Technology

With the second preview of its planned update to Visual Studio 2022, Microsoft is offering enhancements of the IDE’s Git experience, including capabilities for comparing branches and checking out commits.

Published January 5, Visual Studio 2022 17.1 Preview 2 is available from the Visual Studio website. In this version, developers can compare checked out Git branches with any local or remote branch. They also can check out the tip commit or any previous commit of remote and local branches.

To read this article in full, please click here

Norton 360, one of the most popular antivirus products on the market today, has installed a cryptocurrency mining program on its customers’ computers. Norton’s parent firm says the cloud-based service that activates the program and allows customers to profit from the scheme — in which the company keeps 15 percent of any currencies mined — is “opt-in,” meaning users have to agree to enable it. But many Norton users complain the mining program is difficult to remove, and reactions from longtime customers have ranged from unease and disbelief to, “Dude, where’s my crypto?”

Norton 360 is owned by Tempe, Ariz.-based NortonLifeLock Inc. In 2017, the identity theft protection company LifeLock was acquired by Symantec Corp., which was renamed to NortonLifeLock in 2019 (LifeLock is now included in the Norton 360 service).

According to the FAQ posted on its site, “Norton Crypto” will mine Ethereum (ETH) cryptocurrency while the customer’s computer is idle. The FAQ also says Norton Crypto will only run on systems that meet certain hardware and software requirements (such as an NVIDIA graphics card with at least 6 GB of memory).

“Norton creates a secure digital Ethereum wallet for each user,” the FAQ reads. “The key to the wallet is encrypted and stored securely in the cloud. Only you have access to the wallet.”

NortonLifeLock began offering the mining service in July 2021, and early news coverage of the program did not immediately receive widespread attention. That changed on Jan. 4, when Boing Boing co-editor Cory Doctorow tweeted that NortonCrypto would run by default for Norton 360 users.

NortonLifeLock says Norton Crypto is an opt-in feature only and is not enabled without user permission.

“If users have turned on Norton Crypto but no longer wish to use the feature, it can be disabled by temporarily shutting off ‘tamper protection’ (which allows users to modify the Norton installation) and deleting NCrypt.exe from your computer,” NortonLifeLock said in a written statement. However, many users have reported difficulty removing the mining program.

From reading user posts on the Norton Crypto community forum, it seems some longtime Norton customers were horrified at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

“How on Earth could anyone at Norton think that adding crypto mining within a security product would be a good thing?,” reads a Dec. 28 thread titled “Absolutely furious.”

“Norton should be DETECTING and killing off crypto mining hijacking, not installing their own,” the post reads. “The product people need firing. What’s the next ‘bright idea’? Norton Botnet? ‘ And I was just about to re-install Norton 360 too, but this has literally has caused me to no longer trust Norton and their direction.”

It’s an open question whether Norton Crypto users can expect to see much profit from participating in this scheme, at least in the short run. Mining cryptocurrencies basically involves using your computer’s spare resources to help validate financial transactions of other crypto users. Crypto mining causes one’s computer to draw more power, which can increase one’s overall electricity costs.

“Norton is pretty much amplifying energy consumption worldwide, costing their customers more in electricity use than the customer makes on the mining, yet allowing Norton to make a ton of profit,” tweeted security researcher Chris Vickery. “It’s disgusting, gross, and brand-suicide.”

Then there’s the matter of getting paid. Norton Crypto lets users withdraw their earnings to an account at cryptocurrency platform CoinBase, but as Norton Crypto’s FAQ rightly points out, there are coin mining fees as well as transaction costs to transfer Ethereum.

“The coin mining fee is currently 15% of the crypto allocated to the miner,” the FAQ explains. “Transfers of cryptocurrencies may result in transaction fees (also known as “gas” fees) paid to the users of the cryptocurrency blockchain network who process the transaction. In addition, if you choose to exchange crypto for another currency, you may be required to pay fees to an exchange facilitating the transaction. Transaction fees fluctuate due to cryptocurrency market conditions and other factors. These fees are not set by Norton.”

Which might explain why so many Norton Crypto users have taken to the community’s online forum to complain they were having trouble withdrawing their earnings. Those gas fees are the same regardless of the amount of crypto being moved, so the system simply blocks withdrawals if the amount requested can’t cover the transfer fees.

Norton Crypto. Image: Bleeping Computer.

I guess what bothers me most about Norton Crypto is that it will be introducing millions of perhaps less savvy Internet users to the world of cryptocurrency, which comes with its own set of unique security and privacy challenges that require users to “level up” their personal security practices in fairly significant ways.

