Open Source - Page 7 of 17

RoboScan: Automated film scanning with Raspberry Pi

RoboScan automatically digitizes analog films with a DSLR camera. A Raspberry Pi is used for this, which uses machine learning and a stepper motor to move the film in a Lego frame. RoboScan is an open source project by Maker Benjamin Bezine that was created in lockdown and is active on GitHub as bezineb5.

During operation, the film is illuminated from behind at the point to be scanned. This classic trick can be used to photograph the film using a camera with a macro lens. A 3D-printed adapter is required so that the stepper motor can move the analog film in the Lego structure. Versions 2, 3 and 4 are suitable as RaspberryPi. The Pi 4 has the advantage here that the camera can be connected via USB 3.0. Bezineb5 published the project and the material list on GitHub,

Software control RoboScan consists of a JavaScript web front end and a Python backend that takes over the control. The scanning process can be started via the web interface and the images saved on the computer – so there is no need to fiddle with the SD card. The software uses the library libgphoto2 to operate the camera.

A Google Coral Edge TPU USB Accelerator can optionally be used to optimize the machine learning component. How the machine learning algorithm recognizes the individual image segments is clearly explained in the following YouTube video. The installation runs via a supplied Docker-Compose-File, which starts all components and connects them with each other.

And this is how the RoboScan looks during operation.

(stri)

Windows 7: Federal government had extra support in 2020 cost almost 2 million euros

The number of computers in the federal ministries and subordinate authorities that are still operated with Windows 7 is significantly higher than previously assumed. In second gear, the federal government is now going from “at least 51. 479 Clients “on which the operating system is still running that Microsoft has been using since 14. January 2020 no longer supported for free with security updates. A year ago the lead Federal Ministry of the Interior (BMI) was still on 33. 000 relevant IT jobs come.

Problem bigger than known Even then it was clear that the support and migration problem would be much bigger: in In the earlier overview, five of the 12 Federal Ministries were not listed at all. Apparently it was just about the departments in which Windows 7 still plays a particularly important role.

With the significantly increased number of computers for which the federal government has to spend money on further security updates via Microsoft’s Extended Security Update Program (ESU), the necessary expenses have more than doubled: the federal government initially calculated for 2020 with fees of 700. 000 Euro, it ended up according to a heise online current answer to a request from the Green Bundestag member Konstantin von Notz at 1.9 million euros. Until 2023 should “at least around 2, 51 Costs of millions of euros arise “.

The distribution of the affected computers to the individual departments and larger authorities was broken down by the government to Netzpolitik.org. In the Chancellery and the Federal Ministries there are a total of around 14. 000 people busy. This does not include the employees in the many subordinate authorities. The Federal Foreign Office and the Federal Ministry of Defense are particularly well-staffed departments. The latter leads the ranking of the departments on which PCs with Windows 7 are still in operation, also with 27. 326 corresponding jobs.

No Windows 7 only in the Ministry of Education The Ministry of the Interior follows in second place with 12. 800 computers that need extra support, the Foreign Office occupies third place with 10. 700 such computer. The Ministry of Transport and Digital Infrastructure still has to pay a separate support fee to Microsoft for 5000 jobs, the Agriculture and Health departments each for around 1700, the commissioner for culture and media for 1500. At the Ministry of Economic Affairs 1118 computers. In all other areas of government and its subordinate administration, the number is below 1000. The Federal Ministry of Education is the only one that no longer uses PCs with Windows 7.

The information could still be incomplete, the government warns. The authorities and departments are in favor of a timely changeover to Windows 10 after expiry responsible for Windows 7 support. Central records are not kept. The departmental inquiry has still not been “answered by everyone”.

The Federal Ministry of the Interior deliberately does not provide any information on the IT infrastructure of the Federal Intelligence Service (BND) and for reasons of confidentiality at the Federal Office for the Protection of the Constitution. In the meantime, it can be seen from job advertisements that the Federal Office for Consumer Protection, for example, is still specifically looking for three IT specialists with thorough knowledge of the Windows 7 systems and is looking for.

