Tech News

Back in March this year, the Brave team shared their plans of replacing their desktop Muon runtime, with a more comprehensive Chromium stack for the desktop browser. Yesterday, the team shared a report on performance improvements in Brave Core, which refers to the newly redesigned browser for desktop operating systems. It uses Chromium’s native interface and supports nearly all Chrome features and extension APIs. Brave is a free and open source web browser, founded by the inventor of Javascript and co-founder of Mozilla, with the main focus on privacy and performance. By switching to the Chromium code base, the browser has become the latest addition to the Chromium bandwagon, which now includes Google Chrome, Vivaldi, Opera, and most recently, Edge. This evaluation of Brave Core’s performance was done based on two critical metrics: how quickly it loads pages and how much resources it consumes. Brave 0.24.0 was compared against Brave Core 0.55.12 Beta release. For this comparison, they considered Alexa News Top 10, as they are frequently visited by a lot of people and are run by reputable companies that pay attention to their readers. Results of the performance comparison between Brave Core and Muon-based Brave The team arrived at the following results after comparing the upcoming Brave Core browser with the current version of Muon-based Brave on a desktop computer: Load time savings on common desktops: Brave Core showed a load time savings of 10%-34% on the tested popular media websites with the same page content and blocking. Also, it showed a 22% average and 18% median load time savings. Performance on slower processors: On slower environments, similar to today’s average Android device on a fast 3G connection, the browser showed savings ranging up to 44%. Better CPU utilization: Brave Core showed better CPU utilization with all computationally intensive tasks running faster across all tested websites and configurations. These time savings were a result of several improvements across HTML parsing, JavaScript execution, page rendering, etc. To read more in detail about the performance analysis of Brave, check out their original post. Introducing Basilisk, an open source XUL based browser and “close twin” to pre-Servo Firefox Google’s V8 7.2 and Chrome 72 gets public class fields syntax; private class fields to come soon Google Chrome announces an update on its Autoplay policy and its existing YouTube video annotations

Yesterday, Microsoft released the first preview builds of its Chromium-powered Edge browser for Windows 10. This comes after Microsoft announced last year in December that it will be adopting the Chromium open source project in the development of Microsoft Edge for desktop. You can download these preview builds for testing from the Microsoft Edge Insider site. The new builds are available through three different Microsoft Edge Insider Channels: Beta, Canary, and Developer. Canary builds are the ones that will receive updates every night. Developer builds are much more stable than the Canary builds and will be updated weekly. Beta builds are the most stable ones as compared to the three and will receive updates every 6 weeks. Source: Microsoft Right now, Microsoft is only opening the Developer and Canary channels. Though the company was not so clear about the timeline in the announcement, it does promises that the Beta builds and support for Mac and all the other supported versions of Windows will come in the future. However, there is no mention of whether this new overhauled Microsoft Edge will support Linux. In these preview builds, the team has mostly focussed on the fundamentals. So, current users will not see an extensive range of features and language support. These new Chromium-based Microsoft Edge preview builds do look strikingly similar to Google Chrome. Among the similarities include subtle design finishes, a dark mode, and the ability to manage your sign-in profile. In this Chromium-based Edge implementation, Microsoft has removed or replaced about 50 services that are included in Chromium. Some of them are Google Now, Google Cloud Messaging, and Chrome-OS related services. More details regarding the updates will be shared during a BlinkOn 10 keynote today. These preview builds also bring support for an expanded selection of extensions. Users will no longer have to just choose from the limited set of extensions available on Microsoft’s store as extensions from other third-party stores like Chrome Web Store are also supported. Since this is based on Chromium, it also comes with support for Progressive Web Apps and supports the same developer tools as Chromium. Microsoft is working closely with the team at Google and hopes to work with the broader Chromium community going forward. Their latest contributions to the Chromium open source project includes in areas like accessibility, touch, ARM64, and others. In the future, it plans to introduce smooth scrolling, a reading view free of distractions, grammar tools, and Microsoft Translator integration. Users who have tested these preview builds are finding it unsurprisingly very similar to Chrome. One of the users are Reddit remarks, “To the surprise of no one, its basically chrome. Even my google account came in logged in automatically, same recent sites etc. I wonder if the roadmap will include things like dark mode, I never used the annotations feature so can't vouch much for it. I'm yet to try to make a MS Teams call but looking good so far.” The Verge, after testing the preview builds, shared that the Chromium-powered Edge is showing even better performance than Google Chrome. Many users are also saying that instead of joining hands with Google, Microsoft could have instead gone with Firefox to make the web fair and accessible. “I wish they've would have gone with Firefox's Quantum, in order to try and at least balance out web market shares. MSFT no longer has any leverage in the web, so trying to keep it fair and accessible (no browser monopolies) should be a priority for them (especially since they have quite a few web platforms like office 365),” adds a redditor. To read the official announcement, check out the Microsoft blog. Microsoft’s #MeToo reckoning: female employees speak out against workplace harassment and discrimination Microsoft, Adobe, and SAP share new details about the Open Data Initiative Microsoft reportedly ditching EdgeHTML for Chromium in the Windows 10 default browser