Several of my elder family members and closest friends are longtime Norton users who renew their subscription year after year (despite my reminding them that it’s way cheaper just to purchase it again each year as a new user). None of them are particularly interested in or experts at securing their computers and digital lives, and the thought of them opening CoinBase accounts and navigating that space is terrifying.

Big Yellow is not the only brand that’s cashing in on investor fervor over cryptocurrencies and hoping to appeal to a broader (or maybe just older) audience: The venerable electronics retailer RadioShack, which relaunched in 2020 as an online-focused brand, now says it plans to chart a future as a cryptocurrency exchange.

“RadioShack’s argument is basically that as a very old brand, it’s primed to sell old CEOs on cryptocurrency,” writes Adi Robertson for The Verge.

“Too many [cryptocurrency companies] focused on speculation and not enough on making the ‘old-school’ customer feel comfortable,” the company’s website states, claiming that the average “decision-making” corporate CEO is 68 years old. “The older generation simply doesn’t trust the new-fangled ideas of the Bitcoin youth.”

Build processes can be quite sophisticated for enterprise applications, but even simple and early-stage projects can benefit from automated build pipelines. This article describes a quick-to-deploy system for running an automated build, test, and deploy pipeline with Node.js, Jenkins, and Git.

You’ll need Git and Node/NPM installed on your system to follow along. You’ll also need a Google Cloud Platform (GCP) account. (Google offers a generous free trial account.)

To read this article in full, please click here

ASP.NET Core 6 introduces a simplified hosting model that reduces the boilerplate code that you would otherwise need to write to get your ASP.NET Core application up and running. The Program and Startup classes are the two major classes where you would typically write your code to configure your application.

This article talks about how you can configure the application start-up classes in ASP.NET Core 6, with relevant code examples wherever appropriate.

To work with the code examples provided in this article, you should have Visual Studio 2022 installed in your system. If you don’t already have a copy, you can download Visual Studio 2022 here.

To read this article in full, please click here

Google’s Prediction Framework stitches together Google Cloud Platform services, from Cloud Functions to Pub/Sub to Vertex AutoML to BigQuery, to help users implement data science prediction projects and save time doing so.

Detailed in a December 29 blog post, Prediction Framework was designed to provide the basic scaffolding for prediction solutions and allow for customization. Built for hosting on the Google Cloud Platform, the framework is an attempt to generalize all steps involved in a prediction project, including data extraction, data preparation, filtering, prediction, and post-processing. The idea behind the framework is that with just a few particularizations/modifications, the framework would fit any similar use case, with a high level of reliability.

To read this article in full, please click here

The November 2021 launch of .NET 6 introduced the first Long Term Support (LTS) version of the new .NET Core-based unified platform. Supported until November 2024, .NET 6 is intended for production code that needs a stable foundation. You can build on .NET 6 now and be sure that your code won’t need significant changes until after the launch of .NET 8.

As a result, it’s not surprising to see Azure’s main PaaS (platform-as-a-service) tools adopt .NET 6 very quickly, with immediate, “day zero” support in Azure Functions, Azure App Service, and Azure Static Web Apps. We’ll walk through the .NET 6 support in these popular Azure services below.

To read this article in full, please click here

Nvidia AI Enterprise is an end-to-end AI software stack. It includes software to clean data and prepare it for training, perform the training of neural networks, convert the model to a more efficient form for inference, and deploy it to an inference server.

In addition, the Nvidia AI software suite includes GPU, DPU (data processing unit), and accelerated network support for Kubernetes (the cloud-native deployment layer on the diagram below), and optimized support for shared devices on VMware vSphere with Tanzu. Tanzu Basic lets you run and manage Kubernetes in vSphere. (VMware Tanzu Labs is the new name for Pivotal Labs.)

Nvidia LaunchPad is a trial program that gives AI and data science teams short-term access to the complete Nvidia AI stack running on private compute infrastructure. Nvidia LaunchPad offers curated labs for Nvidia AI Enterprise, with access to Nvidia experts and training modules.

To read this article in full, please click here

• Picture of the Week.
• Log4j's 5th update.
• Microsoft's Log4j scanner triggers false positives.
• Chinese government is annoyed with Alibaba.
• "Hack the DHS" Bug Bounty Expanded.
• COVID postpones the RSA Conference.
• DuckDuckGo continues to grow.
• The cost of cyber insurance will likely be rising or perhaps terminated.
• "The Matrix Resurrections" what a disappointment!
• SpinRite.
• December 33rd.

