Technology

Oracle’s 2023 per-employee pricing for standard Java is raising concerns about its potential impact on Java licensing costs for customers. The pricing is based on total employee counts, not the number of employees using Java.

Published January 23, Oracle’s price list covers the new Java SE Universal Subscription program. The pricing starts at $15 per employee per month for as many as 999 employees, and drops as low as $5.25 per employee per month for 40,000 to 49,999 users. Oracle cited an example in which a company with a total employee count of 28,000, including full-time and part-time employees and agents, consultants, and contractors, would be charged $2.268 million per year.

To read this article in full, please click here

Microsoft published a beta release of TypeScript 5.0, the company’s strongly typed JavaScript variant, on January 26. The new release aims to modernize decorators for class customization.

Decorators, an upcoming ECMAScript feature, allow for customizing classes and their members in a reusable way, Microsoft noted in a blog post announcing the release. Decorators can be used on methods, properties, getters, setters, and auto-accessors. Classes can be decorated for subclassing and registration. While TypeScript previously supported experimental decorators, these were modeled on a much older version of the decorators proposal.

To read this article in full, please click here

The new release of Steampipe is all about relationship graphs. Our blog post shows how these graphs provide contextual awareness for devops and security pros who can now see all the resources related to an EC2 instance, or determine at a glance whether the permissions related to an IAM role are properly scoped. As always, developers can explore and remix the code that builds these graphs, and adapt the idioms for their own purposes in any data domain.

These relationship graphs are driven by SQL queries that define nodes and edges. Such queries can use any column of any table provided by any Steampipe plugin to form nodes, and then edges between nodes. If you want to see connections among the people and objects represented by diverse APIs, you can now use SQL idioms to graph them. The only limit is your imagination.

To read this article in full, please click here

A recent study by Gartner predicts that by 2025 more than 95% of application workloads will exist on cloud-native platforms (up from 30% in 2021). I tend not to believe these kinds of predictions because adoption is never linear. We run out of applications that are easy to convert to new development approaches (in this case, cloud native) and thus adoption slows down or ceases much earlier than most understand.

If you’re still a bit confused by what the heck “cloud native” means, you’re not alone. Here’s my best explanation: 

To read this article in full, please click here

Google has released Flutter 3.7, an update to the company’s open source, cross-platform development framework that adds custom menu bar support and previews a new rendering engine for iOS apps. The company also unveiled an alpha preview of Dart 3, a new version of the programming language used with Flutter.

Flutter 3.7 can be used to build menu bars and cascading context menus. Developers can design a Material Design menu providing cascading menu bars or standalone cascading menus triggered by another user interface element. These menus are customizable and menu items can be custom widgets, or developers can use new menu item widgets including MenuItemButton and SubmenuButton.

To read this article in full, please click here

Canonical’s Ubuntu Pro, a Linux security maintenance subscription service covering thousands of applications and toolchains in the open-source ecosystem, is generally available as of January 26.

Released in beta in October, Ubuntu Pro helps users of Linux desktops and servers get CVE (common vulnerabilities and exposures) patches, harden their systems at scale, and stay compliant with standards such as FedRAMP, HIPPA, PCI-DSS. Ubuntu Pro covers an additional 23,000 packages beyond the main OS, providing protection against critical, high, and selected medium CVEs for applications and toolchains ranging from Ansible and Apache Tomcat to Node.js, Puppet, PowerDNS, Redis, Rust, and WordPress.

To read this article in full, please click here

Far more than a trendy buzzword in the business world today, data science is redefining how companies interact with their customers.

No matter the sector or industry—retail, insurance, manufacturing, banking, travel—every large enterprise has its own way of dealing with data science. They have to. Data is everywhere. It’s the new gold, and mining that data is critical to the success or failure of any business.

Data gives access to the kind of information that separates competitors. Data-driven companies provide better service to their customers and make better decisions—all because those decisions are backed by data.

Data science is the next evolution in the business world, and those that fail to adapt to this new reality will cease to exist. The alternative is extinction.

