
Tech News

Sugandha Lahoti
26 Feb 2019
2 min read

Mozilla partners with Scroll to understand consumer attitudes for an ad-free experience on the web

Mozilla has partnered with the news subscription service Scroll to provide a transparent news experience for publishers and users alike. Mozilla will work with Scroll to better understand how consumers react to ad-free experiences on the web and to subscription-based funding models. With Scroll, it will conduct product explorations by inviting small groups of browser users at random to respond to surveys, provide feedback, and potentially test proposed new features, products, or services. This initiative will help Mozilla find alternatives to the status quo advertising models.

In a blog post, Mozilla mentioned the reason behind this initiative: “We are turning our attention towards finding a more sustainable ecosystem balance for publishers and users alike. We’re transparent and experiment with new ideas in the open, especially when those ideas could have a significant impact on how the web ecosystem works. In 2019, we will continue to explore new product features and offerings, including our ongoing focus on identifying a more sustainable ecosystem balance for both publishers and users.”

In a conversation with VentureBeat, Scroll CEO Tony Haile said the company began talking with Mozilla about partnership opportunities last year. “It’s early days for this partnership, but we want to be transparent from the get-go and are hugely excited about what we might learn as we seek a better web ecosystem together,” he said. “One of the companies we’ve always looked up to most has been Mozilla. From their inception they have been dedicated to the concept of an internet that puts people first. They’ve been at the forefront of driving forward user experience on the web as well as how we think about data and privacy online. In this, they have been an inspiration to all of us at Scroll,” he added.

Sugandha Lahoti
26 Feb 2019
3 min read

Go 1.12 released with support for TLS 1.3, module support among other updates

Go 1.12 was released yesterday with opt-in support for TLS 1.3, improved modules support, support for windows/arm, and improved macOS and iOS forwards compatibility. The previous Go version, Go 1.11, was released in August last year.

What’s new in Go 1.12?

Opt-in support for TLS 1.3

Go 1.12 adds opt-in support for TLS 1.3 in the crypto/tls package. It can be enabled by adding the value tls13=1 to the GODEBUG environment variable. It will be enabled by default in Go 1.13. All TLS 1.2 features except TLSUnique in ConnectionState and renegotiation are available in TLS 1.3 and provide equivalent or better security and performance. TLS 1.3 cipher suites are not configurable.

Since TLS 1.3 0-RTT mode involves clients keeping state regarding which servers support 0-RTT, a Go 1.12 server cannot be part of a load-balancing pool where some other servers do support 0-RTT. In TLS 1.3, the client is the last one to speak in the handshake, so if it causes an error to occur on the server, the error will be returned on the client by the first Read, not by Handshake.

Improved module support

The go command now supports module-aware operations outside of a module directory, provided that those operations do not need to resolve import paths relative to the current directory or explicitly edit the go.mod file. Commands such as go get, go list, and go mod download behave as if in a module with initially-empty requirements. go commands that download and extract modules are now safe to invoke concurrently. The go directive in a go.mod file now indicates the version of the language used by the files within that module. When an import cannot be resolved using the active modules, the go command will now try to use the modules mentioned in the main module's replace directives before consulting the module cache and the usual network sources.

Other changes

Go's new windows/arm port supports running Go on Windows 10 IoT Core on 32-bit ARM chips. Go 1.12 also supports AIX 7.2 and later on POWER8 architectures (aix/ppc64). For macOS, Go 1.13 will require macOS 10.11 El Capitan or later. The go vet command has been rewritten, so go tool vet is no longer supported. The Go tour is no longer included in the main binary distribution. The build cache is now required as a step toward eliminating $GOPATH/pkg. Go 1.12 will translate the C type EGLDisplay to the Go type uintptr. The compiler's live variable analysis has improved. Wrappers generated by the compiler to implement method expressions are no longer reported by runtime.CallersFrames and runtime.Stack. The compiler toolchain now uses different conventions to call Go functions and assembly functions. Go 1.12 is the last release that will include the godoc webserver; in Go 1.13 it will be available via go get. The trace tool now supports plotting mutator utilization curves, including cross-references to the execution trace. Go 1.12 significantly improves the performance of sweeping when a large fraction of the heap remains live.

These are just a select few updates. For full details about the changes in Go 1.12, you may go through the Go 1.12 release notes.

Bhagyashree R
25 Feb 2019
2 min read

ISO C++ Committee announces that C++20 design is now feature complete

Last week, as per the schedule, the ISO C++ Committee met in Kona, Hawaii to finalize the feature set for the next International Standard (IS), C++20. The committee has announced that C++20 is now feature complete and that it plans to finish the C++20 specification at the upcoming meeting, which is scheduled for July 2019. Once the specification is complete, the committee plans to send out the Committee Draft for review.