Redis Labs joins the streak of software firms tweaking their licenses to prevent cloud service providers from misusing their open source code. Today, Redis Labs announced a change in their license from Apache2 modified with Commons Clause to Redis Source Available License (RSAL). This has been the second time that the company has changed its license. Back in August 2018, Redis Labs changed the license of their Redis Modules from AGPL to Apache2 modified with Commons Clause, to ensure that open source companies would continue to contribute to their projects and maintain sustainable business in the cloud era. This move was initially received with some skepticism when some people incorrectly assumed that the Redis core went proprietary, which was wrong to assume. Relating this move to open source companies like MongoDB and Confluent, Redis Labs says that every company has taken a different approach to stop cloud providers from exploiting open source projects developed by others by packaging them into proprietary services, and using their “monopoly power to generate significant revenue streams”. Feedback from multiple users to improve their license to favor developers’ needs identified three major areas needed to be addressed: The term Apache2 modified by Commons Clause caused confusion with some users, who thought they were only bound by the Apache2 terms. Common Clause’s language included the term “substantial” as a definition for what is and what isn’t allowed- there was a lack of clarity around the meaning of this term. Some Commons Clause restrictions regarding “support” worked against Redis Lab’s intention to help grow the ecosystem around Redis Modules. Taking all of this into consideration, Redis Labs has changed the license of Redis Modules to Redis Source Available License (RSAL).   What is Redis Source Available License (RSAL)? RSAL is a software license created by Redis Labs applicable only to a certain Redis Modules running on top of open source Redis. This aims to grant equivalent rights to permissive open source licenses for the vast majority of users. This license will “allow developers to use the software; modify the source code, integrate it with an application; and use, distribute or sell their application.” The RSAL introduces just one restriction; the application cannot be a database, a caching engine, a stream processing engine, a search engine, an indexing engine or an ML/DL/AI serving engine. According to Yiftach Shoolman, Co-founder and Chief Technology Officer, Redis Labs, this movement will not have any effect on the  Redis core license and shouldn’t really affect most developers who use the company’s modules (and these modules are RedisSearch, RedisGraph, RedisJSON, RedisML, and RedisBloom). Red Hat Satellite to drop MongoDB and will support only PostgreSQL backend MongoDB switches to Server Side Public License (SSPL) to prevent cloud providers from exploiting its open source code Confluent, an Apache Kafka service provider adopts a new license to fight against cloud service providers  

Yesterday, Mozilla announced a partnership with game developing company Ubisoft to develop Clever-Commit. It is an artificial intelligence based code assistant developed by Ubisoft La Forge. Ubisoft uses the assistant internally, and with this partnership, Firefox will try to find errors in their code. About 8,000 edits are made in every Firefox release by numerous developers. Using the assistant to save bugs on them can have a large scale effect in Firefox development. The assistant combines data from the bug tracking system and the codebase. Clever-Commit will analyze the changes in code as various developers commit code to the Firefox codebase. It then looks at the previously committed code to draw comparisons and find out buggy code. The developer is notified if Clever-Commit thinks that a code commit is not proper. This means that the bug could be fixed before a commit. It can even suggest solutions to the bugs it finds. Firefox uses C++, JavaScript, and Rust; Mozilla plans to use Clever-Commit for all of them to bring faster development. Clever-Commit is not open-source and there seem to be no immediate plans to make it freely available. But this ability to make inferences from large code bases is not exclusive to Clever-Commit. Microsoft has IntelliCode in Visual Studio which has examined many GitHub repositories for best coding methods etc, IntelliSense can also be used to find bugs in the code similar to Clever-Commit. Head of French division, Mozilla, Sylvestre Ledru said in a blog post: “With a new release every 6 to 8 weeks, making sure the code we ship is as clean as possible is crucial to the performance people experience with Firefox. The Firefox engineering team will start using Clever-Commit in its code-writing, testing and release process. We will initially use the tool during the code review phase, and if conclusive, at other stages of the code-writing process, in particular during automation. We expect to save hundreds of hours of bug riskiness analysis and detection. Ultimately, the integration of Clever-Commit into the full Firefox developer workflow could help catch up to 3 to 4 out of 5 bugs before they are introduced into the code.” Clever-Commit was originally displayed by Ubisoft as Commit Assistant last year. Mozilla shares plans to bring desktop applications, games to WebAssembly and make deeper inroads for the future web Open letter from Mozilla Foundation and other companies to Facebook urging transparency in political ads The State of Mozilla 2017 report focuses on internet health and user privacy

