Tech News

Just two days ago, the research team at Google AI introduced Translatotron, an end to end, speech to speech translation model.  In their research paper, “Direct speech-to-speech translation with a sequence-to-sequence model” they demonstrated the Translatotron and realized that the model achieves high translation quality on two Spanish-to-English datasets. Speech-to-speech translation systems have usually been broken into three separate components: Automatic speech recognition: It used to transcribe the source speech as text. Machine translation: It is used for translating the transcribed text into the target language Text-to-speech synthesis (TTS): It is used to generate speech in the target language from the translated text. Dividing the task into such systems have been working successfully and have powered many commercial speech-to-speech translation products, including Google Translate. In 2016, most of the engineers and researchers realized the need for end-to-end models on speech translation when researchers demonstrated the feasibility of using a single sequence-to-sequence model for speech-to-text translation. In 2017, the Google AI team demonstrated that such end-to-end models can outperform cascade models. Recently, many approaches for improving end-to-end speech-to-text translation models have been proposed. Translatotron demonstrates that a single sequence-to-sequence model can directly translate speech from one language into another. Also, it doesn’t rely on an intermediate text representation in either language, as required in cascaded systems. It is based on a sequence-to-sequence network that takes source spectrograms as input and then generates spectrograms of the translated content in the target language. Translatotron also makes use of two separately trained components: a neural vocoder that converts output spectrograms to time-domain waveforms and a speaker encoder, which is used to maintain the source speaker’s voice in the synthesized translated speech. The sequence-to-sequence model uses a multitask objective for predicting source and target transcripts and generates target spectrograms during training. But during the inference, no no transcripts or other intermediate text representations are used. The engineers at Google AI validated Translatotron’s translation quality by measuring the BLEU (bilingual evaluation understudy) score, computed with text transcribed by a speech recognition system. The results do lag behind a conventional cascade system but the engineers have managed to demonstrate the feasibility of the end-to-end direct speech-to-speech translation. Translatotron can retain the original speaker’s vocal characteristics in the translated speech by incorporating a speaker encoder network. This makes the translated speech sound natural and less jarring. According to the Google AI team, the Translatotron gives more accurate translation than the baseline cascade model, while retaining the original speaker’s vocal characteristics. The engineers concluded that Translatotron is the first end-to-end model that can directly translate speech from one language into speech in another language and can retain the source speaker’s voice in the translated speech. To know more about this news, check out the blog post by Google AI. Google News Initiative partners with Google AI to help ‘deep fake’ audio detection research Google AI releases Cirq and Open Fermion-Cirq to boost Quantum computation Google’s Cloud Healthcare API is now available in beta

According to a latest research paper and demonstration from researchers at Northeastern University in Boston, hackers can hijack the systems used to guide aeroplanes by spoofing and compromising the radio signals used during landing. By using a $600 software defined radio, the researchers can now spoof airport signals that cause a pilot’s navigation instruments to falsely indicate that a plane is off course. Attackers can attack by sending a signal that causes a pilot’s course deviation indicator in order to show that a plane is slightly too far to the left of the runway, even when the plane is perfectly aligned. The pilot will react by guiding the plane to the right and inadvertently steer over the centerline. The spoofed signals can also be used to indicate that a plane’s angle of descent is more gradual than it actually is. The spoofed message can also generate a “fly down” signal that instructs the pilot to steepen the angle of descent, possibly causing the aircraft to touch the ground before reaching the start of the runway. In this paper, the researchers have investigated and demonstrated the vulnerability of aircraft instrument landing systems to wireless attacks. The researchers have further analyzed the instrument landing system (ILS) waveforms’ and have shown the feasibility of spoofing radio signals. This might lead to last-minute go around decisions, and in worst case scenarios, it can even lead to missing the landing zone in low-visibility scenarios. The researchers have first shown that it is possible to fully and in fine-grain control the course deviation indicator, as displayed by the ILS receiver, in real time, and further demonstrate it on aviation-grade ILS receivers. They have also analyzed the potential of both an overshadowing attack, and a lower-power single-tone attack. Note: The overshadowing attack involves sending specific ILS signals at a high power level to overpower legitimate ILS signals. The single-tone attack interferes with a legitimate ILS signal through the transmission of a lower power frequency tone which alters the plane's course deviation indicator needle. For evaluating the complete attack, the researchers have developed a tightly-controlled closed-loop ILS spoofer. This spoofer adjusts the adversary’s transmitted signals as a function of the aircraft GPS location which maintains power and keeps the deviation consistent with the adversary’s target position, causing an undetected off-runway landing. They have also demonstrated the integrated attack on an FAA (Federal Aviation Administration) certified flight-simulator (XPlane) by incorporating a spoofing region detection mechanism. This mechanism triggers the controlled spoofing on entering the landing zone to reduce detectability. The researchers have evaluated the performance of the attack against X-Plane’s AI-based autoland feature, and demonstrated a systematic success rate with offset touchdowns of 18 meters to over 50 meters. The researchers have investigated the security of aircraft instrument landing system against wireless attacks. For both these attacks, the researchers have generated specially crafted radio signals that are similar to the legitimate ILS signals using low-cost software-defined radio hardware platform. They have successfully induced aviation-grade ILS receivers, in real time, to lock and display arbitrary alignment to both horizontal and vertical approach path. This also demonstrates the potential for an adversary to trigger multiple aborted landings that would cause air traffic disruption and might let the aircraft to overshoot the landing zone or miss the runway entirely. The researchers then discuss potential countermeasures including failsafe systems such as GPS and show that these systems also do not provide sufficient security guarantees. They have also highlighted that implementing cryptographic authentication on ILS signals is not enough as the system could be vulnerable to record and replay attacks. Therefore, the researchers highlight on an open research challenge of building secure, scalable and efficient aircraft landing systems. To know more about this, check out the research paper. Researchers from China introduced two novel modules to address challenges in multi-person pose estimation AI can now help speak your mind: UC researchers introduce a neural decoder that translates brain signals to natural sounding speech OpenAI researchers have developed Sparse Transformers, a neural network which can predict what comes next in a sequence