Some of the features this draft includes:

Modules

With the introduction of modules, developers will no longer need to separate their files into header and source parts. The committee has now fixed internal linkage escaping modules.

Coroutines

The committee has gone through the coroutines proposals and has decided to go ahead with the specification. According to the specification of this feature, three keywords will be added: co_await, co_yield, and co_return.

Contracts

Contracts are made up of preconditions, postconditions, and assertions. These act as a basic mitigation measure when a program goes wrong because of some mismatch of expectations between parts of the program. The committee is focused on refining the feature and has renamed expects/ensures to pre/post.

Concepts

The concepts library includes the definitions of fundamental library concepts, which are used for compile-time validation of template arguments and to perform function dispatch on properties of types.

Ranges

The ranges library comes with components for dealing with ranges of elements, including a variety of view adapters.

To read the entire announcement, check out this Reddit thread.

Savia Lobo
25 Feb 2019
4 min read

Researchers highlight design weaknesses in the 4G and 5G Cellular Paging Protocols

A few researchers from Purdue University and the University of Iowa have recently found three new security flaws in the 4G and 5G protocols that can easily allow intruders to intercept calls and also track a user’s device location. The research paper, titled ‘Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information’, describes design weaknesses of the 4G/5G cellular paging protocol that attackers can misuse to identify a victim’s presence in a particular cell area just from the victim’s soft-identity (e.g., phone number, Twitter handle), using a novel attack called ToRPEDO (TRacking via Paging mEssage DistributiOn). The paper also highlights two other attacks, PIERCER and IMSI-Cracking, which can be carried out via the ToRPEDO attack.

The researchers state in the paper, “All of our attacks have been validated in a realistic setting for 4G using cheap software-defined radio and open-source protocol stack.” According to TechCrunch, “Hussain, along with Ninghui Li and Elisa Bertino at Purdue University, and Mitziu Echeverria and Omar Chowdhury at the University of Iowa are set to reveal their findings at the Network and Distributed System Security Symposium in San Diego on Tuesday.”

The three security flaws in the 4G/5G cellular paging protocols

The ToRPEDO attack

The ToRPEDO attack exploits a 4G/5G paging protocol weakness. If the attacker already knows the victim’s phone number, it enables the attacker to verify the victim’s presence in a particular cellular area and, in the process, to identify the victim’s paging occasion. ToRPEDO can enable an adversary to verify a victim’s coarse-grained location information, inject fabricated paging messages, and mount denial-of-service attacks.

PIERCER attack

This attack exploits a 4G paging deployment vulnerability that allows an attacker to determine a victim’s international mobile subscriber identity (IMSI) on the 4G network.

IMSI-Cracking attack

In this attack, the victim’s IMSI details are leaked for both 4G and 5G. The researchers have demonstrated in the paper how, by using the ToRPEDO attack as a sub-step, attackers can retrieve a victim device’s persistent identity (i.e., IMSI) with a brute-force IMSI-Cracking attack.

One of the co-authors, Syed Rafiul Hussain, told TechCrunch, “Any person with a little knowledge of cellular paging protocols can carry out this attack.” “According to Hussain, all four major U.S. operators — AT&T, Verizon (which owns TechCrunch), Sprint and T-Mobile — are affected by Torpedo, and the attacks can be carried out with radio equipment costing as little as $200”, TechCrunch reports.

Hussain said the flaws were reported to the GSMA, an industry body that represents mobile operators. GSMA recognized the flaws, but a spokesperson was unable to provide comment when reached. It isn’t known when the flaws will be fixed.

One of the users wrote on HackerNews, “Most people consider the fact that your handset will readily talk to any base station that's on the air to be a feature. Try to imagine how things would work if you had to authenticate and authorize every station on the network. It's true that anyone who gets on the air and speaks the air protocol can screw with your phone. Those people are also violating multiple laws and regulations in the course of doing so.”

To know more about these flaws in detail, head over to the complete research paper.

Natasha Mathur
25 Feb 2019
4 min read

Core CPython developer unveils a new project that can analyze his phone's ‘silent connections’

Kushal Das, a staff member at Freedom of the Press Foundation, privacy advocate, and CPython core developer, published a post earlier this month titled ‘Tracking my phone’s silent connections’. In the post, Das talks about a new system he has built, using existing open source projects and tools, to track what his phone does and which servers it connects to, and to look deeper into the network traffic from the phone.

