pointer using keypad have been exposed. Also, the touchpad settings now has an “Ignore when mouse is connected” toggle. Many developers have already started trying out this release. A Hacker News user shared their first impressions on a discussion regarding this release, “I installed this on my XPS 13 this morning, and it's really nice. It has a lot of overall polish that most DE's are missing, it looks and feels cohesive. It installed without any issues, and I had no problem with my Ubuntu-leaning dotfiles. I will probably keep this for the near future, it's very pleasant.” These were some of the updates in elementary OS 5.1 Hera. Check out the official announcement to know more about this release. Redox OS will soon permanently run rustc, the compiler for the Rust programming language, says Redox creator Jeremy Soller Nate Chamberlain talks about the Microsoft Enterprise Mobility and Security suite and becoming M365 certified Microsoft technology evangelist Matthew Weston on how Microsoft PowerApps is democratizing app development [Interview]