Earlier this week, the team behind Racket announced the release of Racket 7.3. This release comes with improved Racket-on-Chez, refactored IO system, a new shear function in the Pict library, and more. The Racket programming language is general-purpose, multi-paradigm, and is a dialect of Lisp and Scheme. Updates in Racket 7.3 Snapshot builds of Racket-on-Chez are now available Racket’s core was largely implemented in C, which affects its portability to different systems, maintenance, and performance. Hence, back in 2017, the team decided to make the Racket distribution run on Chez Scheme. With the last release (Racket 7.2), the team shared that the implementation of Racket on Chez Scheme (Racket CS) has reached almost complete status with all functionalities in place. With this release, the team has added more improvements to Racket-on-Chez and has made its snapshot builds available on Racket Snapshots. The team further shared that by next release we can expect Racket-on-Chez to be included as a download option. Other updates In addition to the improvements in Racket-on-Chez, the following updates are introduced: Racket’s IO system is refactored to provide better performance and a simplified internal design. The JSON reader is now dramatically faster. The Racket web library now comes with improved support for 307 redirects. The Plot library comes with color map support for renderers. The Plot library allows you to produce any kind of plot including scatter plots, line plots, contour plots, histograms, and 3D surfaces and isosurfaces. A ‘shear’ function is added to the Pict library, Racket’s one of the standard functional picture libraries. Read the full announcement on Racket’s official website. Racket 7.2, a descendant of Scheme and Lisp, is now out! Racket v7.0 is out with overhauled internals, updates to DrRacket, TypedRacket among others Swift is improving the UI of its generics model with the “reverse generics” system

Microsoft and Sony have been fierce rivals when it comes to gaming starting from 2001 when Microsoft’s Xbox challenged the Sony PlayStation 2. However, in an unusual announcement yesterday, Microsoft and Sony signed a memorandum of understanding to jointly explore the development of future cloud solutions in Microsoft Azure to support their respective game and content-streaming services. Sony and Microsoft will also explore collaboration in the areas of semiconductors and AI. For semiconductors, they will jointly develop new intelligent image sensor solutions.  In terms of AI, the parties will incorporate Microsoft’s AI platform and tools in Sony’s consumer products. Microsoft in a statement said,  “these efforts will also include building better development platforms for the content creator community,” seemingly stating that both companies will probably partner on future services aimed at creators and the gaming community. Rivals turned to Allies Sony’s decision to keep aside the rivalry and partner with Microsoft makes sense because of two main reasons. First, cloud streaming is considered the next big thing in gaming. Only three companies Microsoft, Google, and Amazon have enough cloud experience to present viable, modern cloud infrastructure. Although Sony has enough technical competence to build its own cloud streaming service, it makes sense to deploy via Microsoft’s Azure than scaling its own distribution systems. Microsoft is also happy to extend a welcoming hand to a customer as large as Sony. Moreover, neither Sony nor Microsoft is going to commit to focus on game streaming completely, as both already have consoles currently in development. This is unlike Amazon and Google, who are going to go full throttle in building game streaming. It makes sense that Sony chose to go with Microsoft putting enough resources into these efforts, and going so far as to collaborate, showing that they understand game streaming is something not to be looked down on for not having. Second, this partnership is also likely a direct competition to Google’s Stadia game streaming service, unveiled at Game Developers Conference 2019. Stadia is a cloud-based game streaming platform that aims to bring together, gamers, YouTube broadcasters, and game developers “to create a new experience”. The games get streamed from any data center to any device that can connect to the internet like TV, laptop, desktop, tablet, or mobile phone. Gamers can access their games anytime and virtually on any screen. And, game developers will be able to use nearly unlimited resources for developing games. Since all the graphics processing happens on off-site hardware, there will be little stress on your local hardware. “Sony has always been a leader in both entertainment and technology, and the collaboration we announced today builds on this history of innovation,” says Microsoft CEO Satya Nadella. “Our partnership brings the power of Azure and Azure AI to Sony to deliver new gaming and entertainment experiences for customers.” Twitter was filled with funny memes on this alliance and its direct contest with Stadia. https://twitter.com/MikieDaytona/status/1129076134950445056 https://twitter.com/shaunlabrie/status/1129144724646813696 https://twitter.com/kettleotea/status/1129142682004205569 Going forward, the two companies will share additional information when available. Read the official announcement here. Google announces Stadia, a cloud-based game streaming service, at GDC 2019 Microsoft announces Project xCloud, a new Xbox game streaming service Amazon is reportedly building a video game streaming service, says Information