How did he start?

Das mentions that his initial trial involved creating a Wi-Fi hotspot at home using a Raspberry Pi. He then started to capture all the packets from this device with the help of standard tools (dumpcap) and to go through the logs using Wireshark, a network protocol analyzer. This procedure, however, could only capture data while the phone was connected to the network at home. So Das took a different approach: he chose ‘algo’ to create a VPN server and then used WireGuard, a modern VPN tunnel, to connect his iPhone to the VPN. This allowed all the traffic from the phone to be captured easily on the VPN server.

Analyzing the data after one week

Das initially captured data for only one week. He then started to collect the pcap files on his computer, where he also wrote Python code to put the data into an SQLite database. This allowed him to query the data very fast. Das plotted a graph of all the different domains that were queried at least 10 times in a week. He observed that his phone was trying to find servers from Apple, as it is an iPhone. He also noted many queries related to Twitter, as he uses the Twitter app frequently. Then came Google, for which the phone queried many other Google domains (although he only sometimes browsed YouTube). He also observed queries to the Akamai CDN service and to Amazon AWS related hosts. Many data analytics related companies were also queried, including dev.appboy.com.

Tracking the data flow

After looking at the DNS queries, Das wanted to look deeper into the actual servers that his phone communicates with. He put together a graph of all the major companies that his phone communicates with.

[Figure: Major Companies]

Das discovered that Apple is the leading firm, taking about 44% of all the connections from his phone, or 495225 connections. Twitter takes second place, with Edgecastcdn third. He noticed that his phone communicated with Google servers 67344 times, i.e. 7 times less than with Apple. He then removed big firms such as Google and Amazon from the graph and observed that analytics companies such as nflxso.net and mparticle.com make up about 31% of the connections. The 3 other CDN companies, Akamai, CloudFront, and Cloudflare, make up 8%, 7%, and 6% respectively.

Das mentions that he doesn’t have information about the things these companies track on his phone, which he finds scary. “Do I know what all things are these companies tracking? Nope, and that is scary enough,” said Das.

Future work

Das mentions that he’s looking into creating a set of tools in the future that can be deployed on the VPN server, are user-friendly, and make it easy to monitor and block/unblock traffic from the phone. “The major part of the work is to make sure that the whole thing is easy to deploy, and can be used by someone with less technical knowledge”, states Das.

For more information, check out the official blog post by Kushal Das.

Melisha Dsouza
25 Feb 2019
4 min read

Microsoft @MWC (Mobile World Congress) Day 1: HoloLens 2, Azure-powered Kinect camera and more!

The ongoing Mobile World Congress 2019 in Barcelona has an interesting line-up of announcements, keynote speakers, summits, seminars and more. It is the largest mobile event in the world, bringing together the latest innovations and leading-edge technology from more than two thousand leading companies. The theme of this year’s conference is ‘Intelligent Connectivity’, which comprises the combination of flexible, high-speed 5G networks, the Internet of Things (IoT), artificial intelligence (AI) and big data. Microsoft unveiled a host of new products along the same theme on the first day of the conference. Let’s have a look at some of them.

#1 Microsoft HoloLens 2 AR announced!

Microsoft unveiled the HoloLens 2 AR device at the Mobile World Congress (MWC). This $3,500 AR device is aimed at businesses, and not at the average person, yet. It is designed primarily for situations where field workers might need to work hands-free, such as manufacturing workers, industrial designers and those in the military. The device is definitely an upgrade from Microsoft’s very first HoloLens, which recognized basic tap and click gestures. The new headset recognizes 21 points of articulation per hand and accounts for improved and realistic hand motions. The device is less bulky, and its eye tracking can measure eye movement and use it to interact with virtual objects. It is built to be a cloud- and edge-connected device. The HoloLens 2 field of view more than doubles the area covered by HoloLens 1.

Microsoft said it has plans to announce a follow-up to HoloLens 2 in the next year or two. According to Microsoft, this device will be even more comfortable and easier to use, and it will do more than the HoloLens 2. HoloLens 2 is available on preorder and will be shipping later this year. The device has already found itself in the midst of a controversy after the US Army invested $480 million in more than 100,000 headsets. The contract has stirred dissent amongst Microsoft workers.

#2 Azure-powered Kinect camera for enterprise

The Azure-powered Kinect camera is an “Intelligent edge device that doesn’t just see and hear but understands the people, the environment, the objects, and their actions,” according to Azure VP Julia White. This AI-powered smart enterprise camera leverages Microsoft’s 3D imaging technology and can possibly serve as a companion hardware piece for HoloLens in the enterprise. The system has a 1-megapixel depth camera, a 12-megapixel camera and a seven-microphone array on board to help it work with "a range of compute types, and leverage Microsoft’s Azure solutions to collect that data.” The system, priced at $399, is available for pre-order.

