Tech News

Filestack has come up with Filestack Workflows, a machine learning powered solution to help businesses detect, analyze, moderate and curate content in scalable and automated ways. Filestack and Workflows have traditionally been providing tools for companies to handle content as it is uploaded. Their tools checked for NSFW content, cropped photos, performed copyright detection on Word Docs, etc. However, handling content at scale using tools they've built in-house was proving to be difficult. They relied heavily on developers to implement the code or set up a chain of events. This brought them to develop a new interface that allows businesses to upload, moderate, transform and understand content at scale, freeing them to innovate more and manage less. The Filestack Workflows platform is built on a logic-driven intelligence functionality which uses machine learning to provide quick analysis of images and return actionable insights. This includes object recognition and detection, explicit content detection, optical character recognition, and copyright detection. Filestack Workflows provide flexibility for integration either from Filestack’s own API or from a simple user Interface. Workflows also have several new features that extend far beyond simple image transformation: Optical Character Recognition (OCR) allows users to abstract text from any given image. Images of everything from tax documents to street signs can be uploaded through their system, returning a raw text format of all characters in that image. Not Safe for Work (NSFW) Detection for filtering out content that is not appropriate for the workplace. Their image tagging feature can automate content moderations by implementing “safe for work” and a “not safe for work” score. Copyright Detection to determine if a file is an original work. A single API call will display the copyright status of single or multiple images. They have also released a quick demo to highlight the features of Filestack Workflows. This demo creates a Workflow that takes uploaded content (images or documents) and determines a filetype and then curates ‘safe for work’ images. It determines the Filetype using the following logic: If it is an 'Image' then: Determine if the image is 'Safe for Work' If it is 'Safe', then store to a specific storage source. If it is 'Not Safe' then, pixelate the image, and then store to a specific storage source for modified images. If it is a 'Document', then store to a specific storage source for documents. Read more about the news on Filestack’s blog. Facebook introduces Rosetta, a scalable OCR system that understands text on images using Faster-RCNN and CNN How Netflix uses AVA, an Image Discovery tool to find the perfect title image for each of its shows Datasets and deep learning methodologies to extend image-based applications to videos

I started to add a daily coping tip to the SQLServerCentral newsletter and to the Community Circle, which is helping me deal with the issues in the world. I’m adding my responses for each day here. All my coping tips are under this tag.  Today’s tip is to bring joy to others. Share something which made you laugh. I love comedy, and that is one outing that my wife and I miss. We’ve watched some specials and comedians online, but it’s not the same. I look forward to being able to go back to a live comedy show. One thing that I love about the Internet is the incredible creativity of so many people. While I get that there is a lot of things posted that others may not like, and it’s easy to waste lots of time, it’s also nice to take a brief break and be entertained by something. There is plenty to be offended by, but one of the cleaner, more entertaining things was brought to my by my daughter. She showed me You Suck at Cooking one night while I was cooking. I finished and then ended up spending about 20 minute watching with her while we ate. Two I enjoyed: kale chips potato latkes The post Daily Coping 30 Dec 2020 appeared first on SQLServerCentral.

Last week, the Scala team announced the release of Scala 2.13. This release brings a number of improvements including overhauled standard library collections, a 5-10% faster compiler, and more. Overhauled standard library collections The major highlight of Scala 2.13 is standard library collections that are now better in simplicity, performance, and safety departments as compared to previous versions.  Some of the important changes made in collections include: Simpler method signatures The implicit CanBuildFrom parameter was one of the most powerful abstractions in the collections library. However, it used to make method signatures too difficult to understand. Beginning this release, transformation methods will no longer take an implicit ‘CanBuildFrom’ parameter making the resulting code simpler and easier to understand. Simpler type hierarchy The package scala.collection.parallel is now a part of the Scala standard module. This module will now come as a separate JAR that you can omit from your project if it does not uses parallel collections. Additionally, Traversable and TraversableOnce are now deprecated. New concrete collections The Stream collection is now replaced by LazyList that evaluates elements in order and only when needed. A new mutable.CollisionProofHashMap collection is introduced that implements mutable maps using a hashtable with red-black trees in the buckets. This provides good performance even in worst-case scenarios on hash collisions. The mutable.ArrayDeque collection is added, which is a double-ended queue that internally uses a resizable circular buffer. Improved Concurrency In Scala 2.13, Futures are “internally redesigned” to ensure it provides expected behavior in a broader set of failures. The updated Futures will also provide a foundation for increased performance and support more robust applications. Changes in the language The updates in language include the introduction of literal-based singleton types, partial unification on by default, and by-name method arguments extended to support both implicit and explicit parameters. Compiler updates The compiler will now be able to perform a deterministic and reproducible compilation. This essentially means that it will be able to generate identical output for identical input in more cases. Also, operations on collections and arrays are now optimized making the compiler 5-10% better compared to Scala 2.12. These were some of the exciting updates in Scala 2.13. For a detailed list, check out the official release notes. How to set up the Scala Plugin in IntelliJ IDE [Tutorial] Understanding functional reactive programming in Scala [Tutorial] Classifying flowers in Iris Dataset using Scala [Tutorial]