Earlier this month, Cisco announced a critical vulnerability in its Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software. This vulnerability allows an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user. This vulnerability is only exploitable over IPv6; however, the IPv4 is not vulnerable. Cisco has released free software updates that address the vulnerability. This vulnerability(CVE-2019-1804), with a CVSS severity rating of 9.8, is due to the presence of a default SSH key pair that is present in all devices. An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. There are no workarounds, so Cisco is encouraging users to update to the latest software release. However, the fix is only an interim patch. The company also issued a “high” security warning advisory for the Nexus 9000, with a CVSS severity rating of 10.0. This involves an exploit that allows attackers to execute arbitrary operating-system commands as root on an affected device. In order to succeed, an attacker would need valid administrator credentials for the device, Cisco said. The vulnerability is due to overly broad system-file permissions where an attacker could exploit this vulnerability by authenticating to an affected device, creating a crafted command string and writing this crafted string to a specific file location. Critical vulnerabilities Cisco’s web-based management interface Multiple critical vulnerabilities in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager were revealed yesterday. These vulnerabilities could allow a remote attacker to gain the ability to execute arbitrary code with elevated privileges on the underlying operating system. These vulnerabilities affect Cisco PI Software Releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1 One of these issues, CVE-2019-1821, can be exploited by an unauthenticated attacker that has network access to the affected administrative interface. For the second and third issues(CVE-2019-1822 and CVE-2019-1823), the attacker needs to have valid credentials to authenticate to the impacted administrative interface. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. To know more about these and other vulnerabilities, visit Cisco’s Security Advisories and Alerts page. Cisco merely blacklisted a curl instead of actually fixing the vulnerable code for RV320 and RV325 Cisco announces severe vulnerability that gives improper access controls for URLs in its Small Business routers RV320 and RV325 A WhatsApp vulnerability enabled attackers to inject Israeli spyware on user’s phones

Today, Google announced a security bug in its Bluetooth Low Energy (BLE) Titan Security Keys. This issue is due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, which is currently affecting the BLE versions in the U.S. Google has provided users with quick actions to protect themselves against the attack and to gain a free replacement key. However, the bug affects Bluetooth pairing only, so non-Bluetooth security keys are not affected. “Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement since security keys provide the strongest protection against phishing”, the official post reads. Attackers can only gain access to a user’s device if they are within close proximity (approximately 30 feet) while the user is using the security key. With this, the attacker can easily communicate with a user’s security key or also communicate with the device to which the user’s key is paired. The two cases an attacker might use to exploit the security keys in the BLE are: While trying to sign into an account on the device, a user is normally asked to press the button on their BLE security key to activate it. At this time, the attacker will have to connect their own device to the user’s affected security key before the user’s own device connects, for the bug to be exploited. However, this case is only possible if they have already obtained the victim’s username and password. The attacker could also use their device to masquerade as the user’s affected security key and connect to the user’s device at the moment the user is asked to press the button on the key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on the user’s device. Google also mentions that this issue does not affect the primary purpose of security keys (to protect you against phishing by a remote attacker). They also suggest that security keys remain the strongest available protection against phishing and it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on one’s Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to a user’s device). This local proximity Bluetooth issue does not affect USB or NFC security keys. “To determine if your key is affected, check the back of the key. If it has a “T1” or “T2” on the back of the key, your key is affected by the issue and is eligible for free replacement”, the official post states. Mark Risher, Director of Product Management at Google tweeted: https://twitter.com/mrisher/status/1128703153397030913 Google has also provided some additional steps that users can take to minimize the remaining risk until they receive their replacement keys on their official blog post. To know more about this news in detail, head over to Google’s official blog post. Go 1.11.3 and Go 1.10.6 released with fixes to security issues Amazon FreeRTOS adds a new ‘Bluetooth low energy support’ feature Google I/O 2019: Flutter UI framework now extended for Web, Embedded, and Desktop