We invite you to read our show notes at https://www.grc.com/sn/SN-852-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

• progress.com/security-now
• bitwarden.com/twit
• itpro.tv/securitynow promo code SN30

For the second consecutive year, Python has been named TIobe’s programming language of the year, a distinction the company awards to the language with the highest increase in ratings – or popularity – for the year 2021.

Python’s year-over-year increase in popularity was 1.86 percent, according to Tiobe, with a year-end rating of 13.58 percent in the Tiobe index. Tiobe noted this was still far below Java’s all-time record of 26.49 percent achieved in 2001. Tiobe said C# was on its way to becoming the language of the year but was surpassed by Python in the last month.

To read this article in full, please click here

If 2020 was the year that we became acutely aware of the consumer goods supply chain (toilet paper, anyone? Anyone?), then 2021 was the year that the software supply chain rose in our collective consciousness. In perhaps the most infamous attack of the year, thousands of customers, including several US government agencies, downloaded compromised SolarWinds updates.

Alas, SolarWinds was not alone. Indeed, the weaknesses in our software supply chain were all too evident with the recent Log4j vulnerability. Log4j is a widely used open source Java logging framework, so the vulnerability has put tens of thousands of applications (ranging from data storage services to online video games) at risk.

To read this article in full, please click here

It’s 2 a.m. and you’ve just put the finishing touches on the option list for your new home build. Last week you picked the lot with a mountain view, and this week you’ve configured your new 2,500-square-foot home using a web-based design tool. Once your design is complete, you hit the “build” button. Three days later, you get a text that your home is ready for occupancy, the utilities are activated, and the occupancy permits already granted. You have yet to speak with a single human about your home build.

How do we get a home delivered at this speed? It will require complete automation of the design and build processes, with as few humans as possible in the mix. This includes automation of all construction-related trades, and even automation to meet all required legal checkpoints along the way. It will be a homeowner’s utopia.

To read this article in full, please click here

OpenJDK’s Project Valhalla, which explores advanced Java language and JVM feature possibilities, is moving forward with a staged delivery of value objects, primitive objects, and unification of basic primitives.

Overall, the ambitious Valhalla project is intended to heal a rift between primitives and objects. The three key capabilities, cited in a December 2021 blog post, “The State of Valhalla” by Brian Goetz, Java language architect at Oracle, are described in JDK Enhancement Proposals (JEP) currently pending in the OpenJDK community. Those three capabilities are:

To read this article in full, please click here

DNS is essential to the operation of all aspects of the internet and modern digital businesses. DNS is a highly available, highly redundant, highly reliable service that is absolutely essential to your company’s applications and business operations. A failure in your DNS can bring business to a halt, jeopardizing your company’s future.

The problem with DNS is that a tiny mistake in a configuration file can have a ripple effect through the entire DNS and impact all aspects of your company’s operations. A DNS failure will impede your customers’ ability to use your products and your company’s ability to make money. Without solid DNS configuration management in place, you make yourself vulnerable to simple but costly mistakes.

To read this article in full, please click here

Amazon likes to boast that there are “more than 900,000 registered Alexa developers who have built over 130,000 Alexa skills,” but it’s still the case that it’s virtually impossible to actually use more than a small handful of those skills. Hence, it’s not surprising that Priya Anand, after reviewing internal Amazon documents that detail slowing growth in Alexa devices, concluded that Alexa’s biggest problem is “people simply don’t find Alexa that useful.“

To read this article in full, please click here

Leo Laporte takes us through the past year in tech. 2021 highlights include:

• Comparisons between the roaring '20s and the NEW roaring '20s
• GameStop, meme stocks, and the revenge of the retail trader
• CryptoPunks, NFTs, and the Blockchain.
• Nicholas almost unboxes his NBA NFT
• Facebook Is Building An Instagram For Kids Under The Age Of 13.
• Jeff Bezos' Legacy as CEO of Amazon
• How Amy Webb Beat Her Insomnia
• Rick Roll gets 1 billion views
• IBM PC Turns 40 Years Old
• "New Data Says More Communities Built Their Own Broadband Because of COVID.
• U.S. Broadband Wireless Speeds Climb to Pathetic 14th Place Globally. "
• China's central bank says all cryptocurrency-related activities are illegal, vows harsh crackdown.
• iPod is 20 years old

Host: Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

Sponsors:

• podium.com/twit
• nureva.com
• Blueland.com/TWIT
• imperfectfoods.com promo code TWIT

KrebsOnSecurity.com celebrates its 12th anniversary today! Maybe “celebrate” is too indelicate a word for a year wracked by the global pandemics of COVID-19 and ransomware. Especially since stories about both have helped to grow the audience here tremendously in 2021. But this site’s birthday also is a welcome opportunity to thank you all for your continued readership and support, which helps keep the content here free to everyone.

