Tech News
Facebook fails to fend off a lawsuit over data breach of nearly 30 million users

Bhagyashree R
25 Jun 2019
4 min read
Last week, an appellate court in San Francisco ruled against Facebook’s appeal to block a class-action lawsuit over the massive data breach it suffered last year. The breach affected nearly 30 million Facebook users. On September 25th last year, Facebook discovered a data breach caused by a vulnerability that had existed in its code between July 2017 and September 2018. The vulnerability “was the result of a complex interaction of three distinct software bugs.” These bugs were related to the “View As” feature, which lets users see what their profile looks like to another user. By exploiting this vulnerability, the attackers were able to steal users’ digital access tokens. These tokens let users access their profiles without having to log in every time they visit the site.

Facebook said the attackers were able to see everything in a user’s profile, although it was not sure whether they got access to private messages or whether any of that data was misused. In a call with reporters following the breach, Zuckerberg said, “So far our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts. But this, of course, may change as we learn more. The attackers used our APIs to access profile information fields like name, gender, hometown, etc. But we do not yet know if any private information was accessed that way.”

The class-action lawsuit alleges that Facebook violated user privacy

Following this incident, several Facebook users filed class-action complaints in a San Francisco appeals court, alleging that Facebook had failed to protect its users’ data. The lawsuit alleges that the vulnerability in Facebook’s code, together with its “grossly inadequate” security measures, has made the victims more prone to identity theft.

The lawsuit seeks to represent all people “who registered for Facebook accounts in the United States and whose PII (personally identifiable information) was accessed, compromised, or stolen from Facebook in the September 2018 data breach.” As a legal remedy, the plaintiffs are seeking statutory damages, penalties, punitive damages, and attorneys’ fees.

In response, Facebook appealed in March to block the lawsuit, arguing that some of the plaintiffs’ information was not “sensitive” because it was publicly available on their Facebook profiles, and that therefore no real harm had been done, since the attackers were not able to steal users’ financial information or passwords.

U.S. District Judge William Alsup dismissed Facebook’s appeal, saying, “The lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information.” He added, “Further, some of the information here was private, and plaintiff plausibly placed trust in Facebook to employ appropriate data security. From a policy standpoint, to hold that Facebook has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers’ personal data to turn a blind eye and ignore known security risks.’”

This is not the only instance where Facebook has shown negligence towards personal data. Earlier this month, during a pretrial hearing, Facebook argued that it didn’t violate users’ privacy rights because there is no expectation of privacy when using social media. Recently Aaron Greenspan, the founder of Think Computer Corporation, claimed that Mark Zuckerberg does not really believe in the concept of personal data, as Facebook has committed securities fraud on a number of occasions in an incredibly blatant manner.

This is one of many lawsuits against Facebook. Earlier this month, the Austrian Supreme Court overturned Facebook’s appeal to block a lawsuit against it for not complying with Europe’s General Data Protection Regulation (GDPR). Regarding its alleged involvement in the Cambridge Analytica case, the social media giant is also preparing to pay a fine of up to $5 billion. You can read the lawsuit for more details.
How Verizon and a BGP Optimizer caused a major internet outage affecting Amazon, Facebook, CloudFlare among others

Savia Lobo
25 Jun 2019
5 min read
Yesterday, many parts of the Internet faced an unprecedented outage as Verizon, the popular Internet transit provider, accidentally rerouted IP packets after it wrongly accepted a network misconfiguration from a small ISP in Pennsylvania, USA. According to The Register, “systems around the planet were automatically updated, and connections destined for Facebook, Cloudflare, and others, ended up going through DQE and Allegheny, which buckled under the strain, causing traffic to disappear into a black hole”.

According to Cloudflare, “What exacerbated the problem today was the involvement of a “BGP Optimizer” product from Noction. This product has a feature that splits up received IP prefixes into smaller, contributing parts (called more-specifics). For example, our own IPv4 route 104.20.0.0/20 was turned into 104.20.0.0/21 and 104.20.8.0/21”.

Many Google users were unable to access the web using the Google browser. Some users say Google Calendar went down too. Amazon users were also unable to use some services such as Amazon Books, as they were unable to reach the site.

[Images: Downdetector outage reports for the affected services]

In another incident, on June 6, more than 70,000 BGP routes were leaked from Swiss colocation company Safe Host to China Telecom in Frankfurt, Germany, which then announced them on the global internet. “This resulted in a massive rerouting of internet traffic via China Telecom systems in Europe, disrupting connectivity for netizens: a lot of data that should have gone to European cellular networks was instead piped to China Telecom-controlled boxes”, The Register reports.

BGP amplified the blunder in this outage

The Internet is made up of networks called Autonomous Systems (AS), and each of these networks has a unique identifier, called an AS number. All these networks are interconnected using the Border Gateway Protocol (BGP), which joins them together and enables traffic to travel, for example, from an ISP to a popular website at a far-off location.

[Image: Cloudflare’s diagram of networks interconnected by BGP]

With the help of BGP, networks exchange route information that can either be specific, similar to finding a specific city on your GPS, or very general, like pointing your GPS to a state.

DQE Communications (AS33154), an Internet Service Provider in Pennsylvania, was using a BGP optimizer in its network. It announced these more-specific routes to its customer, Allegheny Technologies Inc (AS396531), a steel company based in Pittsburgh. All of this routing information was sent to Verizon (AS701), which accepted it and passed it on to the world. “Verizon’s lack of filtering turned this into a major incident that affected many Internet services”, Cloudflare writes. “What this means is that suddenly Verizon, Allegheny, and DQE had to deal with a stampede of Internet users trying to access those services through their network. None of these networks were suitably equipped to deal with this drastic increase in traffic, causing disruption in service.”

Job Snijders, an internet architect for NTT Communications, wrote on a network operators’ mailing list, “While it is easy to point at the alleged BGP optimizer as the root cause, I do think we now have observed a cascading catastrophic failure both in process and technologies.”

https://twitter.com/bgpmon/status/1143149817473847296

Cloudflare’s CTO Graham-Cumming told El Reg’s Richard Speed, "A customer of Verizon in the US started announcing essentially that a very large amount of the internet belonged to them. For reasons that are a bit hard to understand, Verizon decided to pass that on to the rest of the world." He added, "but normally [a large ISP like Verizon] would filter it out if some small provider said they own the internet".

“If Verizon had used RPKI, they would have seen that the advertised routes were not valid, and the routes could have been automatically dropped by the router”, Cloudflare said.

https://twitter.com/eastdakota/status/1143182575680143361
https://twitter.com/atoonk/status/1143139749915320321

Rerouting of this kind is highly dangerous, because criminals, hackers, or government spies sitting on the new path could capture the diverted traffic. It undermines users’ trust in the network, as their data can be exposed to surveillance, disruption, and financial theft.

Cloudflare was badly affected by this outage. “It is unfortunate that while we tried both e-mail and phone calls to reach out to Verizon, at the time of writing this article (over 8 hours after the incident), we have not heard back from them, nor are we aware of them taking action to resolve the issue”, the company said in its blog post.

One of the users commented, “BGP needs a SERIOUS revamp with Security 101 in mind.....RPKI + ROA's is 100% needed and the ISPs need to stop being CHEAP. Either build it by Federal Requirement, at least in the Nation States that take their internet traffic as Citizen private data or do it as Internet 3.0 cause 2.0 flaked! Either way, "Path Validation" is another component of BGP that should be looked at but honestly, that is going to slow path selection down and to instrument it at a scale where the internet would benefit = not worth it and won't happen. SMH largest internet GAP = BGP "accidental" hijacks”

Verizon, in a statement to The Register, said, "There was an intermittent disruption in internet service for some [Verizon] FiOS customers earlier this morning. Our engineers resolved the issue around 9 am ET."

https://twitter.com/atoonk/status/1143145626516914176

To know more about this news in detail, head over to Cloudflare’s blog.
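As an added illustration of the two points Cloudflare makes above (the optimizer splitting a received prefix into more-specifics, and RPKI letting a router recognise that such routes are not valid and drop them), here is a small Python model of RFC 6811 route origin validation. This is example code written for this page, not Cloudflare’s, Noction’s or Verizon’s. The ROA table is constructed: the covered prefix 104.20.0.0/20 and the ASNs of DQE (33154), Allegheny (396531) and Verizon (701) come from the article, while Cloudflare’s own origin ASN (13335) and the assumption that DQE’s ASN appeared as origin on the leaked routes are mine, and 203.0.113.0/24 with AS64496 are documentation values.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ROA(NamedTuple):
    """Route Origin Authorization: origin_as may announce `prefix` and any
    more-specific of it whose length is at most `max_length`."""
    prefix: IPNetwork
    max_length: int
    origin_as: int


def make_roa(prefix: str, max_length: int, origin_as: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, origin_as)


# Constructed ROA table for the example. 104.20.0.0/20 and the ASNs of DQE
# (33154), Allegheny (396531) and Verizon (701) are from the article;
# Cloudflare's own origin ASN is not given there, so 13335 is assumed.
ASSUMED_CLOUDFLARE_AS = 13335
ROAS = [make_roa("104.20.0.0/20", 20, ASSUMED_CLOUDFLARE_AS)]


def split_more_specifics(prefix: str) -> List[str]:
    """What the article says the BGP optimizer did: split a received prefix
    into its two more-specific halves, e.g. a /20 into two /21s."""
    net = ipaddress.ip_network(prefix)
    return [str(sub) for sub in net.subnets(prefixlen_diff=1)]


def validate_origin(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 route origin validation of one announcement.

    NotFound: no ROA covers the prefix, so RPKI says nothing about it.
    Valid:    some covering ROA names this origin AS and the announced
              prefix is no longer than that ROA's max_length.
    Invalid:  covering ROAs exist but none of them matches.
    """
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def filter_announcements(announcements: Iterable[Tuple[str, int]],
                         roas: Iterable[ROA]) -> List[Tuple[str, int]]:
    """The filter the article says Verizon lacked: drop every announcement
    that origin validation marks Invalid; Valid and NotFound are accepted."""
    roas = list(roas)
    return [(p, asn) for p, asn in announcements
            if validate_origin(p, asn, roas) != "Invalid"]


if __name__ == "__main__":
    # The leaked routes: the two /21 halves of Cloudflare's /20, announced with
    # DQE's ASN as origin (an assumption; the article does not say which ASN
    # appeared as origin on the leaked paths).
    leaked = [(p, 33154) for p in split_more_specifics("104.20.0.0/20")]
    for prefix, asn in leaked:
        print(prefix, "from AS%d:" % asn, validate_origin(prefix, asn, ROAS))
    # A prefix without any ROA is NotFound, which origin validation does not drop.
    print("203.0.113.0/24 from AS64496:",
          validate_origin("203.0.113.0/24", 64496, ROAS))
    print("accepted:", filter_announcements(leaked + [("203.0.113.0/24", 64496)], ROAS))
```

Two behaviours worth noticing: the /21 more-specifics are Invalid even when announced by the legitimate origin, because the ROA’s maxLength is 20, so a transit provider applying this check would have dropped the optimizer-generated routes regardless of who originated them; and a prefix with no ROA at all is NotFound, not Invalid, so origin validation only protects address space whose holders have published ROAs.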
CMU and Google researchers present XLNet: a new pre-training method for language modeling that outperforms BERT on 20 tasks

Amrata Joshi
25 Jun 2019
7 min read
Last week, Carnegie Mellon University (CMU) and Google researchers presented a paper, XLNet: Generalized Autoregressive Pretraining for Language Understanding, which focuses on the XLNet model.

https://twitter.com/quocleix/status/1141511813709717504

In this paper, the researchers explain XLNet and how it uses a permutation language modeling objective to combine the advantages of AR and AE methods. The researchers compared XLNet with BERT and showed, with examples, that XLNet surpasses BERT on 20 tasks using the RACE, SQuAD and GLUE datasets.

What is the need for XLNet

Among unsupervised pre-training objectives, autoregressive (AR) language modeling and autoencoding (AE) have been the two most successful. AR language modeling estimates the probability distribution of a text corpus with an autoregressive model. Such a language model is only trained to encode a uni-directional context and is not effective at modeling deep bidirectional contexts. But downstream language understanding tasks usually need bidirectional context information, which leaves a gap between AR language modeling and effective pretraining.

In contrast, AE-based pretraining does not perform density estimation; instead it reconstructs the original data from a corrupted input. As density estimation is not part of the objective, BERT can use bidirectional contexts for reconstruction, which closes the bidirectional information gap of AR language modeling and improves performance. BERT (Bidirectional Encoder Representations from Transformers) achieves better performance than pretraining approaches based on autoregressive language modeling. But it relies on corrupting the input with masks, neglects the dependency between the masked positions, and suffers from a pretrain-finetune discrepancy.

Considering these pros and cons, the researchers from CMU and Google proposed XLNet, a generalized autoregressive pretraining method that: (1) enables learning bidirectional contexts by maximizing the expected likelihood over all permutations of the factorization order, and (2) overcomes the limitations of BERT thanks to its autoregressive formulation. XLNet also integrates ideas from Transformer-XL, the state-of-the-art autoregressive model, into pretraining. It outperforms BERT on 20 tasks, usually by a large margin, and achieves state-of-the-art results on 18 tasks, including question answering, sentiment analysis, natural language inference, and document ranking. The researchers observed that naively applying a Transformer(-XL) architecture to permutation-based language modeling does not work, because the factorization order is random and the target is ambiguous. To solve this, they proposed reparameterizing the Transformer(-XL) network to remove the ambiguity.

https://twitter.com/rsalakhu/status/1141539269565132800?s=19

XLNet comparison with BERT

Comparing with BERT, the researchers note that both BERT and XLNet perform partial prediction, meaning they predict only a subset of the tokens in the sequence. This is necessary for BERT because if all tokens were masked it would be impossible to make any meaningful prediction. Partial prediction also reduces optimization difficulty for both BERT and XLNet, since only tokens with sufficient context are predicted. XLNet improves the architectural design for pretraining and improves performance on tasks involving longer text sequences. XLNet does not rely on data corruption, so it does not suffer from the pretrain-finetune discrepancy that BERT does. The autoregressive objective provides a natural way to use the product rule to factorize the joint probability of the predicted tokens, which eliminates the independence assumption made in BERT.

XLNet maximizes the expected log likelihood of a sequence with respect to all possible permutations of the factorization order, instead of using a fixed forward or backward factorization order. According to the researchers, given a text sequence x = [x1, ..., xT], “BERT factorizes the joint conditional probability p(x̄ | x̂) based on an independence assumption that all masked tokens x̄ are separately reconstructed”. The researchers call this the independence assumption, and according to them it prevents BERT from modeling the dependency between targets.

The researchers explain the difference between XLNet and BERT with an example: “Let’s consider a concrete example [New, York, is, a, city]. Suppose both BERT and XLNet select the two tokens [New, York] as the prediction targets and maximize log p(New York | is a city). Also suppose that XLNet samples the factorization order [is, a, city, New, York]. In this case, BERT and XLNet respectively reduce to the following objectives: JBERT = log p(New | is a city) + log p(York | is a city), JXLNet = log p(New | is a city) + log p(York | New, is a city). Notice that XLNet is able to capture the dependency between the pair (New, York), which is omitted by BERT.” In this example BERT still learns some dependency pairs, such as (New, city) and (York, city), but the researchers conclude that XLNet always learns more dependency pairs given the same targets and so contains “denser” effective training signals, which is what delivers the better performance.

XLNet comparison with language models

According to the researchers, a standard AR language model like GPT (GUID Partition Table) is only able to cover the dependency (x = York, U = {New}) but not (x = New, U = {York}). XLNet, on the other hand, covers both in expectation over all factorization orders. This limitation of AR language modeling can be a critical issue in real-world applications. The researchers concluded that AR language modeling cannot cover that dependency, whereas XLNet covers all dependencies in expectation. There has always been a gap between language modeling and pretraining because of the missing capability of bidirectional context modeling, but XLNet generalizes language modeling and bridges that gap.

Implementation and conclusion

The researchers used BooksCorpus and English Wikipedia as part of their pre-training data, 13GB of plain text combined. They experimented on four datasets: RACE, SQuAD, ClueWeb09-B, and GLUE. They further studied three major aspects: “The effectiveness of the permutation language modeling objective, especially compared to the denoising auto-encoding objective used by BERT. The importance of using Transformer-XL as the backbone neural architecture and employing segment-level recurrence (i.e. using memory). The necessity of some implementation details including span-based prediction, the bidirectional input pipeline, and next-sentence prediction.”

The researchers conclude that XLNet is a generalized AR pre-training method that uses a permutation language modeling objective to combine the advantages of AR and AE methods. According to them, XLNet’s neural architecture is developed to work seamlessly with the AR objective and integrates Transformer-XL. It also achieves state-of-the-art results on various tasks. The paper reads, “In the future, we envision applications of XLNet to a wider set of tasks such as vision and reinforcement learning.”

Many users seem excited about this news and think it can get even better. One user commented on Reddit, “The authors are currently trying to see the text generation capability of XLNet. If they confirm that it's on par with left-to-right model (hence better than BERT), then their work would be even more impressive.” A few others think it would be better if the researchers used more diverse datasets for experimentation. Another user commented, “The result seems to me as if the substantial improvement in this setting is coming mostly from the use of Transformer-XL (i.e. larger context size). Probably using more data and greater context size (and more diverse dataset) is far more important than doing anything else proposed in the paper.” Many others are excited about this research and think that XLNet is better than BERT.

https://twitter.com/eturner303/status/1143174828804857856
https://twitter.com/ST4Good/status/1143182779460608001
https://twitter.com/alex_conneau/status/1141489936022953984

To know more, check out the paper XLNet: Generalized Autoregressive Pretraining for Language Understanding.
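The two objectives the article quotes, written out as an added worked derivation (this is an editorial addition, not text from the article or the paper as quoted here). The notation follows the paper’s: $\mathbf{x} = [x_1, \dots, x_T]$ is the sequence, $\hat{\mathbf{x}}$ the corrupted (masked) input and $\bar{\mathbf{x}}$ the masked tokens, $m_t = 1$ when $x_t$ is masked, $\mathcal{Z}_T$ the set of all permutations of $[1, \dots, T]$, and for a permutation $\mathbf{z}$, $z_t$ is its $t$-th element and $\mathbf{z}_{<t}$ its first $t-1$ elements.

BERT’s objective, with the independence assumption that each masked token is reconstructed separately from the corrupted input:

$$
\max_{\theta}\ \log p_\theta(\bar{\mathbf{x}} \mid \hat{\mathbf{x}})
\;\approx\; \sum_{t=1}^{T} m_t \,\log p_\theta(x_t \mid \hat{\mathbf{x}})
$$

XLNet’s permutation language modeling objective, an expectation over factorization orders of an ordinary autoregressive likelihood, so the product rule applies and no independence assumption is needed:

$$
\max_{\theta}\ \mathbb{E}_{\mathbf{z} \sim \mathcal{Z}_T}\left[\sum_{t=1}^{T} \log p_\theta\!\left(x_{z_t} \mid \mathbf{x}_{\mathbf{z}_{<t}}\right)\right]
$$

For the article’s instance $\mathbf{x} = [\text{New}, \text{York}, \text{is}, \text{a}, \text{city}]$ with targets $\{\text{New}, \text{York}\}$ and the sampled order $\mathbf{z} = [\text{is}, \text{a}, \text{city}, \text{New}, \text{York}]$, i.e. $\mathbf{z} = (3, 4, 5, 1, 2)$, partial prediction keeps only the terms for the target positions $t = 4, 5$:

$$
\mathcal{J}_{\text{XLNet}}
= \log p(\text{New} \mid \text{is, a, city})
+ \log p(\text{York} \mid \text{New, is, a, city})
$$

$$
\mathcal{J}_{\text{BERT}}
= \log p(\text{New} \mid \text{is, a, city})
+ \log p(\text{York} \mid \text{is, a, city})
$$

Taking the expectation over $\mathcal{Z}_T$, the orders that place New before York contribute the term $\log p(\text{York} \mid \text{New}, \dots)$ and the remaining orders contribute $\log p(\text{New} \mid \text{York}, \dots)$, so XLNet covers both directions of the (New, York) dependency in expectation. A fixed left-to-right AR model only ever sees $\log p(\text{York} \mid \text{New}, \dots)$, and BERT, under its independence assumption, sees neither, which is the gap the article describes.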
Bipartisan US legislators introduce the Dashboard act to force big tech to disclose their user data monetization practices

Sugandha Lahoti
25 Jun 2019
4 min read
Bipartisan Senators Mark Warner and Josh Hawley introduced a new bill on Monday that requires Facebook, Google, Amazon and other major platforms to disclose the value of their users’ data. Called the DASHBOARD Act (Designing Accounting Safeguards to Help Broader Oversight and Regulations on Data), it would force companies (services with 100M active users) to regularly disclose to consumers the ways in which their data is being used, the third parties it is being shared with, and what their data is worth to the platform. The companies would have to assess the data’s value once every 90 days and file an annual report with the Securities and Exchange Commission.

https://twitter.com/SenHawleyPress/status/1143177612786880519

The use of personal data for monetization by tech companies has been a bone of contention for governments and activists. Consumers lack the transparency needed to fully understand the terms of the exchange and decide for themselves whether they are getting a fair deal from the platforms that monetize their data. This is a major obstacle for agencies like the Federal Trade Commission (FTC) seeking to address competitive and consumer harms. “For years, social media companies have told consumers that their products are free to the user. But that’s not true — you are paying with your data instead of your wallet,” Warner said in a statement. “But the overall lack of transparency and disclosure in this market have made it impossible for users to know what they’re giving up, who else their data is being shared with, or what it’s worth to the platform,” he added.

The bill proposes the following:

- Require commercial data operators (defined as services with over 100 million monthly users) to disclose the types of data collected, and to regularly provide their users with an assessment of the value of that data.
- Require commercial data operators to file an annual report on the aggregate value of the user data they have collected, as well as on contracts with third parties involving data collection.
- Require commercial data operators to allow users to delete all, or individual fields of, the data collected, and to disclose to users all the ways in which their data is being used.
- Empower the SEC (Securities and Exchange Commission) to develop methodologies for calculating data value, while encouraging the agency to give businesses the flexibility to adopt methodologies that reflect different uses, sectors, and business models.

With this bill, the senators want to serve three goals: consumers will be able to determine the true value of the data they provide to platforms; making that value transparent could increase competition by attracting competitors to the market; and disclosing the economic value of consumer data will help antitrust enforcers identify unfair and anti-competitive transactions and practices.

Public opinion on the bill was appreciative, with people calling it the right move to protect user data.

https://twitter.com/davidshepardson/status/1142936991790768128
https://twitter.com/profcarroll/status/1142975892442025985

However, some find it insufficient. Lindsey Barrett, a staff attorney at Georgetown Law’s Institute for Public Representation Communications and Technology Clinic, noted that greater transparency might not change tech companies’ practices.

https://twitter.com/LAM_Barrett/status/1142942803716182016

She also questioned how people are to marshal the information this bill would give them into better decision-making.

https://twitter.com/LAM_Barrett/status/1143169637732904960

ITIF also argues that Hawley gets “paying” with data wrong.

https://twitter.com/ITIFdc/status/1143194101204094977

Before the DASHBOARD Act, Senator Hawley introduced the Do Not Track Act last month. The Do Not Track Act would prohibit web companies from collecting more data than they need to operate their services. Per the act, “first parties” (sites users intentionally visit, like Amazon or Google’s search engine) would be prohibited from collecting or sharing data for ad targeting when they encounter users who have activated do-not-track. The act is modeled after the Federal Trade Commission’s (FTC) “Do Not Call” list and would allow users to opt out of non-essential data collection. The bill has been introduced in Congress and is up for consideration by the Senate.

Last month, DuckDuckGo, the browser known for its privacy protection policies, also proposed draft legislation that would require sites to respect the Do Not Track browser setting. In March, presidential candidate Elizabeth Warren also proposed regulating “big tech companies” by breaking up Google and Facebook.

A section-by-section summary of the DASHBOARD Act is available here. Bill text is available here.
Elixir 1.9 is now out with built-in ‘releases’, a new streamlined configuration API, and more

Bhagyashree R
25 Jun 2019
4 min read
After releasing Elixir 1.8 in January, the team behind Elixir announced the release of Elixir 1.9 yesterday. It comes with a new ‘releases’ feature, the Config API for streamlined configuration, and many other enhancements and bug fixes. Elixir is a functional, concurrent, general-purpose programming language that runs on the Erlang VM.

Releases, a single unit for code and the runtime

Releases are the most important feature to land in this version. A release is a “self-contained directory” that encapsulates not only your application code and its dependencies but also the whole Erlang VM and runtime. In other words, it lets you precompile and package your code and runtime as a single unit. You can then deploy that unit to a target running the same OS distribution and version as the machine that ran the ‘mix release’ command. Some of the benefits releases provide:

- Code preloading: releases run in embedded mode, which loads all modules beforehand, so the system is ready to handle requests right after booting.
- Configuration and customization: “fine-grained control” over system configuration and the VM flags used to start the system.
- Multiple releases: different releases of the same application can be assembled with different configurations.
- Management scripts: scripts to start, restart, connect to the running system remotely, execute RPC calls, run in daemon mode, run in Windows service mode, and more.

Releases are also the last planned feature for Elixir; the team is not planning to add any other user-facing feature in the near future. The Elixir team shared in the announcement, “Of course, it does not mean that v1.9 is the last Elixir version. We will continue shipping new releases every 6 months with enhancements, bug fixes, and improvements.”

A streamlined configuration API

This version streamlines Elixir’s configuration API in the form of a new ‘Config’ module. Previously, the ‘Mix.Config’ configuration API was part of the Mix build tool. Starting with Elixir 1.9, runtime configuration is handled by releases, and since Mix is not included in a release, the API has been moved into Elixir itself. “In other words, ‘use Mix.Config’ has been soft-deprecated in favor of import Config,” the announcement reads. Another notable change is that, starting from this release, the ‘mix new’ command no longer generates a ‘config/config.exs’ file. ‘mix new --umbrella’ also no longer generates a configuration for each child app, as configuration has moved from the individual umbrella applications to the root of the umbrella.

Many developers are excited about the releases support. One user praised the feature, saying, “Even without the compilation and configuration stuff, it's easier to put the release bundle in something basic like an alpine image, rather than keep docker image versions and app in sync.” However, as many of them currently rely on the Distillery tool for deployment, they have reservations about using releases, which lack some of the features Distillery provides. “Elixir's `mix release` is intended to replace (or remove the need for) third-party packages like Distillery. However, it's not there yet, and Distillery is strictly more powerful at the moment. Notably, Elixir's release implementation does not support hot code upgrades. I use upgrades all the time, and won't be trying out Elixir's releases until this shortcoming is addressed,” a Hacker News user commented.

Public opinion on Twitter was also positive:

https://twitter.com/C3rvajz/status/1140351455691444225
https://twitter.com/rrrene/status/1143443465549897733
Amazon adds UDP load balancing support for Network Load Balancer

Vincy Davis
25 Jun 2019
3 min read
Yesterday, Amazon announced support for load balancing UDP traffic on Network Load Balancers, which will enable it to deploy connectionless services for online gaming, IoT, streaming, media transfer, and native UDP applications. This has been a long requested feature by Amazon customers. The Network Load Balancer is designed to handle tens of millions of requests per second while maintaining high throughput at ultra low latency, with no effort on the users part. UDP load balancing will give users the liberty to no longer maintain a fleet of proxy servers to ingest UDP traffic, and instead use the same load balancer for both TCP and UDP traffic. Hence simplifying the network architecture, reducing users cost and scalability. Supported Targets UDP on Network Load Balancers is supported for Instance target types only. It does not support IP target types and PrivateLink. Health Checks Health checks must be done using TCP, HTTP, or HTTPS. Users can check on the health of a service by clicking override and specifying a health check on the selected port. Users can then run a custom implementation of Syslog that stores the log messages centrally and in a highly durable form. Multiple Protocols A single Network Load Balancer can handle both TCP and UDP traffic. In situations like DNS, when support of TCP and UDP is both needed on the same port, user can set up a multi-protocol target group and a multi-protocol listener. New CloudWatch Metrics The existing CloudWatch metrics (ProcessedBytes, ActiveFlowCount, and NewFlowCount) can  now represent the aggregate traffic processed by the TCP, UDP, and TLS listeners on the given Network Load Balancer. Users who host DNS, SIP, SNMP, Syslog, RADIUS and other UDP services in their own data centers can now move their services to AWS. It is also possible to deploy services to handle Authentication, Authorization, and Accounting, often known as AAA. 
Earlier this year, Amazon launched TLS termination support for Network Load Balancer. It simplifies building secure web applications by letting users make use of TLS connections that terminate at a Network Load Balancer.

Users are delighted with Amazon’s support for load balancing UDP traffic.

https://twitter.com/cgswong/status/1143312489360183296

A user on Hacker News comments, “This is a Big Deal because it enables support for QUIC, which is now being standardized as HTTP/3. To work around the TCP head of line blocking problem (among others) QUIC uses UDP. QUIC does some incredible patching over legacy decisions in the TCP and IP stack to make things faster, more reliable, especially on mobile networks, and more secure.”

Another comment reads, “This is great news, and something I’ve been requesting for years. I manage an IoT backend based on CoAP, which is typically UDP-based. I’ve looked at Nginx support for UDP, but a managed load balancer is much more appealing.”

Some users see this as Amazon’s way of preparing HTTP/3 support for the future.

https://twitter.com/atechiethought/status/1143240391870832640

Another user on Hacker News wrote, “Nice! I wonder if this is a preparatory step for future quick/http3 support?”

For details on how to create a UDP Network Load Balancer, head over to Amazon’s official blog.

Now there is a Deepfake that can animate your face with just your voice and a picture using temporal GANs

Savia Lobo
24 Jun 2019
6 min read
Last week, researchers from Imperial College London and Samsung’s AI research center in the UK revealed how deepfakes can be used to generate a singing or talking video portrait from a still image of a person and an audio clip containing speech. In their paper, “Realistic Speech-Driven Facial Animation with GANs”, the researchers use a temporal GAN with three discriminators focused on achieving detailed frames, audio-visual synchronization, and realistic expressions.

Source: arxiv.org

“The generated videos are evaluated based on sharpness, reconstruction quality, lip-reading accuracy, synchronization as well as their ability to generate natural blinks”, the researchers mention in their paper.

https://youtu.be/9Ctm4rTdVTU

The researchers used the GRID, TCD TIMIT, CREMA-D and LRW datasets. The GRID dataset has 33 speakers each uttering 1000 short phrases, each containing 6 words randomly chosen from a limited dictionary. The TCD TIMIT dataset has 59 speakers uttering approximately 100 phonetically rich sentences each. The CREMA-D dataset includes 91 actors from a variety of age groups and races, each uttering 12 sentences; each sentence is acted out multiple times for different emotions and intensities. The researchers used the recommended data split for the TCD TIMIT dataset but excluded some of the test speakers and used them as a validation set. They performed data augmentation on the training set by mirroring the videos.

Metrics used to assess the quality of generated videos
The researchers evaluated the videos using traditional image reconstruction and sharpness metrics. These metrics can be used to determine frame quality; however, they fail to reflect other important aspects of the video such as audio-visual synchrony and the realism of facial expressions. Hence they also proposed alternative methods capable of capturing these aspects of the generated videos.
Reconstruction Metrics
This method uses common reconstruction metrics such as the peak signal-to-noise ratio (PSNR) and the structural similarity (SSIM) index to evaluate the generated videos. However, the researchers note that “reconstruction metrics will penalize videos for any facial expression that does not match those in the ground truth videos”.

Sharpness Metrics
Frame sharpness is evaluated using the cumulative probability blur detection (CPBD) measure, which determines blur based on the presence of edges in the image. For this metric, as for the reconstruction metrics, larger values imply better quality.

Content Metrics
The content of the videos is evaluated based on how well the video captures the identity of the target and on the accuracy of the spoken words. The researchers verified the identity of the speaker using the average content distance (ACD), which measures the average Euclidean distance between the representation of the still image, obtained using OpenFace, and the representations of the generated frames. The accuracy of the spoken message is measured using the word error rate (WER) achieved by a pre-trained lip-reading model. They used the LipNet model, which exceeds the performance of human lip-readers on the GRID dataset. For both content metrics, lower values indicate better accuracy.

Audio-Visual Synchrony Metrics
Synchrony is quantified as in Joon Son Chung and Andrew Zisserman’s “Out of time: automated lip sync in the wild”. In this work Chung et al. propose the SyncNet network, which calculates the Euclidean distance between the audio and video encodings on small (0.2 second) sections of the video. The audio-visual offset is obtained by using a sliding window approach to find where the distance is minimized. The offset is measured in frames and is positive when the audio leads the video. For audio and video pairs that correspond to the same content, the distance will increase on either side of the point where the minimum distance occurs. However, for uncorrelated audio and video, the distance is expected to be stable. Based on this fluctuation they further propose using the difference between the minimum and the median of the Euclidean distances as an audio-visual (AV) confidence score which determines the audio-visual correlation. Higher scores indicate a stronger correlation, whereas confidence scores smaller than 0.5 indicate that

Limitations and the possible misuse of Deepfake
The limitation of this new deepfake method is that it only works for well-aligned frontal faces. “The natural progression of this work will be to produce videos that simulate in wild conditions”, the researchers mention.

While this research appears to be the next milestone for GANs in generating videos from still photos, it may also be misused to spread misinformation by morphing video content from any still photograph. Recently, at a House Intelligence Committee hearing, top House Democrat Rep. Adam Schiff (D-CA) warned on Thursday that deepfake videos could have a disastrous effect on the 2020 election cycle. “Now is the time for social media companies to put in place policies to protect users from this kind of misinformation not in 2021 after viral deepfakes have polluted the 2020 elections,” Schiff said. “By then it will be too late.”

The hearing came only a few weeks after a real-life instance of a doctored political video, where footage was edited to make House Speaker Nancy Pelosi appear drunk, spread widely on social media. “Every platform responded to the video differently, with YouTube removing the content, Facebook leaving it up while directing users to coverage debunking it, and Twitter simply letting it stand,” The Verge reports. YouTube took the video down; however, Facebook refused to remove the video. Neil Potts, Public Policy Director of Facebook, had stated that if someone posted a doctored video of Zuckerberg, like the one of Pelosi, it would stay up.
After this, on June 11, a fake video of Mark Zuckerberg was posted on Instagram under the username bill_posters_uk. In the video, Zuckerberg appears to give a threatening speech about the power of Facebook.

https://twitter.com/motherboard/status/1138536366969688064

Omer Ben-Ami, one of the founders of Canny, says that the video was made to educate the public on the uses of AI and to make them realize its potential. Though the Zuckerberg video was meant to retain the educational value of deepfakes, it shows how the technique can be misused. Although some users say it has interesting applications, many are concerned that the chances of this software being misused outweigh the chances of it being put to good use.

https://twitter.com/timkmak/status/1141784420090863616

A user commented on Reddit, “It has some really cool applications though. For example in your favorite voice acted video game, if all of the characters lips would be in sync with the vocals no matter what language you are playing the game in, without spending tons of money having animators animate the characters for every vocalization.”

To know more about this new deepfake, read the official research paper.
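The audio-visual offset and AV confidence score from the synchrony metrics section of this article, as an added example that is not the paper's or SyncNet's code. It assumes that each clip is cut into 0.2 s windows, that the audio and video encoders emit one small vector per window, and that audio window i is compared with video window i + offset (so a positive best offset means the audio leads the video, the sign convention quoted above); the encodings are constructed inline.

```python
"""Added example, not the paper's or SyncNet's code: the audio-visual offset and
AV confidence score described in the synchrony metrics section.

Assumptions (constructed for this demo): each clip is split into 0.2 s windows,
and the audio and video encoders emit one small vector per window. Audio window i
is compared with video window i + offset, so a positive best offset means the
audio leads the video, matching the sign convention quoted in the article.
"""
import math
import statistics
from typing import List, Sequence, Tuple

Vec = Sequence[float]


def euclidean(a: Vec, b: Vec) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean_distance_at_offset(audio: List[Vec], video: List[Vec], offset: int) -> float:
    """Average audio/video encoding distance when video is shifted by `offset` windows."""
    pairs = [(audio[i], video[i + offset])
             for i in range(len(audio)) if 0 <= i + offset < len(video)]
    if not pairs:
        raise ValueError("offset leaves no overlapping windows")
    return sum(euclidean(a, v) for a, v in pairs) / len(pairs)


def av_offset_and_confidence(audio: List[Vec], video: List[Vec],
                             max_offset: int = 5) -> Tuple[int, float]:
    """Sliding-window search as described in the article.

    Returns (offset, confidence): the offset (in windows) with the smallest mean
    distance, and confidence = median(distances) - min(distances). In-sync pairs
    show a sharp dip at the true offset, so the median sits well above the
    minimum; uncorrelated pairs have a flat distance curve and a score near 0.
    """
    offsets = list(range(-max_offset, max_offset + 1))
    dists = [mean_distance_at_offset(audio, video, o) for o in offsets]
    best = min(range(len(dists)), key=dists.__getitem__)
    return offsets[best], statistics.median(dists) - dists[best]


# Constructed encodings: the "video" encoder walks around the unit circle one
# eighth of a turn per window; the "audio" encoder emits the same point two
# windows ahead (audio leads video by 2 windows = 0.4 s).
def _circle_point(t: int) -> Vec:
    return (math.cos(2 * math.pi * t / 8), math.sin(2 * math.pi * t / 8))


N_WINDOWS = 16
VIDEO_ENC: List[Vec] = [_circle_point(t) for t in range(N_WINDOWS)]
AUDIO_IN_SYNC: List[Vec] = [_circle_point(i + 2) for i in range(N_WINDOWS)]
# Uncorrelated audio: a constant vector at the circle's centre, equidistant
# from every video encoding, so no offset fits better than any other.
AUDIO_UNRELATED: List[Vec] = [(0.0, 0.0)] * N_WINDOWS


def demo() -> dict:
    sync_offset, sync_conf = av_offset_and_confidence(AUDIO_IN_SYNC, VIDEO_ENC)
    _, flat_conf = av_offset_and_confidence(AUDIO_UNRELATED, VIDEO_ENC)
    return {"in_sync_offset": sync_offset,
            "in_sync_confidence": sync_conf,
            "unrelated_confidence": flat_conf}


if __name__ == "__main__":
    print(demo())
```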

GNU APL 1.8 releases with bug fixes, FFT, GTK, RE and more

Vincy Davis
24 Jun 2019
2 min read
Yesterday, GNU APL version 1.8 was released with bug fixes, FFT, GTK, RE, user-defined APL commands and more. GNU APL is a free interpreter for the programming language APL.

What's new in GNU APL 1.8?
Bug fixes
FFT (fast Fourier transforms; real, complex, and windows)
GTK (create GUI windows from APL)
RE (regular expressions)
User-defined APL commands
An interface from Python into GNU APL. With this interface one can use APL's vector capabilities in programs written in Python.

People are excited to use the GNU APL 1.8 version. A user on Hacker News states, “Wow, each of ⎕FFT, ⎕GTK and ⎕RE are substantial and impressive additions! Thank you, and congratulations on the new release!” Another user says, “APL can do some pretty cool stuff”. Another user comments, “I'd like to play with this as it is a free APL that I could use for work without paying a license (like Dyalog APL requires). J is another free array language, but it doesn't use the APL characters that I enjoy. I've had a little trouble in the past getting it to install (this was version 1.7) on Ubuntu. Granted I've never been an expert at installing from source, but a more in-depth installation guide or YouTube tutorial would help some. Thanks for doing this btw! I hope to eventually get to check this out!”

Xenotime, hacker group behind oil and natural gas sites are now targeting US power grids

Fatema Patrawala
24 Jun 2019
5 min read
Researchers from the security firm Dragos reported on Friday that a hacker group behind two potentially fatal intrusions into industrial facilities has expanded its activities to probe dozens of electricity grids in the US and other regions. The group, known as Xenotime, gained attention in 2017 when researchers from Dragos and cyber-security firm FireEye independently reported that Xenotime had caused a dangerous operational disruption at a critical infrastructure site in the Middle East, Ars Technica reports. Dragos researchers have since called the group the most dangerous cyber threat in the world.

According to Bloomberg, FireEye Inc. has linked the group to a research institution in Moscow owned by the Russian government, the Central Scientific Research Institute of Chemistry and Mechanics. Xenotime is one of the few groups in the world to use malware tailored to industrial control systems, said Benjamin Read, a FireEye senior manager.

Most alarming about this group is its use of malware, never seen before, that targets the safety instrumented system (SIS) of an installation. Such safety instrumented systems are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising. For example, when gas fuel pressure or reactor temperature rises to a potentially unsafe threshold, a SIS will automatically close valves or initiate cooling to avoid accidents that endanger life. In April, FireEye reported that the SIS manipulation malware, alternatively known as Triton and Trisis, was used in an attack at another industrial facility.

Proliferation of threats in different sectors
Dragos also reported that Xenotime has been conducting network scans and reconnaissance of multiple components across power grids in the United States and other regions.
Sergio Caltagirone, senior vice president of threat intelligence at Dragos, told Ars Technica that his firm has detected dozens of utilities, some of them located in the United States, that have been subjected to Xenotime probes since 2018. “The threat has proliferated and is now targeting electric companies in the US and Asia Pacific, which means that we are no longer safe thinking that the threat to our electrical utilities is understood or stable,” he said in an interview. “This is the first sign that threats are proliferating in all sectors, which means that now we cannot be sure that a threat to the sector will remain in that sector and will not cross.”

Probes can come in multiple forms. One of them is credential stuffing, which uses passwords stolen in previous, sometimes unrelated, breaches in the hope that they will work against new targets. Another is network scanning, which maps and catalogs the computers, routers and other devices connected to a network and lists the ports on which they accept connections. “The scale of the operation and the regions it addresses,” Caltagirone said, “shows more than a passing interest in the sector.”

In a post published on Friday, Dragos researchers wrote: “While none of the events of the electric utility company resulted in a known and successful intrusion into victim organizations to date, persistent attempts and the expansion in scope are cause for ultimate concern. Xenotime has successfully engaged several oil and gas environments, demonstrating its ability to do so in other vertical markets. Specifically, Xenotime remains one of four threats (along with Electrum, Sandworm and the entities responsible for Stuxnet) to execute a deliberate disruptive or disruptive attack. Xenotime is the only known entity specifically aimed at instrumented safety systems (SIS) for disruptive or destructive purposes.
The electrical service environments are significantly different from oil and gas operations in several aspects, but electrical operations still have safety and protection equipment that could be directed with similar vessels. Xenotime, which expresses a direct and constant interest in the operations of the electric company, is a cause for deep concern, given the willingness of this adversary to compromise the security of the process, and therefore the integrity, of fulfilling its mission. The expansion of Xenotime to another vertical industry is emblematic of an increasingly hostile industrial industry.

The most observed Xenotime activity focuses on the collection of initial information and access operations necessary for ICS tracking intrusion operations. As seen in the long-term state-sponsored intrusions in the US, the United Kingdom and other electrical infrastructure, entities are increasingly interested in the fundamental aspects of ICS operations and show all the badges associated with the information and acquisition of access necessary to carry out future attacks. While Dragos does not see evidence at this time to indicate that Xenotime (or any other activity group, such as Electrum or Allanite) is capable of executing a prolonged disruptive or disruptive event in the operations of the electric company, the observed activity shows the adversary's strong interest in meeting the prerequisites for doing so.”

This news has brought anxiety among cyber security folks. One user on Reddit comments, “it's time to develop disconnected micro grids”. Another user comments, “Or just do security correctly. Much of the utility infrastructure in the country does not align with best practices or published standards.” To know more about this, check out the official research page of Dragos.

OpenSSH code gets an update to protect against side-channel attacks

Savia Lobo
24 Jun 2019
2 min read
Last week, Damien Miller, a Google security researcher and one of the well-known OpenSSH and OpenBSD developers, announced an update to the OpenSSH code that helps protect against side-channel attacks that leak sensitive data from a computer’s memory. This protection, Miller says, will protect private keys residing in RAM against Spectre, Meltdown, Rowhammer, and the latest RAMBleed attack. SSH private keys can be used by malicious threat actors to connect to remote servers without the need for a password.

According to CSO, “The approach used by OpenSSH could be copied by other software projects to protect their own keys and secrets in memory”. With this change, an attacker who succeeds in extracting data from a computer or server’s RAM will only obtain an encrypted version of an SSH private key, rather than the cleartext version.

In an email to OpenBSD, Miller writes, “this change encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large 'prekey' consisting of random data (currently 16KB)." He further adds, "Attackers must recover the entire prekey with high accuracy before they can attempt to decrypt the shielded private key, but the current generation of attacks have bit error rates that, when applied cumulatively to the entire prekey, make this unlikely”. "Implementation-wise, keys are encrypted 'shielded' when loaded and then automatically and transparently unshielded when used for signatures or when being saved/serialised," Miller said.

The OpenSSH developers hope they will be able to remove this special protection against side-channel attacks "in a few years time when computer architecture has become less unsafe", Miller said at the end of the patch. To know more about this announcement in detail, visit Damien Miller’s email.
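The shielding scheme in Miller's description, as an added example that is not OpenSSH's code: a 16KB random prekey is hashed down to a symmetric key, the private key is kept encrypted under it while idle and unshielded only for use, so a memory-disclosure read that gets even one prekey bit wrong yields nothing usable. The stream cipher and the HMAC check are standard-library stand-ins chosen so the script runs offline, not OpenSSH's cipher choice, which this article does not state; the private key bytes are constructed.

```python
"""Added example, not OpenSSH's own code: the key-shielding scheme Miller describes.

A private key that is idle in memory is encrypted under a symmetric key derived
from a large random 'prekey' (16 KB, the figure quoted in the article) and is
unshielded only when it is needed. Stand-ins chosen so this runs with the
standard library alone: the stream cipher is SHA-256 in counter mode and an
HMAC tag makes a wrong prekey fail loudly; OpenSSH's real cipher choice is
not taken from this page.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

PREKEY_LEN = 16 * 1024  # 16 KB of random data, as quoted from Miller's mail


@dataclass
class ShieldedKey:
    prekey: bytes      # large random material; all of it must be recovered exactly
    ciphertext: bytes  # private key XORed with a keystream derived from the prekey
    tag: bytes         # HMAC over the ciphertext (illustrative; detects a wrong prekey)


def derive_keys(prekey: bytes) -> Tuple[bytes, bytes]:
    """Hash the whole prekey down to a 32-byte encryption key and a MAC key.
    Any single bit error anywhere in the 16 KB changes both outputs completely."""
    enc_key = hashlib.sha256(b"shield-enc" + prekey).digest()
    mac_key = hashlib.sha256(b"shield-mac" + prekey).digest()
    return enc_key, mac_key


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher: concatenated SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def shield(private_key: bytes, prekey: Optional[bytes] = None) -> ShieldedKey:
    """Encrypt ('shield') a private key under a freshly generated prekey."""
    if prekey is None:
        prekey = os.urandom(PREKEY_LEN)
    enc_key, mac_key = derive_keys(prekey)
    ks = keystream(enc_key, len(private_key))
    ciphertext = bytes(p ^ k for p, k in zip(private_key, ks))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ShieldedKey(prekey, ciphertext, tag)


def unshield(shielded: ShieldedKey, prekey: Optional[bytes] = None) -> bytes:
    """Recover the plaintext key; `prekey` overrides the stored one to model an
    attacker who only has a (possibly noisy) copy of it. Fails closed on mismatch."""
    prekey = shielded.prekey if prekey is None else prekey
    enc_key, mac_key = derive_keys(prekey)
    expected = hmac.new(mac_key, shielded.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, shielded.tag):
        raise ValueError("prekey does not match shielded key")
    ks = keystream(enc_key, len(shielded.ciphertext))
    return bytes(c ^ k for c, k in zip(shielded.ciphertext, ks))


def flip_bits(data: bytes, bit_positions: Iterable[int]) -> bytes:
    """Model a memory read with bit errors by flipping the given bit positions."""
    buf = bytearray(data)
    for pos in bit_positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def demo() -> dict:
    """Shield a constructed key, then show what one bit error in a recovered
    prekey costs an attacker who holds the ciphertext."""
    secret = b"-----CONSTRUCTED PRIVATE KEY, NOT A REAL KEY-----" * 4
    shielded = shield(secret)
    roundtrip_ok = unshield(shielded) == secret
    noisy_prekey = flip_bits(shielded.prekey, [12345])  # 1 wrong bit of 131072
    try:
        unshield(shielded, noisy_prekey)
        recovered = True
    except ValueError:
        recovered = False
    return {"roundtrip_ok": roundtrip_ok,
            "recovered_with_one_bit_error": recovered,
            "prekey_bytes": len(shielded.prekey)}


if __name__ == "__main__":
    print(demo())
```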

The US launched a cyber attack on Iran to disable its rocket launch systems; Iran calls it unsuccessful

Sugandha Lahoti
24 Jun 2019
4 min read
On Thursday, the US launched a cyber-attack on Iranian weapons systems, according to sources. The attack is retaliation by the US government after Iran shot down a US spy drone. In response to the drone’s destruction, the US was ready to carry out a military strike against Iran, but US President Donald Trump said he called it off at the last minute after being told some 150 people could die. That did not stop him from secretly authorizing US Cyber Command to carry out a retaliatory cyber attack on Iran. Defense officials had prepared such a cyber response as a contingency plan for weeks preceding the attack.

The cyber-attacks disabled computer systems controlling Iran’s rocket and missile launchers. Officials told the Guardian that the attack, which specifically targeted computer systems of Iran’s Islamic Revolutionary Guard Corps (IRGC), had been offered as an option after two oil tankers were bombed. The IRGC has been designated a foreign terrorist group by the Trump administration. The AP news agency said the cyber-attack had disabled the Iranian systems. The New York Times said it was intended to take the systems offline for a period of time.

The response by Iran
An Iranian minister, however, rejected these claims, stating that US cyber attacks on Iranian targets were not successful. “They try hard, but have not carried out a successful attack,” Mohammad Javad Azari Jahromi, Iran’s minister for information and communications technology, told Reuters. “Media asked if the claimed cyber attacks against Iran are true,” he said. “Last year we neutralized 33 million attacks with the (national) firewall.” Azari Jahromi called attacks on Iranian computer networks “cyber-terrorism”, referring to Stuxnet, the first publicly known example of a virus used to attack industrial machinery, which targeted Iran’s nuclear facilities in November 2007. In response to the shooting down of the US drone, an Iranian navy commander warned it could be repeated.
“Everyone saw the downing of the unmanned drone,” navy commander Rear Admiral Hossein Khanzadi was quoted as saying by the Tasnim news agency. “I can assure you that this firm response can be repeated, and the enemy knows it.”

On Saturday the US Department of Homeland Security warned that Iran was stepping up its own cyber-attacks on the US. Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency, said "malicious cyber activity" was being directed at US industries and government agencies by "Iranian regime actors and their proxies." US military and intelligence officials are drafting plans for additional cyber attacks against Iranian targets. The US will also impose further sanctions on Iran. President Trump said these sanctions were "major" and were needed to prevent Tehran from obtaining nuclear weapons, and that economic pressure would be maintained unless Tehran changed course.

Technology plays a central role in national security and foreign policy. Most recently, the US-China trade war saw Huawei and Apple caught at the center of escalating tensions, and the US prohibited a wide swath of technology deals with a “foreign adversary” for national security reasons. National security and technological environments are intertwined because technology strongly influences the way wars are fought and the character of the missions reserve components are asked to perform; it is often caught in the web of trade wars. The US-Iran cyber attack is a clear example of the way the lines between physical and digital warfare are blurring.

Amazon patents AI-powered drones to provide ‘surveillance as a service’

Savia Lobo
21 Jun 2019
7 min read
At the first re:MARS event earlier this month, Amazon proposed plans to further digitize its delivery services by having AI-powered drones deliver orders. Amazon was also granted a US patent on June 4 for these ‘unmanned aerial vehicles (UAV) or drones’ to provide “surveillance as a service.” The patent, which was filed on June 12, 2015, describes how Amazon’s UAVs could keep an eye on customers’ property between deliveries while supposedly maintaining their privacy.

“The property may be defined by a geo-fence, which may be a virtual perimeter or boundary around a real-world geographic area. The UAV may image the property to generate surveillance images, and the surveillance images may include image data of objects inside the geo-fence and image data of objects outside the geo-fence,” the patent states.

A diagram from the patent shows how delivery drones could be diverted to survey a location. Source: USPTO

According to The Telegraph, “The drones would look for signs of break-ins, such as smashed windows, doors left open, and intruders lurking on people’s property. Anything unusual could then be photographed and passed on to the customer and the police”. “Drones have long been used for surveillance, particularly by the military, but companies are now beginning to explore how they might be used for home security”, The Verge reports.

Amazon’s competitor, Alphabet Inc.’s Wing, became the first drone operator to win FAA approval to operate as a small airline, in April. Amazon, however, has received approval to make drone deliveries only in remote parts of the United States. Amazon says it hopes to launch a commercial service “in a matter of months.” The drones could be programmed to trigger automated text or phone alerts if the system’s computer-vision algorithms spot something that could be a concern. Those alerts might go to the subscriber, or directly to the authorities.

“For example, if the surveillance event is the determination that a garage door was left open, an alert may be a text message to a user, while if the surveillance event is a fire, an alert may be a text message or telephone call to a security provider or fire department,” the inventors write.

This raises a lot of data privacy concerns, as it may allow drones to peep into people’s houses and collect information they are not supposed to. However, Amazon’s patent states that, “Geo-clipped surveillance images may be generated by physically constraining a sensor of the UAV, by performing pre-image capture processing, or post-image capture processing. Geo-clipped surveillance images may be limited to authorized property, so privacy is ensured for private persons and property.”

Amazon has been curating a lot of user data using various products, including the smart doorbell made by Ring, which Amazon bought for more than $1 billion in February last year. This smart doorbell sends a video feed customers can check and answer from their smartphone. Amazon launched Neighbors, a crime-reporting social network that encourages users to upload videos straight from their Ring security cameras and tag posts with labels like “Crime,” “Safety,” and “Suspicious.” Over 50 local US police departments have partnered with Ring to gain access to its owners’ security footage. Amazon’s Key allows Prime members to have packages delivered straight into their homes, if they install its smart lock on their door and Amazon security cameras inside their homes.

Last month, the US House Oversight and Reform Committee held its first hearing examining the use of ‘Facial Recognition Technology’. The hearing included discussion on the use of facial recognition by government and commercial entities, flaws in the technology, lack of regulation and its impact on citizens’ civil rights and liberties.

Joy Buolamwini, founder of the Algorithmic Justice League, highlighted ‘misidentification’ as one of the most pressing failures of this technology: it can lead to false arrests and accusations, a risk especially for marginalized communities.

Earlier this year, in January, activist shareholders proposed a resolution to limit the sale of Amazon’s facial recognition tech, Rekognition, to law enforcement and government agencies. Rekognition was found to be biased and inaccurate and is regarded as an enabler of racial discrimination against minorities. Rekognition, which runs image and video analysis of faces, has been sold to two states; Amazon has also pitched it to Immigration and Customs Enforcement. Last month, Amazon shareholders rejected the proposal to ban the sale of its facial recognition tech to governments. Amazon pushed back on the claims that the technology is inaccurate, and called on the U.S. Securities and Exchange Commission to block the shareholder proposal prior to its annual shareholder meeting, while the ACLU blocked Amazon’s efforts to stop the vote amid growing scrutiny of its product. According to an Amazon spokeswoman, the resolutions failed by a wide margin. Amazon has defended its work and said all users must follow the law. It also added a web portal for people to report any abuse of the service. The votes were non-binding, thus allowing the company to reject the outcome of the vote.

In April, Bloomberg reported that Amazon workers “listen to voice recordings captured in Echo owners’ homes and offices. The recordings are transcribed, annotated and then fed back into the software as part of an effort to eliminate gaps in Alexa’s understanding of human speech and help it better respond to commands”. Also, this month, two lawsuits were filed in Seattle alleging that Amazon is recording voiceprints of children using its Alexa devices without their consent.

This shows Amazon may be secretly collecting users’ data and now, with surveillance drones, it can gain access to users’ homes as a whole. What more can a company driven by user data ask for? We will have to see if Amazon stays true to what it has stated in its patent.

While drones hovering overhead for surveillance seems interesting, they actually collect large volumes of user data, and a lot of private information. Black hat hackers, who use their skills to break into systems and access data and programs without the permission of the owners, may gain access to this data, which is a risk. They could further sell the data to third-party buyers, including advertising companies that may use it to target advertisements for particular products. Amazon employees managing the data from these drones may also have some access to this data; a network administrator or security professional’s rights and privileges allow them to access most of the data on the systems in a user’s network, and one can easily decrypt the data given access to the recovery agent account. This raises the question of whether this extra private data is safe, and at what level intruders could misuse it.

According to The Verge, “Amazon has patented some pretty eccentric drone technologies over the years that have never made it to market; including a floating airship that could act as a warehouse for delivery drones, a parachute shipping label, and a system that lets a drone understand when you shout or wave at it”.

https://twitter.com/drewharwell/status/1141712282184867840
https://twitter.com/drewharwell/status/1141793761283989504

To know more about ‘surveillance as a service’, read the patent.

article-image-slack-stocks-surges-49-on-the-first-trading-day-on-the-nyse-after-direct-public-offering
Fatema Patrawala
21 Jun 2019
5 min read
Slack stock surges 49% on its first trading day on the NYSE after a direct public offering

From Uber to Lyft to Airbnb, this is the year of the tech initial public offering. Yesterday, reports from several news sources confirmed that Slack Technologies had started trading on the New York Stock Exchange through a direct public offering. The workplace chat app, so ubiquitous that "I'll Slack you" has become a generic phrase, landed on Wall Street with a valuation of about $20 billion on Thursday, according to the Financial Times.

Slack took a different route from the other Silicon Valley tech companies and saw its shares soar as it went public without a traditional IPO. In February, Slack had confidentially filed with the Securities and Exchange Commission to list its shares in the U.S. A reference price of $26 per share had been set, but the shares opened at $38.50 and closed at $38.62. Slack shares started trading around noon on Thursday on the NYSE under the ticker symbol "WORK". It was a historic day for Slack: the stock climbed as high as $42 during Thursday's session.

https://twitter.com/TechCrunch/status/1141464711889920006

https://twitter.com/WSJ/status/1141454210887819264

Slack was reportedly valued at $7 billion in 2018, according to CNBC, and has more than 10 million daily active users. The company expects annual revenue of about $500 million this year. Stewart Butterfield, Slack co-founder and chief executive officer, is now a billionaire, with an 8.6% stake worth $1.6 billion at the opening price. Accel, the largest shareholder, holds a stake worth a whopping $4.6 billion. Other key shareholders include Social Capital, whose stake is worth $2 billion, Andreessen Horowitz ($2.6 billion), SoftBank ($1.4 billion) and Slack co-founder Cal Henderson ($646 million).

According to Fortune, Butterfield has come a long way from the log cabin where he lived without electricity or running water for the first few years of his life. He was introduced to computers in the second grade but lost interest in technology as he got older, and went on to study philosophy in college. "By the time I finished my master's degree I really had no idea of what I was going to do except for being an academic because, you know, the big five philosophy firms aren't always hiring," Butterfield told Bloomberg last year.

Why Slack chose to go direct, and how it benefits the company

Butterfield told CNBC that the company chose not to hold a traditional IPO for a pragmatic reason: it didn't need the cash. "We're not ideological crusaders on this stuff," he said. The direct listing process is a more efficient way to price a stock, he said, "but I don't think anything comes close to not having to dilute existing shareholders by 10%." Butterfield said he also wanted to avoid the lockup period. "Especially in a period when you're locked up, when the supply is so constrained, the psychological impact of that can be a big negative," he said. "Giving employees the option early is more important."

https://twitter.com/CNBC/status/1141698220164362240

As Fortune explains, unlike an ordinary IPO, a direct listing means the company issues no new shares and raises no additional capital. It is primarily a way for company insiders to sell some of their holdings to investors while bypassing the formidable fees and requirements of an underwriter. A direct listing also skips the steps of a traditional IPO: securing commitments from investment banks, attracting potential investors through a "roadshow", and pricing the shares before they start trading. Slack is the second high-profile tech company to choose a direct listing, following in the footsteps of Spotify in 2018. Goldman Sachs Group Inc., Morgan Stanley and Allen & Co. advised Slack on the listing.

A direct listing "is viewed as a little bit riskier or more uncertain for a number of reasons, principally because you haven't had this roadshow process, so it's a bit harder to tell where the shares are going to open and at what price," said Adam Augusiak-Boro, a senior research associate at EquityZen.

What investors should pay for Slack shares

CNBC's Jim Cramer said "Slack will generate a ton of excitement when it lists on the New York Stock Exchange", and gave a breakdown of what investors should pay for the shares. "I'm willing to let you pay $40. ... That's well above. Now if you can get it below that, that's even better. If not, you keep your bat on your shoulder," said Cramer. "Slack is a great story ... but we still got to be disciplined if you want to start a position in this one."

Cramer calls Slack a "fresh-faced" enterprise software play with a strong growth rate. Slack's revenue grew 82% in 2018 but slowed to 67% growth in its most recent quarter. Paid customers grew 42% in the same year and another 42% in the most recent quarter, Cramer said. The company also grew its base of business customers bringing in more than $100,000 of annual revenue by 93%, he said. "In short, Slack's overall growth is fantastic," he said. "The company's on the path to profitability. The balance sheet is fine."

Community response to the news has been positive. One Hacker News user commented, "Well deserved. Their product-vision was clear, their execution focused on what mattered... and they didn't need to bend or break laws to succeed. It's easily my favorite unicorn of the past decade." People also appreciated that Slack has been a diverse organization and that everyone benefited from the listing.
https://twitter.com/DonaldRichard/status/1141717416294174721
Bhagyashree R
21 Jun 2019
4 min read
A second zero-day found in Firefox was used to attack Coinbase employees; fix released in Firefox 67.0.4 and Firefox ESR 60.7.2

Earlier this week, Mozilla fixed a zero-day vulnerability that was being actively exploited by attackers. It released another security update yesterday after the Coinbase security team detected a second zero-day being used against Firefox. The fixes landed in Firefox 67.0.4 and Firefox ESR 60.7.2.

The two zero-day vulnerabilities

The first, tracked as CVE-2019-11707, is a type confusion vulnerability that occurs "when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash." It lets an attacker run code inside Firefox's sandboxed content process. The vulnerability was reported by both the Coinbase security team and Samuel Groß, a security researcher on Google's Project Zero team; Groß had filed it on Bugzilla on April 15.

https://twitter.com/5aelo/status/1141273394723414016

Describing the implications of the bug, Groß said, "the bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape to run code on an underlying operating system. However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker's goals."

The second, assigned CVE-2019-11708, is described as a "sandbox escape using Prompt:Open". Chained with the first, this high-severity bug lets code running in a compromised content process break out of the Firefox sandbox and execute on the targeted host. "Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process," the advisory reads.

The Coinbase attack

Little was known about these attacks until yesterday, when Philip Martin, Chief Information Security Officer at Coinbase, and his team disclosed that they had detected an attack targeting Coinbase employees. Coinbase also said the attacker may have targeted other cryptocurrency organizations, and it is now notifying the organizations it believes were targeted.

https://twitter.com/SecurityGuyPhil/status/1141466335592869888

Fortunately, the attack was detected before it did any damage. Had it gone undetected, the attacker could have gained access to the Coinbase backend network and stolen funds from the exchange. In his tweets Martin also shared Indicators of Compromise (IOCs), including file hashes, that defenders can use to check whether a system was affected.

https://twitter.com/SecurityGuyPhil/status/1141466339518767104

Vitali Kremez, a researcher specializing in information security, malware hunting, carding and cybercrime intelligence, speculated that the IOCs were linked to the username "powercat".

https://twitter.com/VK_Intel/status/1141540229951709184

The IOCs suggest the attacker sent spear-phishing emails luring victims to a web page. If the victim was running a vulnerable Firefox version, the page would exploit the chain to download and install malware on their system.

The macOS backdoor attack

Cryptocurrency organizations were not the only targets; the attacker appears to have gone after other Firefox users as well. Yesterday, Patrick Wardle, a macOS security researcher, published an analysis of a Mac malware sample sent to him by a user who said it had been installed on his fully updated Mac through the Firefox zero-day. (Screenshot of the attacker's email to this user, via Objective-See.) The malware installed on the user's system was called Finder.app, and its hash matched one of the hashes Martin had shared.

The news sparked a discussion on Hacker News. Many users found it unsettling that Mozilla took two months to ship a patch for such a critical bug report. "Really, that Mozilla would let a reported RCE vulnerability simmer for two months until it bit someone would seem to reflect very poorly on their priorities and competence," one user commented.

Others were more interested in how Coinbase discovered the attack. A user commented, "I am more interested in how Coinbase employees discovered the attack. I am assuming nobody clicked the suspicious link and instead took it to a vm for reversing and analysis. It would have been game over if the exploit was actually executed on a non-sandboxed machine."
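The two practical checks a defender takes away from this story are "is this Firefox build older than the fixed version for its branch?" and "does any file on this box match a published IOC hash?". The script below is an added example written for this page; it is not code from Mozilla, Coinbase or Objective-See. The fixed versions (67.0.4 release, 60.7.2 ESR) come from the advisory above; the IOC set is a constructed stand-in, since the real hashes live in Martin's tweets and are not reproduced here. Note the branch handling: "60.7.1esr" must be compared against the ESR fix, not against 67.0.4.

```python
"""Triage helpers for the Firefox CVE-2019-11707 / CVE-2019-11708 chain.

Added example for this article, not vendor code. Version numbers are from
Mozilla's advisory; the IOC hash set below is constructed for illustration.
"""
import hashlib
from pathlib import Path

# First fixed build on each branch, per the Mozilla security update.
FIXED_VERSIONS = {"release": (67, 0, 4), "esr": (60, 7, 2)}

# Constructed stand-in for a malicious payload such as the Finder.app sample.
# The real IOC hashes were published by Coinbase's CISO and are not reproduced.
SAMPLE_MALICIOUS_BYTES = b"constructed stand-in for a malicious Finder.app payload"
IOC_SHA256 = {hashlib.sha256(SAMPLE_MALICIOUS_BYTES).hexdigest()}


def parse_firefox_version(version):
    """Return (branch, numeric tuple) for strings like '67.0.3' or '60.7.1esr'."""
    text = version.strip().lower()
    branch = "esr" if text.endswith("esr") else "release"
    numeric = text[:-3] if branch == "esr" else text
    parts = tuple(int(p) for p in numeric.split("."))
    # Pad so '67.0' compares like '67.0.0' against a three-part fixed version.
    return branch, parts + (0,) * (3 - len(parts))


def is_vulnerable(version):
    """True when the installed build predates the fix for its own branch."""
    branch, parts = parse_firefox_version(version)
    return parts < FIXED_VERSIONS[branch]


def sha256_hex(data):
    """Hex SHA-256 of a byte string; the hash form the IOCs were shared in."""
    return hashlib.sha256(data).hexdigest()


def find_ioc_matches(samples, iocs=IOC_SHA256):
    """samples: iterable of (label, bytes). Returns labels whose hash is an IOC."""
    return [label for label, data in samples if sha256_hex(data) in iocs]


def scan_paths(paths, iocs=IOC_SHA256):
    """Hash regular files on disk and report the ones matching an IOC hash."""
    samples = [(str(p), Path(p).read_bytes()) for p in paths if Path(p).is_file()]
    return find_ioc_matches(samples, iocs)


if __name__ == "__main__":
    for v in ("67.0.3", "67.0.4", "60.7.1esr", "60.7.2esr", "68.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    print(find_ioc_matches([("sample", SAMPLE_MALICIOUS_BYTES), ("benign", b"hello")]))
```

To use it against a real incident, replace IOC_SHA256 with the published hashes and point scan_paths at the download and Applications directories of the hosts in question; a version check alone is not enough, because a host patched after the phishing email was opened may still carry the dropped backdoor.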
Vincy Davis
21 Jun 2019
5 min read
Vivaldi 2.6 releases with abusive ad blocking and customizable user profiles  

Yesterday, Vivaldi released the latest version of its browser, Vivaldi 2.6, with two headline features: privacy and customization. Users can now block abusive ads, and can create multiple user profiles without logging into a different operating-system account. There are other improvements as well, such as filtering saved passwords and a visually enhanced search field. Vivaldi 2.6 is a free download for Windows, Mac and Linux, and can import data from a variety of browsers, including Opera, Chrome, Edge, Internet Explorer and, via HTML export, Firefox.

Browse safely with no abusive ads

Vivaldi's new functionality blocks adverts that use abusive techniques such as fake system messages and misleading site behaviour, for example pop-ups that prevent users from leaving a site. The built-in blocker ships with a blocklist that is enabled by default and can be switched off in the Privacy section of the Settings menu. The list is hosted on Vivaldi's servers and updated automatically, so the browser does not have to contact the server on every page load; Vivaldi says the list is hosted on its end-to-end encrypted servers.

To manually enable or disable abusive ad blocking:

1. Select Vivaldi Menu > Tools > Settings, or press Alt-P to open Preferences.
2. Switch to the Privacy section.
3. Uncheck "Block ads on abusive violating sites" to turn the feature off (check it again to turn it back on).

In a statement to Packt, Vivaldi CEO Jon von Tetzchner said, "We try to keep our users safe and will continue to look at more options to protect them. The way that we've implemented this functionality is an interesting step in the direction of relying less on third-party services."

(Image: Vivaldi)

More personality for User Profiles

In March this year, Vivaldi introduced support for user profiles, each with its own set of extensions, bookmarks, speed dials, cookies, history and more. This update adds further customization. Users can create multiple "users" without logging into a different operating system or user account, or maintaining multiple standalone installations of Vivaldi. For non-synced profiles, the update adds a more personal touch:

- Update the avatars
- Add and delete profiles in the popup
- Edit the avatar within the popup

(Image: Vivaldi)

Other improvements

- Filter saved passwords: users can find saved passwords by filtering on account name or website.
- Keep track of unread tabs in the Window Panel: when a link is opened in a background tab, the Window Panel flags it as unread, and the unread tab counter shows exactly how many tabs are unattended.
- Navigate faster with Find in Page: users can locate a specific word or term in a lengthy article.
- Visually enhanced Search Field: the magnifying glass on the Search Field to the right of the Address Bar now shows the favicon of the active search engine, making it easy to see which engine is in use.
- Headphone support: a highly requested feature, Vivaldi now supports headphone devices.
- Performance: Vivaldi 2.6 is faster for users working with many tabs. Tabs can be tiled into split-screen views or moved to new windows more easily, and opening, closing and resizing Panels in the sidebar is snappier.

Vivaldi's privacy feature arrives at a time when many browsers are being criticized for privacy issues. Earlier this month, Google said the blocking capability that many Chrome ad-blocking extensions rely on would remain available only to enterprise users, a move that drew much criticism. Vivaldi, on the other hand, is being praised for its new privacy-centric features. It also ships with the DuckDuckGo search engine as the default, which does not track or profile users.

https://twitter.com/rankbrite/status/1141726875728908288

A user on Hacker News states, "I'm seriously thinking of switching to Vivaldi now as my default development browser. It has incredible keyboard support and feature wise closest to the old Opera browser, which till date is the first browser I fell in love with." Another user on Hacker News says, "I changed to Vivaldi about a year ago and it's the first browser ever which isn't constantly slowing down with time and I'm not constantly thinking should I change again."

Questions are also being raised about Vivaldi linking its definition of "abusive ads" to Google's guidelines. A user on Hacker News comments, "The "abusive ads" text links to Google's guidelines for abusive ads: is this what Vivaldi is using to determine what's "abusive"?"

Others prefer Firefox over Vivaldi because of the latter's slow pace of fixes. One user explains, "I switched from Chrome to Vivaldi and back to Firefox for two reasons: 1) Vivaldi rendering performance is the worst I've ever seen in a browser. No idea how they managed that using webkit, but some sites would make tabs crash on a high end system. 2) The web developer tools are unusable due to bugs. 3) Fixing simple but impactful bugs takes too long. I really like their useful and plenty settings for everything, but 1) and 2) make it a no go for me."

For more information, read Vivaldi's blog.