During the Google Cloud Next ‘19, Google Cloud announced the beta version of GKE Sandbox, a new feature in Google Kubernetes Engine (GKE). Yesterday, Yoshi Tamura (Product Manager of Google Kubernetes Engine and gVisor) and Adin Scannell (Senior Staff Software Engineer of gVisor) explained in brief about the GKE Sandbox, on Google Cloud’s official blogspot. GKE Sandbox increases the security and isolation of containers by adding an extra layer between the containers and the host OS. At general availability, GKE Sandbox will be available in the upcoming GKE Advanced. This feature will help in building demanding production applications on top of managed Kubernetes service. GKE Sandbox uses gVisor to abstract the internals, which makes the internals an easy-to-use service. While creating a pod, the user can simply choose GKE Sandbox and continue to interact with containers. This will need no new learning of controls or a mental model. In view of limiting potential attacks, GKE Sandbox helps teams running multi-tenant clusters such as SaaS providers. These teams are often executing  unknown or untrusted code. This helps in providing more secure multi-tenancy in GKE. gVisor is an open-source container sandbox runtime that was released last year. It was created to defend against a host compromise when it runs an arbitrary, untrusted code, and still integrate with container-based infrastructure. gVisor is used in many Google Cloud Platform (GCP) services like the App Engine standard environment, Cloud Functions, Cloud ML Engine, and most recently Cloud Run. Some features of gVisor include: Provides an independent operating system kernel to each container. Applications can interact with the virtualized environment provided by gVisor's kernel rather than the host kernel. Manages and places restrictions on file and network operations. Ensures there are two isolation layers between the containerized application and the host OS. Due to the reduced and restricted interaction of an application with the host kernel, attackers have a smaller attack surface. An experience shared on the official Google blog post mentions how Data refinery creator Descartes Labs have applied machine intelligence to massive data sets. Tim Kelton, Co-Founder and Head of SRE, Security, and Cloud Operations at Descartes Labs, said, “As a multi-tenant SaaS provider, we still wanted to leverage Kubernetes scheduling to achieve cost optimizations, but build additional security layers on top of users’ individual workloads. GKE Sandbox provides an additional layer of isolation that is quick to deploy, scales, and performs well on the ML workloads we execute for our users." Applications suitable for GKE Sandbox GKE Sandbox is well-suited to run compute and memory-bound applications and so works with a wide variety of applications such as: Microservices and functions : GKE Sandbox will enable additional defense in depth while preserving low spin-up times and high service density. Data processing : GKE Sandbox can process data in less than 5 percent for streaming disk I/O and compute-bound applications like FFmpeg. CPU-based machine learning: Training and executing machine learning models frequently involves large quantities of data and complex workflows which mostly belongs to a third party. The CPU overhead of sandboxing compute-bound machine learning tasks is less than 10 percent. A user on Reddit commented, “This is a really interesting add-on to GKE and I'm glad to see vendors starting to offer a variety of container runtimes on their platforms.” GKE Sandbox feature has got rave reviews on twitter too. https://twitter.com/ahmetb/status/1128709028203220992 https://twitter.com/sarki247/status/1128931366803001345 If you want to try GKE Sandbox and know more details, head over to Google’s official feature page. Google Open-sources Sandboxed API, a tool that helps in automating the process of porting existing C and C++ code Google Cloud introduces Traffic Director Beta, a networking management tool for service mesh Google Cloud Console Incident Resolved!

The Trump administration on Wednesday launched a new tool where US citizens can complain about social media bias. Indirectly this is a platform for conservatives to “share their story”. The White House launched the tool just hours after it broke with more than a dozen world leaders and top technology companies in an international call to action around the rise of online extremism on social platforms. Over the past few months, Republicans have taken aim at social media networks, citing claims that conservatives have been wrongly censored on these platforms. In a recent poll, 83 percent of Republicans thought the tech companies were biased against conservatives.Committees like House of Energy and Commerce and Senate Judiciary, have even held hearings on the issue where lawmakers questioned officials from companies like Facebook and Twitter over the alleged bias. The outrage started last year in April when the House Judiciary Committee invited pro-Trump online personalities Diamond and Silk to discuss being “censored” on social media. And again this year Facebook in the wake of realworld hate crimes and violent terror attacks, banned six extremist account and a conspiracy theory organization. Additionally last month it was reported that President Trump met with Twitter founder and CEO Jack Dorsey. Twitter representatives said that the meeting was supposed to discuss the health of the platform, but it was later reported that Trump spent a significant portion of their 30-minute discussion complaining that he was losing followers on Twitter. Other members of the Trump family, like Don Jr., also voiced concern of the deplatforming of right-wing activists. After Facebook announced that it would banning conspiracy theorist Alex Jones along with other extremists accounts, Trump’s eldest son tweeted, “The purposeful & calculated silencing of conservatives on Facebook & the rest of the Big Tech monopoly men should terrify everyone,” https://twitter.com/DonaldJTrumpJr/status/1124339494616993792 When Vice reported about an all-hands meeting held on March 22 in Twitter, it stated that an employee asked a question, “Twitter has largely eradicated Islamic State propaganda off its platform. Why can’t it do the same for white supremacist content?” To which another Twitter executive who works on machine learning and artificial intelligence responded that such algorithms can be implemented but it would remove content from some of the Republican politicians when algorithms aggressively remove white supremacist material. The White House says the tool which is hosted on Typeform is meant to help people share stories about ways they were unfairly targeted by social platforms for free speech. But the online form where users can submit requests also appears to be an email collection mechanism. https://twitter.com/WhiteHouse/status/1128765001223663617 The form begins by asking users to submit basic information about themselves, like their first and last names. It then asks users if they are US citizens or permanent resident. If a user clicks "yes," the form continues. If a user clicks "no," a screen pops up saying: "Unfortunately, we can't gather your response through this form. Please feel free to contact us at WhiteHouse.gov/contact." This means immigrants will not be able to submit their views. There is also the risk of the US government gathering such information for the purpose of deportation from the country. If users clicked Yes, the tool will ask them to click which platform they've experienced bias on: Facebook, Instagram, Twitter, YouTube or Other. It asks users to link to the suspected post and post a screenshot from the platform, if applicable, of the rule violation notification. Critics were quick to point out that the online form was not very sophisticated and could be easily gamed by anyone. For example, the "captcha" response test used at the end of the survey to determine if the respondent is a bot asks users to type the year the Declaration of Independence was signed. "I tried it with '1945,' it cleared it. You just need to type four numbers," tweeted Quentin Hardy, head of editorial at Google Cloud. The form also asks you if you would want to be added to their mailing list. "We want to keep you posted on President Trump's fight for free speech," the form states after a few questions. "Can we add you to our email newsletters so we can update you without relying on platforms like Facebook and Twitter?" The move is yet another example of ways the administration has chosen to gather personal information of US citizens, promoting hate and bigotry under the veil of “free speech”, and unfairly excluding migrant voices from political discourse. https://twitter.com/RMac18/status/1128791345898745856 https://twitter.com/rob_sheridan/status/1128784373895974912 Twitter launches a new ‘search prompt’ feature to help users find credible sources about vaccines U.S. Supreme Court ruled 5-4 against Apple on its App Store monopoly case Facebook bans six toxic extremist accounts and a conspiracy theory organization

