
Tech News

3711 Articles
Sugandha Lahoti
05 Mar 2019
2 min read

W3C and FIDO Alliance declare WebAuthn as the web standard for password-free logins

Yesterday, the W3C and the FIDO Alliance approved WebAuthn as an official web standard, eliminating password-based logins. WebAuthn, or Web Authentication, was first introduced in November 2015 as a way of replacing passwords for securing online accounts. It is already supported by most browsers, including Chrome, Firefox, Edge, and Safari, as well as in Android and Windows 10.

WebAuthn allows users to log into their internet accounts using biometrics, mobile devices, and/or FIDO security keys, which offer higher security than passwords alone. WebAuthn is an important component of the FIDO Alliance’s FIDO2 set of specifications. FIDO2 is a standard that supports public key cryptography and multifactor authentication.

Per the official press release, FIDO2 attempts to address traditional authentication issues in four ways:

  • Security: FIDO2 cryptographic login credentials are unique across every website; biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft, and replay attacks.
  • Convenience: Users log in with simple methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device.
  • Privacy: Because FIDO keys are unique for each internet site, they cannot be used to track users across sites.
  • Scalability: Websites can enable FIDO2 via an API call across all supported browsers and platforms on billions of devices consumers use every day.

“Web Authentication as an official web standard is the pinnacle of many years of industry collaboration to develop a practical solution for stronger authentication on the web,” said Brett McDowell, executive director of the FIDO Alliance, in a statement. “With this milestone, we're moving into a new era of ubiquitous, hardware-backed FIDO Authentication protection for everyone using the internet.”

WebAuthn is already implemented on sites such as Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter. Now that it is the official standard, other sites are expected to adopt it, leading to more password-free logins across the web.

Bhagyashree R
04 Mar 2019
3 min read

Shadow Robot Company, SynTouch, and HaptX, ANA Holdings collaborate on ‘haptic robot hand’ that can successfully transmit touch across the globe

Four organizations, Shadow Robot Company, SynTouch, HaptX, and ANA Holdings, have come together on a new advancement in haptic robots. These companies have built the “world’s first haptic robot hand” that transmits touch to the operator, the details of which they shared on Friday.

Haptics is one of the growing technologies in the field of human-computer interaction that deals with sensory interaction with computers. It is basically the science of applying touch sensation and control for interaction with virtual or physical applications.

How does the haptic robot hand work?

First, the HaptX Gloves capture the motion data to control the movement of the anthropomorphic dexterous hand by Shadow Robot Company. The BioTac sensors built by SynTouch are embedded in each fingertip of the robotic hand to collect tactile data. This data is used to recreate haptic feedback by the HaptX Gloves and is transmitted to the user’s hand.

The system was first demonstrated in front of all the collaborating companies. In the demo, an operator in California used a haptic glove to control a dexterous robotic hand in London, under the guidance of a team from ANA Holdings in Tokyo. When the robot started typing on the computer keyboard, the embedded tactile sensors on the robot’s fingertips recorded the press of each key. The haptic data was shared with the human operator in California through the network in real time. The words typed by the robot were “Hello, World!”. In the demo, the telerobot was also shown doing a number of other things, such as playing Jenga, building a pyramid of plastic cups, and moving chess pieces on a chess board.

In an email to us explaining the applications and importance of this advancement, Kevin Kajitani, Co-Director of ANA AVATAR within ANA Holdings, said, "This achievement by Shadow Robot, SynTouch, and HaptX marks a significant milestone towards achieving the mission of Avatar X. This prototype paves the way for industry use, including medicine, construction, travel, and space exploration."

Rich Walker, Managing Director of Shadow Robot Company, said, “This teleoperation system lets humans and robots share their sense of touch across the globe - it’s a step ahead in what can be felt and done remotely. We can now deliver remote touch and dexterity for people to build on for applications like safeguarding people from hazardous tasks, or just doing a job without having to fly there! It’s not touch-typing yet, but we can feel what we touch when we’re typing!”

Dr. Jeremy Fishel, Co-Founder of SynTouch, said, “We know from psychophysical studies that the sense of touch is essential when it comes to dexterity and manipulation. This is the first time anyone has ever demonstrated a telerobot with such high-fidelity haptics and control, which is very promising and would not have been possible without the great engineers and technologies from this collaboration.”

Jake Rubin, Founder and CEO of HaptX, said, “Touch is a cornerstone of the next generation of human-machine interface technologies. We’re honored to be part of a joint engineering effort that is literally extending the reach of humankind.”

Natasha Mathur
04 Mar 2019
2 min read

Google refuses to remove the controversial Saudi government app that allows men to track women

Earlier last week, US Reps. Jackie Speier, Ilhan Omar, Rashida Tlaib, and 11 others wrote a letter demanding that Google and Apple ban Absher, a Saudi government app that allows Saudi men to control where women can travel. “Keeping this application in your stores allows your companies and your American employees to be accomplices in the oppression of Saudi Arabian women and migrant workers”, reads the letter written by the US reps. to Apple and Google.

However, Google has decided to keep Absher on the Google Play store. Google communicated this decision to the office of Representative Jackie Speier, stating that the app does not violate any agreements, reported INSIDER last week. Apple is yet to make a decision.

The Absher app is based on the Saudi “guardian” law and comes with features aimed at restricting women’s travel to specific airports and routes. Also, if a woman tries to flee the country without permission, she can be caught instantly through Absher’s automatic SMS feature. This feature sends instant messages to the guardian whenever she crosses borders or checks in at an airport without permission.

Google and Apple had decided to investigate and review the app under rising pressure in mid-February, when US Senator Ron Wyden wrote to Apple and Google demanding that they remove the Absher app from the Google Play store. Apart from Wyden, activist groups including Human Rights Watch and Amnesty International had also slammed Apple and Google, earlier last month, for hosting Absher.

Speier told INSIDER that the responses from Google and Apple so far are ‘deeply unsatisfactory’. “As of today, the Absher app remains available in both the Apple App store and the Google Play Store. Facilitating the detention of women seeking asylum and fleeing abuse and control unequivocally causes harm. I will be following up on this issue with my colleagues," said Rep. Speier.

Amrata Joshi
04 Mar 2019
5 min read

Facebook open-sources homomorphic hashing for secure update propagation

Last week the team at Facebook open-sourced homomorphic hashing for secure update propagation. It is difficult to ensure consistency while propagating updates across a large network of peers, and traditional methods introduce compromises with respect to efficiency and scalability. To address this problem, Facebook's research team worked on this project and released a paper on it.

The paper formalizes the problem of secure update propagation and proposes a system that allows a centralized distributor to propagate signed updates across a network. The researchers show that their system is secure against an attacker who can maliciously modify any update and its signature. They opted for a cryptographic primitive known as homomorphic hashing, introduced by Bellare, Goldreich, and Goldwasser. They also studied an instantiation of the lattice-based homomorphic hash, the LtHash of Bellare and Micciancio, which is a specific homomorphic hashing algorithm.

The paper provides a detailed security analysis of the collision resistance of LtHash and describes an implementation of LtHash with a selection of parameters that ensure security. This implementation has been deployed to secure update propagation in production at Facebook and is also included in the Folly open-source library.

The challenges of securing update propagation

A central distributor is responsible for managing the master database and propagating updates to a set of subscribers in an efficient manner. In the simplest design, the distributor directly sends the updates to each subscribed client. As the number of subscribed clients and the rate of updates increase, this approach fails: it can saturate the network interface controller, leaving it unable to finish distributing one update before the next one is ready to be pushed.

A better approach is to delegate the propagation through the clients. Some of the subscribers can participate in forwarding the distributor’s original updates to other subscribers. According to the researchers, this approach would reduce the number of connections the distributor manages and the bandwidth will remain unaffected. But the major issue is to ensure consistency. Each subscriber needs to trust a set of intermediate subscribers to have correctly propagated the original updates. The challenge is to maintain the integrity of the distributor’s updates across a network of subscribers that could alter those updates. This is what is referred to as the secure update propagation problem.

Experimental approaches by the researchers

One possible solution is for the distributor to use digital signatures to assert the authenticity and integrity of the messages it distributes. The distributor generates a public and private key pair and publishes the public key to every subscriber upon joining the network, while keeping the private key secret. The signatures can then be constructed over the contents of the update or the contents of the updated database.

In the case of signing each update, the distributor directly signs the contents of each update that is sent to its subscribers. The signature can be used to verify the contents before applying the update to the database. While this approach prevents an attacker from modifying updates maliciously, it also adds complications to the handling of batch updates and offline database validation.

So another approach suggested by the researchers is to rely on a signature computed over the database contents after each update. But in this case, the distributor must iterate over the entire database to produce the signature.

Hashing approach - LtHash

An alternative approach is hashing, where the distributor uses a hash function to hash the entire database into a small digest. The resulting digest can be directly signed, as opposed to having the distributor sign the database itself. The collision resistance of the hash function and the unforgeability of the signature algorithm ensure integrity through the sequence of updates.

However, an ideal solution would allow the distributor and its subscribers to update the database hash irrespective of the size of the database. This is possible with the use of homomorphic hashing. The team used LtHash, a specific homomorphic hashing algorithm based on lattice cryptography, for creating an efficiently updatable checksum of a database. The checksum, along with a signature from the distributor of the database, allows a subscriber to validate the integrity of database updates.

LtHash was chosen in favor of other homomorphic hashing algorithms for its performance and efficient implementation. LtHash can take a set of arbitrarily long elements as input and produce a 2KB hash value as output. Two LtHash outputs can be “added” together by breaking each output into 16-bit chunks and performing component-wise vector addition modulo 2^16.

To know more about the implementation of secure update propagation, check out the paper.
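
The component-wise addition described above can be seen in the following sketch, an added example that is not code from Facebook, the paper, or Folly. It assumes SHAKE-256 as the function that expands each element to 2KB and a length-prefixed row encoding (both are choices made for this example), and it leaves out the distributor's signature over the digest.

```python
import hashlib
import struct

CHUNKS = 1024      # 1024 chunks x 16 bits = the 2KB output size the article cites
MOD = 1 << 16      # component-wise arithmetic is modulo 2^16


def expand(element):
    """Map one arbitrarily long element to a vector of 1024 16-bit integers.

    SHAKE-256 is an assumption of this example, used only because it gives a
    variable-length output from the standard library.
    """
    raw = hashlib.shake_256(element).digest(CHUNKS * 2)
    return list(struct.unpack("<%dH" % CHUNKS, raw))


def add(a, b):
    return [(x + y) % MOD for x, y in zip(a, b)]


def sub(a, b):
    return [(x - y) % MOD for x, y in zip(a, b)]


def encode_row(key, value):
    """Length-prefix both fields so ("ab", "c") and ("a", "bc") differ."""
    k, v = key.encode(), value.encode()
    return struct.pack("<I", len(k)) + k + struct.pack("<I", len(v)) + v


def hash_database(db):
    """Full recomputation: cost grows with the number of rows."""
    digest = [0] * CHUNKS
    for key, value in db.items():
        digest = add(digest, expand(encode_row(key, value)))
    return digest


def apply_update(db, digest, key, new_value):
    """Apply one row change and return the new digest.

    Only the old and new versions of the touched row are hashed, so the cost
    does not depend on the size of the database. new_value=None deletes.
    """
    if key in db:
        digest = sub(digest, expand(encode_row(key, db[key])))
    if new_value is None:
        db.pop(key, None)
    else:
        db[key] = new_value
        digest = add(digest, expand(encode_row(key, new_value)))
    return digest


def to_bytes(digest):
    return struct.pack("<%dH" % CHUNKS, *digest)


def demo():
    # Constructed sample database held by the distributor and one subscriber.
    distributor_db = {"alice": "role=admin", "bob": "role=user", "carol": "role=user"}
    start = hash_database(distributor_db)
    subscriber_db = dict(distributor_db)

    # The distributor applies an update and publishes the new digest
    # (in the real system this digest is what gets signed).
    published = apply_update(distributor_db, start, "bob", "role=auditor")

    # A subscriber receives the update through an honest relay...
    honest_db = dict(subscriber_db)
    honest = apply_update(honest_db, start, "bob", "role=auditor")

    # ...or through a relay that altered the update in transit.
    tampered_db = dict(subscriber_db)
    tampered = apply_update(tampered_db, start, "bob", "role=admin")

    return {
        "honest_ok": honest == published,
        "tampered_ok": tampered == published,
        "incremental_matches_full": published == hash_database(distributor_db),
        "digest_bytes": len(to_bytes(published)),
    }


if __name__ == "__main__":
    print(demo())
```

A subscriber that receives a modified update ends up with a digest that does not match the published one, so the mismatch is detected without rehashing the whole database.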

Natasha Mathur
04 Mar 2019
3 min read

GNU Octave 5.1.0 releases with new changes and improvements

The GNU Octave team released version 5.1.0 of the popular high-level programming language last week. GNU Octave 5.1.0 comes with general improvements, dependency changes, and other changes.

What’s new in GNU Octave 5.1.0?

General Improvements

  • The Octave plotting system in GNU Octave 5.1.0 supports high-resolution screens (the ones with greater than 96 DPI, such as HiDPI/Retina monitors).
  • There’s newly added Unicode character support for files and folders in Windows.
  • The fsolve function is modified to use larger step sizes while calculating the Jacobian of a function with finite differences, leading to faster convergence.
  • The ranks function is recoded for performance and has now become 25X faster. It also supports a third argument that specifies how the ranking of tied values is resolved.
  • Another function, randi, has also been recoded to produce an unbiased (all results are equally likely) sample of integers.
  • The function isdefinite now returns true or false instead of -1, 0, or 1.
  • The intmax, intmin, and flintmax functions can now accept a variable as input.
  • There is no longer a need for path handling functions to perform variable or brace expansion on path elements. Also, Octave’s load-path is no longer subject to these expansions.
  • A new printing device is available, "-ddumb", that can produce ASCII art for plots. This device has been made available only with the gnuplot toolkit.

Other Changes

Dependencies:

  • The GUI now requires Qt libraries in GNU Octave 5.1.0. The minimum Qt4 version that is supported is Qt4.8.
  • The OSMesa library is no longer used. To print invisible figures while using OpenGL graphics, the Qt QOFFSCREENSURFACE feature must be available.
  • The FFTW library should be able to perform FFT calculations. The FFTPACK sources are removed from Octave.

Matlab Compatibility:

  • The functions issymmetric and ishermitian now accept an option "nonskew" or "skew" for calculating the symmetric or skew-symmetric property of a matrix.
  • The issorted function can now use a direction option of "ascend" or "descend".
  • You can now use clear with no arguments and it will remove only local variables from the current workspace. Global variables will no longer be visible, but will exist in the global workspace.

Graphic Objects:

  • Figure graphic objects in GNU Octave 5.1.0 now have a new read-only property "Number" that returns the handle (number) of the figure. But if "IntegerHandle" is set to "off", the property will return an empty matrix [].
  • Patch and surface graphic objects can now use the "FaceNormals" property for flat lighting.
  • "FaceNormals" and "VertexNormals" can now be calculated only when necessary to improve graphics performance.
  • The "Margin" property of text objects has a new default of 3 rather than 2.

For the complete list of changes, check out the official GNU Octave 5.1.0 release notes.

Amrata Joshi
04 Mar 2019
4 min read

Leaked memo reveals that Facebook has threatened to pull investment projects from Canada and Europe if their data demands are not met

Facebook threatened to pull investment projects from Canada and Europe if the lobbying demands stated by Sheryl Sandberg, COO at Facebook, were not met, The Guardian reports.

Facebook was planning to build a data center in Canada to create jobs. The leaked memo, as seen by CW and the Guardian, reveals that the deal was to be made only if Christian Paradis, Canada's then minister of industry, sent a letter of reassurance to Sandberg. According to her, the letter should reassure Facebook that the existence of the data center would not be used by the country to extend its legal jurisdiction over non-Canadian data held by Facebook. Sandberg told officials from the European Union and Canada that if she did not receive any reassurances, Facebook would consider other options for investment and growth. On the same day, Facebook received the letter from Canada guaranteeing the independence of non-Canadian data. The EU is yet to give such an assurance. Because of the company’s relationship with the Irish government, Facebook was hoping to influence the EU as well.

These confidential documents were apparently leaked online. They were filed under seal as part of a lawsuit in California between Facebook and an app developer, Six4Three. The documents show a global lobbying operation by Facebook that targets legislators around the world, including countries like the U.K., United States, Canada, India, and Brazil.

In a statement to Business Insider, Facebook said, "Like the other documents that were cherry-picked and released in violation of a court order last year, these by design tell one side of a story and omit important context. As we've said, these selective leaks came from a lawsuit where Six4Three, the creators of an app known as Pikinis, hoped to force Facebook to share information on friends of the app's users. These documents have been sealed by a Californian court so we're not able to discuss them in detail."

According to Computer Weekly, one of the original reporters of the news, Marne Levine, then Facebook's vice-president of global public policy, wrote in one memo, "Sheryl took a firm approach and outlined that a decision on the datacentre was imminent. She emphasized that if we could not get comfort from the Canadian government on the jurisdiction issue we had other options.” Levine also described in the leaked messages how Facebook staff distracted aides to Paradis so that other lobbyists could initiate a discussion with the ministers directly. This allowed Levine to get the mobile numbers of the three government ministers. According to Levine, Sheryl Sandberg got comfortable around former UK chancellor George Osborne. The motive was to make him speak out against EU data laws, according to the leaked internal memo.

This news is a real eye-opener in terms of how Facebook operates, and it might also be used as an inspiration by other tech companies in countries where their data demands are not being met. This also seems to be a winning situation for Facebook, as it is not only getting its demands fulfilled but also receiving enough support from the government's end in doing it. “In a lot of ways Facebook is more like a government than a traditional company,” Facebook CEO Mark Zuckerberg has said in an interview. Well, it seems Mark Zuckerberg is on point this time.

The involvement of government is a matter of concern for most users. One user commented on HackerNews, “Just for a little context, I think it's worth mentioning that this news comes to light when Canadians are thinking quite a bit about companies lobbying the gov't, as a bit of a scandal is brewing with the current liberal gov't[0].” Another user commented, “The Canadians agreed to not regulate other countries data. This seems pretty reasonable. Why should the Canadian government regulate how an American tech company handles German data? It makes a lot more sense for each country to have jurisdiction over data from (1) its own citizens, (2) residents on its soil or (3) data physically stored on its soil.”
Natasha Mathur
04 Mar 2019
3 min read

Microsoft adds new features to Microsoft Office 365: Microsoft threat experts, priority notifications, Desktop App Assure, and more

Last week, Microsoft posted an update regarding the new features in Microsoft Office 365, a web-based subscription comprising premium productivity apps as part of Microsoft's Office product line. “We released several new capabilities to help you stay ahead of threats, create a more productive workplace, and keep you in the flow of work”, states the Microsoft team.

What’s new in Microsoft 365?

Microsoft Threat Experts

Microsoft has come out with a new feature called Microsoft Threat Experts to boost the capabilities of security teams. Microsoft Threat Experts is a ‘threat-hunting service’ that helps you track down and prioritize threats using Windows Defender Advanced Threat Protection (ATP). The service connects you with world-class experts through the new ‘Ask a threat expert’ button, who in turn help you work through tough investigation challenges.

Priority notifications and integration of electronic health records

You can now make use of Priority notifications in Microsoft Teams to enable clinicians to focus on urgent messages to manage patient care and empower your healthcare organization. There’s also an added ability to integrate FHIR-enabled electronic health records (EHR) data within Teams. This will enable clinicians to securely access patient records, chat with other team members, and start a video meeting.

Desktop App Assure and Microsoft FastTrack

Microsoft has come out with a new service called Desktop App Assure, as a part of Microsoft FastTrack, that offers app compatibility services for Windows 10 and Office 365 ProPlus. FastTrack now also provides guidance on configuring Exchange Online Protection, Office 365 Advanced Threat Protection, Office 365 Message Encryption, and Data Loss Prevention policies.

Security Notifications via Microsoft Authenticator

You can now receive security alerts for important events on your personal Microsoft account through the Microsoft Authenticator app. Once you receive the push notification, you can quickly view your account activity and take necessary actions to protect your account. You can also add two-step verification to your account using Microsoft Authenticator for added security.

New Office app for Windows 10

Users with a work, school, or personal Microsoft Account can use the new Office app for Windows 10 to access the available apps, relevant files, and documents. Organizations can also integrate third-party apps and enable users to search for documents and people across the organization. The new Office app requires a current version of Windows 10.

Add data to Excel using a photo

You can use the Excel app to take a picture of a printed data table on your Android device and convert the picture into a fully editable table in Excel. Using this new image recognition functionality cuts down on the need to manually enter hardcopy data. This feature has started to roll out for the Excel Android app and will support iOS soon.

New file-attached tasks in Microsoft To-Do

Users can now quickly attach files and photos to help make tasks more actionable. The Microsoft team says that this was a highly requested feature; it has been made available on all platforms and syncs across all your devices.

For more information, check out the official Microsoft blog.

Bhagyashree R
04 Mar 2019
3 min read

The npm engineering team shares why Rust was the best choice for addressing CPU-bound bottlenecks

Last month, the npm engineering team shared in a white paper why they chose Rust to rewrite their authorization service. If you are not already aware, npm is the largest package manager that offers both an open source and enterprise registry. The npm registry boasts about 1.3 billion package downloads per day.

Given the huge user base, it is no surprise that the npm engineering team has to regularly keep a check on any area that causes performance problems. Though most of the network-bound operations were pretty efficient, while looking at the authorization service the team saw a CPU-bound task that was causing a performance bottleneck. They decided to rewrite its “legacy JavaScript implementation” in Rust to make it modern and performant.

Why did the npm team choose Rust?

C, C++, and Java were rejected by the team, as C++ or C requires expertise in memory management and Java requires the deployment of the JVM and associated libraries. They were then left with two options as alternative programming languages: Go and Rust. To narrow down to the one programming language best suited for their authorization service, the team rewrote the service in Node.js, Go, and Rust.

The Node.js rewrite acted as a baseline to evaluate Go and Rust. While rewriting in Node.js took just an hour, given the team’s expertise in JavaScript, the performance was very similar to the legacy implementation. The team finished the Go rewrite in two days but ruled it out because it did not provide a good dependency management solution. “The prospect of installing dependencies globally and sharing versions across any Go project (the standard in Go at the time they performed this evaluation) was unappealing,” says the white paper.

Though the Rust rewrite took the team about a week, they were very impressed by the dependency management Rust offers. The team noted that Rust’s strategy is very much inspired by npm’s strategy. For instance, its Cargo command-line tool is similar to the npm command-line tool. All in all, the team chose Rust because it not only matched their JavaScript-inspired expectations but also gave a better developer experience. The deployment process of the new service was also pretty straightforward, and even after deployment, the team rarely encountered any operational issues.

The team also states that one of the main reasons for choosing Rust was its helpful community. “When the engineers encountered problems, the Rust community was helpful and friendly in answering questions. This enabled the team to reimplement the service and deploy the Rust version to production.”

What were the downsides of choosing Rust?

The team did find the language a little difficult to grasp at first. The team shared in the white paper, “The design of the language front-loads decisions about memory usage to ensure memory safety in a different way than other common programming languages.” Rewriting the service in Rust came with the extra burden of maintaining two separate solutions for monitoring, logging, and alerting: one for the existing JavaScript stack and one for the new Rust stack. Given that it is quite a new language, Rust currently also lacks industry-standard libraries and best practices for these solutions.

Read the white paper shared by npm for more details.

Melisha Dsouza
04 Mar 2019
3 min read

VMware Essential PKS: Use upstream Kubernetes to build a flexible, cost-effective cloud-native platform

Last week, Paul Fazzone, GM Cloud Native Applications, announced the launch of VMware Essential PKS “as a modular approach to cloud-native operation”. VMware Essential PKS includes upstream Kubernetes, reference architectures to help with design decisions, and expert support to guide users through upgrades and maintenance and to troubleshoot reactively when needed. Paul notes that more than 80% of containers run on virtual machines (VMs), with the percentage growing every year. This launch keeps up with the main objective of establishing VMware as the leading enabler of Kubernetes and cloud-native operation.

Features of Essential PKS

#1 Modular Approach

Customers who have specific technological requirements for networking, monitoring, storage, etc. can build a more modular architecture on upstream Kubernetes. VMware Essential PKS will help these customers access upstream Kubernetes with proactive support. The only condition is that these organizations should have either the in-house expertise to work with those components, the intention to grow that capability, or the willingness to use an expert team.

#2 Application portability

Customers will be able to use the latest version of upstream Kubernetes, ensuring that they are never locked into a vendor-specific distribution.

#3 Flexibility

This service allows customers to implement a multi-cloud strategy that lets them choose tools and clouds as per their preference to build a flexible platform on upstream Kubernetes for their workloads.

#4 Open-source community support

VMware contributes to multiple SIGs and open-source projects that strengthen key technologies and fill gaps in the Kubernetes ecosystem.

#5 Cloud native ecosystem support and guidance

Customers will be able to access 24x7, SLA-driven support for Kubernetes and key open-source tooling. VMware experts will partner with customers to help them with architecture design reviews and help them evaluate networking, monitoring, backup, and other solutions to build a production-grade open source Kubernetes platform.

The Kubernetes community has received this news with enthusiasm.

https://twitter.com/cmcluck/status/1100506616124719104
https://twitter.com/edhoppitt/status/1100444712794615808

In November, VMware announced it was buying Heptio at VMworld. Heptio products work with upstream Kubernetes and help enterprises realize the impact of Kubernetes on their business. According to FierceTelecom, “PKS Essentials takes the Heptio approach of building a more modular, customized architecture for deploying software containers on upstream Kubernetes but with VMware support.”

Savia Lobo
04 Mar 2019
3 min read

Google’s Project Zero reveals a “High severity” copy-on-write security flaw found in macOS kernel

A security researcher from Google’s Project Zero team recently revealed a high-severity flaw in the copy-on-write (COW) behavior of the macOS kernel. Copy-on-write is a resource-management technique, also referred to as shadowing. The researcher informed Apple about the flaw back in November 2018, but the company is yet to fix it even after exceeding the 90-day deadline. This is why the bug is now being made public with a "high severity" label.

According to a post on Monorail, the issue tracking tool for Chromium-related projects, “The copy-on-write behavior works not only with anonymous memory but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.”

“This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem”, the post further reads.

According to a Google project member, “We've been in contact with Apple regarding this issue, and at this point no fix is available. Apple is intending to resolve this issue in a future release, and we're working together to assess the options for a patch. We'll update this issue tracker entry once we have more details.”

A user commented on HackerNews, “Given the requirements that a secondary process should even be able to modify a file that is already open, I guess the expected behavior is that the 1st process's version should remain cached in memory while allowing the on-disk (CoW) version to be updated? While also informing the 1st process of the update and allowing the 1st process to reload/reopen the file if it chooses to do so. If this is the intended/expected behavior, then it follows that pwrite() and other syscalls should inform the kernel and cause prevent the original cache from being flushed.”

To know more about this news, head over to the bug issue post.
Sugandha Lahoti
04 Mar 2019
3 min read

React Native community announce March updates, post sharing the roadmap for Q4

In November last year, the React Native team shared a roadmap for React Native to provide better support to its users and collaborators outside of Facebook. The team is planning to open source some of the internal tools and improve the widely used tools in the open source community. Yesterday, they shared updates on the progress they have made in the two months since the release of the roadmap. Per the team, the goals were to “reduce outstanding pull requests, reduce the project's surface area, identify leading user problems, and establish guidelines for community management.”

Updates to Pull Requests
The number of open pull requests was reduced to 65. The average number of pull requests opened per day increased from 3.5 to 7. Almost two-thirds of pull requests were merged and one-third of the pull requests closed. Out of all the merged pull requests, only six caused issues; four only affected internal development and two were caught in the release candidate state.

Cleaning up for leaner core
The developers are planning on reducing the surface area of React Native by removing non-core and unused components. The community response on helping with the Lean Core project was massive. The maintainers jumped in to fix long-standing issues, add tests, and support long-requested features. Examples of such projects are WebView, which has received many pull requests since its extraction, and the CLI, which is now maintained by members of the community and has received much-needed improvements and fixes.

Helping people upgrade to newer versions of React Native
One of the highest voted problems was the developer experience of upgrading to newer versions of React Native. The team is planning on recommending CocoaPods by default for iOS projects, which will reduce churn in project files when upgrading React Native. This will make it easier for people to install and link third-party modules. The team also acknowledged contributions from members of the community. One maintainer, Michał Pierzchała from Callstack, helped improve react-native upgrade by using rn-diff-purge under the hood.

Releasing React Native 0.59
For future releases, the team plans to:
  • work with community members to create a blog post for each major release
  • show breaking changes directly in the CLI when people upgrade to new versions
  • reduce the time it takes to make a release by increasing automated testing and creating an improved manual test plan
These plans will also be incorporated in the upcoming React Native 0.59 release. It is currently published as a release candidate and is expected to be stable within the next two weeks.

What’s next
The team will now focus on managing pull requests while also starting to reduce the number of outstanding GitHub issues. They will continue to reduce the surface area of React Native through the Lean Core project. They also plan to address five of the top community problems and work on the website and documentation.

Bhagyashree R
01 Mar 2019
2 min read

The Erlang Ecosystem Foundation launched at the Code BEAM SF conference

Yesterday, at the ongoing Code BEAM SF event, the formation of the Erlang Ecosystem Foundation (EEF) was announced. Its founding members, Jose Valim, Peer Stritzinger, Fred Hebert, Miriam Pena, and Francesco Cesarini, spoke about its journey, importance, and goals. The proposal for creating EEF was submitted last year in December to foster the Erlang and Elixir ecosystem.

https://twitter.com/CodeBEAMio/status/1101310225804476416

Code BEAM SF, formerly known as Erlang & Elixir Factory, is a two-day event that commenced on Feb 28. This conference brings together the best minds in the Erlang and Elixir communities to discuss the future of these technologies.

The purpose of the Erlang Ecosystem Foundation
EEF is a non-profit organization for driving the further development and adoption of Erlang, Elixir, LFE, and other technologies based on BEAM, the Erlang virtual machine. Backed by companies like Cisco, Erlang Solutions, Ericsson, and others, this foundation aims to grow and support a diverse community around the Erlang and Elixir ecosystem. This foundation will encourage the development of technologies and open source projects based on BEAM languages.

“Our goal is to increase the adoption of this sophisticated platform among forward-thinking organizations. With member-supported Working Groups actively contributing to libraries, tools, and documentation used regularly by individuals and companies relying on the stability and versatility of the ecosystem, we actively invest in critical pieces of technical infrastructure to support our users in their efforts to build the next generation of advanced, reliable, real-time applications,” says the official EEF website.

EEF will also be responsible for sponsoring the working groups to help them solve the challenges users of BEAM technology might be facing, particularly in areas such as documentation, interoperability, and performance.

To know more about the Erlang Ecosystem Foundation in detail, visit its official website.

Melisha Dsouza
01 Mar 2019
2 min read

RedHat’s OperatorHub.io makes it easier for Kubernetes developers and admins to find pre-tested ‘Operators’ for applications

Last week, Red Hat launched OperatorHub.io in collaboration with Microsoft, Google Cloud, and Amazon Web Services, as a “public registry” for finding services backed by the Kubernetes Operator. According to the RedHat blog, the Operator pattern automates infrastructure and application management tasks using Kubernetes as the automation engine. Developers have shown a growing interest in Operators owing to features like accessing the automation advantages of public cloud, enabling the portability of services across Kubernetes environments, and much more. RedHat also comments that the number of Operators available has increased, but it is challenging for developers and Kubernetes administrators to find available Operators that meet their quality standards. To solve this challenge, they have come up with OperatorHub.io.

Features of OperatorHub.io
OperatorHub.io is a common registry to “publish and find available Operators”. This is a curation of Operator-backed services for a base level of documentation. It also includes active communities or vendor-backing to show maintenance commitments, basic testing, and packaging for optimized life-cycle management on Kubernetes. The platform will enable the creation of more Operators as well as an improvement to existing Operators. This is a centralized repository that helps users and the community to organize around Operators.

Operators can be successfully listed on OperatorHub.io only when they show cluster lifecycle features and packaging that can be maintained through the Operator Framework’s Operator Lifecycle Management, along with acceptable documentation for intended users. Operators that are currently listed in OperatorHub.io include Amazon Web Services Operator, Couchbase Autonomous Operator, CrunchyData’s PostgreSQL, MongoDB Enterprise Operator and many more.

This news has been accepted by the Kubernetes community with much enthusiasm.

https://twitter.com/mariusbogoevici/status/1101185896777281536
https://twitter.com/christopherhein/status/1101184265943834624

This is not the first time that RedHat has tried to build on the momentum for the Kubernetes Operators. According to TheNewStack, the company acquired CoreOS last year and went on to release Operator Framework, an open source toolkit that “provides an SDK, lifecycle management, metering, and monitoring capabilities to support Operators”.
Savia Lobo
01 Mar 2019
2 min read

Coinhive to shut down all its cryptojacking services on March 8!

Coinhive, an in-browser Monero cryptocurrency miner, announced that it would be shutting down all its operations next week on March 8, 2019. Users will be given time until April 30th to withdraw any remaining Monero from their accounts. Launched in 2017, the Coinhive service provided ways to mine cryptocurrency in the background of a website, turning visitors’ processing power directly into cash.

In its blog post, the company gave reasons for the service closure, including the fall in the value of Monero over the past year. Coinhive said, “The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the 'crash' of the cryptocurrency market with the value of XMR depreciating over 85% within a year.” The company further mentions, “This and the announced hard fork and algorithm update of the Monero network on March 9 has led us to the conclusion that we need to discontinue Coinhive.”

Security researcher Troy Mursch said, “Coinhive had a market share of 62 percent in August 2018.” According to an academic paper, the company was making an estimated $250,000 per month up until last summer, ZDNet reports.

https://twitter.com/bad_packets/status/1030201187381927936

Jérôme Segura, malware researcher at Malwarebytes, told ZDNet, “While 'cryptojacking' or 'drive-by mining' dominated the threat landscape in late 2017 and early 2018, it took a backseat for the rest of the year, with the notable exception of some campaigns powered by a large number of compromised IoT devices (i.e. MikroTik exploits).”

“Some sites were upfront with visitors about their use of the software, most notably the news website Salon and UNICEF, but countless others either didn’t disclose the fact they were using it or saw the Javascript code added without their knowledge as part of a “cryptojacking” malware attack. Eventually, ad-blockers and anti-virus software learned to identify and block such code, so that users could avoid having their CPUs used and their batteries drained by the software”, The Verge reports.

To know more about the Coinhive closure in detail, head over to Coinhive’s official blog post.

Bhagyashree R
01 Mar 2019
2 min read

Mozilla engineer shares the implications of rewriting browser internals in Rust

Yesterday, Diane Hosfelt, a Research Engineer at Mozilla, shared what she and her team experienced when rewriting Firefox internals in Rust. Taking Quantum CSS as a case study, she touched upon the potential security vulnerabilities that could have been prevented had it been written in Rust from the very beginning.

Why did Mozilla decide to rewrite Firefox internals in Rust?
Quantum CSS is a part of Mozilla’s Project Quantum, under which it is rewriting Firefox internals to make it faster. One of the major parts of this project is Servo, an engine designed to provide better concurrency and parallelism. To achieve these goals Mozilla decided to rewrite Servo in Rust, replacing C++. Rust is very similar to C++ in some ways while being different in terms of the abstractions and data structures it uses. It was created by Mozilla keeping concurrency safety in mind. Its type-safe and memory-safe properties make programs written in Rust thread-safe.

What type of bugs does Rust prevent?
Overall, Rust by default prevents bugs related to memory, bounds, null/uninitialized variables, or integers. Hosfelt mentioned in her blog post, “Due to the overlap between memory safety violations and security-related bugs, we can say that Rust code should result in fewer critical CVEs (Common Vulnerabilities and Exposures).” However, there are some types of bugs that Rust does not address, like correctness bugs.

According to Hosfelt, Rust is a good option in the following cases:
  • When your program involves processing of untrusted input safely
  • When you want to use parallelism for better performance
  • When you are integrating isolated components into an existing codebase

You can go through the blog post by Diane Hosfelt on Mozilla’s website.