Web Standards

Filed under
Web
  • Inrupt, Tim Berners-Lee's Solid, and Me

    All of this is a long-winded way of saying that I have joined a company called Inrupt that is working to bring Tim Berners-Lee's distributed data ownership model that is Solid into the mainstream. (I think of Inrupt basically as the Red Hat of Solid.) I joined the Inrupt team last summer as its Chief of Security Architecture, and have been in stealth mode until now.

    The idea behind Solid is both simple and extraordinarily powerful. Your data lives in a pod that is controlled by you. Data generated by your things -- your computer, your phone, your IoT whatever -- is written to your pod. You authorize granular access to that pod to whoever you want for whatever reason you want. Your data is no longer in a bazillion places on the Internet, controlled by you-have-no-idea-who. It's yours. If you want your insurance company to have access to your fitness data, you grant it through your pod. If you want your friends to have access to your vacation photos, you grant it through your pod. If you want your thermostat to share data with your air conditioner, you give both of them access through your pod.

  • World wide web founder scales up efforts to reshape internet
  • Sir Tim Berners-Lee's Inrupt is Redesigning the way the web is to Work and Apple is working with them on their Data Transfer Project

    Inrupt, the start-up company founded by Sir Tim Berners-Lee to redesign the way the web works, is expanding its operational team and launching pilot projects in its quest to develop a "massively scalable, production-quality technology platform."

  • Inconsistent user-experiences with native lazy-loading images

    The specification for web browser native support for lazy-loading images landed in the HTML Living Standard a week ago. This new feature lets web developers tell the browser to defer loading an image until it is scrolled into view, or it’s about to be scrolled into view.

    Images account for 49% of the median webpage's byte size, according to the HTTP Archive. Lazy image loading can reduce the impact of those images on page-load performance, and it lowers data costs for clients that never scroll down to images far down the page.

    Historically, lazy-loading was implemented by responding to changes in the scroll position and tracking the image element’s offset from the top of the page. This could degrade page-scrolling performance. Comparatively, the new native lazy loading for images is easier to implement and doesn’t degrade scrolling performance.
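As an added example (mine, not code from the original post or the HTML specification), the following Node.js script emits the markup for a natively lazy-loaded image, with attribute escaping and a URL check so that attacker-controlled alt text or a `javascript:` URL cannot turn the tag against the page, alongside the runtime feature test and the offset arithmetic that the old scroll-driven lazy-loaders ran on every scroll event. All function names are this example's own.

```javascript
// Added example (mine, not from the original post or the HTML spec): emitting
// markup for a natively lazy-loaded image with attribute escaping and a URL
// check, the runtime feature test, and the viewport arithmetic the old
// scroll-driven lazy-loaders ran on every scroll event. Function names are
// this example's own.

// Escape for a double-quoted HTML attribute so user-supplied alt text or a
// URL cannot close the attribute and add its own (e.g. onload=...).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Accept relative or http(s) URLs only; reject javascript:, data:, and
// protocol-relative forms.
function isSafeImageUrl(src) {
  const s = String(src).trim();
  if (s.startsWith('//')) return false;
  if (!/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(s)) return true;   // no scheme: relative
  return /^https?:/i.test(s);
}

// The native form: loading="lazy" asks the browser to defer the fetch until the
// image nears the viewport. width/height are written out so the page does not
// reflow when the deferred image finally arrives.
function lazyImageTag({ src, alt = '', width, height }) {
  if (!isSafeImageUrl(src)) throw new Error('refusing unsafe image URL: ' + src);
  let tag = `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}" loading="lazy"`;
  if (Number.isInteger(width) && Number.isInteger(height)) {
    tag += ` width="${width}" height="${height}"`;
  }
  return tag + '>';
}

// Runtime feature test as done in the browser; `win` is passed in so it can be
// exercised outside one (pass `window` in a page).
function supportsNativeLazyLoading(win) {
  return Boolean(win && win.HTMLImageElement &&
    'loading' in win.HTMLImageElement.prototype);
}

// The pre-native approach: on each scroll event decide, from offsets, whether
// an image is within `margin` px of the viewport and should start loading.
function isNearViewport(elementTop, elementHeight, scrollY, viewportHeight, margin = 200) {
  const loadFrom = scrollY - margin;
  const loadTo = scrollY + viewportHeight + margin;
  return elementTop < loadTo && elementTop + elementHeight > loadFrom;
}

console.log(lazyImageTag({ src: '/photos/hero.jpg', alt: 'Harbour at dusk', width: 1200, height: 800 }));
```

In a page you would call `supportsNativeLazyLoading(window)` once and only wire up a scroll listener (or, better, an IntersectionObserver) around `isNearViewport` when it returns false; the native attribute costs nothing on browsers that ignore it. The escaping matters regardless of which path is taken: a lazy-loaded image is still an injection point if its attributes are built from untrusted strings.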

Greenpeace, greenwash, openwash

Filed under
Red Hat
OSS
Web
  • Greenpeace takes open-source approach to finish web transformation

    Greenpeace is working with open source software firm Red Hat to scale and revamp its grassroots engagement platform, Planet 4.

    The project marks a complete re-design of Greenpeace.org’s backend content management systems (CMS), which are now designed to put content on the web and provide a vehicle for driving grassroots environmental action.

  • Greenpeace turns to Red Hat to scale its “Planet 4” global engagement platform
  • Greenpeace turns to open source to finish its web transformation

    In 2016, Greenpeace International decided to try a new way of stimulating grassroots environmental activity via something it called ‘Planet 4’ - a global content management system (CMS) it defined as its new engagement platform. In its original mission statement, it also outlined its expectations for the tool: that it would foster more engagement “when we present ourselves to our supporters, and our potential supporters, through a clear representation of our values with a clear proposition for why we exist, how people can become change agents through our work, and what they can do with us right now”.

Mozilla/WWW: TenFourFox, Markdown, DOM, Firefox Spying ("Glean") and Apple Monopoly

Filed under
Moz/FF
Web
  • TenFourFox FPR20b1 available

    When using FPR20 you should notice ... absolutely nothing. Sites should just appear as they do; the only way you'd know anything changed in this version is if you pressed Command-I and looked at the Security tab to see that you're connected over TLS 1.3, the latest TLS security standard. In fact, the entirety of the debate was streamed over it, and to the best of my knowledge TenFourFox is the only browser that implements TLS 1.3 on Power Macs running Mac OS X. On regular Firefox your clue would be seeing occasional status messages about handshakes, but I've even disabled that for TenFourFox to avoid wholesale invalidating our langpacks which entirely lack those strings. Other than a couple trivial DOM updates I wrote up because they were easy, as before there are essentially no other changes other than the TLS enablement in this FPR to limit the regression range. If you find a site that does not work, verify first it does work in FPR19 or FPR18, because sites change more than we do, and see if setting security.tls.version.max to 3 (instead of 4) fixes it. You may need to restart the browser to make sure. If this does seem to reliably fix the problem, report it in the comments. A good test site is Google or Mozilla itself. The code we are using is largely the same as current Firefox's.

  • Moving to Markdown

    I'm writing this only for those who follow this blog via RSS feed and probably wonder why they had many notifications on their RSS reader. Sorry, this happens when I upload a new version of my website. So, what's new on this new website? Not much, nothing changed visually... But everything changed under the hood!

  • Semantic markup, browsers, and identity in the DOM

    HTML was initially designed as a semantic markup language, with elements having semantics (meaning) describing general roles within a document. These semantic elements have been added to over time. Markup as it is used on the web is often criticized for not following the semantics, but rather being a soup of divs and spans, the most generic sorts of elements. The Web has also evolved over the last 25 years from a web of documents to a web where many of the most visited pages are really applications rather than documents. The HTML markup used on the Web is a representation of a tree structure, and the user interface of these web applications is often based on dynamic changes made through the DOM, which is what we call both the live representation of that tree structure and the API through which that representation is accessed.

    Browsers exist as tools for users to browse the Web; they strike a balance between showing the content as its author intended versus adapting that content to the device it is being displayed on and the preferences or needs of the user.

    Given the unreliable use of semantics on the Web, most of the ways browsers adapt content to the user rarely depend deeply on semantics, although some of them (such as reader mode) do have significant dependencies. However, browser adaptations of content or interventions that browsers make on behalf of the user very frequently depend on the persistent object identity in the DOM. That is, nodes in the DOM tree (such as sections of the page, or paragraphs) have an identity over the lifetime of the page, and many things that browsers do depend on that identity being consistent over time. For example, exposing the page to a screen reader, scroll anchoring, and I think some aspects of ad blocking all depend on the idea that there are elements in the web page that the browser understands the identity of over time.

  • Chris H-C: This Week in Glean: A Distributed Team Echoes Distributed Workflow

    I was recently struck by a realization that the position of our data org’s team members around the globe mimics the path that data flows through the Glean Ecosystem.

  • Apple May Soon Let You Set Third-Party Mail, Browser Apps as Default on iOS: Report

    Apple has always had its own apps set as defaults in cases like the music player and the browser, Apple Music and Safari respectively. But this might change soon. Reportedly, Apple is considering allowing third-party apps to be set as defaults on iOS. Apple is also debating whether to allow third-party music apps on the HomePod speaker, something that would mean allowing users to stream music via Spotify, one of Apple Music's rivals. No decision has been made by the company as of now.
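The point in "Semantic markup, browsers, and identity in the DOM" about persistent object identity is easiest to see in code. The following is an added example (mine, not code from the post or from any browser): a deliberately tiny stand-in for DOM nodes, a WeakMap playing the role of the state a screen reader, scroll anchoring or a content blocker keeps per node, and two ways of updating the page, one of which throws that state away. `FakeNode` and every other name here are this example's own; it mimics only the parts of the DOM the point needs.

```javascript
// Added example (mine, not from David Baron's post): a stand-in for DOM nodes
// that shows why browser features keyed on node identity survive an in-place
// update but not a wholesale re-render. FakeNode and all names are this
// example's own; it mimics only the parts of the DOM the point needs.

class FakeNode {
  constructor(tag, text = '') {
    this.tag = tag;
    this.text = text;
    this.childNodes = [];
  }
  appendChild(node) { this.childNodes.push(node); return node; }
  replaceChildren(...nodes) { this.childNodes = nodes; }
}

// State a screen reader, scroll anchoring or a content blocker might attach to
// a node. A WeakMap is keyed by object identity, so the entry is reachable
// exactly as long as that same node object is still in the tree.
const perNodeState = new WeakMap();

function attachBrowserState(container) {
  container.childNodes.forEach((node, index) => {
    perNodeState.set(node, { index, flagged: node.text.includes('sponsored') });
  });
}

function retainedStateCount(container) {
  return container.childNodes.filter((node) => perNodeState.has(node)).length;
}

// Strategy A, the `el.innerHTML = render(items)` pattern: every node is new,
// so every piece of browser-side state is orphaned.
function rerenderByReplacement(container, items) {
  container.replaceChildren(...items.map((text) => new FakeNode('p', text)));
}

// Strategy B, positional reconciliation (what `node.textContent = ...` or a
// framework with stable keys does): existing nodes are reused and edited,
// and only genuinely new items get new nodes.
function rerenderInPlace(container, items) {
  const existing = container.childNodes;
  const next = items.map((text, i) => {
    if (i < existing.length) { existing[i].text = text; return existing[i]; }
    return new FakeNode('p', text);
  });
  container.replaceChildren(...next);
}

// Build a three-paragraph page, let the "browser" annotate it, apply one
// update strategy, and report how many annotated nodes are still in the tree.
function runScenario(strategy) {
  const root = new FakeNode('div');
  ['intro', 'sponsored content', 'outro'].forEach((t) => root.appendChild(new FakeNode('p', t)));
  attachBrowserState(root);
  strategy(root, ['intro', 'sponsored content', 'outro (edited)', 'footer']);
  return retainedStateCount(root);
}

console.log(runScenario(rerenderByReplacement)); // 0: all per-node state lost
console.log(runScenario(rerenderInPlace));       // 3: state follows the same nodes
```

The practical consequence for a site that re-renders by replacement is that anything the browser or an extension decided about a node (that it was read aloud, that it is the scroll anchor, that it was blocked) has to be decided again from scratch after every update, which is why the post singles out identity rather than semantics as the thing these features lean on.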

Gopher: When Adversarial Interoperability Burrowed Under the Gatekeepers' Fortresses

Filed under
Web

In the early 1990s, personal computers did not arrive in an "Internet-ready" state. Before students could connect their systems to UMN's network, they needed to install basic networking software that allowed their computers to communicate over TCP/IP, as well as dial-up software for protocols like PPP or SLIP. Some computers needed network cards or modems, and their associated drivers.

That was just for starters. Once the students' systems were ready to connect to the Internet, they still needed the basic tools for accessing distant servers: FTP software, a Usenet reader, a terminal emulator, and an email client, all crammed onto a floppy disk (or two). The task of marshalling, distributing, and supporting these tools fell to the university's Microcomputer Center.

For the university, the need to get students these basic tools was a blessing and a curse. It was labor-intensive work, sure, but it also meant that the Microcomputer Center could ensure that the students' newly Internet-ready computers were also configured to access the campus network and its resources, saving the Microcomputer Center thousands of hours talking students through the configuration process. It also meant that the Microcomputer Center could act like a mini App Store, starting students out on their online journeys with a curated collection of up-to-date, reliable tools.

That's where Gopher comes in. While the campus mainframe administrators had plans to selectively connect their systems to the Internet through specialized software, the Microcomputer Center had different ideas. Years before the public had heard of the World Wide Web, the Gopher team sought to fill the same niche, by connecting disparate systems to the Internet and making them available to those with little-to-no technical expertise—with or without the cooperation of the systems they were connecting.

Gopher used text-based menus to navigate "Gopherspace" (all the world's public Gopher servers). The Microcomputer Center team created Gopher clients that ran on Macs, DOS, and in Unix-based terminals. The original Gopher servers were a motley assortment of used Macintosh IIci systems running A/UX, Apple's flavor of Unix. The team also had access to several NeXT workstations.


Also: The Things Industries Launches Global Join Server for Secure LoRaWAN

Meet Ephemeral: The Always-Incognito Web Browser For Linux

Filed under
Linux
Web

Ads popping up based on your browsing data have become a common annoyance, so it's no surprise that people are turning toward more privacy-focused search engines and web browsers.

With private browsing in mind, Cassidy James Blaede, co-founder & CXO at elementary, developed an open-source, always-incognito web browser, Ephemeral.


Rclone Browser (Fork) 1.8.0 Gets Proxy Support, Option To Create Public Link

Filed under
Software
Web

Rclone Browser (fork), a Qt5 GUI for Rclone, was updated to version 1.8.0, getting proxy support, an option to display the complete directory tree for a remote, and the ability to create a public link to easily share files, among others.

Rclone Browser is a cross-platform (Windows, macOS and Linux) Qt5 GUI for Rclone, a command line tool to synchronize (and mount) files from remote cloud storage services like Google Drive, OneDrive, Nextcloud, Dropbox, Amazon Drive and S3, Mega, and others.

This GUI can be used to simplify operations like copying a file from one cloud storage to another or to the local drive, mount cloud storages on your system with a click, and browsing the contents of various cloud storage remotes in a tabbed interface.


Brave Browser and DRM With 'Open' Veneer

Filed under
OSS
Web
  • Data Doctors: Is the Brave browser safe to use?

    If you’re like most users, you spend more time using a browser than any other program on your computer or smartphone.

    You probably don’t think about what browser you’re using; the focus is on getting to a website, not what got you there.

    Google Chrome is by far the most popular browser, but because it’s a Google product integrated with all their tracking and advertising networks, a lot of people are looking for an alternative.

  • Here’s how to know if the Brave browser is safe to use

    A: If you’re like most users, you spend more time using a browser than any other program on your computer or smartphone.

    You probably don’t think about what browser you’re using as the focus is on getting to a website and not what got you there.

    Google’s Chrome is by far the most popular browser, but because it’s a Google product integrated with all their tracking and advertising networks, a lot of people are looking for an alternative.

  • Netflix Now Exploring AVIF For Image Compression

    Following Netflix's adoption of AV1, its collaboration with Intel on the SVT-AV1 encoder, its use of AV1 streaming for Android users, and other work around this advanced royalty-free video codec, Netflix is now exploring AVIF as its next-gen image format.

    [...]

    Netflix acknowledges the significant need for next-gen image coding with better compression efficiency and more features than JPEG. Netflix believes AVIF has the potential to fill that role, although it is not yet ready to transition to AVIF today.

    In their testing they are finding good results out of AVIF compared to JPEG and other image formats. For those wanting to go through a long and interesting technical read, on the Netflix Tech Blog they have example screenshots and results comparing their AVIF results to other formats.

  • Netflix begins streaming AV1 content on its Android mobile app

    Netflix today announced that it is beginning to stream videos compressed using the AV1 codec on its Android mobile app. AV1 is a next-generation, royalty-free video codec that offers roughly 20% better compression efficiency than VP9, the codec it was developed to replace. It was built by the Alliance for Open Media, of which Netflix, Google, Amazon Prime Video, and other big-name content providers are members.

Openwashing of 5G

Filed under
OSS
Web

Detailed tests of search engines: Google, Startpage, Bing, DuckDuckGo, metaGer, Ecosia, Swisscows, Searx, Qwant, Yandex, and Mojeek

Filed under
Google
Reviews
Web

Since my last in-depth comparison review of alternative search engines in 2014, a lot has changed, and a lot has stayed the same. Google is appearing as a loan-verb in more and more languages due to its continued dominance in the search engine market. But at the same time, Google is being increasingly demonized by privacy focused users. An even more interesting development is the trend of complaints that Google’s algorithm is producing results that are less relevant and more indicative of artificial stupidity than artificial intelligence. I belong in this latter camp, as I am more of a pragmatist than a privacy pundit. I simply want the best search results with minimal effort and no nonsense. Back in my 2014 article, I was hopeful that DuckDuckGo was quickly becoming a viable and attractive alternative to Google. While DuckDuckGo continues to be the darling of privacy conscious users and is enjoying more popularity than ever, I am concerned that its core search infrastructure and algorithms have largely stagnated. Since my last article, many other alternatives have cropped up, bringing some very interesting features and concepts, but it still remains to be seen if they offer acceptable results in the fundamentally important area of relevant search results. This comparison sets out to analyze and compare the current batch of alternatives in 2020.


Browsers and Privacy

Filed under
OSS
Web
  • Browsers, web sites, and user tracking

    Browser tracking across different sites is certainly a major privacy concern and one that is more acute when the boundaries between sites and browsers blur—or disappear altogether. That seems to be the underlying tension in a "discussion" of an only tangentially related proposal being made by Google to the W3C Technical Architecture Group (TAG). The proposal would change the handling of the User-Agent headers sent by browsers, but the discussion turned to the unrelated X-Client-Data header that Chrome sends to Google-owned sites. The connection is that in both cases some feel that the web-search giant is misusing its position to the detriment of its users and its competitors in the web ecosystem.

  • Data detox: Four things you can do today to protect your computer

    From the abacus to the iPad, computers have been a part of the human experience for longer than we think. So much so that we forget the vast amounts of personal data we share with our devices on a daily basis. On any given day we could be tackling sensitive work emails, planning our next vacation, or just booking some good ole doctor’s appointments. No big deal right? Well, in the wrong hands it can become a huge deal.

    Thankfully, it’s pretty easy to tighten your device security. Read on for four easy things you can do today to protect your personal info along with your devices.


More in Tux Machines

Planet Changes and Cilium

  • Planet Arch Linux migration

    The software behind planet.archlinux.org was implemented in Python 2 and is no longer maintained upstream. This functionality has now been implemented in archlinux.org's archweb backend which is actively maintained but offers a slightly different experience.

  • Cilium drops 1.7 release, upping insight and manageability

    Network and API connectivity project Cilium has been released in version 1.7, providing users with a UI for observability platform Hubble and the option to apply cluster-wide network policies. Cilium is an open source project developed by US startup Isovalent to provide and secure network connectivity and load balancing for workloads such as application containers or processes. It is based on a virtual machine-like construct called Berkeley Packet Filter (BPF) which can be found in the Linux kernel.

OSS and Development

  • Someone is selling the free, open source Playnite launcher on Steam for $100

    Playnite is a free open source PC application designed to be an all-in-one answer to the growing number of game launchers we've all got on our desktops. In other words, it combines libraries from the likes of Steam, Epic Games Store, Uplay and GOG Galaxy, and then lets you organise them however you see fit. Jody tried it last year and came away impressed. I should emphasise the "free" above: it is available straight from the source here and, according to the site, "no features are locked behind a paywall and the complete source code is available under the MIT license". The MIT license basically surrenders the software to any kind of use with no restrictions, including resales.

  • uGet is an open source download manager for Windows and Linux that also supports Torrents and Video downloads

    The GUI has four panes, a menu bar and a toolbar. The Status pane in the top left corner displays all downloads and the ones which are Active, Queuing, Finished, and Recycled (deleted). The total number of downloads for each category is displayed next to its name, and you can click on any of these to see the list of items contained. Switch to the Category pane to jump between the default and the ones you have created. You can use the Category menu to add new sorting options, set the default download folder for each category, maximum active downloads, and also the maximum upload and download speeds. The pane below the toolbar is the download list pane; anything that you select in the status pane is displayed here. It shows the name, the file size of the download that has been completed, the total size, the progression percentage, time left to complete the download, and the upload/download speeds of each file. The View menu can be used to customize the columns that are displayed in the list pane, and the other visual elements of the program. Highlighting an item in the download list brings up its summary on the bottom pane.

  • Open Source Music Tagger Picard 2.3 Released With Custom MP4 Tags Support

    MusicBrainz, the free and open-source music database, announced the release of Picard 2.3, with major changes to the user interface, tagging, and desktop integration. MusicBrainz stores metadata about recorded music, and Picard is its official tag editor, which helps identify and organize digital audio recordings.

  • For Square Crypto, the Way to Bitcoin Mass Adoption Is Open Source

    When Jack Dorsey founded Square in February 2009, Bitcoin was all of one month old. In fact, Satoshi Nakamoto and Dorsey were likely laying the groundwork for their respective creations concurrently in the year prior. Ten years later, the two would converge in what now seems like an inevitable collision. Square launched its Venmo-like payment service, Cash App, in 2013. The application features common stock investing, and i

  • Gold-nuggeting: Machine learning tool simplifies target discovery for pen testers

    Recognizing this analogy with the precious metals industry, researchers at Delve Labs have developed Batea, an open source tool that leverages machine learning to find valuable information in network device data.

  • ’Second Revolution’ In Electronic Bond Trading

    Sri Ambati, chief executive and founder at H2O.ai, told Markets Media that the firm’s open source platform can perform one billion regressions in less than five seconds.

  • Google ‘AutoFlip’ can resize video using AI

    The way we consume video has changed a lot over the course of the last decade. We now watch videos on our mobile devices from anywhere and because of this, video content comes in a wide variety of formats. Google recognizes this shift and so last week their AI team announced ‘AutoFlip’ an open-source framework for “intelligent video reframing.”

  • This open-source framework, ‘AutoFlip’, can do automated video cropping using AI

    Often a video we watch on a mobile device is badly cropped, and there is not much you can do about it. Understanding this problem, Google's AI team has built an open-source solution on top of MediaPipe, AutoFlip, which can reframe a video to fit any device or dimension (landscape, portrait, etc.). AutoFlip works in three phases: scene detection, video content analysis, and reframing. Given a video and a target dimension, it analyzes the video content, then develops optimal tracking and cropping strategies, which finally lets it produce an output video of the same duration in the desired aspect ratio.

  • Tech Events in Africa: Nerds Unite, Open Source Festival and #CodeZone

    It’s a new week and another opportunity to meet up with like-minded people, become better in your chosen field and seal those deals for your startup. And we at TechNext want to help with a list of tech events happening around you this week.

  • An unofficial version of Brave browser brings native ARM64 support

    Privacy-focused Brave browser launched late last year after almost four years of being in the works. The browser is based on the Chromium open-source project and joins the likes of Microsoft Edge, which is built on that platform. However, while Mozilla Firefox and Microsoft’s offering currently support ARM64 PCs natively in the stable channels, Brave does not. That might change, as Windows Insider MVP Jeremy Sinclair was able to compile an unofficial build of the open-source Brave browser that natively supports ARM64 PCs. The recompiled build (version 1.6.33) uses Microsoft’s ARM64 Chromium libraries and can run natively on PCs like the Surface Pro X and Samsung Galaxy Book S. Native support results in improved performance and efficiency since the browser will not have to run in emulation.

  • The Brave web browser is taking on Google Chrome: Is it safe?

    The creator of Brave, Brendan Eich, also created JavaScript and co-founded the Mozilla Project that led to the development of the Firefox browser. Brave is based on the open-source Chromium browser that’s also the basis for Google’s Chrome, Opera and most recently Microsoft’s Chromium Edge browser. Open-source means that anyone can take the source code and build whatever they’d like out of it, but it doesn’t mean that all the browsers are the same. In the case of Brave, they chose to focus on user privacy by blocking trackers, scripts and ads by default. The natural by-product of blocking all this activity that usually goes unnoticed by the average user is faster load times. Brave can also make use of the wide variety of extensions for Chromium-based browsers via the Chrome Web Store at chrome.google.com.

  • This new tool could improve economic analysis of sub-national climate policies in the US

    Empowered by the Paris Agreement and a lack of national leadership on climate policy in the United States, state and local governments are leading on their own climate initiatives. California, New York and Colorado have set ambitious greenhouse gas emission and renewable energy targets for 2030. Just last week, Massachusetts introduced sweeping climate legislation targeting net zero emissions by 2050. As these environmental and energy policies move ahead, experts need to invest in economic data and tools that allow them to conduct robust economic analysis, to better inform policymakers, stakeholders and the public on how to design robust alternative climate and energy policies.

  • 2020 Open Access Award Finalists Named

    The Benjamin Franklin Award for Open Access in the Life Sciences is a humanitarian/bioethics award presented annually by Bioinformatics.org to an individual who has, in his or her practice, promoted free and open access to the materials and methods used in the life sciences.

  • Are we having fund yet, npm? CTO calls for patience after devs complain promised donations platform has stalled

    At the end of August, JavaScript package registry NPM Inc said it intended "to finalize and launch an Open Source funding platform by the end of 2019." But instead of a platform, what's available at the moment might be better referred to as a feature of the npm command-line interface (CLI). The announcement was received with some skepticism at the time and the project hasn't managed to defy that expectation: There was a minor milestone last November with the addition of the "fund" command to npm v6.13.0. But not much has changed since then.

  • RcppSimdJson 0.0.2: First Update!

    RcppSimdJson wraps the fantastic simdjson library by Daniel Lemire, which is truly impressive. Via some very clever algorithmic engineering to obtain largely branch-free code, coupled with modern C++ and newer compiler instructions, it parses gigabytes of JSON per second, which is quite mindboggling. I highly recommend the video of the recent talk by Daniel Lemire at QCon (which was also voted best talk). The best-case performance is ‘faster than CPU speed’ as use of parallel SIMD instructions and careful branch avoidance can lead to less than one cpu cycle use per byte parsed. This release syncs the simdjson headers with upstream, and polishes the build a little by conditioning on actually having a C++17 compiler rather than just suggesting it. The NEWS entry follows.

  • Nvidia Blames ‘Misunderstanding’ for Activision Faux Pas

    When Nvidia Corp. abruptly dropped Activision Blizzard Inc. games from its new GeForce Now service earlier this week, it left customers wondering what happened. Nvidia said on Tuesday that Activision had asked to have its titles removed from GeForce, but didn’t explain why. It turns out that the video-game giant wanted a commercial agreement with Nvidia before they proceeded -- and the situation stemmed from a simple misunderstanding, Nvidia said on Thursday.

Security and Scare for Sale

  • Malware Attack Takes ISS World's Systems Offline

    Founded in 1901, the Copenhagen, Denmark-based company provides cleaning, support, property, catering, security, and facility management services for offices, factories, airports, hospitals, and other locations all around the world.

    At the moment, the company’s employees don’t have access to corporate systems, as they were taken offline following a malware attack earlier this week.

  • The rise and rise of ransomware [iophk: Windows TCO]
  • Security flaws belatedly fixed in open source SuiteCRM software

    According to Romano, a second-order PHP object injection vulnerability (CVE-2020-8800) in SuiteCRM could be “exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks, such as executing arbitrary PHP code”. SuiteCRM versions 7.11.11 and below are said to be vulnerable. [...] “We have put a notice on our open source community channels and advice via social media. We have a dedicated community that works around the clock to spot vulnerabilities and produce suitable fixes, which is one of the key benefits for a business when choosing to use open source software.”

  • With the rise of third-party code, zero-trust is key

    The surface area of website and web application attacks keeps growing. One reason for this is the prevalence of third-party code. When businesses build web apps, they use code from many sources, including both commercial and open-source projects, often created and maintained by both professional and amateur developers. Web application creators take advantage of third-party code because it allows them to build their websites and apps quickly. For example, companies are likely to add a third-party chat widget to their site, instead of building one from scratch. But third-party code can leave websites vulnerable. Consider the July 2018 Magecart attack on Ticketmaster. In this data breach, hackers were able to gain access to sensitive customer information on Ticketmaster's website by compromising a third-party script used to provide chatbot functionality. The challenge is that this third-party functionality runs directly on the customer's browser, and the browser is built to simply render the code sent down from a web server. It assumes that all code, whether first-party or third-party, is good.

  • New company BluBracket takes on software supply chain code security
  • BluBracket scores $6.5M seed to help secure code in distributed environments

    BluBracket, a new security startup from the folks who brought you Vera, came out of stealth today and announced a $6.5 million seed investment. Unusual Ventures led the round with participation by Point72 Ventures, SignalFire and Firebolt Ventures.