Technology

WebAssembly runtime maker Wasmer has unveiled py2wasm, a Python-to-WebAssembly compiler that transforms Python programs to the WebAssembly (aka Wasm) binary instruction format.

Using a fork of the Nuitka Python compiler, py2wasm converts Python programs to Wasm, allowing them to run without interpreter overhead. Introduced April 18, py2wasm addresses a situation in which the performance of Python programs in WebAssembly has been less than ideal, Wasmer founder and CEO Syrus Akbary wrote in a blog post. Akbary said that py2wasm gets about 70% of native Python speed, and is about 2.5x to 3x faster than the Python interpreter.

To read this article in full, please click here

Generative AI entered the global consciousness with a bang at the close of 2022 (cue: ChatGPT), but making it work in the enterprise has amounted to little more than a series of stumbles. Shadow AI use in the enterprise is sky high as employees are making day-to-day task companions out of AI chat tools. But for the knowledge-intensive workflows that are core to an organization’s mission, generative AI has yet to deliver on its lofty promise to transform the way we work.

To read this article in full, please click here

WebAssembly was originally designed to give in-browser web applications a way to run portable, sandboxed, high-performance binaries. As WASM matures beyond the browser, new uses for the technology are emerging. Using WASM to build programmability and extensibility into applications is one use case that is gathering steam.

The Extism software library lets you write programs that can interface with extensions written in WebAssembly. Extism handles the data and function-calling interface between code written in your host application and the WASM extensions. This lets you focus on writing the functionality in your application and extensions, rather than dealing manually with WASM's data types or calling conventions.

To read this article in full, please click here

Promises are a central mechanism for handling asynchronous code in JavaScript. You will find them in many JavaScript libraries and frameworks, where they're used to manage the results of an action. The fetch() API is one example of promises at work. As a developer, you might not be familiar with creating and using promises outside of an existing product, but it's surprisingly simple. Learning how to create promises will help you understand how libraries use them. It also puts a powerful asynchronous programming mechanism at your disposal.

In the following example, we're using a Promise to handle the results of a network operation. Instead of making a network call, we just use a timeout:

To read this article in full, please click here

• What do you call "Stuxnet on steroids"??
• Voyager 1 update
• Android 15 to quarantine apps
• Thunderbird & Microsoft Exchange
• China bans Western encrypted messaging apps
• Gentoo says "no" to AI
• Cars collecting diving data
• Freezing your credit
• Investopedia
• Computer Science Abstractions
• Lazy People vs. Secure Systems
• Actalis issues free S/MIME certificates
• PIN Encryption
• DRAM and GhostRace
• AT&T Phishing Scam
• Race Conditions and Multi-core processors
• An Alternative to the Current Credit System
• SpinRite Updates
• Chat (out of) Control

Show Notes - https://www.grc.com/sn/SN-971-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

• canary.tools/twit - use code: TWIT
• lookout.com
• kolide.com/securitynow
• zscaler.com/zerotrustAI

Oracle has released JDK Mission Control (JMC) 9, an update to the tool kit for monitoring, managing, profiling, and troubleshooting Java applications that adds a dark theme and makes the frequency of JVM checks configurable.

The most significant change is that JMC now must use JDK 17 or later to run.

JMC 9 was unveiled on April 21. Binaries can be downloaded from oracle.com. While JMC 9 requires JDK 17 or later, it still can read Java Flight Recorder (JFR) recordings from JDK 7u40 or later. JMC and the JFR profiling and event collection framework together offer a tool chain to collect runtime information for after-the-fact analysis.

To read this article in full, please click here

Microsoft has introduced a new family of small language models (SLMs) as part of its plan to make lightweight yet high-performing generative artificial intelligence technology available across more platforms, including mobile devices.

The company unveiled the Phi-3 platform in three models: the 3.8-billion-parameter Phi-3 Mini, the 7-billion-parameter Phi-3 Small, and the 14-billion-parameter Phi-3 Medium. The models comprise the next iteration of Microsoft’s SLM product line that began with the release of Phi-1 and then Phi-2 in rapid succession last December.

To read this article in full, please click here

Microsoft has introduced a new family of small language models (SLMs) as part of its plan to make lightweight yet high-performing generative artificial intelligence technology available across more platforms, including mobile devices.

The company unveiled the Phi-3 platform in three models: the 3.8-billion-parameter Phi-3 Mini, the 7-billion-parameter Phi-3 Small, and the 14-billion-parameter Phi-3 Medium. The models comprise the next iteration of Microsoft’s SLM product line that began with the release of Phi-1 and then Phi-2 in rapid succession last December.

To read this article in full, please click here

The readability, maintainability, and usability of switch statements and expressions in Java would be improved by a proposal to allow exceptions to be handled in the switch block.

The current OpenJDK proposal, “Exception handling in switch (Preview),” would be part of the Standard Edition of Java, although no specific version Java SE has been designated yet as the recipient. Specifically, the proposal calls for enhancing switch so that exceptions thrown by the selector (the e in switch (e) …) can be handled in the switch block.