A few days ago, a German security agency CERT-Bund revealed it had found a Remote Code Execution (RCE) flaw in the popular open-source, VLC Media Player allowing hackers to install, modify, or run any software on a victim’s device without their authority and could also be used to disclose files on the host system. The vulnerability (listed as CVE-2019-13615) was first announced by WinFuture and received a vulnerability score of 9.8 making it a "critical" problem. According to a release by CERT-Bund, “A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files.” According to Threat Post, “Specifically, VLC media player’s heap-based buffer over-read vulnerability exists in mkv::demux_sys_t::FreeUnused() in the media player’s modules/demux/mkv/demux.cpp function when called from mkv::Open in modules/demux/mkv/mkv.cpp.” VLC is not vulnerable, VideoLAN says Yesterday, VideoLAN, the makers of VLC, tweeted that VLC is not vulnerable. They said, “the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.” https://twitter.com/videolan/status/1153963312981389312 VideoLAN said a reporter, opened a bug on their public bug tracker, which is outside of the reporting policy and should have mailed in private on the security alias. “We could not, of course, reproduce the issue, and tried to contact the security researcher, in private”, VideoLAN tweeted. VideoLAN said the reporter was using Ubuntu 18.04, an old version of Ubuntu and “clearly has not all the updated libraries. But did not answer our questions.” VideoLAN says it wasn’t contacted before the CVE was issued VideoLAN is quite unhappy that MITRE Corp did not approach them before issuing a CVE for the VLC vulnerability, which is a direct violation of MITRE’s own policies. Source: CVE.mitre.org https://twitter.com/videolan/status/1153965979988348928 When VideoLAN complained and asked if they could manage their own CVE (like another CNA), “we had no answer and @usnistgov NVD told us that they basically couldn't do anything for us, not even fixing the wrong information”, they tweeted. https://twitter.com/videolan/status/1153965981536010240 VideoLAN said even CERT Bund did not contact them for clarifications. They further added, “So, when @certbund decided to do their "disclosure", all the media jumped in, without checking anything nor contacting us.” https://twitter.com/videolan/status/1153971024297431047 The VLC CVE on the National Vulnerability Database has now been updated. NVD has downgraded the severity of the issue from a Base Score of 9.8 (critical) to 5.5 (medium). Also, the changelog specifies that the “Victim must voluntarily interact with attack mechanism.” Dan Kaminsky, an American security researcher, tweeted, “A couple of things, though: 1) Ubuntu 18.04 is not some ancient version 2) Playing videos with VLC is both a first-class user demand and a major attack surface, given the realities of content sourcing.  If Ubuntu can't secure VLC dependencies, VLC probably has to ship local libs.” https://twitter.com/dakami/status/1154118377197035520 Last month, VideoLAN fixed two high severity bugs in their security update for the VLC media player. The update included fixes for 33 vulnerabilities in total, of which two were marked critical, 21 medium and 10 rated low. Jean-Baptiste Kempf, president of VideoLAN and an open-source developer, wrote, “This high number of security issues is due to the sponsoring of a bug bounty program funded by the European Commission, during the Free and Open Source Software Audit (FOSSA) program”. To know more about this news in detail, you can read WinFuture’s blog post. The EU Bounty Program enabled in VLC 3.0.7 release, this version fixed the most number of security issues A zero-day vulnerability on Mac Zoom Client allows hackers to enable users’ camera, leaving 750k companies exposed VLC’s updating mechanism still uses HTTP over HTTPS

