Google has released the first beta of the Android 15 mobile OS for developers and early adopters. This version of the Android operating system emphasizes productivity, user privacy and security, and making apps more widely visible and accessible.
The beta was released on April 11 and a final release is expected sometime in August. Apps targeting Android 15 are displayed edge-to-edge by default, so they no longer need to explicitly call Window.setDecorFitsSystemWindows(false) or enableEdgeToEdge() to show content behind system bars. Android builders recommend still calling enableEdgeToEdge() to get the edge-to-edge experience on earlier Android operating systems.
Facebook, Instagram, and WhatsApp parent Meta has released a new generation of its open source Llama large language model (LLM) in order to capture a bigger slice of the generative AI market by taking on all model providers, including OpenAI, Mistral, Anthropic, and Elon Musk’s xAI.
“This next generation of Llama demonstrates state-of-the-art performance on a wide range of industry benchmarks and offers new capabilities, including improved reasoning. We believe these are the best open source models of their class, period,” the company wrote in a blog post, adding that it had set out to build open source models that are on par with the best-performing proprietary models available in the market.
Amazon Web Services (AWS) has slowly and silently phased out its Snowmobile service—an offering launched at its annual AWS re:Invent conference in 2016 to help enterprises move data from their on-premises servers to the cloud provider’s data centers to accelerate their migration to the public cloud.
The Snowmobile service, essentially an eighteen-wheel truck and trailer or “big rig” with 100 petabyte data storage and network connectivity, was commissioned by AWS then-CEO Andy Jassy (now CEO of Amazon) to help enterprises who wanted to transfer vast amounts of data, measured in the petabytes or exabytes.
Java would be enhanced with the ability to succinctly import all packages exported by a module, under a proposal floating in the Java community. The plan would simplify the use of modular libraries in Java.
The preview language feature for Java SE (Standard Edition), called Module Import Declarations, has been filed as a JDK Enhancement Proposal (JEP) in the OpenJDK community.
Goals of the plan include simplifying the reuse of modular libraries by allowing entire modules to be imported at once, avoiding the noise of multiple type-import-on-demand declarations when using diverse parts of the API exported by a module, and allowing beginners to more easily use third-party libraries and fundamental Java classes without having to learn where they are located in a package hierarchy, the proposal states.
ASP.NET Core offers a simplified hosting model, called minimal APIs, that allows us to build lightweight APIs with minimal dependencies. Ideal for building fast and simple services, minimal APIs were initially introduced in ASP.NET Core 6 to strip away the complexity of traditional APIs and make it easier to build microservices.
The goal of this post is to explore the new features for building minimal APIs introduced in ASP.NET Core 8. To use the code examples provided in this article, you should have Visual Studio 2022 installed in your system. If you don’t already have a copy, you can download Visual Studio 2022 here.
Asia/Pacific companies are struggling with wasteful cloud spending, according to a commissioned study conducted by Forrester Consulting. The study found that cloud cost management initiatives and tools are being introduced too late and without a full picture of their environment to be very effective.
The study, paid for by IPaaS provider Boomi, found that 87% had exceeded their set cloud budgets over the past two years and that 69% foresee exceeding their cloud budgets during the current fiscal year. In other words, we’ve spent too much money on the cloud and will continue to spend too much. I can’t imagine that going over well in the executive meetings, having sat through a few of those.
Building applications at scale is nothing compared to building an operating system like Windows, especially when it comes to source code control. How do you manage the repository (or repositories) for such a software behemoth, with thousands of developers and testers, and with a complex build pipeline that’s continuously delivering fresh code?
Microsoft’s history with internal source control systems is convoluted. You might think it used the now discontinued Visual SourceSafe, but that was most appropriate for local file systems and smaller projects. Instead, Microsoft used many different tools over the years, initially an internal fork of the familiar Unix Revision Control System, before standardizing on Perforce Source Depot.
Code commonly flows downstream, from an open-source project into an organization’s own products. Upstreaming is the process of reversing that flow—contributing code back to an open-source project. The value proposition of upstreaming includes harnessing the strength of an open-source community to examine code, find and fix problems, and add their own features that make the code more valuable to everyone using it.
As someone who has been deeply involved with open-source projects for many years—I’ve committed code to the open source FreeBSD operating system project for over a decade now, served on that project’s core team for two terms, contributed to open source ZFS, and co-written two books about ZFS—I’ve seen countless organizations meet the challenges and reap the substantial benefits of upstreaming. In short, contributed code that becomes part of a mainline open-source project receives shared maintenance, active development, and extension, with other members across the community often adding value that goes well beyond the initial contribution.
Java services are the most impacted by third-party vulnerabilities, according to the “State of DevSecOps 2024” report just released by cloud security provider Datadog.
Released on April 17, the report found that 90% of Java services were susceptible to one or more critical or high-severity vulnerabilities introduced by a third-party library. The average for other languages was 47%.
