
Tech News

The US puts Huawei on BIS List forcing IEEE to ban Huawei employees from peer-reviewing or editing research papers

Sugandha Lahoti
30 May 2019
7 min read
Update: In the wake of the backlash from the academic community, IEEE requested clarification from the U.S. Department of Commerce on the applicability of these export control restrictions to IEEE’s publication activities. On 2nd June, IEEE released an updated statement saying that all "employees of Huawei and its affiliates may participate as peer reviewers and editors in our publication process. All IEEE members, regardless of employer, can continue to participate in all of the activities of the IEEE."

Adding fuel to the already raging US-China tech war, the US government has ‘forced’ the IEEE to stop Huawei employees from peer-reviewing or editing research papers. This is a black day for academic progress and research, and it has startled scientists and academics all over the world.

On 16th May, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) took action against Huawei and over 60 of its affiliates, adding them to the BIS “Entity List” found in Supplement No. 4 to Part 744 of the EAR (U.S. Export Administration Regulations). The BIS Entity List is a list of certain foreign entities, including businesses, research institutions, government and private organizations, and individuals (Listed Persons), that are subject to specific license requirements for the export, re-export, and in-country transfer of certain items subject to the EAR.

Yesterday, IEEE released a detailed statement saying that IEEE (as a corporation organized in New York State) must comply with its legal obligations under the laws of the United States and other jurisdictions. Following the EAR, IEEE has provided a detailed guide for IEEE volunteers, members, and staff on interacting with a Listed Person, or an employee of a Listed Person, who seeks to participate in IEEE activities.

IEEE has restricted Huawei from receiving or accessing materials submitted by other persons for publication until after IEEE has accepted the material for publication in accordance with IEEE’s normal publication process. Once the material has been accepted for publication, Huawei may act as editor or peer reviewer for that material. In effect, Huawei employees are banned from seeing anything that is not already public or earmarked to become public. Huawei also cannot participate in nonpublic meetings or communications that involve technical discussions. Huawei may continue to use an @ieee.org email account, but IEEE members are cautioned that their own communications of technical information to such addresses (or to any other email addresses of a Listed Person) may be subject to the EAR.

https://twitter.com/qian_junhui/status/1133595554905124869

Huawei has joined 177 standards organizations and open source organizations and holds 183 key positions, serving on the board of directors of IEEE-SA, ETSI, WFA, and other organizations. Huawei also has a number of researchers in the IEEE holding positions such as editor-in-chief and deputy editor. Dr. Xiang Liu, a senior optical network expert at the Huawei Institute of Aesthetics, is the deputy editor of The Optical Society of America and Optics Express, and the editor-in-chief of IEEE Optical Communications. To promote the IEEE smart city standard process, Huawei successfully held the IEEE P2413 working group meeting in Shenzhen at the end of this January.

This news did not go down well with academics and researchers, who appealed to IEEE not to go ahead with the ban. “Standards bodies, industry associations are like multi-country organizations”, said a Hacker News user. “No single country should be able to prevent others from participating in such organizations”.

IEEE’s ban has also ignited a backlash from its Chinese members and scientists, resulting in calls to boycott the organization and describing the move as “anti-science” and “violating academic freedom”. Professor Haixia Zhang from Peking University sent out a letter announcing his resignation from the IEEE. In his letter, Zhang said: “As an old friend and senior IEEE member, I am really shocked to hear that IEEE is involved in 'US-Huawei Ban' for replacing all reviewers from Huawei, which is far beyond the basic line of Science and Technology which I was trained and am following in my professional career till now. As a professor, I AM NOT accept this. Therefore, I decided to quit from the IEEE NANO and IEEE JEMS editorial board until one day it comes back to our common professional integrity.”

https://twitter.com/qian_junhui/status/1133657229561802752

A London-based academic also sent a letter to Professor Toshio Fukuda, president of the IEEE: “If this is true, I strongly appeal to IEEE not to launch this ban. As per my understanding, IEEE is a pure academic organization, which should stay out of any political disputes. Additionally, please note that Huawei has funded a large number of IEEE conferences, journal papers, and other events. As far as I know, Huawei has not done any harm to the IEEE. Instead, IEEE has received a considerable amount of funding from Huawei. There is no reason for the IEEE to ban Huawei employees.”

He also quoted Article 8 of the IEEE code of ethics, which states: “We, the members of the IEEE, in recognition of the importance of our technologies in affecting the quality of life throughout the world, and in accepting a personal obligation to our profession, its members, and the communities we serve, do hereby commit ourselves to the highest ethical and professional conduct and agree to treat fairly all persons and to not engage in acts of discrimination based on race, religion, gender, disability, age, national origin, sexual orientation, gender identity, or gender expression.”

https://twitter.com/MCaiyun/status/1133655126105681920

Others also chastised the Trump administration and ridiculed the IEEE’s ban. Here are some comments from Hacker News:

“This is just ridiculous. This goes way beyond what they originally intended with stopping suspected IP Theft or backdoors by Huawei. This is a black day for academic progress and research in general.”

“If the US intends to rile up the Chinese population for decades to come, well I guess they're on a good path. Unbelievable.”

“IEEE is just for the US, not for humanity. It should be a shame of that VISION—"IEEE is the world’s largest technical professional organization dedicated to advancing technology for the benefit of humanity.”

“Shame. And if you google "IEEE Huawei", you can still find news like "celebrating the release of new standard co-operated by Huawei and IEEE" on the first page. Now their version should be changed to "IEEE is the world’s largest technical professional organization(under the guise of U.S. gov) dedicated to advancing technology for the benefit of the U.S." In the past, even physical war accelerates the development of tech(most for weapons though some could be utilized to daily life), and now politics are forcing tech to go reverse. Wonderful.”

The issue between Huawei and IEEE has come amid a raging tech war between the US and China, which recently escalated when the Trump administration blacklisted Huawei over threats to national security. Huawei’s woes continued as Google also suspended all business with Huawei that requires the transfer of hardware, software and technical services. Huawei will also be limited from getting updates to Google’s Android operating system. Moreover, a number of wireless operators are ditching Huawei’s handsets: BT Group Plc won’t offer phones from Huawei when it starts Britain’s first 5G mobile network. According to a leaked memo received by the BBC, UK-based chip designer ARM has told staff it must suspend business with Huawei.

All Docker versions are now vulnerable to a symlink race attack

Vincy Davis
29 May 2019
3 min read
Yesterday Aleksa Sarai, Senior Software Engineer at SUSE Linux GmbH, notified users that ‘docker cp’ is vulnerable to symlink-exchange race attacks. The attack affects all Docker versions. It can be seen as a continuation of some ‘docker cp’ security bugs that Sarai had found and fixed in 2014. The attack was discovered by Sarai, “though Tõnis Tiigi (software engineer at Docker) did mention the possibility of an attack like this in the past (at the time we thought the race window was too small to exploit)”, he added.

The basis of this attack is that FollowSymlinkInScope suffers from a fundamental TOCTOU (time-of-check to time-of-use) flaw. FollowSymlinkInScope is used to take a path and resolve it safely, as though the process were inside the container. Once the full path is resolved, it is passed around for a while and operated on later. If an attacker adds a symlink component to the path after the resolution but before it is operated on, the symlink path component ends up being resolved on the host, as root.

Sarai adds, “As far as I'm aware there are no meaningful protections against this kind of attack. Unless you have restricted the Docker daemon through AppArmor, then it can affect the host filesystem”.

Two reproducers of the issue have been attached. The Docker image contains a simple binary that does a RENAME_EXCHANGE of a symlink to "/" and an empty directory in a loop, hoping to hit the race condition. In both reproducer scripts, the user tries to copy a file to or from a path containing the swapped symlink. The run_write.sh script, however, can overwrite the host filesystem in very few iterations. This is because internally Docker has a "chrootarchive" concept, where the archive is extracted from within a chroot; but Docker chroots into the parent directory of the archive target, which can be controlled by the attacker, making the attack more likely to succeed.

In an attempt to come up with a better solution for this problem, Sarai is working on Linux kernel patches that will “add the ability to safely resolve paths from within a rootfs”.

Users are concerned about all Docker versions being vulnerable, as ‘docker cp’ is a very popular command. A user on Reddit says, “This seems really severe, it basically breaks a lot of the security that docker is assumed to provide. I know that we're often told not to rely upon docker for security, but still. I guess trusted but unsecure containers where the attack is executed after startup are still safe, because the docker cp command has already been executed before the attack begins.” A user on Hacker News comments, “So from a reading of the advisory and pull request, this seems to affect a specific set of scenarios, where a malicious image is running. Not sure if there are other scenarios where this would hit as well. One to be aware of, but as with most vulnerabilities, good to understand how it can be exploited, when you're assessing mitigations”

To read more details of the notification, head over to Sarai’s mailing list.

Material-UI v4 releases with CSS specificity, Classes boilerplate, migration to Typescript and more

Amrata Joshi
28 May 2019
2 min read
Last week, the team behind Material-UI released Material-UI v4 with CSS specificity improvements, a migration to TypeScript and much more. The release of Material-UI v4 was influenced by two major factors. Firstly, the team analyzed the results of the developer survey run in March. Secondly, the team wanted to be up to date with the latest best practices in the React community and with the Material Design Specification.

What’s new in Material-UI v4?

CSS specificity
By default, Material-UI injects its styles at the end of the <head> element, but styled-components and a few other popular styling solutions inject their styles just before it and therefore lose specificity. To solve this problem, the team has introduced a new prop: injectFirst.

Classes boilerplate
In v1, the team introduced the classes API to target all the elements, but after observing its use for some time they saw users struggling. It is challenging to apply the class name on the right element, and it requires boilerplate as well. To improve this situation, the team changed the class name generation to output global class names and kept the classes API working as before.

TypeScript
All the demos have been migrated from JavaScript to TypeScript. The team has also type-checked their demos, which improves their TypeScript test coverage, and fixed many issues during the migration. When writing an application with TypeScript, users can now directly copy and paste the demos without converting them or having to fix errors.

Improved UX
The team has changed the menu organization to group all the components under a single navigation item. The team has also changed the background color to white to increase text contrast and readability.

Tree shaking with ES modules
This is the first version that supports native tree shaking with ES modules; users can now use destructured imports when importing multiple components.

To know more about this release, check out the post on Medium.

Arm announces new CPU and GPU chipsets designs, Mali-G77 GPU, Cortex-A77 CPU, and much more!

Amrata Joshi
28 May 2019
3 min read
Yesterday, Arm, the company whose basic chip architecture is used by most smartphones, announced new designs for its premium CPU and GPU chipsets. The first actual chips are expected before the end of the year. The company announced the Mali-G77 GPU, the Cortex-A77 CPU, and an energy-efficient machine learning processor.

https://twitter.com/Arm/status/1133029847637344256

Cortex-A77 CPU
As with every new generation of Arm CPUs, the Cortex-A77 promises to be more power efficient and provide better raw processing performance. The Cortex-A77 has been built to fit in smartphone power budgets while improving performance. It is the second-generation design that brings a substantial performance upgrade over the Cortex-A76. The Cortex-A77 has been built for next-generation laptops and smartphones and for supporting upcoming use cases like advanced ML. It will also support the range of 5G-ready devices that are set to come to market following the 5G rollout in 2019. Thanks to a combination of hardware and software optimizations, the Cortex-A77 brings better machine learning performance. It comes with more than 20 percent better integer performance, more than 35 percent better FP performance and more than 15 percent more memory bandwidth.

Mali-G77 GPU
The company brings the new Mali-G77 GPU architecture, the first to be based on the company’s Valhall GPU design. It offers around 1.4x the performance of the G76. The Mali-G77 GPU is also 30 percent more energy efficient and 60 percent faster at running machine learning inference and neural net workloads. The Mali-G77 provides uncompromising graphics performance and brings performance improvements to complex AR and ML for driving future use cases.

https://twitter.com/Arm/status/1132992854282915841

Machine learning processor
Arm already offers Project Trillium, its heterogeneous machine learning compute platform, for the machine learning processor. Since the announcement of Trillium last year, Arm has improved energy efficiency by 2x and scaled performance up to 8 cores and 32 TOP/s. The machine learning processor is based on a new architecture that targets connected devices such as augmented and virtual reality (AR/VR) devices, smartphones, smart cameras, and drones, as well as medical and consumer electronics. The processor handles a variety of neural networks, such as convolutional (CNNs) and recurrent (RNNs), for image enhancement, classification, object detection, speech recognition, and natural language understanding. It also minimizes system memory bandwidth through various compression technologies.

The company announced, “Every new smartphone experience begins with more hardware performance and features to enable developers to unleash further software innovation.” The company further added, “For developers, the CPU is more critical than ever as it not only handles general-compute tasks, as well as much of the device’s ML, compute which must scale beyond today’s limits. The same holds true for more immersive untethered AR/VR applications, and HD gaming on the go.”

To know more about this news, check out the Arm community’s post.

Ian Lance Taylor, Golang team member, adds another perspective to Go being Google's language

Sugandha Lahoti
28 May 2019
6 min read
Earlier this month, the Hacker News community got into a heated debate on whether “Go is Google’s language, and not the community’s”. The thread was started by Chris Siebenmann, who works at the Department of Computer Science, University of Toronto. His blog post reads, “Go has community contributions but it is not a community project. It is Google’s project.”

In response to his statements, last Thursday Ian Lance Taylor, a Googler and member of the Golang team, added his own views on a Google Groups mailing list. They don't necessarily contradict Chris’s blog post but add some nuance. Ian begins with a disclaimer: “I'm speaking exclusively for myself here, not for Google nor for the Go team.” He then reminds us that Go is an open source language, since all the source code, including that of all the infrastructure support, is freely available and may be reused and changed by anyone. Go gives all developers the freedom to fork and take an existing project in a new direction. He further explains that there are 59 Googlers and 51 non-Googlers on the committers list, the set of people who can commit changes to the project. He says, “so while Google is the majority, it's not an overwhelming one.”

Golang has a small core committee which makes decisions
Contradicting Chris’s opinion that Golang is run by a small set of people, which prevents it from becoming the community’s language, he says, “All successful languages have a small set of people who make the final decisions. Successful languages pay attention to what people want, but to change the language according to what most people want is, I believe, a recipe for chaos and incoherence. I believe that every successful language must have a coherent vision that is shared by a relatively small group of people.” He then adds, “Since Go is a successful language, and hopes to remain successful, it too must be open to community input but must have a small number of people who make final decisions about how the language will change over time.”

This makes sense. The core team’s full-time job is to take care of the language rather than taking errant decisions in response to community backlash. Google will not make or block a change in a way that kills an entire project. But this does not mean they should sit idly, ignoring the community response. Ideally, the more a project genuinely belongs to its community, the more it will reflect what the community wants and needs.

Ian defends Google as a company being a member of the Golang team, saying it is doing more work with Go at a higher level, supporting efforts like the Go Cloud Development Kit and support for Go in Google Cloud projects like Kubernetes. He also assures that executives, and upper management in general, have never made any attempt to affect how the Go language, tools and standard library are developed. “Google, apart from the core Go team, does not make decisions about the language.”

What if Golang is killed?
He is unsure what will happen if someone on the core Go team decides to leave Google but wants to continue working on Go. He says, “many people who want to work on Go full time wind up being hired by Google, so it would not be particularly surprising if the core Go team continues to be primarily or exclusively Google employees.” This reaffirms our original argument that Google has a propensity to kill its own products. While Google’s history shows that many of its dead products were actually an important step towards something better and more successful, why and how much of that logic would be directly relevant to an open source project is something worth thinking about.

He further adds, “It's also possible that someday it will become appropriate to create some sort of separate Go Foundation to manage the language.” But he did not specify what such a foundation would look like, who its members would be, or what its governance model would be. Will Google leave it to the community to figure out the governance model suddenly, by pulling the original authors off into some other exciting new project? Or would they let the authors work on Golang only in their spare time at home or at weekends?

Another common argument concerns what Google has invested to keep Go thriving, and whether the so-called Go Foundation would be able to sustain a healthy development cycle with low monetary investment (although GitHub Sponsors can, maybe, change that). A comment on Hacker News reads, “Like it or not, Google is probably paying around $10 million a year to keep senior full-time developers around that want to work on the language. That could be used as a benchmark to calculate how much of an investment is required to have a healthy development cycle. If a community-maintained fork is created, it would need time and monetary investment similar to what Google is doing just to maintain and develop non-controversial features. Question is: Is this assessment sensible and if so, is the community able or willing to make this kind of investment?”

In general, though, most people/developers agreed with Ian. Here are a few responses from the same mailing list:

“I just want to thank Ian for taking the time to write this. I've already got the idea that it worked that way, but my own deduction process, but it's good to have a confirmation from inside.”

“Thank you for writing your reply Ian. Since it's a rather long post I don't want to go through it point by point, but suffice it to say that I agree with most of what you've written.”

Read Ian’s post on Google Forums.

Canva faced security breach, 139 million users data hacked: ZDNet reports

Fatema Patrawala
28 May 2019
3 min read
Last Friday, ZDNet reported on Canva’s data breach. Canva is a popular Sydney-based startup that offers a graphic design service. According to the hacker, who directly contacted ZDNet, data of roughly 139 million users was compromised in the breach. Responsible for the data breach is a hacker known online as GnosticPlayers. Since February this year, they have put up the data of 932 million users for sale, reportedly stolen from 44 companies around the world. "I download everything up to May 17," the hacker said to ZDNet. "They detected my breach and closed their database server."

In a statement on the Canva website, the company confirmed the attack and said it has notified the relevant authorities. It also tweeted about the data breach on 24th May, as soon as it discovered the hack, and recommended that users change their passwords immediately.

https://twitter.com/canva/status/1132086889408749573

“At Canva, we are committed to protecting the data and privacy of all our users and believe in open, transparent communication that puts our communities’ needs first,” the statement said. “On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI). We’re aware that a number of our community’s usernames and email addresses have been accessed.”

Stolen data included details such as customer usernames, real names, email addresses, and city and country information. For 61 million users, password hashes were also present in the database. The passwords were hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around. For other users, the stolen information included Google tokens, which users had used to sign up for the site without setting a password.

Of the total 139 million users, 78 million had a Gmail address associated with their Canva account.

Canva is one of Australia's biggest tech companies. Founded in 2012, the site has since launch shot up the Alexa website traffic rank and has been ranking among the top 200 most popular websites. Three days ago, the company announced it had raised $70 million in a Series D funding round and is now valued at a whopping $2.5 billion. Canva also recently acquired two of the world's biggest free stock content sites, Pexels and Pixabay. Details of Pexels and Pixabay users were not included in the data stolen by the hacker.

According to reports from Business Insider, the community was dissatisfied with how Canva responded to the attack. IT consultant Dave Hall criticized the wording Canva used in a communication sent to users on Saturday. He believes Canva did not respond fast enough.

https://twitter.com/skwashd/status/1132258055767281664

One Hacker News user commented, “It seems as though these breaches have limited effect on user behaviour. Perhaps I'm just being cynical but if you aren't getting access and you are just getting hashed passwords, do people even care? Does it even matter? Of course names and contact details are not great. I get that. But will this even affect Canva?” Another user says, “How is a design website having 189M users? This is astonishing more than the hack!”

Grafana 6.2 released with improved security, enhanced provisioning, Bar Gauge panel, lazy loading and more

Vincy Davis
27 May 2019
3 min read
Last week, Torkel Ödegaard, co-founder of Grafana, released the stable version of Grafana 6.2. This version has improved security, an enhanced provisioning workflow, a new Bar Gauge panel, Elasticsearch 7 support, and lazy loading of panels, among other things.

Improved Security
Datasources now store passwords and basic auth passwords in ‘secureJsonData’, which is encrypted by default. Browser caching is now disabled for full page requests, which reduces the risk of sensitive information being retained in the browser cache. Upgrade notes are provided for migrating existing data sources to encrypted storage.

Provisioning
Provisioning configs now support environment variables and can be reloaded without restarting Grafana. Provisioned dashboards can no longer be deleted; instead, when a user tries to delete or save a provisioned dashboard, the relative path of the provisioning file is shown in the dialog.

Bar Gauge Panel
This is an exciting new panel, similar to the current Gauge panel and sharing almost all of its options. The Bar Gauge uses both horizontal and vertical space much better, which helps with efficient stacking. It also comes with three unique display modes: Basic, Gradient, and Retro LED.

Panels Without Title
Sometimes panels do not need a title, but the panel header still takes up space, which gives ‘Singlestat’ panels bad vertical centering. In version 6.2, Grafana allows panel content to use the full panel height when there is no panel title.

Lazy Loading of Panels Out of View
Grafana will no longer issue data queries for panels that are not visible. This greatly reduces the load on data source backends when loading dashboards with many panels, and was one of the most requested features from Grafana users.

Minor Features and Fixes
- ‘Explore’: user time zone support added, plus support for configuring timeout durations and retries
- Support for multiple subscriptions per datasource
- ‘Elasticsearch’: a small bug fix so that percentile metrics display correctly in the table panel
- ‘InfluxDB’: support for the POST HTTP verb
- ‘CloudWatch’: an important fix for the default alias disappearing in v6.1
- A new ‘Search’ option

Ödegaard has also notified users to switch to the new repo soon, as the previous, deprecated repo will be removed on July 1. The new repository contains all the old releases, so users will not have to upgrade to switch package repository.

Users of Grafana are quite happy with the new Grafana 6.2 version.

https://twitter.com/PeterZaitsev/status/1131211702169739269

A user on Hacker News commented, “Lazy loading is a feature I was waiting for long time, hopefully this time is here to stay!” Another user added, “Those new gradient bar gauges look great, can't wait to use them on some environmental data.”

Read more about the Grafana v6.2 release on the Grafana blog.
Amrata Joshi
27 May 2019
3 min read
First American Financial Corp. leaked millions of title insurance records, KrebsOnSecurity reports

Last week, First American Financial Corporation, a provider of title insurance, leaked hundreds of millions of documents related to mortgage deals dating back to 2003, KrebsOnSecurity reports. The flaw exposed digitized records such as mortgage and tax records, bank account numbers and statements, wire transaction receipts, social security numbers and driver's license images, all without authentication. The company said it had disabled the part of its website that served those files at around 2 PM ET on Friday, shortly after being notified by KrebsOnSecurity.

https://twitter.com/briankrebs/status/1132026003386241029

According to KrebsOnSecurity, “Many of the exposed files are records of wire transactions with bank account numbers and other information from home or property buyers and sellers.” Ben Shoval, the developer who notified KrebsOnSecurity about the exposure, said, “That’s because First American is one of the most widely-used companies for real estate title insurance and for closing real estate deals — where both parties to the sale meet in a room and sign stacks of legal documents.” Shoval shared a document link sent by First American for a recent transaction; it pointed to a nine-digit record number dated April 2019. Changing the document number in the link by one in either direction yielded other people's records from before or after the same date and time. The earliest document number available on the site was 000000075, which pointed to a real estate transaction from 2003.
A spokesperson for First American Financial Corporation shared the following statement: “First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

Information of this kind is valuable to scammers running Business Email Compromise (BEC) scams, who impersonate real estate agents.

https://twitter.com/scottpants/status/1132031820361420801
https://twitter.com/aznalabukm/status/1132807048092147713

To know more about this news, check out the post by KrebsOnSecurity.
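The flaw described above is an insecure direct object reference: a sequential record number is the only thing needed to fetch a file, so walking the number up or down walks through other customers' closings. The following is an added example, not First American's application, showing the vulnerable lookup beside two fixes: an authorization check that the requester is a party to the transaction, and HMAC-signed, expiring share links so that the number in an e-mailed link cannot simply be edited. The record numbers, parties, contents and signing key are constructed.

```python
"""Insecure direct object reference, as in the First American exposure, beside two fixes.

Added example, not First American's application. The record numbers, parties,
contents and signing key below are constructed for illustration.
"""
import hashlib
import hmac
import time
from typing import Callable, Dict, Optional

# Constructed store keyed by nine-digit sequential record numbers, as in the report.
DOCUMENTS: Dict[str, dict] = {
    "000000075": {"parties": {"alice"}, "content": "2003 deed, account 1111"},
    "000000076": {"parties": {"bob"},   "content": "2003 wire receipt, account 2222"},
    "000000077": {"parties": {"carol"}, "content": "2003 SSN page"},
}
# Assumption: a real service loads this from a secret store, never from source.
SIGNING_KEY = b"constructed-server-side-secret"


def fetch_document_vulnerable(record_no: str) -> Optional[dict]:
    """The pattern the report describes (deliberately vulnerable): the record number
    is the only key and there is no caller identity, so record_no +/- 1 is a
    stranger's file."""
    return DOCUMENTS.get(record_no)


def fetch_document(record_no: str, user: str) -> dict:
    """Fix 1: authorize. The caller must be a party to the transaction. Missing and
    forbidden records get the same error, so enumeration cannot confirm which exist."""
    doc = DOCUMENTS.get(record_no)
    if doc is None or user not in doc["parties"]:
        raise PermissionError("no such document for this user")
    return doc


def _tag(record_no: str, user: str, expires_at: int) -> str:
    msg = f"{record_no}|{user}|{expires_at}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_share_link(record_no: str, user: str, expires_at: int) -> str:
    """Fix 2: links sent to a party are capability tokens bound by HMAC to the record,
    the user and an expiry, so editing the number in the link invalidates it.
    (Assumes user ids contain no '.'; a real service would use a safer encoding.)"""
    return f"{record_no}.{user}.{expires_at}.{_tag(record_no, user, expires_at)}"


def resolve_share_link(link: str, now: Optional[int] = None) -> dict:
    """Verify the link, then still run the authorization check from fix 1."""
    now = int(time.time()) if now is None else now
    try:
        record_no, user, expires_s, tag = link.split(".")
        expires_at = int(expires_s)
    except ValueError:
        raise PermissionError("malformed link")
    if not hmac.compare_digest(tag, _tag(record_no, user, expires_at)) or now >= expires_at:
        raise PermissionError("invalid or expired link")
    return fetch_document(record_no, user)


def try_resolve(link: str, now: int) -> Optional[dict]:
    """Convenience wrapper: None instead of an exception on a bad link."""
    try:
        return resolve_share_link(link, now)
    except PermissionError:
        return None


def walk_neighbours(record_no: str, width: int,
                    lookup: Callable[[str], Optional[dict]]) -> Dict[str, Optional[str]]:
    """Reproduce the report's probe: try the record numbers either side of a known one."""
    base = int(record_no)
    out: Dict[str, Optional[str]] = {}
    for n in range(base - width, base + width + 1):
        candidate = f"{n:09d}"
        try:
            doc = lookup(candidate)
        except PermissionError:
            doc = None
        out[candidate] = doc["content"] if doc else None
    return out


if __name__ == "__main__":
    print("no auth :", walk_neighbours("000000076", 1, fetch_document_vulnerable))
    print("as bob  :", walk_neighbours("000000076", 1, lambda n: fetch_document(n, "bob")))
```

The authorization check is the fix; the signed link only stops a recipient from turning a legitimate link into a probe, and it still re-checks the party binding after verifying the tag, so a stolen link cannot outlive its expiry or be re-pointed at another record.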
Amrata Joshi
27 May 2019
3 min read
Applitools announces ‘2019 State of Automated Visual Testing Report’ that highlights the competitive advantages of visual quality

Last week, Applitools, a provider of AI-powered end-to-end visual testing and monitoring, announced the “2019 State of Automated Visual Testing Report.” According to the report, as the number of screens and pages across applications, operating systems, websites and devices continues to grow, continuous management of a web application's visual quality becomes a competitive advantage for businesses worldwide. The report is based on an independent survey of over 350 companies and outlines the research findings for visual testing and quality. It also identifies key patterns that lead to excellence in application visual management, so that organizations can better understand the business challenges and opportunities associated with visual quality. This year's report covers a few important findings: visual bugs are common, and they typically cost the R&D team between $1.75m and $6.9m annually to fix. The report further says that the average release to production has 9 visual bugs, and that over 30 percent of companies release more than 22 visual bugs per release, costing them over $143,000 per release. For a team that is pushing towards CI/CD (continuous integration and continuous delivery) and releasing even four times per month, these bugs have a significant effect on visual quality. According to the report, with the increasing number of screens and pages and rising expectations of faster release cycles, the goal of continuous visual quality will become much harder to reach, which underscores the need for Visual AI to help meet it. The findings further state that CI/CD and digital transformation initiatives are necessary for dealing with the enormous challenge of visual quality, yet according to over 64 percent of the companies surveyed, these initiatives are either non-existent or failing to deliver as planned.
Companies that use automated visual testing are building competitive advantage through improvements to quality, coverage, release velocity and team morale. The findings show overall app test coverage increasing by over 60 percent, visual quality improving by 3.6x and monthly release velocity more than doubling. According to the report, only 12 percent of the companies surveyed were using automated visual testing as of Q1 2019, which suggests that a competitive advantage is available to companies that adopt the technique this year; by the end of the year, a further 38 percent of companies expect to have initiated automated visual testing as a core strategy. Gil Sever, Co-Founder and CEO of Applitools, wrote in an email to us, “Today, software equals brand. Managing application quality effectively as releases occur more frequently is becoming a competitive advantage for all companies, regardless of vertical market, company size, or geography.” He further added, “Continuous visual quality is now a goal for QA and software development teams as the stakes continue to get higher for organizations competing for customer attention and retention in this age of across the board digital transformation.”
Vincy Davis
27 May 2019
3 min read
Firefox 67 enables AV1 video decoder 'dav1d', by default on all desktop platforms

Last week, Mozilla announced the release of Firefox 67, with many performance-enhancing features to make Firefox “faster than ever”. On Thursday, Nathan Egge and Christopher Montgomery wrote a blog post explaining the importance of ‘dav1d’, a high-performance, royalty-free AV1 video decoder. dav1d is now enabled by default on all Firefox desktop platforms (Windows, OSX and Linux), for both 32-bit and 64-bit systems. AV1 delivers a high-quality video experience with much less network usage: its files are about 30% smaller than those of VP9, today's most popular web codec, and about 50% smaller than those of its widely deployed predecessor H.264. AV1 has the potential to transform how and where we watch videos on the internet. dav1d's critical sections are written in highly parallelized SIMD assembly, which gives it higher performance and greater efficiency and enables smooth playback of AV1 video in the browser with significantly less CPU utilization. In 2018, Matt Frost, head of strategy and partnerships for Chrome Media at Google, had predicted that it would take another two years for AV1 to see wide-scale adoption. He had said, “Hardware support will likely come in 2020, as chip development typically takes two to three years”. Statistics from Firefox Beta suggest that dav1d may turn this prediction upside down. In the last few months, Firefox Beta has seen remarkable growth in AV1 video playback: AV1 accounted for 11.8% of video playback in April 2019, up from 3% in March and 0.85% in February. Given this growth, more websites are expected to take advantage of the next-generation AV1 codec.

Image Source: Mozilla Hacks

Given these advantages, Mozilla has decided to invest in the future of AV1. Mozilla and Xiph.Org are jointly developing a clean-room encoder named rav1e (the Rust AV1 Encoder).
rav1e aims both to improve compression (better quality per bit, that is, a higher signal-to-noise ratio at a given bitrate) and to make software encoding fast enough for real-time applications like WebRTC. Its approach to making AV1 encoding tools 1000x faster is to find new algorithms rather than simply optimizing existing code.

https://twitter.com/waxzce/status/1132924406278307840

A user on Hacker News comments, “AV1's been making good progress in Firefox. A 1080p60 video has gone from being essentially unplayable in AV1 to now being almost perfect on my 5-year old, AVX2 enabled laptop in Firefox 68 beta”

Visit the Mozilla Blog to know more about dav1d and rav1e.
Sugandha Lahoti
27 May 2019
3 min read
SpaceX shares new information on Starlink after the successful launch of 60 satellites

After last week's successful launch of Starlink, Elon Musk's mammoth space mission, SpaceX has unveiled a new website with more details on the Starlink commercial satellite internet service. Starlink sent 60 communications satellites into orbit; they will eventually be part of a single constellation providing high-speed internet across the globe. SpaceX plans to deploy nearly 12,000 satellites in three orbital shells by the mid-2020s, initially placing approximately 1,600 at an altitude of 550 kilometers (340 mi). The new website gives a few glimpses of Starlink's plan, including a CG representation of how the satellites will work: they move along their orbits together, providing internet to a given area. It also reveals more about the satellites themselves.

Flat panel antennas

In each satellite, the signal is transmitted and received by four high-throughput phased array radio antennas. These antennas have a flat panel design and can transmit in multiple directions and frequencies.

Ion propulsion system and solar array

Each satellite carries a krypton ion propulsion system, which lets it raise its orbit, maneuver in space and deorbit. There is a single solar array, chosen to simplify the system. Ion thrusters provide more fuel-efficient propulsion than conventional liquid propellants; krypton is less expensive than xenon but offers lower thrust efficiency.

Star Tracker and autonomous collision avoidance

Star Tracker is SpaceX's in-house navigation sensor system; it tells each satellite its attitude, enabling precise placement of broadband throughput. The collision avoidance system uses inputs from the U.S. Department of Defense debris tracking system, replacing error-prone human intervention with a more reliable automated approach; with this data a satellite can perform maneuvers on its own to avoid collisions with space debris and other spacecraft.
Per TechCrunch, which interviewed a SpaceX representative, “the debris tracker hooks into the Air Force’s Combined Space Operations Center, where trajectories of all known space debris are tracked. These trajectories are checked against those of the satellites, and if a possible collision is detected the course changes are made, well ahead of time.”

Source: Techcrunch

More information on Starlink (such as the cost of the project and what the ground stations look like) is not yet known. Until then, keep an eye on Starlink's website and on this space for updates.
Savia Lobo
24 May 2019
4 min read
SnapLion: An internal tool Snapchat employees abused to spy on user data

A report released by Motherboard yesterday reveals that employees of Snap Inc., the parent company of the popular social media app Snapchat, abused privileged data management tools to spy on Snap users, gaining access to location data, contact details, email addresses and even saved Snaps. Motherboard reports that various departments within Snap have dedicated tools for accessing user data. On its sources, Motherboard said, “two former employees said multiple Snap employees abused their access to Snapchat user data several years ago”. Motherboard also obtained information from two other former employees, a current employee and a cache of internal company emails. The sources and the emails point to one internal tool that can access user data, called SnapLion. Former employees said that SnapLion was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena. “Both of the sources said SnapLion is a play on words with the common acronym for law enforcement officer LEO, with one of them adding it is a reference to the cartoon character Leo the Lion”, Motherboard reports. Snap's ‘Spam and Abuse’ team has access to the tool, which can also be used to combat bullying or harassment on the platform by other users. Motherboard said, “An internal Snap email obtained by Motherboard says a department called "Customer Ops" also has access to SnapLion. Security staff also have access, according to the current employee. The existence of this tool has not been previously reported”. “Motherboard granted multiple sources in this story anonymity to speak candidly about internal Snap processes”, Motherboard reports. Snapchat has around 186 million users, who share photos, videos and stories trusting that the content will be auto-deleted as per Snapchat's privacy policies.
Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user's Story). In 2014, however, Snapchat settled Federal Trade Commission charges that it had failed to disclose that it collected, stored and transmitted geolocation data. A Snap spokesperson wrote to Motherboard, “Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination." A few years ago, SnapLion did not have a satisfactory level of logging to track what data employees accessed, a former employee said; the company then implemented more monitoring, the former employee added. Snap said it currently monitors access to user data. The second former employee said, "Logging isn't perfect". “Snap said it limits internal access to tools to only those who require it, but SnapLion is no longer a tool purely intended to help law enforcement. It is now used more generally across the company”, the former employees reported. One of them, who worked with SnapLion, said the tool is used for resetting passwords of hacked accounts and "other user administration." A current employee pointed to the company's efforts on user privacy, and two former employees stressed the controls Snap has in place for protecting it. Snap also introduced end-to-end encryption in January of this year. Snap is not alone: employees at other tech giants such as Facebook and Uber have used privileged access to look up data on people they know. Facebook fired some of its employees in May last year for using their privileged access to user data to stalk exes. In 2016, Uber employees used internal systems to spy on ex-partners, politicians and celebrities.
https://twitter.com/justkelly_ok/status/1131750164773818369

Read more about this news in detail in Motherboard's full coverage.
Vincy Davis
24 May 2019
3 min read
Rust 1.35.0 released

Yesterday, the Rust team announced the release of Rust 1.35.0. The highlight of the release is the implementation of the Fn* closure traits for Box<dyn Fn*>. Additionally, closure coercion has been extended to unsafe fn pointers, the dbg! macro can now be called without any arguments, a number of APIs have become stable, and more.

Key features in brief:

Fn* closure traits implemented for Box<dyn Fn*>

In Rust 1.35.0, the FnOnce, FnMut and Fn traits are implemented for Box<dyn FnOnce>, Box<dyn FnMut> and Box<dyn Fn> respectively, so boxed closures can be passed anywhere a value implementing these traits is expected. It is also now possible to call Box<dyn FnOnce> objects directly.

Coercing closures to unsafe function pointers

Previously, closures that do not capture anything from their environment could be coerced only to safe function pointers. With this release they can also be coerced to unsafe fn pointers.

Calling dbg!() with no arguments

The dbg! macro lets you quickly inspect the value of an expression together with its source location. It can now be called with no arguments, which prints just the file and line; this is useful for tracing which branch your code takes.

Library stabilizations

A number of APIs have become stable in 1.35.0, alongside a few new implementations and other changes. Among them:

- Copy the sign of a floating-point number onto another (copysign)
- Check whether a Range contains a value (contains)
- Map and split a borrowed RefCell value in two (RefCell::map_split)
- Replace the value of a RefCell through a closure (RefCell::replace_with)
- Hash a pointer or reference by address, not value (ptr::hash)
- Copy the contents of an Option<&T> (Option::copied)

To know more about the library changes, head over to the release notes page.

Changes in Clippy

Clippy is a collection of lints to catch common mistakes and improve Rust code. This release adds a new lint, drop_bounds.
Clippy has also split the lint redundant_closure into redundant_closure and redundant_closure_for_method_calls.

Changes in Cargo

- When passing a test filter, such as ‘cargo test foo’, examples are no longer built (unless test = true is set for them).
- The ‘rustc-cdylib-link-arg’ key has been added to build scripts to specify linker arguments for cdylib crates.
- ‘cargo clippy-preview’ is now a built-in cargo command.
- The verification step in ‘cargo package’ that checks whether any files were modified is now stricter: it uses a hash of the contents instead of file system mtimes, and it checks all files in the package.

To know more about the changes in Cargo, head over to the release notes page. Read more about the Rust 1.35.0 announcement on the official Rust blog.
Bhagyashree R
23 May 2019
3 min read
Deutsche Bank’s decade old faulty software may have stopped it from reporting suspicious transactions

On Wednesday, Germany's biggest bank, Deutsche Bank, disclosed that it has found a bug in the decade-old software it has been using to flag suspicious transactions. The news came out just a day ahead of the bank's annual shareholders' meeting on May 23. According to a Deutsche Bank spokesman, the faulty software is one of many anti-financial-crime systems the bank uses. The glitch happened because two of the 121 parameters in the software were not defined correctly. It was detected when employees from the bank's anti-financial-crime unit started working on improving the bank's internal processes last year. In a statement the bank said, “Deutsche Bank is working on correcting the error as quickly as possible and is in close contact with the regulators." The news is a further blow to the bank's reputation, as it already faces several accusations over involvement in money laundering. On Tuesday, The New York Times reported that during 2016-2017 the bank's executives were informed by its anti-money-laundering specialists about several suspicious transactions, first flagged by a computer system, which involved Donald J. Trump and his son-in-law, Jared Kushner; despite these reports, the bank did not act. "Compliance staff members who then reviewed the transactions prepared so-called suspicious activity reports that they believed should be sent to a unit of the Treasury Department that polices financial crimes. But executives at Deutsche Bank, which has lent billions of dollars to the Trump and Kushner companies, rejected their employees’ advice," wrote The New York Times in its report. Following this news, the bank's share price hit a new record low on Thursday morning, leaving its shareholders unimpressed.
At the annual general meeting, Christian Sewing, Deutsche Bank's chief executive, faced shareholders' discontent with the bank's top management. He has promised to improve the bank's internal controls and plans to "make tough cutbacks" to reverse the damage. Addressing the investors, Sewing said, "We will accelerate transformation by rigorously focusing our bank on profitable and growing businesses which are particularly relevant to our clients." Read the full story on The New York Times.
Vincy Davis
23 May 2019
4 min read
SENSORID attack: Calibration fingerprinting that can easily trace your iOS and Android phones, study reveals

A new study by researchers at Cambridge University's Computer Laboratory has revealed an attack, called calibration fingerprinting or SENSORID, that allows iOS and Android devices to be tracked across the internet. The researchers state that the attack is easy for a website or an app to carry out in under a second: it requires no special permissions, needs no user interaction, and is computationally cheap. Yesterday, at the IEEE Symposium on Security and Privacy, the researchers presented the paper “SENSORID: Sensor Calibration Fingerprinting for Smartphones”, which introduces the attack. In it they demonstrate the attack's effectiveness on iOS devices and find that the limited precision of the M-series co-processor's output helps in generating such a fingerprint. “Such an attack does not require direct access to any calibration parameters since these are often embedded inside the firmware of the device and are not directly accessible by application developers”, the paper states. “According to a team of academics from the University of Cambridge in the UK, SensorID impacts iOS devices more than Android smartphones. The reason is that Apple likes to calibrate iPhone and iPad sensors on its factory line, a process that only a few Android vendors are using to improve the accuracy of their smartphones' sensors”, reports ZDNet. The researchers fingerprint a device by carefully analyzing the output of its embedded sensors. Reading the sensors requires no special permission, and the data can be accessed both by a native app installed on the device and by JavaScript when visiting a website, on iOS and Android alike, so the fingerprint can be generated by apps and by mobile websites without any user interaction.
Tested on an iPhone 6S, the gyroscope fingerprint (GYROID) contains about 42 bits of entropy and the magnetometer fingerprint (MAGID) provides a further 25 bits. The study shows that the combination of MAGID and GYROID, the SENSORID, is globally unique for the iPhone 6S, and that it does not change on factory reset or after a software update, which means the attack can also be applied retrospectively to a historic archive of sensor data. Beyond iOS, the Google Pixel 2 and Pixel 3 can also be fingerprinted by the SENSORID attack. The researchers claim that all iOS devices with a gyroscope or magnetometer can be fingerprinted this way, including the latest iPhone XS and iPhone XS Max. The mainstream iOS browsers Safari, Chrome, Firefox and Opera and the privacy-enhanced browsers Brave and Firefox Focus are all vulnerable to this calibration-based fingerprinting, even with fingerprinting protection turned on. They add, “We have also tried measuring the sensor data at different locations and under different temperatures; we confirm that these factors do not change the SENSORID either.” The researchers notified Apple in August 2018 and Google in December 2018. Apple patched the issue in iOS 12.2, released in March 2019; Google has not yet taken action beyond telling the researchers that it will investigate. With iOS 12.2, iPhones and iPads generate a new fingerprint with every sensor calibration query, making SENSORID-style tracking useless, and Apple also removed access to motion sensors from Mobile Safari by default. The researchers anticipate that the calibration information of other embedded sensors can also be recovered and used as a fingerprint, and expect future research to carry out calibration fingerprinting attacks on other types of sensor.
Any iPhone is vulnerable to this attack unless it has been updated to iOS 12.2. Pixel 2 and Pixel 3 devices are vulnerable. How far the attack extends to other Android phones is not yet fully known, but other factory-calibrated devices may well be affected.
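To make concrete why factory calibration leaks a stable identifier, and why it survives resets and updates, here is an added example that is not the Cambridge researchers' code. It uses a simplified sensor model, which is an assumption: the driver converts an integer ADC count into a floating-point rate using a per-device gain and offset, so every output an app or web page receives lies on a lattice whose spacing (the gain) and phase (the offset) can be recovered from a few hundred samples. It also models a mitigation of the kind the page describes for iOS 12.2 (a per-session perturbation so that each query yields a different fingerprint); that too is an assumption, not Apple's code.

```python
"""Simplified model of the SENSORID calibration fingerprint.

Added example; not the Cambridge researchers' code. It assumes a simplified
sensor pipeline: the driver converts an integer ADC count r into a
floating-point angular rate  y = gain * NOMINAL_STEP * r + offset, where gain
and offset are the device's factory calibration values. Because r is an
integer, every output lies on a lattice, and its spacing (the gain) and phase
(the offset) can be recovered from a few hundred samples without any permission.
"""
import math
import random
from typing import Dict, List, Tuple

# Assumed nominal sensitivity: a +/-2000 deg/s gyroscope read through a 16-bit ADC.
NOMINAL_STEP = math.radians(2000.0) / 32768


class SimulatedGyro:
    """A device at rest; its ADC counts jitter in a narrow band (constructed)."""

    def __init__(self, gain: float, offset_counts: float, seed: int) -> None:
        self.gain = gain                                    # factory calibration gain
        self.offset = offset_counts * gain * NOMINAL_STEP   # factory calibration offset
        self.session_jitter = 0.0                           # used only by the assumed mitigation
        self._rng = random.Random(seed)

    def read(self, n: int) -> List[float]:
        """Return n calibrated samples, as an app or web page would see them."""
        return [
            self.gain * NOMINAL_STEP * self._rng.randint(-40, 40)
            + self.offset + self.session_jitter
            for _ in range(n)
        ]

    def start_mitigated_session(self) -> None:
        """Assumed mitigation in the spirit of the iOS 12.2 change described above
        (not Apple's code): shift the lattice phase by a fresh random amount per
        session, so each query yields a different fingerprint."""
        self.session_jitter = self._rng.uniform(-0.5, 0.5) * NOMINAL_STEP


def recover_step(samples: List[float]) -> float:
    """Estimate the lattice spacing gain * NOMINAL_STEP from calibrated outputs.

    The smallest gap between distinct outputs is one ADC count and every other
    gap is an integer multiple of it; the ratio of sums averages out float noise.
    """
    ys = sorted(set(samples))
    gaps = [b - a for a, b in zip(ys, ys[1:])]
    if not gaps:
        raise ValueError("need samples at more than one ADC value")
    coarse = min(gaps)
    counts = [round(g / coarse) for g in gaps]
    return sum(gaps) / sum(counts)


def fingerprint(samples: List[float]) -> Tuple[float, float]:
    """Return (recovered gain, lattice phase in ADC counts), rounded so that
    repeated measurements of the same device agree."""
    step = recover_step(samples)
    gain = step / NOMINAL_STEP
    # Every sample sits at the same offset from its nearest lattice point.
    phases = [(y - step * round(y / step)) / step for y in samples]
    return (round(gain, 6), round(sum(phases) / len(phases), 4))


def demo() -> Dict[str, Tuple[float, float]]:
    """Two constructed devices, a repeat visit, and two mitigated sessions."""
    device_a = SimulatedGyro(gain=1.0137, offset_counts=0.17, seed=1)
    device_b = SimulatedGyro(gain=0.9921, offset_counts=-0.31, seed=2)
    result = {
        "a_first_visit": fingerprint(device_a.read(400)),
        "a_later_visit": fingerprint(device_a.read(400)),   # new samples, same device
        "b": fingerprint(device_b.read(400)),
    }
    device_a.start_mitigated_session()
    result["a_mitigated_1"] = fingerprint(device_a.read(400))
    device_a.start_mitigated_session()
    result["a_mitigated_2"] = fingerprint(device_a.read(400))
    return result


if __name__ == "__main__":
    for name, fp in demo().items():
        print(f"{name:14s} gain={fp[0]:.6f} phase={fp[1]:+.4f} counts")
```

Nothing in the recovery depends on the device's orientation, temperature or the particular motion sampled, only on the fact that outputs are quantized and then scaled by a constant, which is why the researchers found the fingerprint unchanged across locations, temperatures, resets and updates.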