Walt, an alternative syntax for WebAssembly text format, was introduced today. It allows developers to use JavaScript syntax to write to as “close to the metal” as possible. Its ultimate goal is to make WebAssembly accessible to regular JavaScript programmers. Written 100% in JavaScript it requires no LLVM/binary toolkits. What Walt tries to solve? Writing zero-overhead, optimized WebAssembly code is difficult. You need to write very plain C code, compile that to .wast and then optimize that result. Then, finally, you're ready to compile that into the final WebAssembly binary. Walt attempts to take C/Rust out of the equation and write “as close to the metal” as possible without losing readability. How it solves the problem? What Walt does is, it provides a thin layer of syntax sugar on top of .wat text format. This improved syntax will give developers direct control over the WebAssembly output. This means that there should be minimal to none post optimization to be done to the wast code generated. For example, here is what a .walt module, which exports a recursive Fibonacci function, looks like: Source: GitHub When this code is passed through the Walt compiler, you get a buffer which can be used to create a WebAssembly module with a fibonacci export. Al this is done with familiar JS syntax and without any external binary toolkits. What are some of its use cases? Anyone who is interested in WebAssembly but is not familiar with system languages can get a quick start with Walt. It can be used in the following scenarios: Web/Node libraries Games Web VR/AR Projects depending on heavy real-time computation from complex UIs to 3D visualizations To know more about Walt and how you can get started with it, check out its GitHub repository. Introducing Wasmjit: A kernel mode WebAssembly runtime for Linux Unity Benchmark report approves WebAssembly load times and performance in popular web browsers Why is everyone going crazy over WebAssembly?

Jenkins has been a success for more than a decade now mainly due to its extensibility, community and it being general purpose. But there are some challenges and problems in it which have become more pronounced now. Kohsuke Kawaguchi, the creator of Jenkins, is now planning to take steps to solve these problems and make the platform better. Challenges in Jenkins With growing competition in the continuous integration (CI), The following limitations in Jenkins come in the way of teams. Some of them discourage admins from using and installing plugins. Service instability: CI is a critical service nowadays. People are running bigger workloads, needing more plugins, and high availability. Services like instant messaging platforms need to be online all the time. Jenkins is unable to keep up with this expectation and a large instance requires a lot of overhead to keep it running. It is common for someone to restart Jenkins every day and that delays processes. Errors need to be contained to a specific area without impacting the whole service. Brittle Configuration: Installing/upgrading plugins and tweaking job settings have caused side effects. This makes admins lose confidence to make these changes safely. There is a fear that the next upgrade might break something and cause problems for other teams and affect delivery. Assembly required: Jenkins requires an assembly of service blocks to make it work as a whole. As CI has become mainstream, the users want something that can be deployed in a few clicks. Having too many choices is confusing and leads to uncertainty when assembling. This is not something that can be solved by creating more plugins. Reduced Development Velocity: It is difficult for a contributor to make a change that spans across multiple plugins. The tests do not give enough confidence to shop code; many of them do not run automatically and the coverage is not deep. Changes and steps to make Jenkins better There are two key efforts here, Cloud Native Jenkins and Jolt. Cloud native is a CI engine that runs on Kubernetes and has a different architecture, Jolt will continue in Jenkins 2 and add faster development pace with increased stability. Cloud Native Jenkins It is a sub-project in the context of Cloud Native SIG. It will use Kubernetes as runtime. It will have a new extensibility mechanism to retain what works and to continue the development of the the automation platform's ecosystem. Data on Cloud Managed Data Services to achieve high availability and horizontal scalability, alleviating admins from additional responsibilities. Configuration as Code and Jenkins Evergreen help with the brittleness. There are also plans to make Jenkins secure by default design and to continue with Jenkins X which has been received very well. The aim is to get things going in 5 clicks through easy integration with key services. Jolt in Jenkins Cloud Native Jenkins is not usable for everyone and targets only a particular set of functionalities. It also requires a platform which has a limited adoption today, so Jenkins 2 will be continued at a faster pace. For this Jolt in Jenkins is introduced. This is inspired by what happened to the development of Java SE; change in the release model by shedding off parts to move faster. There will a major version number change every couple of months. The platform needs to be largely compatible and the pace needs to justify any inconvenience put on the users. For more, visit the official Jenkins Blog. How to build and enable the Jenkins Mesos plugin Google Compute Engine Plugin makes it easy to use Jenkins on Google Cloud Platform Everything you need to know about Jenkins X, the new cloud native CI/CD solution on Kubernetes