Goals of the plan, which was created January 12 and updated April 19, include improving readability and maintainability by allowing switch to concisely handle all possible outcomes of evaluating the selector, and streamlining the use of APIs that throw checked exceptions, when used by the selector of a switch statement or expression.

To read this article in full, please click here

Amazon Web Services (AWS) is moving some features of its generative AI application-building service, Amazon Bedrock, to general availability, the company said on Tuesday.

These features include guardrails for AI, a model evaluation tool, and new large language models (LLMs).

To read this article in full, please click here

As I’ve been saying for the past year or so, cloud conferences have become generative AI conferences, as have data center conferences, databases conferences, and you name it. It’s clearly more than just a trend—it’s a game-changing push. But we’ve seen this happen enough times in the past 30 years to know nothing is guaranteed to be a true trend. Remember “push technology?” Exactly.

As enterprises rush headlong into generative AI, selecting an appropriate infrastructure is critical for optimal performance and cost-effectiveness. Comparing cloud computing and traditional on-premises solutions reveals some interesting things when cloud platforms host generative AI applications. These weaknesses may mean public cloud computing platforms are not a slam dunk when it comes to the best place for generative AI systems to live. Let’s explore this.

To read this article in full, please click here

The exponential growth of data, and in particular unstructured data, is a problem enterprises have been wrestling with for decades. IT organizations are in a constant battle between ensuring that data is accessible to users, one the one hand, and that the data is globally protected and in compliance with data governance policies, on the other. Added to this is the need to ensure that files are stored in the most cost-effective manner possible, on whichever storage is best at that point in time.

The problem is there is no such thing as a one-size-fits-all storage platform that can serve as the shared repository for all of an organization’s data, especially across multiple locations. Instead, there are myriad storage choices available from as many vendors, each of which is best suited for a particular performance requirement, access protocol, and cost profile for each phase of the data’s life cycle. Users and applications simply want reliable, persistent access to their files. But data policies inevitably require files to move to different storage platforms or locations over time. This creates additional cost and complexity for IT and disrupts user workflows. 

To read this article in full, please click here

Okay, so I’m just going to go ahead and say it:

It is impossible to accurately estimate a software project of any significance.

Now, a non-trivial number of you are going to read that sentence and think I’m nuts.  And maybe I am. But someone has to just say what we all know to be true but don’t want to admit.

Look, there have been countless books written, innumerable conferences held, untold consulting hours purchased, and endless blog posts written on how to be better at estimating software projects. I get it. We all work earnestly to give our best effort in an attempt to placate hungry bosses who want to know when a new feature will be ready. We all set deadlines based on a conference date and not when the software will actually be ready.

To read this article in full, please click here

The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, which sold millions of stolen payment cards at flashy online shops like Trump’s Dumps.

A now-defunct carding shop that sold stolen credit cards and invoked 45’s likeness and name.

As reported by The Record, a Russian court last week sentenced former FSB officer Grigory Tsaregorodtsev for taking a $1.7 million bribe from a cybercriminal group that was seeking a “roof,” a well-placed, corrupt law enforcement official who could be counted on to both disregard their illegal hacking activities and run interference with authorities in the event of their arrest.

Tsaregorodtsev was head of the counterintelligence department for a division of the FSB based in Perm, Russia. In February 2022, Russian authorities arrested six men in the Perm region accused of selling stolen payment card data. They also seized multiple carding shops run by the gang, including Ferum Shop, Sky-Fraud, and Trump’s Dumps, a popular fraud store that invoked the 45th president’s likeness and promised to “make credit card fraud great again.”

All of the domains seized in that raid were registered by an IT consulting company in Perm called Get-net LLC, which was owned in part by Artem Zaitsev — one of the six men arrested. Zaitsev reportedly was a well-known programmer whose company supplied services and leasing to the local FSB field office.

The message for Trump’s Dumps users left behind by Russian authorities that seized the domain in 2022.

Russian news sites report that Internal Affairs officials with the FSB grew suspicious when Tsaregorodtsev became a little too interested in the case following the hacking group’s arrests. The former FSB agent had reportedly assured the hackers he could have their case transferred and that they would soon be free.

But when that promised freedom didn’t materialize, four the of the defendants pulled the walls down on the scheme and brought down their own roof. The FSB arrested Tsaregorodtsev, and seized $154,000 in cash, 100 gold bars, real estate and expensive cars.

At Tsaregorodtsev’s trial, his lawyers argued that their client wasn’t guilty of bribery per se, but that he did admit to fraud because he was ultimately unable to fully perform the services for which he’d been hired.

The Russian news outlet Kommersant reports that all four of those who cooperated were released with probation or correctional labor. Zaitsev received a sentence of 3.5 years in prison, and defendant Alexander Kovalev got four years.