Last week, Jürgen Löb, a Debian user, discovered a bug in the linux-image-4.9.0-8-armmp-lpae package of the Debian system. The version of the system affected is 4.9.144-3. The user states that he updated his Lamobo R1 board with apt update; apt upgrade. However, after the update, uboot was struck at "Starting kernel" with no further output after the same. The same issue was faced by him on Bananapi 1 board. He performed the following steps to recover his system: downgrading to a backup kernel by mounting the boot partition on the sd card. dd if=boot.scr of=boot.script bs=72 skip=1 (extract script) replaced the following command in boot.script: setenv fk_kvers '4.9.0-8-armmp-lpae' with setenv fk_kvers '4.9.0-7-armmp-lpae'  (backup kernel was available on his boot            partition) Then execute: mkimage -C none -A arm -T script -d boot.script boot.scr After performing these steps he was able to boot the system with the old kernel Version and restore the previous version (4.9.130-2) with the following command: dpkg -i linux-image-4.9.0-8-armmp-lpae_4.9.130-2_armhf.deb He cross-checked the issue and said that upgrading to 4.9.144-3 again after these steps results in the above unbootable behavior. Thus concluding, that the upgrade to 4.9.144-3 is causing the said problem. Timo Sigurdsson, another Debian user stated that “I recovered both systems by replacing the contents of the directories /boot/ and /lib/modules/ with those of a recent backup (taken 3 days ago). After logging into the systems again, I downgraded the package linux-image-4.9.0-8-armmp-lpae to 4.9.130-2 and rebooted again in order to make sure no other package upgrade caused the issue. Indeed, with all packages up-to-date except linux-image-4.9.0-8-armmp-lpae, the systems work just fine. So, there must be a serious regression in 4.9.144-3 at least on armmp-lpae”. In response to this thread, multiple users replied with other instances of broken packages, like plain armmp (non-lpae) is broken for Armada385/Caiman and QEMU's. Vagrant Cascadian, another user added to the list that all of the armhf boards running this kernel failed to boot, including: imx6: Cubox-i4pro, Cubox-i4x4, Wandboard Quad exynos5: Odroid-XU4 exynos4: Odroid-U3 rk3328: firefly-rk3288 sunxi A20: Cubietruck The Debian team has not reverted back with any official response. You can head over to the debian bugs page for more information on this news. Google Project Zero discovers a cache invalidation bug in Linux memory management, Ubuntu and Debian remain vulnerable Remote Code Execution Flaw in APT Linux Package Manager allows man-in-the-middle attack Debian 9.7 released with fix for RCE flaw

On Monday, Django 2.1.2 was released, which has addressed a security issue regarding password hash disclosure. Along with that, this version fixes several other bugs in 2.1.1 and also comes with the latest string translations from Transifex. Users password hash visible to “view only” admin users In Django 2.1.1, the admin users who had permissions to change the user model could see a part of the password hash in the change form. Also, admin users with “view only” permission to the user model were allowed to see the entire hash. This could prove to be a big problem if the password is weak or your site uses weaker password hashing algorithms such as MD5 or SHA1. This vulnerability has been named CVE-2018-16984 since 13th September, 2018. This issue has been solved in this new security release. Bug fixes A  bug is fixed where lookup using F() on a non-existing model field didn't raised FieldError. The migrations loader now ignores the files starting with a tilde or underscore. Migrations correctly detects changes made to Meta.default_related_name. Support for cx_Oracle 7 is added. Quoting of unique index names is now fixed. Sliced queries with multiple columns with the same name will not result in crash on Oracle 12.1 anymore. A crash is fixed when a user with the view only (but not change) permission made a POST request to an admin user change form. To read the release notes of Django, head over to its official website. Django 2.1 released with new model view permission and more Python web development: Django vs Flask in 2018