Reuters reported on Wednesday that the Trump administration hit Chinese telecoms giant Huawei by adding the company into its so called “Entity List”.  The Commerce Department said by adding Huawei Technologies and its 70 affiliates under this list means it will ban the company from acquiring components and technology from US firms without government approval. https://twitter.com/MSNBC/status/1128765546806284288 President Donald Trump has taken this decision to “prevent American technology from being used by foreign-owned entities in ways that potentially undermine US national security or foreign policy interests”, said US Secretary Wilbur Ross in a statement on Wednesday. This move has come at a very delicate time when two of the world’s largest economies fight over the tariff battle, which the US officially calls as China’s unfair trade practices. And on the same day Trump signed an executive order barring US companies from using telecommunications equipment made by firms deemed to pose a national security risk. The order signed by the President did not specify any country or company but, US officials have previously labelled Huawei a “threat” and actively lobbied allies not to use Huawei network equipment in next-generation 5G networks. In response to this Huawei on Wednesday said to ABC News that possible new U.S. restrictions on market access will have little impact on them and that these were  "unreasonable restrictions" by the United States. https://twitter.com/HuaweiFacts/status/1128904569621082112 "Restricting Huawei from doing business in the US will not make the US more secure or stronger; instead, this will only serve to limit the US to inferior yet more expensive alternatives," the telecom giant said in a statement. "In addition, unreasonable restrictions will infringe upon Huawei's rights and raise other serious legal issues," the statement said. It said it was “ready and willing to engage with the US government and come up with effective measures to ensure product security". US prosecutors had charged two Huawei units in Washington state in January as well. The charges were for conspiring to steal T-Mobile US Inc trade secrets. Last week the FCC voted unanimously to deny China Mobile's bid to provide US telecommunications services. This news comes to the market striking an urgency in US as wireless carriers roll out 5G networks. Elite US universities including MIT and Stanford break off partnerships with Huawei and ZTE amidst investigations in the US China’s Huawei technologies accused of stealing Apple’s trade secrets, reports The Information Huawei launches Kirin 980, the world’s first 7nm mobile AI chip

Microsoft has taken steps to release security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003. The company took this move as a part of its May 14 Patch Tuesday, due to the discovery of a “wormable” flaw that could be a major threat similar to the WannaCry ransomware attacks of 2017. The WannaCry ransomware threat was quick to spread across the world in May 2017 due to a vulnerability that was prevalent among systems running Windows XP and older versions of Windows. On Tuesday, Microsoft released 16 updates that target at least 79 security issues in Windows and related software. Now let’s have a look at the vulnerabilities,  CVE-2019-0708 and CVE-2019-0863. CVE-2019-0708, remote desktop services vulnerability The  CVE-2019-0708 vulnerability is in remote desktop services into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It is present in computers powered by Windows XP and Windows 2003. To attack the system, an unauthenticated attacker connects to the target system using Remote Desktop Protocol (RDP) and then sends specially crafted requests. This security update now corrects how Remote Desktop Services handles connection requests. Though the vulnerability CVE-2019-0708 does not affect Microsoft’s latest operating systems, including,  Windows 10, Windows 8, Windows 8.1, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. The company hasn’t observed any evidence of attacks against this security flaw, but it might head off a serious and imminent threat. Simon Pope, director of incident response for the Microsoft Security Response Center said, “This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening.” CVE-2019-0863, zero-day vulnerability One of the security updates fixed a zero-day vulnerability, (CVE-2019-0863) in the Windows Error Reporting Service. An attacker who can successfully exploit this vulnerability can run arbitrary code in kernel mode.The attacker can then install programs; change, view, or delete data; or create new accounts with administrator privileges. An attacker has to gain unprivileged execution on the victim’s system in order to exploit the vulnerability. Microsoft’s security update addresses this vulnerability by correcting the way WER (Windows Error Reporting) handles files. According to Chris Goettl, director of product management for security vendor Ivanti, this vulnerability has already been seen in targeted attacks. Microsoft Office and Office365, Sharepoint, .NET Framework and SQL server are some of the other Microsoft products that received patches. To know more about this news, check out Microsoft’s page. #MSBuild2019: Microsoft launches new products to secure elections and political campaigns Microsoft Build 2019: Introducing Windows Terminal, application packed with multiple tab opening, improved text and more Microsoft Build 2019: Introducing WSL 2, the newest architecture for the Windows Subsystem for Linux  

