Tech News

Two days ago, Jeremy Soller, the Redox OS BDFL (Benevolent dictator for life) shared recent developments in Redox which is a Unix-like operating system written in Rust. The Redox OS team is pretty close to running rustc, the compiler for the Rust programming language on Redox. However, dynamic libraries are a remaining area that needs to be improved. https://twitter.com/redox_os/status/1199883423797481473 Redox is a Unix-like Operating System written in Rust, aiming to bring the innovations of Rust to a modern microkernel and full set of applications. In March this year, Redox OS 0.50 was released with support for Cairo, Pixman, and other libraries and packages. Ongoing developments in Redox OS Soller says that he has been running the Redox OS on a System76 Galago Pro (galp3-c) along with the System76 Open Firmware and has found the work satisfactory till now. “My work on real hardware has improved drivers and services, added HiDPI support to a number of applications, and spawned the creation of new projects such as pkgar to make it easier to install Redox from a live disk,” quotes Soller in the official Redox OS news page. Furthermore, he notified users that Redox has also become easier to cross-compile since the redoxer tool can now build, run, and test. It can also automatically manage a Redox toolchain and run executables for Redox inside of a container on demand. However, “compilation of Rust binaries on Redox OS”, is one of the long-standing issues in Redox OS, that has garnered much attention for the longest time. According to Soller, through the excellent work done by ids1024, a member of the GSoC Project, Readox OS had almost achieved self-hosting. Later, the creation of the relibc (a C library written in Rust) library and the subsequent work done by the contributors of this project led to the development of the POSIX C compatibility library. This gave rise to a significant increase in the number of available packages. With a large number of Rust crates suddenly gaining Redox OS support, “it seemed that as though the dream of self-hosting would soon be reality”, however, after finding some errors in relibc, Soller realized, “rustc is no longer capable of running statically linked!”  Read More: Rust 1.39 releases with stable version of async-await syntax, better ergonomics for match guards, attributes on function parameters, and more Finally, the team shifted its focus to relibc’s ld_so which provides dynamic linking support for executables. However, this has caused a temporary halt to porting rustc to Redox OS. Building Redox OS on Redox OS is one of the highest priorities of the Redox OS project. Soller has assured its users that Rustc is a few months away from being run permanently. He also adds that with Redox OS being a microkernel, it is possible that even the driver level could be recompiled and respawned without downtime, which will make the operating system exceedingly fast to develop. In the coming months, he will be working on increasing the efficiency of porting more software and tackling more hardware support issues. Eventually, Soller hopes that he will be able to successfully develop Redox OS which would be a fully self-hosted, microkernel operating system written in Rust. Users are excited about the new developments in Redox OS and have thanked Soller for it. One Redditor commented, “I cannot tell you how excited I am to see the development of an operating system with greater safety guarantees and how much I wish to dual boot with it when it is stable enough to use daily.” Another Redditor says, “This is great! Love seeing updates to this project 👍” https://twitter.com/flukejones/status/1200225781760196609 Head over to the official Redox OS news page for more details. AWS will be sponsoring the Rust Project A Cargo vulnerability in Rust 1.25 and prior makes it ignore the package key and download a wrong dependency Rust 1.38 releases with pipelined compilation for better parallelism while building a multi-crate project Homebrew 2.2 releases with support for macOS Catalina ActiveState adds thousands of curated Python packages to its platform

Yesterday, the project manager of Homebrew, Mike McQuaid, announced the release of Homebrew 2.2. This is the third release of Homebrew this year. Some of the major highlights of this new version include support to macOS Catalina, faster implementations of  HOMEBREW_AUTO_UPDATE_SECS and brew upgrade’s post-install dependent checking, and more. Read More: After Red Hat, Homebrew removes MongoDB from core formulas due to its Server Side Public License adoption New key features in Homebrew 2.2 Homebrew will now support macOS Catalina (10.15), support to macOS Sierra (10.12) and older are unsupported The speed of the no-op case for HOMEBREW_AUTO_UPDATE_SECS has become extremely fast and defaults to 5 minutes instead of 1 The brew upgrade will no longer give an unsuccessful error code if the formula is up-to-date. Homebrew upgrade’s post-install dependent checking is now exceedingly faster and reliable. Homebrew on Linux has updated and raised its minimum requirements. Starting from Homebrew 2.2, the software package management system will use OpenSSL 1.1. The Homebrew team has disabled the brew tap-pin since it was buggy and not much used by Homebrew maintainers. It will stop supporting Python 2.7 by the end of 2019 as it will reach EOL. Read More: Apple’s MacOS Catalina in major turmoil as it kills iTunes and drops support for 32 bit applications Many users are excited about this release and have appreciated the maintainers of Homebrew for their efforts. https://twitter.com/DVJones89/status/1199710865160843265 https://twitter.com/dirksteins/status/1199944492868161538 A user on Hacker News comments, “While Homebrew is perhaps technically crude and somewhat inflexible compared to other and older package managers, I think it deserves real credit for being so easy to add packages to. I contributed Homebrew packages after a few weeks of using macOS, while I didn't contribute a single package in the ten years I ran Debian. I'm also impressed by the focus of the maintainers and their willingness for saying no and cutting features. We need more of that in the programming field. Homebrew is unashamedly solely for running the standard configuration of the newest version of well-behaved programs, which covers at least 90% of my use cases. I use Nix when I want something complicated or nonstandard.” To know about the features in detail, head over to Hombrew’s official page. Announcing Homebrew 2.0.0! Homebrew 1.9.0 released with periodic brew cleanup, beta support for Linux, Windows and much more! Homebrew’s Github repo got hacked in 30 mins. How can open source projects fight supply chain attacks? ActiveState adds thousands of curated Python packages to its platform Firefox Preview 3.0 released with Enhanced Tracking Protection, Open links in Private tab by default and more