Dependency as a problem The The authors of a study commissioned by the Federal Ministry of the Interior 2019 had already come to the conclusion that the dependence on Microsoft products in particular “leads to pain points in the federal administration”. This is “in contradiction to the strategic goals of the IT of the federal government”. Interior Minister Horst Seehofer (CSU) announced at the time that he would hold talks with software providers and examine alternative programs. The use of free software should play an essential role here.

In the new plan for slow IT consolidation, however, there is no mention of open source. The Ministry of Defense remains in the recorded, up to 2028 running four waves for the harmonization of computer and server structures as well as the relocation of services to the cloud, as well as left out the Foreign Office.

(mho)

Patchday: Android secured against remote code execution, among other things

For the first patch day in the new year, Google has numerous security holes in Android versions 8.0, 8.1, 9, 10 and 11 eliminated. Four of them are considered critical and could have been misused by attackers, among other things, to carry out denial-of-service attacks or to remotely execute code on vulnerable devices (remote code execution). With a “Moderate” exception, the remaining vulnerabilities are at high risk.

The Android Security Bulletin for January 2021 differentiates between two patch levels, the installation of which either part of the security holes (level 2021 – 01 – 01 ) or all gaps (Level 2021 – 01 – 05 ) fixes. According to Google, manufacturers of Android devices should allow this procedure more flexibility when patching.

Critical security holes According to Google’s assessment, the most dangerous of the closed security holes, CVE – 2021 – 0316, is located directly in the operating system code (section “System” in the bulletin). It enables attackers to execute remote code in the context of a privileged process. In order to carry out the attack, Google only indicates that the transmission of specially prepared data is necessary.

CVE – 2021 – 0316, as well as the critical gap CVE – 2021 – 11 (Denial-of-Service) in the Android framework, by raising the patch level to 2021 – 01 – 01 eliminated. To eliminate two further security holes with “Critical” classification in Qualcomm’s closed source components – CVE – 2020 – 11134 and CVE – 2020 – 11182 – is on the other hand level 2021 – 01 – 05 necessary.

Separate bulletin for Pixel devices As usual, a separate January bulletin with updates for Google’s Pixel devices has been published. It includes four additional security fixes that are automatically distributed to supported Pixel devices along with all other patches. There are also several functional patches from the areas of audio, graphics, sensors and telephony. Details are given in a post in the Pixel Support Forum.

In addition to Google, other manufacturers regularly publish security patches – but mostly only for some product series. Devices from other manufacturers receive the updates much later or, in the worst case, not at all.

According to Google, other manufacturers (“Android partners”) were informed of the vulnerabilities at least one month before the publication, as usual, and thus had sufficient time to implement the code. The source code for the patches is available in the Android Open Source Project (AOSP).

(ovw)

Container: Dynamic templates for FreeBSD jails with Bastille

Bastille was released in version 0.8. The tool automates and manages jails under FreeBSD, i.e. operating system and application containers. An instance of a FreeBSD jail provided with Bastille with the full range of commands of the base system only requires around 10 to 12 Mbytes of space on the data carrier.

Improved and dynamic templates The version jump brings some innovations and improvements . The Bastille templates now run completely natively. Each jail or container is automatically based on a self-explanatory template: base, empty, thick, thin and vnet. Another new feature is that the templates are dynamically, for example, using $ JAIL_NAME or $ JAIL_IP can be individually parameterized.

When updating from version 0.7 to 0.8, it should be noted that the syntax in the configuration files has changed slightly and users can save their existing templates via bastille template –convert … have to adapt. The templates can also be created individually or downloaded from the public GitLab directory.

FreeBSD 13 on board In addition to the current and older FreeBSD versions, Bastille 0.8 can also do the in FreeBSD under development 13 – provide CURRENT. As usual, it should be noted that the FreeBSD version of the host must not be older than the version of the jail. On 64 – bit hosts can be 32 – Create and start bit jails, the reverse is not possible.

With bastille config get | set users from version 0.8 can define individual values in the configuration file (/ usr / local / bastille / jails //jail.conf) read out or set via scripts. A ALL as the jail name applies the action to all jails.

