Tech News

Yesterday, the team at GitHub along with its partners from Weights & Biases introduced the CodeSearchNet challenge evaluation environment and leaderboard. The team is also releasing a large dataset to help data scientists in building models for this task and several baseline models that highlight the current state of the art. Semantic code search involves retrieving relevant code when a natural language query is given. While dealing with other information retrieval tasks, it needs to bridge the gap between the language used in code and natural language. Also, the standard information retrieval methods don’t work effectively in the code search domain because usually there is little shared vocabulary between search terms and results. Evaluating methods for this task is very difficult, as there are no substantial datasets that were made for this task.  Considering these issues and to evaluate the progress on code search, the team is releasing CodeSearchNet Corpus and they are presenting the CodeSearchNet Challenge. The CodeSearchNet Challenge consists of 99 natural language queries and around 4k expert relevance annotations.  The CodeSearchNet Corpus  The CodeSearchNet corpus contains around 6 million functions from open-source code spanning six programming languages including Go, Java, Python, JavaScript, PHP, and Ruby. For collecting a large dataset of functions, the team used TreeSitter infrastructure, a parser generator tool and an incremental parsing library. The team is also releasing its data preprocessing pipeline for others to use as it will be a starting point in applying machine learning to code. This data is not directly related to code search but if used with related natural language description, it can help in training models.  CodeSearchNet corpus contains automatically generated query-like natural language for around 2 million functions. It also includes the metadata that indicates the original location where the data was found. CodeSearchNet Corpus collection The team collects the corpus from publicly available open-source non-fork GitHub repositories and uses libraries.io for identifying all projects which are used by at least one other project. They further sort these projects based on their ‘popularity’ by checking the number of stars and forks. The team removes the projects that do not have a license or whose license does not allow the re-distribution of parts of the project.  The team has also tokenized all the functions, including Go, JavaScript, Python, Java, PHP and Ruby with the help of TreeSitter. For generating the training data for the CodeSearchNet Challenge, the team considers those functions in the corpus hat have documentation associated with them. The CodeSearchNet Challenge The team collected an initial set of code search queries for evaluating code search models. They started by collecting the common search queries that had high click-through rates from Bing and then combined these with queries from StaQC. The team manually filtered out those queries that were clearly ‘technical keywords’ for obtaining a set of 99 natural language queries. The team then used a standard Elasticsearch installation and baseline models for obtaining 10 results per query from their CodeSearchNet Corpus. They then asked data scientists, programmers, and machine learning researchers for annotating the results for relevance to the query. For evaluating the CodeSearchNet Challenge, a method should return a set of results from CodeSearchNet Corpus for each of 99 pre-defined natural language queries.  Other interesting news in data Can a modified MIT ‘Hippocratic License’ to restrict misuse of open source software prompt a wave of ethical innovation in tech? ImageNet Roulette: New viral app trained using ImageNet exposes racial biases in artificial intelligent system GitLab 12.3 releases with web application firewall, keyboard shortcuts, productivity analytics, system hooks and more

After releasing Rust 1.37 last month, the Rust team announced the release of Rust 1.38 yesterday. This version supports pipelined rustc compilation, an extended #[deprecated] attribute for macros, the std::any::type_name function to know the type name, and more. Key updates in Rust 1.38 Pipelined compilation to increase parallelism Rust’s dependency manager and project compiler, Cargo create a directed acyclic graph  (DAG) of crates whenever a cargo build command is fired. Cargo waits till all of the dependencies for that compilation is completed, only then it proceeds to execute rustc.  Starting with 1.38, this wait is minimized by introducing pipelined compilation. Cargo will now take advantage of the metadata produced by the compiler to start the next compilation. Read also: Rust 1.29 is out with improvements to its package manager, Cargo The team shared in the announcement that though this update doesn’t have much effect on builds for a single crate, it has shown up to 10-20% improvement in compilation speed during testing. “Other ones did not improve much, and the speedup depends on the hardware running the build, so your mileage might vary. No code changes are needed to benefit from this,” the team adds. Linting incorrect uses of mem::{uninitialized, zeroed} Previously, the ‘mem::uninitialized’ function allowed developers to sidestep Rust’s initialization checks. This operation can be “incredibly dangerous” as it makes the Rust compiler assume that values are properly initialized. This was addressed in Rust 1.36 by stabilizing the ‘MaybeUninit<T>’ type. The Rust team explained in a previous announcement, “The Rust compiler will understand that it should not assume that a MaybeUninit<T> is a properly initialized T. Therefore, you can do gradual initialization more safely and eventually use .assume_init() once you are certain that maybe_t: MaybeUninit<T> contains an initialized T.” The ‘mem::uninitialized’ function is planned to deprecate in Rust 1.39. Starting with Rust 1.38, the compiler has a few checks to identify incorrect initializations using ‘mem::uninitialized’ or ‘mem::zeroed’. However, these checks do not cover all cases of unsound use of these methods. The #[deprecated] attribute for macros Rust 1.9 introduced the  #[deprecated] attribute that allows crate authors to notify their users an item of their crate is deprecated and will be removed in a future release. In Rust 1.38, this attribute can also be applied to indicate the deprecation of macros. The std::any::type_name function Rust 1.38 introduces a new function called ‘std::any::type_name’ that gives you the type name. Since this is a standard library function for debugging, the exact content and format of the string are not guaranteed. The team explains, “The value returned is only a best-effort description of the type; multiple types may share the same type_name value, and the value may change in future compiler releases.” Some users have already upgraded to Rust 1.38 and shared their feedback on Twitter. https://twitter.com/gilescope/status/1177229413320134661 While others are eagerly waiting for the release that will have the stabilized async-await. https://twitter.com/shirshak55/status/1177247635285000192 These were some of the updates in Rust 1.38. Check out the official announcement for more. Introducing Weld, a runtime written in Rust and LLVM for cross-library optimizations Mozilla introduces Neqo, Rust implementation for QUIC, new http protocol Introducing Nushell: A Rust-based shell Oracle releases JDK 13 with switch expressions and text blocks preview features, and more! Darklang available in private beta