On Tuesday, ActiveState a Canadian software company announced to add thousands of Python packages to its ActiveState Platform. ActiveState helps enterprises scale securely with open source languages and offers developers various tools to work on. More than 2 million developers and 97% of Fortune 1,000 enterprises use ActiveState to support mission-critical systems and speed up their software development process. The ActiveState Platform is a SaaS platform for open source language automation to centrally build, certify and resolve runtime environments. It incorporates more than 20 years of engineering expertise in order to automate much of the complexity associated with building, maintaining and sharing Python and Perl runtimes. With minimal knowledge, a developer can automatically build open source language runtimes, resolve dependencies, and certify it against compliance and security criteria. The result is a consistent, reproducible runtime from development to production. In this latest installment, the company has added more than 50,000 package versions covering the most popular Python 2 and 3 packages, as well as their dependencies. These dependencies can be automatically resolved, built and packaged into runtimes to eliminate issues. “Python is one of the most popular programming languages on the planet right now, so it's no wonder that the majority of the more than 200,000 developers on the ActiveState Platform are asking us to do more to support their Python development efforts. In order to ensure our customers can automatically build all Python packages, even those that contain C code, we're designing systems to vet the code and metadata for every package in PyPI. Today's release is a significant first step toward that goal.” says Jeff Rouse, Vice president, product management at ActiveState. The company is preparing itself for Python 2 EOL and in the process, it has vetted thousands of key Python 2 packages critical to the support of customers' Python 2 applications. In addition, the company has added many of the most popular Python 3 packages to support the efforts of their broad and wide customer base. It is a significant milestone on the road to make all of the Python Package Index (PyPI) available on the ActiveState Platform. To know more about this news, check out the official press release by the company. Listen: How ActiveState is tackling “dependency hell” by providing enterprise-level support for open source programming languages [Podcast] Introducing ActiveState State Tool, a CLI tool to automate dev & test setups, workflows, share secrets and manage ad-hoc tasks Python 3.9 alpha 1 is now ready for testing PyPI announces 2FA for securing Python package downloads Getting Started with Python Packages

Earlier this month, the Firefox team released the Firefox Preview 3.0 with various features to make browsing and bookmarking safer and easier. This release features a default Enhanced Tracking Protection feature for all users, and notifications support for long-running downloads. Key features in Firefox Preview 3.0 Enhanced tracking protection The Enhanced tracking protection will protect you from ads, analytics, cryptomining and fingerprinting trackers. Open links in private tabs by default Firefox Preview 3.0 lets you open pages directly in private browsing, so you can search and browse without saving any history on the browser. Option to clear browsing information on exit The Quit option in the menu automatically deletes your browsing history every time they exit Firefox through that Quit option. Option to choose what information should be synced across devices  In this release you can choose what types of browsing information should be synced across devices. Set an autoplay or background behavior The latest Firefox Preview gives you lots of options for playing video and audio on phones, including background playback and auto-play settings. See and manage downloads You can easily download files from various sites within Firefox Preview. A progress bar displays in the Notifications panel when the download begins, giving you the ability to pause/resume or cancel the download. If the download fails, tap Try Again to restart it. If the download is successful, a confirmation pop-up displays where you can tap Open to open the file. Updated browser menu An updated browser menu has replaced the Quick Action bar present in older versions of Firefox. Manually add search engines Firefox Preview gives the ability to set a default search engine. There are a variety of search engines to choose from such as Google and Bing. You can also manually add other search engines and set them as your default. Move the navigation bar to the top or bottom By default, the Firefox Preview navigation bar displays at the bottom of the app. However, you can move it to the top of the app if desired. Force enable zoom With this, you’ll always have the ability to zoom in when accessing various websites. You can use the + sign that displays at the bottom of every website within Firefox Preview to zoom in if necessary. To know more about this release in detail, check out the official Firefox blog page. Firefox 70 released with better security, CSS, and JavaScript improvements The new WebSocket Inspector will be released in Firefox 71 Mozilla brings back Firefox’s Test Pilot Program with the introduction of Firefox Private Network Beta Firefox 69 allows default blocking of third-party tracking cookies and cryptomining for all users Scroll Snapping and other cool CSS features come to Firefox 68

On November 26, the Kali Linux team announced its fourth and final release of 2019, Kali Linux 2019.4, which is readily available for download. A few features of Kali Linux 2019.4 include a new default desktop environment, Xfce; a new GTK3 theme (for Gnome and Xfce); Kali Undercover” mode, the kernel has been upgraded to version 5.3.9, and much more. Talking about ARM the team highlighted, “2019.4 is the last release that will support 8GB sdcards on ARM. Starting in 2020.1, a 16GB sdcard will be the minimum we support.” What’s new in Kali Linux 2019.4? New desktop environment, Xfce and GTK3 theme The much-awaited desktop environment update is here. The older versions had certain performance issues resulting in fractured user experience. To address this, they developed a new theme running on Xfce. Its lightweight design can run on all levels of Kali installs. The new theme can handle various needs of the average user with no changes. It uses standard UI concepts and there is no learning curve to it. It looks great with modern UI elements that make efficient use of screen space. Kali Undercover mode For pentesters doing their work in a public environment, the team has made a little script that will change the user’s Kali theme to look like a default Windows installation. This way, users can work a bit more incognito. “After you are done and in a more private place, run the script again and you switch back to your Kali theme. Like magic!”, the official blog post reads. BTRFS during setup Another significant new addition to the documentation is the use of BTRFS as a root file system. This gives users the ability to do file system rollbacks after upgrades. In cases when users are in a VM and about to try something new, they will often take a snapshot in case things go wrong. However, running Kali bare metal is not easy. There is also a manual clean up included. With BTRFS, users can have a similar snapshot capability on a bare metal install! NetHunter Kex – Full Kali Desktop on Android phones With NetHunter Kex, users can attach their Android devices to an HDMI output along with Bluetooth keyboard and mouse and get a full, no compromise, Kali desktop from their phones. To get a full breakdown on how to use NetHunter Kex, check out its official documents on the Kali Linux website. Kali Linux users are excited about this release and look forward to trying the newly added features. https://twitter.com/firefart/status/1199372224026861568 https://twitter.com/azelhajjar/status/1199648846470615040 To know more about other features in detail, read the Kali Linux 2019.4  official release on Kali Linux website. Glen Singh on why Kali Linux is an arsenal for any cybersecurity professional [Interview] Kali Linux 2019.1 released with support for Metasploit 5.0 Kali Linux 2018 for testing and maintaining Windows security – Wolf Halton and Bo Weaver [Interview]

