Technology

Bun and HTMX are two of the most interesting things happening in software right now. Bun is an incredibly fast, all-in-one server-side JavaScript platform, and HTMX is an HTML extension used to create simple, powerful interfaces. In this article, we'll use these two great tools together to develop a full-stack application that uses MongoDB for data storage and Elysia as its HTTP server.

To read this article in full, please click here

Apache Spark is a data processing framework that can quickly perform processing tasks on very large data sets, and can also distribute data processing tasks across multiple computers, either on its own or in tandem with other distributed computing tools. These two qualities are key to the worlds of big data and machine learning, which require the marshalling of massive computing power to crunch through large data stores. Spark also takes some of the programming burdens of these tasks off the shoulders of developers with an easy-to-use API that abstracts away much of the grunt work of distributed computing and big data processing.

To read this article in full, please click here

• A near-Universal (Local) Linux Elevation of Privilege vulnerability
• TechCrunch informed AT&T of a 5 year old data breach
• Signal to get very useful cloud backups
• Telegram to allow restricted incoming
• HP exits Russia ahead of schedule
• Advertisers are heavier users of Ad Blockers than average Americans!
• The Google Incognito Mode Lawsuit
• Canonical fights malicious Ubuntu store apps
• Spinrite update
• A Cautionary Tale

Show Notes - https://www.grc.com/sn/SN-968-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

• 1bigthink.com
• kolide.com/securitynow
• Melissa.com/twit
• vanta.com/SECURITYNOW

Bun 1.1, the latest version of the Bun toolkit and drop-in Node.js replacement for building, testing, and running JavaScript and TypeScript, now supports Windows 10. The latest version is also more compatible with Node.js.

To read this article in full, please click here

2023 has been a breakout year for developers and generative AI. GitHub Copilot graduated from its technical preview stage in June 2022, and OpenAI released ChatGPT in November 2022. Just 18 months later, according to a survey by Sourcegraph, 95% of developers report they use generative AI to assist them in writing code. Generative AI can help developers write more code in a shorter space of time, but we need to consider how much of a good thing that may be.

To read this article in full, please click here

Talk to anybody about generative AI in the cloud, and the conversation goes quickly to GPUs (graphics processing units). But that could be a false objective. GPUs do not matter as much as people think they do, and in a few years, the conversation will likely shift to what is much more critical to the development and deployment of generative AI systems in the cloud.

The current assumption is that GPUs are indispensable for facilitating the complex computations required by generative AI models. While GPUs have been pivotal in advancing AI, overemphasizing them might detract from exploring and leveraging equally effective and potentially more sustainable alternatives. Indeed, GPUs could quickly become commodities like other resources that AI systems need, such as storage and processing space. The focus should be on designing and deploying these systems, not just the hardware they run on. Call me crazy.

To read this article in full, please click here

It’s hard to believe that the agile software development methodology officially turned 20 years old last year. What once was an outlying practice for startups collaborating in colocated spaces with stickies and whiteboards is now a sophisticated, scalable, and widely used set of agile software development processes and tools.

There’s a rich history behind agile software development and why organizations use agile methods such as scrum and kanban to modernize applications, improve customer experience, and implement digital transformations. There’s also a tremendous body of knowledge around these methodologies and their intersections with design thinking, product management, and devops. Fewer people today ask, “What is agile?” More are seeking guidance for how to align their teams on agile best practices.

To read this article in full, please click here

Google has announced plans to eventually merge its Angular and Wiz web frameworks. The company says it is already looking for ways that Angular could benefit from Wiz's superior performance, while Wiz could benefit from Angular's focus on developer experience.

In a blog post posted by the Angular team on March 30, proponents said that Angular and Wiz were “better together.” The merge will happen "gradually and responsibly" over the coming years, according to the post. Google’s strategy is to steadily open-source Wiz features via Angular and follow an open model of development. A public RFC (request for comment) process will ensure community feedback is gathered on relevant proposed features. The primary goal of the merge is to improve the Angular framework.

To read this article in full, please click here

The latest version of the web rendering engine Babylon.js has arrived with performance and rendering enhancements to support 3D capabilities and more.

Version 7.0 of the rendering and game engine was announced on March 28. Directions for getting started with Babylon.js can be found on GitHub.

Procedural geometry in version 7.0, also called Node Geometry, lets users create complex geometry at runtime or build time. This removes the need to download large 3D assets. Instead, local machines or devices can use the CPU to create these assets.

To read this article in full, please click here

Even with all of the advances in IT, whether it’s modular hardware, massive cloud computing resources, or small-form-factor edge devices, IT still has a scale problem. Not physically—it’s easy to add more boxes, more storage, and more “stuff” in that respect. The challenge with scale is getting your operations to work as intended at that level, and it starts with making sure you can build, deploy, and maintain applications effectively and efficiently as you grow. This means that the basic building block of devops, the operating system, needs to scale—quickly, smoothly, and seamlessly.