Yesterday the Mypy team uploaded mypy 0.730 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes many features, bug fixes and library stub updates. You can install it as follows: python3 -m pip install -U mypy Python creator Guido van Rossum tweeted about this release, he says “mypy 0.720 released. New semantic analyzer is now the default! Also, --warn-unreachable flag, and many more fixes and updates.” Major updates in Mypy 0.730 Some of the breaking changes in the Mypy 0.730 include: More precise error locations If you call a function with an incompatible argument type, mypy now points the error message to the argument with the incompatible type. Previously, mypy pointed to the function being called, which could be confusing in multi-line calls. Error codes Mypy 0.730 can now optionally display error codes. They are shown within square brackets after each error message: prog.py:24: error: "str" has no attribute "trim"  [attr-defined] Enable error codes using --show-error-codes (or show_error_codes = True in a configuration file). Ignoring specific error codes You can ignore only errors with specific error codes on a particular line by using a # type: ignore[code, ...] comment. This reduces the risk of ignoring unexpected, serious errors when using # type: ignore comments that ignore (almost) all possible errors on a line. Colors in output Mypy 0.730 now uses colored, more user-friendly output by default. You can use --no-color to disable colored output. You can use --no-error-summary to hide the summary line with the number of errors. Pretty output mode You can use --pretty to display each line which had errors and a caret that points to the location of the error on each line. Old semantic analyzer removed This release of Mypy 0.730 no longer includes the old semantic analyzer. Reachability and context managers The --warn-unreachable option now behaves more correctly with “exception-swallowing” context managers. If a context manager is currently declared to return bool but it never swallows exceptions, you should annotate the return of __exit__ as Literal[False] instead of bool, or otherwise mypy may complain about missing return statements. To know more about this release, read the full documentation on Read the Docs. Other interesting news in programming Łukasz Langa at PyLondinium19: “If Python stays synonymous with CPython for too long, we’ll be in big trouble” Microsoft introduces Pyright, a static type checker for the Python language written in TypeScript Python 3.8 alpha 2 is now available for testing

More than five months after announcing Warp, Cloudflare has finally made it available to the general public, yesterday. With two million people on the waitlist to try Warp, the Cloudflare team says that it took them harder than they thought to build a next-generation service to secure consumer mobile connections, without compromising on speed and power usage. Along with Warp, Cloudflare is also launching Warp Plus. Warp is a free VPN to the 1.1.1.1 DNS resolver app which will speed up mobile data using the Cloudflare network to resolve DNS queries at a faster pace. It also comes with end-to-end encryption and does not require users to install a root certificate to observe encrypted internet traffic. It is built around a UDP-based protocol that is optimized for the mobile internet and offers excellent performance and reliability. Why Cloudflare delayed the Warp release? A few days before Cloudflare announced Warp on April 1st, Apple released its new version iOS 12.2 with significant changes in its underlying network stack implementation. This made the Warp network unstable thus making the Cloudflare team arrange for workarounds in their networking code, which took more time. Cloudflare adds, “We had a version of the WARP app that (kind of) worked on April 1. But, when we started to invite people from outside of Cloudflare to use it, we quickly realized that the mobile Internet around the world was far more wild and varied than we'd anticipated.” As the internet is made up of diverse network components, the Cloudflare team found it difficult to include all the diversity of mobile carriers, mobile operating systems, and mobile device models in their network. The Cloudflare team also found it testing to include users’ diverse network settings in their network. Warp uses a technology called Anycast to route user traffic to the Cloudflare network, however, it moves the users’ data between entire data centers, which made the Warp functioning complex.  To overcome all these barriers, the Cloudflare team has now changed its approach by focussing more on iOS. The team has also solidified the shared underpinnings of the app to ensure that it would even work with future network stack upgrades. The team has also tested Warp with network-based users to discover as many corner cases as possible. Thus, the Cloudflare team has successfully invented new technologies to keep the session state stable even with multiple mobile networks. Cloudflare introduces Warp Plus - an unlimited version of Warp Along with Warp, the Cloudflare team has also launched Warp Plus, an unlimited version of WARP for a monthly subscription fee. Warp Plus is faster than Warp and uses Cloudflare’s Argo Smart Routing to achieve a higher speed than Warp. The official blog post states, “Routing your traffic over our network often costs us more than if we release it directly to the internet.” To cover these costs, Warp Plus will charge a monthly fee of $4.99/month or less, depending on the user location. The Cloudflare team also added that they will be launching a test tool within the 1.1.1.1 app in a few weeks to make users “see how your device loads a set of popular sites without WARP, with WARP, and with WARP Plus.” Read Also: Cloudflare plans to go public; files S-1 with the SEC  To know more details about Warp Plus, read the technical post by Cloudflare team. Privacy features offered by Warp and Warp Plus The 1.1.1.1 DNS resolver app provides strong privacy protections such as all the debug logs will be kept only long enough to ensure the security of the service. Also, Cloudflare will only retain the limited transaction data for legitimate operational and research purposes.  Warp will not only maintain the 1.1.1.1 DNS protection layers but will also ensure: User’s-identifiable log data will be written to disk The user’s browsing data will not be sold for advertising purposes Warp will not demand any personal information (name, phone number, or email address) to use Warp or Warp Plus Outside editors will regularly regulate Warp’s functioning The Cloudflare team has also notified users that the newly available Warp will have bugs present in them. The blog post also specifies that the most popular bug currently in Warp is due to traffic misroute, which is making the Warp function slower than the speed of non-Warp mobile internet.  Image Source: Cloudflare blog The team has made it easier for users to report bugs as they have to just click on the little bug icon near the top of the screen on the 1.1.1.1 app or shake their phone with the app open and send a bug report to Cloudflare. Visit the Cloudflare blog for more information on Warp and Warp Plus. Facebook will no longer involve third-party fact-checkers to review the political content on their platform GNOME Foundation’s Shotwell photo manager faces a patent infringement lawsuit from Rothschild Patent Imaging A zero-day pre-auth vulnerability is currently being exploited in vBulletin, reports an anonymous researcher