Datadog’s report analyzed tens of thousands of applications and container images and thousands of cloud environments to assess application security. Following Java in the vulnerabilities assessment were JavaScript, at roughly 70%; Python, at 62%; .NET, at 50%; PHP, at 35%; and Go (golang) and Ruby, both at about 32%.
OpenAI, the artificial intelligence research company, has updated its Assistants API with a faster, more accurate file search tool, vector stores, and a tool choice parameter.
OpenAI announced the Assistants API update on April 17. The new file_search tool can retrieve as many as 10,000 files per assistant. It connects models with developers' data to assist in building applications relevant to an organization or use case. The tool works with the new vector store objects for automated file parsing, chunking, and embedding. New token controls, tool-choice capabilities, and added support for model configuration parameters offer greater flexibility to individual use cases.
In a move that could redefine how generative AI can be used by enterprises, without the present ambiguity over its ability to scale and interoperate across business systems, the LF AI & Data Foundation has announced the launch of the Open Platform for Enterprise AI (OPEA) in collaboration with several technology companies.
The objective is to spearhead the development of open, robust, multi-provider, and composable GenAI systems that are flexible, scalable, and enterprise-grade. Technology bigwigs supporting the initiative include Intel, VMware, Red Hat, SAS, Cloudera, MariaDB Foundation, Anyscale, and DataStax. The LF AI & Data Foundation is inviting and expecting more members to join the bandwagon.
A change to Java’s G1 garbage collector would lower the memory and processing overhead and speed the execution of Java’s C2 optimizing JIT (just-in-time) compiler, benefiting cloud deployments, under a proposal in the Java community.
The OpenJDK proposal would simplify the implementation of G1’s barriers, which record information about application memory accesses, by shifting their expansion from early in the C2 JIT's compilation pipeline to later, the proposal states.
Underlying this proposal is the increasing popularity of cloud-based Java deployments, which has led to a stronger focus on reducing overall JVM overhead. Goals of the plan include reducing the execution time of C2 when using the G1 collector, making G1 barriers comprehensible to HotSpot developers who lack a deep understanding of C2, and guaranteeing that C2 preserves invariants about the relative ordering of memory accesses, safepoints, and barriers. Another goal is preserving the quality of C2-generated code in terms of speed and size.
As the use of ever more powerful AI models continues to grow, ensuring trust and accountability must be at the top of the list of goals, on par with any of AI’s potential benefits. It won’t happen overnight, nor will it result from any single step, such as better code, government regulations, or sincere pledges from AI developers. It will require a substantial cultural shift over time involving people, processes, and technology, and it will require widespread collaboration and cooperation among developers and users.
Despite any misgivings about AI’s shortcomings, business leaders can’t ignore its benefits. Gartner found that 79% of corporate strategists believe that their success over the next two years will depend heavily on their use of data and AI. The proliferating use of AI is inevitable. The rise of generative AI in particular has created a gold-rush mentality born of the fear of being at a competitive disadvantage—resulting in significant noise and potential recklessness as companies launch themselves into the ring of AI offerings. For developers and technology leaders considering adding AI to their ecosystem, there are several pitfalls worth examining before choosing a solution. Luckily, the calls for responsible use are also growing.
The ECMAScript specification is like a portrait of the JavaScript language that is repainted every year. As is typical of modern JavaScript, the spec and real-world practice move in tandem. The newest version of the spec, ECMAScript 2024, includes seven new JavaScript features and is expected to be finalized in June. This article introduces four of the new features that are already available in browsers and server-side environments, and ready for you to use today:
Let’s start with the new static method on Promise, called withResolvers(). JavaScript promises give us various ways to deal with asynchronous operations. The withResolvers() method is used to create the three parts of a Promise: the Promise itself and the resolve() and reject() functions.
A common problem with Python applications is how to share them with other people. Developers frequently use a web interface to solve this issue, presenting the app's functionality by way of a UI. But that solution works best when the application UI is a natural fit for web components. Data exploration apps can work like this, for instance, but they also require front-end components written in JavaScript for ideal interactivity.
Streamlit is a Python library that aims to solve many of these issues at once. Using Streamlit, developers can create Python apps with web-based front ends, built from a rich library of interactive components.
Show Notes - https://www.grc.com/sn/SN-970-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.
As of the first quarter of 2024, 83% of developers were involved in devops-related activities such as performance monitoring, security testing, or CI/CD, according to the State of CI/CD Report 2024, published by the Continuous Delivery (CD) Foundation, a part of the Linux Foundation.
Released April 16, the State of CI/CD Report 2024 is downloadable from the CD Foundation, authored by developer researcher SlashData, and sponsored by CloudBees, provider of a DevSecOps platform.
Open-source database provider Qdrant has made available Qdrant Hybrid Cloud, a dedicated vector database to be offered in a managed hybrid cloud model.
Qdrant, the open-source foundation of both Qdrant Cloud and Qdrant Hybrid Cloud, is a vector similarity search engine and vector database written in Rust. Qdrant offers a set of features for performance optimization and can handle billions of vectors with scale and memory safety, the company said.