Tech News

3709 Articles
Bhagyashree R
08 Jul 2019
3 min read

GitHub's 'Hub' command-line tool makes using git easier

GitHub introduced ‘Hub’, a tool that extends the git command line with extra functionality so that developers can complete their everyday GitHub tasks right from the terminal. Hub has no dependencies, but since it is designed to wrap git, git 1.7.3 or newer is recommended.

Hub provides both new commands and extended versions of commands that already exist in git. Here are some of them:

- hub-am: replicates commits locally from a GitHub pull request.
- hub-cherry-pick: cherry-picks a commit from a fork on GitHub.
- hub-alias: shows shell instructions for wrapping git.
- hub-browse: opens a GitHub repository in a web browser.
- hub-create: creates a new repository on GitHub and adds a git remote for it.
- hub-fork: forks the current repository on GitHub and adds a git remote for it.

You can see the entire list of commands on the Hub man page. Most of these commands are expected to be run in the context of an existing local git repository.

What are the advantages of using Hub?

- Contributing to open source: Hub makes contributing to open source much easier by providing features for fetching repositories, navigating project pages, forking repos and even submitting pull requests, all from the command line.
- Scripting your workflows: you can script your workflows and set priorities by listing and creating issues, pull requests and GitHub releases.
- Maintaining projects: it lets you fetch from other forks, review pull requests and cherry-pick from URLs.
- Using GitHub for work: it saves time by letting you open pull requests for code reviews and push to multiple remotes at once. It also supports GitHub Enterprise, though the Enterprise host needs to be whitelisted first.

Hub is not the only tool of its kind; there are also tools like Magit Forge and Lab. Though developers find it convenient, some feel that it increases GitHub lock-in.

"While it is pretty cool, using such tool increases general lock-in to GitHub, in terms of both habits and potential use of it for automation of processes," one user wrote on Hacker News.

Another Hacker News user suggested, “I wish there was an open standard for operations that hub allows to do and all major Git forges, including open source ones, such as Gogs/Gitea and GitLab, supported it. In that case having a command-line tool that, like Git itself, is not tied to a particular vendor, but allows to do what hub does, could have been indispensable.”

To know more in detail, check out Hub’s GitHub repository.

Vincy Davis
08 Jul 2019
4 min read

RubyGems strong_password v0.0.7 hijacked; infected thread and attacker account isolated for now

Last week, developer Tute Costa notified Ruby users that the strong_password v0.0.7 rubygem had been hijacked. A malicious actor published v0.0.7 containing malicious code that enabled the attacker to execute remote code in production. As of now, the malicious release has been yanked and the attacker’s RubyGems account has been locked. strong_password is an entropy-based password strength checker for Ruby and ActiveModel.

How was the strong_password v0.0.7 hijack identified?

While linking line by line to each library’s changeset, Costa noticed that strong_password had changed from 0.0.6 to 0.0.7. The last change on any branch in GitHub was from six months earlier, yet Costa recalled that everything had been up to date. Costa then downloaded the gem from RubyGems and compared its contents with the latest copy in GitHub. He found that the end of lib/strong_password/strength_checker.rb in version 0.0.7 contained the following:

[Image: the code appended to strength_checker.rb in v0.0.7; source: With a Twist Dev]

Costa found that a malicious actor had used an empty account with a different name than the maintainer’s. The malicious actor published the gem after receiving access to it. Costa then forwarded the thread to the strong_password maintainer’s email address listed in GitHub. Brian McManus, the strong_password maintainer, replied, “The gem seems to have been pulled out from under me. When I login to rubygems.org I don’t seem to have ownership now. Bogus 0.0.7 release was created 6/25/2019.”

How does the malicious code work?

If the malicious code has not already run (it checks for the existence of a dummy constant, Z1), it injects a middleware that eval’s cookies named with an ___id suffix, only in production. The whole thing is wrapped in an empty exception handler, the _! function defined in the hijacked gem, so failures stay silent. This opens the door for the attacker to silently execute remote code in production. The malicious code also sends a request to an attacker-controlled domain with an HTTP header reporting the infected host’s URLs.

What is the current status of strong_password v0.0.7?

Rafael França, the Ruby on Rails security coordinator, added [email protected] to the thread. Later André Arko, the founder of Ruby Together, yanked the gem and locked the RubyGems account. McManus was later added back as an owner of the gem. Costa also notified users that he had requested a CVE (Common Vulnerabilities and Exposures) identifier from [email protected] and received CVE-2019-13354. He used this CVE “to announce the potential issue in production installations to the rubysec/ruby-advisory-db project and the ruby-security-ann Google Group.”

The community has been praising Tute Costa for his efforts in uncovering the hijack.

https://twitter.com/mjos_crypto/status/1148153570631589889

A user on Hacker News states that “In light of vulnerabilities like these, I’m glad there are developers that spend time to make their apps more secure. Thus, making us all aware that issues like these are out there. Security is almost always just put off in exchange for features and security is most of the time taken for granted. It’s about time that we start taking it seriously. Kudos to you!”

Many users are also skeptical about RubyGems’ security. A user on Hacker News says, “There's still a lot to learn about this incident, but most likely the RubyGems account was compromised, allowing the attacker to upload whatever they wanted. Signed releases with a web of trust would be ideal, but I doubt we'll ever see that world. A simple and pragmatic solution would be to have the next version of bundler support the ability to only install packages published with 2 factor enabled, then the next major rails version default it to on, with plenty of advanced warning in 6.x/bundler. This still has plenty of gaps, such as an attacker being able to take over even with 2 factor, and then re-enabling it with their own keys, or RubyGems.org itself being compromised. It still represents a major upgrade in security for the entire Ruby ecosystem without causing much pain to authors and users.”

Another comment reads, “Rubygem should contract an external auditor (security firm), this could go way deeper. Until they perform a thorough audit I will personally stay away from this project.”
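The check Costa performed by hand, diffing the published gem against its git source, written here as an added example (not code from the article, from Costa, or from the strong_password gem): it walks an unpacked gem directory and a source checkout, hashes every file and reports what only the gem ships, what only the source has, and what differs. The directory names, file contents and the appended placeholder line are constructed for the demonstration; with real artifacts you would point compare_gem_to_source at the output of gem unpack and a clone of the repository at the matching tag.

```ruby
require 'digest'
require 'find'
require 'fileutils'
require 'tmpdir'

# Walk a directory and return { relative_path => sha256 } for every regular file.
# Paths matching any pattern in +ignore+ are skipped (a git checkout carries a
# .git directory that a published gem never does).
def tree_digest(root, ignore: [%r{\A\.git/}])
  root = File.expand_path(root)
  digests = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    rel = path[(root.length + 1)..-1]
    next if ignore.any? { |pat| rel.match?(pat) }
    digests[rel] = Digest::SHA256.file(path).hexdigest
  end
  digests
end

# Compare an unpacked gem directory with a source checkout and report the three
# things a reviewer cares about: files only the gem ships (suspicious), files
# only the source has (spec/ and CI files are commonly left out of gems, so this
# is usually benign), and files present in both whose contents differ (the case
# that exposed strong_password 0.0.7).
def compare_gem_to_source(gem_dir, src_dir)
  gem_files = tree_digest(gem_dir)
  src_files = tree_digest(src_dir)
  common = gem_files.keys & src_files.keys
  {
    only_in_gem:    (gem_files.keys - src_files.keys).sort,
    only_in_source: (src_files.keys - gem_files.keys).sort,
    modified:       common.select { |f| gem_files[f] != src_files[f] }.sort
  }
end

# Helper: write a file, creating parent directories as needed.
def write_file(root, rel, content)
  path = File.join(root, rel)
  FileUtils.mkdir_p(File.dirname(path))
  File.write(path, content)
end

# Constructed demonstration (not the real gem contents): a source checkout and an
# unpacked gem that agree on everything except an extra block appended to the
# end of strength_checker.rb, which is where the real hijack hid its payload.
def constructed_example
  Dir.mktmpdir do |tmp|
    src_dir = File.join(tmp, 'strong_password-git')
    gem_dir = File.join(tmp, 'strong_password-0.0.7')

    checker = "module StrongPassword\n  class StrengthChecker\n  end\nend\n"
    version = "module StrongPassword\n  VERSION = '0.0.7'\nend\n"

    # Source checkout: clean library files plus a spec and a .git directory.
    write_file(src_dir, 'lib/strong_password/strength_checker.rb', checker)
    write_file(src_dir, 'lib/strong_password/version.rb', version)
    write_file(src_dir, 'spec/strength_checker_spec.rb', "# specs\n")
    write_file(src_dir, '.git/HEAD', "ref: refs/heads/master\n")

    # Unpacked gem: same library files, but strength_checker.rb has something
    # appended that the repository never contained (a placeholder comment here).
    appended = "# [constructed placeholder: lines not present in the git checkout]\n"
    write_file(gem_dir, 'lib/strong_password/strength_checker.rb', checker + appended)
    write_file(gem_dir, 'lib/strong_password/version.rb', version)

    compare_gem_to_source(gem_dir, src_dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  report = constructed_example
  puts "only in gem:    #{report[:only_in_gem].inspect}"
  puts "only in source: #{report[:only_in_source].inspect}"
  puts "modified:       #{report[:modified].inspect}"
end
```

Any entry under modified or only_in_gem deserves a manual read of the file before the gem is deployed; a clean report only proves the gem matches the repository, not that the repository itself is trustworthy.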

Vincy Davis
08 Jul 2019
4 min read

Debian 10 codenamed ‘buster’ released, along with Debian GNU/Hurd 2019 as a port

Two days ago, the team behind Debian announced the release of Debian stable version 10 (codename ‘buster’), which will be supported for the next 5 years. Debian 10 uses the Wayland display server by default, includes over 91% reproducibly built source packages, and ships with several desktop applications and environments. Yesterday, Debian also released Debian GNU/Hurd 2019, which is a port release. It is currently available for the i386 architecture with about 80% of the Debian archive.

What's new in Debian 10

Wayland display server

In this release, GNOME uses the Wayland display server by default instead of Xorg. Wayland’s simple and modern design has advantages in terms of security. The Xorg display server is still installed by default in Debian 10, and users can switch the display server for their session from the default display manager.

Reproducible Builds project

In Debian 10, the Reproducible Builds project aims to have over 91% of the source packages build into bit-for-bit identical binary packages. This is an important verification feature for users, as it protects them against malicious attempts to tamper with compilers and build networks.

Desktop applications

Debian 10 “buster” ships with several desktop applications and environments. Some of the desktop environments include:

- Cinnamon 3.8
- GNOME 3.30
- KDE Plasma 5.14
- LXDE 0.99.2

Other highlights in Debian 10

- AppArmor, a mandatory access control framework for restricting programs' capabilities, is installed and enabled by default for security-sensitive environments.
- All methods provided by the Advanced Package Tool (APT), except cdrom, gpgv and rsh, can optionally make use of seccomp-BPF sandboxing. The https method for APT is included in the apt package and does not need to be installed separately.
- Network filtering is based on the nftables framework by default. Starting with iptables v1.8.2, the binary package includes two variants of the iptables command-line interface: iptables-nft and iptables-legacy.
- UEFI (Unified Extensible Firmware Interface), the specification for the software that connects a computer's firmware to its operating system, was first supported in Debian 7 and has been greatly improved in Debian 10. Secure Boot support is included in this release for the amd64, i386 and arm64 architectures and will work on most Secure Boot-enabled machines, so users no longer have to disable Secure Boot in the firmware configuration.
- The cups and cups-filters packages, installed by default in Debian 10, let users take advantage of driverless printing.
- This release includes numerous updated software packages, such as Apache 2.4.38, BIND DNS Server 9.11, Chromium 73.0, Emacs 26.1, Firefox 60.7 and more.

Visit the Debian official website for more details on Debian 10.

What’s new in Debian GNU/Hurd 2019

- An ACPI (Advanced Configuration and Power Interface Specification) translator has been made available; it is currently only used to shut down the system.
- The LwIP TCP/IP stack, a widely used open-source TCP/IP stack designed for embedded systems, is now available as an option.
- A PCI (Peripheral Component Interconnect) arbiter has been introduced; it will be useful to properly manage PCI access and to provide fine-grained hardware access.
- New optimizations include protected payloads, better paging management and message dispatch, and gsync synchronization.
- Support for LLVM has also been introduced.
- Besides the Debian installer, a pre-installed disk image is also available.

The general reaction to both Debian announcements has been positive, with users praising Debian for always staying up to date with the latest features.

A Redditor says, “Through the years I've seen many a "popular" distro come and go, yet Debian remains.” Another user on Hacker News adds, “I left Redhat at 8.0(long time ago, before Fedora) and started using debian/ubuntu and never looked back, in my opinion, while Redhat made a fortune by its business model, Debian and ubuntu are the true community OS, I can't ask for more. Debian has been my primary Server for the last 15 years, life is good with them. Thank you so much to the maintainers and contributors for putting so much effort into them.”

Read the Debian mailing list for more information on Debian GNU/Hurd.

Savia Lobo
08 Jul 2019
3 min read

Google Project Zero reveals an iMessage bug that bricks iPhone causing repetitive crash and respawn operations

A zero-day vulnerability in Apple's iMessage that bricks an iPhone and survives hard resets was recently brought to light. A specific type of malformed message is sent to a victim device, forcing the user to factory-reset it. The issue was first posted by Google Project Zero researcher Natalie Silvanovich on the project’s issue tracker on April 19, 2019. Under the usual 90-day disclosure deadline, the bug was held from public view until either 90 days had elapsed or a patch had been made broadly available to the public. On 4 July, Silvanovich noted that the issue was fixed in the Apple iOS 12.3 update and made it public.

Labelled as CVE-2019-8573 and CVE-2019-8664, this vulnerability causes a Mac to crash and respawn. On an iPhone, Silvanovich says, this code is in Springboard and “receiving this message will cause Springboard to crash and respawn repeatedly, causing the UI not to be displayed and the phone to stop responding to input. The only way I could find to fix the phone is to reboot into recovery mode and do a restore. This causes the data on the device to be lost”.

According to Forbes, “The message contains a property with a key value that is not a string, despite one being expected. Calling a method titled IMBalloonPluginDataSource _summaryText, the method assumes the key in question is a string but does not verify it is the case”. The subsequent call to IMBalloonPluginDataSource replaceHandlewithContactNameInString calls im_handleIdentifiers on the supposed string, which in turn results in a thrown exception.

For testing purposes, Silvanovich has shared in her update three ways she found to unbrick the device:

- wipe the device with 'Find my iPhone'
- put the device in recovery mode and update via iTunes (note that this will force an update to the latest version)
- remove the SIM card, go out of Wi-Fi range and wipe the device in the menu

Google Project Zero has also released instructions to reproduce the issue:

- install frida (pip3 install frida)
- open sendMessage.py and replace the sample receiver with the phone number or email of the target device
- in the local directory, run: python3 sendMessage.py

Users should make sure their iPhone is up to date with the latest iOS 12.3 update. Read more about the vulnerability on Google Project Zero’s issue page.

Bhagyashree R
08 Jul 2019
3 min read

Babel 7.5.0 releases with F# pipeline operator, experimental TypeScript namespaces support, and more

Last week, the team behind Babel announced the release of Babel 7.5.0. This release ships with improved support for a few ECMAScript proposals, including the F# variant of the Stage 1 pipeline operator and an official plugin for the Stage 4 dynamic import() proposal. It also comes with experimental TypeScript namespaces support. Following are some of the highlights from Babel 7.5.0:

F# pipeline operator

The pipeline operator proposal introduces syntactic sugar (|>) for greater readability when chaining several functions together. The operator is similar to the one in F#, OCaml, Elixir, Elm, Julia, Hack and LiveScript, as well as to UNIX pipes. Starting from the 7.0.0-beta release, Babel had the “minimal” variant of the pipeline operator proposal. Then came the “Smart” variant in Babel 7.3.0, and with this release we have the F# variant. The difference between the Smart and F# variants is that the latter uses arrow functions instead of "topic references" (#). “This has the advantage of being more similar to current JavaScript, at the cost of a slightly less concise syntax,” the team explained. You can test this new variant by adding ‘@babel/plugin-proposal-pipeline-operator’ to your Babel configuration. You can also try it out in the REPL by enabling the "Stage 1" preset.

Dynamic import transform

Though Babel has support for parsing dynamic imports, it did not provide a consistent way to transform them. It could parse import(foo), but asked developers to use webpack or ‘babel-plugin-dynamic-import-node’ to transpile it. To solve this, Babel 7.5.0 introduces the ‘@babel/plugin-proposal-dynamic-import’ plugin, which you can use alongside one of the module transform plugins.

Experimental TypeScript namespaces support

When TypeScript support initially came to Babel, it did not include namespaces, as they require type information that can only be provided by a full TypeScript compiler and type-checker. Starting from Babel 7.5.0, you can enable experimental support for namespaces in the TypeScript plugin using the ‘allowNamespaces’ option of ‘@babel/plugin-transform-typescript’. There are, however, some limitations in this experimental support to keep in mind: first, namespaces can only export immutable bindings, and second, when merging multiple namespaces with the same name, their scope isn't shared.

These were some of the updates in Babel 7.5.0. To know more in detail, check out the official announcement and the release notes.

Sugandha Lahoti
08 Jul 2019
2 min read

Canonical, the company behind the Ubuntu Linux distribution, was hacked; Ubuntu source code unaffected

On Saturday, Ubuntu-maker Canonical Ltd’s GitHub account was compromised and used to create repositories and issues, among other activities. The unknown attacker(s) used a Canonical-owned GitHub account whose credentials had been compromised to gain unauthorized access to Canonical's GitHub organisation. According to a mirror of the hacked Canonical GitHub account, the hacker created 11 new GitHub repositories in the official Canonical account. The repositories were empty and sequentially named CAN_GOT_HAXXD_1 and so on, with no existing data being changed or deleted. The Ubuntu source code remains unaffected.

A Canonical representative said in a statement, “There is no indication at this point that any source code or PII was affected. Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected.”

The hack appears to be limited to a defacement: if the hacker(s) had added malicious code to Canonical projects, they would not have drawn attention to themselves by creating new repositories in the Canonical GitHub account.

The official Ubuntu forums have been hacked on three previous occasions: first in July 2013, when hackers stole the details of 1.82 million users; second in July 2016, when the data of two million users was compromised; and third in December 2016, when Ubuntu Forums was hacked with 1.8 million users’ credentials stolen. In May this year, attackers wiped many GitHub, GitLab and Bitbucket repos using ‘compromised’ valid credentials, leaving behind a ransom note.

Canonical has since removed the compromised account from the Canonical organisation in GitHub and is still investigating the extent of the breach. The Ubuntu security team said it plans to post a public update after its investigation, audit and remediations are finished. Twitter was flooded with people warning others about the hack.

https://twitter.com/zackwhittaker/status/1147683774492303360
https://twitter.com/gcluley/status/1147901110503575552
https://twitter.com/evanderburg/status/1147895949697568770
Savia Lobo
05 Jul 2019
5 min read

Unprotected Elasticsearch database exposes 2 billion user records from smart home devices

Security researchers Noam Rotem and Ran Locar from vpnMentor recently revealed in their report that Orvibo, a Shenzhen-based Chinese IoT management platform company, exposed its user database online without any password protection. The Elasticsearch database, which contains user data collected from smart home devices, holds ‘2 billion logs’ containing everything from user passwords to account reset codes and conversations recorded by a "smart" camera.

[Image: sample of Orvibo leaked data]

The leaked data included email addresses, passwords, precise geolocation, IP address, username, userID, family name and ID, smart device, device that accessed the account, scheduling information and account reset codes. Of these, the logged passwords and password reset codes create additional problems. Although the passwords had not been encrypted, they had been hashed using MD5. “Unfortunately, the MD5 algorithm used to hash these passwords isn't considered particularly secure as it has been found to contain a whole bunch of vulnerabilities”. "Orvibo does make some effort into concealing the passwords, which are hashed using MD5 without salt," the vpnMentor team said. However, unsalted MD5 password hashes are relatively easy to crack, which means that anyone with access to this database could hijack SmartMate accounts and possibly take control of the smart devices connected to a user's SmartMate-controlled home.

The researchers said the reset codes were the most dangerous pieces of information found in the database. "These would be sent to a user to reset either their password or their email address," the report explains, continuing "with that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible."

According to ZDNet, “The database was spotted in mid-June by the security team at vpnMentor, led by security researchers Noam Rotem and Ran Locar, who shared their findings with ZDNet last month and asked for help in notifying the vendor.” Since then, both vpnMentor and ZDNet have contacted the Chinese company to let it know about its security issue; however, at the time of writing, Orvibo had failed to respond or take any action.

Forbes mentions, “The Orvibo website boasts of a secure cloud providing a "reliable smart home cloud platform," and goes on to mention how it "supports millions of IoT devices and guarantees the data safety." Geoff Tudor, general manager of Vizion.ai, told Forbes that Elasticsearch breaches are becoming almost everyday occurrences. "When first installed, Elasticsearch's API is completely open without any password protection," Tudor says, adding "all a hacker needs to do is to hit a URL with http://[serverIP]:9200 and a user can see if an Elasticsearch is operational. Then it takes a single command to search through the data stored in it..."

Orvibo claims to have a lot of users, including private individuals with smart home systems as well as hotels and other business customers. The vpnMentor report states that it found logs for users in China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the U.S. The report states, "With the information that has leaked. It's clear that there is nothing secure about these devices. Even having one of these devices installed could undermine, rather than enhance, your physical security."

How can users secure their data and be safe?

Jake Moore, a cybersecurity specialist at ESET, said, “Criminal groups may have been aware of this vulnerability but it is unknown if anyone has taken advantage of this flaw yet. I'd hope it would be patched quite quickly now it is out." Moore further advises, "The best thing now for people affected is to make sure their smart device passwords are changed immediately to something long and complex along with other accounts where the same password may be reused," and points out that "they may as well pull the plug on the device until it is fixed." Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, says users can go a step further than changing their passwords and “file a legal complaint and deactivate any remote management of their homes if it is doable."

Yesterday, Orvibo responded by saying that it had secured the database. The company said, “Once we received this report on July 2nd, ORVIBO’s RD team took immediate actions to resolve security vulnerability”, and listed the following steps taken to resolve the issue:

- Resolved security vulnerability.
- Upgraded encryption mechanism of password.
- Upgrade the protection on users account and password resetting.
- Strengthening cooperation with professional cyber security companies to improve our system security.

To know more about this news, read the complete vpnMentor report.

Amrata Joshi
05 Jul 2019
3 min read

OpenWrt 18.06.4 released with updated Linux kernel, security fixes Curl and the Linux kernel and much more!

This month, the OpenWrt community announced the release of OpenWrt 18.06.4, the fourth service release of the stable OpenWrt 18.06 series. This release comes with a number of bug fixes in network and system services and brings updates to the kernel and base packages. The official page reads, “Note that the OpenWrt 18.06.3 release was skipped in favor to 18.06.4 due to a last-minute 4.14 kernel update fixing TCP connectivity problems which were introduced with the first iteration of the Linux SACK (Selective Acknowledgement) vulnerability patches.”

What is the OpenWrt project?

OpenWrt is a Linux operating system targeting embedded devices; it is a replacement for the vendor-supplied firmware of a wide range of wireless routers and non-network devices. OpenWrt is an easily modifiable operating system for routers, powered by a Linux kernel. Instead of a single, static firmware, it offers a fully writable filesystem with optional package management. It is useful for developers because OpenWrt provides a framework for building an application without having to create a complete firmware image and distribution around it. It also gives users the freedom of full customization, letting them use an embedded device in many ways.

What’s new in OpenWrt 18.06.4?

In this release, the Linux kernel has been updated to versions 4.9.184/4.14.131, from 4.9.152/4.14.95 in v18.06.2. It also comes with SACK (Selective Acknowledgement) security fixes for the Linux kernel and WPA3 security fixes in hostapd. It further offers security fixes for Curl and the Linux kernel, and comes with MT76 wireless driver updates. This release also contains many network and system service fixes.

Many users seem happy about this news, and some choose routers based on whether they are supported by OpenWrt. A user commented on Hacker News, “I choose my routers based on if they are supported or not by OpenWrt. And for everybody that asks my opinion, too. Because they might not need/want/know/have a desire to install OpenWrt now, but it's good to have the door open for the future.”

Users are also happy with OpenWrt’s interface. A user commented, “For people asking about the user interface of OpenWrt. I think it is very well done. I get along with it just fine and I am blind and have to use a screen reader. A11y in Luci is great. All the pages make sense to most people you do not have to be a networking expert.”

To know more about this news, check out OpenWrt’s official page.

Amrata Joshi
05 Jul 2019
4 min read

Mozilla announces a subscription-based service for providing ad-free content to users

Earlier this year the team at Mozilla announced that it was partnering with Scroll, a startup, to let users explore an ad-free internet without hurting publishers. Several months after that news, Mozilla yesterday teased a new landing page detailing a subscription-based service in which users get access to content from “some of the world’s greatest publishers to bring you a better journalism experience,” for $4.99 per month.

Users often have a bad experience with advertisements, which can be disruptive and sometimes irrelevant. Ads also capture user data and predict user behaviour. They can also be malicious at times, and clicking on them could end up exposing users’ personal information. Mozilla appears to be making an effort towards a better user experience by giving users an ad-free one. According to a Mozilla blog post, it hit upon the new idea because it wasn’t happy with the “terrible experiences and pervasive tracking” designed to persuade users to click on ads and share their personal data.

The official post reads, “We share your payment directly with the sites you read. They make more money which means they can bring you great content without needing to distract you with ads just to keep the lights on.” The idea is that users pay for an ad-free experience, and the money is then distributed to the publishers that users choose.

Subscribers will also get access to audio versions of articles as well as bookmarks that are synced across devices. They will also get exclusive top recommended reads and an app to help them find great content without the disturbance of ads. The service would be cross-platform, allowing users to read the content on a phone or a PC. Reading an article will still be ad-free if a reader reaches the content by clicking a link from Twitter or opening a website directly.

Mozilla is yet to share the specifics of this service and says that the initiative “will help shape our direction with respect to finding alternatives to the status quo advertising models. As always, we will continue to put users first and operate transparently as our explorations progress towards more concrete product plans”. The partnership with Scroll is also meant to help rebalance digital advertising revenue, most of which goes to a handful of big companies, endangering the existence of many smaller publishers. It is still not clear, though, whether the revenue generated for publishers would be enough for them.

Users have given a mixed reaction, and a few think it is not a new idea, since companies like Google, Patreon and Flattr have already tried this. A user commented on Hacker News, “I mean, isn't this essentially the idea behind patreon? You batch the micropayments payments into single transactions on the credit card network to reduce the marginal cost of the fixed fees? Didn't Google already do something similar with new subscriptions? Didn't flattr do this a decade ago? It's not a new idea, and as I ranted elsewhere, is only even required because of the fixed fees on credit card transactions.”

Others expect the company to opt for better partners. Another user commented, “In principle, I could be interested in this, but they'll need a much better range of partners than what currently shows up on https://scroll.com/ before it looks worthwhile to me. Less of the celebrity/pop-culture gossip, and more real news, please.”

Rust 1.36.0 releases with a stabilized ‘Future’ trait, NLL for Rust 2015, and more

Bhagyashree R
05 Jul 2019
3 min read
Yesterday, the team behind Rust announced the release of Rust 1.36.0. This release brings a stabilized 'Future' trait, NLL for Rust 2015, a stabilized alloc crate as the core allocation and collections library, a new --offline flag for Cargo, and more. Following are some of the updates in Rust 1.36.0.

The stabilized 'Future' trait

A 'Future' in Rust represents an asynchronous value: it allows a thread to continue doing useful work while it waits for the value to become available. This trait has been long-awaited by Rust developers, and with this release it has finally been stabilized. "With this stabilization, we hope to give important crates, libraries, and the ecosystem time to prepare for async / .await, which we'll tell you more about in the future," the Rust release team added.

The alloc crate is stable

The 'std' crate of the standard library provides types like Box<T> as well as OS functionality, but it requires a global allocator and other OS capabilities. Beginning with Rust 1.36.0, the parts of std that depend on a global allocator are available in the 'alloc' crate, and std re-exports these parts.

Use MaybeUninit<T> instead of mem::uninitialized

Previously, the 'mem::uninitialized' function let you bypass Rust's memory-initialization checks by pretending to produce a value of type T without doing anything. Though the function has proven handy when lazily initializing arrays, it is dangerous in many other scenarios, because the Rust compiler simply assumes that values are properly initialized. In Rust 1.36.0, the MaybeUninit<T> type has been stabilized to solve this problem. The compiler now understands that it must not assume a MaybeUninit<T> is a properly initialized T. This lets you perform gradual initialization more safely and eventually call '.assume_init()'.

Non-lexical lifetimes (NLL) for Rust 2015

The Rust team introduced NLL in December last year when announcing Rust 1.31.0. It is an improvement to Rust's static model of lifetimes that makes the borrow checker smarter and more user-friendly. When first announced, it was only stabilized for Rust 2018. Now the team has backported it to Rust 2015 as well, and in the future all Rust editions can be expected to use NLL.

--offline support in Cargo

Previously, Cargo, the Rust package manager, exited with an error if it needed to access the network and the network was not available. Rust 1.36.0 adds a flag called '--offline' that makes the dependency resolution algorithm use only locally cached dependencies, even if a newer version might exist.

These were some of the updates in Rust 1.36.0. Read the official announcement for more detail.
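As an added example (not code from the Rust release notes or the Rust project), here is the gradual-initialization pattern the MaybeUninit<T> section describes: an array is filled slot by slot through MaybeUninit and only reinterpreted as a real [T; N] once every slot has been written. The second function shows the failure path, where a partially filled array must have its initialized prefix dropped by hand instead of ever reaching assume_init. The Record type, the "id:name" line format and the sample lines are constructed for this example.

```rust
use std::mem::{self, MaybeUninit};
use std::ptr;

/// Slot counts for the two constructed examples.
const SQUARES_LEN: usize = 8;
const RECORDS_LEN: usize = 4;

/// Fill a fixed-size array one element at a time without ever materializing
/// an uninitialized `u64`. Unlike `mem::uninitialized`, the compiler knows a
/// `MaybeUninit<u64>` may hold garbage, so nothing is read before it is written.
fn init_squares() -> [u64; SQUARES_LEN] {
    // SAFETY: an array of `MaybeUninit<T>` requires no initialization, so
    // assuming the *outer* array initialized is sound (the pattern used in the
    // std docs). The inner `u64`s are still treated as uninitialized.
    let mut slots: [MaybeUninit<u64>; SQUARES_LEN] =
        unsafe { MaybeUninit::uninit().assume_init() };

    for (i, slot) in slots.iter_mut().enumerate() {
        // `write` stores the value in place; it never reads the stale bytes.
        slot.write((i as u64) * (i as u64));
    }

    // SAFETY: every slot was written above, and `MaybeUninit<u64>` has the same
    // size and alignment as `u64`, so the whole array can be reinterpreted.
    unsafe { mem::transmute::<[MaybeUninit<u64>; SQUARES_LEN], [u64; SQUARES_LEN]>(slots) }
}

/// A constructed record type with a heap-owning field, so that dropping a
/// partially initialized array actually matters (each `String` must be freed).
#[derive(Debug, PartialEq)]
struct Record {
    id: u32,
    name: String,
}

/// Parse one constructed "id:name" line.
fn parse_line(line: &str) -> Result<Record, String> {
    let (id, name) = line
        .split_once(':')
        .ok_or_else(|| format!("missing ':' in {:?}", line))?;
    let id = id.trim().parse::<u32>().map_err(|e| format!("bad id {:?}: {}", id, e))?;
    Ok(Record { id, name: name.trim().to_string() })
}

/// Build a `[Record; RECORDS_LEN]` slot by slot. On a malformed line the
/// already-initialized prefix is dropped explicitly and an error is returned,
/// so the final reinterpretation is only ever reached for a fully written array.
fn parse_records(lines: &[&str]) -> Result<[Record; RECORDS_LEN], String> {
    if lines.len() != RECORDS_LEN {
        return Err(format!("expected {} lines, got {}", RECORDS_LEN, lines.len()));
    }
    // SAFETY: same outer-array argument as in `init_squares`.
    let mut slots: [MaybeUninit<Record>; RECORDS_LEN] =
        unsafe { MaybeUninit::uninit().assume_init() };

    for (i, line) in lines.iter().enumerate() {
        match parse_line(line) {
            Ok(rec) => {
                slots[i].write(rec);
            }
            Err(e) => {
                // `MaybeUninit` never drops its contents, so the Strings in
                // slots[..i] would leak unless we drop them ourselves. Slots
                // from `i` onward were never written and must NOT be dropped.
                for slot in &mut slots[..i] {
                    // SAFETY: each of these slots was written in an earlier
                    // iteration and is dropped exactly once here.
                    unsafe { ptr::drop_in_place(slot.as_mut_ptr()) };
                }
                return Err(format!("line {}: {}", i, e));
            }
        }
    }

    // SAFETY: the loop completed, so all RECORDS_LEN slots are initialized.
    Ok(unsafe {
        mem::transmute::<[MaybeUninit<Record>; RECORDS_LEN], [Record; RECORDS_LEN]>(slots)
    })
}

fn main() {
    println!("squares: {:?}", init_squares());
    // Constructed inputs: one well-formed batch, one with a malformed third line.
    let good = ["1:alice", "2:bob", "3:carol", "4:dave"];
    let bad = ["1:alice", "2:bob", "carol", "4:dave"];
    println!("good: {:?}", parse_records(&good));
    println!("bad:  {:?}", parse_records(&bad));
}
```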

Apple is ditching butterfly keyboard and opting for a reliable scissor switch keyboard in MacBook, per an Apple analyst

Vincy Davis
05 Jul 2019
4 min read
Yesterday, Apple analyst Ming-Chi Kuo, in a report covered by MacRumors, revealed that Apple is going to include a new scissor switch keyboard in the 2019 MacBook Air. The scissor switch keyboard is expected to use glass fiber to increase its durability. This means that Apple will finally do away with the butterfly keyboard, introduced in 2015, which has long been infamous for reliability and key travel issues. The MacBook Pro will also get the new scissor switch keyboard, but not until 2020.

The scissor-switch keyboard uses a mechanism in which the keys are attached to the keyboard via two plastic pieces that interlock in a "scissors"-like fashion and snap to the keyboard and the key. In a statement to MacRumors, Kuo says, "Though the butterfly keyboard is still thinner than the new scissor keyboard, we think most users can't tell the difference. Furthermore, the new scissor keyboard could offer a better user experience and benefit Apple's profits; therefore, we predict that the butterfly keyboard may finally disappear in the long term." Kuo also states that Apple's butterfly design was expensive to manufacture due to low yields. The scissor-switch keyboard might be costlier than a regular laptop keyboard, but will be cheaper than the butterfly keyboard.

The scissor-switch keyboard is intended to improve the typing experience of Apple users. The existing butterfly keyboard has always been controversial, with users complaining about its durability. The butterfly design is sensitive to dust, with even the slightest particle causing keys to jam, and it has heat issues. Last year, a class action lawsuit was filed against Apple in a federal court in California for allegedly using the flawed butterfly keyboard design in its MacBook variants since 2015. Apple has also released a tutorial on how to clean the butterfly keyboard of the MacBook or MacBook Pro.

Apple has introduced four generations of butterfly keyboards, attempting to address user complaints about stuck keys, repeated key inputs, and even the loud clacking sound when striking each keycap. In March this year, Apple officially apologised for inflicting MacBook owners with its dust-prone butterfly-switch keyboard. This apology was in response to a critical report by the Wall Street Journal's Joanna Stern about the MacBook's butterfly-switch keyboard, which can make typing the E, R, and T keys a nightmare. The new scissor-switch keyboard is thus expected to be a big sigh of relief for MacBook customers.

The new scissor-switch keyboard is the same keyboard mechanism that was present in all pre-2015 MacBooks and was well received by MacBook users back then, though the new model is expected to be a more meaningful evolution of that earlier design. Kuo says the replacement keyboard will be supplied solely by specialist laptop keyboard maker Sunrex rather than Wistron, which currently makes the butterfly keyboards for Apple. The analyst expects the new Sunrex keyboard to go into mass production in 2020, making the Taiwan-based firm Apple's most important keyboard supplier.

Users are relieved that Apple has finally decided to ditch the butterfly keyboard.

https://twitter.com/alon_gilboa/status/1146797852242448385
https://twitter.com/danaiciocan/status/1146772468432023553
https://twitter.com/najeebster/status/1146708948139106305

A user on Hacker News says, "Finally! It took four years to admit there is something wrong. And one more year to change upcoming laptops. It's unbelievable how this crap could be released. Coming from a ThinkPad to an MBP in 2015 I was disappointed by the keyboard of the MBP 2015. Then switching to an MBP 2018 I was shocked how much worse things could get."

China is forcing tourists crossing Xinjiang borders to install an Android app that sends personal information to authorities, reports the Vice News

Bhagyashree R
05 Jul 2019
6 min read
Yesterday, Vice News reported in an investigative piece that China is forcing tourists who cross certain borders into Xinjiang, a western region of China, to install an Android app that shares their personal information with the authorities. This follows reports in April that China is forcing residents of Xinjiang to install a similar Android app.

Since 2016, China has been conducting mass surveillance on the 13 million ethnic Uyghurs and other Turkic Muslims in Xinjiang. According to a report by Human Rights Watch, up to one million people are being held in "political education" camps. Residents have been subject to mass arbitrary detention, restrictions on movement, and religious oppression. All of this is happening under the Chinese government's Strike Hard Campaign against Violent Terrorism.

China is taking mass surveillance to the next level by installing the surveillance app on tourists' phones. Tourists crossing the border are taken to a clean, sterile environment to be searched. They go through several stages of scrutiny and security that take around half a day. Their phones are seized and the malware, called BXAQ or Fengcai, is installed.

What the analysis of BXAQ, the Android malware, revealed

Vice News, the Guardian, and the New York Times teamed up to commission several technical analyses of the app to understand its inner workings. Cybersecurity firm Cure53 and researchers from Citizen Lab and Ruhr University Bochum also analyzed the code, which included names like "CellHunter" and "MobileHunter." Vice News shared a copy of the malware installed on tourists' phones with Süddeutsche Zeitung, a German news publisher, and Motherboard; the copy is available on Motherboard's GitHub account.

Unlike normal apps that we install via app stores, this app is installed by sideloading. Once installed, it collects information such as the phone's calendar entries, contacts, call logs, and text messages. The app goes as far as scanning all the apps installed on the subject's phone and extracting usernames from some of them. According to the expert analysis, all of the collected data is sent to a server. People with iPhones were not spared the scrutiny either: their iPhones were unlocked and connected via a USB cable to a hand-held device.

The app's code also contains hashes for over 73,000 different files that the malware scans for. The journalists and researchers analyzing the app managed to identify around 1,300 of them by searching for matching files on VirusTotal, a file search engine. Many of the files the malware scans for contain extremist content. However, it also scans for innocuous Islamic material, academic books on Islam by leading researchers, and even a music file by the Japanese metal band Unholy Grave. The report revealed that one of the scanned files was The Syrian Jihad, written by Charles Lister, a senior fellow and director of the Countering Terrorism and Extremism program at the Middle East Institute.

When Vice News told the author this, he was surprised, to say the least. He wrote in an email, "This is news to me! I've never had any criticism for the book—in fact, in all honesty, the opposite. Instead, I suspect China's authorities would find anything with the word 'jihad' in the title to be potentially suspicious. The book covers, albeit minimally, the role of Turkistan Islamic Party in Syria, which may also be a point of sensitivity for Beijing. I've met with and engaged with Chinese officials to brief them on these issues, so I'm not aware of any problem Beijing would have with me."

What human rights defenders and other governments are saying about China's domestic surveillance

China has been widely criticized for its dystopian digital dictatorship. Maya Wang, China senior researcher at Human Rights Watch, told Vice News that the Chinese government often equates harmless religious activities with terrorism. She said, "The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism. Chinese law defines terrorism and extremism in a very broad and vague manner. For example, terrorism charges can stem from mere possession of 'items that advocate terrorism,' even though there is no clear definition of what these materials may be."

This extreme use of cutting-edge technologies for social control has also raised concern among other governments. On Tuesday, the United States and Germany condemned China during a closed-door United Nations Security Council meeting. A U.S. State Department official told Reuters, "The United States is alarmed by China's highly repressive campaign against Uighurs, ethnic Kazakhs, Kyrgyz, and other Muslims in Xinjiang, and efforts to coerce members of its Muslim minority groups residing abroad to return to China to face an uncertain fate."

The Chinese officials in the meeting responded that the matter is purely internal and that the U.S. and Germany are making "unwarranted criticism". China's U.N. Ambassador Ma Zhaoxu said that the United States and Germany have no right to raise the issue in the Security Council. When asked about the state-run detention camps, Xinjiang vice-governor Erkin Tuniyaz said they are simply vocational centers built to "save" people from extremist influences.

What role tech plays in enabling such dystopia

China has stepped up surveillance in every part of the country, and Xinjiang is the extreme case. These steps, it says, are taken to counter security threats and religious extremism. What has changed over the years is that the surveillance measures have become smarter. Today, Xinjiang has a massive security presence along with millions of surveillance devices tracking every move you make. Technologies like facial-recognition cameras, iris and body scanners at checkpoints, and mandatory apps like the one discussed above that monitor messages and data flow on Uyghurs' smartphones are everywhere. Tech giants including Alibaba Group and Huawei are working with the government to build such systems.

The data from the surveillance systems, matched with your personal data, determines your "social credit score". The social credit system is a way of monitoring citizens' behavior to determine their rank in society. According to the Chinese government, it aims to reinforce the idea that "keeping trust is glorious and breaking trust is disgraceful." If your score is high, your life is convenient; if not, you have limited options for travel, schooling, and other basic needs.

China is not alone: other countries are also moving towards mass surveillance of their citizens. For instance, the Trump administration is requiring tourists to disclose a list of all their social media accounts and all their email accounts.

https://twitter.com/BrennanCenter/status/1146253731232669697

Read the investigative piece by Vice News for more detail.

Almost all of Apple’s iCloud services were down for some users, most of yesterday; now back to operation

Sugandha Lahoti
05 Jul 2019
2 min read
The world of social media has had a meltdown this week. After a major outage on Facebook and its family of apps, Apple's iCloud service was also down for most of yesterday. Users reported trouble signing into iCloud and accessing their accounts. Other Apple services like Photos, Mail, Backup, Find My Friends, Contacts, and Calendars also saw downtime. Apple Stores were reportedly affected by the outage as well and were unable to process transactions. Apple's system status page noted the downtime across various iCloud services.

https://twitter.com/wildrustic/status/1146820719277477890
https://twitter.com/TomSchmitz/status/1146815544391114752
https://twitter.com/SBenovitz/status/1146831989657542659

Apple Pay and Apple Cash: Apple Pay card holders were unable to add, suspend, delete, or use existing cards in Apple Pay. Some users were also not able to set up Apple Cash, send and receive money, or transfer to a bank with Apple Cash.

Find My Friends: Users were unable to find the location of their friends or devices, list registered devices, play a sound on their device, remotely wipe a device, or put the device in lost mode.

Find My iPhone: Users may have been unable to find the location of their friends or devices, list registered devices, play a sound on their device, remotely wipe a device, or put the device in lost mode.

iCloud: Issues were found in Account & Sign In, iWork, iCloud Backup, Bookmarks & Tabs, Calendar, Contacts, Drive, Keychain, Mail, Notes, Reminders, and Storage Upgrades.

Developer tools and third-party apps were also affected. According to 9to5Mac, a user who was trying to get her iPhone fixed at an Apple Store was told that the outage was nationwide (she was in the U.S.). However, Downdetector, an outage tracking website, reported that issues were also observed in parts of Europe, Canada, Mexico, and Brazil.

Source: Downdetector

All services have since been restored.

Source: Apple

What is surprising is that Apple did not inform or warn its users about the outage. There was no tweet or update released; only the status page was updated.

YouTube’s ban on “instructional hacking and phishing” videos receives backlash from the infosec community

Savia Lobo
04 Jul 2019
7 min read
Update: Added a mention of MalwareTech's article, which shows the bigger picture of how YouTube's ban can suppress education, pushing aspiring learners to shady websites to learn hacking, which is far more harmful.

A month ago, in June, YouTube said in a blog post, "The openness of YouTube's platform has helped creativity and access to information thrive. It's our responsibility to protect that, and prevent our platform from being used to incite hatred, harassment, discrimination, and violence." YouTube said it plans to moderate content on its platform in three ways:

Removing more hateful and supremacist content from the platform by banning supremacists, which will remove Nazis and other extremists who advocate segregation or exclusion based on age, gender, race, religion, sexual orientation, or veteran status.

Reducing the spread of "borderline content and harmful misinformation", such as videos promoting a phony miracle cure for a serious illness or claiming the earth is flat, and recommending videos from more authoritative sources, like top news channels, in its "next watch" panel.

Suspending channels that repeatedly brush up against its hate speech policies from the YouTube Partner program. This means they will not be able to run ads on their channel or use other monetization features like Super Chat, which lets channel subscribers pay creators directly for extra chat features.

Along those lines, a few days ago YouTube decided that it will ban all "instructional hacking and phishing" videos and listed them as "harmful or dangerous content" prohibited on its platform. YouTube said that videos demonstrating how to bypass secure computer systems or steal user credentials and personal data will be pulled from the platform.

This addition to YouTube's content policy is a big blow to everyone in the infosec industry who watches such videos for educational purposes or to develop their skills, and to the infosec YouTube creators who make a living maintaining dedicated cybersecurity channels. The written policy first appears in the Internet Archive's Wayback Machine in an April 5, 2019 snapshot. According to The Register, "Lack of clarity about the permissibility of cyber-security related content has been an issue for years. In the past, hacking videos could be removed if enough viewers submitted reports objecting to them or if moderators found the videos violated other articulated policies. Now that there's a written rule, there's renewed concern about how the policy is being applied."

Kody Kinzie, a security researcher, educator, and owner of the popular ethical hacking and infosec YouTube channel Null Byte, tweeted that on Tuesday he could not upload a video because of the rule. He said the video was created for the US July 4th holiday to demonstrate launching fireworks over Wi-Fi.

https://twitter.com/KodyKinzie/status/1146196570083192832

After blocking Kinzie's upload, he said, YouTube started to flag and remove his existing content and also issued a further strike on his channel.

https://twitter.com/fuzz_sh/status/1146197679434883074
https://twitter.com/KodyKinzie/status/1146202025513771010

"I'm worried for everyone that teaches about infosec and tries to fill in the gaps for people who are learning," Kinzie said via Twitter. "It is hard, often boring, and expensive to learn cybersecurity." Many learners and the wider infosec community responded in support of Null Byte. YouTube then reversed its decision and removed the strikes, restoring the channel to full functionality.

https://twitter.com/myexploit2600/status/1146327656658550785
https://twitter.com/KodyKinzie/status/1146566379962695681

The YouTube policy page includes a list of things content creators should be careful of when uploading content. YouTube maintains, however, that this is not a new policy: "the article now includes more examples of content that violates this policy. There are no policy changes."

According to Boing Boing, "This may sound like a commonsense measure but consider: the "bad guys" can figure this stuff out on their own. The two groups that really benefit from these disclosures are: Users, who get to know which systems they should and should not trust; and Developers, who learn from other developers' blunders and improve their own security."

A YouTube spokesperson told The Verge that Kody Kinzie's channel was flagged by mistake and the videos have since been reinstated. "With the massive volume of videos on our site, sometimes we make the wrong call," the spokesperson said. "We have an appeals process in place for users, and when it's brought to our attention that a video has been removed mistakenly, we act quickly to reinstate it."

Dale Ruane, a hacker and penetration tester who runs a YouTube channel called DemmSec, told The Register via email that he believes this policy has always existed in some form. "But recently I've personally noticed a lot more people having issues where videos are being taken down," he said. "It seems adding video tags or titles which could be interpreted as malicious results in your video being 'dinged.' For example, I made a video about a tool which basically provided instructions of how to phish a Facebook user. That video was taken down by YouTube after a couple of weeks." He also said, "I think the way in which this policy is written is far too broad. I also find the policy extremely hypocritical from a company (Google) that has a history of embracing 'hacker' culture and claims to have the goal of organizing the world's information."

YouTube has recently taken other content moderation actions, such as taking down videos fighting white supremacy alongside white supremacist content. Also, on May 30th, Vox host Carlos Maza tweeted a thread pointing to a pattern of homophobic harassment from conservative pundit Steven Crowder on YouTube. In his comments, Crowder had referred to Maza as a "little queer," "lispy queer," and "the gay Vox sprite." After several days of investigation, YouTube said that Crowder did not violate the platform's policies, but the company did not provide any insight into its process, and it chose to issue an unsigned statement via a reply to Maza on Twitter.

Following YouTube's decision, some Google employees said this does not send a positive message. One employee said, "This kind of makes me feel like it would be okay if my coworkers started calling me a lispy queer. ...It's the latest in a long series of really, really shitty behavior and double-talking on the part of my employer as pertains to anything to do with queer shit." After widespread opposition, YouTube opted to demonetize Crowder's channel, citing "widespread harm to the YouTube community resulting from the ongoing pattern of egregious behavior." The company has now also promised to "evolve its policies" on harassment in response to the backlash to these moves. Many YouTube creators have publicly derided the company for its decision, calling it an unsurprising move from a platform they feel has failed to properly address harassment.

Likewise, taking down videos that help many users develop their skills, out of fear that the material could be misused, is not the right move either. Attackers can do plenty without the help of these videos. YouTube banning the videos will not make the platform more secure, nor will it stop attackers from exploiting defects. MalwareTech in its blog post notes, "when it comes to hacking, it matters not what is taught, but how and by whom. Context is extremely important, especially with a potential audience of young and impressionable teens. Hacking tutorials will always be available no matter what, the only real question is where". In its post, MalwareTech also shows the bigger picture of how YouTube's ban can suppress education and push aspiring learners to shady websites to learn hacking, which is far more harmful.

‘FaceTime Attention Correction’ in iOS 13 Beta 3 uses ARKit to fake eye contact

Bhagyashree R
04 Jul 2019
3 min read
On Tuesday, Apple released iOS 13 beta 3, which came with an interesting feature called FaceTime Attention Correction. This feature aims to fix the long-standing problem of maintaining eye contact in FaceTime calls with the help of augmented reality. Mike Rundle, an app designer, was the first to spot the feature while testing the latest iOS 13.

https://twitter.com/flyosity/status/1146136279647772673

Back in 2017, he predicted that this feature would become a reality in "years to come."

https://twitter.com/flyosity/status/1146136649883107328

While FaceTiming, users naturally tend to look at the person they are talking to instead of at the camera. As a result, to the person on the other side it appears as if you are not maintaining eye contact. This feature, when enabled, adjusts your gaze so that it appears to be on the camera. This helps you maintain eye contact while still letting you keep your gaze on the person you are talking to.

Many Twitter users speculated that the FaceTime Attention Correction feature is powered by Apple's ARKit framework. It creates a 3D face map and depth map of the user through the front-facing TrueDepth camera, then determines where the eyes are and adjusts them accordingly. The TrueDepth camera system is the same one used for Animoji, unlocking the phone, and the augmented reality features already in FaceTime.

https://twitter.com/schukin/status/1146359923158089728

To enable the feature, go to Settings > FaceTime after installing the latest iOS 13 developer beta 3. On Twitter, people also speculated that it is only available on iPhone XS, iPhone XS Max, and iPhone XR devices for now. It is unclear whether Apple plans to roll out the feature more broadly in the future. It would be interesting to see whether the feature works when there are multiple people in the frame.

https://twitter.com/WSig/status/1146149222665900033

Users have mixed feelings about this feature. While some developers who tested it felt that it is a little creepy, others thought it is a remarkable solution to the eye contact problem. A Hacker News user expressed his concern, "I can't help but think all this image recognition/manipulation tech being silently applied is a tad creepy. IMHO going beyond things like automatic focus/white balance or colour adjustments, and identifying more specific things to modify, crosses the line from useful to creepy." Another Hacker News user said in support of the feature, "I fail to see how this is creepy (outside of potential uncanny valley issues in edge cases). There is a toggle to disable it, and this is something that most average non-savvy users would either want by default or wouldn't even notice happening (because the end result will look natural to most)."