The Julia team yesterday announced a new version of the language, Julia v1.3. A few highlights of this release include new language features such as support for Unicode 12.1.0, support for Unicode bold digits and double-struck digits 0 through 9 as valid identifiers, and many more. What’s new in Julia v1.3? In this latest Julia v1.3, methods can now be added to an abstract type. Also, the syntax var"#str#" for printing and parsing non-standard variable names have been added. Multi-threading changes New experimental Threads.@spawn macro runs a task on any available thread. All system-level I/O operations (e.g. files and sockets) are now thread-safe. This does not include subtypes of IO that are entirely in-memory, such as IOBuffer, although it specifically does include BufferStream. The global random number generator (GLOBAL_RNG) is now thread-safe (and thread-local). New Channel(f::Function, spawn=true) keyword argument to schedule the created Task on any available thread, matching the behavior of Threads.@spawn. Simplified the Channel constructor, which is now easier to read and more idiomatic julia. Use of the keyword arguments csize and ctype is now discouraged. New library functions findfirst, findlast, findnext and findprev now accept a character as first argument to search for that character in a string passed as the second argument. Added new findall(pattern, string) method where pattern is a string or regex. Added sincosd(x) to simultaneously compute the sine and cosine of x, where x is in degrees (#30134). The function nonmissingtype, which removes Missing from type unions, has been exported. Standard library changes Regex can now be multiplied (*) and exponentiated (^), like strings. Cmd interpolation (`$(x::Cmd) a b c` where) now propagates x's process flags (environment, flags, working directory, etc) if x is the first interpolant and errors otherwise. Zero-dimensional arrays are now consistently preserved in the return values of mathematical functions that operate on the array(s) as a whole (and are not explicitly broadcasted across their elements). Previously, the functions +, -, *, /, conj, real and imag returned the unwrapped element when operating over zero-dimensional arrays. mod now accepts a unit range as the second argument to easily perform offset modular arithmetic to ensure the result is inside the range. Julia v1.3 also includes changes in other libraries including Libdl, LinearAlgebra, SparseArrays, Dates, Statistics, Sockets, and a few more. According to the team, @spawn expr from the Distributed standard library should be replaced with @spawnat :any expr. Also, Threads.Mutex and Threads.RecursiveSpinLock have been removed; developers suggest using ReentrantLock (preferred) or Threads.SpinLock instead. Another tooling improvement includes the ClangSA.jl static analysis package has been imported, which makes use of the clang static analyzer to validate GC invariants in Julia's C code. The analysis may be run using make -C src analyzegc. Users are excited to try out Julia v1.3. A user on Hacker News commented, “By far the most interesting part of this release is the new multi-threading features.” To know more about this news in detail, head over to Julia v1.3 release notes. The Julia team shares its finalized release process with the community Julia v1.2 releases with support for argument splatting, Unicode 12, new star unary operator, and more. Julia co-creator, Jeff Bezanson, on what’s wrong with Julialang and how to tackle issues like modularity and extension

Last month, Vinny Troia, the founder of Data Viper and Bob Diachenko, an independent cybersecurity consultant discovered a “wide-open” Elasticsearch server. The server exposed the personal information of about 1.2 billion unique users including their names, email addresses, phone numbers, LinkedIn and Facebook profile information. The Elasticsearch server did not have any kind of authentication whatsoever and was accessible via a web browser. "No password or authentication of any kind was needed to access or download all of the data," the report adds. What the investigation on the Elasticsearch server revealed Troia and Diachenko came across the Elasticsearch server while looking for exposures on the web scanning services BinaryEdge and Shodan. Upon further investigation, the researchers speculated that the data originated from two different data enrichment companies: People Data Labs and  OxyData.io. Data enrichment, as the name suggests, is a process of enhancing the existing raw data to make it useful for businesses. Data enrichment companies can provide access to large stores of data merged from multiple third-party sources, which enables businesses to gain deeper insights into their current and potential customers. Elasticsearch stores its data in an index, which is similar to a ‘database’ in a relational database. The researchers found that the majority of the data spanned four separate data indexes, labeled “PDL” and “OXY”. Also, each user record was labeled with a “source” field that matched either PDL or Oxy, respectively. After the researchers de-duplicated the nearly 3 billion user records with the PDL index, they found roughly 1.2 billion unique people and 650 million unique email addresses. These numbers matched with the statistics provided by the company on their website. The data within the three PDL indexes included slightly varied information. While some focused on scraped LinkedIn information, email addresses and phone numbers, others included information on individual social media profiles such as a person’s Facebook, Twitter, and Github URLs. After analyzing the data under the OXY index, the researchers found scrape of LinkedIn data, including recruiter information. What made the case confusing was that the Elasticsearch server was hosted on Google Cloud Services, while People Data Labs appears to be using Amazon Web Services. When contacted about the Elasticsearch server, both the companies denied that the server belonged to them. In an interview with Wired, PDL co-founder Sean Thorne said, “The owner of this server likely used one of our enrichment products, along with a number of other data-enrichment or licensing services. Once a customer receives data from us, or any other data providers, the data is on their servers and the security is their responsibility. We perform free security audits, consultations, and workshops with the majority of our customers." This news sparked a discussion on Hacker News. While some users were stunned by the sheer negligence of leaving the Elasticsearch server wide-open, others were questioning the core business model of these companies. A user commented, “It has to exist on a private network behind a firewall with ports open to application servers and other es nodes only. Running things on a public IP address is a choice that should not be taken lightly. Clustering over the public internet is not a thing with Elasticsearch (or similar products).” “It's a tragedy that all of this data was available to anyone in a public database instead of.... checks notes... available to anyone who was willing to sign up for a free account that allowed them 1,000 queries. It seems like PDL's core business model is irresponsible regarding their stewardship of the data they've harvested,” another user added. Read the full report on Data Viper’s official website. Adobe confirms security vulnerability in one of their Elasticsearch servers that exposed 7.5 million Creative Cloud accounts Following Capital One data breach, GitHub gets sued and AWS security questioned by a U.S. Senator US Customs and Border Protection reveal data breach that exposed thousands of traveler photos and license plate images

