
Tech News

3711 Articles

Node v11.0.0 released

Prasad Ramesh
24 Oct 2018
2 min read
Node v11.0.0 has been released. This release focuses primarily on improving internals and performance, and it updates V8 to the stable 7.0.

Build and console changes in Node v11.0.0

  • Build: Support for FreeBSD 10 is removed.
  • child_process: The default value of the windowsHide option is now true.
  • console: The console.countReset() function will emit a warning if the timer being reset does not exist. If a timer already exists, console.time() will no longer reset it.

Dependency and http changes

  • Dependencies: The Chrome V8 engine has been updated to v7.0.
  • fs: The fs.read() method now needs a callback. The fs.SyncWriteStream utility, which was previously deprecated, has now been removed.
  • http: In Node v11.0.0 the http, https, and tls modules use the WHATWG URL parser by default.

General changes

process.binding() has been deprecated and can no longer be used. Userland code using process.binding() should re-evaluate its use and initiate migration. An experimental implementation of queueMicrotask() has been added.

Internal changes

The Windows performance-counter support has been removed. The --expose-http2 command-line option has also been removed. In timers, interval timers will be rescheduled even if the previous interval gave an error. The nextTick queue will be run after each immediate and timer.

Changes in utilities

The WHATWG TextEncoder and TextDecoder APIs are now global. The util.inspect() method’s output size is limited to 128 MB by default. When NODE_DEBUG is set for either http or http2, a runtime warning will be emitted.

Some other additions

Some other utilities have been added, like:

  • '-z relro -z now' linker flags
  • internal PriorityQueue class
  • InitializeV8Platform function
  • string-decoder fuzz test
  • new_large_object_space heap space
  • dns memory error test
  • warnings when NODE_DEBUG is set as http/http2
  • Inspect suffix to BigInt64Array elements

For more details and a complete list of changes, visit the Node website.

Firefox 63.0 is released for desktop and Android, aiming to give users "greater control over technology that can track them on the web"

Richard Gall
23 Oct 2018
2 min read
Mozilla has today released Firefox 63.0 for desktop and Android, just over a month after the release of Firefox 62.0. The release brings a range of changes. Some of these are cosmetic, some improve the user experience, while others should improve life for developers. There is no update for iOS, however - version 12.0 was released in June.

What's new in Firefox 63.0 for desktop?

According to the release notes, the update should bring significant performance gains on Windows, where the build infrastructure has moved to the Clang toolchain. There is also a small cosmetic change: the Firefox theme now matches the Windows 10 OS Dark and Light modes.

For Mac users, Firefox should be a little faster. One of the reasons for this is that WebGL power preferences allow applications to request lower power GPUs in multi-GPU systems. This essentially means that the browser should use resources much more efficiently.

Interestingly, Firefox also now has content blocking features for Mac users that will "offer users greater control over technology that can track them around the web." This feature will allow users to decide when to block tracking technologies and when to allow them.

For developers, meanwhile, Firefox has not only had a small facelift. The team has also decided to enable the accessibility inspector by default. This indicates how assistive technologies are becoming more and more important for web users. It also highlights that web accessibility is now a problem to be tackled head on - not ignored.

What's new in Firefox 63.0 for Android?

For Android users, Firefox has added support for picture-in-picture video and now uses notification channels.

Read more about the new features and fixes on the Mozilla website.

GitLab 11.4 is here with merge request reviews and many more features

Prasad Ramesh
23 Oct 2018
3 min read
GitLab 11.4 was released yesterday with new features like merge request reviews, feature flags, and many more.

Merge request reviews in GitLab 11.4

This feature allows a reviewer to draft as many comments on a merge request as they prefer, check them for consistency, and then submit them all as a single action. A reviewer can spread their work over many sessions, as the drafts are saved to GitLab. The draft comments appear as normal individual comments once they are submitted. This gives individual team members flexibility: they can review code the way they want, and it will still be compatible with the entire team.

Create and toggle feature flags for applications

This alpha feature gives users the ability to create and manage feature flags for software directly in the product. It is as simple as creating a new feature flag and validating it using simple API instructions. You can then control the behavior of the software in the field via the feature flag within GitLab. Feature flags offer a feature toggle system for applications.

File tree for browsing merge request diff

The file tree summarizes both the structure and size of the change. It is similar to diff-stats, which provides an overview of the change, thereby improving navigation between diffs. Search allows reviewers to limit code review to a subset of files. This simplifies reviews by specialists.

Suggest code owners as merge request approvers

It is not always obvious who the best person is to review changes. The code owners are now shown as suggested approvers when a merge request is created or edited. This makes assigning the right person easy.

New user profile page overview

GitLab 11.4 introduces a redesigned profile page overview. It shows your activity via the familiar but shortened contribution graph. It displays the latest activities and most relevant personal GitLab projects.

Set and show user status message within the user menu

Setting your status is even simpler with GitLab 11.4. There is a new “Set status” item in the user menu which provides a fresh modal allowing users to set and clear their status right within context. In addition, the status you set is also shown in your user menu, on top of your full name and username.

There are some more features like:

  • Move the ability to use includes in .gitlab-ci.yml from starter to core
  • Run all jobs only/except for modifications on a path/file
  • Add timed incremental rollouts to Auto DevOps
  • Support Kubernetes RBAC for GitLab managed apps
  • Auto DevOps support for RBAC
  • Support PostgreSQL DB operations for Auto DevOps
  • Other improvements for searching projects, UX improvements, and Geo improvements

For a complete list of features visit the GitLab website.

Uber’s Head of corporate development, Cameron Poetzscher, resigns following a report on a 2017 investigation into sexual misconduct

Amrata Joshi
23 Oct 2018
2 min read
Cameron Poetzscher, Uber’s Head of corporate development and best known as the ‘top dealmaker’, resigned from the company yesterday. Poetzscher joined Uber as the Vice President of corporate development in 2014 and was responsible for overseeing important business deals as well as the fundraising efforts for the company. He led Uber through its $7.7 billion investment from SoftBank. Uber confirmed that the resignation is effective immediately.

According to last month’s report by the Wall Street Journal, Poetzscher was the subject of a sexual misconduct investigation in 2017. The investigation took place a year ago, but the allegations weren't made public until September 2018, when the Wall Street Journal published a report highlighting the investigation. Per the report, an outside law firm investigated and found that Poetzscher had a pattern of making sexually suggestive comments about other co-workers, including describing “which ones he would like to sleep with.” He was also engaged in a consensual affair with a colleague that violated the company's policy.

Poetzscher was formally disciplined in November 2017, according to the report, though some people at the company argued he should have been fired. His formal statement, after the report, said, “After some concerns were raised in 2017, an outside law firm conducted a confidential review and I was rightfully disciplined.”

Three months ago, Uber's Head of Human Resources, Liane Hornsey, also resigned from the company. Her departure came exactly a day after Reuters contacted Uber regarding an investigation based on complaints about Liane Hornsey's handling of allegations of racial discrimination, according to the outlet.

Uber’s newly appointed Financial Chief, Nelson Chai, will take up Cameron Poetzscher’s responsibilities while the firm seeks a replacement, a spokesman confirmed to the Wall Street Journal.

FreeRTOS affected by 13 vulnerabilities in its TCP/IP stack

Savia Lobo
23 Oct 2018
2 min read
FreeRTOS, a popular real-time operating system kernel for embedded devices, has been found to have 13 vulnerabilities, as reported by Bleeping Computer yesterday. Some of these 13 vulnerabilities allow remote code execution.

FreeRTOS supports more than 40 hardware platforms and powers microcontrollers in a diverse range of products including temperature monitors, appliances, sensors, fitness trackers, and any microcontroller-based devices. It works at a smaller component scale and lacks the complexity that comes with more elaborate hardware. However, it allows processing of data as it comes in.

A researcher at Zimperium, Ori Karliner, analyzed the operating system and found that all of its varieties are vulnerable to:

  • 4 remote code execution bugs
  • 1 denial of service
  • 7 information leaks
  • another security problem which is as yet undisclosed

Here’s the full list of the vulnerabilities that affect FreeRTOS, with their identifiers:

  • CVE-2018-16522: Remote Code Execution
  • CVE-2018-16525: Remote Code Execution
  • CVE-2018-16526: Remote Code Execution
  • CVE-2018-16528: Remote Code Execution
  • CVE-2018-16523: Denial of Service
  • CVE-2018-16524: Information Leak
  • CVE-2018-16527: Information Leak
  • CVE-2018-16599: Information Leak
  • CVE-2018-16600: Information Leak
  • CVE-2018-16601: Information Leak
  • CVE-2018-16602: Information Leak
  • CVE-2018-16603: Information Leak
  • CVE-2018-16598: Other

FreeRTOS versions affected by the vulnerability

FreeRTOS versions up to V10.0.1, AWS FreeRTOS up to V1.3.1, OpenRTOS and SafeRTOS (with WHIS Connect middleware TCP/IP components) are affected.

Amazon has been notified of the situation. In response, the company has released patches to mitigate the problems. Per the report, “Amazon decided to become involved in the development of the product for the Internet-of-Things segment. The company extended the kernel by adding libraries to support cloud connectivity, security and over-the-air updates.”

According to Bleeping Computer, “Zimperium is not releasing any technical details at the moment. This is to allow smaller vendors to patch the vulnerabilities. The wait time expires in 30 days.”

To know more about these vulnerabilities in detail, visit the full coverage by Bleeping Computer.

Stable version of OpenZeppelin 2.0, a framework for smart blockchain contracts, released!

Melisha Dsouza
23 Oct 2018
3 min read
Early last month, the team at OpenZeppelin announced their first release candidate, ‘OpenZeppelin 2.0 RC1’. Yesterday, the team released a completely stable, audited, and fully tested package of this framework.

OpenZeppelin is an open-source framework to build secure smart contracts for Ethereum and other EVM and eWASM blockchains. The framework provides well-tested and audited code to secure blockchain-based projects. It caters to a new generation of distributed applications, protocols and organizations, to counter the high risks and challenges faced while writing simple and secure code that deals with real money.

Features of OpenZeppelin 2.0

#1 A Stable API

One of the major updates of this release is that OpenZeppelin 2.0 now comes with a stable API to deliver reliable updates. The previous releases of OpenZeppelin almost always brought a change in the API. This has helped the team come up with multiple ideas for the framework. The experimental contracts in the drafts/ subdirectory can, however, experience changes in their minor versions. With the growing size and complexity of smart contract systems, developers can use this framework as a predictable interface to design vulnerability-free contracts. The team plans to release more information on the Stable API in the following weeks.

#2 Improved test suite

The team has been improving OpenZeppelin’s test suite over time. OpenZeppelin 2.0 now has 100% test coverage. Every line of code in the package is now automatically tested.

#3 Full Independent Audit

The LevelK team audited the OpenZeppelin 2.0.0 Release Candidate and found some severe issues. They then went on to suggest many improvements, which helped fix almost all the issues and notes reported. Users are requested to check out the LevelK Audit - OpenZeppelin 2.0 project for all the details. The audit has helped the team secure the code further and helps future developers easily deploy these contracts as they are intended to be used.

#4 Miscellaneous Updates

In addition to a stable API and an improved test suite, the version update comes with new concepts and designs along with many renames and restructures. These include changes like Ownable contracts moving to role-based access. Derived contracts cannot access state variables directly, as they are now private, so the use of getters is important. This was done to increase encapsulation.

The team has also removed a few contracts that are not secure enough. For instance, LimitBalance, HasNoEther, HasNoTokens, HasNoContracts, NoOwner, Destructible, TokenDestructible, and CanReclaimToken have been removed.

You can check all of these upgrades as well as the entire changelog on GitHub. Alternatively, head over to their blog for more insights on this release.

‘Eagle’ App: A desktop tool to collect, store, search, and organize your digital assets all in one place

Savia Lobo
23 Oct 2018
2 min read
Last week, Eagle, a Taiwan-based startup, launched an application that helps designers better organize and manage their digital assets. These assets include design mockups, inspirational images, pictures, screenshots, and user interfaces, which designers can use easily on their desktops.

The Eagle app is similar to an image version of the ‘Evernote’ application. Eagle allows the use of folders, tags, colors and many other factors to manage, categorize and sort images. When in need of these images, users can use the powerful search engine to locate the desired image quickly. The application supports both Mac and Windows operating systems.

The Eagle app helps users keep their design files neat and tidy. It works with formats such as JPG, PNG, GIF, EPS, TIF, SVG, Photoshop, Adobe Illustrator, Keynote, PowerPoint, MP4, PDF, CINEMA 4D, and more.

Augus Chen, Founder of Eagle, says, “Eagle helps you manage pictures, screenshots, user interfaces and designs that make your lightbulb shine. If you are a designer, you will definitely love this. It’s super easy to sync it through Google Drive, Dropbox, OneDrive or any other cloud storage service. Browser plug-ins and filtering functions save a lot of time for designers.”

Key features of the Eagle app include:

  • Browser Extension to save images and screenshots from any website.
  • Save a bunch of images at once from a website.
  • Drag & Drop images from other apps.
  • Handy Clipboard to copy and paste any image you like.
  • Add Tags to any image or a group of images to find them faster.
  • Smart Folders to organize and automatically filter images by name or tags.
  • Annotate ideas and suggestions on a specific area of an image.
  • Advanced Filter to search for images based on keywords, colors, image formats, etc.

To know more about the Eagle app in detail, visit its official website.

Following Instagram founders, Brendan Iribe, Oculus co-founder, leaves Facebook

Natasha Mathur
23 Oct 2018
3 min read
The co-founder and former CEO of Oculus, Brendan Iribe, announced yesterday on his Facebook page that he’s leaving Facebook. This is the second high-profile exit from Facebook within a span of a month, as Kevin Systrom, CEO, Instagram, and Mike Krieger, CTO, Instagram, also resigned from Facebook on 24th September.

“So much has happened since the day we founded Oculus in July 2012. I never could have imagined how much we would accomplish and how far we would come. And now, after six incredible years, I am moving on”, mentioned Iribe. Facebook acquired Oculus VR for $3 billion back in March 2014.

“I'm deeply proud and grateful for all that we've done together. We assembled one of the greatest research and engineering teams in history, delivered the first step of true virtual presence with Oculus Rift and Touch, and inspired an entirely new industry. We started a revolution that will change the world in ways we can't even envision”, writes Iribe.

Another Oculus co-founder, Palmer Luckey, left Facebook in 2017. Luckey, who had not mentioned anything regarding his departure from Facebook last year, told CNBC earlier this month that “there’s a lot of people at Facebook who have been leaving that were very happy to work at Facebook in 2012 that don’t want to work at Facebook in 2018. I can’t talk about it too much, but I’ll say that it wasn’t my choice to leave.”

Iribe talked about how the VR and AR industry needs to improve more, specifically the hardware and core technology. Iribe believes that Oculus is the best team in the world to enhance the AR/VR experience for everyone. He also mentioned that this is his first “real” break in over 20 years and that it's time for him to recharge, reflect and be creative.

Iribe also posted on Twitter regarding his decision to leave:

https://twitter.com/brendaniribe/status/1054426851349688320

A report from TechCrunch indicates that Iribe’s decision to leave wasn’t entirely harmonious. It could be an outcome of Facebook canceling the company’s next-generation “Rift 2” PC-powered virtual reality headset. However, Andrew “Boz” Bosworth, VP, AR/VR at Facebook, denied the TechCrunch report in a tweet:

https://twitter.com/boztank/status/1054448131465605120

Bosworth also bid goodbye to Brendan on Twitter saying, “You built an incredible team and you defined the first generation of VR. Thank you for entrusting us with this work, Brendan”. Also, Nate Mitchell, co-founder & Head of Rift at Oculus, tweeted about the future of Rift:

https://twitter.com/natemitchell/status/1054460295697944578

“Working alongside so many talented people at Oculus and Facebook has been the most transformative experience of my career. The success of Oculus was only possible because of such an extraordinary team effort. I'd like to sincerely thank everyone that's been a part of this amazing journey, especially Mark for believing in this team and the future of VR and AR”, mentions Iribe.

Dojo 4.0 released with support for Progressive Web Apps, a redesigned Virtual DOM, and more!

Bhagyashree R
23 Oct 2018
4 min read
Last week, the Dojo community announced the release of Dojo 4.0. This version aims for better application optimization and analysis. It comes with better support for code splitting and Progressive Web Apps (PWAs), a redesigned Virtual DOM, and more. Also, TypeScript forwards-compatibility is updated from 2.7 to 3.0.

Improved Dojo CLI tooling

Separating an application into bundles, better known as code splitting, has been possible since the previous versions of Dojo. To do this, developers had to add some configuration to specify how the application should be bundled. Dojo 4.0 automatically splits your application based on its top-level routes. cli-build-app, the CLI command for building optimized Dojo applications, provides this functionality out of the box.

Additionally, a bundle analyzer is automatically generated when running a build in production. It gives you even more insight into the bundles.

The CLI is further improved with support for externals, allowing non-modular libraries or standalone applications that cannot be bundled normally to be included in a Dojo application. Support for automatic parsing, hashing, and bundling of resources from index.html, and the inclusion of assets from the catch-all assets directory, is also added.

Support for old browsers by explicit opt-in

Earlier, all browsers were supported by default. This behavior is now reversed, and support for older browsers back to IE11 is available by explicit opt-in. This results in smaller and faster applications for newer browsers as they add support for features natively.

Support for Progressive Web Apps

The framework is now optimized for the PRPL pattern in order to support Progressive Web Apps (PWAs). PRPL is a pattern for structuring and serving PWAs, keeping the performance of app delivery and launch in mind. Here is what it stands for:

  • Push critical resources for the initial URL route.
  • Render initial route.
  • Pre-cache remaining routes.
  • Lazy-load and create remaining routes on demand.

To get a better understanding of the PRPL pattern, you can check out the explanation on Google Developers.

Updates in the Dojo Framework

The @dojo/framework has also seen various updates and the addition of new features:

  • The Virtual DOM engine has been redesigned and rewritten from the ground up. This overhauled Virtual DOM comes with improved rendering performance and reduced overall size of the framework.
  • A few improvements have been added when using the w() and v() pragmas. These include a better composition of nodes, rendering a dynamic import directly using w(), and enabling the use of meta for nodes that are passed as children to a widget.
  • In this release, the routing system within the framework has received an improved route-matching algorithm.
  • dojo/stores comes with middleware support for local storage in this release, and a new StoreProvider eases the injection of application state. The StoreProvider is used like any widget to inject the store into the vdom tree using a render property.
  • The existing Link component is refactored, and an ActiveLink component is added that applies classes when the link's outlet is "active".

Breaking changes

  • The routing events are emitted after the routing navigation is completed.
  • runAfterRenders is now private.
  • Symbol usage in widget-core is no longer allowed, because symbols are unique to a specific version and their usage causes issues.
  • In order to consolidate existing dojo/core modules, many modules have been removed. Instead, using alternatives such as a fetch polyfill is advised for consumers that need to support IE11.
  • The Outlet is changed from a higher order component (HOC) to a standard component with a render property. Having an outlet as a HOC implies that it would be shared across the application, which outlets generally are not.

Read the official announcement at Dojo’s official website and also check their release notes.

Mozilla partners with ProtonVPN to test a paid VPN service for Firefox, reports Ghacks

Bhagyashree R
22 Oct 2018
4 min read
Yesterday, Ghacks reported that Mozilla has partnered with a Swiss VPN provider named ProtonVPN. They are testing its VPN service with a sample of Firefox 62 users in the United States, and this test starts on October 24th.

Users who connect to an unencrypted wireless network, or visit privacy-focused websites or streaming sites, might see a recommendation by Firefox. The recommendation confirms that Mozilla has selected ProtonVPN as the partner for this test and also shows the price of the subscription. This price matches the price that users pay for a monthly ProtonVPN subscription ($10 monthly) when they subscribe directly on the ProtonVPN website.

Why use VPN?

In case you are wondering what a Virtual Private Network (VPN) is, it is an encrypted connection over the internet from a device to a network. This encrypted connection ensures safe transmission of sensitive data and prevents unauthorized people from eavesdropping. It makes use of tunneling protocols such as PPTP, L2TP/IPSec, SSTP, and OpenVPN to establish a secure connection.

With a VPN, users working at home, on the road, or at a branch office can securely connect to a remote corporate server using the internet. From the user’s perspective, it is a point-to-point connection between the user's computer and a corporate server. The nature of the intermediate network is irrelevant to the user because it appears as if the data is being sent over a dedicated private link.

Why is Mozilla partnering with ProtonVPN?

Mozilla conducted a thorough evaluation of a long list of market-leading VPN services based on a wide variety of factors, ranging from the design and implementation of each VPN service. As a result of this evaluation, they selected ProtonVPN for this experiment. According to Mozilla, ProtonVPN offers a secure, reliable, and easy-to-use VPN service. ProtonVPN comes with the following advantages:

  • Strong security practices for better protection against hacking attempts.
  • It does not store or log information about the browsing of its users.
  • It follows the same mission as Mozilla: to improve data safety and security on the Web.

Mozilla also issued an announcement yesterday, explaining their decision to partner with ProtonVPN:

“Mozilla will be the party collecting payment from Firefox users who decide to subscribe. A portion of these proceeds will be shared with ProtonVPN, to offset their costs in operating the service, and a portion will go to Mozilla. In this way, subscribers will be directly supporting Mozilla while benefiting from one of the very best VPN services on the market today.”

According to Ghacks, this partnership will provide Mozilla another way of generating revenue:

“Mozilla has two main intentions when it comes to the new offering. First, to add a new revenue stream that is independent of the money that the organization gets from search engine companies like Google. The affiliate revenue earned from promoting the VPN in Firefox would reduce the stranglehold that search engine companies have on Mozilla. The bulk of Mozilla's revenue comes from deals with search engine companies like Google or Yandex. The second reason is that VPNs improve user privacy and security on the Internet. VPNs like ProtonVPN include security features that block certain attacks outright and they hide the IP address of the user device.”

Although this introduction of a VPN can ensure better security for users browsing the internet, the monthly charge of $10 is a bit steep. Also, since Firefox will be getting a share of the $10/month revenue if users subscribe to the service, it feels like a promotion of the VPN. It would have been much better if Mozilla had come up with their own VPN.

To know more about Mozilla testing ProtonVPN, check out the full story at ghacks.net and also read Mozilla’s official announcement.

Note: Yesterday, we reported that the test will begin on 22nd. We have now corrected the date according to the official announcement to 24th. We have also added the criteria on which Mozilla selected ProtonVPN and the reason they are partnering with them.
Savia Lobo
22 Oct 2018
3 min read

jQuery File Upload plugin exploited by hackers over 8 years, reports Akamai's SIRT researcher

Larry Cashdollar, a security researcher with Akamai's SIRT (Security Intelligence Response Team), found a vulnerability that impacts the jQuery File Upload plugin, as reported by Bleeping Computer last week. The vulnerability received the CVE-2018-9206 identifier earlier this month, which should help people pay closer attention to this flaw. Larry discovered the flaw together with Sebastian Tschan, also known as Blueimp, the developer of the plugin. They found that the flaw was caused by a change introduced in Apache 2.3.9, which disabled by default the .htaccess files that stored folder-related security settings.

The jQuery File Upload plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds and thousands of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.

The 8-year old issue finally found

As per the investigation, the developer identified the true source of the vulnerability not in the plugin's code, but in a change made in the Apache Web Server project dating back to 2010, which indirectly affected the plugin's expected behavior on Apache servers. The actual issue dates back to November 23, 2010, just five days before Blueimp launched the first version of his plugin. On that day, the Apache Foundation released version 2.3.9 of the Apache HTTPD server.

Larry, in an interview with ZDNet, said, “attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells”. "I've seen stuff as far back as 2016," he added. Hackers have been actively exploiting this flaw since 2016 and kept it low-key, without anyone knowing. Larry found several YouTube videos containing tutorials on how one could exploit the jQuery File Upload plugin vulnerability to take over servers. This means that the vulnerability was widely known to hackers, even if it remained a mystery for the infosec community.

According to ZDNet, “All jQuery File Upload versions before 9.22.1 are vulnerable. Since the vulnerability affected the code for handling file uploads for PHP apps, other server-side implementations should be considered safe.”

Measures taken against the formerly known ‘CVE-2018-9206’ flaw

From Apache 2.3.9 onward, .htaccess files are ignored unless specifically enabled by the administrator. There were two reasons for this change: first, to protect the administrator's system configuration by preventing users from customizing security settings on individual folders; second, to improve performance, since the server no longer has to check for a .htaccess file when accessing a directory.

After Apache 2.3.9, plugins using .htaccess files to impose access restrictions no longer benefited from the custom folder access security configuration. This was also the case with jQuery File Upload, which adds files to a root directory.

Now tracked as CVE-2018-9206, the coding flaw is no longer present in the latest version of jQuery File Upload. Tschan changed the code to allow only the image file types GIF, JPG, JPEG, and PNG by default; he provides instructions on how to enable more content without running a security risk.

Larry said, "I did test 1000 out of the 7800 of the plugin's forks from GitHub, and they all were exploitable”. The code he's been using for these tests is available on GitHub, along with a proof-of-concept for the actual flaw.

To know more about this in detail, head over to Bleeping Computer’s complete coverage.

Read more
Upgrade to Git 2.19.1 to avoid a Git submodule vulnerability that causes arbitrary code execution
Implementing Web application vulnerability scanners with Kali Linux [Tutorial]
‘Peekaboo’ Zero-Day Vulnerability allows hackers to access CCTV cameras, says Tenable Research
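The Apache behaviour described in the jQuery File Upload article above can be audited from the server configuration. The following is an added example, not code from the article, the plugin or Akamai: it reports directories whose .htaccess file Apache would silently ignore. The sample configuration, paths and function names are constructed for illustration, and the parser is a simplification that handles only literal `<Directory>` sections (no includes, virtual hosts or regex sections).

```python
import re

# Constructed sample configuration for illustration (not from a real server).
SAMPLE_CONF = """
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/app/config">
    # .htaccess is explicitly re-enabled here
    AllowOverride AuthConfig Limit
</Directory>
"""

# Literal <Directory> sections only; <DirectoryMatch> and regex forms are skipped.
DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.I | re.S)
OVERRIDE_RE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I | re.M)


def effective_allowoverride(conf_text, target_dir):
    """Return the AllowOverride tokens in force for target_dir.

    Sections are ranked by path length so the most specific one wins.
    With no matching directive the result is empty, mirroring the
    "AllowOverride None" default of Apache 2.3.9 and later.
    """
    target = target_dir.rstrip('/') + '/'
    applicable = []
    for path, body in DIRECTORY_RE.findall(conf_text):
        prefix = path.rstrip('/') + '/'
        values = OVERRIDE_RE.findall(body)
        if target.startswith(prefix) and values:
            # The last directive inside a section is the one that counts.
            applicable.append((len(prefix), values[-1]))
    if not applicable:
        return []
    applicable.sort(key=lambda item: item[0])
    tokens = applicable[-1][1].lower().split()
    return [] if 'none' in tokens else tokens


def ignored_htaccess_dirs(conf_text, dirs_with_htaccess):
    """List the directories whose .htaccess rules would not be applied."""
    return [d for d in dirs_with_htaccess
            if not effective_allowoverride(conf_text, d)]


if __name__ == '__main__':
    # Hypothetical directories known to contain a .htaccess file.
    candidates = ['/var/www/app/uploads', '/var/www/app/config']
    for directory in ignored_htaccess_dirs(SAMPLE_CONF, candidates):
        print('.htaccess ignored, restrictions not enforced:', directory)
```
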

Amrata Joshi
22 Oct 2018
3 min read

Mio, a header-only C++11 memory mapping library, released!

Mio, a cross-platform header-only C++11 memory mapping library with an MIT license, was released yesterday. Mio has been created with the objective of being easy to integrate into any C++ project. It provides memory-mapped file IO without the need to pull in Boost libraries. Users faced issues with the Boost.Iostreams library as it didn’t work efficiently with respect to memory mapping. Mio, however, has a lot of advantages over Boost.Iostreams.

Advantages of Mio over Boost.Iostreams

With Mio, it is possible to establish a memory mapping with an already open file handle/descriptor, which did not work with Boost.Iostreams.

Mio makes the memory mapping process easier by accepting any offset and finding the nearest page boundary, whereas Boost.Iostreams requires the user to pick offsets exactly at page boundaries, which may lead to errors.

Boost.Iostreams implements memory-mapped file IO with a std::shared_ptr to provide shared semantics, even when it is not needed. This may lead to the overhead of a heap allocation that is not required. Mio solves this problem with two classes for its two use-cases: one that is move-only, which is a zero-cost abstraction over the system-specific mapping functions, and another that is similar to its Boost.Iostreams counterpart, with shared semantics.

How does the memory mapping in Mio work?

The three ways to map a file into memory are:

Use the constructor, which throws on failure:
mio::mmap_source mmap(path, offset, size_to_map);

Use the factory function:
std::error_code error;
mio::mmap_source mmap = mio::make_mmap_source(path, offset, size_to_map, error);

Use the map member function:
std::error_code error;
mio::mmap_source mmap;
mmap.map(path, offset, size_to_map, error);

In each of the cases, you can either provide some string type for the file's path or you can simply use an existing, valid file handle. Mio does not check if the provided file descriptor has the same access permissions as the desired mapping, so the mapping process might fail. Such errors are reported via the std::error_code out parameter which is passed to the mapping function.

CMake: A build system to help Mio

As Mio is a header-only library, it has no compiled components. The CMake build system assists Mio by providing easy testing, installation, and subproject composition on many platforms and operating systems.

In Testing

When Mio is configured as the highest level CMake project, the suite of executables is built by default. Mio's test executables are integrated with the CMake test driver program, CTest.

In Installation

Mio's build system provides an installation target and, through CMake's find_package intrinsic function, support for downstream consumption. The installation location is arbitrary and can be specified by defining CMAKE_INSTALL_PREFIX at the time of configuration. In the absence of a user specification, CMake will install Mio to a conventional location based on the platform operating system.

Read more about Mio in detail on the official GitHub page.

Read more
Google releases Oboe, a C++ library to build high-performance Android audio apps
Graph Nets – DeepMind’s library for graph networks in Tensorflow and Sonnet
Ebiten 1.8, a 2D game library in Go, is here with experimental WebAssembly support and newly added APIs

Bhagyashree R
22 Oct 2018
3 min read

Center for Democracy and Technology formulates ‘Signals of Trustworthy VPNs’ to improve transparency among VPN services

Earlier this year in May, the Center for Democracy and Technology (CDT) held a discussion at RightsCon in Toronto with popular VPN service providers: IVPN, Mullvad, TunnelBear, VyprVPN, and ExpressVPN. Together they formulated a list of eight questions, called Signals of Trustworthy VPNs, that describe the basic commitments VPNs can make to signal their trustworthiness and positive reputation. CDT is a Washington, D.C.-based non-profit organization which aims to strengthen individual rights and freedom by defining, promoting, and influencing technology policy and the architecture of the internet.

What was the goal behind the discussion between CDT and VPN providers?

The goal of these questions is to improve transparency among VPN services and to help resources like That One Privacy Site and privacytools.io provide better comparisons between different services. Additionally, they will provide a way for users to easily compare the privacy, security, and data use practices of VPNs. This initiative will also encourage VPNs to deploy measures that will meaningfully improve the privacy and security of individuals using their services.

The questions they have come up with try to give users clarity in three areas:

Corporate accountability and business models
Privacy practices
Data security protocols and protections

You can find the entire list of the questions at CDT’s official website.

What are the key recommendations by CDT for VPN providers?

The following are a few of the best practices for VPN providers to build trust with their users:

VPN providers should share information about the company’s leadership team, which can help users know more about the reputation of who they are trusting with their online activities.
Any VPN provider should be able to share their place of legal incorporation and the laws they operate under.
They should provide detailed information about their business model, specifically whether subscriptions are the sole source of a service’s revenue.
They should clearly define what exactly they mean by “logging”. This information will include both connection and activity logging practices, as well as whether the VPN provider aggregates this information.
Users should be aware of the approximate retention periods for any log data.
VPN providers should put in place procedures for automatically deleting any retained information after an appropriate period of time. This period of time should be disclosed and the length of time should also be justified.
VPN providers can also implement bug bounty programs. This will encourage third parties to identify and report vulnerabilities they might come across when using the VPN service.
Independent security audits should be conducted to identify technical vulnerabilities.

To know more about the CDT’s recommendations and the eight questions, check out their official website.

Read more
Apple bans Facebook’s VPN app from the App Store for violating its data collection rules
What you need to know about VPNFilter Malware Attack
IBM launches Industry’s first ‘Cybersecurity Operations Center on Wheels’ for on-demand cybersecurity support
Prasad Ramesh
22 Oct 2018
2 min read

Another bug in Windows 10 October update that can cause data loss

Earlier this month, the Windows 10 October update had problems with files being deleted off users’ computers. As a result, Microsoft had to pause the mass rollout of the Windows 10 October update. After the issue was reported, Microsoft took steps and tested with the Windows Insider community to find the causes and fix this bug. But now there is another bug which can cause you to lose your files.

Many people who have installed the Windows 10 October update have reported an issue where ZIP operations are not working as intended. Windows fails to ask which files should be overwritten. When unzipping files to a folder, if other copies of those files already exist in that folder, Windows 10 usually asks whether those existing copies should be overwritten. This no longer happens after the update, and Windows just overwrites the files. The user is not even informed that the files have been overwritten.

Accidental overwrites are highly likely if the user doesn’t get any prompt or information. There can be situations where a modified file, for example, is overwritten with the original from the ZIP file. However, this happens only with the built-in Windows file manager. When a third-party tool is used to work with compressed files, this bug does not occur.

Wazhai, a Reddit user, sums up the issue nicely: “The issue is that in 1809, overwriting files by extracting from an archive using File Explorer doesn’t result in an overwrite prompt dialogue and also doesn’t replace any files at all; it just fails silently. There are also some reports that it did overwrite items, but did so silently without asking.”

There is also another scenario, not widely reported, where the file extraction seems to happen but no files are updated. This bug was discussed on Reddit over the weekend; the discussion can be read in the Reddit thread.

Read more
Microsoft pulls Windows 10 October update after it deletes user files
Microsoft fixing and testing the Windows 10 October update after file deletion bug
Microsoft Your Phone: Mirror your Android phone apps on Windows

Natasha Mathur
22 Oct 2018
4 min read

Yet another privacy expert quits Sidewalk Labs Toronto smart-city project with doubts over its ‘privacy by design’ commitment

Ann Cavoukian, Ontario’s former Privacy Commissioner, stepped down from her role as a consultant at Google’s sister company Sidewalk Labs last Friday. Sidewalk Labs has collaborated with Waterfront TO, an organization responsible for revitalization projects along the Toronto waterfront in Canada. The collaboration includes developing a 12-acre hi-tech neighborhood, called Quayside, on the shore of Lake Ontario.

Cavoukian is not the only one. Saadia Muzaffar, tech entrepreneur and founder of TechGirls Canada, also stepped down from her advisory role earlier this month, over “profound concerns” about the Quayside project. She also mentioned how Waterfront Toronto showed "apathy and a lack of leadership regarding shaky public trust".

The project involves deploying internet-connected devices such as pedestrian counters and air-quality sensors, among others, to track energy consumption, noise, traffic, and pollution. It has, however, sparked debate and criticism over the concern that people’s privacy is being compromised as the company collects all their data via sensors.

Sidewalk Labs came out with a digital governance framework last week to “set a new model for responsible data use in cities — anchored by an independent Civic Data Trust”. Cavoukian’s decision to resign from the project seems to be the result of this recent digital governance framework. As per the proposal, Sidewalk Labs would be committed to “de-identifying” the data (wiping it of personal info), but it has no power to control what third parties do with that data. This is different from what Cavoukian was advocating (Privacy by Design), and she did not approve of it.

“Sidewalk Labs has committed to implement, as a company, the principles of Privacy by Design. Though that question is settled, the question of whether other companies involved in the Quayside project would be required to do so is unlikely to be worked out soon and may be out of Sidewalk Labs’ hands," Sidewalk spokesman Dan Levitan mentioned in an e-mailed statement, as reported by the Globe and Mail.

Cavoukian’s Privacy by Design principles (considered a global standard) embed privacy measures into the design of a project, asking questions such as “What is the minimum data you really need to accomplish the goal?” and “Do you need personal information, or can you accomplish it with de-identified data?”. The main feature of this framework is that when personal information is collected via surveillance cameras and sensors, all kinds of personally identifying information (PII) get anonymized automatically at the source.

Although the proposal states that “No one should own urban data — it should be made freely and publicly available“, it is not immediately clear who would lead the governance body that handles all the data.

“Just think of the consequences: If personally identifiable data are not de-identified at source, we will be creating another central database of personal information (controlled by whom?), that may be used without data subjects’ consent, that will be exposed to the risks of hacking and unauthorized access,” wrote Cavoukian in her resignation letter, as reported by the Globe and Mail.

Cavoukian mentioned that she would return to the project only if Waterfront Toronto confirms that all the parties involved in the project wanting to use the public data would de-identify the personal data at its source.

Read more
“We can sell dangerous surveillance systems to police or we can stand up for what’s right. We can’t do both,” says a protesting Amazon employee
Did you know Facebook shares the data you share with them for ‘security’ reasons with advertisers?
Facebook finds ‘no evidence that hackers accessed third party Apps via user logins’, from last week’s security breach