Yesterday, JetBrains announced the release of IntelliJ IDEA 2019.2 Beta 2, which marks the next step towards the stable release. The team has already implemented major features like profiling tools, better shell script support, a new Services tool window, among others. With this release, the team has given a final polish to the existing features including the Terminal that now soft-wraps long lines better. This solves the previous problem of breaking links while wrapping lines. Source: IntelliJ IDEA Shell script support This release will come with rich editing features for shell scripts including word and path completion, quick documentation preview, and textual rename. Additionally, it will also allow integration with various other external tools to provide developers an enhanced shell script support. For instance, the IDE will prompt you to install ShellCheck to detect possible errors in your scripts and also suggest quick fixes for them. A new Services tool window IntelliJ IDEA 2019.2 will introduce a new Services tool window, which will be your single stop to view all connections and run configurations that are configured to be reported to the Services view.  The Services view will incorporate windows for several tools such as RunDashboard, Database Console, Docker, and Application Servers. You have the option of viewing all the service types as nodes or tabs. To view a service type on a separate tab you can either use the Show in New tab action from the toolbar or simply drag and drop the needed node on to the edge of the Services tool window. You can also create a custom tab to group various services using the Group Services action from the context menu or from the toolbar. Source: IntelliJ IDEA Profiling tools for IntelliJ IDEA Ultimate You will be able to analyze the performance of your application right from the IDE using the new CPU Profiler integration and Memory Profiler integration on macOS, Linux, and Windows. It will also come integrated with Java Flight Recorder and Async profiler. This will help you get an insight into how the CPU and memory resources are allocated in your application. To run Java Flight Recorder or Async profiler, you just need to click the icon on the main toolbar or the run icon in the gutter. These tools will only be available in the professional and fully-featured commercial IDE, IntelliJ IDEA Ultimate. Source: IntelliJ IDEA Syntax highlighting for over 20 different programming languages IntelliJ IDEA 2019.2 will provide syntax highlighting for more than 20 different languages. To provide this support, this upcoming version comes integrated with TextMate text editor and a collection of built-in grammar files for various languages. You can find the full list of supported languages in Preferences / Settings | Editor | TextMate Bundles. In case you require syntax highlighting for any additional languages, you can download the TextMate bundle for the selected language and import it into IntelliJ IDEA. Commit directly from the Local Changes With this version, developers will be able to commit directly from the Local Changes tab without having to go through a separate Commit dialog. While working on a commit, you will be able to browse through the source code, view the file history, view the diff for the file in the same area as the commit, or use other features of the IDE. In previous versions, all these actions were impossible because the modal commit dialog blocked all the other IDE functionality. Additionally, there is a new feature for projects that are using version systems like Git or Mercurial. You just need to press the Commit shortcut (Ctrl-K on Windows, Linux/Cmd-K on macOS) and the IDE will select the modified files for the commit. You will then be able to review the selected files and change the file or code chunk. Source: IntelliJ IDEA These were some of the features coming in IntelliJ IDEA 2019.2. You can read the entire release notes and stay updated with the IntelliJ IDEA blog to know more in detail. Developers are excited about the profiling tools and other shining features bundled with this release: https://twitter.com/Rahamat87523498/status/1149221123256492032 https://twitter.com/goKarumi/status/1148849477136146432 https://twitter.com/matsumana/status/1140659765518852097 What’s new in IntelliJ IDEA 2018.2 IntelliJ IDEA 2018.3 Early Access Program is now open! Netbeans, Intellij IDEA and PyCharm come to Haiku OS

Mojolicious, a next generation web framework for the Perl programming language announced its upgrade to the latest 8.0 version. Mojolicious 8.0 was announced at the Mojoconf in Norway held from 6th to 7th September 2018. This release is codenamed as ‘Supervillain’ and is by far the major release in Mojolicious. Mojolicious allows users to easily grow single file prototypes into well-structured MVC web applications. It is a powerful web development toolkit, that one can use for all kinds of applications, independently of the web framework. Many companies such as Alibaba Group, IBM, Logitech, Mozilla, and others rely on Mojolicious to develop new code bases. Even companies like Bugzilla are getting themselves ported to Mojolicious. The Mojolicious community has decided to make a few organizational changes, to support the continuous growth. This includes: All new development will be consolidated in a single GitHub organization. Mojolicious’ official IRC channel named say hi! that has almost 200 regulars will be moving to Freenode (#mojo on irc.freenode.net). This will make it easier for people not yet part of the Perl community to get involved. Some highlights of the Mojolicious 8.0 Promises/A+ Mojolicious 8.0 includes Promises/A+, a new module and pattern for working with event loops. A promise represents the eventual result of an asynchronous operation. Roles and subprocess The version 8.0 now includes roles, a new way to extend Mojo classes. Also, the subprocesses can now mix event loops and computationally expensive tasks. Placeholder types and Mojo::File With the placeholder types, one can avoid repetitive routes. Whereas the Mojo::File, is the brand new module for dealing with file systems. Cpanel::JSON::XS and Mojo::PG With the Cpanel::JSON::XS, users can process JSON at a much faster rate now. The Mojo::PG includes many new SQL::Abstract extensions for Postgres features. To know more about Mojolicious 8.0 in detail, visit its GitHub page. Warp: Rust’s new web framework for implementing WAI (Web Application Interface) What’s new in Vapor 3, the popular Swift based web framework Beating jQuery: Making a Web Framework Worth its Weight in Code