To read this article in full, please click here

Artificial neural networks are a form of deep learning and one of the pillars of modern-day AI. The best way to really get a grip on how these things work is to build one. This article will be a hands-on introduction to building and training a neural network in Java.

See my previous article, Styles of machine learning: Intro to neural networks for an overview of how artificial neural networks operate. Our example for this article is by no means a production-grade system; instead, it shows all the main components in a demo that is designed to be easy to understand.

To read this article in full, please click here

On Dec. 23, 2022, KrebsOnSecurity alerted big-three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

The tip about the Experian weakness came from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to cybercrime.

Normally, Experian’s website will ask a series of multiple-choice questions about one’s financial history, as a way of validating the identity of the person requesting the credit report. But Kushnir said the crooks learned they could bypass those questions and trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

When I tested Kushnir’s instructions on my own identity at Experian, I found I was able to see my report even though Experian’s website told me it didn’t have enough information to validate my identity. A security researcher friend who tested it at Experian found she also could bypass Experian’s four or five multiple-choice security questions and go straight to her full credit report at Experian.

Experian acknowledged receipt of my Dec. 23 report four days later on Dec. 27, a day after Kushnir’s method stopped working on Experian’s website (the exploit worked as long as you came to Experian’s website via annualcreditreport.com — the site mandated to provide a free copy of your credit report from each of the major bureaus once a year).

Experian never did respond to official requests for comment on that story. But earlier this week, I received an otherwise unhelpful letter via snail mail from Experian (see image above), which stated that the weakness we reported persisted between Nov. 9, 2022 and Dec. 26, 2022.

“During this time period, we experienced an isolated technical issue where a security feature may not have functioned,” Experian explained.

It’s not entirely clear whether Experian sent me this paper notice because they legally had to, or if they felt I deserved a response in writing and thought maybe they’d kill two birds with one stone. But it’s pretty crazy that it took them a full month to notify me about the potential impact of a security failure that I notified them about.

It’s also a little nuts that Experian didn’t simply include a copy of my current credit report along with this letter, which is confusingly worded and reads like they suspect someone other than me may have been granted access to my credit report without any kind of screening or authorization.

After all, if I hadn’t authorized the request for my credit file that apparently prompted this letter (I had), that would mean the thieves already had my report. Shouldn’t I be granted the same visibility into my own credit file as them?

Instead, their woefully inadequate letter once again puts the onus on me to wait endlessly on hold for an Experian representative over the phone, or sign up for a free year’s worth of Experian monitoring my credit report.

As it stands, using Kushnir’s exploit was the only time I’ve ever been able to get Experian’s website to cough up a copy of my credit report. To make matters worse, a majority of the information in that credit report is not mine. So I’ve got that to look forward to.

If there is a silver lining here, I suppose that if I were Experian, I probably wouldn’t want to show Brian Krebs his credit file either. Because it’s clear this company has no idea who I really am. And in a weird, kind of sad way I guess, that makes me happy.

For thoughts on what you can do to minimize your victimization by and overall worth to the credit bureaus, see this section of the most recent Experian story.

Many young developers today do not remember the time of the shedding and cold rocks, let alone the dotcom bomb (or its associated fansite). Before each of these collapses, the fat times felt like they would never end. But fat times always give way to lean times and layoffs. Even if you are in a stable position, it is wise to prepare for the unexpected.

Companies started enticing employees with free drinks just before the 2000 dotcom bomb. Silicon Valley started serving employees free food before the 2008 recession. Granted, free food and drinks are enticements to stay in the office, but in lean times… there are layoffs. These perks go away, or you’re encouraged not to use them.

To read this article in full, please click here

In Lists and people on Mastodon I showed how I added a list column to the following tab of the Mastodon browser I’m building. That was a step in the direction of easier and more powerful list management. It enables me to see whether the people I follow are assigned to lists, and to consider who should be on a list (or perhaps on a different list).

Today, as I began to use that new affordance in earnest, I discovered a new challenge. In order to assign someone to a list, or change a list assignment, I clicked the link in the account_url column to open that person’s profile in the Mastodon web app. That was fine for accounts on my home server, mastodon.social. An account URL like Shelley Powers’ https://mastodon.social/@burningbird brings me to Shelley’s profile on my home server where the list manager is available.