The Association for Computing Machinery (ACM) announced Yoshua Bengio, Geoffrey Hinton, and Yann LeCun, the three pioneers in Artificial Intelligence, as winners of the 2018 Turing Award. The Turing Award was presented to the researchers for their ‘conceptual and engineering breakthroughs’ that resulted in deep neural networks become a critical component of computing. https://twitter.com/ylecun/status/1110851884624035852 https://twitter.com/geoffreyhinton/status/1110962177903640582 https://twitter.com/AndrewYNg/status/1110913633758769158 The ACM Turing Award, named after the great Alan M. Turing, a British Mathematician, is often referred to as the “Nobel Prize of Computing”. The award brings along with it a $1 million prize which will be split between the winners. Financial support is being offered by Google. ACM states that Hinton, LeCun, and Bengio, worked independently and together to develop conceptual foundations for the field. These researchers worked diligently to identify surprising phenomena via various experiments and also contributed engineering advances that effectively shows the practical advantages of deep neural networks. These deep learning methods have led to many astonishing breakthroughs in the fields of computer vision, speech recognition, natural language processing, and robotics among others. LeCun, Hinton, and Bengio stayed committed to the approach of using artificial neural networks as a tool to help computers recognize patterns and simulate human intelligence. Researchers also faced much criticism initially and their ideas were often met with skepticism. But, the researchers were determined and their ideas have resulted in major technological advances. “At the heart of this progress are fundamental techniques developed starting more than 30 years ago by this year's Turing Award winners, Yoshua Bengio, Geoffrey Hinton, and Yann LeCun”, said Jeff Dean, Google Senior Fellow, and SVP, Google AI. Dr. Hinton now works as VP and engineering fellow at Google; Dr. LeCun works as the Chief AI Scientist for Facebook, and Dr. Bengio has inked deals with IBM and Microsoft. NGI0 Consortium to award grants worth 5.6 million euro to open internet projects UC Davis students bag $500k award and the 2018 Amazon Alexa prize for creating a social conversational system Mozilla funds winners of the 2018 Creative Media Awards for highlighting unintended consequences of AI in Soceity

On August 22, the JetBrains team announced the release of Kotlin 1.3.50. Some of the major improvements in this Kotlin version include a preview of the new Duration and Time Measurement API in the standard library, using Dukat for the experimental generation of external declarations for npm dependencies in Gradle Kotlin/JS projects, a separate plugin for debugging Kotlin/Native code in IntelliJ IDEA Ultimate, and much more. The team has also worked on improving Java-to-Kotlin converter and on Java compilation support in multi-platform projects. Let us have a look at these improvements in brief. Major improvements in Kotlin 1.3.50 Changes in the standard library Experimental preview of duration and time measurement API A new duration and time measurement API is available for preview. The researchers say that if the API expects the duration stored as primitive value like Long, one can erroneously pass the value in the wrong unit, and unfortunately, the type system doesn’t help prevent that. Hence, the team created a regular class to store duration solves this problem. However, this brings another problem, i.e., additional allocations. Now the API can use the Duration type, and all the clients will need to specify the time in the desired units explicitly. This release brings support for MonoClock which represents the monotonic clock, which doesn’t depend on the system time. The monotonic clock can only measure the time difference between given time points, but doesn’t know the “current time.” The Clock interface provides a general API for measuring time intervals. MonoClock is an object implementing Clock; it provides the default source of monotonic time on different platforms. When using the Clock interface, the user explicitly marks the time of action start, and later the time elapsed from the start point. It is especially convenient if one wants to start and finish measuring time from different functions. To know more about this feature in detail, read Kotlin/KEEP on GitHub. Experimental API for bit manipulation The standard library now contains an experimental API for bit manipulation. Similar extension functions for Int, Long, Short, Byte, and their unsigned counterparts have also been added. IntelliJ IDEA support in Kotlin 1.3.50 Improvements in Java to Kotlin converter This release includes a preview of Java to Kotlin converter to minimize the amount of “red code” one has to fix manually after the conversion. This improved version of the converter tries to infer nullability more correctly based on the Java type usages in the code. The goal is to decrease the number of compilation errors and to make the produced Kotlin code more convenient to use. The new converter fixes many other known bugs, too; for instance, it now correctly handles implicit Java type casts. This new converter may become the default one in the future. To turn it on, specify the Use New J2K (experimental) flag in settings. Debugging improvements In Kotlin 1.3.50, the team has improved how the Kotlin “Variables” view chooses variables to display. As there’s a lot of additional technical information in the bytecode, the Kotlin “Variables” view highlights only the relevant variables. Local variables inside the lambda, as well as captured variables from the outer context and parameters of the outer function, are correctly displayed: Source: jetbrains.com Kotlin 1.3.50 also adds improved support for the “Evaluate expression” functionality in the debugger for many non-trivial language features, such as local extension functions or accessors of member extension properties. Users can now modify variables via “Evaluate expression”: Source: jetbrains.com Added new intentions and inspections This release includes the addition of new intentions and inspections. One of the goals of intentions is to help users learn how to write idiomatic Kotlin code. The following intention, for instance, suggests using the indices property rather than building a range of indices manually: Source: jetbrains.com Updates to Kotlin/JS Kotlin 1.3.50 adds support for building and running Kotlin/JS Gradle projects using the org.jetbrains.kotlin.js plugin on Windows. Users can now build and run projects using Gradle tasks, dependencies from NPM required in the Gradle configuration are resolved and included. Users can also try out their applications using webpack-dev-server and much more. The team has also added performance improvements for Kotlin/JS by improving the incremental compilation time for projects. With this users expect speedups of up to 30% when compared to 1.3.41. This version also shows an improved integration with NPM, which means that projects are now resolved lazily and in parallel, and support for projects with transitive dependencies between compilations in the same project has been added. Kotlin 1.3.50 also brings changes in the structure and naming of generated artifacts. Generated artifacts are now bundled in the distributions folder, and they include the version number of the project and archiveBaseName (which defaults to the project name), e.g. projectName-1.0-SNAPSHOT.js. Using Dukat for automatic conversion of TypeScript declaration files Dukat allows the automatic conversion of TypeScript declaration files (.d.ts) into Kotlin external declarations. This makes it more comfortable to use libraries from the JavaScript ecosystem in a type-safe manner in Kotlin, thus, reducing the need for manually writing wrappers for JS libraries. Kotlin/JS now ships with experimental support for Dukat integration for Gradle projects. With this integration, by running the build task in Gradle, typesafe wrappers are automatically generated for npm dependencies and can be used from Kotlin. As Dukat is still in a very early stage, its integration is disabled by default. The team has prepared an example project, which demonstrates the use of dukat in Kotlin/JS projects. Updates to Kotlin/ Native Previously, the version of Kotlin/Native differed from the version of Kotlin. However, in this version, schemes for Kotlin and Kotlin/Native are now aligned. This release uses version 1.3.50 for both Kotlin and Kotlin/Native binaries, reducing the complexity. This release brings more pre-imported Apple frameworks for all platforms, including macOS and iOS. The Kotlin/Native compiler now includes actual bitcode in produced frameworks. Several performance improvements have also made in the interop tool. The team has also announced that Null-check optimizations have been planned for Kotlin 1.4. Starting from Kotlin 1.4, "all runtime null checks will throw a java.lang.NullPointerException instead of a KotlinNullPointerException, IllegalStateException, IllegalArgumentException, and TypeCastException. This applies to: the !! operator, parameter null checks in the method preamble, platform-typed expression null checks, and the as operator with a non-null type. This doesn’t apply to lateinit null checks and explicit library function calls like checkNotNull or requireNotNull." Apart from the changes mentioned, Java compilation can now be included in Kotlin/JVM targets of a multiplatform project by calling the newly added withJava() function of the DSL. This release also adds multiple features and improvements in scripting and REPL support. To know more about these changes and other changes in detail, read Kotlin 1.3.50 official blog post. Introducing Coil, an open-source Android image loading library backed by Kotlin Coroutines Introducing Kweb: A Kotlin library for building rich web applications How to avoid NullPointerExceptions in Kotlin [Video]