Yesterday, the Thunderbird developers announced to implement OpenPGP support in Thunderbird 78, which is planned to be a Summer 2020 release. This means that the support for Thunderbird in Enigmail will be discontinued. Enigmail is a data encryption and decryption extension for Mozilla Thunderbird and SeaMonkey internet suite that provides OpenPGP public key email encryption and signing. Patrick Brunschwig, the lead developer of the Enigmail project, says “this is an inevitable step.” The Mozilla developers have been and still are actively working on removing old code from their codebase. This affects not only Thunderbird but also add-ons. “While it was possible for Thunderbird to keep old "legacy" add-ons alive for a certain time, the time has come for Thunderbird to stop supporting them,” Brunschwig added. Thunderbird is unable to bundle GnuPG software due to incompatible licenses (MPL version 2.0 vs. GPL version 3+). Instead of relying on users to obtain and install external software like GnuPG or GPG4Win, the developers intend to identify and use an alternative, compatible library (Thunderbird 78), and distribute it as part of Thunderbird on all supported platforms. Will OpenPGP support in Thunderbird 78 mark an end to Enigmail? Brunschwig, in an email thread, writes that he “will continue to support and maintain Enigmail for Thunderbird 68 until 6 months after Thunderbird 78 will have been released (i.e. a few months beyond Thunderbird 68 EOL).”  He further mentioned that Enigmail will not run anymore on Thunderbird 72 beta and newer. Thunderbird 78 will no longer support the APIs that Enigmail requires and only allow new "WebExtensions". WebExtensions have a completely different API than classical add-ons, and a much-reduced set of capabilities to the user interface. Enigmail will not end; however, it will continue to maintain and support Enigmail for Postbox, which is running on a different release schedule than Thunderbird for the foreseeable future. “The Thunderbird developers and I have therefore agreed that it's much better to implement OpenPGP support directly in Thunderbird. The set of functionalities will be different than what Enigmail offers, and at least initially likely be less feature-rich. But in my eyes, this is by far outweighed by the fact that OpenPGP will be part of Thunderbird and no add-on and no third-party tool will be required,” Brunschwig writes. To process OpenPGP messages, GnuPG stores secret keys, public keys of correspondents, and trusted information for public keys in its own file format. Thunderbird 78 will not reuse the GnuPG file format, but will rather implement its own storage for keys and trust. Users who already own secret keys from their previous use of Enigmail and GnuPG, and who wish to reuse their existing secret keys, will be required to transfer their keys to Thunderbird 78. On systems that have GnuPG installed, the team may offer assisted importing. Many users are awaiting the summer release next year. https://twitter.com/robertjhansen/status/1181561188301320192 https://twitter.com/glynmoody/status/1181550756916334592 ZDNet writes, “What Mozilla devs will do remains to be seen, and they might end up creating a new OpenPGP library from scratch -- which might take up a lot of Mozilla's resources but will be a win for the open-source community as a whole.” To know more about this news in detail, read Mozilla Wiki. Cloudflare and Google Chrome add HTTP/3 and QUIC support; Mozilla Firefox soon to follow suit Mozilla introduces Neqo, Rust implementation for QUIC, new http protocol Mozilla proposes WebAssembly Interface Types to enable language interoperability

