
Tech News

3711 Articles
VLC’s updating mechanism still uses HTTP over HTTPS

Bhagyashree R
22 Jan 2019
3 min read
Last week, a bug was reported on the VLC bug tracker stating that all connections to the update server are still made over HTTP instead of HTTPS. One of the VLC developers replied asking the bug reporter for a threat model, and when he did not submit one, the developer closed the bug and marked it as “invalid”.

This is not the first time this bug has been reported. In a bug reported in 2017, a user said, “It appears that VLC's updating mechanism downloads a new VLC executable over HTTP (ie, in clear-text). Please modify the update mechanism to happen over TLS (preferably with Forward Secrecy enabled).”

What are some of the implications of using HTTP over HTTPS?

One of the Hacker News users said, “As a trivial example, this is a privacy leak - anyone on the network path can see what version you're upgrading to. It doesn't sound like a huge deal but we are moving to a 100% encrypted world, and it is a one character change to fix the issue. If VLC wants to keep the update over plaintext then they should justify why they want to do that, not have users justify why it should be over https. Instead, it feels like the VLC devs are having a kneejerk defensive reaction.”

Along with this, there are several security threats related to software that updates over HTTP, some of which are described here:

  • An attacker can see the contents of software update requests.
  • They can then modify these update requests or responses to change the update behavior or outcome.
  • They can also intercept and redirect software update requests to a malicious server.
  • Attackers can respond to the client request with a huge amount of data that will interfere with the client’s system, resulting in endless data attacks.
  • Attackers can prevent clients from becoming aware of interference with receiving updates by responding to client requests so slowly that automated updates never complete, resulting in endless data attacks.
  • Attackers can trick a client into installing software that is older, which is known to have critical bugs.

Why does VideoLAN not see it as a big problem?

Jean-Baptiste Kempf, the president and lead VLC developer, said that some of the attacks described above apply to nearly all download systems: “I'm sorry, but some described attacks (Slow retrieval attacks, Endless data attacks) are issues that are the case for all download system like most Linux Distributions, and that will not be fixed. Mirrors are HTTP and will stay HTTP for a few obvious reasons. Moreover, they will install binaries, so there is no security issue. Moreover, downloads are never done automatically, without user intervention.”

As Kempf said, this is not just the case with VLC. A Hacker News user said, “it seems to be a common practice for highly-loaded services to outsource as many cryptographies to clients as possible.”

A general-purpose package manager like Pacman uses HTTP because there is not much value in transport-level security when the payload is cryptographically signed. Even Tesla’s firmware updates are not encrypted in transit, as the updates are cryptographically signed. Oracle also followed the same policy with VirtualBox distributions, and that's been fine because they signed packages.

You can read more in detail on the VLC bug tracker website.
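The client-side checks that make a signed update safe to fetch over plain HTTP, as an added example that is not VLC's or any package manager's code: it covers the rollback, endless data, slow retrieval and modification cases listed above. It assumes the update metadata (version, length, SHA-256) has already had its signature verified; all names, versions and the sample payload are constructed for illustration.

```python
import hashlib
import time


class UpdateRejected(Exception):
    """An update failed a client-side check; .reason is a short code."""

    def __init__(self, reason, detail):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def parse_version(text):
    """'2.0.1' -> (2, 0, 1). Dotted numeric versions only (assumption)."""
    return tuple(int(part) for part in text.split("."))


def receive_update(chunks, meta, installed, min_rate=1024, grace=5.0,
                   clock=time.monotonic):
    """Read an update body from an untrusted transport and return its bytes.

    chunks    -- iterable of bytes, as read from the plain-HTTP response
    meta      -- {'version', 'length', 'sha256'} taken from update metadata
                 whose signature the caller has ALREADY verified (assumption)
    installed -- version string of the running program
    min_rate  -- bytes/second the transfer must sustain after `grace` seconds
    """
    # Rollback: a validly signed but older release must not be installed.
    if parse_version(meta["version"]) <= parse_version(installed):
        raise UpdateRejected(
            "rollback", f"{meta['version']} is not newer than {installed}")

    start = clock()
    digest = hashlib.sha256()
    received = bytearray()
    for chunk in chunks:
        received += chunk
        # Endless data: stop as soon as the body outgrows the signed length.
        if len(received) > meta["length"]:
            raise UpdateRejected("endless-data", "body exceeds signed length")
        # Slow retrieval: abort when throughput stays under the floor.
        # (A fully stalled socket additionally needs a read timeout.)
        elapsed = clock() - start
        if elapsed > grace and len(received) / elapsed < min_rate:
            raise UpdateRejected("slow-retrieval", "throughput below floor")
        digest.update(chunk)

    if len(received) != meta["length"]:
        raise UpdateRejected("truncated", "body shorter than signed length")
    # Modification in transit: the digest comes from the signed metadata.
    if digest.hexdigest() != meta["sha256"]:
        raise UpdateRejected("modified", "digest does not match metadata")
    return bytes(received)


def verdict(chunks, meta, installed, **options):
    """Return 'ok' or the reason code of the check that rejected the update."""
    try:
        receive_update(chunks, meta, installed, **options)
        return "ok"
    except UpdateRejected as exc:
        return exc.reason


def fake_clock(step):
    """Deterministic clock for the demo: advances `step` seconds per call."""
    now = [0.0]

    def tick():
        now[0] += step
        return now[0]
    return tick


# Constructed sample: a 4 KiB "installer" and the metadata describing it.
PAYLOAD = b"A" * 4096
META = {
    "version": "2.0.1",
    "length": len(PAYLOAD),
    "sha256": hashlib.sha256(PAYLOAD).hexdigest(),
}

if __name__ == "__main__":
    halves = [PAYLOAD[:2048], PAYLOAD[2048:]]
    print(verdict(halves, META, "2.0.0"))                        # honest mirror
    print(verdict(halves, META, "2.1.0"))                        # older release
    print(verdict([PAYLOAD, b"B"], META, "2.0.0"))               # extra bytes
    print(verdict(halves, META, "2.0.0", clock=fake_clock(10)))  # trickled body
    print(verdict([b"B" * 4096], META, "2.0.0"))                 # swapped body
```

None of these checks hides which version is being fetched, so the privacy leak raised in the Hacker News comment remains with plain HTTP.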

IBM, Oracle under the scanner again for questionable hiring and firing policies

Melisha Dsouza
21 Jan 2019
5 min read
The Guardian has come forward with reports of Oracle coming under the scanner for pay scale discrimination between male and female employees. On the very same day, The Register reported that an affidavit has been filed against IBM for hiding the ages of employees being laid off by the company from the Department of Labor.

Pay scale discrimination at Oracle

“Women are getting paid less across the board. These are some of the strongest statistics I’ve ever seen – amazingly powerful numbers.” - Jim Finberg, attorney for the plaintiffs

On 18th January, a motion was filed against Oracle in California alleging that the company’s female employees were paid (on average) $13,000 less per year than men doing similar work, The Guardian reports. More than 4,200 women will be represented in this motion after an analysis of payroll data found that women made 3.8% less in base salaries on average, 13.2% less in bonuses, and 33.1% less in stock value as compared to male employees. The analysis also found that the pay disparities exist even for women and men with the same tenure and performance review score in the same job categories.

The complaint outlines several instances of female Oracle plaintiffs who noticed the pay discrepancies either accidentally or by chance. One of the plaintiffs saw a pay stub from a male employee that drew her attention to the wage gap between them, especially since she was the male employee’s trainer.

This is not the first time that Oracle has been involved in a case like this. The Guardian reports that in 2017, the US Department of Labor (DoL) filed a suit against Oracle alleging that the firm had a “systemic practice” of paying white male workers more than their counterparts in the same job titles. This led to pay discrimination against women and black and Asian employees.

Oracle dismissed these allegations and called them “without merit”, stating that its pay decisions were “non-discriminatory and made based on legitimate business factors including experience and merit”. Jim Finberg, the attorney for this suit, said that none of the named plaintiffs worked at Oracle any more. Some of them left due to their frustrations over discriminatory pay. The suit also mentions that the pay disparities arose because Oracle used the prior salaries of new hires to determine their compensation at the company, leading to inequalities in pay. The suit claims that Oracle was aware of its discriminatory pay and “had failed to close the gap even after the US government alleged specific problems.”

The IBM Layoff

Along similar lines, a former senior executive at IBM alleges in an affidavit filed on Thursday in the Southern District of New York that her superiors directed her to hide information about the older staff being laid off by the company from the US Department of Labor. Catherine Rodgers, formerly IBM's vice president in its Global Engagement Office, was terminated after nearly four decades with IBM. The Register reports that Rodgers said she believes she was fired for raising concerns that IBM was engaged in systematic age discrimination against employees over the age of 40.

IBM has previously been involved in controversies over laying off older workers, right after the ProPublica report of March 2018 that highlighted this fact. Rodgers, who served as VP in IBM's global engagement office and senior state executive for Nevada, had access to the list of all the people to be laid off in her group. She noticed a lot of unsettling statistics, like:

1. All of the employees to be laid off from her group were over the age of 50.
2. In April 2017, two employees over age 50 who had been included in the layoff filed a request for financial assistance from the Department of Labor under the Trade Assistance Act. The DoL sent over a form asking Rodgers to state all of the employees within her group who had been laid off in the last three years, along with their ages. This list was then reviewed with IBM HR, and Rodgers alleges she was “directed to delete all but one name before I submitted the form to the Department of Labor.”
3. Rodgers said that IBM began insisting that older staff come into the office daily.
4. Older workers were more likely to face relocation to new locations across the US.

Rodgers says that after she began raising questions she got her first ever negative performance review, in spite of meeting all her targets for the year. Her workload increased without a pay rise.

The plaintiffs' memorandum that accompanied the affidavit requests the court to authorize notifying former IBM employees around the US who are over 40 years old and have lost their jobs since 2017 that they can join the legal proceedings against the company.

It is bothersome to see some big names of the tech industry displaying such poor leadership morals, should these allegations prove to be true. The outcome of these lawsuits will have a significant impact on the decisions taken by other companies for employee welfare in the coming years.

Protocol flaw in MySQL client allows MySQL server to request any local file from MySQL client

Melisha Dsouza
21 Jan 2019
2 min read
Last week, Willem de Groot, a digital forensics consultant, discovered a protocol flaw in MySQL, which he alleges is the main reason behind e-commerce and government sites getting hacked via the Adminer database tool. He stated that Adminer can be “lured to disclose arbitrary files” which attackers can then misuse to fetch passwords for popular apps such as Magento and WordPress, thus gaining control of a site’s database.

Because of this flaw, a MySQL client allows a MySQL server to request any local file by default. He further states that an example of such a malicious MySQL server can be found on GitHub that was “likely used to exfiltrate passwords from these hacked sites”. A Reddit user also pointed out that the flaw could be further exploited to steal SSH keys and crypto wallets. The only catch is that the server has to know the full path of the file on the client to exploit this flaw.

Unlike Adminer, several clients and libraries, including Golang, Python and PHP-PDO, have built-in protection for this “feature” or disable it by default.

This flaw is, surprisingly, a part of the MySQL documentation, which states:

Source: MySQL Documentation

You can head over to Willem de Groot’s blog for more insights on this news. Alternatively, head over to his Twitter thread for a more in-depth discussion on the topic.
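A client-side guard for the behaviour described above, as an added example that is not code from the article, Adminer or any MySQL client library. In the MySQL wire protocol the server's file request is a query response whose first payload byte is 0xFB followed by the file name; the hypothetical `decide` function honours it only when the feature is enabled and the client itself issued a LOAD DATA LOCAL INFILE naming the same file. Packets, paths and function names are constructed for illustration.

```python
import re

LOCAL_INFILE_REQUEST = 0xFB  # first payload byte of a server file request

# Simplified match for the one statement that legitimately triggers a transfer.
_LOAD_LOCAL = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?"
    r"LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE,
)


def make_packet(seq, payload):
    """Frame a payload as one wire packet: 3-byte LE length, sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def split_packet(raw):
    """Return (sequence_id, payload) for one packet, validating the length."""
    if len(raw) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    return raw[3], payload


def requested_file(payload):
    """File name the server asks for, or None for any other response."""
    if len(payload) > 1 and payload[0] == LOCAL_INFILE_REQUEST:
        return payload[1:].decode("utf-8", "replace")
    return None


def decide(query, response, allow_local_infile=False):
    """Decide what the client does with the server's response to `query`.

    Returns (action, file_name) where action is one of:
      pass               -- not a file request, handle normally
      refuse-disabled    -- file request, but the feature is switched off
      refuse-unsolicited -- file request although the query was not
                            LOAD DATA LOCAL INFILE
      refuse-mismatch    -- server asked for a file the query did not name
      send               -- request matches what the client asked to upload
    """
    _, payload = split_packet(response)
    wanted = requested_file(payload)
    if wanted is None:
        return ("pass", None)
    if not allow_local_infile:
        return ("refuse-disabled", wanted)
    statement = _LOAD_LOCAL.match(query)
    if statement is None:
        return ("refuse-unsolicited", wanted)
    if statement.group(1) != wanted:
        return ("refuse-mismatch", wanted)
    return ("send", wanted)


# Constructed sample responses (sequence id 1 follows the client's query).
OK_PACKET = make_packet(1, b"\x00\x00\x00\x02\x00\x00\x00")
ASKS_IMPORT = make_packet(1, b"\xfb" + b"/tmp/import.csv")
ASKS_CONFIG = make_packet(1, b"\xfb" + b"/srv/app/config.php")
LOAD_QUERY = "LOAD DATA LOCAL INFILE '/tmp/import.csv' INTO TABLE staging"

if __name__ == "__main__":
    print(decide("SELECT 1", OK_PACKET))
    print(decide("SELECT 1", ASKS_CONFIG))                          # default: off
    print(decide("SELECT 1", ASKS_CONFIG, allow_local_infile=True))
    print(decide(LOAD_QUERY, ASKS_CONFIG, allow_local_infile=True))
    print(decide(LOAD_QUERY, ASKS_IMPORT, allow_local_infile=True))
```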

Atom 1.34 released with commit preview, improved diffs, commit message templates and more

Amrata Joshi
21 Jan 2019
3 min read
Earlier this month, the team at Atom released Atom 1.34. Atom is a free and open source text editor, and this release helps users commit with a faster diff view and the ability to preview all staged changes. It comes with an improved commit preview, commit message templates and improved diffs.

Improvements in Atom 1.34

Commit preview

This feature will be highly useful for those who double check the specific changes that are going into each commit. While crafting commit messages, users can now draw inspiration from the diff of their staged changes. Users just have to click the ‘See All Staged Changes’ button above the commit message box, and they will be able to view their staged changes.

Improved diffs

The GitHub package now renders diff views with a text editor, which will improve performance. Users will now be able to render large diffs faster, and the text editor key bindings will now work in diffs.

Commit message templates

This release now supports commit message templates. Users can now add a template on a per-project basis or globally through the git configuration.

Changes in Atom 1.34

  • Users can view a multi-file diff of all staged changes prior to committing.
  • This release comes with added support for commit message templates.
  • This version of Atom renders the git diff view with a TextEditor.
  • This release comes with Kotlin language syntax highlighting in markdown code blocks.

Major bug fixes

  • The previous release had a bug where package searches were throwing uncaught exceptions, which has been fixed now.
  • Initially there was an error while running Bracket Matcher, which has been fixed now.

Users have given mixed reactions to this release. A few users think that the team at Atom could have worked on bigger issues related to finder reindexing and Atom-IDE packages. A few users are comparing this release with VSCode, with some users in favor of VSCode and others supporting Atom 1.34.

One user commented on HackerNews, “What makes you stick to Atom? I switched to VSCode due to Atom's terrible performance when opening huge files.” Another comment on HackerNews reads, “I was a big fan of Atom, but its constant performance problems combined with the fact that even after Atom's team rewriting huge parts of the project in C++, doing witchcraft and what not, made me switch to VSCode.” Another comment reads, “I'm finding VSCode's performance starts to fall apart completely where Atom performs the exact same as before.”

A few users think that Atom functioned well initially, but when it is used as an IDE, it falls flat. One of the users commented, “I used Atom for a couple years and raved about its features and package management but when it came to using it as an IDE, it fell short for one reason. It doesn't have a configurable way to debug across all languages.”

According to some users, Atom uses a rendering layer that doesn’t fit the goal of a text editor, which is to be fast and responsive. Others like how this release auto-formats commit messages and makes it easier to highlight merge conflicts.

To know more about Atom 1.34, check out the release notes.

GeoServer 2.14.2 rolled out with accessible WMTS binding, improved style editor and more

Amrata Joshi
21 Jan 2019
2 min read
Last week, GeoServer 2.14.2 was released. GeoServer is an open source software server based on Java, for sharing geospatial data. It allows users to display their spatial information to the world. It is free and can display data on popular mapping applications such as Google Earth, Google Maps, Microsoft Virtual Earth and Yahoo Maps.

Improvements in GeoServer 2.14.2

  • In GeoServer 2.14.2, WMTS Restful binding is accessible to all users and works with workspace specific services; it initially used to be limited to admins.
  • gs:DownloadEstimator now returns a true value when estimating full raster downloads at native resolution.
  • In GeoServer 2.14.2, KML ignores the sortBy parameter while querying records.
  • The NullPointerException is thrown while using env() function with LIKE operator in CSS filters.
  • With this release, it’s possible to modify an existing GWC blobstore via the UI without renaming, which was not possible initially.
  • For GetLegendGraphic, this release allows expressions in ColorMapEntry labels.
  • In this release, OpenLayers2 preview is not automatically triggered on IE8.
  • A new MongoDB extension has been added in GeoServer 2.14.2.
  • The style editor has been improved; it now includes side by side editing.
  • Nearest match support has been added for Web Map Service (WMS) dimension handling.

Major fixes

  • A rendering issue with JAI-EXT and Input/Output TransparentColor options has been resolved.
  • The complex MongoDB generated properties are now handled in this release.

Check out the official blog post by GeoServer for full release notes.

FTC officials plan to impose a fine of over $22.5 billion on Facebook for privacy violations, Washington Post reports

Amrata Joshi
21 Jan 2019
2 min read
According to a report by the Washington Post last week, Federal Trade Commission (FTC) officials are planning to impose a fine of over $22.5 billion on Facebook after a year of data breaches and revelations of illegal data sharing. Per the FTC, Facebook may have violated a legally binding agreement with the government to protect the privacy of users' personal data.

Lately, Facebook has been in the news for its data breaches and issues related to its users’ data. It has also been in the news for its Trump campaigns and its manipulations with voter details during the U.S. elections. According to the revelations made last year, over 87 million users’ data was given to Cambridge Analytica, a political consulting firm, without users’ consent. Facebook was fined £500,000 as a result of Cambridge Analytica last October. Last year, lawmakers in the U.S. Congress summoned Mark Zuckerberg, Facebook's CEO, to testify for the first time, where he apologized for the privacy violations.

This time Facebook might have to pay more than $22.5 million, the fine which was imposed on Google for tracking users of Apple’s Safari web browser in 2012. It was the greatest fine for violating an agreement with the FTC. This might turn out to be the first major fine against Facebook in the US.

The FTC agreement regarding privacy requires Facebook to seek users’ permission before sharing their data with third parties, and also to inform the FTC in cases where others misuse that information.

Last week, privacy advocates urged the FTC to take action against Facebook. Marc Rotenberg, the executive director of the Electronic Privacy Information Center, said, “The agency now has the legal authority, the evidence, and the public support to act. There can be no excuse for further delay.”

According to most Reddit users, Facebook should be strictly punished. One of the comments on Reddit reads, “It’d be better if the people responsible of doing it were sent to prison, but a big fine to their company should stop them from doing something like this again.”

MIDI 2.0 prototyping in the works, 35 years after launch of the first version

Prasad Ramesh
21 Jan 2019
2 min read
In a blog post last Friday, the MIDI Manufacturers Association (MMA) together with the Association of Music Electronics Industry (AMEI) announced prototyping of MIDI 2.0.

Musical Instrument Digital Interface, commonly referred to as MIDI, is a digital protocol used for recording and playing back music. It was originally designed for musical keyboards but was soon adopted for use in computers. MIDI was also used in phone ringtones. The protocol was first released in 1983.

Now, the MMA, in association with AMEI, has settled on the specifications and features for the next generation of the music recording protocol and has named it MIDI 2.0. The two are now working together to develop prototypes based on a co-developed draft specification.

There will be a ‘plugfest’ at Winter NAMM 2019 between some MIDI 2.0 prototypes to test compatibility. Some of the participating companies are Google, Yamaha, Roland, and Steinberg.

The prototyping will continue through this year as the involved associations work together on launch plans for the new protocol. This includes developing a new logo and self-certification programs for both MMA and AMEI member organizations. However, during the prototyping phase, the specifications for MIDI 2.0 are exclusive to MMA and AMEI members.

MIDI 2.0 brings auto-configuration, new DAW/web integrations, extended resolution, increased expressiveness, and tighter timing. While adding the new features, they will also strive to maintain backward compatibility. The new specifications will join the current MIDI specifications when they are finalized and will be available as a free download on the MIDI website.

A Wordpress plugin vulnerability is leaking Twitter account information of users making them vulnerable to compromise

Sugandha Lahoti
21 Jan 2019
3 min read
Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, has found a vulnerability in a WordPress plugin called Social Network Tabs. The plugin leaks users’ Twitter account information, exposing them to compromise. This WordPress plugin is developed by Design Chemical and allows websites to help users share content on social media sites. MITRE has assigned the vulnerability CVE-2018-20555.

In a Twitter thread on Thursday, Elliot described the details of the bug. Per Elliot, the WordPress plugin is leaking twice the Twitter access_token, access_token_secret, consumer_key and consumer_secret of its users, which leads to a takeover of their Twitter accounts.

This was caused by a few lines of code within the page where the Twitter widget is displayed. Anyone who viewed this code was able to see the linked Twitter handle and the access tokens. If the access token had read/write rights, the attacker was also able to take over the account, and there were 127 such accounts.

Elliot tested the bug by searching PublicWWW, a website source code search engine. He was able to find 539 websites using the vulnerable code. He then managed to retrieve access tokens using a script, including the Twitter access_token, access_token_secret, consumer_key and consumer_secret, from 539 vulnerable websites. According to Elliot, this leak compromised over 446 Twitter accounts, with 2 verified accounts and multiple accounts with more than 10K+ followers. He has also made the full list of accounts public.

Elliot talked to TechCrunch about the vulnerability, saying that he had told “Twitter on December 1 about the vulnerability in the third-party plugin, prompting the social media giant to revoke the keys, rendering the accounts safe again. Twitter also emailed the affected users of the security lapse of the WordPress plugin but did not comment on the record when reached.”

However, this is not the case. On January 17, he mentioned in a tweet that, “With a simple Google search query, "inurl:/inc/dcwp_twitter.php?1=", you can find that a lot of websites and so Twitter accounts are still vulnerable to this issue. This query returns 3550 results.” He has also written a scraper to automatically extract the keys from the result of this Google search query.

Mastodon 2.7, a decentralized alternative to social media silos, is now out!

Bhagyashree R
21 Jan 2019
2 min read
Yesterday, the Mastodon team released Mastodon 2.7, which comes with major improvements to the admin interface, a new moderation warning system, and more. Mastodon is a free, open-source social network server, which is based on open web protocols like ActivityPub and OStatus. This server aims to provide users with a decentralized alternative to commercial social media silos and returns control of the content distribution channels to the people.

Profile directory

The new profile directory allows users to see active posters on a given Mastodon server and filter them by the hashtags in their profile bio. With the profile directory, users can find people with common interests without having to read through public timelines.

A new moderation warning system

This version comes with a new moderation warning system for Mastodon. Moderators can now inform users if their account is suspended or disabled. They can also send official warnings via e-mail, which are reflected in the moderator interface to keep other moderators up to date.

Improvements in the administration interface

Mastodon 2.7 combines the administration interfaces for known servers and domain blocks into a common area. Users can see information like the number of accounts known from a particular server, the number of accounts followed from your server, the number of individuals blocked or reported, etc.

A registration API

A new registration API is introduced, which allows apps to directly accept new registrations from their users, instead of having to send them to a web browser. Users still receive a confirmation e-mail when they sign up through the app, which contains an activation link that can open the app.

New commands for managing a Mastodon server

The tootctl command-line utility used for managing a Mastodon server has received two new commands:

  • tootctl domains crawl: You can scan the Mastodon network to discover servers and aggregate statistics about Mastodon’s usage.
  • tootctl accounts follow: You can make the users on your server follow a specified account. This command comes in handy in cases where an administrator needs to change their account.

You can read the full list of improvements in Mastodon 2.7 on its website.

Internet Outage or Internet Manipulation? New America lists government interference, DDoS attacks as top reasons for Internet Outages across the world

Melisha Dsouza
21 Jan 2019
5 min read
On 17th January, New America published a blog post on the rising number of Internet blackouts since 2018, citing various examples for the same and hinting at political reasons behind it. The post also predicts the same trend to continue in 2019 owing to two factors- countries deliberately “turning off” the internet within their borders, and hackers attempting a distributed denial-of-service (DDoS) attack ultimately leading to internet disruptions. Amongst the various reasons listed for abruptly cutting off a country’s internet connection were-  to avoid the “chaos” that might result from presidential election results in the Democratic Republic of Congo, an attempted coup in Gabon, under the sea internet cables being mysteriously cut off in Mauritania and much more. The post also lists a history of internet blackouts, right from 2004, that were caused by the governments of various countries to possibly manipulate people and stop protests against their Presidents. All of this “internet manipulation” makes us wonder how safe would one feel in a country whose government controls a centralized internet. This also makes us ponder on the power that governments- with relatively centralized internets- have, who can literally disconnect their domestic internet networks to cut off from the rest of the globe during domestic unrest or other government-related heists. The post also points out the fact that the government controlling components of the internet- like its hardware- to disrupt the working of the same, is a sign of “censorship” and “social control”. As for the DDOS attacks against the rising IoT devices, the post highlighted how IoT devices of today largely lack in their security features and can be easily hacked into. Hackers can easily take advantage of these security loopholes and block segments of the internet, directing traffic to a single site/service until it’s overwhelmed and can no longer function. 
The American internet was taken down in 2016 by the Mirai botnet that worked on similar lines, being the largest DDOS attack known till date and taking down major sites like Twitter, Spotify, SoundCloud, etc. New America has also indicated that these DDOS attacks are now being associated with government controlled internet blackouts. Jason Healey and Robert Knake wrote in a recent Council on Foreign Relations report, DDoS attacks via hijacked IoT devices can “cause serious harm by allowing foreign governments to stifle free speech abroad and enabling them to shut down countries’ domestic networks or even the internet globally.” A report from the Council to Secure the Digital Economy states that, these incidents undermine “fundamental confidence and trust in the digital economy” that depends on reliable availability and performance of internet services. If these are the problems associated with a centralized form of the internet, why don’t countries switch over to a more decentralized version then? The post states that the internet has become centralized in countries where the government has dictated the buildout of infrastructure and also where there’s little market competition for internet services. Policymakers should thereby pay minute attention while creating cyber norms taking into consideration the current scenario of internet manipulation. The technical standards for IoT devices need to tighten considering the extent of harm they can cause by being manipulated by malicious actors. The post states that, currently, there exist “virtually no consensus rules” for “minimum security” on these devices, and that many industry organizations and government agencies are possibly using IoT systems that have terrible security. Outcomes of this could be vulnerability to connected infrastructure systems, open wearable-IoT-wearing government personnel to real-time GPS tracking, devices that can be easily hijacked in service of DDoS attacks and much more. 
Here are some interesting statistics from Access Now that list the number of outages through the years and popular reasons for the same.

A recent internet shutdown took place in Zimbabwe, where access to the internet and popular social media apps like Facebook, Twitter and WhatsApp has been blocked unless a VPN is used. The country's largest telecom company, Econet, has been sending customers text messages carrying the government's orders and calling the situation "beyond our reasonable control". A "total internet shutdown" was declared for most of Friday last week. The Sydney Morning Herald stated that critics called this “an attempt to hide growing reports of a violent crackdown on protests against a dramatic fuel price increase”.

Twitter has seen some interesting sentiments on the topic, with people debating the necessity of turning off the internet during domestic turmoil.

https://twitter.com/africatechie/status/1087024506571550720
https://twitter.com/cipesaug/status/1085499607185010688

It is sad to see how this is affecting normal citizens who depend on e-cash to fund various needs.

https://twitter.com/tapsy_j/status/1086166247639863297

Head over to New America for more insights on why you can expect 2019 to be a year filled with many more instances of politically motivated internet shutdowns like the one faced by Zimbabwe.
Natasha Mathur
21 Jan 2019
3 min read

Google Cloud and GO-JEK announce Feast, a new and open source feature store for machine learning

Last week, Google Cloud announced the release of Feast, a new open source feature store that helps organizations better manage, store, and discover new features for their machine learning projects. Feast, a collaboration between Google Cloud and GO-JEK (an Indonesian tech startup), is an open, extensible, and unified platform for feature storage. “Feast is an essential component in building end-to-end machine learning systems at GO-JEK. We’re very excited to release it to the open source community,” says Peter Richens, Senior Data Scientist at GO-JEK.

Feast has been developed to solve common challenges faced by machine learning development teams. Some of these challenges include:

Machine learning features not being reused (features representing similar business concepts get redeveloped many times when existing work from other teams could have been reused).
Feature definitions vary (teams define features differently and many times there is no easy access to the documentation of a feature).
Hard to serve up-to-date features (teams are hesitant to use real-time data).
Inconsistency between training and serving (training requires historical data, whereas prediction models require the latest values. When data is broken down into various independent systems, it leads to inconsistencies as the systems then require separate tooling).

Feast gets rid of these challenges by providing a centralized platform that allows teams to easily reuse features developed by another team across different projects. Also, as you add more features to the store, it becomes cheaper to build models.

Apart from that, Feast manages the ingestion of data by unifying it from both batch and streaming sources (using Apache Beam) into the feature warehouse and feature serving stores. Users can then query features in the warehouse using the same set of feature identifiers.
It also gives users easy access to historical feature data, which in turn can be used to produce datasets for training models. Moreover, Feast allows teams to capture documentation, metadata, and metrics about features, allowing them to communicate clearly about these features.

Feast aims to be deployable on Kubeflow in the future and would get integrated seamlessly with other Kubeflow components, such as a Python SDK for use with Kubeflow's Jupyter notebooks, and Kubeflow Pipelines. This is because Kubeflow focuses on improving packaging, training, serving, orchestration, and evaluation of models. “We hope that Feast can act as a bridge between your data engineering and machine learning teams”, says the Feast team.

For more information, check out the official Google Cloud announcement.
Prasad Ramesh
21 Jan 2019
2 min read

Ruby on Rails 6.0 Beta 1 brings new frameworks, multiple DBs, and parallel testing

Last Friday, the first release of Rails 6 was announced. Rails 6.0 Beta 1 adds two major new frameworks, Action Mailbox and Action Text. There are also two scalability upgrades in the form of multiple database support and parallel testing.

Action Mailbox in Rails 6.0 Beta 1

This new framework routes incoming emails to controller-like mailboxes so that they can be processed in Rails. Action Mailbox comes with ingresses for Amazon SES, Mailgun, Mandrill, Postmark, and SendGrid. Users can also manage incoming emails directly via the built-in Exim, Postfix, and Qmail ingresses.

Action Text in Rails 6.0 Beta 1

This framework brings rich text content and editing to Rails. It introduces the Trix editor, which handles everything from formatting, links, quotes, and lists to embedded images and galleries. Rich text generated by the Trix editor is saved in its own RichText model, which is associated with existing Active Record models in the application. Embedded images and other attachments are stored by default via Active Storage and are associated with the RichText model.

Multiple database support

Multiple database support allows a single application to connect to multiple databases simultaneously. This can be done to segment certain records into their own databases for scaling or isolation. It can also be useful if you’re performing read/write splitting with replica databases to improve performance. Regardless of the use case, there’s a simple API in Rails 6.0 for this task, so you don’t have to dig into Active Record internals.

Support for parallel testing

You can now utilize all the cores in your computer to run big test suites faster with parallel testing support. Every testing worker has a separate database and thread so all the CPUs will be utilized effectively.

Webpacker is the default JavaScript bundler for Rails 6.0 via the new app/javascript directory. The asset pipeline with Sprockets, used for CSS and static assets, integrates well with it while offering the best trade-off of advanced JavaScript features.

Rails 6.0 will need Ruby 2.5.0 or later. Rails 6.0 Beta 2 should be out next month, and the final release is expected in April, in time for RailsConf 2019. You can look at the changelog files to know more about the changes.
Bhagyashree R
21 Jan 2019
3 min read

Facebook takes down pages of Russian news agency Sputnik for engaging in “coordinated inauthentic behavior”

Last week, Facebook shared that it has removed hundreds of pages, groups, and accounts for engaging in “coordinated inauthentic behavior” on Facebook and Instagram. These accounts were found to be linked to employees of Sputnik, a news website and radio broadcast service established by a government-owned and operated news agency, Rossiya Segodnya, based in Moscow.

https://twitter.com/alexstamos/status/1085914558319841280

Sputnik believes that this step by Facebook is nothing but “practically censorship”. In a statement, it said, "The decision is clearly political in its nature and is practically censorship — seven pages belonging to our news hubs in neighboring countries have been blocked." It further added, "Sputnik editorial offices deal with news and they do it well. If this blocking is Facebook's only reaction to the quality of the media's work, then we have no questions, everything is clear here. There is still hope that common sense will prevail."

Research done by the Digital Forensic Research Lab (DFRLab) revealed that the pages and accounts weren’t limited to news content. Some pages were devoted to travel in Latvia, while others were devoted to fans of the president of Tajikistan. In a blog post, the Digital Forensic Research Lab wrote, “Most posts were apolitical, but some, especially in the Baltic States, were sharply political, anti-Western, and anti-NATO.” According to DFRLab, the main aim of these pages and accounts was to promote Rossiya Segodnya: “the effect of these activities was promotion of Rossiya Segodnya (the state-run Russian news agency that launched Sputnik) output to a range of special-interest audiences, without stating their background or affiliation.” The main concern was that most of these pages were covert and did not openly mention any connection to Rossiya Segodnya.

What did Facebook’s research reveal?
After this investigation, Facebook took down 364 Facebook Pages and accounts as part of a network that was found to have originated in Russia and operated in the Baltics, Central Asia, the Caucasus, and Central and Eastern European countries. These accounts were primarily focused on news or general interest topics like weather, travel, sports, economics, or politicians. Some of the accounts and pages frequently posted about topics like anti-NATO sentiment, protest movements, and anti-corruption.

This takedown is the latest in a series of actions taken by the social media platform against inauthentic pages, groups, and accounts. In November 2018, Facebook removed 107 Facebook Pages, Groups, and accounts, as well as 41 Instagram accounts.

Nina Jankowicz, a Global Fellow at the U.S. government-funded Kennan Institute, tweeted that these posts consisted of inflammatory news and targeted individual Ukrainian regions/cities:

https://twitter.com/wiczipedia/status/1085877046016860160

She believes that detecting accounts linked to a “state-run propaganda arm” should have been easier for Facebook, and that it should invest more in the early detection of these types of accounts:

https://twitter.com/wiczipedia/status/1085877051876429824

To read more in detail, check out Facebook’s original news.
Sugandha Lahoti
21 Jan 2019
2 min read

EU cancels the final vote negotiations on EU copyright bill amidst massive protests

The EU’s proposed copyright bill has received major opposition from Europeans for its Articles 11 and 13, also known as the “link tax” rule and the “censorship machines” rule, respectively. Major European countries, including Germany, Italy, and the Netherlands, have been quite vocal about their reluctance to support the latest version of the proposal. Following this, the EU has canceled today’s negotiations for a final vote on the copyright directive.

Article 13 of the directive will require “information society service providers” – user-generated information and content platforms – to use “recognition technologies” to protect against copyright infringement. Article 11 gives large press organizations more control over how their content is shared and linked to online. It has been called the “link tax” – it could mean that you would need a license to link to content. According to news sites, this law would allow them to charge internet giants like Facebook and Google that link to their content.

Further reading: What the EU Copyright Directive means for developers – and what you can do

Apparently, multiple countries including Germany, Italy, the Netherlands, and Poland voted against the latest text put forth by Romania earlier this week. MEP Julia Reda has confirmed this news. In a blog post, she writes, “A total of 11 countries voted against the compromise text proposed by the Romanian Council presidency earlier this week. All of these governments are known for thinking that either Article 11 or Article 13, respectively, are insufficiently protective of users’ rights. At the same time, some rightsholder groups who are supposed to benefit from the Directive are also turning their backs on Article 13.”

https://twitter.com/Senficon/status/1086335378141966336

Last week, EFF also urged people from Sweden, Germany, Luxembourg, and Poland to contact their ministers to convey their concern about Articles 13 and 11.
The outcome of today’s Council vote shows that public attention to copyright reform is having an effect. This means that the bill could receive a significant overhaul when it comes up for a vote, which would also result in a delay in implementation. This does not, however, mean that the Copyright Directive has been rejected.
Prasad Ramesh
21 Jan 2019
2 min read

Future of ESLint support in TypeScript

In a blog post, the ESLint team talks about the future of ESLint on TypeScript. Earlier, the TypeScript team talked about their future plans, including bringing ESLint into their repository to improve compatibility between the two. Feedback from the TypeScript community showed that the linting experience in TypeScript was not that good. The team then announced support for both ESLint and TSLint. The former worked well with TypeScript, while TSLint would cause duplicate work and induce some breaking changes. Also, some lint rules were not present in TSLint. Hence the focus has been on incorporating ESLint.

Many members of the ESLint team have been working to improve its compatibility with TypeScript. The focus of this earlier work was on the TypeScript parser and typescript-eslint-parser. Other than that, there were also efforts on eslint-plugin-typescript, which was maintained by individual team members. The TypeScript parser will become an important part of the integration of the two, and the ESLint team wants to ensure its proper maintenance.

The typescript-eslint project

James Henry, a key contributor working on ESLint compatibility in TypeScript, started the typescript-eslint project as a centralized repository. It contains everything pertaining to TypeScript ESLint compatibility and will house the TypeScript parser, eslint-plugin-typescript, and other utilities that aid the TypeScript ESLint integration. The ESLint team itself won’t formally be a part of this project, but it seems to be supportive of Henry’s efforts.

ESLint’s future in TypeScript

The official ESLint team will no longer maintain typescript-eslint-parser. The repository is now archived and there will be no future releases of typescript-eslint-parser on npm. Users of typescript-eslint-parser are advised to switch to @typescript-eslint/parser. The typescript-eslint repository will be updated with any new developments on ESLint support in TypeScript.