Yesterday, Chris Keane, the General Manager of OpenSky announced that OpenSky is now acquired by the Alibaba Group. OpenSky is a network of businesses that empower modern global trade for SMBs and help people discover, buy, and share unique goods that match their individual taste. OpenSky will join Alibaba Group in two capacities: One of OpenSky’s team will become a part of Alibaba.com in North America B2B to serve US based buyers and suppliers. The other team will become a wholly-owned subsidiary of Alibaba Group consisting of OpenSky’s marketplace and SaaS businesses. In 2015, Alibaba Group acquired a minority ownership on OpenSky. In 2017, they collaborated with Alibaba’s B2B leadership team to solve the challenges faced by small businesses. According to Chris, both the companies share a common interest, which is to help small businesses: “It was thrilling to discover that our counterparts at Alibaba share our obsession with helping SMBs. We’ve quickly aligned on a global vision to provide access to markets and resources for businesses and entrepreneurs, opening new doors and knocking down obstacles.” In this announcement Chris also mentioned that they will be coming up with powerful concepts to serve small businesses everywhere, in the near future. To know more, read the official announcement on LinkedIn. Alibaba Cloud partners with SAP to provide a versatile, one-stop cloud computing environment Digitizing the offline: How Alibaba’s FashionAI can revive the waning retail industry Why Alibaba cloud could be the dark horse in the public cloud race