To read this article in full, please click here

• Picture of the Week.
• PayPal Credential Stuffing.
• iOS 16.3 : Cloud encryption for all.
• InfoSecurity Magazine: "ChatGPT Creates Polymorphic Malware".
• CheckPoint Research: OPWNAI : Cybercriminals Starting to Use ChatGPT.
• "Meta" fined for the third time.
• Bitwarden acquires "Passwordless.dev".
• Closing the Loop.
• SpinRite.
• Credential Reuse.

Show Notes: https://www.grc.com/sn/SN-907-Notes.pdf
 

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

• GO.ACILEARNING.COM/TWIT
• expressvpn.com/securitynow
• drata.com/twit

While passing objects as arguments is a standard and familiar way to invoke methods, providing methods as arguments to other methods is less so. Nonetheless, we often must pass a method as a parameter to another method when working with event handling in C#. We do this using delegates.

I provided an overview of delegates in an earlier article here. In this article, we’ll examine how we can work with Action, Func, and Predicate delegates in C#. To work with the code examples provided in this article, you should have Visual Studio 2022 installed in your system. If you don’t already have a copy, you can download Visual Studio 2022 here.

To read this article in full, please click here

Google’s Optimize and Optimize 360 website testing and analytics tools will no longer be available after September 30, 2023. Customers’ personalizations and experiments on Optimize and Optimize 360 can continue to run until September 30, but any still active on that date will end, the company said.

In a bulletin published January 20, Google said it remains committed to enabling businesses of all sizes to improve user experiences and is investing in A/B testing in Google Analytics 4. Introduced July 31, 2019, Google Analytics 4 is an analytics service for measuring engagement and traffic across websites.

To read this article in full, please click here

Everything in Python is an object, or so the saying goes. If you want to create your own custom objects, with their own properties and methods, you use Python’s class object to make that happen. But creating classes in Python sometimes means writing loads of repetitive, boilerplate code to set up the class instance from the parameters passed to it or to create common functions like comparison operators.

Dataclasses, introduced in Python 3.7 (and backported to Python 3.6), provide a handy, less verbose way to create classes. Many of the common things you do in a class, like instantiating properties from the arguments passed to the class, can be reduced to a few basic instructions.

To read this article in full, please click here

Denis Emelyantsev, a 36-year-old Russian man accused of running a massive botnet called RSOCKS that stitched malware into millions of devices worldwide, pleaded guilty to two counts of computer crime violations in a California courtroom this week. The plea comes just months after Emelyantsev was extradited from Bulgaria, where he told investigators, “America is looking for me because I have enormous information and they need it.”

A copy of the passport for Denis Emelyantsev, a.k.a. Denis Kloster, as posted to his Vkontakte page in 2019.

First advertised in the cybercrime underground in 2014, RSOCKS was the web-based storefront for hacked computers that were sold as “proxies” to cybercriminals looking for ways to route their Web traffic through someone else’s device.

Customers could pay to rent access to a pool of proxies for a specified period, with costs ranging from $30 per day for access to 2,000 proxies, to $200 daily for up to 90,000 proxies.

Many of the infected systems were Internet of Things (IoT) devices, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers. Later in its existence, the RSOCKS botnet expanded into compromising Android devices and conventional computers.

In June 2022, authorities in the United States, Germany, the Netherlands and the United Kingdom announced a joint operation to dismantle the RSOCKS botnet. But that action did not name any defendants.

Inspired by that takedown, KrebsOnSecurity followed clues from the RSOCKS botnet master’s identity on the cybercrime forums to Emelyantsev’s personal blog, where he went by the name Denis Kloster. The blog featured musings on the challenges of running a company that sells “security and anonymity services to customers around the world,” and even included a group photo of RSOCKS employees.

“Thanks to you, we are now developing in the field of information security and anonymity!,” Kloster’s blog enthused. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

But by the time that investigation was published, Emelyantsev had already been captured by Bulgarian authorities responding to an American arrest warrant. At his extradition hearing, Emelyantsev claimed he would prove his innocence in an U.S. courtroom.