#3 Azure Spatial Anchors

Azure Spatial Anchors are launched as a part of the Azure mixed reality services. These services will help developers and businesses build cross-platform, contextual and enterprise-grade mixed reality applications. According to the Azure blog, these mixed reality apps can map, designate and recall precise points of interest which are accessible across HoloLens, iOS, and Android devices. Developers can integrate their solutions with IoT services and artificial intelligence, and protect their sensitive data using security from Azure. Users can easily infuse artificial intelligence (AI) and integrate IoT services to visualize data from IoT sensors as holograms. The Spatial Anchors will allow users to map their space and connect points of interest “to create wayfinding experiences, and place shareable, location-based holograms without any need for environmental setup or QR codes”. Users will also be able to manage identity, storage, security, and analytics with pre-built cloud integrations to accelerate their mixed reality projects.

#4 Unreal Engine 4 Support for Microsoft HoloLens 2

During the Mobile World Congress (MWC), Epic Games Founder and CEO Tim Sweeney announced that support for Microsoft HoloLens 2 will be coming to Unreal Engine 4 in May 2019. Unreal Engine will fully support HoloLens 2 with streaming and native platform integration. Sweeney says that “AR is the platform of the future for work and entertainment, and Epic will continue to champion all efforts to advance open platforms for the hardware and software that will power our daily lives.” Unreal Engine 4 support for Microsoft HoloLens 2 will allow for "photorealistic" 3D in AR apps.

Head over to Microsoft's official blog for an in-depth insight on all the products released.
Bhagyashree R
25 Feb 2019
4 min read

YouTube demonetizes anti-vaccination videos after Buzzfeed News reported that it is promoting medical misinformation

On Friday, YouTube told Buzzfeed News that it is demonetizing channels that promote anti-vaccination content. YouTube said that this type of content does not align with its policy and called it “dangerous and harmful” content. This decision comes just after the Buzzfeed News report about YouTube’s algorithm recommending videos that described vaccines as dangerous and also showing ads on these videos.

In an email to Buzzfeed News, a YouTube spokesperson said, “We have strict policies that govern what videos we allow ads to appear on, and videos that promote anti-vaccination content are a violation of those policies. We enforce these policies vigorously, and if we find a video that violates them, we immediately take action and remove ads.” Recently, YouTube also faced backlash for monetizing paedophilic videos by displaying ads from big brands such as Nestle, Disney, and Fortnite on them.

In addition to demonetizing the anti-vaccination videos, YouTube will also be showing an information panel that links to a Wikipedia page about “vaccine hesitancy.” YouTube also introduced information panels to prevent misinformation around the measles, mumps, and rubella (MMR) vaccine.

Right from the start of this year, it seems that things have not been going well for YouTube. In early January, it had to revise its policies to ban dangerous pranks and challenges. Later, it announced an update to reduce the recommendations of videos related to conspiracy, false claims about historical events, flat earth videos, etc.

What did Buzzfeed News report?

Very often, users visit YouTube not only for entertainment but also to get answers to their health-related questions. When the Buzzfeed News team searched for “Should I vaccinate my kids?”, they were presented with search results and recommendations for videos that were about anti-vaccination.

One of the examples they shared was a YouTube search for “immunization” that showed a video from the Rehealthify channel saying that vaccination is important to keep children protected from certain diseases. But just after this video, YouTube recommended an anti-vaccination video called “Mom Researches Vaccines, Discovers Vaccination Horrors and Goes Vaccine Free”. In this video, a mother shared why she decided to stop vaccinating her children. She said, “I wasn't always that person who was going to not vaccinate, but it has to start somewhere. If you go down a road, follow the road, and see where it leads. Unless you know for sure that your child will be 100% safe, do you want to play that game? If you can’t say ‘yes’ right now, pause.”

Buzzfeed News conducted a bunch of search tests from Feb 14 to Feb 20. Some search results showed videos from professional medical channels and celebrity doctors. In some tests, the Up Next recommendation videos were 100% related to anti-vaccination.

Even before the Buzzfeed News report, California Rep. Adam Schiff contacted both Facebook and Google asking them to address the anti-vaccination issue. “YouTube is surfacing and recommending messages that discourage parents from vaccinating their children, a direct threat to public health, and reversing progress made in tackling vaccine-preventable diseases,” wrote Schiff in the letter. Facebook responded that it is taking “steps to reduce the distribution of health-related misinformation on Facebook.” Last week, Pinterest also took a strong stand against the spread of misinformation related to vaccines by blocking all “vaccination” related searches.