Earlier this month, Dirk Lewandowski, Professor of Information Research & Information Retrieval  at Hamburg University of Applied Sciences, Germany, published a proposal for building an index of the Web. His proposal aims to separate the infrastructure part of search engine from the services part. Search engines are our way to the web, which makes them an integral part of the Web’s infrastructure. While there are a significant number of search engines present in the market, there are only a few relevant search engines that have their own index, for example, Google, Bing, Yandex and Baidu. Other search engines that pull results from these search engines, for instance, Yahoo, cannot really be considered search engines in the true sense. The US search engine market is split between Google and Bing with roughly two thirds to one-third, respectively, In most European countries, Google covers the 90% of the market share. Highlighting the implications of Google’s dominance in the current search engine market, the report reads, “As this situation has been stable over at least the last few years, there have been discussions about how much power Google has over what users get to see from the Web, as well as about anti-competitive business practices, most notably in the context of the European Commission's competitive investigation into the search giant.” The proposal aims to bring plurality in the search engine market, not only in terms of the numbers of search engine providers but also in the number of search results users get to see when using search engines. The idea is to implement the “missing part of the Web’s infrastructure” called searchable index. The author proposes to separate the infrastructure part of the search engine from services part. This will allow multitude of services, whether existing as search engines or otherwise to be run on a shared infrastructure. The following figure shows how the public infrastructure crawls the web for indexing its content and provides an interface to the services that are built on top of the index. The indexing stage is split into basic indexing and advanced indexing. Basic indexing is responsible for providing the data in a form that services built on top of the index can easily and rapidly process the data. Though services are allowed to do their further indexing to prepare the documents, the open infrastructure also provides some advanced indexing. This provides additional information to the indexed documents, for example, semantic annotations. This advanced indexing requires an extensive infrastructure for data mining and processing. Services will be able to decide for themselves to what extent they want to rely on the pre-processing infrastructure provided by the Open Web Index. A common design principle can be adopted is allowing services a maximum of flexibility. Credits: arXiv Many users are supporting this idea. One Redditor said, “I have been wanting this for years...If you look at the original Yahoo Page when Yahoo first started out it attempted to solve this problem.I believe this index could be regionally or language based.” Some others do believe that implementing an open web index will come with its own challenges. “One of the challenges of creating a "web index" is first creating indexes of each website. "Crawling" to discover every page of a website, as well as all links to external sites, is labour-intensive and relatively inefficient. Part of that is because there is no 100% reliable way to know, before we begin accessing a website, each and every URL for each and every page of the site. There are inconsistent efforts such "site index" pages or the "sitemap" protocol (introduced by Google), but we cannot rely on all websites to create a comprehensive list of pages and to share it,” adds another Redditor. To read more in detail, check out the paper titled: The Web is missing an essential part of infrastructure: an Open Web Index. Tim Berners-Lee plans to decentralize the web with ‘Solid’, an open-source project for “personal empowerment through data” Google Cloud Next’19 day 1: open-source partnerships, hybrid-cloud platform, Cloud Run, and more Dark Web Phishing Kits: Cheap, plentiful and ready to trick you  

Yesterday, the team at Kubernetes released Kubernetes 1.14, a new update to the popular open-source container orchestration system. Kubernetes 1.14 comes with support for Windows nodes, kubectl plugin mechanism, Kustomize integration, and much more. https://twitter.com/spiffxp/status/1110319044249309184 What’s new in Kubernetes 1.14? Support for Windows Nodes This release comes with added support for Windows nodes as worker nodes. Kubernetes now schedules Windows containers and enables a vast ecosystem of Windows applications. With this release, enterprises with investments can easily manage their workloads and operational efficiencies across their deployments, regardless of the operating systems. Kustomize integration With this release, the declarative resource config authoring capabilities of kustomize are now available in kubectl through the -k flag. Kustomize helps the users in authoring and reusing resource config using Kubernetes native concepts. kubectl plugin mechanism This release comes with kubectl plugin mechanism that allows developers to publish their own custom kubectl subcommands in the form of standalone binaries. PID Administrators can now provide pod-to-pod PID (Process IDs) isolation by defaulting the number of PIDs per pod. Pod priority and preemption in this release enables Kubernetes scheduler to schedule important pods first and remove the less important pods to create room for more important ones. Users are generally happy and excited about this release. https://twitter.com/fabriziopandini/status/1110284805411872768 A user commented on HackerNews, “The inclusion of Kustomize[1] into kubectl is a big step forward for the K8s ecosystem as it provides a native solution for application configuration. Once you really grok the pattern of using overlays and patches, it starts to feel like a pattern that you'll want to use everywhere” To know more about this release in detail, check out Kubernetes’ official announcement. RedHat’s OperatorHub.io makes it easier for Kuberenetes developers and admins to find pre-tested ‘Operators’ for applications Microsoft open sources ‘Accessibility Insights for Web’, a chrome extension to help web developers fix their accessibility issues Microsoft open sources the Windows Calculator code on GitHub  