“I have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges,” Emelyantsev told the Bulgarian court. “I am not a criminal and I will prove it in an American court.”

RSOCKS, circa 2016. At that time, RSOCKS was advertising more than 80,000 proxies. Image: archive.org.

Emelyantsev was far more than just an administrator of a large botnet. Behind the facade of his Internet advertising company based in Omsk, Russia, the RSOCKS botmaster was a major player in the Russian email spam industry for more than a decade.

Some of the top Russian cybercrime forums have been hacked over the years, and leaked private messages from those forums show the RSOCKS administrator claimed ownership of the RUSdot spam forum. RUSdot is the successor forum to Spamdot, a far more secretive and restricted community where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the forum imploded in 2010.

A Google-translated version of the Rusdot spam forum.

Indeed, the very first mentions of RSOCKS on any Russian-language cybercrime forums refer to the service by its full name as the “RUSdot Socks Server.”

Email spam — and in particular malicious email sent via compromised computers — is still one of the biggest sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as administrator of Russia’s most well-known forum for spammers, Emelyantsev probably knows quite a bit about other top players in the botnet spam and malware community.

It remains unclear whether Emelyantsev made good on his promise to spill that knowledge to American investigators as part of his plea deal. The case is being prosecuted by the U.S. Attorney’s Office for the Southern District of California, which has not responded to a request for comment.

Emelyantsev pleaded guilty on Monday to two counts, including damage to protected computers and conspiracy to damage protected computers. He faces a maximum of 20 years in prison, and is currently scheduled to be sentenced on April 27, 2023.

As I mentioned a few times in this blog, I’ve been working with and teaching about artificial intelligence since the start of my career. This drove much of my interest in cloud computing because AI was not economically viable or accessible until “the cloud” came along.

Interest in AI and its applications inflected about five years ago. Then the pandemic happened and some budgets shifted to speedy cloud migrations. Now that things are returning to normal, AI is back. Most enterprises grasp the fundamental possibilities of AI and are looking to weaponize the technology for their own business.

The technology got way more impressive along the way. Generative AI, for example, went from PhD dissertations to an accessible and free reality with the advent of generative AI services such as ChatGPT.

To read this article in full, please click here

When you hear leaders talk about the power of great cultures, you often hear talk of communication, integrity, and openness, and these are all important dimensions. Of course, there are as many definitions of healthy cultures as there are opinions about Kubernetes.

Even though we can’t define them precisely, we all want great cultures. 

So when we hire CTOs, we put all the important things we want into the job post. Things like “technically skilled, hires well, ships software.” You rarely find anything about culture in the job post, and that’s disappointing.

Because it turns out that if you don’t have a great culture, you can’t ship software on time with high quality. At least not predictably. And predictable engineering output is essential to a healthy business. Predictability is, surprisingly, something that comes from a great culture. 

To read this article in full, please click here

Developers now can build Rust applications in the CodeSandbox cloud development platform.

Newly added Rust support in CodeSandbox allows developers to spin up a Rust development environment within two seconds, the company announced on January 18. A Rust starter template helps developers kickstart their projects.

CodeSandbox is positioned as an environment for anyone to code, collaborate, and produce projects of any size from any device, quickly. Every sandbox has a public URL that can be shared. Sandboxes that get too large can be exported to GitHub, with developers able to commit to GitHub while using CodeSandbox.

To read this article in full, please click here

The developers of Google’s V8 JavaScript/WebAssembly engine have introduced the JavaScript Promise Integration (JSPI) API, allowing WebAssembly applications that assume access to external functionality is synchronous to smoothly function in asynchronous environments.

Currently in an experimental stage, JSPI should not be used in production applications yet, the developers said. Eventually, it will become a standard, for implementation across major browsers, they said.

Introduced in a V8 blog post on January 19, JSPI bridges synchronous WebAssembly applications and asynchronous web APIs. This is done by suspending the application when it issues a synchronous API call and resuming when the asynchronous I/O operation is concluded. And JSPI does this with very few changes to the application itself.

To read this article in full, please click here