The report also shared that YouTube was showing ads on these videos. Seven advertisers told Buzzfeed News that they were not even aware that their ads were shown on these channels. Nomad Health, a health tech company, told Buzzfeed News, “...not aware of our ads running alongside anti-vaccination videos.” These companies have asked YouTube to pull their ads from these videos.

You can read the full report on Buzzfeed News’ official website.

Amrata Joshi
25 Feb 2019
3 min read

ICANN calls for DNSSEC across unsecured domain names amidst increasing malicious activity in the DNS infrastructure

Last week, the Internet Corporation for Assigned Names and Numbers (ICANN) decided to call for the full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. ICANN took this decision because of the increasing reports of malicious activity targeting the DNS infrastructure. According to ICANN, there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. The DNS, which converts numerical internet addresses to domain names, has been the victim of various attacks using different methodologies.

https://twitter.com/ICANN/status/1099070857119391745?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet

Last month, security company FireEye revealed that hackers associated with Iran were hijacking DNS records, rerouting users from a legitimate web address to a malicious server in order to steal passwords. This “DNSpionage” campaign was targeting governments in the United Arab Emirates and Lebanon. Homeland Security’s Cybersecurity and Infrastructure Security Agency had warned that U.S. agencies were also under attack. In its first emergency order amid a government shutdown, the agency ordered federal agencies to take action against DNS tampering. David Conrad, ICANN’s chief technology officer, told the AFP news agency that the hackers are “going after the Internet infrastructure itself.”

ICANN is urging domain owners to deploy DNSSEC, which is a more secure version of DNS and is difficult to manipulate. DNSSEC cryptographically signs data, which makes it more difficult to spoof. Some of the attacks target the DNS by replacing the addresses of intended servers with addresses of machines controlled by the attackers. This type of attack only works when DNSSEC is not in use. ICANN also reaffirms its commitment to engaging in collaborative efforts to ensure the security, stability, and resiliency of the internet’s global identifier systems.

This month, ICANN offered a checklist of recommended security precautions for members of the domain name industry (registries, registrars, resellers, and related others) to proactively take steps to protect their systems. ICANN aims to assure that internet users reach their desired online destination by preventing “man in the middle” attacks, where a user is unknowingly redirected to a potentially malicious site.

A few users have previously been victims of DNS hijacking and think that this move won’t help them. One user commented on HackerNews, “This is nonsense, and possibly crossing the border from ignorant nonsense to malicious nonsense.” Another user said, “There is in fact very little evidence that we "need" the authentication provided by DNSSEC.” A few others think that this might work as a good solution. A comment reads, “DNSSEC is quite famously a solution in search of a problem.”

To know more about this news, check out ICANN’s official post.

Melisha Dsouza
25 Feb 2019
2 min read

BMW Volleys receives clearance to open-source RAMSES, a 3D rendering system

BMW has open-sourced its code for RAMSES (Rendering Architecture for Multi-Screen EnvironmentS) under the GENIVI in-vehicle infotainment alliance. The code is under the Mozilla Public License 2.0 and will be useful to developers interested in distributed 3D rendering. RAMSES implements a distributed system for rendering 3D content with a focus on ensuring high performance in terms of bandwidth and resource consumption.

According to KTelegram, RAMSES is designed to optimize the rendering of content from entertainment systems containing several screens. It is a layer that applies a client-server model to rendering: one process generates the 3D content and the other process is engaged in rendering it. Rendering can be performed on another device or in a virtual environment. RAMSES provides piping around existing OpenGL implementations and supports different versions of OpenGL (OpenGL ES 3.0+, OpenGL 4.2, 4.5, etc.). RAMSES also provides its own low-level API, which encapsulates and packages the commands and resources to minimize traffic between the client and the server. This allows the transmission of high-quality 3D content over conventional networks for display, without delays and gaps.

Natasha Mathur
25 Feb 2019
2 min read

TensorFlow 1.13.0-rc2 releases!

After the TensorFlow 1.13.0-rc0 release last month, the TensorFlow team is out with another update, 1.13.0-rc2, unveiling major features and updates. The new release includes minor bug fixes, improvements, and other changes. Let’s have a look at the noteworthy features in TensorFlow 1.13.0-rc2.

Major Improvements

  • TensorFlow Lite has moved from contrib to core.
  • TensorFlow GPU binaries are built against CUDA 10 and TensorRT 5.0.
  • There’s newly added support for Python 3.7 on all operating systems.
  • NCCL has been moved to core.