NVIDIA announced the release of CUDA 10.2 last week. This is the last version to have macOS support for developing CUDA applications and will be completely dropped in the next release. Other updates include libcu++, new interoperability APIs, and more. Key updates in CUDA 10.2 General CUDA 10.2 updates New APIs: CUDA 10.2 ships with CUDA Virtual Memory Management APIs. New interoperability APIs are added for buffer allocation, synchronization, and streaming. However, these are in beta and may change in future releases. Support for new operating systems: This release adds support for a few new operating systems including Fedora 29, Red Hat Enterprise Linux (RHEL) 7.x and 8.x, OpenSUSE 15.x, SUSE SLES 12.4 and SLES 15.x, Ubuntu 16.04.6 LTS and Ubuntu 18.04.3 LTS. In CUDA 10.2, RHEL 6.x is deprecated and support will be dropped in the next release of CUDA. Increased texture size limit for Maxwell+ GPUs: The 1D linear texture size limit for Maxwell+ GPUs in CUDA is now increased to 2^28. Updates in CUDA tools The Nvidia CUDA Compiler (NVCC) now has support for Clang 8.0 and Xcode 10.2 as host compilers. There is a new -forward-unknown-to-host-compiler option that allows forwarding options not recognized by NVCC to the host compiler. Visual Profiler and NVProf now allow tracing features for non-root and non-admin users on desktop platforms. The events and metrics profiling is still restricted to non-root and non-admin users. Also, starting with CUDA 10.2, Visual Profiler and NVProf use dynamic/shared CUPTI library. Users are required to set the path to the CUPTI library before launching Visual Profiler and NVProf. Updates in CUDA libraries cuBLAS: The cuBLAS library is a fast GPU-accelerated implementation of the standard basic linear algebra subroutines (BLAS). In CUDA 10.2, performance is further improved on some large and other GEMM sizes due to increased internal workspace size. cuSOLVER: This library includes a collection of direct solvers that deliver significant acceleration for computer vision, CFD, and linear optimization apps. In this release, a new Tensor Cores Accelerated Iterative Refinement Solver (TCAIRS) is introduced. The cusolverMg library includes ‘cusolverMgGetrf’ and ‘cusolverMgGetrs’ to support multi-GPU LU. cuFFT: This library provides GPU-accelerated FFT implementations that perform up to 10x faster than CPU-only alternatives. This release comes with improved performance and scalability for these use cases: multi-GPU non-power of 2 transforms, R2C and Z2D odd-sized transforms, 2D transforms with small sizes and large batch counts These were a few updates in CUDA 10.2. Read the official release notes to know what else has shipped with this release. CUDA 10.1 released with new tools, libraries, improved performance and more Implementing color and shape-based object detection and tracking with OpenCV and CUDA [Tutorial] NVIDIA releases Kaolin, a PyTorch library to accelerate research in 3D computer vision and AI

