Archive for the ‘Quantum Computer’ Category

JavaScript library updated to wipe files from Russian computers – The Register

The developer of JavaScript library node-ipc, which is used by the popular vue.js framework, deliberately introduced a critical security vulnerability that, for some netizens, would destroy their computers' files.

Brandon Nozaki Miller, aka RIAEvangelist on GitHub, created node-ipc, which is fetched about a million times a week from the NPM registry, and is described as an "inter-process communication module for Node, supporting Unix sockets, TCP, TLS, and UDP."

It appears Miller intentionally changed his code to overwrite the host system's data, then changed the code to display a message calling for world peace, as a protest against Russia's invasion of Ukraine. GitHub on Wednesday declared this a critical vulnerability tracked as CVE-2022-23812.

"The malicious code was intended to overwrite arbitrary files dependent upon the geo-location of the user IP address," the Microsoft-owned biz said.

Between March 7 and March 8, versions 10.1.1 and 10.1.2 of the library were released. When imported as a dependency and run by a project, these checked if the host machine had an IP address in Russia or Belarus, and if so, overwrote every file it could with a heart symbol. Version 10.1.3 was released soon after without this destructive functionality; 10.1.1 and 10.1.2 were removed from the NPM registry.

Version 11 was then published, and the following week version 9.2.2. Both brought in a new package by Miller called peacenotwar, which creates files called WITH-LOVE-FROM-AMERICA.txt in users' desktop and OneDrive folders. This text file is supposed to contain a message from the developer stating among other things, "war is not the answer, no matter how bad it is," though some folks reported the file was empty.

Whenever node-ipc versions 11 or 9.2.2 are used as a dependency by another project, they bring in peacenotwar and run it, leaving files on people's computers. Version 9.2.2 has disappeared from the NPM registry along with the destructive 10.1.x versions. Vue.js, for one, brought in node-ipc 9.2.2 while it was available, as 9.x is considered a stable branch, meaning there was a period in which some Vue developers may have had .txt files show up unexpectedly.

In other words, not too many people fetched the destructive version, as big apps and frameworks will have used the stable branch, which for a short while dropped .txt files. Anyone using bleeding-edge versions may have had their files vanished, or found manifestos saved to their computers.
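For anyone wanting to check a project against the releases named above, here is an added example (not code from node-ipc, Snyk or The Register) that audits a parsed package-lock.json for them. The function names and sample lockfiles are constructed for illustration, and "version 11" is assumed to mean the whole 11.x line.

```javascript
// Added example: audit a parsed package-lock.json for the node-ipc releases named in the article.
const DESTRUCTIVE = new Set(['10.1.1', '10.1.2']); // the file-overwriting releases (CVE-2022-23812)

function classify(name, version) {
  if (name === 'peacenotwar') return 'file-dropper: peacenotwar';
  if (name !== 'node-ipc') return null;
  if (DESTRUCTIVE.has(version)) return 'destructive: CVE-2022-23812';
  // Assumption: "version 11" in the article covers every 11.x release ("as of v11").
  if (version === '9.2.2' || /^11\./.test(version)) return 'pulls in peacenotwar';
  return null;
}

// Lockfile v2/v3: flat "packages" map keyed by install path.
function* fromPackages(packages) {
  for (const [path, meta] of Object.entries(packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = meta.name || path.split('node_modules/').pop();
    yield { name, version: meta.version, path };
  }
}

// Lockfile v1: nested "dependencies" tree, walked recursively.
function* fromDependencies(deps, trail = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = [...trail, name].join(' > ');
    yield { name, version: meta.version, path };
    yield* fromDependencies(meta.dependencies, [...trail, name]);
  }
}

function auditLockfile(lock) {
  const entries = lock.packages
    ? fromPackages(lock.packages)
    : fromDependencies(lock.dependencies);
  const findings = [];
  for (const { name, version, path } of entries) {
    const reason = classify(name, String(version || ''));
    if (reason) findings.push({ name, version, path, reason });
  }
  return findings;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/node-ipc': { version: '10.1.2' },
  'node_modules/some-tool/node_modules/node-ipc': { version: '9.2.1' },
  'node_modules/peacenotwar': { version: '0.0.0-sample' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'some-tool': { version: '4.0.0', dependencies: { 'node-ipc': { version: '9.2.2' } } },
} };

console.log(auditLockfile(sampleV3), auditLockfile(sampleV1));
```

To run it against a real project, replace the samples with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; transitive copies nested under other packages are reported with their full path.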

A timeline of events has been documented by infosec outfit Snyk. We note that the landing page for the node-ipc module on NPM states "as of v11 this module uses the peacenotwar module."

Miller has defended his peacenotwar module on GitHub, saying "this is all public, documented, licensed and open source." Earlier, there were more than 20 issues flagged against node-ipc about its bad behavior, and just now plenty more over on peacenotwar.

Some of the comments referred to Miller's creation as "protestware." Others might call it malware. The programmer was not available for comment.

Someone even claimed an American NGO had their production files on one system trashed by node-ipc as they were running the library on a monitoring server in Belarus with an IP address that triggered the data-wiping code.

The continuing rise of the Node.js JavaScript framework has given the world a whole new type of software vulnerability.

Node's package manager is NPM, which is overseen and owned these days by GitHub along with NPM's registry of modules. This tool makes it easy for Node apps to automatically pull in other libraries of code directly from online repositories. This results in vast numbers of downloads for many modules, meaning that small code changes can propagate very rapidly across large numbers of computers.

The file-dropping version of node-ipc got sucked into version 3.1 of Unity Hub, a tool for the extremely popular Unity games engine, although it was removed the same day.

"This hot-fix eliminates an issue where a third-party library was able to create an empty text file on the desktop of people using this release version," the Unity team wrote. "While it was a nuisance, the issue did not include malicious functionality. Any user that had this file appear on their desktop after updating the Unity Hub can delete this file."

This is far from the first time something like this has happened. In 2016, a developer removed his tiny leftpad library from NPM, breaking thousands of other apps. Earlier this year, another developer added a breaking change to his library as a protest.

Infosec firm WhiteSource said earlier this year that it detected 1,300 malicious npm packages in 2021. It reported them to npm, which quietly removed them.


US biz to blow $120bn on AI by 2025, says IDC – The Register

Corporate funding splurged on AI technology is expected to grow to $120bn by 2025 in the US, a yearly increase of 26 percent over the next four financial years, according to IDC.

The two largest industries ramping up investments in machine learning are retail and banking, according to the market research firm. Together they are predicted to make up 28 percent, nearly $20bn, of investments by 2025. The fastest rate of spending increase, however, will come from media and financial trading businesses. AI investments for these markets are projected to grow 30 percent year over year. Automated claims processing and IT optimization will be growth areas, increasing 30 and 29.7 percent respectively every year until 2025.

"The greatest potential benefit for the use of AI remains its use in developing new business, and building new business models," Mike Glennon, senior research manager with IDC's Customer Insights & Analysis team said.

"However, existing businesses are hesitant to embrace this potential, leaving the greatest opportunities to new market entrants that have no fear of change and can adapt easily to new ways of conducting business. The future for business is AI and those companies that can seize this opportunity could easily become the new giants."

There are different levels of risk for different types of industries when adopting AI. In retail, for example, IDC reckons most funding will go towards "augmented customer service agents" and "expert shopping advisors and product recommendations", which will account for nearly 40 percent of AI spending in retail and more than 20 percent of the total funding in 2025. A separate report from Gartner said companies were set to spend $7bn on AI chatbots.

Before the latest AI boom, retailers were already using software to automate customer service and advertise products online. Switching over to a newer form of technology that's more efficient and effective isn't as risky compared to industries that never had those capabilities in place before.

Banking is similar in that respect. Online services like fraud analysis or threat intelligence are some of the areas that are expected to become increasingly powered by AI, and these capabilities were already previously handled by software.

The roll-out of AI in industries thus is increasing, though the tech is still considered high risk in healthcare and transportation.


AlmaLinux OS Foundation welcomes AMD to the fold – The Register

The AlmaLinux OS Foundation is pulling in new members from the world of mainframes, hosting and IT services to contribute to the project and deliver a community-supported Linux compatible with Red Hat Enterprise Linux (RHEL).

The non-profit organization that oversees AlmaLinux said four new entrants had arrived, with AMD, BlackHOST, and KnownHost joining at the Silver Member level, and Sine Nomine Associates joining the Gold tier.

The foundation expects the contributions from these new members to help bring AlmaLinux closer to full parity with RHEL.

AlmaLinux was started up last year in response to Red Hat's decision to effectively kill off the CentOS project it had operated up to that point and replace it with CentOS Stream, a kind of preview of what to expect in RHEL rather than a binary-compatible build.

"We founded the AlmaLinux OS Foundation for the specific goal of creating a CentOS successor that allowed those who had a stake in the future of the operating system to also have a voice," chair Benny Vasquez said in a statement welcoming the new members.

AMD said it is joining the AlmaLinux OS Foundation in order to sustain support for its products. The firm has seen growing adoption in the enterprise and high-performance computing (HPC) space for its Epyc processors, and so has an interest in ensuring that production-grade enterprise Linux distributions run smoothly on its processors.

Sine Nomine Associates is a custom engineering and development firm that provides consulting and support services to universities, plus government, banking, and finance sectors. The firm claims to have pioneered the virtual server farm concept using Linux on IBM mainframe systems.

KnownHost is a managed web hosting provider, and therefore has a stake in a free and open-source enterprise-grade Linux, as its COO Daniel Pearson explained in a statement.

"Web hosting runs on Linux and AlmaLinux provides a clean CentOS migration path and strong community engagement. By joining the AlmaLinux OS Foundation, we will continue to provide the best web hosting technology solutions for our customers," Pearson said.

BlackHOST offers a range of IT services for businesses and enthusiasts, but claims to specialize in unmetered networking hardware ranging from 1Gbps up to 100Gbps, utilizing datacenters and network points of presence around the world.

BlackHOST CTO Thomas Nuchatel said it has made AlmaLinux its default choice for clients seeking virtual private servers and dedicated servers.

"Linux is a key technology in web hosting and a range of other cloud infrastructure services, and AlmaLinux is the type of community-based distribution that provides value to our customers," he said.

The foundation said that AlmaLinux recently passed over 1 million Docker pulls, plus there is now a beta release for AlmaLinux 8.5 for PowerPC. And the foundation has its first Platinum sponsor, Codenotary, and claimed to have released AlmaLinux 8.5 within 48 hours of the latest Red Hat Enterprise Linux release.


Linux Mint Debian Edition 5 is here – The Register

The Linux Mint project has announced version 5 of its Debian edition, code-named Elsie.

Linux Mint is one of the longest-running and most polished distros downstream of Ubuntu, and really took off after Ubuntu switched to the controversial Unity desktop with 11.04. Around that time, Mint 12 retained a Windows-like look and feel that later evolved into the Cinnamon desktop.

This won it a lot of converts who didn't care for Ubuntu's more Mac-like look. Even though Ubuntu killed Unity and switched back to GNOME, it's GNOME 3, still very unlike Windows. Mint provides familiarity for the many people who feel more comfy with a taskbar, a start menu, and so on.

We looked at Mint 20 when it came out a couple of years ago, and last January, the latest 20.3 release, too, which includes a natively packaged version of Firefox, direct from Mozilla, instead of Ubuntu's Snap version. In fact it's notable that Mint eschews Ubuntu's Snap apps altogether. Instead, you get Red Hat-style Flatpaks.

Linux Mint Debian Edition (LMDE for short) is the other flavour of Mint. Instead of being based on the stable LTS version of Ubuntu, LMDE is directly based on Debian, which is largely Ubuntu's upstream. LMDE 5 is based on Debian 11, code-named Bullseye.

The thing is, though, it's hard to tell. LMDE uses the same Cinnamon desktop as its Ubuntu-based sibling. It has the latest native Firefox from Mozilla, rather than Debian's outdated ESR version that's tricky to update. It has Flatpak integrated as well, along with multimedia codecs and so on. It has the same tools as the default Ubuntu-based edition, for software updates, backup, and so on.

There are advantages to being close to a widely used desktop distro. For instance, sometimes desktop users need third-party drivers, such as for graphics cards or printers. Ubuntu has first-rate driver support. If you encounter issues, it's often easy to find Ubuntu-based solutions online, and they are very likely to work, at least so long as they don't depend on a specific desktop.

Debian is rather more polished than it used to be, as well. The old joke is that Ubuntu is an ancient word, meaning: "I can't configure Debian." (It doesn't, but it's a good gag.)

That jibe's not true any more. Contemporary Debian is relatively easy: you can readily add Flatpak support (or Snap if you prefer, or both) and install non-FOSS firmware and so on. Bullseye includes Cinnamon, too, albeit a slightly older version.

Even so, LMDE 5 does make it a smoother, easier process, and it looks good, too. If you want to run Debian on a desktop or laptop, you don't mind (or even actively need) non-FOSS codecs or firmware, and you're not a Debian guru, then Elsie is a solid choice.

The positions of the Mint project and Ubuntu seem to be diverging. Ubuntu officially favors GNOME 3, while Mint has built its own next-gen desktop. Ubuntu favors its own Snaps, whereas Mint favors Flatpak. Ubuntu is packaging fast-changing apps such as Firefox as Snaps, whereas Mint favors natively packaged browsers. And Mint, as ever, includes non-FOSS freeware such as codecs and apps such as Spotify in its repos.

Other Ubuntu-based distros have switched upstream and moved to Debian in the past, such as the late Crunchbang Linux. Up to version 9, it used Ubuntu; 10 and onward used Debian, as do its continuing derivatives BunsenLabs and Crunchbang++. We wouldn't be surprised to see a future version of Mint sideline its Ubuntu-derived edition in favor of the Debian edition, or even discontinue it altogether.


MATLAB expands to reach self-driving, wireless biz – The Register

MathWorks, maker of the long-standing MATLAB suite, is focusing its latest software updates on reaching beyond its traditional scientific base and eyeing up autonomous vehicle developers, makers of devices with wireless communications, and others.

MATLAB and Simulink R2022a has "hundreds of new and updated features and functions, five new products, and 11 major updates," MathWorks said. The news here isn't just about all that stuff. It's also about what MathWorks is trying to do: chase more markets.

MATLAB and Simulink have been mainstays in academic and engineering environments, and the wheelhouse in which those products operate is an aging one. There's no shortage of modeling and simulation software waiting to knock MathWorks from its throne. To that end, this is an update full of features designed in hope of keeping MATLAB and Simulink relevant.

Latest-and-next-generation technologies feature heavily in the five products being added to the MATLAB and Simulink world, such as industrial communication, self-driving vehicles, and wireless technology.

MathWorks' RoadRunner Scenario is an autonomous driving simulator that lets users "place vehicles and paths, define logic and parameterize scenarios, then simulate the scenarios in the editor" using vehicles imported from custom designs or pre-populated ones. RoadRunner also has an API that lets users automate the creation of different scenarios and the testing process.

The Wireless Testbench contains reference applications designed to run on off-the-shelf software-defined radio hardware, with applications including data transmission and capturing, spectrum monitoring, and signal analysis.

An Industrial Communication Toolbox has been added that will allow MATLAB and Simulink users to access live and historic industrial data, as well as read, write and log OPC UA data from distributed control systems, PLCs and other industrial hardware.

Also added was a DSP HDL Toolbox for designing digital signal processing apps for FPGAs, ASICs, and SoCs, and a Bluetooth Toolbox for simulating and testing systems using the radio standard.

Several of the "major updates" MathWorks alluded to add what could be seen as essential functions, and are therefore worth a mention.

The MATLAB Compiler SDK is now able to publish MATLAB functions as Docker container microservices, and the Production Server can now map custom request URLs to already-deployed MATLAB functions, as well as serve static content and customize request headers.

Polyspace Access can now identify coding defects, review analysis results and monitor software quality metrics, which are sure to be welcomed capabilities of a code analysis product. And the Simulink Real-Time development computer now has Linux support, and the Signal Processing Toolbox can now pre-process, extract features, and label signals in AI workflows.

For a full rundown of what's changed check out the full R2022a patch notes.