Larry Cashdollar, a security researcher with Akamai's SIRT (Security Intelligence Response Team), found out a vulnerability which impacts the jQuery File Upload plugin, as reported by the Bleeping Computers last week. The vulnerability received the CVE-2018-9206 identifier earlier this month. This will help people pay a more close attention to this flaw. Larry discovered the flaw together with Sebastian Tschan, also known as Blueimp, the developer of the plugin. They found out that the flaw was caused by a change introduced in Apache 2.3.9, which disabled by default the .htaccess files that stored folder-related security settings. The jQuery File Upload plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds and thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on. The 8-year old issue finally found As per the investigation, the developer identified the true source of the vulnerability not in the plugin's code, but in a change made in the Apache Web Server project dating back to 2010, which indirectly affected the plugin's expected behavior on Apache servers. The actual issue dates back to November 23, 2010, just five days before Blueimp launched the first version of his plugin. On that day, the Apache Foundation released version 2.3.9 of the Apache HTTPD server. Larry, in an interview with ZDNet, said, “attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells”. "I've seen stuff as far back as 2016," he added. Hackers have been actively exploiting this flaw since 2016 and kept this as low-key without anyone knowing. Larry found several YouTube videos containing tutorials on how one could exploit the jQuery File Upload plugin vulnerability to take over servers. This means that the vulnerability was widely known to hackers, even if it remained a mystery for the infosec community. According to ZDNet, “All jQuery File Upload versions before 9.22.1 are vulnerable. Since the vulnerability affected the code for handling file uploads for PHP apps, other server-side implementations should be considered safe.” Measures taken against the formerly known ‘CVE-2018-9206’ flaw Unless specifically enabled by the administrator, .htaccess files would be ignored. The two reasons for doing this were, firstly, to protect the system configuration of the administrator by disabling users from customizing security settings on individual folders. Secondly, to improve performance since the server no longer had to check the .htaccess file when accessing a directory. After Apache 2.3.9, plugins using .htaccess files to impose access restrictions no longer benefited from the custom folder access security configuration. This was also the case with jQuery File Upload, which adds files to a root directory. Now tracked as CVE-2018-9206, the coding flaw is no longer present in the latest version of jQuery File Upload. Tschan changed the code to allow only image file types GIF, JPG, JPEG, and PNG by default; he provides instructions on how to enable more content without running a security risk. Larry said, "I did test 1000 out of the 7800 of the plugin's forks from GitHub, and they all were exploitable”. The code he's been using for these tests is available on GitHub, along with a proof-of-concept for the actual flaw. To know more this in detail, head over to Bleeping Computer’s complete coverage. Upgrade to Git 2.19.1 to avoid a Git submodule vulnerability that causes arbitrary code execution Implementing Web application vulnerability scanners with Kali Linux [Tutorial] ‘Peekaboo’ Zero-Day Vulnerability allows hackers to access CCTV cameras, says Tenable Research

Soundtracking feature for Facebook stories has finally been rolled out! Facebook rolled out its soundtracking feature for Stories, on Wednesday. This feature helps you to choose from a catalog of songs, the section of the track you want, and overlaying it on a Story. It also allows you to share these clips to your News Feed. It’s now available on iOS and Android in Czech Republic, Australia,Germany, Great Britain, Ireland, Portugal, Spain, Italy, Luxembourg, New Zealand, Belgium, France,  Sweden, Switzerland and the United States. Facebook is experimenting with a video music app called Lasso As reported by TechCrunch, FB is working towards building a new app called Lasso which is a video music app. It is a standalone product where users can record and share videos of themselves while lip syncing or dancing to popular songs. This app could possibly be a strong competition to Musically, which was a hit amongst teens and pre-teens even before it was acquired by Chinese tech giant ByteDance for around $1 billion and rolled into the company’s TikTok app in November, 2017. Since 2016, Facebook has been investigating on the teen music app space. Earlier this year, Facebook secured licensing deals with all the major music record labels. The brains behind this product are Facebook’s video team and Watch team under the leadership of principal lead product designer, Brady Voss. FB’s experiments with a Lip Sync Live feature for live streaming Karaoke The company has also began experimenting with a Lip Sync Live feature for live streaming karaoke and finally yesterday, Facebook opened it for Pages and began showing some lyrics for few songs on screen. It also plans to allow its users to pin their favorite songs to their profile. so the one visiting the profile can listen to the them. Nick Clegg, ex-deputy PM of the UK, is joining FB as its Head of Global Affairs Following Instagram founders, Brendan Iribe, Oculus co-founder, leaves FB Facebook says only 29 million and not 50 million users were affected by last month’s security breach