Update: Mozilla declared on the 28th November, that they now support the Contract for the Web. However, they have not signed the contract yet but would consider doing so if stronger accountability measures are added. Mozilla said they would "like to see a clear method for accountability as part of the signatory process, particularly since some of the big tech platforms are high profile signatories." Tim Berners-Lee has been talking extensively about his plans to save the web in the past, also sharing a detailed outline which he called a ‘Contract for the Web’. Over the weekend, he finally launched this global plan to fight misinformation, fake news and propaganda, and other privacy violations. Berners-Lee had outlined his vision at the Web Summit event last year. He wanted to restore some degree of equilibrium and transparency to the digital realm. He had listed down three sources of problems that are affecting today’s web. Deliberate, malicious intent, such as state-sponsored hacking and attacks, criminal behavior, and online harassment. System design that creates perverse incentives where user value is sacrificed, such as ad-based revenue models that commercially reward clickbait and the viral spread of misinformation. Unintended negative consequences of benevolent design, such as the outraged and polarised tone and quality of online discourse. Although Berners-Lee was relatively light on detail at that time, the full contract was due to be published in May 2019. The plan got delayed by almost 6 months and was completely unveiled on Saturday, 23rd November 2019. The agenda of this Contract is to make the online world safe, empowering and genuinely welcoming for everyone. Contract for the Web outlines nine principles inviting governments, companies, civil society organizations and individuals to back the Contract and uphold its principles and clauses. The contract has nine core principles, while underneath them is a total of 76 clauses. Contract for the Web has been worked on by 80 organizations for more than a year. It has the backing of more than 150 organizations, from Microsoft, Google, Facebook, Twitter, Reddit, DuckDuckGo along with the digital rights group the Electronic Frontier Foundation. Amazon remained notable absent from endorsing the principles. The nine principles of ‘Contract for the Web’ For Governments Ensure everyone can connect to the internet By setting and tracking ambitious policy goals By designing robust policy-frameworks and transparent enforcement institutions to achieve such goals By ensuring systematically excluded populations have effective paths towards meaningful internet access Keep all of the internet available, all of the time By establishing legal and regulatory frameworks to minimize government-triggered internet disruptions, and ensure any interference is only done in ways consistent with human rights law By creating the capacity to ensure demands to remove illegal content are done in ways that are consistent with human rights law By promoting openness and competition in both internet access and content layers Respect and protect people’s fundamental online privacy and data rights By establishing and enforcing comprehensive data protection and rights frameworks By requiring that government demands for access to private communications and data are necessary and proportionate to the aim pursued By supporting and monitoring privacy and online data rights For Companies Make the internet affordable and accessible to everyone By crafting policies that address the needs of systematically excluded groups By working towards an ever-increasing quality of service. By ensuring full use of the internet by all, through close coordination with Government and Civil Society Respect and protect people’s privacy and personal data to build online trust By giving people control over their privacy and data rights, with clear and meaningful choices to control processes involving their privacy and data By supporting corporate accountability and robust privacy and data protection by design By making privacy and data rights equally available to everyone Develop technologies that support the best in humanity and challenge the worst By being accountable for their work, through regular reports By engaging with all communities in an inclusive way By investing in and supporting the digital commons For Citizens Be creators and collaborators on the Web by being active participants in shaping the Web, including content and systems made available through it. Build strong communities that respect civil discourse and human dignity by working towards a more inclusive Web. Fight for the Web by being active citizens so the Web remains open and a global public resource for people everywhere, now and in the future. Launching the Contract, Sir Tim said, “The power of the web to transform people’s lives, enrich society and reduce inequality is one of the defining opportunities of our time. But if we don’t act now — and act together — to prevent the web being misused by those who want to exploit, divide and undermine, we are at risk of squandering that potential. He added, “The forces taking the web in the wrong direction have always been very strong, whether you’re a company or a government, controlling the web is a way to make huge profits or a way of ensuring you remain in power. The people are arguably the most important part of this because it’s only the people who will be motivated to hold the other two to account.” The plan releases at a crucial moment in time as large internet companies like Facebook and Google are facing heightened regulatory pressure over how they handle consumers’ information and protect their privacy. Recently, Amnesty International released a new report calling for a radical transformation of the tech giants’ core business model. It said that Facebook and Google’s omnipresent surveillance of billions of people poses a systemic threat to human rights. Actor and comedian Sacha Baron Cohen also attacked  Facebook and other social media platforms in his speech at the Anti-Defamation League (ADL). He criticized them for enabling the proliferation of hate speech and misinformation describing Facebook as “the greatest propaganda machine in history”. However, the fact that Google and Facebook have signed up for this plan raised eyebrows. A comment on Hacker news reads, “Does Google and Facebook "signing" it means they agree to abide by the plan? If not, signing it means nothing. If so, then either they are lying, or the plan imposes so few restrictions that it is worthless.” The plan itself was met with mixed reactions on social media. While some appreciated and backed the contract. https://twitter.com/dsmooney/status/1198785438976221184 https://twitter.com/hopkinsdavid/status/1198859610481934336 Others felt that the plan isn't taking any strong stances and provides zero actionable guidance. A comment on Hacker News reads, “I'm sorry, but this just sounds like a bunch of feel-good babble that isn't taking anything seriously. Free speech? Fundamental rights? "Support the best in humanity"? "Build strong communities"? Yes, these are all good things. But also all in deep, fundamental conflict with each other. Moral and political philosophers have been debating how to resolve them for centuries... and the disagreements are just as strong as ever.” Another said, “This new scheme is a sort of UN for Web 1.0? And, like the UN, one that is totally powerless beyond sternly written letters and is governed by some of the greatest infringers of the very rights it's claiming to protect?” You can back the Contract for the Web at contractfortheweb.org. Read the full contract here. Tim Berners-Lee is on a mission to save the web he invented WWW turns 30: Tim Berners-Lee, its inventor, shares his plan to save the Web from its current dysfunctions Sir Tim Berners-Lee on digital ethics and socio-technical systems at ICDPPC 2018

Last week, Google notified its users that Cloud Print, Google’s cloud-based printing solution will not receive any support after December 31, 2020. The Cloud Print service has been in beta since 2010. It is a technology that enables users to print data from any Cloud Print-aware application like web, desktop, mobile in the network cloud to any printer. Google also advised its users to migrate to an alternate native printing solution before the beginning of 2021. In the short support note, Google says that it has improved the native printing experience for Chrome OS users and will continue adding new features to it. “For environments besides Chrome OS, or in multi-OS scenarios, we encourage you to use the respective platform’s native printing infrastructure and/or partner with a print solutions provider,” adds Google. Native print management features currently or will be supported by Chrome OS by the end of 2019 Admin console interface will manage thousands of CUPS-based printers for users, devices, and managed guests by organizational unit. The admin console policy will manage user printing defaults for 2-sided (duplex) and color. Support for advanced printing attributes like stapling, paper trays, pin printing. The admin console policy will include user account and filename in IPP header of print job over a secure IPPS connection. This will enable third-party printing features such as secure printing and print-usage tracking. PIN code printing will also be managed by the admin console policy. It will allow users to enter pin code when sending the print job. It will also release the print job for printing the pin code into the printer keypad. Read More: Google Chrome ‘secret’ experiment crashes browsers of thousands of IT admins worldwide New print management features to be available for Chrome OS before 2021 New support for external CUPS print servers, including authentication. A Policy that will configure connections to external CUPS print servers. APIs for third-parties to access print job metadata, submit print jobs and printer management capabilities. Google has always been infamous for killing its own products. This year they have retired many products like the Trips app, Google Inbox, and Hire by Google to name a few. Read More: Why Google kills its own products Many users have expressed their disappointment with the retirement of Cloud Print. https://twitter.com/Filmtographer/status/1197684347526144000 https://twitter.com/Jamie00015/status/1197863088017608704 https://twitter.com/dietler/status/1197692376149413888 A user on Hacker News labeled Google to be the ‘land of the walking-dead projects’. The comment read, “Good news: they give you a year to transition. Bad news: you'll have to buy a new printer if it doesn't play nicely with CUPS. Google really is the land of walking-dead projects.” Google starts experimenting with Manifest V3 extension in Chrome 80 Canary build Google releases patches for two high-level security vulnerabilities in Chrome, one of which is still being exploited in the wild Google AI introduces Snap, a microkernel approach to ‘Host Networking’ Are we entering the quantum computing era? Google’s Sycamore achieves ‘quantum supremacy’ while IBM refutes the claim Smart Spies attack: Alexa and Google Assistant can eavesdrop or vish (voice phish) unsuspecting users, disclose researchers from SRLabs