Yesterday, Microsoft announced that it has open-sourced an algorithm called Space Partition Tree And Graph (SPTAG) to make the Bing search engine quickly return search results. This algorithm allows users to take advantage of the intelligence from deep learning models for searching through billions of pieces of information, called vectors, in milliseconds. Machine-learning algorithms help search engines to deliver the best answers by building vectors. They are long lists of numbers that represent their input data, whether it be text on a webpage, images, sound, or videos. With the help of the vector search, it becomes easier to search by concept rather than keyword. For example, if a user types in “How tall is the tower in Paris?” Bing can return a natural language result telling the user the Eiffel Tower is 1,063 feet, even though the word “Eiffel” never appeared in the search query and the word “tall” never appears in the result. Bing captures billions of vectors for all the different kinds of media that it indexes and Microsoft uses SPTAG for searching these vectors. In this process, firstly, the team took a pre-trained model and then encoded that data into vectors, where each vector represents a word or pixel. With the help of SPTAG library, which is at the core of the open-sourced Python library, it was possible to generate a vector index. So, when the queries come in, the deep learning model translates that text or image into a vector and the library finds the most related vectors in that index. To explain this in detail, when an input query is converted into a vector, SPTAG is used to quickly find "approximate nearest neighbors" (ANN), or in other words, it searches the vectors that are similar to the input. The SPTAG library is now available under the MIT license and provides all of the tools for building and searching distributed vector indexes. According to the Microsoft team, the vectorizing effort has extended to over 150 billion pieces of data with Bing search which brings improvement over traditional keyword matching. Jeffrey Zhu, program manager on Microsoft’s Bing team, said, “Bing processes billions of documents every day, and the idea now is that we can represent these entries as vectors and search through this giant index of 100 billion-plus vectors to find the most related results in 5 milliseconds.” Microsoft’s official blog reads, “Only a few years ago, web search was simple. Users typed a few words and waded through pages of results. Today, those same users may instead snap a picture on a phone and drop it into a search box or use an intelligent assistant to ask a question without physically touching a device at all. They may also type a question and expect an actual reply, not a list of pages with likely answers.” The Bing team is expecting that the algorithm could be used for enterprise or consumer-facing applications for identifying a language being spoken based on an audio snippet. It could be even used for image-heavy services such as an app that lets people take pictures of flowers and for identifying what type of flower it is. It seems that there are endless possibilities with this algorithm when fused with the vector concept! To know more about this news, check out Microsoft’s blog post. #MSBuild2019: Microsoft launches new products to secure elections and political campaigns Microsoft Build 2019: Introducing Windows Terminal, application packed with multiple tab opening, improved text and more Microsoft Build 2019: Introducing WSL 2, the newest architecture for the Windows Subsystem for Linux  

At Build 2019, Microsoft showcased Web Template Studio (WebTS), a cross-platform Visual Studio Code extension, which is built by a team of Microsoft Garage interns. Yesterday, the tech giant open sourced the extension under the MIT license and announced its availability on VS Marketplace. The Visual Studio Code extension is currently only available in preview form. Explaining the vision behind developing this extension, Kelly Ng, one of the Software engineering intern who helped build it said, “A lot of times in a hackathon, you spend the whole hackathon just setting all of that up before you can start programming. With our tool, you can hook everything up in just 5 or 6 minutes.” What is Microsoft Web Template Studio? Written in TypeScript and React, Microsoft WebTS allows developers to easily create new web applications with the help of its “dev-friendly wizard”. It is built along the same lines of a Visual Studio extension, Windows Template Studio, which simplifies and accelerates the creation of Universal Windows Platform (UWP) apps. With this extension, you can generate boilerplate code for a full-stack web application by selecting your choice of front-end frameworks, back-end frameworks, pages, and cloud services. Right now, WebTS only supports React.js for frontend and Node.js for backend. In the future, the team plans to add more frameworks like Angular and Vue. The extension comes with various app page templates including blank page, common layouts, and pages that implement common patterns like grid or list. You just need to choose from these pages to add a common UI into your web app. Once you are done doing all that, you just need to specify which Azure cloud services you want to use for your project. Currently, the extension supports Azure Cosmos DB for storage and Azure Functions for compute. If you want to use the extension, just head over to Visual Studio Marketplace’s Web Template Studio page and click install. The project is still in its initial stages and the team plans to support more frameworks and services as it grows with the help of the community. In case you want to contribute, check out its GitHub repository. You can read the full announcement at Microsoft Blog. Microsoft Build 2019: Microsoft showcases new updates to MS 365 platform with focus on AI and developer productivity Microsoft Build 2019: Introducing Windows Terminal, application packed with multiple tab opening, improved text and more Microsoft announces ‘Decentralized Identity’ in partnership with DIF and W3C Credentials Community Group