More than seven million unique visitors came to KrebsOnSecurity.com in 2021, generating some 12 million+ pageviews and leaving almost 8,000 comments. We also now have nearly 50,000 subscribers to our email newsletter, which is still just a text-based (non-HTML) email that goes out each time a new story is published here (~2-3 times a week).

Back when this site first began 12 years ago, I never imagined it would attract such a level of engagement. Before launching KrebsOnSecurity, I was a tech reporter for washingtonpost.com. For many years, The Post’s website was physically, financially and editorially separate from what the dot-com employees affectionately called “The Dead Tree Edition.” When the two newsrooms finally merged in 2009, my position was eliminated.

Happily, the blog I authored for four years at washingtonpost.com — Security Fix — had attracted a sizable readership, and it seemed clear that the worldwide appetite for in-depth news about computer security and cybercrime would become practically insatiable in the coming years.

Happier still, The Post offered a severance package equal to six months of my salary. Had they not thrown that lifeline, I doubt I’d have had the guts to go it alone. But at the time, my wife basically said I had six months to make this “blog thing” work, or else find a “real job.”

God bless her eternal patience with my adopted occupation, because KrebsOnSecurity has helped me avoid finding a real job for a dozen years now. And hopefully they let me keep doing this, because at this point I’m certainly unqualified to do much else.

I’d be remiss if I didn’t take this opportunity to remind Dear Readers that advertisers do help keep the content free here to everyone. For security and privacy reasons, KrebsOnSecurity does not host any third-party content on this site — and this includes the ad creatives, which are simply images or GIFs vetted by Yours Truly and served directly from krebsonsecurity.com.

That’s a long-winded way of asking: If you regularly visit KrebsOnSecurity.com with an ad blocker, please consider adding an exception for this site.

Thanks again, Dear Readers. Please stay safe, healthy and alert in 2022. See you on the other side!

As the world adapted to work from home orders and began operating in more distributed, remote teams over the past two years, one common refrain from software developers was the lack of a truly remote alternative to a whiteboard.

Whether it is the dreaded whiteboard test during a job interview, or Mark Zuckerberg and Eduardo Saverin’s apocryphal scribbling of the original Facebook algorithm on a dorm room window, the whiteboard has long been a key tool to help programmers understand and explain the complex systems they are designing and running.

To read this article in full, please click here

Leo Laporte walks through some of the highlights of the show and most impactful stories of 2021. Stories include:

• SolarWinds Hack Detailed By Microsoft
• Crispy Subtitles from Lay's
• Remembering Dan Kaminsky
• REvil Hacks Apple Supplier Quanta Computer
• The "Doom" CAPTCHA
• How Colonial Pipeline Was Breached
• When John McAfee Called Steve Gibson
• T-Mobile Subscribers: Do This Now
• Internet Anonymity" is an Oxymoron

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsor:

• ZipRecruiter.com/securitynow

Ten years ago, many CIOs had a negative opinion about cloud computing; few CIOs landed on the positive side. Cloud subject matter experts like me got walked out of the building on a regular basis. 

These days it’s a career killer to not leverage cloud computing. Most CIOs now have at least 20% of their applications and data moved to the cloud with 10% to 15% scheduled to move in the next year or so.

With that shift in thinking, CIOs are now all in with cloud computing. However, I still hear some common complaints these days. Here are the gifts most cloud-using CIOs want to receive in 2022:

To read this article in full, please click here

In 1960, J.C.R. Licklider, an MIT professor and an early pioneer of artificial intelligence, already envisioned our future world in his seminal article, “Man-Computer Symbiosis”: 

In the anticipated symbiotic partnership, men will set the goals, formulate the hypotheses, determine the criteria, and perform the evaluations. Computing machines will do the routinizable work that must be done to prepare the way for insights and decisions in technical and scientific thinking.

In today’s world, such “computing machines” are known as AI assistants. However, developing AI assistants is a complex, time-consuming process, requiring deep AI expertise and sophisticated programming skills, not to mention the efforts for collecting, cleaning, and annotating large amounts of data needed to train such AI assistants. It is thus highly desirable to reuse the whole or parts of an AI assistant across different applications and domains.

To read this article in full, please click here