Cross-platform app development is the rage now! And to add fuel to the fire, Xamarin has released its latest cross-platform toolkit upgrade. The latest stable release of Xamarin Forms 3 is here! Version 3 hosts new layout and styling updates to improve how developers build UI. These include updates to Visual State Manager, Flex Layout, Style Sheets, and Right-to-Left support to name a few. XAML compilation has also received specific attention with build times reduced by as much as 88% in some benchmarks. Let us look at each of the above features in detail. Visual State Manager Visual State Manager is now available in Xamarin Forms. The VSM provides a structured way to make visual changes to the user interface from code. The VSM introduces the concept of visual states. Visual states are collected in visual state groups. Developers can now define the various states for layouts and controls declaratively in XAML or C# and easily update their UI. The Xamarin.Forms Visual State Manager defines one visual state group named "CommonStates" with three visual states: Normal Disabled Focused FlexLayout FlexLayout is a new layout inspired by the web’s Flexbox. FlexLayout promotes flat, performant, and flexible UIs. It is ideal for handling distribution and spacing of content within layouts. It also provides control of the direction of layout, the justification, and alignment among other properties. FlexLayout defines six public bindable properties and five attached bindable properties that affect the size, orientation, and alignment of its child elements. StyleSheets Xamarin.Forms 3.0 introduces the ability to style an app using CSS. StyleSheets come in companionship with Flex Layouts. A style sheet consists of a list of rules, with each rule consisting of one or more selectors and a declaration block. They can be added as separate CSS files or inline with Resources. In Xamarin.Forms, CSS style sheets are parsed and evaluated at runtime, rather than compile time, and are re-parsed on use. Right-To-Left Localization Xamarin.Forms 3.0 are now equipped with FlowDirection property to make it easier to flip layouts to match language direction.  This is especially beneficial to Arabic and Hebrew scripts that flow from right-to-left. FlowDirection property apart from supporting right-to-left layouts also offers flexibility to customize layouts as seen fit by developers. Xamarin.Forms 3.0 is now available on NuGet. Read the full release notes for the list of entire bug fixes. Five reasons why Xamarin will change mobile development Hybrid Mobile apps: What you need to know Creating Hello World in Xamarin.Forms_sample

Last week, Bleeping Computer reported that the latest versions of Google Chrome, Safari, Opera, and Microsoft Edge will not allow users to disable hyperlink auditing that was possible in previous versions. What is hyperlink auditing? The Web Applications 1.0 specification introduced a new feature in HTML5 called hyperlink auditing for tracking clicks on the links. To track user clicks, the “a” and “area” elements support a “ping” attribute that takes one or more URIs as a value. For example: When you click on the hyperlink, the “href” link will be loaded as expected, but additionally, the browser will also send an HTTP POST request to the ping URL. The request headers can then be examined by the scripts that receive the ping POST request to find out where the ping came from. Which browsers have made hyperlink auditing compulsory? After finding this issue in Safari Technology Preview 72, Jeff Johnson, a professional Mac, and iOS software engineer reported this to Apple. Despite this, Apple released Safari 12.1 without any settings to disable hyperlink auditing. Prior to Safari 12.1, users were able to disable this feature with a hidden preference. Similar to Safari, in Google Chrome hyperlink auditing was enabled by default. Users could previously disable this by going to “chrome://flags#disable-hyperlink-auditing” and setting the flag to “Disabled”. But, in Chrome 74 Beta and Chrome 75 Canary builds, this flag has been completely removed. Microsoft Edge and Opera 61 Developer build also removes the option to disable/enable hyperlink auditing. Firefox and Brave, on the other hand, have disabled hyperlink auditing by default. In Firefox 66, Firefox Beta 67, and Firefox Nightly 68 users can enable it using the browser.send_pings setting, the Brave browser, however, does not allow users to enable it at all. How people are reacting to this development? The hyperlink auditing feature has received mixed reactions from developers and users. While some were concerned about its privacy implications, others think that this process makes the user experience more transparent. Sharing how this development can be misused, Chris Weber co-founder of Casaba Security wrote in a blog post,  “the URL could easily be appended with junk causing large HTTP requests to get sent to an inordinately large list of URIs. Information could be leaked in the usual sense of Referrer/Ping-From leaks.” One Reddit user said that this feature is privacy neutral as this kind of tracking can be done with JavaScript or non-JavaScript redirects. Sharing other advantages of the ping attribute, another user said, “The ping attribute for hyperlinks aims to make this process more transparent, with additional benefits such as optimizing network traffic to the target page loads more quickly, as well as an option to disable sending the pings for more user-friendly privacy.” Though this feature brings some advantages, the Web Hypertext Application Technology Working Group (WHATWG) encourages user agents to put control in the hands of the users by providing them a feature to disable this behavior. “User agents should allow the user to adjust this behavior, for example in conjunction with a setting that disables the sending of HTTP `Referer` (sic) headers. Based on the user's preferences, UAs may either ignore the ping attribute altogether or selectively ignore URLs in the list,” mentions WHATWG. To read the full story, visit Bleeping Computer. Google dissolves its Advanced Technology External Advisory Council in a week after repeat criticism on selection of members Microsoft’s #MeToo reckoning: female employees speak out against workplace harassment and discrimination Mozilla is exploring ways to reduce notification permission prompt spam in Firefox