The software was developed by Christer Edwards, who was previously involved in SaltStack, which has now been taken over by VMware, and who was responsible for it as a maintainer. He took over parts of the security mechanisms for Bastille from the HubbleStack, which he also helped to design and on which SaltStack SecOps is based. Bastille is under the free BSD 3 Clause license, has no dependencies (25 KByte download via pkg install bastille ) and is for all supported platforms by amd 64, i 386, sparc 64, powerpc 64 up to aarch 64 (Raspberry Pi 3/4) available.

Qt limits use of long-term support versions to commercial customers

The Qt Company is immediately restricting the visibility of the Qt-5. 15 branch to the public. The long-term support release (LTS) Qt 5. 15 will for the first time only be available to paying customers, according to an email to Qts Development Mailing list.

The company wants to keep the branch visible to the public, but it no longer provides any new patches. The branch is also closed for new commits, with the exception of the QtWebEngine and the Qt Script marked as deprecated, due to LGPL dependencies on a third party.

LTS release only for commercial customers The company had already announced this step in January 2020 that brings many customers an unpredictable future. Now the rule is that only paying customers will have access to the private repository and the code that includes the future LTS point releases for Qt 5. 15. The first purely commercial Qt 5. 15 LTS Tagged Release should appear in February.

A year ago, the Qt Company had the changes in a Blog post summarized. As a justification, the company stated that this change should ensure the further growth of Qt as a platform. The company hopes that the need for a Qt account to install binaries will generate more contributions from the open source community, as a user account has always been mandatory for bug reports and code reviews.

Qt’s offline installer, on the other hand, is a feature that is particularly interesting for corporate customers. The elimination of the free option should therefore clearly make the paid product “more attractive”. However, the company believes the impact on open source users is small. Open source developers should also have to switch to new Qt versions more quickly, which the company hopes to get more feedback on the individual versions. The LTS releases are reserved for paying customers who are dependent on a certain Qt version for their own products.

(mdo)

Huawei will allow other Chinese manufacturers to install Harmony OS on their smartphones

by Jordi Bercial 05 / 01 / 2021 …

At this point it is no secret that Huawei has serious problems to continue using Android on their smartphones, something that does not look to change anytime soon. In the same way, they have an address marked, something that started with the Huawei Mobile Services and will continue with HarmonyOS , the The company’s next operating system for some of its smartphones.

However, not only Huawei could have this same problem, but really any other Chinese manufacturer could be in the same position, reason whereby HarmonyOS will be available to any Chinese manufacturer that needs a fully functional operating system , something that Android is not without the Google Mobile Services.

As we can read In Huawei Central, it is expected that HarmonyOS will be open source to be able to adapt it to other smartphones, something that for now is not It is like this, in addition to having a flexible kernel that can work with other processors without problem , not only those with which Huawei lock heh, so there is probably still work to do, starting with checking that indeed HarmonyOS works properly on Huawei’s own devices.

Be that as it may, it is a great opportunity for Huawei in the face of to recover from the bad streak that has meant not having the Google Mobile Services on their latest smartphones , and which will probably also help them financially if enough companies make use of this new operating system.

End of Article. Tell us something in the Comments or come to our Forum!

Jordi Bercial

Avid technology and electronics enthusiast . I mess around with computer components almost since I learned to ride. I started working at Geeknetic after winning a contest on their forum for writing hardware articles. Drift, mechanics and photography lover. Don’t be shy and leave a comment on my articles if you have any questions.

WebAssembly-Runtime: Major Release 1.0 by Wasmer published

With the aim of being able to run independent, platform-dependent applications on every platform, the Wasmer team started developing a Wasm runtime environment around two years ago, which uses Emscripts to compile WebAssembly- Can execute modules independently of the host system – Linux, macOS, OpenBSD, Windows, Android, iOS. The now published version Wasmer 1.0 promises developers the maturity and performance necessary for productive use.

Production-ready performance and more compilers Since the official launch of Wasmer 0. 16 in spring 2020 the team upgraded the runtime environment in several ways. In addition to the performance classified as ready for production, to which, among other things, compilers working in parallel should contribute, the Wasm Runtime comes up with important innovations and improvements. Support for the Wasm-C-API, a native object engine and expandability to integrate various compilers such as LLVM, Cranelift and Single-pass are new.