On Wednesday, Puppet announced the findings of its eighth annual State of DevOps Report. This report reveals practices and patterns that can help organisations in integrating security into the software development lifecycle. As per Puppet’s 2019 State of DevOps Report, 22% of the firms at the highest level of security integration has reached an advanced stage of DevOps maturity, while 6% of the firms are without security integration.  While talking about the firms with an overall ‘significant to full’ integration status, according to the report findings, Europe is ahead of the Asia Pacific regions and the US with 43% in contrast to 38% or less. Alanna Brown, Senior Director of Community and Developer Relations at Puppet and author of the State of DevOps report, said, “The DevOps principles that drive positive outcomes for software development — culture, automation, measurement and sharing — are the same principles that drive positive security outcomes. Organisations that are serious about improving their security practices and posture should start by adopting DevOps practices.”  Brown added, “This year's report affirms our belief that organisations who ignore or deprioritise DevOps, are the same companies who have the lowest level of security integration and who will be hit the hardest in the case of a breach.” Key findings of State of the DevOps Report 2019 According to the report, firms that are at the highest level of security integration can deploy to production on-demand at a higher rate as compared to firms at all other levels of integration. Currently, 61% of firms are able to do so and while comparing with organisations that have not integrated security at all, less than half (49%) can deploy on-demand. According to 82% of survey respondents at firms with the highest level of security integration, security practices and policies to improve their firm’s security posture. While comparing this with respondents at firms without security integration, only 38% had the level of confidence. Firms that are integrating security throughout their lifecycle are more than twice as likely to stop a push to production for a medium security vulnerability. In the middle stages of evolution of security integration, delivery and security teams experience higher friction while collaborating where software delivery slows down and the audit issues increase. The report findings state that friction is higher for respondents who work in security jobs than those who work in non-security jobs. But if they continue working, they will get the results of their hard work faster. Hypothesis on remediation time As per the hypothesis, just 7% of the total respondents can remediate a critical vulnerability in less than an hour.  32% of the total respondents can remediate in one hour to less than one day.  33% of the total respondents can remediate in one day to less than one week.   Michael Stahnke, VP of Platform Engineering, CircleCI, said, “It shouldn’t be a surprise to anyone that integrating security into the software delivery lifecycle requires intentional effort and deep collaboration across teams.” Stahnke added, “What did surprise me, however, was that the practices that promote cross-team collaboration had the biggest impact on the teams’ confidence in the organisation’s security posture. Turns out, empathy and trust aren’t automatable.” Factors responsible for the success of an organizational structure to be DevOps ready The flexibility of the current organizational structure. The organizational culture.  How isolated the different functions are.  Skillsets of your team.  The relationship between team leaders and teams. Best practices for improving security posture Development and security teams collaborate on threat models. Security tools are integrated in the development integration pipeline such that the engineers feel confident that they are not involving any known security problems into their codebases. Security requirements, both functional as well as non-functional should be prioritised as part of the product backlog. Security experts should evaluate automated tests and review changes in high-risk areas of the code like cryptography, authentication systems, etc. Before the deployment, infrastructure-related security policies should be reviewed. Andrew Plato, CEO, Anitian, said, “Puppet’s State of DevOps report provides outstanding insights into the ongoing challenges of integrating security and DevOps teams.”  Plato added, “While the report outlines many problems, it also highlights the gains that arise when DevOps and security are fully integrated. These benefits include increased security effectiveness, more robust risk management, and tighter alignment of business and security goals. These insights mirror our experiences at Anitian implementing our security automation platform. We are proud to be a sponsor of the State of DevOps report as well as a technology partner with Puppet. We anticipate referencing this report regularly in our engagement with our customers as well as the DevOps and security communities.” To summarize, organizations that are focusing on improving their security posture and practices should adopt DevOps practices just as the organizations at the highest levels of DevOps acceptance have fully integrated security practices.  Check out the complete 2019 State of DevOps Report here. Other interesting news in cloud & networking GitLab 12.3 releases with web application firewall, keyboard shortcuts, productivity analytics, system hooks and more Kubernetes 1.16 releases with Endpoint Slices, general availability of Custom Resources, and other enhancements DevOps platform for coding, GitLab reached more than double valuation of $2.75 billion than its last funding and way ahead of its IPO in 2020  

Tesla rolled out a new software version for its Cars - Tesla Software Version 10.0 with a host of features for Model S, Model X, and Model 3 owners. Software v10 has in-car karaoke, entertainment services like Netflix and Hulu, as well as Spotify Premium account access. https://youtu.be/NfMtONBK8dY Probably the most interesting feature is the Smart Summon. If you are a customer who has purchased Full Self-Driving Capability or Enhanced Autopilot, you are eligible for the update. With this feature, you can summon your car or get it to navigate a parking lot, as long as the car is within your line of sight. This feature, Tesla says, is perfect, “if you have an overflowing shopping cart, are dealing with a fussy child, or simply don’t want to walk to your car through the rain.” Tesla’s updated file system now separates videos captured by the car’s camera when in Dashcam and Sentry Mode. They will be auto-deleted when there’s a need to free up storage. Tesla Software Version 10.0 is jam-packed with entertainment options With Tesla Theatre, you can stream Netflix, YouTube, and Hulu or Hulu + Live TV right from your car while parked. Chinese customers have iQiyi and Tencent Video access. Spotify Premium account access is also available in all supported markets, in addition to Slacker Radio and TuneIn. For China customers, Tesla has the Ximalaya service for podcasts and audiobooks. Additionally, you have a karaoke system “Car-aoke”, which includes a library of music and song lyrics that passengers and drivers can use parked or driving. Tesla also added some new navigation features that suggest interesting restaurants and sightseeing opportunities that are within your car’s range. Maps are also improved so that search results will be sorted based on the distance to each destination. Tesla Arcade has a new Cuphead port. Cuphead is a run and gun video game developed and published by StudioMDHR. Using a USB controller, single-player and co-op modes are available to play in the Tesla Edition of Cuphead. Tesla’s new software update has got Twitteratis thrilled. https://twitter.com/mortchad/status/1177301454446460933 https://twitter.com/ChrisJCav/status/1177304907197534208 https://twitter.com/A13Frank/status/1177339094835191808 To receive this update as quickly as possible, Tesla says, make sure your car is connected to Wi-Fi. You’ll automatically receive Version 10.0 when it’s ready for your car based on your location and vehicle configuration — there is no need to request the update. Tesla reports a $408 million loss in its Q2 earnings call; CTO and co-founder, JB Straubel steps down Tesla Autonomy Day takeaways: Full Self-Driving computer, Robotaxis launching next year, and more Researchers successfully trick Tesla autopilot into driving into opposing traffic via “small stickers as interference patches on the ground”. Tesla is building its own AI hardware for self-driving cars