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, has found a vulnerability in a Wordpress plugin called Social Network Tabs. The plugin leaks user’s Twitter account information exposing them to compromise. This WordPress plugin is developed by Design Chemical, which allows websites to help users share content on social media sites. MITRE has assigned the vulnerability CVE-2018-20555. In a twitter thread, Elliot described the details of the bug on Thursday. Per Elliot, the Wordpress Plugin is leaking twice the Twitter access_token, access_token_secret, consumer_key and consumer_secret of their user which is leading to a takeover of their Twitter account.  This was caused by the few lines of code which was within the page where the Twitter widget is displayed. Anyone who viewed this code had access to see the linked Twitter handle and the access tokens. If the access token had read/write rights, the attacker was also able to take over the account and there were 127 such accounts. Elliot tested the bug by searching PublicWWW, a website source code search engine. He was able to find 539 websites using the vulnerable code. He then managed to retrieve access tokens using a script including the Twitter access_token, access_token_secret, consumer_key and consumer_secret from 539 vulnerable websites. According to Elliot, this leak compromised over 446 Twitter accounts with 2 verified accounts and multiple accounts with more than 10K+ followers. The full list of accounts is also made public by him. Elliot talked to Techcrunch about the vulnerability, saying that he had told “Twitter on December 1 about the vulnerability in the third-party plugin, prompting the social media giant to revoke the keys, rendering the accounts safe again. Twitter also emailed the affected users of the security lapse of the WordPress plugin but did not comment on the record when reached.” However, this is not the case. On January 17, he mentioned in a tweet that, “With a simple Google search query, "inurl:/inc/dcwp_twitter.php?1=", you can find that a lot of websites and so Twitter accounts are still vulnerable to this issue. This query returns 3550 results.” He has also written a scraper to automatically extract the keys from the result of this Google search query. SEC’s EDGAR system hacked; allowing hackers to allegedly make a profit of $4.1 million via insider trading Hyatt Hotels launches public bug bounty program with HackerOne Black Hat hackers used IPMI cards to launch JungleSec Ransomware, affects most of the Linux servers.

Google is adding support for two controllers to its popular VR operating system Daydream, which until now, only supported a single controller. The reveal came to light as XDA developers noted mentions of multiple controller support in the latest Google Daydream VR SDK for Unity. Google partnered with Lenovo to launch the first standalone Mirage solo headset back in May. Now, with support for multiple controllers added in Google Daydream SDK will allow for far more applications with Google-powered headsets. As per the official release notes, the headset will be able to prompt the users about devices that support “one controller” and those supporting “two controllers”. The prefab is capable of automatically tracking the Daydream controller on devices supporting only one controller. To get automatic tracking of Daydream Controller on devices supporting two controllers, a second prefab instance should be added. One of these controllers on will play the role of a “dominant” controller and depending on your preferences, you can set either right hand or left-hand controller as the dominant. Support for multiple controllers does not necessarily mean that multiplayer gaming will be possible on the handset. It is just additional controllers added to the device. Having a controller in each hand that does different things can make your gameplay experience way more immersive. As for now, Google hasn’t provided any clear indication regarding how the two controllers will work in conjunction with each other. Whether it is going to use a standalone headset or a Bluetooth 5.0 compatible device to establish the connection between two controllers haven’t been specified. With the new support, Google’s Daydream will pose competition to popular VR headsets such as Oculus Rift, HTC Vive, etc which already come equipped with multiple controllers. There aren’t a lot of games supporting Daydream at the moment but the new update might pave the way for new games being run on these headsets in the future. It’ll be a while before we see anything in action. Although, the new addition will take these headsets a step ahead when it comes to bridging the gap between mobile games and console-level gaming on VR. For more information on the new update, check out the official Google VR SDK. Magic Leap’s first AR headset, powered by Nvidia Tegra X2, is coming this Summer Qualcomm announces a new chipset for standalone AR/VR headsets HTC Vive Focus 2.0 update promises long battery life, among other things for the VR headset