On the way to the first major release, the team behind the runtime environment has, according to its own statement, made an effort to also include developers who are not familiar with the WebAssembly ecosystem and its concepts in detail To make working with the API as easy as possible. While the Wasmer-C-API originally designed for this purpose should continue to be supported, users of Wasmer 1.0 are encouraged to use the standard Wasm-C-API, which has now matured, as a preference.

use wasmer :: {Store, Module, Instance, Value, imports}; fn main () -> Result {let module_wat = r # “(module (type $ t0 (func (param i 32) (result i 32))) (func $ add_one (export “add_one”) (type $ t0) (param $ p0 i 32) (result i 32) get_local $ p0 i 32. const 1 i 32. add)) “#; let store = Store :: default (); let module = Module :: new (& store, & module_wat); let import_object = imports! {}; let instance = Instance :: new (module, & import_object) ?; let add_one = instance.exports.get_function (“add_one”) ?; let result = add_one.call () ?; assert_eq! (result [0], Value :: I 32 (43)); OK(()) } Wasmer not only implements the cross-platform approach pursued by WebAssembly, but also gives developers the greatest possible freedom in choosing their preferred programming language. The runtime environment can be expanded with a wide variety of compilers. The compiler infrastructure LLVM, the code generator Cranelift, which emerged from the Bytecode Alliance project and written in Rust, and the single-pass back-end, which is recommended for use in environments with limited resources, are already firmly anchored in the scope of delivery of Wasmer 1.0. like IoT devices or blockchain applications.

Headless Wasmer for Edge and IoT Wasmer from version 1.0 can also be used headless, especially for IoT and edge computing environments. The version, which is only a few KByte in size, can run precompiled Wasm binaries on any device thanks to AOT (Ahead Of Time) support. In addition, developers benefit from the extended capabilities of the runtime environment for cross-compilation. Previously, the execution of compiled Wasm applications was limited to the respective platform, now applications can be used across the board – one on x 86 _ 64 – computers compiled app, for example, also on the aarch 64 – architecture and vice versa. The Wasmer developers also claim to offer the first uninterpreted server-side WebAssembly VM that Wasm supports on the new Apple Silicon systems.

A complete overview of all innovations and functions in Wasmer 1.0 can be found in the blog post announcing the production-ready version of Wasm Runtime. Detailed information can be found in the documentation of the open source project. If you want to try Wasmer, you can install Wasm Runtime via the command line from the Wasmer homepage as a stand-alone runtime environment or integrate it into your preferred programming language.

(map)

Lightspeed: New open source software for the complete live streaming package

A new open source tool appears under the name Lightspeed, with which users can set up a server for live streaming. The project should be characterized above all by the low latency of less than one second as well as the easy installation of the three necessary modules.

The basis is appropriate called Lightspeed Ingest, which carries out the FTL handshake with the clients involved. FTL is the Faster Than Light protocol, which puts the speed of transmission above its quality. It saw the light of day as part of Microsoft’s failed game streaming service Mixer.

Modular structure with three components Second The component is Lightspeed WebRTC, which plays out incoming RTP packets via WebRTC. The third module is a React website as a front end for the audience. At the start of the project, Lightspeed needs all three components, but developers should be able to write their own alternative modules in the future.

The requirement on the Windows, macOS or Linux streaming computer is the Open Broadcast Software (OBS) with the FTL SDK. Installation instructions can be found on GitHub. Lightspeed appears as open source software under the MIT license.

(fo)

rC3: How the Corona Warning App is protected against hacker attacks

Thomas Klingbeil, senior developer at SAP, gave insights into the backend architecture of the Corona Warning App (CWA) at the remote Chaos Communication Congress (rC3). It basically consists of a CWA server with the diagnostic keys, a verification server and another server for transmitting the test results from the laboratory.

The app and the infrastructure behind it are generally designed for data economy and take into account the state of the art in IT security with a wide range of encryption methods and the exchange of hash values. When tracking contacts via Bluetooth, the responsible server knows, for example, which mobile phone the data is coming from, but cannot draw any conclusions about the user of the device.

A particularly critical data transfer occurs when the user is away Chosen to share a positive test result. Even in this case, only a collection of pseudonymous crypto keys is transmitted. It is therefore difficult to find out who the affected user is. Nevertheless, the developer companies, to which Deutsche Telekom belongs in addition to SAP, have also taken precautions against unauthorized data access and potentially possible analysis of the information at this level.