Behavioral and other changes

  • Conversion of Python floating types to uint32/64 in tf.constant is not allowed.
  • The gain argument of convolutional orthogonal initializers has consistent behavior with the tf.initializers.orthogonal initializer.
  • Subclassed Keras models can be saved via tf.contrib.saved_model.save_keras_model.
  • LinearOperator.matmul now returns a new LinearOperator.
  • Performance of GPU cumsum/cumprod has improved by up to 300x.
  • Support has been added for weight decay in most TPU embedding optimizers, including AdamW and MomentumW.
  • tensorflow/contrib/lite has been moved to tensorflow/lite.
  • An experimental Java API is added to inject TensorFlow Lite delegates.
  • Support has been added for strings in the TensorFlow Lite Java API.
  • All the occurrences of tf.contrib.estimator.DNNLinearCombinedEstimator have been replaced with tf.estimator.DNNLinearCombinedEstimator.
  • Regression_head has been updated to the new Head API for Canned Estimator V2.
  • XLA HLO graphs can be rendered as SVG/HTML.

Bug Fixes

  • Documentation has been updated with the details regarding the rounding mode used in quantize_and_dequantize_v2.
  • OpenSSL compatibility has been fixed by avoiding EVP_MD_CTX_destroy.
  • CUDA dependency has been upgraded to 10.0.
  • All occurrences of tf.contrib.estimator.InMemoryEvaluatorHook and tf.contrib.estimator.make_stop_at_checkpoint_step_hook have been replaced with tf.estimator.experimental.InMemoryEvaluatorHook and tf.estimator.experimental.make_stop_at_checkpoint_step_hook.
  • tf.data.Dataset.make_one_shot_iterator() has been deprecated in V1, removed from V2, and tf.compat.v1.data.make_one_shot_iterator() has instead been added.
  • keep_prob is deprecated and Dropout now takes a rate argument.
  • NUMA-aware MapAndBatch dataset has been added.
  • Apache Ignite Filesystem plugin has been added to support accessing Apache IGFS.

For more information, check out the official TensorFlow 1.13.0-rc2 release notes.
Amrata Joshi
25 Feb 2019
3 min read

Git 2.21 released with performance improvement, multi-pack indexes, enhanced repositories and more

Yesterday, the team at GitHub released Git 2.21 with a new date format, improved performance and bug fixes from over 60 contributors.

What’s new in Git 2.21?

Performance and internal implementation

  • It is now possible to clean up the code with optimization for the codepath that checks non-existence of loose objects.
  • The "strncat()" function is now counted amongst the banned functions.
  • This release comes with portability updates for the HPE NonStop platform.
  • The loose object cache used for optimizing existence look-up has also been updated.
  • The flaky tests can now be repeatedly run under load with the "--stress" option.

Human-readable dates with --date=human

This release comes with git log that displays the date for each authored commit. In this release, the timestamps will be displayed in Git’s “default” format (for example, “Tue Feb 12 09:00:33 2019 -0800”). Git 2.21 also comes with a new date format, --date=human, which makes it possible to frequently switch between the human and machine-readable formats while putting together a pipeline.

Multi-pack indexes

Git 2.21 can create a multi-pack index file instead of repacking. This index file acts as a listing of objects residing in multiple packs, removing the need to perform expensive repacks.

Delta reuse with bitmaps

Git now comes with bitmaps, an optional on-disk data structure that records the sets of objects “reachable” from each commit. When this data is available, users can query it to quickly determine whether the client has a base object. This results in the server generating smaller packs that are produced more quickly, for a faster experience.

Enhanced repositories

In Git 2.21, the repositories can now enumerate alternate tips, and make the corresponding transaction much faster.

Major Fixes

  • The corner cases in merge-recursive have been fixed.
  • The refspecs configured with "git -c var=val clone", which did not propagate to the resulting repository, have now been corrected.
  • There is now no need for a configured username/email under user.useConfigOnly for creating commits.
  • In this release, the http-backend CGI process now cleans up the child processes.

Users seem to be excited about this release. One of the comments on HackerNews reads, “Few Detecting files that differ only in case being cloned onto a case-insensitive file system is a great feature.”

To know more about this news, check out the release notes.