On Tuesday, at The Atlantic Festival in Washington DC, Nick Clegg, communications VP at  Facebook outlined the measures that Facebook is taking to prevent the involvement of the third-party fact-checkers in elections.  Facebook relies on third-party fact-checkers for reducing the spread of fake news and misinformation. The company has now decided to exempt the politicians’ speech from their third-party fact-checking program as they don’t want to intervene in any political speech coming from politicians.  Clegg said in his speech, “At Facebook, our role is to make sure there is a level playing field, not to be a political participant ourselves.” The company will no longer send any organic content or ads coming from the politicians to their third-party fact-checking partners for review. In case a politician shares previously debunked content then Facebook will demote that content. How do these third-party fact-checkers handle fake news? The third-party fact-checkers review the posts and stories and identify the fake news by looking into the feedback coming from Facebook users. After checking the facts, they rate the accuracy of the content. In case fact-checker rates the content as false, the content will get demoted and will appear lower in News Feed. This also reduces the number of people who can view this content. The third-party fact-checkers restrict the pages and websites that repeatedly share false news and reduce their distribution on the platform. They will be restricted by the third-party fact-checkers from monetising and advertising and registering as a news Page. As per the newsworthiness exemption, Facebook does not ban content even if violates its guidelines  Since 2016, Facebook had a newsworthiness exemption which means if a user makes a statement or shares a post that goes against community standards, Facebook will still allow it on their platform if it doesn’t increase the risk of harm.  Clegg announced that from now on, the speech from politicians will be considered as newsworthy content.  Clegg’s speech reads, “Today, I announced that from now on we will treat speech from politicians as newsworthy content that should, as a general rule, be seen and heard. However, in keeping with the principle that we apply different standards to content for which we receive payment, this will not apply to ads – if someone chooses to post an ad on Facebook, they must still fall within our Community Standards and our advertising policies.” How is the newsworthiness determined? While determining the newsworthiness, the public’s interest in the value of speech is evaluated against the risk of harm. While balancing these interests, the company takes a number of factors into consideration which includes country-specific circumstances such as elections or war scenario.  He further added, “In evaluating the risk of harm, we will consider the severity of the harm. Content that has the potential to incite violence, for example, may pose a safety risk that outweighs the public interest value. Each of these evaluations will be holistic and comprehensive in nature, and will account for international human rights standards." Facebook makes it clear that they are just a platform for content  While explaining their stand, Clegg said, “At Facebook, our role is to make sure there is a level playing field, not to be a political participant ourselves. To use tennis as an analogy, our job is to make sure the court is ready – the surface is flat, the lines painted, the net at the correct height. But we don’t pick up a racket and start playing. How the players play the game is up to them, not us.” So, in this case, if the politicians are using nasty comments on the platform, the platform won’t be responsible or it, they can try to curb it to a limit by demoting the content in case it is inappropriate. The politicians have been given a platform to use it and it is up to them how they use it. According to Clegg, it is not possible for the platform to become a referee, each time a politician posts nasty comments and posts a fake claim.  Clegg added, “Would it be acceptable to society at large to have a private company in effect become a self-appointed referee for everything that politicians say? I don’t believe it would be. In open democracies, voters rightly believe that, as a general rule, they should be able to judge what politicians say themselves.” Facebook clarifies that it is not their job to intervene when the politicians speak and they won’t allow interference from third-party fact-checkers for reviewing them. How are YouTube and Twitter planning to deal with political speech? Yesterday, Susan Wojcicki, CEO at YouTube said that they won’t ban politicians from using YouTube even if their content goes against company’s guidelines, Politico reports. Wojcicki talked about how YouTube approach political figures and suggested that whatever they post is important for people to be aware of.  Wojcicki said at The Atlantic Festival, “When you have a political officer that is making information this is really important for their constituents to see, or for other global leaders to see, that is content that we would leave up because we think it’s important for other people to see.”  On the contrast, Twitter won’t take down the content by politicians or political figures because it’s of public interest, but the content that goes against the guidelines of the platform will be labeled as ‘rule-breaking’. The platform will de-prioritize the labeled tweets in the company’s algorithms and search bar so that they aren’t visible to a larger audience.  To know more about this news, check out Facebook’s post. Other interesting news in data Can a modified MIT ‘Hippocratic License’ to restrict misuse of open source software prompt a wave of ethical innovation in tech? ImageNet Roulette: New viral app trained using ImageNet exposes racial biases in artificial intelligent system GitLab 12.3 releases with web application firewall, keyboard shortcuts, productivity analytics, system hooks and more  