Secure connections alone are not enough A well-armed attacker could theoretically record the network traffic running through the infrastructure built in the background, stated Klingbeil in his lecture. Only secure connections are used, so that only the sizes of the data packets sent are recognizable, but not their content. This would also make it possible to understand whether a test had taken place and a TAN query took place.

The end point and thus the tested user remained unclear at first. executed the programmer. From the recognizable byte amounts, a hacker could also conclude that there are specific sizes for special requests. Furthermore, it can be seen in principle when the responsible CWA server is contacted for a TAN upload. Unless it is also clear that a user would have to be positive if diagnostic keys were transmitted. In the worst-case scenario, it could also be possible to link this key to an IP address and to determine the user behind it.

“We must therefore include plausible deniability,” said Klingbeil Model of “credible deniability”. Methods are used to hide confidential data or its origin. The CWA is a disturbing noise that is built into the data traffic: According to the insider, the app partially simulates the corresponding traffic in the backend and deliberately sends false or meaningless information to a “playbook” that functions as a “dummy”.

In addition to various encryption techniques, there is also “annoying Noise “is used in order to achieve a high level of data protection when transmitting positive test results.

As part of this automated process, determinable inquiries could be triggered by a real event, explained Klingbeil. But it is just as likely that it is a “fake”. Even if a test turns out negative, the dummy application asks for the diagnostic key and the TAN is also used. So you can no longer find out “if someone really warns”.

Filtering out incorrect packets A special field in the header informs the backend server at the same time that they should not enter the falsified packets into the relevant databases, but should otherwise behave and respond as usual. The additional traffic does not cause any increased costs for the users, since the mobile network operators generally do not count the volume caused by the CWA against the personal contingent (“zero rating”). Metadata would also be removed from a mediation server.

The CWA architecture also has an interface in the form of an “EU Federation Service” to upload national keys for “contact tracing” and foreign keys from member states with interoperable ones To be able to inquire about architectures. The responsible servers are informed about the upload of new keys via a callback mechanism. Klingbeil clarified that even if keys from other EU countries were ultimately treated as national ones, a so-called replay attack and the associated transmission of previously recorded data to trick authentication procedures would not be possible. The information would initially be embargoed for two hours and could only be used afterwards.

The appeal from the Chaos Computer Club (CCC), the CWA with an option for decentralized cluster recording, for example The SAP innovation expert did not want to comment on enrichment via the CrowdNotifier. This is outside of his scope, as the Federal Ministry of Health decides on new functions. Machine learning is currently not used to determine the risk of infection. Criticism from the hacker community that the interaction with the community in the open source project via the developer portal Github is often slow, he will bring to the team.

(pbe)

rC3: DDoS attack and DNS problems reduced the hacking experience

Fairy-tale ended on Wednesday after four days of lectures and virtual meetings in a specially created 2D world populated with avatars of the remote Chaos Communication Congress (rC3). The master of ceremonies “blubbel” from the Chaos Computer Club (CCC) read the audience a story about the “big annual festival” of the nerds, whose country had been ravaged by an epidemic. The “clever beings” had therefore come up with the idea of building a “huge artificial island” that they could enter with their image of the soul instead of their body.

bubbling told.

(Image: rC3 media.ccc.de (CC by 4.0))

After a team of princesses and other scouts identified a “small valley with green meadows and lots of space” in the land of Neu as suitable, this one was included a lake, an island and boats have been equipped as a communication system over longer distances, said the hacker. In the actual rC3 world, the organizers use the open source video conference system Jitsi to fill in the communication areas and enable live communication between visitors.

Lovely Tetris sounds “At times the ports could no longer accommodate boats”, in the background there was still a lot of hammering, reported blubbel about the starting difficulties in the 2D world on the congress platform. To make matters worse, there was a “magical DDoS attack” (Distributed Denial of Service) on the 1st day of the conference, so that the storm defense had to be reinforced at night. Afterwards, the data travelers could finally have created more content and held meetings. Lovely Tetris sounds were heard, applications such as a bottle collecting simulator or a flamethrower controlled by DECT telephone were very popular.