Sugandha Lahoti
25 Feb 2019
4 min read

Microsoft workers protest the lethal use of Hololens2 in the $480m deal with US military

Microsoft employees are outraged over the company’s $480 million deal with the U.S. Army to provide it with Hololens2, Microsoft’s latest augmented-reality headsets, to be used on the battlefield. Although Microsoft won the contract in November, it was only last Friday that Microsoft workers took to Twitter to express their concerns. In an open letter addressed to Microsoft CEO Satya Nadella and president and chief legal officer Brad Smith, employees wrote that the deal has "crossed the line" and "is designed to help people kill." https://twitter.com/MsWorkers4/status/1099066343523930112

This is not the first time tech workers have stood up in solidarity against tech giants over discrepancies in business or policies. Last year, ‘Employees of Microsoft’ asked Microsoft not to bid on US Military’s Project JEDI in an open letter. Google employees also protested against the company’s censored search engine in China, codenamed Project Dragonfly. In October 2018, an Amazon employee spoke out against Amazon selling its facial recognition technology, named Rekognition, to police departments across the world.

Yesterday, Microsoft unveiled the HoloLens2 AR device at the Mobile World Congress (MWC) in Barcelona. They also signed a contract with US military services called Integrated Visual Augmentation System. Per the terms of the deal, the AR headsets will be used to insert holographic images into the wearer’s field of vision. The contract’s stated objective is to “rapidly develop, test, and manufacture a single platform that Soldiers can use to Fight, Rehearse, and Train that provides increased lethality, mobility, and situational awareness necessary to achieve overmatch against our current and future adversaries,” the letter said.

What are Microsoft employees saying?

The letter, which was signed by more than 100 Microsoft employees, was published on an internal message board and circulated via email to employees at the company on Friday. The letter condemned the IVAS contract, demanding its cancellation and calling for stricter ethical guidelines. “We are alarmed that Microsoft is working to provide weapons technology to the US Military, helping one country's government ‘increase lethality’ using tools we built. We did not sign up to develop weapons, and we demand a say in how our work is used,” the letter said. Aligning Hololens2 with the military turns “warfare into a simulated ‘video game,’ further distancing soldiers from the grim stakes of war and the reality of bloodshed,” adds the letter.

In October, Brad Smith defended Microsoft's work with the military via a blog post: "First, we believe that the people who defend our country need and deserve our support. And second, to withdraw from this market is to reduce our opportunity to engage in the public debate about how new technologies can best be used in a responsible way. We are not going to withdraw from the future." He also suggested that employees concerned about working on unethical projects “would be allowed to move to other work within the company”. This statement ignores “the problem that workers are not properly informed of the use of their work”, the letter stated.

Netizens are also in solidarity with Microsoft employees and criticize the military involvement. https://twitter.com/tracy_karin/status/1099880041721352192 https://twitter.com/Durrtydoesit/status/1099840664978817024 https://twitter.com/cgallagher036/status/1099826879090118657

A comment on Hacker News reads, “Whether you agree with this sentiment or not, people waking up to ethical questions in our field is unquestionably a good thing. It's important to ask these questions.”

Savia Lobo
22 Feb 2019
4 min read

Switzerland’s e-voting system source code leaked ahead of its bug bounty program; slammed for being ‘poorly constructed’

Last week, the source code of Swiss Post’s recently launched online voting system was leaked. The experts who examined the code reported that the system is poorly designed, which makes it difficult to audit the code for security and to configure it to operate securely. Swiss Post, Switzerland's national postal service, also launched a fully verifiable system and a bug bounty program this month to test the system’s resilience to attacks.

According to a Motherboard report, “critics are already expressing concern about the system’s design and about the transparency around the public test.” Nathalie Dérobert, a spokeswoman for Swiss Post, said the public intrusion test is not meant to be an audit of the code “or to prove the security of the Swiss Post online voting system.” Instead, it’s meant to help inform the developers about improvements they need to make. In an email, Dérobert wrote, “Security is a process and even if the source code passed numerous previous security audits, we expected criticism and even outright negative comments. After all, that is the whole point of publishing the source code: we want a frank response and an honest discussion about the merits and shortcomings of our work… [W]e are determined to take up the negative comments, discuss them with our developing partner Scytl and to get in touch with the people where we see a benefit.”

More than 2,000 people have registered for the public test of the new online system. The test will take place from February 25 to March 24. As per the rules, the bug bounty program will pay 20,000 Swiss francs to anyone who can manipulate votes in the mock election, or 30,000 to 50,000 francs if they manage to manipulate votes without being detected. Swiss Post is making the source code for the software available to participants. However, the code wasn’t supposed to be open to just anyone to examine.

Swiss Post responded to the publication of the code, saying the source code was not leaked, as it was already available to anyone who wanted to see it, as long as they registered with Swiss Post. Swiss Post also wrote that there is no NDA or confidentiality agreement around publishing information about the source code or citing parts of the code, but the statement did not say anything about the Scytl technical documents themselves or the architecture and protocol information contained in them.