Yesterday, the GNOME Foundation shared that Rothschild Patent Imaging LLC has filed a lawsuit against them stating that their Shotwell photo manager and other similar products infringe its patent. “On information and belief, Defendant sells, offers to sell, and/or uses network storage systems and methods including, without limitation, the Gnome Shotwell platform, and any similar products (“Product”), which infringe at least Claim 4 of the ‘086 Patent,” the lawsuit reads. Shotwell is a digital photo manager for the GNOME desktop environment. It allows you to import photos and videos from a disk or digital camera directly and organize them by keywords and events. It also includes editing features for cropping, rotating, adjusting levels and color balance, straightening, and eliminating red-eye. GNOME has called this lawsuit “baseless” and has decided to fight against this case head-on. In a statement, Neil McGovern, Executive Director for the GNOME Foundation said, “We have retained legal counsel and intend to vigorously defend against this baseless suit. Due to the ongoing litigation, we, unfortunately, cannot make any further comments at this time.” The 9,936,086 patent titled "Wireless image distribution system and method” was filed by Rothschild Patent Imaging LLC at the US Patent and Trademark Office on 2 June 2017 and got accepted on 3 April 2018. It talks about wirelessly connecting an image capturing device with a receiving device and sharing them based on transfer criteria. This patent is very vague and can be applied to literally any software that transfers images from one device to another. Also, there are quite a few similar technologies that GNOME can present as prior art resulting in the invalidation of the lawsuit. There is Shotwell’s predecessor, F-Shot that was discontinued in 2017. In a discussion on LW.NET, a user shared, “Shotwell's predecessor (F-Spot) had equivalent "wireless" functionality at least two years before this patent was first applied for.” The GNOME Foundation is not the first one who has been sued by Rothschild Patent Imaging LLC. It looks like the company has been on a suing spree adding Cyberlink.com,  QNAP Inc., Pinterest, Inc., Piximity, LLC, Magix Computer Products International Co. on their list. Considering its history, many are saying that Rothschild Patent Imaging LLC is nothing but a patent troll. A user on Hacker News commented, “Rothschild Patent Imaging appears to be the company holding the rights to a number of dubious patents filed by Leigh M. Rothschild, who appears to have a well-deserved reputation as a patent troll.” Many users commented that there should be some kind of “reform” to eliminate patent trolling. A user added, “One reform worth considering is that an entity that can be demonstrated to persistently engage in frivolous patent lawsuits should lose the rights to their entire portfolio. This could be accomplished with a legal mechanism that allows the defendant to counter-sue the plaintiff as a patent troll. In this scope, they could bring in the previous litigation history of the plaintiff (or any related entities, piercing the corporate veil). If the judge rules in the defendant's favor, then all of the plaintiff's patents (and any related entities) are immediately released into the public domain.” Another user suggested, “Another potential reform (from the book "Radical Markets") - charge a (say 1%) property tax on the patent based on self-assessed value, with the caveat that you MUST sell the patent to anyone willing to pay your claimed value. This basically destroys patent trolling, which only works because of the asymmetrical difference in cost between obtaining a patent and defending a patent lawsuit. If the troll prices the patent too low, the person they are suing just buys it, if they charge too much, they have a massive recurring tax bill (and an incentive to settle quickly, not to drag it out in the courts for years).” GNOME 3.34 releases with tab pinning, improved background panel, custom folders and more! GNOME 3.32 released with fractional scaling, improvements to desktop, web and much more Amazon patents AI-powered drones to provide ‘surveillance as a service’ Apple is patenting Swift features like optional chaining Open Invention Network expands its patent non-aggression coverage in Linux system  

Update: Six days after an anonymous researcher had disclosed a zero-day pre-auth remote code execution vulnerability in vBulletin, Cloudflare has deployed a new rule within their Cloudflare Specials Rulesets (ruleId: 100166).  The Cloudflare team states, “We assess this vulnerability to be very significant as it has a CVSS score of 9.8/10 and affects 7 out of the 10 key risk areas of the OWASP 2017 Top 10. Protection against common RCE attacks is a standard feature of Cloudflare's Managed Rulesets.” Cloudflare customers with Managed Rulesets and Cloudflare Specials can be protected against this vulnerability by enabling the WAF Managed Rulesets in the Firewall tab of Cloudflare. Head over to the Cloudflare blog for more details about Cloudflare’s protection against this vulnerability. On September 23rd, an anonymous researcher published a zero-day pre-authentication remote code execution vulnerability in vBulletin, which allows an attacker to remotely execute malicious shell commands on any vBulletin server running versions 5.0.0 up to 5.5.4. The vulnerability was disclosed on Full Disclosure, a public access mailing list. Yesterday, the vBulletin team issued a security patch for this vulnerability, which is now tracked under the CVE-2019-16759. How does the zero-day vulnerability in vBulletin work Ryan Seguin, a research engineer at Tenable explains in his blog that this vulnerability utilizes default vBulletin configurations. This enables an unauthenticated attacker to send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. He further states, “These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host.” Another security researcher, Troy Mursch of the Bad Packets security intelligence service told Arstechnica that the attackers are employing botnets to actively exploit vulnerable servers. The exploit, Mursch says, can modify the includes/vb5/frontend/controller/bbcode.php via the "sed" command to add a backdoor to the code. Mursch adds, “This is done by setting a “password” (epass) of 2dmfrb28nu3c6s9j. By doing this, the compromised site will only execute code in the eval function if 2dmfrb28nu3c6s9j is set in future requests sent to the server. This would allow a botnet command-and-control (C2) server to exclusively exploit CVE-2019-16759 and issue commands to the targeted site. The vulnerability itself has been regarded by some as a backdoor.” The vBulletin vulnerability is exploiting websites via the backdoor to build a list of bots that can configure supplementary ways of exploiting the infected hosts. The backdoor can infect the compromised hosts with DDoS malware and conduct denial-of-service attacks. It is not known yet if the anonymous publisher of this vulnerability had reported the vulnerability to the vBulletin team or not. Another possibility is that the vBulletin team could not find a timely solution to this issue, encouraging the user to publish the vulnerability on Full Disclosure. The anonymous researcher has published about the zero-day vulnerability from an unnamed email service. Why is a vulnerability in vBulletin so severe? vBulletin, a popular web forum software package has around 0.1% market share of all the running forums across the internet. Though the percentage looks small, the vulnerability in vBulletin can impact billions of internet users, reports ZDNet. vBulletin is designed to collect user information about registered users. “While billions of internet sites don't store any info about users, a handful of online forums could very easily store data on most internet users. Therefore, a market share of 0.1% is actually pretty significant, when we factor in how many users could be registered on these forums.” Steam, EA, Zynga, NASA, Sony, BodyBuilding.com, the Houston Texans, and the Denver Broncos are some of the customers that use the vBulletin server. Yesterday, GreyNoise, a cybersecurity company has tweeted that the vBulletin hackers are actively using this vulnerability to attack vulnerable forums. https://twitter.com/GreyNoiseIO/status/1176898873622781954 According to Chaouki Bekrar, founder and CEO of the Zerodium exploit broker, the vulnerability is known for many years. https://twitter.com/cBekrar/status/1176803541047861249 The vBulletin team has already issued a patch for CVE-2019-16759 for vBulletin versions 5.5.2, 5.5.3, and 5.5.4. Users on earlier versions of vBulletin 5.x are advised to update to one of the supported versions in order to implement the patch. The vBulletin cloud version has already updated and fixed this issue. Silicon-Interconnect Fabric is soon on its way to replace Printed Circuit Boards, new UCLA research claims Google Chrome Keystone update can render your Mac system unbootable ReactOS 0.4.12 releases with kernel improvements, Intel e1000 NIC driver support, and more