To read this article in full, please click here

One of the hardest parts of building software is choosing your technology stack. You have to pick a tool or framework to get started, but you can’t know its real capabilities until you’ve worked with it for a while. It’s a Catch-22, and prototyping only helps so much. There is a tendency to stick to the same familiar technologies you’ve used in the past, but this has obvious drawbacks, including missing out on important innovations.

This article is an overview and comparison of the leading front-end JavaScript frameworks at the time of this writing. We’ll start with a look at the field, discuss the reasons you might need a new framework, and then look at each of the 10 frameworks in this list in detail, including a feature-by-feature comparison that you can download for future reference.

To read this article in full, please click here

Continuous integration (CI) and continuous delivery (CD), also known as CI/CD, embodies a culture and set of operating principles and practices that application development teams use to deliver code changes both more frequently and more reliably.

CI/CD is a best practice for devops teams. It is also a best practice in agile methodology. By automating code integration and delivery, CI/CD lets software development teams focus on meeting business requirements while ensuring that software is high in quality and secure.

To read this article in full, please click here

Recently Redis changed its license, and mountains of misinformation have followed, not to mention a fork driven by trillion-dollar cloud company AWS. Among that misinformation is Steven J. Vaughn-Nicols’ earnest but incorrect declaration that the Redis change “means developers can no longer use Redis’ code.”

This is simply not true. For 99.9999999999999% of developers, their rights under the license remain exactly the same as they would under the most permissive of open source licenses. What it does mean is that trillion-dollar cloud companies like AWS can no longer take Redis’s code without contributing back.

To read this article in full, please click here

Gmail turns 20, AI PC definition, xz Utils backdoor

• 20 years of Gmail
• Backdoor found in widely used Linux utility breaks encrypted SSH connections
• An Accidental Discovery of a Backdoor Likely Prevented Thousands of Infections
• EU probes Apple, Meta and Alphabet under landmark new law
• Google Podcasts service shuts down in the US next week
• Daniel Kahneman, Who Plumbed the Psychology of Economics, Dies at 90 - The New York Times
• The great rewiring: is social media really behind an epidemic of teenage mental illness?
• Social Media, Authoritarianism, and the World As It Is - LPE Project
• Phison Announces Strategic Partnerships Deploying aiDAPTIV+ at NVIDIA GTC 2024
• Microsoft says this single key is the difference between an AI PC and just a PC with AI

Host: Leo Laporte

Guests: Allyn Malventano, Daniel Rubino, and Doc Rock

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

Sponsors:

• zscaler.com/zerotrustAI
• wix.com/studio
• Download StepDog
• www.stamps.com promo code TWIT
• eufy.com
• NetSuite.com/TWIT

Deno 1.42, the latest release of the JavaScript, TypeScript, and WebAssembly runtime, introduces support for JSR, a new package registry for JavaScript and TypeScript. The release also improves Node and NPM compatibility and startup times.

Deno 1.42 was announced March 28. Users can upgrade in their terminal by running the deno upgrade command.

Deno 1.42 allows users to consume and publish modules to the JSR package registry directly from Deno, using the deno add and deno publish subcommands. At the same time, Deno continues to support NPM. JSR offers a modern, TypeScript-first and cross-platform-compatible registry, integrated into Deno, Deno’s developers said.

To read this article in full, please click here

Java Development Kit (JDK) 23, the next planned version of standard Java, is off and running, with two features now scheduled for the release.

Due September 19, JDK 23 has just added a second preview of a class-file API, providing a standard API for parsing, generating, and transforming Java class files. This feature was previously previewed in JDK 22, which was released on March 19. Previously slotted for JDK 23 was a preview of primitive types in patterns, instanceof, and switch.

To read this article in full, please click here

Microsoft is adding safety and security tools to Azure AI Studio, the company’s cloud-based toolkit for building generative AI applications. The new tools include protection against prompt injection attacks, detection of hallucinations in model output, system messages to steer models toward safe output, model safety evaluations, and risk and safety monitoring.

Microsoft announced the new features on March 28. Safety evaluations are now available in preview in Azure AI Studio. The other features are coming soon, Microsoft said. Azure AI Studio, also in preview, can be accessed from ai.azure.com.

To read this article in full, please click here

In December 2023, delegates from almost 200 countries met in Dubai for the UN’s climate-change conference, COP28, to discuss the pressing need to reduce emissions, as reported by IEEE in this article.

According to the website sustainability scoring tool Ecograder, and as the authors are quick to point out, the COP28 website produces 3.69 grams of CO2 per page load. Those webpage hits add up. If the site gets 10,000 monthly views for a year, its emissions would be slightly more than a one-way flight from San Francisco to Toronto.