In 2017, KrebsOnSecurity profiled Trump’s Dumps, and found the contact address listed on the site was tied to an email address used to register more than a dozen domains that were made to look like legitimate Javascript calls many e-commerce sites routinely make to process transactions — such as “js-link[dot]su,” “js-stat[dot]su,” and “js-mod[dot]su.”

Searching on those malicious domains revealed a 2016 report from RiskIQ, which shows the domains featured prominently in a series of hacking campaigns against e-commerce websites. According to RiskIQ, the attacks targeted online stores running outdated and unpatched versions of shopping cart software from Magento, Powerfront and OpenCart.

Those shopping cart flaws allowed the crooks to install “web skimmers,” malicious Javascript used to steal credit card details and other information from payment forms on the checkout pages of vulnerable e-commerce sites. The stolen customer payment card details were then sold on sites like Trump’s Dumps and Sky-Fraud.

If you follow open source topics on X/Twitter, you can be forgiven for believing the biggest issue in open source today is companies relicensing their open source code under different licenses. Thierry Carrez, the vice chairperson of the OSI, for example, recently issued a dire warning: “single vendor is the new proprietary.” Sounds terrible, right? I mean, once you forget that the vast majority of software that you and I use every day on our phones, laptops, servers, etc., is proprietary. (Yes, with plenty of open source buried inside and effectively “relicensed.”)

To read this article in full, please click here

Some developers and business leaders believe that low-code is only for small, lightly used applications such as replacing spreadsheets and building dashboards. “These tools, in general, aren’t well suited to more advanced applications,” says Steve Jones, devops advocate at  Red Gate Software. With heavier use and more complex data manipulation requirements, he says, “they often start to fail and cause workload and performance issues.”

I've used low-code and no-code platforms for over two decades and have written extensively about them, including articles on how generative AI is changing low-code, using low-code to accelerate application modernization, and how no-code drives innovation. I've also discussed the eight signs your low-code platform is overpromising and underdelivering on business needs.

To read this article in full, please click here

• Cops can force suspect to unlock phone with thumbprint, US court rules
• TikTok 'ban' passes in the House again
• Senate reauthorizes FISA spy program, but not before its midnight expiration
• Surveillance Law Section 702 Keeps Us Safe
• Netflix (NFLX) earnings Q1 2024
• Americans' New TV Habit: Subscribe. Watch. Cancel. Repeat.
• How One Author Pushed the Limits of AI Copyright
• Amazon Prime Memberships in US Gain 8% to New High After Lull
• Tesla recalls all 3,878 Cybertrucks over faulty accelerator pedal
• Tesla asks shareholders to approve Elon Musk's nixed $56 billion pay plan
• Cool or creepy? Microsoft's VASA-1 is a new AI model that turns photos into 'talking faces'
• GPT-4 can exploit real vulnerabilities by reading advisories
• Boston Dynamics' Atlas humanoid robot goes electric
• Schools Want to Ban Phones. Parents Say No.

Host: Leo Laporte

Guests: Jason Howell, Abrar Al-Heeti, and Mikah Sargent

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

Sponsors:

• eufy.com
• IntouchCX.com/twit
• canary.tools/twit - use code: TWIT
• lookout.com
• zscaler.com/zerotrustAI

Google has released the first beta of the Android 15 mobile OS for developers and early adopters. This version of the Android operating system emphasizes productivity, user privacy and security, and making apps more widely visible and accessible.

The beta was released on April 11 and a final release is expected sometime in August. Apps targeting Android 15 are displayed edge-to-edge by default, so they no longer need to explicitly call Window.setDecorFitsSystemWindows (false) or enableEdgetoEdge to show content behind system bars. Android builders recommend still calling enableEdgetoEdge() to get the edge-to-edge experience on earlier Android operating systems.

To read this article in full, please click here

Facebook, Instagram, and WhatsApp parent Meta has released a new generation of its open source Llama large language model (LLM) in order to garner a bigger pie of the generative AI market by taking on all model providers, including OpenAI, Mistral, Anthropic, and Elon Musk’s xAI.

“This next generation of Llama demonstrates state-of-the-art performance on a wide range of industry benchmarks and offers new capabilities, including improved reasoning. We believe these are the best open source models of their class, period,” the company wrote in a blog post, adding that it had set out to build an open source model(s) that is at par with the best performing proprietary models available in the market.

To read this article in full, please click here

Amazon Web Services (AWS) has slowly and silently phased out its Snowmobile service—an offering launched at its annual AWS re:Invent conference in 2016 to help enterprises move data from their on-premises servers to the cloud provider’s data centers to accelerate their migration to the public cloud.

The Snowmobile service, essentially an eighteen-wheel truck and trailer or “big rig” with 100 petabyte data storage and network connectivity, was commissioned by AWS then-CEO Andy Jassy (now CEO of Amazon) to help enterprises who wanted to transfer vast amounts of data, measured in the petabytes or exabytes.

To read this article in full, please click here