Researchers from UCLA claim in a news study that printed circuit board could be replaced with what they call silicon-interconnect fabric or Si-IF. This fabric allows bare chips to be connected directly to wiring on a separate piece of silicon. The researchers are Puneet Gupta and Subramanian Iyer, members of the electrical engineering department at the University of California at Los Angeles. How can Silicon-Interconnect Fabric be useful In a report published on IEEE Spectrum on Tuesday, the researchers suggest that printed circuit boards can be replaced with silicon which will especially help in building smaller, lighter-weight systems for wearables and other size-constrained gadgets. They write, “Unlike connections on a printed circuit board, the wiring between chips on our fabric is just as small as wiring within a chip. Many more chip-to-chip connections are thus possible, and those connections are able to transmit data faster while using less energy.” Si-IF can also be useful for building “powerful high-performance computers that would pack dozens of servers’ worth of computing capability onto a dinner-plate-size wafer of silicon.” The silicon-interconnect fabric could possibly dissolute the system-on-chip (SoC) into integrated collections of dielets, or chiplets. The researchers say, “It’s an excellent path toward the dissolution of the (relatively) big, complicated, and difficult-to-manufacture systems-on-chips that currently run everything from smartphones to supercomputers. In place of SoCs, system designers could use a conglomeration of smaller, simpler-to-design, and easier-to-manufacture chiplets tightly interconnected on an Si-IF.” The researchers linked up chiplets on a silicon-interconnect fabric built on a 100-millimeter-wide wafer. Unlike chips on a printed circuit board, they can be placed a mere 100 micrometers apart, speeding signals and reducing energy consumption. For evaluating the size, the researchers compared an Internet of Things system based on an Arm microcontroller. Using Si-IF shrinks the size of the board by 70 percent but also reduces its weight from 20 grams to 8 grams. Challenges associated with Silicon-Interconnect Fabric Even though large progress has been made on Si-IF integration over the past few years, the researchers point out that much remains to be done. For instance, there is a need of having a commercially viable, high-yield Si-IF manufacturing process. You also need mechanisms to test bare chiplets as well as unpopulated Si-IFs. New heat sinks or other thermal-dissipation strategies will also be required to take advantage of silicon’s good thermal conductivity. In addition, the chassis, mounts, connectors, and cabling for silicon wafers need to be engineered to enable complete systems. There is also the need to make several changes to design methodology and to consider system reliability. People agreed that the research looked promising. However, some felt that replacing PCBs with Si-IF sounded overachieving, to begin with. A comment on Hacker News reads, “I agree this looks promising, though I'm not an expert in this field. But the title is a bit, well, overpromising or broad. I don't think we'll replace traditional motherboards anytime soon (except maybe in smartphones?). Rather, it will be an incremental progress.” Others were also not convinced. A hacker news user pointed out several benefits of PCBs. “ PCBs are cheaper to manufacture than silicon wafers. PCBs can be arbitrarily created and adjusted with little overhead cost (time and money). PCBs can be re-worked if a small hardware fault(s) is found. PCBs can carry large amount of power. PCBs can help absorb heat away from some components. PCBs have a small amount of flexibility, allowing them to absorb shock much easier PCBs can be cut in such a way as to allow for mounting holes or be in relatively arbitrary shapes. PCBs can be designed to protect some components from static damage.” You can read the full research on IEEE. Hot Chips 31: IBM Power10, AMD’s AI ambitions, Intel NNP-T, Cerebras largest chip with 1.2 trillion transistors and more. IBM open-sources Power ISA and other chips; brings OpenPOWER foundation under the Linux Foundation Deep learning models have massive carbon footprints, can photonic chips help reduce power consumption? Samsung develops Key-value SSD prototype, paving the way for optimizing network storage efficiency and extending server CPU processing power MIT researchers built a 16-bit RISC-V compliant microprocessor from carbon nanotubes