Cryptography experts, after examining the allegedly leaked code, said: “the system is a poorly constructed and convoluted maze that makes it difficult to follow what’s going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.” Sarah Jamie Lewis, a former security engineer for Amazon and a former computer scientist for England’s GCHQ intelligence agency, said, “Most of the system is split across hundreds of different files, each configured at various levels. I’m used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding.” Lewis said that the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this. “Someone could wire the thing in the wrong place and suddenly the system is compromised. And when you’re talking about code that is supposed to be protecting a national election, that is not a statement someone should be able to make”, Lewis added.

The voting system was developed by Swiss Post and the Barcelona-based company Scytl, which was formed by a group of academics who spun it off of their research work at the Universidad Autónoma de Barcelona (Autonomous University of Barcelona) in 2001. “Local cantons, or states, in Switzerland are the ones who administer elections and would be responsible for the configuration. Scytl claims the system uses end-to-end encryption that only the Swiss Electoral Board would be able to decrypt. But there are reasons to be concerned about such claims”, Motherboard reports. Matthew Green, a noted cryptographer teaching cryptography at Johns Hopkins University, said that the system is highly complex and “at this point, I think the only appropriate way to evaluate it is through a professional evaluation by someone trained in this sort of advanced cryptography. And even then I’d be concerned, given the stakes.”

To know more about this news, head over to Motherboard’s complete coverage.
Bhagyashree R
22 Feb 2019
2 min read

npm Inc. announces npm Enterprise, the first management code registry for organizations

Yesterday, npm Inc., the provider of the world’s largest software registry, announced npm Enterprise, which will be your company’s very own npm registry. This new service is designed for private registry hosting and workflow integrations, and provides compliance features for large companies.

Bryan Bogensberger, CEO of npm Inc, said in a statement, “Approximately 100% of the world’s enterprises acquire over 97% of their JavaScript from the npm Public Registry, making the introduction of npm Enterprise essential for the professionalization of JavaScript development. With npm Enterprise, we are giving JavaScript developers the npm tools they love while providing the enterprise with enhanced visibility, security, and control. The result: happiness throughout organizations everywhere.”

The npm Enterprise service comes with the following features and advantages:

  • Companies will have a “companyname.npme.io” website with support for industry-standard SSO authentication to control developer access and other permissions.
  • It allows easy code discovery and sharing within a company.
  • You can securely deploy a package.
  • Access to unlimited Orgs and scopes. Orgs allow a team of contributors to read, write, and publish public or private scoped packages.
  • Users will be able to access all the packages that are available in the public registry.
  • It provides audit reports that contain tables of information about security vulnerabilities in your project’s dependencies. With the help of these audit reports, you can fix the vulnerability or troubleshoot further.
  • To avoid any kind of conflict, teams can use the unlimited namespaces npm Enterprise comes with to share and manage code.

The npm Enterprise service provides three roles: Billing Manager, Admin user, and End-user. The admin users will have the most far-reaching permissions on the Enterprise instance. They will manage instance settings, Orgs, users, and packages. The billing manager will be responsible for updating the payment method for your Enterprise instance.

To learn more about npm Enterprise, visit npm’s official website.

Melisha Dsouza
22 Feb 2019
2 min read

Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability

Drupal released a security advisory for a highly critical remote code execution vulnerability (CVE-2019-6340) in its software. Samuel Mortenson, a member of the Drupal Security Team, reports that arbitrary PHP code execution is possible due to a lack of data sanitization in certain field types linked to non-form sources. Drupal issued the warning a day before Wednesday’s patch release.

According to Drupal's blog, a site is affected if either of the following is true:

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests.
  • The site has another web services module enabled, for instance, JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

To address this vulnerability, Drupal has released security updates for contributed modules for Drupal 7 and Drupal 8. Drupal has also released Drupal 8.6.10 and Drupal 8.5.11, with no core update for Drupal 7. The team has also advised users to install any available security updates for contributed projects after updating Drupal core. Besides this, the blog states that, to immediately mitigate the vulnerability, users can disable all web services modules or configure their web server(s) to not allow PUT/PATCH/POST requests to web services resources.

According to ZDNET, Drupal is the third most popular CMS for website publishing and accounts for about three percent of the world's billion-plus websites. An attacker exploiting this vulnerability could potentially hijack a Drupal site and take control of a web server and all the websites supported by it.

To know more about this announcement, visit Drupal’s blog.