Tech News

Sugandha Lahoti
06 Aug 2019
4 min read

Google discriminates against pregnant women, an employee memo alleges

Google is again under fire for discrimination and retaliation, this time against pregnant women. According to an employee memo obtained by Motherboard, titled "I'm Not Returning to Google After Maternity Leave, and Here is Why," a Googler has accused the company of discrimination and harassment while she was pregnant. She writes, "I'm sharing this statement because I hope it informs needed change in how Google handles discrimination, harassment, and retaliation. I stood up for a mother on my team and doing so sent me down a path that destroyed my career trajectory at Google."

The retaliation started after she reported a manager's derogatory comments about a pregnant colleague to HR. Things spiralled downhill from there, and she faced discrimination leading up to her own childbirth.

The employee writes that, after several years as a high performer with a strong track record at the company, she was promoted to manage a small team of her own. "At one point after my promotion, my director/manager started making inappropriate comments about a member of my team, including that the Googler was likely pregnant again and was overly emotional and hard to work with when pregnant," she writes. The manager later asked her to 'manage the member of the staff', which prompted her to complain about the manager to HR. She was told that her comments might be shared directly with her boss but that this would not affect her, as strong anti-retaliation measures were in place. What happened was the opposite. "I endured months of angry chats and emails, vetoed projects, her ignoring me during in-person encounters, and public shaming," the employee writes. She reported the retaliation to HR several times, but nothing improved.

Pregnant herself and worried about her unborn baby, she decided to move to another team to escape the stressful environment. She was immediately contacted by the VP, who said she would not have to leave and that her manager was transitioning to another team. However, a month later the manager was still in place. Four and a half months later, after continued retaliation, she considered another management role with less responsibility, but was told she would not be taken on by the new team out of fear that her maternity leave might 'stress the team' and 'rock the boat'.

She later developed a condition that put her life and her pregnancy at risk and was likely to force her to start maternity leave early. When she discussed it with her manager, however, the boss dismissed her concerns, claiming that a media report "debunked the benefits of bed rest." The boss added that she herself had ignored her own physician's recommendations and kept working while pregnant. The manager "then emphasized that a management role was no longer guaranteed upon my return from maternity leave and that she supported my interviewing for other roles at Google," she adds.

The Pregnancy Discrimination Act prohibits companies from discriminating against people "on the basis of pregnancy, childbirth, or related medical conditions."

https://twitter.com/mjyazzie/status/1158535549281394689

This is not the first time Google has faced scrutiny for retaliating against employees. In April, Google Walkout organizers Claire Stapleton and Meredith Whittaker accused the company of retaliating against them over last year's Google Walkout protest. Both saw their roles change dramatically, including calls to abandon AI ethics work, demotion, and more. Stapleton left the company in June, and Whittaker followed in July after continued retaliation from management. In August, according to the Wall Street Journal, a former Google engineer claimed that he was blacklisted, bullied and ultimately fired by Google for reporting unlawful discrimination and retaliation, both internally and to government agencies. The company also sued him in arbitration, which has racked up over $100,000 in legal fees.

In response to the memo, the tech giant has been tight-lipped and has accepted no responsibility. A Google spokesperson told Motherboard: "We prohibit retaliation in the workplace and publicly share our very clear policy. To make sure that no complaint raised goes unheard at Google, we give employees multiple channels to report concerns, including anonymously, and investigate all allegations of retaliation."
Bhagyashree R
05 Aug 2019
3 min read

A JIRA misconfiguration exposed employees and project details of NASA, Google, Yahoo, and many others, alleges Grofers lead infra security engineer

Last week, Avinash Jain, a Lead Infrastructure Security Engineer at Grofers, reported that a misconfiguration in JIRA publicly exposed sensitive information about the employees and projects of many big companies, including NASA, Google, Yahoo, Zendesk, Lenovo, 1Password and Informatica, as well as governing bodies across the world.

https://twitter.com/logicbomb_1/status/1157311534395056128

What was the JIRA misconfiguration

JIRA is Atlassian's proprietary product for bug tracking, issue tracking, and agile project management. When you create a dashboard or filter in JIRA, its visibility is set to "Everyone" and "All users" by default. These settings sound as if they grant access to everyone in the organization, but they in fact share the item publicly. JIRA also has a user picker feature that provides a complete list of every user's username and email address; this is exposed because of an authorization misconfiguration in JIRA's Global Permissions settings.

Together, these misconfigurations exposed internal user data, including names, emails and roles (via JIRA groups), as well as project details and upcoming milestones (through JIRA dashboards and filters). An attacker who knows how to craft search queries needs only to find the link, and can then reach this information from anywhere.

Jain explained that he located these dashboards, user pickers and filters with so-called "Google dorks": he only had to run a search query in Google, and the results listed every company that had the user picker misconfigured.

[Screenshot of the search results. Credits: Avinash Jain]

Jain has already contacted the affected companies. "I reported this to various companies, some rewarded me, some fixed it while some are still living with it," he wrote. It is, however, unclear whether he has reported the vulnerability to Atlassian, as there has been no reply from the JIRA creator yet.

What steps Atlassian and users can take to avoid this vulnerability

Jain and many other users also feel that JIRA's UX is somewhat confusing. He urges Atlassian to be more explicit about what it means by "Everyone" and "All users", and recommends setting the visibility to "Private" by default.

Explaining the issue, a user on Hacker News said, "This issue arises because, if the site allows any public sharing, the "create filter" UI gives team members the option to share a new filter with "Everyone", which sounds like an org-local scope but is in fact a public/non-logged-in scope. The org-level scope is called, "Open", and is not part of this UI. Sigh."

The same user recommends, "To prevent this issue as a site admin on Jira cloud, go to: Jira Settings -> System -> General Configuration and disable "Allow users to share dashboards and filters with the public." This doesn't affect existing filters, which you have to manually fix. In true Jira fashion, if you try to reassign a filter after flipping this setting, it will deny the operation and ask you to edit the ACL, which there is no convenient admin UI to do."

To know more, you can read Jain's Medium post about the JIRA misconfiguration.
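As an added example (not code from the article, from Jain's post or from Atlassian), the offline audit below finds existing filters and dashboards whose widest share scope is still the public "Everyone" scope and computes the narrowed share list an admin would apply by hand. It assumes the Jira Cloud REST API response shape (the filter search endpoint with expand=sharePermissions, and the dashboard endpoint) in which each item carries a sharePermissions list whose type is "global" for "Everyone" and "loggedin" for the org-local "Open" scope, and it runs on a constructed sample export.

```python
"""Offline audit of Jira Cloud filter/dashboard share scopes.

Assumption (not stated in the article): each filter returned by
GET /rest/api/3/filter/search?expand=sharePermissions and each dashboard
returned by GET /rest/api/3/dashboard carries a "sharePermissions" list
whose entries have a "type" of "global" (the "Everyone" scope: no login
required), "loggedin" (the org-local "Open" scope), "project", "group"
or "user".  The HTTP fetch is omitted so the audit runs on saved JSON.
"""
import json
from typing import Dict, List, Tuple

# Broader scope gets a higher rank; unknown types are treated as narrow.
SCOPE_RANK: Dict[str, int] = {"global": 3, "loggedin": 2, "project": 1, "group": 1, "user": 1}
PUBLIC_SCOPE = "global"    # reachable without logging in: the exposure in the article
ORG_SCOPE = "loggedin"     # what Jira calls "Open": every authenticated user of the site


def widest_scope(item: dict) -> str:
    """Return the broadest share scope on a filter or dashboard ('private' if unshared)."""
    types = [p.get("type", "") for p in item.get("sharePermissions") or []]
    if not types:
        return "private"
    return max(types, key=lambda t: SCOPE_RANK.get(t, 0))


def find_public_items(payload: dict) -> List[Tuple[str, str, str, str]]:
    """List (kind, id, name, owner) for every item whose widest scope is public."""
    findings = []
    for kind, key in (("filter", "filters"), ("dashboard", "dashboards")):
        for item in payload.get(key, []):
            if widest_scope(item) == PUBLIC_SCOPE:
                owner = (item.get("owner") or {}).get("displayName", "unknown")
                findings.append((kind, str(item["id"]), item["name"], owner))
    return findings


def narrowed_permissions(item: dict) -> List[dict]:
    """Return the item's share list with every 'global' entry replaced by 'loggedin'.

    The organisation keeps access while anonymous access goes away; the
    difference between this list and the original is the set of permission
    edits an admin has to apply by hand, since disabling public sharing in
    General Configuration does not touch existing filters.
    """
    narrowed, seen = [], set()
    for perm in item.get("sharePermissions") or []:
        new = {"type": ORG_SCOPE} if perm.get("type") == PUBLIC_SCOPE else dict(perm)
        # Site-wide scopes carry no target, so dedupe them by type alone.
        scope = new.get("type", "")
        key = scope if scope in (ORG_SCOPE, PUBLIC_SCOPE) else json.dumps(new, sort_keys=True)
        if key not in seen:
            seen.add(key)
            narrowed.append(new)
    return narrowed


def report(payload: dict) -> str:
    """Human-readable summary of public items, one line each."""
    lines = [f"PUBLIC {kind} {item_id} '{name}' owned by {owner}"
             for kind, item_id, name, owner in find_public_items(payload)]
    return "\n".join(lines) or "no filters or dashboards are shared with anonymous users"


# Constructed sample in the assumed response shape; ids and names are made up.
SAMPLE_EXPORT = json.loads("""
{
  "filters": [
    {"id": "10001", "name": "Release 2.1 blockers",
     "owner": {"displayName": "A. Example"},
     "sharePermissions": [{"id": 1, "type": "global"}]},
    {"id": "10002", "name": "My open bugs",
     "owner": {"displayName": "B. Example"},
     "sharePermissions": []},
    {"id": "10003", "name": "Team triage",
     "owner": {"displayName": "C. Example"},
     "sharePermissions": [{"id": 2, "type": "loggedin"}]}
  ],
  "dashboards": [
    {"id": "20001", "name": "Roadmap Q3",
     "owner": {"displayName": "A. Example"},
     "sharePermissions": [{"id": 3, "type": "project", "project": {"id": "10100"}},
                          {"id": 4, "type": "global"}]}
  ]
}
""")

if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
    for kind, item_id, name, _ in find_public_items(SAMPLE_EXPORT):
        item = next(i for i in SAMPLE_EXPORT[kind + "s"] if str(i["id"]) == item_id)
        print(f"  {kind} {item_id}: set sharePermissions to {narrowed_permissions(item)}")
```

Run it against a saved export taken before and after flipping the General Configuration setting: the public items list should be empty after every existing filter and dashboard has had its share list narrowed.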
Savia Lobo
05 Aug 2019
4 min read

ESA’s E3 web security negligence endangers more than 2000 game media journalists, investors, after accidental leak exposes PII data

A few days ago, the Entertainment Software Association (ESA) accidentally leaked a spreadsheet containing the personal information of about 2,025 games industry journalists, content creators and video producers on its E3 (Electronic Entertainment Expo) website, making it publicly available. The information, including names, publications, home addresses, email addresses and phone numbers, was captured when they registered for E3. Hackers or other bad actors can use this information to harass journalists or investors.

The existence of the spreadsheet was first reported by journalist Sophia Narwitz, who posted about it on her personal YouTube channel on Friday, August 2. In the video, Narwitz described, "On the public E3 website was a web page that carried a link simply titled 'Registered Media List.' Upon clicking the link, a spreadsheet was downloaded that included the names, addresses, phone numbers, and publications of over 2,000 members of the press who attended E3 this past year."

ESA told VentureBeat, "ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again."

Narwitz tweeted that a group of journalists has been focusing on discrediting her: "Given that the ESA just caused a lot of suffering for many game journalists, I actually hate being on the offensive here, but the way folks in the media are lying about me and trying to bury me, it makes me really wanna scream about their lack of ethics."

https://twitter.com/Grummz/status/1157882288631246848

Although the E3 website has been updated and the link to the spreadsheet no longer exists, a cached version of the site does "show a link titled "Registered Media List" used to appear on a "Helpful Links" page. For some time yesterday, even after this page was removed, clicking on the link in the easily-accessible Google cached version of the page would download the spreadsheet from the E3 website's servers," states Kotaku, a video game website and blog.

In a statement to GamesIndustry.biz, ESA said it provides "ESA members and exhibitors a media list on a password-protected exhibitor site so they can invite you to E3 press events, connect with you for interviews, and let you know what they are showcasing. For more than 20 years there has never been an issue."

This accidental leak could seriously damage ESA's image, given that E3 is a prestigious event that companies pay the organization a lot of money to attend. Also, "the ESA website was likely also accessible from Europe, and it contained info for European members of the press. That could turn this into a GDPR (General Data Protection Regulation) issue," VentureBeat reports.

Users and gamers who attended E3 are disappointed and angry over the ESA's "accidental leak". Some say ESA should have been more careful about its security measures and taken precautions to protect the personal information of thousands of journalists.

https://twitter.com/Dom_Pepin/status/1157772465445179392

Nathan Ditum, an editor at PlayStation Access who attended E3 this year, tweeted, "Many journalists and content creators are freelancers and work from home addresses. This leak isn't just clumsy, it's a real cause for concern."

https://twitter.com/NathanDitum/status/1157744239045988353

A content creator with the handle @Parris tweeted that he is "getting random texts saying they have my personal info, including my home address and putting my family at risk."

https://twitter.com/vicious696/status/1157642132779237377

A gaming news commentator at SDGC tweeted, "The ESA's carelessness and negligence has put the private information of thousands of games media employees in the hands of harassers."

https://twitter.com/DerekOfTheD/status/1157500146189553664

A user on Reddit writes, "There's a legitimate question of whether there will even be an E3 next year after this. Because there's absolutely no question that the ESA is getting sued heavily over this. Especially since European journalists are on this. Which means the ESA's going to be subject to GDPR. It's hard to really overstate how potentially devastating this is going to be for them."

Another Reddit user writes, "What's unforgivable is at this point, things like this have happened so many times and you still have people who refuse to take their security seriously and double-check their work. It's just negligent at this point."

https://twitter.com/Futterish/status/1157751307131924481
Amrata Joshi
05 Aug 2019
4 min read

Apple plans to suspend Siri response grading process due to privacy issues

Last month, the Guardian reported that Apple contractors regularly listen to confidential medical information, drug deals and personal recordings of couples as part of their job grading Siri's recordings. The contractors are responsible for grading Siri's responses on a variety of factors, such as whether the voice assistant was activated deliberately or accidentally, whether the query was something Siri was expected to help with, and whether Siri's response was appropriate.

According to the Guardian's report, one Apple contractor explained the grading process: audio snippets, which are not connected to individuals' names or IDs, are played to contractors, who check whether Siri heard them accurately or was invoked by mistake.

In a statement to the Guardian, Apple said, "A small portion of Siri requests are analysed to improve Siri and dictation. User requests are not associated with the user's Apple ID. Siri responses are analysed in secure facilities and all reviewers are under the obligation to adhere to Apple's strict confidentiality requirements." Apple added that the data "is used to help Siri and dictation … understand you better and recognise what you say."

Siri can also be activated accidentally when it mistakenly hears the wake word or the phrase "Hey Siri". The Apple contractor explained, "The sound of a zip, Siri often hears as a trigger."

This month, Apple plans to suspend Siri response grading and review the process, which may be the company's response to the Guardian's report. Apple will also issue a software update in the future that will let Siri users choose whether or not to participate in grading. In a statement to TechCrunch, Apple said, "We are committed to delivering a great Siri experience while protecting user privacy." The company added, "While we conduct a thorough review, we are suspending Siri grading globally. Additionally, as part of a future software update, users will have the ability to choose to participate in grading."

Companies like Amazon and Google have also come under scrutiny for involving humans in monitoring their voice assistants. Reports stated that Amazon staff were listening to some Alexa recordings, and a similar incident occurred with Google Assistant. This month, Amazon introduced an option to disable human review of Alexa recordings.

Users would likely appreciate being asked for consent before their personal recordings are reviewed. These recordings are also stored on servers, and if a data breach occurs, or a malicious attacker targets the server or datacenter, there is a high chance of such data getting into the wrong hands. This raises the question of whether our personal data is really secure.

In a recent Threatpost podcast on voice assistant privacy issues, Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, said, "The biggest concern that I have is actually around data retention policies and disclosure." Mackey added, "So we have an expectation that these are connected devices, and that perhaps short of the Alexa-then-perform-action activity, that the communication, the actual processing of our request is going to occur on an Amazon server, Google server or so forth…. And what we're learning is that the providers tend to keep this data for an indeterminate amount of time. And that's a significant risk, because the volume of data itself means that it's potentially very interesting to a malicious actor someplace who wishes to say, target an individual."
Vincy Davis
05 Aug 2019
3 min read

GNU C Library version 2.30 releases with POSIX-proposed functions, support for Unicode 12.1.0, new Linux functions and more!

Last week, GNU C Library version 2.30 was released. The major highlights of this release include new POSIX (Portable Operating System Interface)-proposed functions, support for Unicode 12.1.0, support for a --preload argument to preload shared objects, and the addition of new Linux functions such as getdents64, gettid and tgkill. The GNU C Library is used on GNU systems and GNU/Linux systems, as well as on other systems that use Linux as the kernel. It is a portable, high-performance C library.

Major new features in GNU C Library version 2.30

The new POSIX-proposed functions pthread_cond_clockwait, pthread_mutex_clocklock, pthread_rwlock_clockrdlock, pthread_rwlock_clockwrlock and sem_clockwait have been introduced. All of them allow waiting against CLOCK_MONOTONIC and CLOCK_REALTIME.

Support for Unicode 12.1.0 has been added; character encoding, character type info and transliteration tables have all been updated to Unicode 12.1.0.

The dynamic linker now accepts a --preload argument to preload shared objects, in addition to the LD_PRELOAD environment variable.

The getdents64, gettid and tgkill functions have been added on Linux.

The memory allocation functions malloc, calloc, realloc, reallocarray, valloc, pvalloc, memalign and posix_memalign now require the object size to be smaller than PTRDIFF_MAX. This lets the allocation functions avoid potential undefined behavior from pointer subtraction within the allocated object, which could overflow the ptrdiff_t type.

Deprecated features influencing compatibility

The functions clock_gettime, clock_getres, clock_settime, clock_getcpuclockid and clock_nanosleep have been removed from the librt library for new applications. The obsolete XSI STREAMS header files <stropts.h> and <sys/stropts.h>, and the RES_INSECURE1 and RES_INSECURE2 option flags for the DNS stub resolver, have been removed. Support for the "inet6" option in /etc/resolv.conf and the RES_USE_INET6 resolver flag has been removed. The Linux-specific <sys/sysctl.h> header and the sysctl function have been removed from GNU C Library version 2.30 and will not be present in future versions of glibc; the getentropy function can be used for obtaining random bits.

Bug fixes in GNU C Library version 2.30

- gettid() to have a wrapper in libc
- nftw() does not return dangling symlink's inode in libc
- mtrace hangs when MALLOC_TRACE is defined in malloc
- memusagestat is built using system C library in malloc
- libpthread IFUNC resolver for vfork can lead to crash in nptl

These are a select few of the updates. For more information, you may go through the libc sourceware page.
Vincy Davis
02 Aug 2019
4 min read

Intel’s 10th gen 10nm ‘Ice Lake’ processor offers AI apps, new graphics and best connectivity

After a long wait, Intel has officially launched its first 10th generation Core processors, code-named 'Ice Lake'. The first batch contains 11 highly integrated 10nm processors with high-performance artificial intelligence (AI) features, designed for sleek 2-in-1s and laptops.

The 'Ice Lake' processors are manufactured on Intel's 10nm process and are paired with a 14nm chipset in the same package. Each includes two or four Sunny Cove cores along with Intel's Gen 11 graphics processing unit (GPU). The 10nm figure refers to the size of the transistors used; smaller transistors are generally expected to consume less power.

Chris Walker, Intel corporate vice president and general manager of Mobility Client Platforms in the Client Computing Group, says that "With broad-scale AI for the first time on PCs, an all-new graphics architecture, best-in-class Wi-Fi 6 (Gig+) and Thunderbolt 3 – all integrated onto the SoC, thanks to Intel's 10nm process technology and architecture design – we're opening the door to an entirely new range of experiences and innovations for the laptop."

Intel was originally supposed to ship 10nm processors back in 2016. Intel CEO Bob Swan says that the delay was due to the "company's overly aggressive strategy for moving to its next node."

Intel has also introduced a new processor numbering scheme for the 10th generation 'Ice Lake' processors, which indicates the generation and the graphics performance level of the processor.

[Image: the new processor number naming structure. Image source: Intel]

What's new in the 10th generation Intel Core processors?

Intelligent performance

The 10th generation Core processors are the first purpose-built processors for AI on laptops and 2-in-1s. They are built for modern AI-infused applications and include features such as:

- Intel Deep Learning Boost, aimed specifically at the flexibility to run complex AI workloads. It has a dedicated instruction set that accelerates neural networks on the CPU for maximum responsiveness.
- Up to 1 teraflop of GPU engine compute for sustained high-throughput inference applications.
- Intel's Gaussian & Neural Accelerator (GNA), a dedicated engine for background workloads such as voice processing and noise prevention at ultra-low power, for the longest battery life.

New graphics

With Iris Plus graphics, the 10th generation Core processors deliver double the graphics performance at 1080p and higher-level content creation in 4K video editing, video filters and high-resolution photo processing. This is the first time that an Intel GPU supports VESA's Adaptive Sync* display standard, which enables a smoother gaming experience in games like Dirt Rally 2.0* and Fortnite*. According to Intel, this is the industry's first integrated GPU to incorporate variable rate shading for better rendering performance, thanks to the Gen11 graphics architecture. The processors also support the BT.2020* specification, making it possible to view 4K HDR video in a billion colors.

Best connectivity

With improved board integration, PC manufacturers can innovate on form factor for sleeker designs with Wi-Fi 6 (Gig+) connectivity and up to four Thunderbolt 3 ports. Intel claims this is the "fastest and most versatile USB-C connector available."

The first batch of 11 'Ice Lake' processors comprises 6 Ice Lake U series and 5 Ice Lake Y series processors.

[Image: the complete Ice Lake processor list. Image source: Intel]

Intel has revealed that laptops with the 10th generation Core processors can be expected in the holiday season this year. The post also states that Intel will soon release additional products in the 10th generation Intel Core mobile processor family to meet growing computing needs. The upcoming processors will "deliver increased productivity and performance scaling for demanding, multithreaded workloads."

Users love the new 10th generation Core processor features and are especially excited about the Gen 11 graphics.

https://twitter.com/Tribesigns/status/1133284822548279296
https://twitter.com/Isaacraft123/status/1156982456408596481

Many users also hope to see the new processors in upcoming Mac notebooks.

https://twitter.com/ChernSchwinn1/status/1157297037336928256
https://twitter.com/matthewmspace/status/1157295582844575744

Head over to the Intel newsroom page for more details.
Savia Lobo
02 Aug 2019
5 min read

Researchers reveal vulnerability that can bypass payment limits in contactless Visa card

A few days ago, researchers from Positive Technologies disclosed flaws in Visa contactless cards that allow attackers to bypass payment limits. The research was conducted by two Positive Technologies researchers: Leigh-Anne Galloway, Cyber Security Resilience Lead, and Tim Yunusov, Head of Banking Security. The attack was tested with "five major UK banks where it successfully bypassed the UK contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal", the researchers said. They added that the contactless Visa card vulnerability is also present on cards outside the UK.

How is this contactless Visa card vulnerability exploited?

The attack manipulates two data fields that are exchanged between the card and the terminal during a contactless payment. "Predominantly in the UK, if a payment needs an additional cardholder verification (which is required for payments over 30 pounds in the UK), cards will answer "I can't do that," which prevents against making payments over this limit," the researchers said. Next, the terminal uses country-specific settings, which require the card or mobile wallet to provide additional verification of the cardholder, such as entry of the card PIN or fingerprint authentication on the phone. The attack bypasses both checks using a device that intercepts communication between the card and the payment terminal; the device acts as a proxy, conducting a man-in-the-middle (MITM) attack.

"This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification," the researchers say. "The attack can also be done using mobile wallets such as GPay, where a Visa card has been added to the wallet. Here, it is even possible to fraudulently charge up to £30 without unlocking the phone," Positive Technologies mention in their post.

One of the researchers, Yunusov, said, "The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing. While it's a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers."

A hacker can easily conduct a cardless attack

Forbes explains that criminals could, for instance, take a payment from a card with their own mobile payment terminal while the user wasn't looking (though a malicious merchant would eventually be caught by banks' fraud systems if they used the same terminal). They could even take a payment reading from a credit card using a mobile phone, send the data to another phone, and make a payment from that second device beyond the limit, the researchers claimed. "For the hack to work, all the fraudsters need is to be close to their victim," Forbes mentions. "So that means if you found someone's card or if someone stole your card, they wouldn't have to know your PIN, they wouldn't have to impersonate your signature, and they could make a payment for a much higher value," Galloway said.

According to UK Finance, fraud on contactless cards and devices increased from £6.7 million in 2016 to £14 million in 2017, and £8.4 million was lost to contactless fraud in the first half of 2018.

The researchers suggest that additional security should be provided by the card-issuing bank, which should not rely on Visa to provide a secure payment protocol. "Instead, issuers should have their own measures in place to detect and block this attack vector and other payment attacks," the researchers say. Galloway says, "It falls to the customer and the bank to protect themselves. While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion." "Because of this, we can expect to see contactless fraud continue to rise. Issuers need to be better at enforcing their own rules on contactless and increasing the industry standard. Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless," she adds.

In the U.S., contactless card transactions are relatively rare, with only about 3 percent of cards falling into this category, CNBC reports. The researchers say the limits attackers can exceed differ between countries: in the UK, they were able to make payments of £100 without any detection, while in the U.S., Galloway says, the limit is considerably higher at $100.

What measures is Visa taking to prevent this kind of contactless fraud?

Surprisingly, the company was not alarmed by the findings. In fact, Forbes reports that Visa was not planning to update its systems anytime soon. "One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer. Likewise, the transaction must pass issuer validations and detection protocols. It is not a scalable fraud approach that we typically see criminals employ in the real world," a Visa spokesperson told Forbes. The company also said it was continually working on improving its fraud detection technology.

https://twitter.com/a66ot/status/1155793829443842049

To know more about this news in detail, head over to Positive Technologies' official post.

IBM continues to layoff older employees solely to attract Millennials to be at par with Amazon and Google

Amrata Joshi
02 Aug 2019
4 min read
Major companies like Uber, Microsoft, Cognizant and many others are on the path of job cuts and layoffs. Layoffs get really bad when they come as a result of discrimination, and according to recent reports that is what is happening at IBM. In the last few years IBM has fired over 100,000 employees in order to attract millennials and be at par with companies like Amazon and Google, according to a deposition by a former vice president in an ongoing age-discrimination lawsuit. It is an effort to replace older staff with younger workers.

The company is already facing several lawsuits accusing it of firing older workers, including a class-action case in Manhattan as well as individual civil suits filed in California, Pennsylvania and Texas last year.

Jonathan Langley, aged 60, was a worldwide program director and sales lead at IBM's Bluemix cloud service. Langley was removed from the company in March 2017 and filed a lawsuit against IBM under the Age Discrimination in Employment Act. Despite his good performance, and despite netting a $20,000 performance bonus in January 2017, he was laid off. He was not successful in getting any other role within IBM, and the company’s HR system marked him as having resigned. Soon after he left in July, Langley received a letter congratulating him on his "retirement." IBM management, on the other hand, told the US government's Equal Employment Opportunity Commission that Langley was laid off because his supervisor, Kim Overbayhe, had ranked him the worst-performing employee on his team in January 2017, even though his performance was evidently good: he had won the biggest bonus that quarter.

A report from ProPublica and Mother Jones shows how IBM targeted older workers for termination. The report also states that the money saved from such layoffs was used to hire younger staff, that job cuts were recast as retirements, and that the company pushed resignations and firings.
Employees targeted for layoffs were encouraged to apply for other IBM positions, while managers were quietly advised not to hire them. Some employees were told that their skills were not up to the mark, and then were asked to come back as contract workers at lower pay and with fewer benefits. According to a report in January, a former senior executive at IBM claimed that she was ordered to lie to the US government about the number of older workers IBM was laying off; when she spoke up about how the company was breaking age-discrimination laws by firing employees over 50, she was fired.

IBM might also be looking to cut costs by removing older employees, as its revenue is falling 4.2 percent year-on-year; the company has struggled with shrinking revenue for almost seven years now.

A user commented on Hacker News, “I doubt IBM lays off its older workers solely to appeal to Millennials. It's more likely that older workers are laid off because they are more expensive due to higher pay, have more paid time off, use more healthcare and are more politically calibrated to their organizations than younger workers.”

Others note that older employees bring a great deal of experience and knowledge and are good to work around.
A user commented on Hacker News, “But I want to comment that as a young mainframer (I started 14 years ago at the age of 26, with a big IBM competitor), I really enjoyed working with older people.” “They work quite hard (they have survived lots of changes in the organization, and that - in majority of cases - means that their contribution was appreciated somewhere), often are less crazy (they are set in life, don't have to "compete" anymore), don't panic or get overexcited too much (they have seen lot of stuff and that moderates their emotions), have good stories from life (they lived through one already), and you can learn from them a lot (they often have weird experience in areas that you would never expect).”

Another user commented, “When I worked at Boeing (my first real job) I learned an awful lot from the older engineers. But when I switched to the software biz, older ones didn't exist and I had to pretty much learn everything the hard way.”

Amazon introduces PartiQL, a SQL-compatible unifying query language for multi-valued, nested, and schema-less data

Bhagyashree R
02 Aug 2019
3 min read
Yesterday, Amazon introduced a new SQL-compatible query language named PartiQL, a “unifying query language” that lets you query data regardless of database type and vendor. Amazon has open-sourced the language’s lexer, parser, and compiler under the Apache 2.0 license. The open-source implementation also provides an interactive shell, or Read-Evaluate-Print Loop (REPL), with which you can quickly write and evaluate PartiQL queries.

Why PartiQL is introduced

Amazon’s business requires querying and transforming huge amounts and types of data, not limited to SQL tabular data but also nested and semi-structured data. The company wants to make its relational database services like Redshift capable of accessing non-relational data while maintaining backward compatibility with SQL. To address these requirements, Amazon created PartiQL, which enables you to query data across a variety of formats and services in a simple and consistent way.

(Diagram: the basic idea behind PartiQL. Source: Amazon)

Many Amazon services already use PartiQL, including Amazon S3 Select, Amazon Glacier Select, Amazon Redshift Spectrum, Amazon Quantum Ledger Database (Amazon QLDB), and Amazon internal systems.

Advantages of using PartiQL

PartiQL is fully compatible with SQL: You will not have much trouble adopting PartiQL, as it is fully compatible with SQL. All the existing queries you are familiar with will work in SQL query processors that are extended to provide PartiQL.

Works with nested data: PartiQL treats nested data as a first-class citizen of the data abstraction. Its syntax and semantics enable users to “comprehensively and accurately access and query nested data.”

Format and datastore independent: PartiQL allows you to write the same query for all data formats, as its syntax and semantics are not tied to a specific data format. To enable this, the query operates on a logical type system that maps to diverse formats.
Because of its expressiveness, you can use it with diverse underlying datastores.

Optional schema and query stability: You do not need a predefined schema over a dataset. PartiQL is built to work with engines that are schemaless or that assume the presence of a schema.

Requires minimal extensions: It requires a minimal number of extensions over SQL. These extensions for multi-valued, nested, and schema-less data combine seamlessly with the joining, filtering, aggregation, and windowing capabilities of standard SQL.

To know more in detail, check out the official announcement by Amazon.

DoorDash buys Square’s food delivery service Caviar for $410 million

Fatema Patrawala
02 Aug 2019
4 min read
Yesterday DoorDash, one of the leading last-mile logistics platforms in the US, announced that it has entered into a definitive agreement with Square, the payments company led by Jack Dorsey, to acquire Caviar for $410 million in cash.

https://twitter.com/DoorDash/status/1157020712462274560

The deal builds on the existing partnership between DoorDash and Square: DoorDash is already integrated with Square for Restaurants point-of-sale payments, which streamlines the acceptance of online and in-person orders for merchants.

DoorDash benefits from consolidated food delivery services

The acquisition helps DoorDash serve customers across more market segments. DoorDash competes directly with Uber’s food delivery arm, Uber Eats, with market leader GrubHub, and with similar apps. Caviar, however, is a far less accessible option, as it focuses mainly on high-end restaurants and commands a higher price per order than the standard food delivery platform. With Caviar joining DoorDash, the latter should be able to cover a broader range of restaurants than its lower-cost existing platform has been able to serve.

Tony Xu, CEO of DoorDash, says, "Today's announcement is another important step forward on our mission to empower local economies. We have long-admired Caviar, which has a coveted brand, an exceptional portfolio of premium restaurants and leading technology. The acquisition further enhances the breadth of our merchant selection, enabling us to offer customers even more choice when they order through DoorDash. We look forward to welcoming the Caviar team to DoorDash and expanding our partnership with Square in the future."

DoorDash will also gain Caviar's technology and its team, who are passionate about the restaurant delivery experience for merchants, couriers and customers.
The Caviar team, including Caviar lead Gokul Rajaram, will join DoorDash once the acquisition, which is expected to close this year, is completed.

Square to focus more on its products

According to TechCrunch, the deal will allow Square to focus more on its own products for businesses and individuals. Square is a financial services, merchant services aggregator, and mobile payment company based in San Francisco. Jack Dorsey, CEO of Square, says, "We are increasing our focus on and investment in our two large, growing ecosystems—one for businesses and one for individuals. This transaction furthers that effort, and we believe partnering with DoorDash provides valuable and strategic opportunities for Square."

Caviar lead Gokul Rajaram says, "Caviar has built a trusted brand with customers and many of the best restaurants. DoorDash has national scale, complementary restaurant selection, a tremendous logistics platform, and a team that shares our passion and commitment to better serve restaurants, couriers, and customers. I'm incredibly excited to be joining, with the rest of the Caviar team, to help build the future of local commerce."

It is worth noting that Square has been trying to sell Caviar for the past three years. In 2016, Bloomberg reported that Square wanted to sell Caviar for $100 million but could not find a buyer; at the time, Square was reportedly in talks with Uber, Grubhub and Yelp.

DoorDash and Caviar coincidentally faced similar controversies

The Verge reports that DoorDash was recently embroiled in a controversy over its tipping policy, under which customer tips went to the company rather than to the contract delivery drivers. DoorDash had defended the practice, arguing that criticism of the policy's lack of transparency overlooked the fact that it typically paid drivers more per order than competing services.
However, the backlash grew significantly after an investigation by The New York Times earlier this month highlighted the chaotic, uncertain working conditions of New York City bike messengers largely working for companies like DoorDash. DoorDash agreed to change its tipping policy just a few days after the investigation was published. The company says it will now be made clear to both drivers and customers that any additional money offered through its app as a tip goes directly to the driver and is added on top of the base wage for any given delivery order.

Coincidentally, Caviar had a tipping controversy of its own, and Square was forced to settle a $2.2 million class-action lawsuit over the issue last year.

MacOS terminal emulator, iTerm2 3.3.0 is here with new Python scripting API, a scriptable status bar, Minimal theme, and more

Vincy Davis
02 Aug 2019
4 min read
Yesterday, the team behind iTerm2, the GPL-licensed terminal emulator for macOS, announced the release of iTerm2 3.3.0. It is a major release with many new features, such as a new Python scripting API, a new scriptable status bar, two new themes, and more. iTerm2 is the successor to iTerm and runs on macOS. It is an open source replacement for Apple's Terminal, is highly customizable, and comes with a lot of useful features.

Major highlights in iTerm2 3.3.0

A new Python scripting API that can control iTerm2 and extend its behavior has been added. It allows users to write Python scripts easily, enabling extensive configuration and customization of iTerm2 3.3.0.

A new scriptable status bar has been added, with 13 built-in configurable components.

iTerm2 3.3.0 comes with two new themes. The first, called Minimal, reduces visual clutter. The second, called Compact, moves tabs into the title bar, saving space while maintaining the general appearance of a macOS app.

Other new features in iTerm2 3.3.0

The session, tab and window titles have been reworked to be more flexible and comprehensible. It is now possible to configure these titles separately and to select, per profile, what information they show. The titles are integrated with the new Python scripting API. Tab titles have new icons, which show either the running app or a fixed icon per profile.

A new toolbelt tool called ‘Actions’ has been introduced in iTerm2 3.3.0. It provides shortcuts to frequent actions, like sending a snippet of text.

A new utility, ‘it2git’, which allows the git status bar component to show git state on a remote host, has been added.

Support for crossed-out text (SGR 9) and for automatically restarting a session when it ends has also been added in iTerm2 3.3.0.
Other improvements in iTerm2 3.3.0

Many visual improvements.
Updated app icon.
Various pages of preferences have been rearranged to make them more visually appealing.
The password manager can be used to enter a password securely.
A new option to log Automatic Profile Switching messages to the scripting console has been added.
The performance of long scrollback history has been improved.

Users love the new features in the iTerm2 3.3.0 release, especially the new Python API, the scriptable status bar and the new Minimal mode.

https://twitter.com/lambdanerd/status/1157004396808552448
https://twitter.com/alloydwhitlock/status/1156962293760036865
https://twitter.com/josephcs/status/1157193431162036224
https://twitter.com/dump/status/1156900168127713280

A user on Hacker News comments, “First off, wow love the status bar idea.” Another user on Hacker News says, “Kudos to Mr. Nachman on continuing to develop a terrific piece of macOS software! I've been running the 3.3 betas for a while and some of the new functionality is really great. Exporting a recording of a terminal session from the "Instant Replay" panel is very handy!”

Some users are not impressed with the iTerm2 3.3.0 features and compare it with the Terminal app. A comment on Hacker News reads, “I like having options but wouldn’t recommend iTerm. Apple’s Terminal.app is more performant rendering text and more responsive to input while admittedly having somewhat less unnecessary features. In fact, iTerm is one of the slowest terminals out there! iTerm used to have a lot of really compelling stuff that was missing from the official terminal like tabs, etc that made straying away from the canonical terminal app worth it but most of them eventually made their way to Terminal.app so nowadays it’s mostly just fluff.”

For the full list of improvements in iTerm2 3.3.0, visit the iTerm2 changelog page.

Google Chrome to simplify URLs by hiding special-case subdomains

Bhagyashree R
02 Aug 2019
4 min read
Google’s decision to hide the special-case subdomains “www” and “m” in Chrome M69 received a huge public backlash last year, and the Chrome team rolled the change back. This Wednesday, however, the team announced that it plans to hide “https” and “www” in the Chrome omnibox on desktop and Android in M76. In other news, the team is splitting the HTTP cache to prevent side-channel leakage.

Chrome to hide https and www from URLs

The Chrome team says the change is meant to improve the “simplicity, usability, and security of UI surfaces.” The aim is to hide distractions and make URLs easier for users to read and understand. Emily Schechter, Product Manager, Chrome Security at Google, wrote on the Chromium issue tracker, “In Sept 2018, we rolled out a change to hide special-case subdomains “www” and “m”. Per my above message on this thread, we rolled back these changes, and announced our intent to re-ship an adjusted version: we will hide “www” but not “m”.” She added, “For several months, we’ve had this version enabled in our Canary, Dev and Beta channels and are confident that it is ready to be enabled in the Stable channel as well.”

The Chrome team, together with other browser representatives, has also added a “Simplify non-human-readable or irrelevant components” section to the URL standard. The section recommends that browsers omit components that can “provide opportunities for spoofing or distract from security-relevant information.”

The team has also built a Chrome extension named Suspicious Site Reporter, with which you can identify suspicious sites and report them to Safe Browsing. With this extension installed, users see the full URL with no scheme or subdomain hiding. You can also see the full URL by clicking twice in the URL bar on desktop, and once on mobile.
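The spoofing question that subdomain elision raises can be made concrete with a small model of the display rule. The code below is an added example, not Chromium's own code: displayHost applies the two rule sets the article mentions (M69 elided "www" and "m"; the re-shipped M76 version elides only "www"), and collisions reports which distinct hostnames end up rendered identically in the omnibox. The "keep at least two labels" guard is an assumption made for this model rather than Chrome's exact logic, and blogplatform.com and its subdomains are constructed names standing in for a platform that hands subdomains to its users.

```javascript
// Added example (not Chromium code): a model of the omnibox subdomain elision
// described above and of the hostname collisions it creates.

// Leading labels Chrome hides for display. M69 hid "www" and "m"; the
// re-shipped M76 version hides only "www".
const M69_RULES = ['www', 'm'];
const M76_RULES = ['www'];

// Returns the hostname as the omnibox would display it. The "keep at least two
// labels" guard is an assumption made for this model, not Chrome's exact rule.
function displayHost(hostname, elided = M76_RULES) {
  const labels = hostname.toLowerCase().split('.');
  if (labels.length > 2 && elided.includes(labels[0])) {
    labels.shift();
  }
  return labels.join('.');
}

// Groups hostnames that become indistinguishable once elided. Every group with
// more than one member is a set of distinct hosts (and so, potentially,
// distinct owners) that a user cannot tell apart from the address bar alone.
function collisions(hostnames, elided = M76_RULES) {
  const groups = new Map();
  for (const host of hostnames) {
    const shown = displayHost(host, elided);
    if (!groups.has(shown)) groups.set(shown, []);
    groups.get(shown).push(host.toLowerCase());
  }
  return [...groups.entries()]
    .filter(([, members]) => members.length > 1)
    .map(([shown, members]) => ({ shown, members }));
}

// Constructed hostnames for a hypothetical blog platform that hands out
// subdomains to its users; "m.blogplatform.com" is one such user subdomain.
const SAMPLE_HOSTS = ['blogplatform.com', 'www.blogplatform.com', 'm.blogplatform.com'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('M69 rules:', JSON.stringify(collisions(SAMPLE_HOSTS, M69_RULES)));
  console.log('M76 rules:', JSON.stringify(collisions(SAMPLE_HOSTS, M76_RULES)));
}
```

Under the M69 rules all three sample hosts display as blogplatform.com, so a user-registered m.blogplatform.com is indistinguishable from the platform's own homepage; under the M76 rules only www.blogplatform.com collapses onto the apex, which is the one case where the two names are almost always operated by the same party. That is the difference between the two rule sets as far as impersonation is concerned, and it is why the extension and the double-click reveal matter for anyone who needs to see the real host.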
What the public thinks about this change

Users have pretty mixed feelings about the update. While some think it is a step towards making Google a monopoly, others believe it does simplify URLs for non-technical users. Expressing their concern on Hacker News, a user said, “...these "improvements" in Chrome are meant to make google the defacto interface for using the web. Imagine a world where 99% of users do not have any concept of URLs or any other fundamental WWW concepts. Instead, they open Chrome type whatever they want and get the results.”

Some users also pointed out that the update could raise security concerns. “Let's assume that you have a blog platform offering subdomains for each user and 'm.blogplatform.com' is available. Now, any user can get that subdomain and impersonate the homepage because Emily from Chromium decided that eliding parts of the URL without any spec is a reasonable decision,” a user added.

Apple’s browser, Safari, likewise shows only the domain and a lock icon indicating the legitimacy of the website’s certificate. Since Apple did not receive this amount of backlash, some felt that the reaction to Chrome is really a symptom of people losing trust in big tech. A user commented, “...collective shrug when Apple hides the URL, but if Google does so we get huge outrage and assumptions that this must clearly be done primarily for malicious reasons.”

You can read the full conversation about this update on Chromium’s bug tracker.

Chrome to split the HTTP cache to prevent cross-origin leakage

Currently, the HTTP cache keys each entry by the resource URL alone, in a single bucket shared across all origins, so pages from different origins that load the same resource refer to the same cache entry. This enables a side-channel attack: a site can detect whether the user has visited another site by loading a resource that only the other site fetches and checking, for instance by timing the load, whether it was already in the cache.
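The probe just described, and the effect of partitioning the cache, can be modelled in a few lines. The code below is an added example, not Chromium's code: it simulates the HTTP cache as a set keyed either by URL alone (the shared bucket) or by top-frame origin plus URL (the partitioned scheme the Chrome team describes), with a fixed fast/slow "timing" standing in for what a real attacker would read from the Resource Timing API or performance.now() in a browser. The bank.example and attacker.example origins and the logged-in-only resource URL are constructed for the scenario.

```javascript
// Added example (not Chromium code): a toy HTTP cache keyed the old way and
// the partitioned way, driven through the cross-origin probe described above.

class HttpCache {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.entries = new Set();
  }

  // Cache key: URL only (one bucket shared by every origin), or top-frame
  // origin plus URL once the cache is partitioned.
  key(topFrameOrigin, url) {
    return this.partitioned ? `${topFrameOrigin} ${url}` : url;
  }

  // Simulated load of `url` from a page whose top frame is `topFrameOrigin`.
  // The ms value stands in for the timing an attacker would measure: a hit is
  // served quickly, a miss has to go to the network and is then cached.
  fetch(topFrameOrigin, url) {
    const k = this.key(topFrameOrigin, url);
    if (this.entries.has(k)) return { hit: true, ms: 2 };
    this.entries.add(k);
    return { hit: false, ms: 150 };
  }
}

// Attacker's decision rule: a load faster than the threshold is read as
// "already cached", i.e. the victim has visited the site that loads it.
function probe(cache, attackerOrigin, url, thresholdMs = 20) {
  return cache.fetch(attackerOrigin, url).ms < thresholdMs;
}

// Constructed scenario: the user visits bank.example while logged in, which
// caches a resource only logged-in pages load; later attacker.example probes
// that same URL. Returns true when the attacker can infer the visit.
function attackerLearnsVisit(partitioned) {
  const cache = new HttpCache({ partitioned });
  const victim = 'https://bank.example';
  const attacker = 'https://attacker.example';
  const resource = 'https://bank.example/static/logged-in-banner.png';

  cache.fetch(victim, resource);           // victim's own page load
  return probe(cache, attacker, resource); // attacker's timed load
}

// The probe itself fills the cache, so a second probe from the same attacker
// always hits: a real attacker gets one measurement per resource per partition.
function secondProbeHits(partitioned) {
  const cache = new HttpCache({ partitioned });
  const attacker = 'https://attacker.example';
  const resource = 'https://bank.example/static/logged-in-banner.png';
  probe(cache, attacker, resource);
  return probe(cache, attacker, resource);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('shared cache, attacker learns visit:', attackerLearnsVisit(false));
  console.log('partitioned cache, attacker learns visit:', attackerLearnsVisit(true));
}
```

With the shared bucket the attacker's load of the victim-only resource is a hit, so the visit leaks; with the partitioned key the same URL is a miss under attacker.example's partition and the probe learns nothing. Two caveats for anyone reproducing this in a browser: real timings are noisy and need repeated measurements or a calibrated threshold rather than a fixed 20 ms cut-off, and the key Chrome eventually shipped is built from the top-frame site (scheme plus registrable domain) and the frame site rather than the bare origin, which the model above does not distinguish.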
To prevent this attack, the Chrome team is planning to partition the HTTP cache by the origin of the page’s top frame, so that a resource cached while the user was on one site is not a cache hit when a different top-level site requests it. You can read more about this update on the Chrome Platform Status site.

Scroll Snapping and other cool CSS features come to Firefox 68

Fatema Patrawala
01 Aug 2019
2 min read
Yesterday, the Firefox team announced details of the new CSS features added to Firefox 68. Earlier this month they had announced the release of Firefox 68 with a bunch of CSS additions and changes. Let us take a look at each.

CSS Scroll Snapping

The update in Firefox 68 brings the Firefox implementation in line with Scroll Snap as implemented in Chrome and Safari. In addition, it removes the old properties which were part of the earlier Scroll Snap Points specification.

The ::marker pseudo-element

The ::marker pseudo-element selects the marker box of a list item, which typically contains the list bullet or a number. If you have ever used an image as a list bullet, or wrapped the text of a list item in a span in order to have different bullet and text colors, this pseudo-element is for you: with ::marker you can target the bullet itself. Only a few CSS properties may be used on ::marker; these include all font properties, so you can change the font size or family to be something different from the text.

Using ::marker on non-list items

A marker can only be shown on list items, but you can turn any element into a list item with display: list-item. The official blog post covers a detailed example with code showing how to do this. The ::marker pseudo-element is standardized in CSS Lists Level 3 and CSS Pseudo-elements Level 4, and is currently implemented in Firefox 68 and Safari.

CSS fixes in Firefox 68

Web developers suffer when a supported feature works differently in different browsers. These interoperability issues are often caused by the age of the web platform. Hence, many clarifications have been made to the CSS specifications, and developers depend on browsers updating their implementations to match the clarified spec. Firefox 68 ships fixes for the ch unit and for list numbering.
In addition to changes to the implementation of CSS in Firefox, Firefox 68 brings some great new additions to Developer Tools for working with CSS. Take a look at the Firefox 68 release notes for a full overview of all the changes and additions.

Equifax breach victims may not even get the promised $125; FTC urges them to opt for 10-year free credit monitoring services

Savia Lobo
01 Aug 2019
5 min read
When Equifax announced an up-to-$425 million global settlement with the FTC, under which users affected by its 2017 data breach can file a claim, the public response was overwhelming. The FTC says, “millions of people visited ftc.gov/Equifax and gone on to the settlement website’s claims form”. Under the settlement announced last month, consumers can claim free credit monitoring services or, alternatively, request a cash payment if they already have credit monitoring.

Yesterday, the FTC released a statement asking consumers to choose the ten years of free credit monitoring instead. Only those who certify that they already have credit monitoring are advised to claim up to $125. The FTC explains that this is because “the pot of money that pays for that part of the settlement is $31 million. A large number of claims for cash instead of credit monitoring means only one thing: each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.”

The FTC suggests consumers opt for the ten-year free monitoring because “the market value would be hundreds of dollars a year”. “it monitors your credit report at all three nationwide credit reporting agencies, and it comes with up to $1 million in identity theft insurance and individualized identity restoration services”, the FTC adds.

https://twitter.com/LauraSullivaNPR/status/1156617951245721601

The FTC is, in effect, trying to persuade consumers that ten years of free credit monitoring from a company with a lax security record is a better bet than claiming the low-risk but paltry $125.
At a time when users are looking to cut ties with the company, this makes one question whom the FTC is protecting: the people whose data was breached, or Equifax, whose irresponsible data and security practices exposed millions to risk.

https://twitter.com/ScottFeldman/status/1156639735063990272

The FTC says there is still money available; however, it is to “reimburse people for what they paid out of their pocket to recover from the breach. Say you had to pay for your own credit freezes after the breach, or you hired someone to help you deal with identity theft. The settlement has a larger pool of money for just those people. If you’re one of them, use your documents to submit your claim.” CNBC reports, “Equifax could not immediately be reached for comment.”

Many consumers are furious at the revised guidance, and surprised that only $31 million of the settlement is set aside for cash payments to the millions of people whose data was compromised. Andy Baio, a former CTO of Kickstarter, tweeted, “If any more than 248,000 people request cash settlements instead of credit monitoring, the payout starts shrinking. If a million people ask for cash, for example, the settlement goes down to $31.”

https://twitter.com/waxpancake/status/1154877051574214656

A user on Reddit asks how Equifax is “only being fined $31 million for exposing sensitive data of half the nations population? That’s less than $0.19 per person whose data was hacked”. Another user on Hacker News writes, “It seems absurd that they only need to allocate $31 million for "alternative payments" while the old CEO leaves with close to $20 million in bonuses, while the rest of the money in the settlement is basically reserved for them to pay themselves for their "free" credit monitoring.” He further adds, “This whole situation was a good opportunity to set a precedent for companies not taking data security seriously.
But they've instead shown everyone that you can really just ignore all of that and hope it's never discovered - even if it is, it's really just a light slap on the wrist. Combining this with the recent Facebook fine, it really makes me think that the FTC has become a complete joke.”

Another furious user wrote on Hacker News, “$31 million is a laughably small amount of money to set aside for direct settlements in the biggest hack in all of history. Add three zeroes to that, probably still not enough.” “I spent three days figuring out this nightmarish credit reporting system and helping friends and family place freezes, as well as educating them to avoid all the horrible dark patterns on Equifax's site. What I want is about $2000 and the ability to opt-out of them owning and reselling my personal data completely. I don't need credit monitoring, I don't need credit period anymore, why am I forced into accepting the unlimited risk of them owning all my data so that this private company can keep operating?”, the user added.

https://twitter.com/ryanlcooper/status/1156638207032692737

To know more about this news in detail, head over to the FTC’s official statement.

Cloud Next 2019 Tokyo: Google announces new security capabilities for enterprise users

Bhagyashree R
01 Aug 2019
3 min read
At its Cloud Next 2019 conference in Tokyo, Google unveiled new security capabilities coming to its enterprise products: G Suite Enterprise, Google Cloud, and Cloud Identity. These capabilities are intended to help enterprise customers protect their “users, data, and applications in the cloud.” Google is hosting the two-day event (July 31 to Aug 1) to showcase its cloud products. Among the key announcements are Advanced Protection Program support for enterprise products, rolling out soon; expanded availability of Titan Security Keys; improved anomaly detection in G Suite Enterprise; and more.

Advanced Protection Program for high-risk employees

The Advanced Protection Program was launched in 2017 to protect the personal Google accounts of users at high risk of online threats such as phishing. The program goes beyond traditional two-step verification by requiring a physical security key in addition to your password when signing in to your Google account. Because a FIDO security key signs a challenge that is bound to the origin of the site requesting it, a login captured on a look-alike domain is useless to the attacker, which is what makes the keys resistant to phishing in a way that one-time codes are not.

The program will be available in beta in the coming days for G Suite, Google Cloud Platform (GCP) and Cloud Identity customers. It will let enterprise admins enforce a set of security policies for employees at high risk of targeted attacks, such as IT administrators and business executives. The policies include requiring Fast Identity Online (FIDO) keys such as Titan Security Keys, automatically blocking access to non-trusted third-party apps, and enabling enhanced scanning of incoming emails.

Wider availability of Titan Security Keys

Seeing growing demand for Titan Security Keys in the US, Google has now expanded their availability to Canada, France, Japan, and the United Kingdom (UK). The keys are sold as a bundle of two, USB/NFC and Bluetooth, and can be used anywhere FIDO security keys are supported, including Coinbase, Dropbox, Facebook, GitHub, Salesforce, Stripe, Twitter, and more.
Anomalous activity alerts in G Suite

G Suite Enterprise and G Suite Enterprise for Education admins can now opt in to receive anomalous activity alerts in the G Suite alert center. G Suite uses machine learning to analyze security signals within Google Drive to detect potential security risks, including data exfiltration and policy violations when sharing and downloading files.

Google also announced that it will be rolling out support for password-vaulted apps in Cloud Identity. Karthik Lakshminarayanan and Vidya Nagarajan from the Google Cloud team wrote in a blog post, “The combination of standards-based- and password-vaulted app support will deliver one of the largest app catalogs in the industry, providing seamless one-click access for users and a single point of management, visibility, and control for admins.”

You can read the official announcement by Google to know more in detail.