Yesterday, Mr Macintosh website reported of Google Chrome Keystone updated to remove the /var symlink on NON SIP protected Mac computers, causing account and booting issues. Few MacAdmins started to report that their systems would not boot properly. And they had following issues:   1. After rebooting the affected system it would Kernel Panic. The system will reboot only to KP again 2. User Logs out and the system shows the Setup Assistant. 3. The System Kernel Panics into a boot Loop.   The MacOS versions 10.9 – 10.14 Mojave were affected by this. It seems the issue affects all Macs that have SIP (System Integrity Protection) Disabled or turned off. Google Chrome keystone update causes booting issues AVID users were some of the first to report the issue. They said that AVID Media Creators use 3rd Party Graphics cards connected to their Mac Pro. When the issue hit yesterday, it was thought that AVID was the main cause of the problems since all the users experiencing the issue had AVID software. Only later after a MacAdmins dived deep in an investigation. After investigation from some of the top minds in the MacAmins Slack Chat #varsectomy channel it was found that the Google Chrome Keystone Updater was at the heart of the issue. How to check if the /var symlink was modified You can check to see if the /var symlink was modified by running the following command. ls -ldO /var The following outputs appear. The first one below means that your /var volder is SIP protected (notice the restrictedflag) and the proper sym link /var -> private/var lrwxr-xr-x@ 1 root wheel restricted,hidden 11 Apr 1 2018 /var -> private/var The next one means that your symlink is broken and the folder is NOT SIP Protected. drwxr-xr-x 5 503 wheel - 170 Sep 24 14:37 /var If you find /var in this condition you are affected! If you LOGOUT, SHUTDOWN OR RESTART your Mac will NOT Boot! You will need to boot into recovery, repair the /var symlink and reset the restricted flags. And there are two ways to fix the issue. First is to fix from MacAdmins User Juest and second is from Google Support, you need to use commands while booting through macOS Recovery. Community hates automatic updates from Google Chrome On Hacker News, users are discussing about sudden updates on Google Chrome Keystone which cause such issues and prefer using Safari or Firefox instead of Chrome. One of them commented, “I've always hated that "service" (more like malware given this news) like everything else that installs itself into the autolaunch sequence without permission, and remove* it whenever I notice/remember it, but it keeps coming back whenever I touch Google Chrome, which I prefer not to use in favor of Safari/FireFox because of reasons like this. Things like these (including secretly signing you into Search when you sign into YouTube† or refusing to support PiP on iPadOS/macOS) just solidify Google's image in my mind as a forever scummy, intrusive company that I wish I could leave behind like I did Microsoft, but sadly Google Search and YouTube still don't have good enough alternatives yet.” Another user commented, “The trends that Google has spearheaded have had a real effect on me over the years. I feel alienated from my computer. Subtle things will just change. If I really dig I might be able to find out why, but I don't have the time, so I just accept it. Usually very small things that are barely noticeable. My Chromecast extension disappeared and was integrated into the browser. My brain could not help but notice this benign change, which caused a hard to place sense of unease. Or when Google decided to remove rotation from the home screen on Android 2.3 -- it wasn't a huge problem, but I could have sworn that something changed. Users were conflicted, many convincing themselves that the homescreen never rotated at all. It has made me not trust my computer. I second guess myself much more. If some option no longer exists, I wonder if it was just my imagination or if it was quietly deprecated while I wasn't looking. Does it even matter? I think that we are being trained to see devices as ephemeral, and not to get too attached to them.” To know more about Google Chrome Keystone update and the issue regarding this, check out the Mr. Macintosh website. Other interesting news in web development Google Chrome 76 now supports native lazy-loading Google Chrome to simplify URLs by hiding special-case subdomains Google Chrome will soon support LazyLoad, a solution to lazily load below-the-fold images and iframes

Last week, the React team announced the release of React Native 0.61. This release comes with an overhauled reloading feature called Fast Refresh, a new hook named ‘useWindowDimensions’, and more. https://twitter.com/dan_abramov/status/1176597851822010375 Key updates in React Native 0.61 Fast Refresh for reliable hot reloading In December last year, the React Native team asked developers what they dislike about React Native. Developers listed the problems they face when creating a React Native application including clunky debugging, improved open-source contribution process, and more. Hot reloading refreshes the updated files without losing the app state. Previously, it did not work reliably with function components, often failed to update the screen, and wasn’t resilient to typos and mistakes, which was one of the major pain points. To address this issue, React Native 0.61 introduces Fast Refresh, which is a combination of live reloading with hot reloading. Dan Abramov, a core React Native developer, wrote in the announcement, “In React Native 0.61, we’re unifying the existing “live reloading” (reload on save) and “hot reloading” features into a single new feature called “Fast Refresh”.” Fast Refresh fully supports function components, hooks, recovers gracefully after typos and mistakes, and does not perform invasive code transformations. It is enabled by default, however, you can turn it off in the Dev Menu. The useWindowDimensions hook React Native 0.61 comes with a new hook called useWindowDimensions, which can be used as an alternative to the Dimensions API in most cases. This will automatically provide and subscribe to window dimension updates. Read also: React Conf 2018 highlights: Hooks, Concurrent React, and more Improved CocoaPods compatibility support is fixed In React Native 0.60, CocoaPods was integrated by default, which ended up breaking builds that used the use_frameworks! attribute. In React Native 0.61, this issue is fixed by making some updates in podspec, which describes a version of a Pod library. Read also: React Native development tools: Expo, React Native CLI, CocoaPods [Tutorial] Check out the official announcement to know more about React Native 0.61. 5 pitfalls of React Hooks you should avoid – Kent C. Dodds #Reactgate forces React leaders to confront community’s toxic culture head on Ionic React RC is now out! React Native VS Xamarin: Which is the better cross-platform mobile development framework? React Native community announce March updates, post sharing the roadmap for Q4

Last week, Pi-hole, the open-source Linux network-level advertisement and internet tracker blocking application released their latest version Pi-hole 4.3.2. It includes many changes in its core and web interfaces. Users can run pihole -up to update this version from a terminal session. One of the core contributors to Pi-hole, Adam Warner revealed that the major change in this release is the removal of support for adblock style lists like Easylist/Easyprivacy. He alerted users that this may lead to a reduction in the number of blocked domains by Pi-hole. Warner also specified the motive behind the removal of adblock support as, “these lists were never designed to be parsed into a HOST formatted file, and while it may catch some domains, there are far too many false positives produced by using them in this way. If you have lists in this format, Pi-hole will now ignore them, and attempts to get around the detection will likely end up with a broken gravity list.” Pi-hole uses dnsmasq, cURL, lighttpd, PHP, and other tools to block Domain Name System (DNS) requests for known tracking and advertising. Intended for a private network, Pi-hole is implemented on embedded devices with network capabilities like Raspberry Pi. A Pi-hole can also block traditional website adverts in smart TVs, mobile operating systems, and more. If Pi-hole obtains any requests from adverts or tracking domains, it does not resolve the requested domain and responds to the requesting device with a blank webpage. Users are happy with Pi-hole 4.3.2 release and are all praises for it on Hacker News. A user said, “I'm a huge fan of this project! I have 3 set-up right now. One as a container on my Nuc at home for myself, and 2 other on old Pi's (one is a 1st gen B model) for family. A simple job to run every 2 months keeps everything up to date. For myself, I use Wireguard to only forward DNS packets to the PiHole when I'm outside the house. If you install a PiHole your help desk calls from family will drop by 90% (personal experience).” Another user comments, “I have Pi-hole running on my LAN and it's amazing. It also helped me identify that my Amcrest PoE security cameras aggressively phone home, even when no cloud functionality is configured on them. All the reasons to keep them on their own VLAN and off the Internet.” Another comment read, “One unadvertised advantage of pi-hole is monitoring and blocking sites that you don't want kids to use, such as the thousands of io-games and whatnot.” Check out the Pi-hole 4.3.2 release notes to know full updates of this release. Brave ad-blocker gives 69x better performance with its new engine written in Rust Chromium developers propose an alternative to webRequest API that could result in existing ad blockers’ end Opera Touch browser lets you browse with one hand on your iPhone, comes with e2e encryption and built-in ad blockers too!