On Tuesday, the team behind Electron, the web framework for building desktop apps, announced the release of Electron 6.0. It comes with further improvement in the ‘Promise’ support, native Touch ID authentication support for macOS, native emoji and color picker methods, and more. This release is upgraded to Chrome 76, Node.js 12.4.0, and V8 7.6. https://twitter.com/electronjs/status/1156273653635407872 Promisification of functions continue Starting from Electron 5.0, the team introduced a process called “promisification” in which callback-based functions are converted to return ‘Promises’. In Electron 6.0, the team has converted 26 functions to return Promises and also supported callback-based invocation. Among these “promisified” functions are ‘contentTracing.getCategories()’, ‘cookies.flushStore()’, ‘dialog.showCertificateTrustDialog()’, and more. Three new variants of the Helper app The hardened runtime was introduced to prevent exploits like code injection, DLL hijacking, and process memory space tampering. However, to serve the purpose it does restricts things like writable-executable memory and loading code signed by a different Team ID.  If your app relies on such functionalities, you can add an entitlement to disable individual protection. To enable a hardened runtime in an Electron app, special code signing entitlements were granted to Electron Helper. Starting from Electron 6.0, three new variants of the Helper app are added to keep these granted entitlements scoped to the process types that require them. These are ‘Electron Helper (Renderer).app)’, ‘(Electron Helper (GPU).app)’, and ‘(Electron Helper (Plugin).app)’. Developers using ‘electron-osx-sign’ to codesign their Electron app, do not have to make any changes to their build logic. But if you are using custom scripts instead, then you will need to ensure that the three Helper apps are correctly codesigned. To correctly package your application with these new helpers, use ‘[email protected]’ or higher. Miscellaneous changes to Electron 6.0 Electron 6.0 brings native Touch ID authentication support for macOS. There are now native emoji and color picker methods for Windows and macOS. The ‘chrome.runtime.getManifest’ API for Chrome extensions is added that returns details about the app or extension from the manifest. The ‘<webview>.getWebContentsId()’ method is added that allows getting the WebContents ID of WebViews when the remote module is disabled. Support is added for the Chrome extension content script option ‘all_frames’. This option allows an extension to specify whether JS and CSS files should be injected into all frames or only into the topmost frame in a tab. With Electron 6.0, the team has laid out the groundwork for a future requirement, which says that all native Node modules loaded in the renderer process will be either N-API or Context Aware. This is done for faster performance, better security, and reduced maintenance workload. Along with the release announcement, the team also announced the end of life of Electron 3.x.y and has recommended upgrading to a newer version of Electron. To know all the new features in Electron 6.0, check out the official announcement. Electron 5.0 ships with new versions of Chromium, V8, and Node.js The Electron team publicly shares the release timeline for Electron 5.0 How to create a desktop application with Electron [Tutorial]

Last week the team at OpenWrt announced the second service release of the stable OpenWrt 18.06 series, OpenWrt 18.06.2. OpenWrt is a Linux operating system that targets embedded devices and provides a fully writable filesystem with optional package management. It is also considered to be a complete replacement for the vendor-supplied firmware of a wide range of wireless routers and non-network devices. What’s new in OpenWrt 18.06.2? OpenWrt 18.06.2 comes with bug fixes in the network and the build system and updates to the kernel and base packages. In OpenWrt 18.06.2, Linux kernel has been updated to versions 4.9.152/4.14.95 (from 4.9.120/4.14.63 in v18.06.1). GNU time dependency has been removed. This release comes with added support for bpf match. In this release, a blank line has been inserted after KernelPackage template to allow chaining calls. INSTALL_SUID macro has been added. This release comes with added support for enabling the rootfs/boot partition size option via tar. Building of artifacts has been introduced. Package URL has been updated. Un-initialized return value has been fixed. Major bug fixes The docbook2man error has been fixed. The issues with libressl build on x32 (amd64ilp32) host has been fixed. The build has been fixed without modifying Makefile.am. Fedora patch has been added for crashing git style patches. The syntax error has been fixed. Security fixes for the Linux kernel, GNU patch, Glibc, BZip2, Grub, OpenSSL, and MbedTLS. IPv6 and network service fixes. Few of the users are happy about this release and they think despite small teams and budgets, the team at OpenWrt has done a wonderful job by powering so many routers. One of the comment reads, “The new release still works fine on a TP-Link TL-WR1043N/ND v1 (32MB RAM, 8MB Flash). This is an old router I got from the local reuse center for $10 a few years ago. It can handle a 100 Mbps fiber connection fine and has 5 gigabit ports. Thanks Openwrt!” But the question is if cheap routers affect the internet speed. One of the users commented on HackerNews, “My internet is too fast (150 mbps) for a cheap router to effectively manage the connection, meaning that unless I pay 250€ for a router, I will just slow down my Internet needlessly.” Read more about this news on the OpenWrt’s official blog post. Mapzen, an open-source mapping platform, joins the Linux Foundation project Remote Code Execution Flaw in APT Linux Package Manager allows man-in-the-middle attack The Haiku operating system has released R1/beta1