But peace was not yet achieved: “A curse of invisibility hit the island” – by that blubbel meant various problems with the findability of the rC3-World via the Domain Name System (DNS). There are several entries in the status report about incidents that could only be cleared up gradually. 130. 000 DNS updates are due to the 2D world was necessary, it said from the infrastructure center. Altogether there are 34. 858 critical information, 13. 070 Warnings and two abuse emails because of the DDoS attack was received.

Despite the hardship, the opportunity for exchange and mutual learning was eagerly used, explained blubbel. Each hackerspace has given its own medals in the form of knight badges for heroic deeds, even places of need have been turned into celebration places. After the four days, however, the artificial island could no longer be held. The blueprints were retained and would be posted publicly so that many small editions could be set up via local hacking centers according to the motto: “And if the servers haven’t melted, then hack them today.

Update for Corona warning app: contact diary now available

The Corona warning app has received another update. The new version 1. 10 introduces a contact diary in which users can manually enter who they have met and which places they have visited. “This is important information for the health department and for finding chains of infection,” writes SAP in a blog post published on Monday. The software group is developing the open source app together with Telekom.

As SAP emphasizes, the information provided in the diary is only saved locally on the smartphone and automatically deleted after 16 days. You can also delete entries manually at any time.

Data transfer is voluntary Anyone who is infected can save the information from the diary as Export the RTF file and send it to the responsible health department. “This is of course voluntary,” emphasizes SAP. However, the information is a “great help” for the health authorities. They would gain valuable time in order to find and warn contacts at risk.

The new version of the Corona warning app is already available for download in Apple’s App Store. It is also available in Google’s Play Store. In some cases it can take a little longer until the new version is visible in the store.

Overall, the Corona warning app has already been 24 Millions of times downloaded, as a Telekom spokesman announced on Twitter on Monday. An Android version of the app that works without Google services has recently become available.

(cwo)

Huawei’s HarmonyOS 2.0 beta is based on Android’s framework

Huawei released the HarmonyOS 2.0 beta version of the software for select devices earlier this month and one developer decided to dig a little deeper to see what Huawei’s new OS is all about. And as it turns out, it’s still pretty much Android-y.

First, he made a simple “Hello world” app for the much older Android 4.4 KitKat environment and this triggered a very similar message on a virtual machine running a recent version of Android (left) and a virtual machine running HarmonyOS 2.0 beta (right). This seems to be a reoccurring theme with other things, but instead of “Android”, the messages say “HarmonyOS”.

The developer also managed to open up the system partition, which only confirmed his theory – HarmonyOS is based on Android’s framework. At least for now, it is.

According to Huawei’s own presentation, the AOSP (Android Open Source Project) will serve as a stepping stone to what HarmonyOS is trying to achieve. Meaning, current beta 2.0 version might be based on Android, but in the future, it would most likely transition to its own framework.

Via | Source (in Chinese)

rC3: The Internet of Things as a killer app for IT security

With the Internet of Things, the suffering of all users of networked devices is increasing, so that the dreary situation in the area of IT security could change for the better. The “Internet of Things” (IoT) could usher in a paradigm shift, said US encryption expert Bruce Schneier on Sunday at the remote Chaos Communication Congress (rC3). The reason for this is that with networked things “security collides with physical security”.

Software bad and too complex Even if someone hacked his thermostat on the Internet, “the lines could freeze”, Schneier gave an example. With networked homes, cars or even factories, the attack surfaces and threatening effects on the well-being of people and entire social groups multiplied. This could help to iron out the existing errors of the market through stronger state regulation.

Bad and overly complex software, which is the worst enemy of security, is currently following exactly, according to the lecturer at Harvard Kennedy School the laws of the market. In software, for example, these reward more and more functionalities, efficiency and speed, which leads to bloated programs. In contrast, simplicity and security are expensive. Most people did not want to pay extra for it, but deliberately took risks.

When the toaster suddenly e-mails sent Such short-term advantages would in the long run at the expense of society, emphasized Schneier in the online conversation with Frank Rieger from the Chaos Computer Club (CCC), which was interrupted by several technical problems. Politicians must therefore intervene, for example with requirements for food and drug safety. This applies above all to the IoT, since the devices and the associated software are often produced in countries such as China by companies that in some cases quickly went bankrupt. It’s not that far with updates.