Yesterday, Maddie Stone, a Security Researcher in the Google Project Zero team shared a detailed analysis of the use-after-free Android Binder vulnerability. The vulnerability, tracked under CVE-2019-2215 was being exploited in-the-wild affecting most Android devices manufactured before fall last year. Stone's post goes into detail about how they discovered this Android Binder vulnerability, its technical details, how it can be exploited, and its fix. Along with these details, she also shared that the Project Zero team is working on improving their approach of handling "in-the-wild" zero-day exploits under the mission "make zero-day hard." Their current approach is to hunt for bugs based on rumors or leads and patch the bug, perform variant analysis to find similar vulnerabilities and patch them. Finally, sharing the complete detailed analysis of the exploit with the community. The use-after-free Android Binder vulnerability The use-after-free Android Binder vulnerability is a local privilege escalation vulnerability that gives the attacker full read and write access to a vulnerable device. It is not new though. Back in 2017, Szybot, a syzkaller system reported it to both the Linux kernel and syzkaller-bugs mailing lists. In February 2018, it was patched in the Linux 4.14, Android 3.18, Android 4.4, and Android 4.9 kernels. The patch, however, never made it to the Android monthly security bulletin leaving many already released devices such as Pixel and Pixel 2 vulnerable to an exploit. Then in late summer 2019, the NSO Group, an Israel-based technology firm known for its Pegasus spyware, informed Project Zero about an Android zero-day exploit that was part of an attack chain that installed Pegasus spyware on target devices. Based on the details shared by the NSO Group Stone was able to track down the bug in Android Binder. Project Zero reported the Android Binder vulnerability to Android on September 27. In the report Stone has shared a list of devices that appear to be vulnerable: “Other devices which appear to be vulnerable based on source code review are (referring to 8.x releases unless otherwise stated): 1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/) 2) Huawei P20 3) Xiaomi Redmi 5A 4) Xiaomi Redmi Note 5 5) Xiaomi A1 6) Oppo A3 7) Moto Z3 8) Oreo LG phones (run the same kernel according to the website) 9) Samsung S7, S8, S9 “ After reporting the Android Binder vulnerability to Android, the team publicly disclosed it on October 3 and three days later Android added updates to the October Android Security Bulletin. In a statement to the Project Zero team, Android shared, "Android partners were notified of the bug and provided updates to address it within 24 hours. Android also assigned CVE-2019-2215 to explicitly indicate that it represents a security vulnerability as the original report from syzkaller and the corresponding Linux 4.14 patch did not highlight any security implications.” The statement further reads, “Pixel 3 and 3a were already protected against these issues. Updates for affected Pixel devices were available to users as early as October 7th, 2019.” To read more about the exploit, check out Stone’s blog post: Bad Binder: Android In-The-Wild Exploit. Also, check out the proof-of-concept exploit that Stone wrote together with Jann Horn, a fellow team member. The PoC demonstrates how this vulnerability can be used to gain arbitrary read and write permissions when run locally. StackRox Kubernetes Security Platform 3.0 releases with advanced configuration and vulnerability management capabilities An unpatched vulnerability in NSA’s Ghidra allows a remote attacker to compromise exposed systems 10 times ethical hackers spotted a software vulnerability and averted a crisis  