At the end of January, Unity announced the ‘Obstacle Tower Challenge’ to test AI game players. The Obstacle Tower Challenge examines how AI software performs in computer vision, locomotion skills, and high-level planning. The challenge began on 11th February and will run through 24th May. Round 1 ran from 11th Feb till 31st March and the results are just in. For the first round of the challenge, Unity received 2000+ entries from 350+ teams. Now, Unity has announced the launch of the second round of the challenge. Teams who trained an agent in round one and received an average score of five on unseen versions of the tower will advance for round 2. Agents will need to account for a variety of new challenges in Obstacle Tower Environment 2.0 including enemies to dodge, distractions to avoid, and more complicated floor layouts with circling paths. What’s new in the Obstacle Tower Environment 2.0? Unity has expanded the floors in the tower from 25 to 100 with three new visual styles - Industrial, Modern, and Future. The higher floors also contain new challenges apart from the ones already present such as enemies to dodge, distracting TVs to avoid, more complex floor layouts with circling paths, and larger rooms on each floor with additional platforming challenges. Obstacle Tower Environment 2.0 has expanded on the number of available parameters which can be customized when resetting the environment. These include the ability to change things like the lighting, visual theme, floor layouts, and room contents on the floors in the tower. They have also worked on the placement of the reset button in puzzle rooms which, based on feedback from round 1, was unintuitive. So Unity has now separated out the block, goal, and reset button positions in these rooms, to make it less likely that the agent will press the reset button by accident. The Obstacle Tower Environment natively supports the Unity ML-Agents Toolkit. To learn more about the environment, you can go through their research paper. Unity has also released the final list of contestants selected for Round 2. Unity has launched the ‘Obstacle Tower Challenge’ to test AI game players Unity updates its TOS, developers can now use any third party service that integrate into Unity. Improbable says Unity blocked SpatialOS; Unity responds saying it has shut down Improbable and not Spatial OS.

Yesterday, Intel and a group of microarchitecture security researchers disclosed four new hackable vulnerabilities in Intel’s chips. These vulnerabilities expose extremely sensitive data and processes from a victim’s CPU to the attacker. Intel has grouped these vulnerabilities together and labeled them as Microarchitectural Data Sampling or MDS attacks. MDS is a sub-class of previously disclosed speculative execution side channel vulnerabilities and is comprised of four closely related CVEs. These vulnerabilities were first identified by Intel’s internal researchers and partners and independently reported to Intel by external researchers. These include: Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127 Fallout: Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126 ZombieLoad or RIDL: Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130 Microarchitectural Data Sampling Uncacheable Sampling (MDSUM) - CVE-2019-11091 Researchers have named few of these vulnerabilities as ZombieLoad, Fallout, and RIDL, or Rogue In-Flight Data Load, with ZombieLoad being the most dangerous as it can scrape more data than the rest. Intel said that the ARM and AMD are not likely vulnerable to these MDS attacks. Also, some models released last month include a fix for this problem. However, all of Intel's chips that the researchers tested, going back as early as 2008, were affected. According to a report by ZDNet, “The good news is that Intel had more than a year to get this patched, and the company worked with various OS and software vendors to coordinate patches at both the hardware and software level. Both the hardware (Intel CPU microcode updates) and software (OS security updates) protections must be installed at the same time to fully mitigate MDS attacks. If patches aren't available yet, disabling the Simultaneous Multi-Threading (SMT) feature on Intel CPUs will significantly reduce the impact of all MDS attacks.” In these new cases, researchers found that they could use speculative execution to trick Intel's processors into grabbing sensitive data that's moving from one component of a chip to another. Unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip's components, such as between a processor and its cache, the small portion of memory allocated to the processor to keep frequently accessed data close at hand. Cristiano Giuffrida, one of the researchers in the VUSec group at Vrije Universiteit Amsterdam who discovered the MDS attack said, "It's kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them. We hear anything that these components exchange." Zombieload side-channel attack Zombieload, a side-channel attack, is the leading attack among the new vulnerabilities and also falls in the same category as Meltdown, Spectre, and Foreshadow. It is exploited by taking advantage of the speculative execution process, which is an optimization technique that Intel added to its CPUs to improve data processing speeds and performance. Read Also: Seven new Spectre and Meltdown attacks found ZombieLoad gets its name from a “zombie load,” an amount of data that the processor can’t understand or properly process, forcing the processor to ask for help from the processor’s microcode to prevent a crash. Apps are usually only able to see their own data, but this bug allows that data to bleed across those boundary walls. ZombieLoad will leak any data currently loaded by the processor’s core, the researchers said. Intel said patches to the microcode will help clear the processor’s buffers, preventing data from being read. “Like Meltdown and Spectre, it’s not just PCs and laptops affected by ZombieLoad — the cloud is also vulnerable. ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device”, the TechCrunch reports. Daniel Gruss, one of the researchers who discovered the latest round of chip flaws, said it works “just like” it does on PCs and can read data off the processor. That’s potentially a major problem in cloud environments where different customers’ virtual machines run on the same server hardware. Although no attacks have been publicly reported, the researchers couldn’t rule them out nor would any attack necessarily leave a trace, they said. Gruss said it was “easier than Spectre” but “more difficult than Meltdown” to exploit — and both required a specific set of skills and effort to use in an attack. But if exploit code was compiled in an app or delivered as malware, “we can run an attack,” he said. Intel has released microcode to patch vulnerable processors. Apple, Microsoft, and Google have also released patches, with other companies expected to follow. “In a call with TechCrunch, Intel said the microcode updates, like previous patches, would have an impact on processor performance. An Intel spokesperson told TechCrunch that most patched consumer devices could take a 3 percent performance hit at worst, and as much as 9 percent in a datacenter environment. But, the spokesperson said, it was unlikely to be noticeable in most scenarios. And neither Intel nor Gruss and his team have released exploit code, so there’s no direct and immediate threat to the average user”, TechCrunch reports. Is Zombieload a security threat for Linux system? As a defense against Zombieload, a ZDNet report suggests, “To defend yourself, your processor must be updated, your operating system must be patched, and for the most protection, Hyper-Threading disabled.” Red Hat rated CVE-2018-12130(Zombieload) as a severity impact of "important," while the others have moderate severity. Greg Kroah-Hartman, the stable Linux kernel maintainer, in an announcement email wrote, “I'm announcing the release of the 5.1.2 kernel. All users of the 5.1 kernel series must upgrade. Well, kind of, let me rephrase that...All users of Intel processors made since 2011 must upgrade.” “Red Hat noted all its Linux distributions from Red Hat Enterprise Linux (RHEL) 5 on up to the new RHEL 8 are affected. Platforms based on these Linux distros, such as Red Hat Virtualization and Red Hat OpenStack, are also vulnerable”, ZDNet reports. Chris Robinson, Red Hat's product security assurance manager, explained: "These vulnerabilities represent an access restriction bypass flaw that impacts many Intel CPU's and many of the operating systems that enable that hardware. Working with other industry leaders, Red Hat has developed kernel security updates for products in our portfolio to address these vulnerabilities. We are working with our customers and partners to make these updates available, along with the information our customers need to quickly protect their physical systems, virtual images, and container-based deployments." According to a Wired post, “VUSec's Giuffrida notes that his team was paid $100,000 by Intel for their work as part of the company's "bug bounty" program that rewards researchers who warn the company about critical flaws. That's hardly the kind of money paid out for trivial issues, he points out. But he also says that Intel at one point offered VUSec only a $40,000 bug bounty, accompanied by a $80,000 "gift"—which Giuffrida saw as an attempt to reduce the bounty amount cited publicly and thus the perceived severity of the MDS flaws. VUSec refused the offer of more total money in favor of a bounty that better reflected the severity of its findings, and it threatened to opt out of a bug bounty in protest. Intel changed its offer to the full $100,000.” To know more about this news, read Intel’s official blog post. A WhatsApp vulnerability enabled attackers to inject Israeli spyware on user’s phones ChaCha20-Poly1305 vulnerability issue affects OpenSSL 1.1.1 and 1.1.0 Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability

After the recent incident of the Christ Church terrorist attack in New Zealand tech companies had scrambled to take action on time due to the speed and volume of content which was uploaded, reuploaded and shared by the users worldwide. Facebook had received severe global pressure to ‘restrict’ the use of Facebook Live considering the shootings were live streamed on its app. Following this pressure, Facebook has now decided to impose restrictions on its live streaming feature. Yesterday in a statement, Facebook declared that from now on they will start restricting users from using Facebook Live if they break certain rules-including their Dangerous Organizations and Individuals policy. What is the restriction? Facebook has called this ‘restriction’ as a ‘one strike’ policy to tighten the rules, specifically to Live. If anybody violates any serious policies like violence and criminal behavior, coordinating harm, etc they will be restricted from using Live for a set period of time– for example, 30 days – starting on their first offense. If a user shares a link to a statement from a terrorist group with no context, he/she will be immediately blocked from using Live for a set period of time. These restrictions will eventually be implemented in other areas of Facebook, like creating ads. The Facebook announcement comes on the eve of a meeting hosted by New Zealand Prime Minister Jacinda Ardern and French President Emmanuel Macron in Paris. This meeting is being conducted to confirm the "Christchurch Call" pledge that will seek participants to eliminate terrorist and violent extremist content on social media and other online platforms. The main aim of this meeting is to bring stricter laws to commit social media firms to keep terrorism and violent extremism off their platforms. Per a report by Stuff, Ardern has described the crackdown by Facebook on the abuse of its live streaming service as a good first step "that shows the Christchurch Call is being acted on". Last month, Australia had introduced hefty fines and even jail time for executives at social media companies who fail to remove violent content quickly. The new legislation could also fine companies up to 10 percent of their annual revenue. Other steps taken by Facebook One of the main challenges faced by Facebook after the Christchurch attack was to remove the edited versions of the video of the attack. These type of videos were hard to detect. For this, Facebook is investing $7.5 million in research in partnership with the University of Maryland, Cornell University and the University of California, Berkeley. Their main aim is to research new techniques to : Detect manipulated media across images, video, and audio. Distinguish between unwitting posters and adversaries who intentionally manipulate videos and photographs. Facebook also hopes to add other research partners to the initiative, which is focused on combating deepfake videos. To read their full statement, head over to Facebook newsroom website. How social media enabled and amplified the Christchurch terrorist attack How social media enabled and amplified the Christchurch terrorist attack Facebook bans six toxic extremist accounts and a conspiracy theory organization