In order to still be able to build a reasonably secure home network, routers should first act as watchdogs, suggested the 57 – year olds. You should be able to detect a connected device and get information and updates about it. If the toaster suddenly sends e-mails, this function should be able to be switched off via the intermediate instance.

Fewer connections to the outside world Rieger doubted that manufacturers would be more restrictive than before and would collect less data. Only Microsoft Office 365 on the Mac contact 32 other servers, some of which in China or the USA. Any impartial observer would have to classify such a program as malware. Schneier admitted that a lot of persuasion was still needed in this area. At least Microsoft knows the servers. However, the software giant would do well to gradually reduce the connections to the outside world.

The security expert did not consider a rapid reconstruction of IT landscapes under security aspects to be realistic. However, software should go through more audits, since everyone benefits from such testing processes. In this way, back doors could also be found more quickly, as they would have turned out to be a massive security risk for state and private infrastructures as well as a gateway for Russian hackers in the Orion software of the US service provider SolarWinds. Money should flow into pools to organize audits for open source products.

Encryption is critical infrastructure The idea propagated in the repeatedly flaring up Crypto Wars of weakening encryption and circumventing data protection rules was described by Schneier as “incredibly dangerous”. In particular, cryptographically secured cell phones and applications running on them, such as chats, were used by almost everyone, including government representatives and police officers. It is more or less a critical infrastructure that is important for “our societies and democracy to work”. Even if encryption makes law enforcement a little more difficult here, “it is better for all of us.”

Initially, countries such as the USA, Great Britain and Australia in particular requested access to encrypted communication in plain text, the reported Researcher. “Down under” there is even a relevant law that, as far as he knows, has never been applied. In the meantime, Germany and the EU have made similar appeals. But there is no magic bullet to counter this. The fact that he still calls for the state for IT security is not a shot in the oven: “We are the government,” he referred to the main features of popular rule. Should the government oppose “our interests”, “we need a better one”.

Quantum computer: “crypto apocalypse” canceled In principle, the cryptologist described encryption as a secure mathematical process. In practice, however, it is dependent on computers, software, networks and their users. If, for example, the messenger service Signal is running on a smartphone that has a small weak point and everyone can read what is happening on an unlocked screen, this is just as problematic as users who swear by simple passwords.

Schneier called off the “crypto apocalypse”, which was often linked to quantum computers. On the one hand, many more breakthroughs and manageable applications are necessary for practicable quantum computers before they can break encryption solutions, for example. On the other hand, the US standards organization NIST has already started a competition for quantum-resistant algorithms, in which some hot candidates are in the running. In the case of symmetrical encryption, the keys could also simply be extended. Solutions are still being worked on for public key cryptography, but many programs would get by without this approach.

(tiw)

Programming language: Ruby 3.0 promises significant performance gains

Years ago 25 the first major version of Ruby came out shortly before Christmas, and since then there has been a Christmas release tradition among the editors of the programming language established: Ruby 3.0 also joins this choir and has now been released on schedule, almost exactly one year after the last release of the 2.x series – Ruby 2.7. The development of Ruby 3.0 apparently began five years ago and Ruby inventor Yukihiro Matsumoto promises a three times faster execution of programs written with Ruby 3.0 than those programmed with Ruby 2.

Release jump with new features Matsumoto (simply called “Matz” in the community) confirmed on GitHub at the beginning of September, that Ruby developers expect a big release jump around Christmas. Ruby had ridden the 2-series tracks for seven years. Ruby developers have announced in advance that Ruby 3.x can expect higher performance compared to 2.x – albeit with room for improvement. A lot of work on the method-based JIT compiler MJIT has probably contributed to the better performance. Old dependencies with the Ruby-Gems packaging system have apparently been eliminated, and Ruby 3.0 introduces new concepts.

An important innovation is the support for RBS, a language for describing the types of Ruby programs. With TypeProf, there is also an analysis tool that can read simple, i.e. not type-annotated Ruby code and recognize its methods. A still experimental feature is Ractor, an abstraction for concurrent programs inspired by the actor model, which was developed to offer a parallel execution function without concerns about thread safety. The Fiber # scheduler was introduced to intercept blocking operations. It enables simple concurrency without having to change any code. The thread # scheduler has also left the experimental stage: it can be used to intercept blocking processes.