Reinforcement learning (RL) agents explore their environments to learn optimal policies by trial and error method. In such environments, one of the critical concerns is the safety of all the agents involved in the experiment. Though, currently, the reinforcement learning agents are mostly executed in simulation, there is a possibility that increased simulation complexities of the real world, will make the safety concerns paramount. To undertake safe exploration as a critical focus of the reinforcement learning research, a group of OpenAI researchers have proposed a new standardized constrained reinforcement learning (RL) method to incorporate safety specifications into reinforcement learning algorithms to achieve safe exploration. The major challenge of reinforcement learning is handling the trade-offs between competing objectives, such as task performance and satisfying safety requirements. However, in constrained reinforcement learning, “we don’t have to pick trade-offs—instead, we pick outcomes, and let algorithms figure out the trade-offs that get us the outcomes we want,” states OpenAI. Consequently, the researchers believe “constrained reinforcement learning may turn out to be more useful than normal reinforcement learning for ensuring that agents satisfy safety requirements.” Read More: OpenAI’s AI robot hand learns to solve a Rubik RLusing Reinforcement learning and Automatic Domain Randomization (ADR) The field of reinforcement learning has greatly progressed in recent years, however, different implementations use different environments and evaluation procedures. Hence, the researchers believe that there is a deficiency of a standard set of environments for making progress on safe exploration specifically. To this end, the researchers present Safety Gym, a suite of tools for accelerating safe exploration research. Safety Gym is a benchmark suite of 18 high-dimensional continuous control environments for safe exploration, 9 additional environments for debugging task performance separately from safety requirements, and tools for building additional environments. https://twitter.com/OpenAI/status/1197559989704937473 How does a Safety Gym prioritize safety exploration in reinforcement learning Safety Gym consists of two components, out of which first is an environment-builder that allows a user to create a new environment by mixing and matching from a wide range of physics elements, goals, and safety requirements. The other component of Safety Gym is a suite of pre-configured benchmark environment to standardize the measure of progress on the safe exploration problem. It is implemented as a standalone module that uses the OpenAI Gym interface for instantiating and interacting with reinforcement learning environments. It also uses the MuJoCo physics simulator to construct and forward-simulate each environment. In line with the proposal of standardizing constrained reinforcement learning, each Safety Gym environment provides a separate objective for task performance and safety. These objectives are conveyed via a reward function and a set of auxiliary cost functions respectively. Key features of Safety Gym Since there exists a gradient of difficulty across benchmark environments, it allows practitioners to quickly perform the simplest tasks before proceeding to the hardest ones. Each distribution layer of the Safety Gym benchmark environments is continuous and minimally restricted, thus allowing essentially infinite variations within each environment. It is highly extensible. The Safety Gym tools enables easy building of new environments with different layout distributions. In all Safety Gym environments, an agent perceives the surrounding through a robot’s sensors and interacts with the world through its actuators. It is shipped with three pre-made robots. Three pre-made robots included in the Safety Gym suite Point is a simple robot that is limited to the 2D plane. It uses one actuator for turning and another for moving forward or backward. It has a front-facing small square which helps it with the Push task. Car has two independently-driven parallel wheels and a free-rolling rear wheel. For this robot, turning and moving forward or backward require coordinating both of the actuators. Doggo is a quadrupedal robot with bilateral symmetry.  Each of the four legs has two controls at the hip, and one in the knee which controls the angle. It is designed such that a uniform random policy should keep the robot from falling over and generate some travel.  Image source: Research paper These three environment-builders currently support three main tasks of Goal, Button and Push. All the tasks in Safety Gym are mutually exclusive and can work on only one task at a time. It supports five main kinds of elements relevant to safety requirements like Hazards (dangerous areas to avoid), Vases (Objects to avoid), Pillars (Immobile obstacles), Buttons (Incorrect goals), and Gremlins (Moving objects). All the types of constraint elements pose different challenges for the agent to avoid. General trends observed during the experiment After conducting experiments on the unconstrained and constrained reinforcement learning algorithms on the constrained Safety Gym environments, the researchers found that the unconstrained reinforcement learning algorithms are able to score high returns by taking unsafe actions, as measured by the cost function. On the other hand, the constrained reinforcement learning algorithms attain lower levels of return, and correspondingly maintain desired levels of costs. Also, they found that the standard reinforcement learning is able to control the Doggo robot and can acquire complex locomotion behavior, as indicated by high returns in the environments when trained without constraints. However,despite the success of constrained reinforcement learning when locomotion requirements are absent, and the success of standard reinforcement learning when locomotion is needed, the constrained reinforcement learning algorithms struggled to learn the safe locomotion policies. The researchers also state that additional research is needed to develop constrained reinforcement learning algorithms that can solve more challenging tasks. Thus the OpenAI researchers propose a standardized constrained reinforcement learning as the main formalism for safe exploration. They also introduce Safety Gym which is the first benchmark of high-dimensional continuous control environments for evaluating the performance of constrained reinforcement learning algorithms. The researchers have also evaluated baseline unconstrained and constrained reinforcement learning algorithms on Safety Gym environments to clarify the current state of the art in safe exploration. Many have appreciated Safety Gym’s feature of prioritizing ‘safety’ first in AI. https://twitter.com/gicorit/status/1197594242715131904 https://twitter.com/tupjarsakiv/status/1197597397918126085 Interested reader can read the research paper for more information on Safety Gym. Open AI researchers advance multi-agent competition by training AI agents in a simple hide and seek environment What does a data science team look like? NVIDIA releases Kaolin, a PyTorch library to accelerate research in 3D computer vision and AI Baidu adds Paddle Lite 2.0, new development kits, EasyDL Pro, and other upgrades to its PaddlePaddle deep learning platform LG introduces Auptimizer, an open-source ML model optimization tool for efficient hyperparameter tuning at scale

Three days ago, the team behind Python announced the release of Python 3.9.0a1, which is the first out of the six planned alpha releases of Python 3.9. The final stable version of Python 3.9 is slated to release in May 2020. An alpha release indicates that developers can start testing the new features and check for bug fixes but are not recommended to use it in production. Last month, the previous stable version, Python 3.8 was released with features like walrus operator, positional-only parameters support for Vectorcall. Read More: Core Python team confirms sunsetting Python 2 on January 1, 2020 Let’s look at some of the raw features that you can be expected in the upcoming Python 3.9 version. Some improvements introduced in Python 3.9.0a1 Language Changes The __import__() function which is invoked by the import statement will now raise ImportError instead of ValueError. In the previous versions, the latter used to occur when a relative import went past its top-level package. Starting from Python 3.9.0a1, the absolute path of the script filename will be specified on the command line: the __file__ attribute of the __main__ module. The sys.argv[0] and sys.path[0] will become an absolute path rather than a relative path. Also, the traceback will now display the absolute path for __main__ module frames in this case. The encoding and errors arguments in the debug build and development mode will now be checked in the string encoding and decoding operations. Improved Modules ast: It is added in the indent option to dump() and produces a multi-line indented output. asyncio: It can now use coroutine which is a generalized form of subroutines. Subroutines enter and exit at only two different points, while coroutines can be entered, exited, and resumed at many points. Moreover, asyncio.run() is updated to use the new coroutine. New functions like curses.get_escdelay(), curses.set_escdelay(), curses.get_tabsize(), and curses.set_tabsize() and constants F_OFD_GETLK, F_OFD_SETLK and F_OFD_SETLKW is included in Python 3.9.0a1. Few Python users have already started testing the Python 3.9.0a1 release. https://twitter.com/codewithanthony/status/1197559895744110592 The next alpha release for Python 3.9 is scheduled for 16th December 2019. To know more about Python 3.9.0a1, check out the official documentation. Introducing Spleeter, a Tensorflow based python library that extracts voice and sound from any music track Severity issues raised for Python 2 Debian packages for not supporting Python 3 Introducing OpenDrop, an open-source implementation of Apple AirDrop written in Python Poetry, a Python dependency management and packaging tool, releases v1 beta 1 with URL dependency PyPy will continue to support Python 2.7, even as major Python projects migrate to Python 3

