My Weekly RoundUp #116

The week kicked off with the launch of Disney+, but other things happened too!

So let’s not waste time: let’s start with WhatsApp, ZoneAlarm, Telegram, Python, Java and jQuery.

Further, some news about Elon Musk’s Neuralink, a controversial update to Google Chrome and some problems for Vodafone India.

Finally, some news about privacy: the benefits of a Dumb Phone and the usual concerns related to Facial Recognition.

Cybersecurity

New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware On Your Devices

The recent controversies surrounding the WhatsApp hacking haven’t yet settled, and the world’s most popular messaging platform could be in the choppy waters once again.
The Hacker News has learned that last month WhatsApp quietly patched yet another critical vulnerability in its app that could have allowed attackers to remotely compromise targeted devices and potentially steal secured chat messages and files stored on them.
The vulnerability — tracked as CVE-2019-11931 — is a stack-based buffer overflow issue that resided in the way previous WhatsApp versions parse the elementary stream metadata of an MP4 file, resulting in denial-of-service or remote code execution attacks.
To remotely exploit the vulnerability, all an attacker needs is the phone number of the targeted user, to whom they send a maliciously crafted MP4 file over WhatsApp; the file eventually can be programmed to install a malicious backdoor or spyware app on the compromised device silently.
The vulnerability affects both consumers as well as enterprise apps of WhatsApp for all major platforms, including Google Android, Apple iOS, and Microsoft Windows.

The Hacker News
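The bug class described above, a parser that copies a length-prefixed field from an MP4 box into a fixed-size stack buffer while trusting the size the file declares, as an added example. This is not WhatsApp's code and does not reproduce the actual CVE-2019-11931 flaw: it shows the vulnerable shape beside a hardened version. The box layout (4-byte big-endian size that includes the header, 4-byte type, payload) is the real ISO BMFF box header; the 'esds' box type as target, the 32-byte buffer, the function names and the sample boxes are assumptions constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example of the bug class, not WhatsApp's code. The 'esds' target,
 * META_MAX and the sample boxes below are assumptions for the demo. */

#define META_MAX 32   /* fixed stack buffer the parser copies metadata into */

/* ISO BMFF box header: 4-byte big-endian size (header included), 4-byte type. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* VULNERABLE shape: the copy length is derived from the size field the file
 * declares, with no check against the bytes actually present or against the
 * destination capacity. A box declaring a size above META_MAX + 8 writes past
 * meta[] on the stack; a size below 8 underflows. Never call on untrusted input. */
int parse_esds_vulnerable(const uint8_t *box, size_t avail) {
    char meta[META_MAX];
    if (avail < 8 || memcmp(box + 4, "esds", 4) != 0) return -1;
    uint32_t declared = be32(box);
    size_t payload = declared - 8;        /* attacker-controlled length */
    memcpy(meta, box + 8, payload);       /* stack-based buffer overflow */
    return (int)payload;
}

/* HARDENED: every length is validated before it drives a copy. */
int parse_esds_hardened(const uint8_t *box, size_t avail) {
    char meta[META_MAX];
    if (avail < 8 || memcmp(box + 4, "esds", 4) != 0) return -1;
    uint32_t declared = be32(box);
    if (declared < 8 || declared > avail) return -1;   /* header must fit, box must lie inside the input */
    size_t payload = declared - 8;
    if (payload > sizeof meta) return -1;              /* must fit the destination */
    memcpy(meta, box + 8, payload);
    return (int)payload;
}

/* Builds a box whose declared size may differ from the bytes actually written,
 * so the samples can lie about their length the way a crafted file would.
 * Returns the number of bytes written, 0 if the caller's buffer is too small. */
size_t build_box(uint8_t *out, size_t cap, uint32_t declared, const char *type,
                 const uint8_t *payload, size_t n) {
    if (cap < 8 + n) return 0;
    out[0] = (uint8_t)(declared >> 24); out[1] = (uint8_t)(declared >> 16);
    out[2] = (uint8_t)(declared >> 8);  out[3] = (uint8_t)declared;
    memcpy(out + 4, type, 4);
    memcpy(out + 8, payload, n);
    return 8 + n;
}

/* Constructed sample payload (10 bytes). */
static const uint8_t SAMPLE_META[] = "0123456789";
#define SAMPLE_LEN (sizeof SAMPLE_META - 1)

int demo_benign(void) {             /* honest box: declares 18, 10 payload bytes present */
    uint8_t buf[64];
    size_t n = build_box(buf, sizeof buf, 18, "esds", SAMPLE_META, SAMPLE_LEN);
    return parse_esds_hardened(buf, n);          /* 10 */
}

int demo_vulnerable_benign(void) {  /* the vulnerable parser is fine on honest input */
    uint8_t buf[64];
    size_t n = build_box(buf, sizeof buf, 18, "esds", SAMPLE_META, SAMPLE_LEN);
    return parse_esds_vulnerable(buf, n);        /* 10 */
}

int demo_truncated(void) {          /* declares 208 bytes, only 18 are present */
    uint8_t buf[64];
    size_t n = build_box(buf, sizeof buf, 208, "esds", SAMPLE_META, SAMPLE_LEN);
    return parse_esds_hardened(buf, n);          /* -1: declared > avail */
}

int demo_oversized(void) {          /* 64 real payload bytes, more than META_MAX */
    uint8_t big[64];
    memset(big, 'A', sizeof big);
    uint8_t buf[128];
    size_t n = build_box(buf, sizeof buf, 72, "esds", big, sizeof big);
    return parse_esds_hardened(buf, n);          /* -1; the vulnerable version would smash the stack here */
}

int demo_undersized(void) {         /* declares 4: not even the header fits */
    uint8_t buf[64];
    size_t n = build_box(buf, sizeof buf, 4, "esds", SAMPLE_META, SAMPLE_LEN);
    return parse_esds_hardened(buf, n);          /* -1: declared < 8 */
}

int main(void) {
    printf("benign: %d\n", demo_benign());
    printf("vulnerable on benign: %d\n", demo_vulnerable_benign());
    printf("truncated: %d\n", demo_truncated());
    printf("oversized: %d\n", demo_oversized());
    printf("undersized: %d\n", demo_undersized());
    return 0;
}
```

The two extra checks in the hardened function are the whole fix: the declared box size must be at least the header and no larger than the bytes actually available, and the resulting payload must fit the destination. The vulnerable function is only ever run on the honest sample here; feeding it the truncated or oversized boxes is exactly the crafted-media scenario the advisory describes.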

ZoneAlarm forum site hack exposed data of thousands of users

ZoneAlarm, the popular security software firm owned by Check Point Technologies, has suffered a data breach. According to the post published by The Hacker News, the security breach exposed the data of ZoneAlarm discussion forum users.
The ZoneAlarm suite includes antivirus software and firewall solutions for end users and small organizations, and has nearly 100 million downloads.
“Though neither ZoneAlarm or its parent company Check Point has yet publicly disclosed the security incident, the company quietly sent an alert via email to all affected users over this weekend, The Hacker News learned.” reads the post published by The Hacker News.
The company sent a data breach notification mail to forum users urging them to change their forum account passwords. At this time it is unclear when the attackers compromised the ZoneAlarm forum. The message revealed that attackers gained unauthorized access to forum members’ data, including names, email addresses, hashed passwords, and dates of birth.

SecurityAffairs

Telegram MTProxy Servers Used to DDoS Iranian Cloud Provider

A cloud infrastructure provider in Iran found itself at the receiving end of a distributed denial-of-service (DDoS) attack through MTProxy servers that Telegram users in the country rely on to avoid government-enforced internet restrictions.
As Telegram continues to be banned in Iran, users in this country route their messenger communication through MTProxy servers, which make the traffic look random through encryption. This makes restricting it difficult, allowing servers to fulfill their anti-censorship purpose.

BleepingComputer

Programming

Programming languages: Python overtakes Java on GitHub as Google Dart use soars

The hit programming language Python has climbed over once-dominant Java to become the second most popular language on Microsoft-owned open-source code-sharing site GitHub.

Python now outranks Java based on the number of repository contributors, and by that metric Python is now second only to JavaScript, which has been in top spot since 2014, according to GitHub’s ‘State of the Octoverse’ report for 2019.

That’s quite a milestone for 30-year-old Python, whose creator Guido van Rossum retired this week after leaving his position at cloud file storage company Dropbox, which built most of its back-end services and desktop app on Python.

Another interesting aspect of GitHub’s report is its ranking of fastest-growing languages. Google’s Dart programming language and Flutter, for building UIs for iOS and Android apps, are getting major traction with developers on GitHub.

Dart was the fastest-growing language between 2018 and 2019, with usage up a massive 532%. It was followed by the Mozilla-developed Rust, which grew a respectable 235%.

ZDNet

84% of all websites are impacted by jQuery XSS vulnerabilities

Welcome to Snyk’s State of JavaScript frameworks security report 2019. In this blog post we’ll review security vulnerabilities found in other frontend ecosystem projects.

After reviewing Angular and React as major JavaScript frameworks, we’ll take a brief review of selected JavaScript and CSS frameworks: Vue.js, jQuery and Bootstrap.

Snyk

Science

Several weeks ago, I was asked to write a commentary for the Journal of Medical Internet Research (JMIR) on the ethics of Elon Musk and Neuralink’s much-touted brain-machine interface. JMIR had accepted Musk’s paper on the technology for publication and wanted to accompany its release with a number of invited papers exploring different aspects of the technology.
That commentary has just been published alongside Musk and Neuralink’s paper. Rather than writing another commentary on the ethical challenges of cutting-edge brain tech, I set out to apply our work around risk innovation to the development of the technology. And as a result, my colleague Marissa Scragg and I carried out a unique assessment of what it might take for Musk and Neuralink to create a product that is good for society as well as the company’s bottom line.

OneZero

Technology

Google begins testing Extension Manifest V3 which may kill ad blockers

Google has begun testing their upcoming extension manifest V3 in the latest Chrome Canary build, and with this initial ‘alpha’ release, developers can begin testing their extensions under the upcoming specification.

The most controversial aspect of the extension manifest v3 is the upcoming changes to the webRequest API. In v3, Google has changed the API so that extensions can only monitor browser connections, but not modify any of the content before it’s displayed.
Instead Google wants developers to use the declarativeNetRequest API, which has the browser, not the extension, strip content or resources from visited web sites. This API, though, has a limit of 30,000 rules that can be created.
Unfortunately, this change will break popular ad blockers such as uBlock Origin, which rely on the original functionality of the webRequest API and need more rules than are available in the declarativeNetRequest API.

BleepingComputer

Situation critical: Vodafone’s future in India in doubt after court ruling

Vodafone said its future in India could be in doubt unless the government stopped hitting operators with higher taxes and charges, after a court judgment over license fees resulted in a 1.9 billion euro group loss in its first half.
Chief Executive Nick Read said India, where Vodafone formed a joint venture with Idea Cellular in 2018, had been “a very challenging situation for a long time”, but Vodafone Idea still had 300 million customers, equating to a 30% share of the sizable market.
“Financially there’s been a heavy burden through unsupportive regulation, excessive taxes and on top of that we got the negative supreme court decision,” he said on Tuesday.

Reuters

Privacy

Switching back to a dumbphone was the smartest thing I’ve ever done

I’m sick of looking at my phone all the time. I can’t help it. On the subway, in supermarket checkout lines, binge-watching Netflix shows — here I am scrolling and tapping once again.
I’m tired of constantly being bombarded by notifications asking me if I’ve “checked this out.”
It’s not like I haven’t tried to reclaim the hours I spend on my phone. I’ve set screen time limits, switched off as many notifications as I can, and even invested in a smartwatch in hopes of not ending up in an Instagram hole after innocuously pulling out my phone to check the time. To an extent, these restrictions did work; I’ve nearly managed to slash my smartphone usage in half. Still, I feel hijacked by my smartphone and the companies behind it. Of late, using my phone has begun to channel a sense of anxiety and fatigue within me.

DigitalTrends

Secret Emails Reveal How Washington State Cops Shared Facial Recognition Tech

Over the last decade, large police forces in Washington state like the Seattle Police Department and the Pierce County Sheriff’s Department have turned to facial recognition technology to identify and track down suspects. But it was, until now, unclear just how widespread the use of the technology was across the state, and whether smaller law enforcement departments had access to those same tools.
Now, thanks to thousands of pages of previously undisclosed emails, OneZero can confirm the existence of a massive, secretive network of police departments working together to share these controversial facial recognition tools. The emails, which date back to at least 2016, also indicate that these departments explicitly tried to keep this cross-department partnership secret from the public. These emails were shared with OneZero from a source who obtained the documents through an open records request.

OneZero

Disney+ has arrived!

Disney+ opens up a new front in the Streaming Wars

On the content side, Disney has big plans for its streaming service and is looking to invest more than $2 billion in original programming to bolster its already strong library. Unlike the soft (some would say weak) content launch Apple TV+ debuted with last month, Disney+ launches with more than 500 movies and 7,000 episodes of television. Compare that to the one original movie and nine shows Apple has planned for 2020, and you begin to see the Hulk-sized content advantage Disney brings to the table. If content is king in the streaming wars, Disney would appear to own the castle.
The company plans to generate dozens of original series and movies for the platform, including the highly anticipated Star Wars-themed The Mandalorian and a slew of Marvel- and Pixar-based shows. Here we see one of Disney’s key content advantages – its ability to leverage the network effects of the broader business to drive streaming engagement.

VentureBeat

Everything to Know About Disney+

Over a year after it was first announced, Disney+ is finally here and full of cartoons, superheroes, and space wizards for you to gawk at. Last week, Gizmodo got a chance to check out the new streaming service app in its final form and speak with the team behind Disney+’s launch.
The time I spent with Disney+ was brief (only a few hours), but I’ll admit the app and streaming quality were surprisingly good—especially given that streaming services tend to choke in demo situations like the one I was in. But this was one of Disney’s first times showing off the new product to press, so it would have been deeply embarrassing if it had choked on the building’s wifi. Assume your own experience with Disney+ to vary depending on your internet speed and the quality of the device you’re using.

The service’s launch has been confusing thus far. Disney has been scant on details (apart from the briefing I attended, which was under embargo until November 12, 3 a.m. ET). Unless you’ve kept a running tally of the news dropped piecemeal by execs, you might have missed what exactly is going on with Disney’s service and when you can actually use it. So let’s clear it up.

GIZMODO

Disney+ has arrived, here’s everything you need to know

It’s November 12th, and Disney has thrown the doors open on its streaming service Disney+. If you live in the US, Canada or the Netherlands, then you can get unprecedented access to the Disney vault as well as some interesting new original content. That includes most of the Marvel Cinematic Universe, The Mandalorian and more. Original shows on Disney+ won’t drop all at once, so plan your binge-watching accordingly. Several new series premiered tonight, and they’ll each add new episodes every Friday from now on.

Engadget

Disney+ is finally live: I just watched Episode 1 of ‘The Mandalorian’ and seriously, wow

I dived straightaway into Episode 1 of The Mandalorian. The following will be my initial impressions, so I’ll go ahead and get the requisite *SPOILER* warning out of the way. I’ll try not to ruin certain things (and I’ll refrain from spoiling a huge WHOA moment in the final minutes of the show, one so big you’ll immediately realize why Disney wanted to preserve this surprise for as long as possible). But let me go ahead and tell you right off the bat — Disney has fired a seriously impressive opening salvo for its entry today into the so-called Streaming Wars.

BGR