Ruby 3.0 supports RBS With Ruby, methods in classes and instance variables in define their type. Inheritance or mixed relationships are also possible. The goal of RBS is to support well-known patterns in Ruby programs. It enables writing of complex types, including union types, method overloads and generics.

RBS is also said to support duck typing with interface types. Duck typing is a concept of object-oriented programming. The class does not describe the type of an object, but the existence of certain methods or attributes is decisive. The third major version of Ruby contains rbs gem , which is supposed to enable the parsing and processing of type definitions written in RBS. Type checkers, including type profilers and other tools that support RBS, are intended to better understand Ruby programs with RBS definitions.

Ruby, the Rednosed Reindeer? The programming language has been around since 1993, it was invented by the Japanese developer Yukihiro “Matz” Matsumoto. Ruby is open source and used specifically for web development. Platforms such as GitHub, Shopify, Stripe and AirBnB actively use Ruby. The language was learned years ago through the “Ruby on Rails” web framework written in Ruby Buoyancy.

Ruby is essentially object-oriented, but also supports other paradigms and concepts such as dynamic typing, reflections and automatic garbage collection. Programs written in Ruby are interpreted at runtime, and the advantage is that the code is not particularly complex. This is said to have brought some developers frustrated by more complex languages on board.

Further information A Most of the features were already known from the preview, and the timetable had been in place since September. Further information can be found in the release message.

(sih)

Programming language: Go 1.16 Beta supports ARM64 architecture

Go, an open source programming language originally developed by Google, is available in version 1. 16 as beta. The most important new features are changes to the core library and, according to the publishers, an improved runtime. The library includes the new embed package: This gives Go developers access to all of them during compilation with the command // go: embed files embedded in the program.

Go supports Apple Silicon Another highlight is the support of the ARM 17 architecture of the new Apple processors (Apple Silicon) on macOS. Apparently only minor changes have been made to the core library of Go, including crypto / dsa as out of date (deprecated) and the unicode – Package is now updated to Unicode 13. 0. The go get -insecure flag for retrieving repositories and for resolving user-defined domains using insecure schemes such as HTTP is also being discontinued and will be omitted in one of the future versions. Most of the changes affect the Go commands: The embedding of static files and file trees in executable files using the // go: embed mentioned above statement is a standard module as of the upcoming release. In addition, go install now accepts arguments with version suffixes. This allows packages to be installed in module mode without having to access the go.mod file.

Another new feature is that the – export – flag (if used accordingly) can list the build ID of the compiled package. Previously, Go developers had to use the go tool buildid command over the previously triggered command go list -exported -f {{. Export} ) run – the extra step is omitted.

Warning notices for invalid tests in the goroutines When testing, when using the testing.T method, there is now a warning for invalid tests in the goroutines. Even when calling Fatalf , FailNow and Skip {, f, Now} during the When testing with testing.T or the testing.B benchmarks, the warning may appear. Calls to the named methods interrupt the execution of the goroutines, but not the test or benchmark function, according to the preliminary release notes, which provide a code example: func TestFoo (t testing.T) {go func () {if condition () {t.Fatal (“oops”) // This exits the inner func instead of TestFoo . } …} ()} code that calls t.Fatal or a similar method from within a goroutine should be rewritten by developers. One way to do this could look like this:

func TestFoo (t testing.T) {go func () {if condition () {t.Error (“oops”) return} …} ()} Further changes to runtime and compiler Further changes concern under among other things, the runtime, which receives a stable interface for reading metrics defined by the implementation. The compiler can obviously process functions with undeclared for loops inline and the Go Linker is considered less “resource-hungry”.

Last but not least, a note to Mac developers: Go 1. 16 is apparently the last release that still runs on macOS Sierra. From the next version 1. 17 macOS 10. 13 High Sierra or higher version required.

More information in the preliminary release notes Further information can be found in the Draft Release Notes for Go 1.16. The final version should appear in February 2021 together with the final release. Fundamental changes to the language are not expected by then, the beta is apparently on the home straight, according to the publishers.

(sih)