On Tuesday, Racket, a general-purpose programming language announced Racket 7.5. Racket is based on the Scheme dialect of Lisp programming language and is designed to be a platform for programming language design and implementation. Racket is also used to refer to the family of Racket programming languages and the set of tools supporting development on and with Racket. Key features in Racket 7.5 This new release will be distributed under a new and less-restrictive license, either the Apache 2.0 or the MIT license Racket CS will remain in beta for the v7.5, but the compatibility and performance continue to improve. It is expected to be ready for production use by the next release In this release of Racket 7.5 the Web Server provides a standard JSON MIME type, including a response/jsexpr form for HTTP responses bearing JSON In this release GNU MPFR operations run about 3x faster Typed Racket supports definitions of new struct type properties and type checks uses existing struct type properties in struct definitions. Previously, these were ignored by the type checker, so type errors may have been hidden The performance bug in v7.4’s big bang has been repaired DrRacket supports Dark Mode for interface elements. With this release plot can display parametric 3d surfaces and redex supports modeless judgment forms Additionally with the above changes, in the Racket 7.5 MacOS Catalina 10.15 includes a new requirement that executables be “notarized”, to give Apple the ability to prevent certain kinds of malware. In this release, all of the disk images (.dmg’s) are notarized, along with the applications that they contain (.app’s). Many users may not notice any difference, but two groups of Catalina users will be affected; First those who use the “racket” binary directly, and second, those that download the .tgz bundles. In both cases, the operating system is likely to inform that the given executable is not trusted, or that the developer can’t be verified. Fortunately, both groups of users are probably also running commands in a shell, hence the solution for both groups will be the same that is to disable the quarantine flag using the xattr command, for example, xattr -d com.apple.quarantine /path/to/racket. To know more about this news, check out the official announcement on the Racket page. Matthew Flatt’s proposal to change Racket’s s-expressions based syntax to infix representation creates a stir in the community Racket 7.3 releases with improved Racket-on-Chez, refactored IO system, and more Racket 7.2, a descendent of Scheme and Lisp, is now out! Racket v7.0 is out with overhauled internals, updates to DrRacket, TypedRacket among others  

On Tuesday, Facebook mandates Visual Studio Code, the source code editor developed by Microsoft, as their default development environment. Additionally, they also stated that the company will work with Microsoft to expand the remote development extension for Visual Studio Code so that engineers can do large-scale remote development. As per the official announcement page, Facebook engineers have written millions of lines of codes and there is no mandated development environment. Till now Facebook developers used Vim or Emacs  and the development environment was disjointed. And certain developers also used Nuclide, an integrated development environment developed by Facebook. But in late 2018, they announced to their internal engineers that they would move Nuclide to Visual Studio Code. They have also done plenty of development work to migrate the current Nuclide functionality, along with new features to Visual Studio Code and currently it is used extensively across the company in beta. Why Visual Studio Code? The Visual Studio Code is a very popular development tool, with great support from Microsoft and the open source community. It runs on macOS, Windows, and Linux, and has a robust and well-defined extension API that enables to continue building the important capabilities required for the large-scale development done at Facebook. The company believes that it is a platform on which they can safely bet their development platform future. They have also partnered with Microsoft for remote development. At present, Facebook engineers install Visual Studio Code on a local PC, but the actual development is done directly on the development server in the data center. Therefore, it aims to improve efficiency and productivity by making the code on the server accessible in a seamless and high-performance manner. The company believes that using remote extensions will provide many benefits like: Work with larger, faster, or more specialized hardware than what’s available on local machine Create tailored, dedicated environments for each project’s specific dependencies, without worrying about errors due to mixed or conflicting configurations Support the flexibility of being able to quickly switch between multiple running development environments without impacting local resources or tool performance Facebook mandates Visual Studio Code as an integrated development environment which can be used internally, specifically, because Facebook uses various programming languages. It also uses Mercurial as the source control infrastructure, it will work on the development of extensions to allow direct source control operations within Visual Studio Code. Facebook states, “VS Code is now an established part of Facebook’s development future. In teaming with Microsoft, we’re looking forward to being part of the community that helps Visual Studio Code continue to be a world class development tool.” On Hacker News, developers are discussing various issues related to remote development extensions in VS Code, one of them is it is not open-source and Facebook should take efforts to make it an open project. One comment reads, “Just an FYI for people - The Remote Development extensions are not open source. I'd hope if Facebook were joining efforts, they'd do so on a more open project. 1: https://code.visualstudio.com/docs/remote/faq#_why-arent-the... 2: https://github.com/microsoft/vscode/wiki/Differences-between... 3: https://github.com/VSCodium/vscodium/issues/240 (aka, on-the-wire DRM to make sure the remote components only talk to a licensed VS Code build from Microsoft) MS edited the licensing terms many moons ago, to prepare for VS Code in browser using these remote extensions/apis that no one else can use)- https://github.com/microsoft/vscode/issues/48279 Finally, this is the thread where you will see regular users being negatively impacted by the DRM (a closed source, non-statically linked proprietary binary downloaded at runtime) that implements this proprietary-ness: https://github.com/microsoft/vscode-remote-release/issues/10... (of course, also with enough details to potentially patch around this issue if you were so inclined). Further, MS acknowledged that statically linking would help in May, and yet it appears to still be an issue. I just hope they don't come after Eclipse Theia…” Microsoft releases Cascadia Code version 1909.16, the latest monospaced font for Windows Terminal and Visual Studio Code 12 Visual Studio Code extensions that Node.js developers will love [Sponsored by Microsoft] 5 developers explain why they use Visual Studio Code [Sponsored by Microsoft] 5 useful Visual Studio Code extensions for Angular developers Facebook releases PyTorch 1.3 with named tensors, PyTorch Mobile, 8-bit model quantization, and more