To read this article in full, please click here

Thread hijacking attacks. They happen when someone you know has their email account compromised, and you are suddenly dropped into an existing conversation between the sender and someone else. These missives draw on the recipient’s natural curiosity about being copied on a private discussion, which is modified to include a malicious link or attachment. Here’s the story of a recent thread hijacking attack in which a journalist was copied on a phishing email from the unwilling subject of a recent scoop.

In Sept. 2023, the Pennsylvania news outlet LancasterOnline.com published a story about Adam Kidan, a wealthy businessman with a criminal past who is a major donor to Republican causes and candidates, including Rep. Lloyd Smucker (R-Pa).

The LancasterOnline story about Adam Kidan.

Several months after that piece ran, the story’s author Brett Sholtis received two emails from Kidan, both of which contained attachments. One of the messages appeared to be a lengthy conversation between Kidan and a colleague, with the subject line, “Re: Successfully sent data.” The second missive was a more brief email from Kidan with the subject, “Acknowledge New Work Order,” and a message that read simply, “Please find the attached.”

Sholtis said he clicked the attachment in one of the messages, which then launched a web page that looked exactly like a Microsoft Office 365 login page. An analysis of the webpage reveals it would check any submitted credentials at the real Microsoft website, and return an error if the user entered bogus account information. A successful login would record the submitted credentials and forward the victim to the real Microsoft website.

But Sholtis said he didn’t enter his Outlook username and password. Instead, he forwarded the messages to LancasterOneline’s IT team, which quickly flagged them as phishing attempts.

LancasterOnline’s Executive Editor Tom Murse said the two phishing messages from Mr. Kidan raised eyebrows in the newsroom because Kidan had threatened to sue the news outlet multiple times over Sholtis’s story.

“We were just perplexed,” Murse said. “It seemed to be a phishing attempt but we were confused why it would come from a prominent businessman we’ve written about. Our initial response was confusion, but we didn’t know what else to do with it other than to send it to the FBI.”

The phishing lure attached to the thread hijacking email from Mr. Kidan.

In 2006, Kidan was sentenced to 70 months in federal prison after pleading guilty to defrauding lenders along with Jack Abramoff, the disgraced lobbyist whose corruption became a symbol of the excesses of Washington influence peddling. He was paroled in 2009, and in 2014 moved his family to a home in Lancaster County, Pa.

The FBI hasn’t responded to LancasterOnline’s tip. Messages sent by KrebsOnSecurity to Kidan’s emails addresses were returned as blocked. Messages left with Mr. Kidan’s company, Empire Workforce Solutions, went unreturned.

No doubt the FBI saw the messages from Kidan for what they likely were: The result of Mr. Kidan having his Microsoft Outlook account compromised and used to send malicious email to people in his contacts list.

Thread hijacking attacks are hardly new, but that is mainly true because many Internet users still don’t know how to identify them. The email security firm Proofpoint says it has tracked north of 90 million malicious messages in the last five years that leverage this attack method.

One key reason thread hijacking is so successful is that these attacks generally do not include the tell that exposes most phishing scams: A fabricated sense of urgency. A majority of phishing threats warn of negative consequences should you fail to act quickly — such as an account suspension or an unauthorized high-dollar charge going through.

In contrast, thread hijacking campaigns tend to patiently prey on the natural curiosity of the recipient.

Ryan Kalember, chief strategy officer at Proofpoint, said probably the most ubiquitous examples of thread hijacking are “CEO fraud” or “business email compromise” scams, wherein employees are tricked by an email from a senior executive into wiring millions of dollars to fraudsters overseas.

But Kalember said these low-tech attacks can nevertheless be quite effective because they tend to catch people off-guard.

“It works because you feel like you’re suddenly included in an important conversation,” Kalember said. “It just registers a lot differently when people start reading, because you think you’re observing a private conversation between two different people.”

Some thread hijacking attacks actually involve multiple threat actors who are actively conversing while copying — but not addressing — the recipient.

“We call these mutli-persona phishing scams, and they’re often paired with thread hijacking,” Kalember said. “It’s basically a way to build a little more affinity than just copying people on an email. And the longer the conversation goes on, the higher their success rate seems to be because some people start replying to the thread [and participating] psycho-socially.”

The best advice to sidestep phishing scams is to avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Snowflake on Thursday said it was making its Data Clean Room application generally available for free in the Snowflake Marketplace. The application, which was built on Snowflake’s Native Application Framework, will allow customers to set up data clean rooms at no additional cost, the company said.

Introduced in 2022, Snowflake’s Native Application Framework offers developers the ability to build and run applications inside the Snowflake Data Cloud platform, without the need to move data when building and running those applications.

To read this article in full, please click here