Last month, the state of Illinois passed a Biometric privacy bill where a person can claim damages when their fingerprint is used without consent. Now, Cisco and Microsoft propose ideas for biometric privacy. The Cisco proposal states: ‘Ensure interoperability between different privacy protection regimes.’ This could threaten GDPR. ‘Avoid fracturing of legal obligations for data privacy through a uniform federal law that aligns with the emerging global consensus.’ This means gelling multiple levels of law systems, like state national into one, so a violation would go through only one level of a lawsuit. ‘Reassure customers that enforcement of privacy rights will be robust without costly and unnecessary litigation.’ Litigation is expensive, for individuals and more so for corporates, this can make it less expensive for the corporations. Microsoft is lobbying for a federal bill on facial recognition in Washington, according to a Bloomberg report. Bradd Smith, President at Microsoft, told Bloomberg: “Opening up the software for third-party testing is one of the key parts of the bill”. If the Washington bill is passed, it will affect companies like Amazon, Microsoft and any other companies that use personal data with a consumer base above 100,000. Meanwhile, Amazon has not made any comments on the bill as it’s still being modified. Cisco and Microsoft supporting federal privacy bills would sound like good news, but it’s not. If a new federal privacy bill is supported by a company, it would be designed to provide leeway to the company on how the rules regarding data collection and usage are set. According to a New York Times report from August last year, “In recent months, Facebook, Google, IBM, Microsoft and others have aggressively lobbied officials in the Trump administration and elsewhere to start outlining a federal privacy law, according to administration officials and the companies. The law would have a dual purpose, they said: It would overrule the California law and instead put into place a kinder set of rules that would give the companies wide leeway over how personal digital information was handled.” The Illinois Biometric Information Privacy Act is a good way forward for the consumers and should set an example of respecting user privacy. This may seem too strict but maybe that’s what is needed at this point. Biometric Information Privacy Act: It is now illegal for Amazon, Facebook or Apple to collect your biometric data without consent in Illinois ACLU files lawsuit against 11 federal criminal and immigration enforcement agencies for disclosure of information on government hacking The district of Columbia files a lawsuit against Facebook for the Cambridge Analytica scandal

Few days back I wrote about how the cloud collaboration with Google could overturn Cisco’s dwindling fortunes. Seems like the internet tech pioneer is now back into full throttle. It has a reason to remind the world what it did with internet, after all. And no prizes in guessing that it intends to do the same with the next generation tech sensation – artificial intelligence. To start with, let’s be honest with the daily corporate meetings – it’s boring. Meetings after meetings – every Monday, every other day, client meetings, internal meetings, vendor meetings – and possible all kinds of stakeholders meetings that are ‘serious’ stuffs. Devoid of smile. Enter Cisco Spark Assistant. As you set up your office meetings, AI takes over with a simple, “Hey, Spark.” Basically bots have entered your meeting rooms. "During the next few years, AI meeting bots will be joining our work teams. When they do, people will be able to ditch the drudgery of meeting setup and other logistics to become more creative than ever," says Cisco SVP and GM Rowan Trollope, "The future of great meetings is Spark with AI and our partners have an incredible opportunity to help customers take advantage of this game-changing technology." Cisco Spark Assistant is the latest in the series of innovations on the Cisco Spark platform. The announcement was made at Cisco Partner Summit, and the company said the world's first enterprise-ready voice assistant for meetings will see a phased rollout. Early next year, it will be available first on the Cisco Spark Room Series portfolio, including the new flagship Cisco Spark Room 70. In May, Cisco had entered a $125 million deal to buy MindMeld. The new service leverages machine learning technology out of that acquisition. So how it is going to bring down the hassles? The Assistant will let you speak commands to Spark-registered devices, and it’s kind of going to be a zero-touch meeting scenario. Just tell the AI bots what you want it do. From ‘Hey, Spark. Let's get started.’ and ‘Hey, Spark. Call Wilson’s meeting room.’ to ‘Hey, Spark. End the meeting.’ All without lifting a finger. Apart from machine learning, speech recognition technology and natural language understanding, Cisco said it has also applied its deep knowledge of meetings, honed over time: “Because we deliver 50 billion minutes of meetings every year. With this, we optimized the AI for the conference room.” Don’t forget since the time you started your first job, you have always seen a Cisco conference phone in every meeting room. In future, Cisco plans to further enhance the service based on the feedback from early trials. The Assistant could become smarter with added capabilities to assign action items and prepare minutes of the meeting. “Spark Assistant takes advantage of our meeting room endpoints' industry-first advancements such as intelligent proximity, speaker tracking and real-time face recognition. These let it see and hear. As a result, Cisco Spark Assistant knows who enters the room, who leaves the room and who is speaking,” the company said in its official announcement. The initial focus looks clearly on simplifying everyday meetings. And voice commands promise to streamline the things. Above all, they definitely induce an ‘interactive’ incentive to drive away your Monday blues.