iPadOS was first announced at Apple’s WWDC 2019 conference as a new operating system for Apple’s iPad which used iOS. Basically, iPadOS builds on the same foundation as iOS, adding intuitive features specific to the large display of iPad. Now, Apple iPadOS is available for iPad Air 2 and later and iPad mini 4 and later. iPadOS has a new Home screen layout with icons arranged in a tighter grid to give you more room for apps and information. What’s new in iPadOS Split View and Slide Over Split View allows you to work on multiple files and documents simultaneously while using the same app for multiple purposes. With Slide Over, you can quickly move between apps by swiping along the bottom. You can also swipe up to see all the apps in Slide Over and make it full screen by dragging it to the top. You can also open a window from the same app in multiple spaces so you can work on different projects across your iPad. The updated App Switcher shows all spaces and windows for all apps along with title windows and the App Exposé allows you to see all the open windows for an app by tapping its icon in the Dock. Updates to Apple Pencil Apple Pencil integration now brings more natural customizations to iPadOS. The latency has been reduced to 9 milliseconds and tool palette has been redesigned. You can drag it to either side of the screen, or minimize it in the corner so you have more room for your content. Apple Pencil also has a pixel eraser and a ruler.  You can also quickly take a screenshot using Apple Pencil by dragging it from either bottom corner. Improvements in the Files app The Files app gets a major improvement and iCloud Drive support for folder sharing. You can now access files on a USB drive, SD card, or hard drive. You can also share folders with friends, family, and colleagues in iCloud Drive. You can also easily browse files deep in nested folders in the new Column View. Quick Actions makes it easy to rotate, mark up, or create a PDF in the Files app. Improved Text Editing Text editing on the iPad receives a major update with iPadOS. With Scroll bar scrubbing, you can instantly navigate long documents, web pages, and conversations. You can also select text just by tapping and swiping. You can double-tap to quickly select addresses, phone numbers, email addresses, and more. With a simple three‑finger swipe to the left, you can undo gestures or redo by swiping three fingers to the right. You can also quickly select email messages, files, and folders by tapping with two fingers and dragging. Other updates in iPadOS You can use your iPad as a second display for additional screen space. New Dark Mode option for low-light environments New Photos tab lets you browse your photo library with different levels of curation Apps launch is up to 2x faster and unlocking the iPad Pro is up to 30 percent faster Support for Apple Arcade, a game subscription service with over 100 amazing new games, all with no ads or additional purchases. Bug in iPadOS grants third-party keyboards full access Apple has warned its users that a bug has been found in iOS and iPadOS that can result in keyboard extensions being granted full access even if you haven't approved this access. This issue does not impact Apple’s built-in keyboards. It also doesn't impact third-party keyboards that don't make use of full access. Apple says that the issue will be fixed soon in an upcoming software update. These are a select few updates. For more information read the detailed coverage on Apple iPadOS. Apple’s September 2019 Event: iPhone 11 Pro and Pro Max, Watch Series 5, Apple TV+, new iPad and more. Apple releases Safari 13 with opt-in dark mode support, FIDO2-compliant USB security keys support and more!. Apple accidentally unpatches a fixed bug in iOS 12.4 that enables its jailbreaking

Yesterday, Joshua Litt from the Google Chromium team announced to add support for top-level await in V8. V8 is Google’s open source high-performance JavaScript and WebAssembly engine, written in C++. It is used in Chrome and in Node.js, among others. It implements ECMAScript and WebAssembly, and runs on Windows 7 or later, macOS 10.12+, and Linux systems that use x64, IA-32, ARM, or MIPS processors. V8 can run standalone, or can be embedded into any C++ application. The official documentation page on Google Chromium reads, “Adds support for parsing top level await to V8, as well as many tests.This is the final cl in the series to add support for top level await to v8.” Top-level await support will ease running JS script in V8 As per the latest ECMAScript proposal on top-level await allows the await keyword to be used at the top level of the module goal. Top-level await enables modules to act as big async functions: With top-level await, ECMAScript Modules (ESM) can await resources, causing other modules who import them to wait before they start evaluating their body. Earlier developers used IIFE for top-level awaits, a JavaScript function that runs as soon as it is defined. But there are certain limitations in using IIFE, that is with await only available within async functions, a module can include await in the code that executes at startup by factoring that code into an async function. And this pattern will be immediately invoked with IIFE and it is appropriate for situations where loading a module is intended to schedule work that will happen some time later. While Top-level await function lets developers rely on the module system itself to handle all of these, and make sure that things are well-coordinated. Community is really happy to know that top-level support has been added to V8. On Hacker News, one of the users commented, “This is huge! Finally no more need to use IIFE's for top level awaits”. Another user commented, “Top level await does more than remove a main function. If you import modules that use top level await, they will be resolved before the imports finish. To me this is most important in node where it's not uncommon to do async operations during initialization. Currently you either have to export a promise or an async function.” To know more about this read the official Google Chromium documentation page. Other interesting news in web development New memory usage optimizations implemented in V8 Lite can also benefit V8 LLVM WebAssembly backend will soon become Emscripten’s default backend, V8 announces V8 7.5 Beta is now out with WebAssembly implicit caching, bulk memory operations, and more