Technology

Continuous integration (CI) and continuous delivery (CD), also known as CI/CD, embodies a culture and set of operating principles and practices that application development teams use to deliver code changes both more frequently and more reliably.

CI/CD is a best practice for devops teams. It is also a best practice in agile methodology. By automating code integration and delivery, CI/CD lets software development teams focus on meeting business requirements while ensuring that software is high in quality and secure.

To read this article in full, please click here

Recently Redis changed its license, and mountains of misinformation have followed, not to mention a fork driven by trillion-dollar cloud company AWS. Among that misinformation is Steven J. Vaughn-Nicols’ earnest but incorrect declaration that the Redis change “means developers can no longer use Redis’ code.”

This is simply not true. For 99.9999999999999% of developers, their rights under the license remain exactly the same as they would under the most permissive of open source licenses. What it does mean is that trillion-dollar cloud companies like AWS can no longer take Redis’s code without contributing back.

To read this article in full, please click here

Gmail turns 20, AI PC definition, xz Utils backdoor

• 20 years of Gmail
• Backdoor found in widely used Linux utility breaks encrypted SSH connections
• An Accidental Discovery of a Backdoor Likely Prevented Thousands of Infections
• EU probes Apple, Meta and Alphabet under landmark new law
• Google Podcasts service shuts down in the US next week
• Daniel Kahneman, Who Plumbed the Psychology of Economics, Dies at 90 - The New York Times
• The great rewiring: is social media really behind an epidemic of teenage mental illness?
• Social Media, Authoritarianism, and the World As It Is - LPE Project
• Phison Announces Strategic Partnerships Deploying aiDAPTIV+ at NVIDIA GTC 2024
• Microsoft says this single key is the difference between an AI PC and just a PC with AI

Host: Leo Laporte

Guests: Allyn Malventano, Daniel Rubino, and Doc Rock

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

Sponsors:

• zscaler.com/zerotrustAI
• wix.com/studio
• Download StepDog
• www.stamps.com promo code TWIT
• eufy.com
• NetSuite.com/TWIT

Deno 1.42, the latest release of the JavaScript, TypeScript, and WebAssembly runtime, introduces support for JSR, a new package registry for JavaScript and TypeScript. The release also improves Node and NPM compatibility and startup times.

Deno 1.42 was announced March 28. Users can upgrade in their terminal by running the deno upgrade command.

Deno 1.42 allows users to consume and publish modules to the JSR package registry directly from Deno, using the deno add and deno publish subcommands. At the same time, Deno continues to support NPM. JSR offers a modern, TypeScript-first and cross-platform-compatible registry, integrated into Deno, Deno’s developers said.

To read this article in full, please click here

Java Development Kit (JDK) 23, the next planned version of standard Java, is off and running, with two features now scheduled for the release.

Due September 19, JDK 23 has just added a second preview of a class-file API, providing a standard API for parsing, generating, and transforming Java class files. This feature was previously previewed in JDK 22, which was released on March 19. Previously slotted for JDK 23 was a preview of primitive types in patterns, instanceof, and switch.

To read this article in full, please click here

Microsoft is adding safety and security tools to Azure AI Studio, the company’s cloud-based toolkit for building generative AI applications. The new tools include protection against prompt injection attacks, detection of hallucinations in model output, system messages to steer models toward safe output, model safety evaluations, and risk and safety monitoring.

Microsoft announced the new features on March 28. Safety evaluations are now available in preview in Azure AI Studio. The other features are coming soon, Microsoft said. Azure AI Studio, also in preview, can be accessed from ai.azure.com.

To read this article in full, please click here

In December 2023, delegates from almost 200 countries met in Dubai for the UN’s climate-change conference, COP28, to discuss the pressing need to reduce emissions, as reported by IEEE in this article.

According to the website sustainability scoring tool Ecograder, and as the authors are quick to point out, the COP28 website produces 3.69 grams of CO2 per page load. Those webpage hits add up. If the site gets 10,000 monthly views for a year, its emissions would be slightly more than a one-way flight from San Francisco to Toronto.

To read this article in full, please click here

Thread hijacking attacks. They happen when someone you know has their email account compromised, and you are suddenly dropped into an existing conversation between the sender and someone else. These missives draw on the recipient’s natural curiosity about being copied on a private discussion, which is modified to include a malicious link or attachment. Here’s the story of a recent thread hijacking attack in which a journalist was copied on a phishing email from the unwilling subject of a recent scoop.

In Sept. 2023, the Pennsylvania news outlet LancasterOnline.com published a story about Adam Kidan, a wealthy businessman with a criminal past who is a major donor to Republican causes and candidates, including Rep. Lloyd Smucker (R-Pa).

The LancasterOnline story about Adam Kidan.

Several months after that piece ran, the story’s author Brett Sholtis received two emails from Kidan, both of which contained attachments. One of the messages appeared to be a lengthy conversation between Kidan and a colleague, with the subject line, “Re: Successfully sent data.” The second missive was a more brief email from Kidan with the subject, “Acknowledge New Work Order,” and a message that read simply, “Please find the attached.”

Sholtis said he clicked the attachment in one of the messages, which then launched a web page that looked exactly like a Microsoft Office 365 login page. An analysis of the webpage reveals it would check any submitted credentials at the real Microsoft website, and return an error if the user entered bogus account information. A successful login would record the submitted credentials and forward the victim to the real Microsoft website.

But Sholtis said he didn’t enter his Outlook username and password. Instead, he forwarded the messages to LancasterOneline’s IT team, which quickly flagged them as phishing attempts.

LancasterOnline’s Executive Editor Tom Murse said the two phishing messages from Mr. Kidan raised eyebrows in the newsroom because Kidan had threatened to sue the news outlet multiple times over Sholtis’s story.

“We were just perplexed,” Murse said. “It seemed to be a phishing attempt but we were confused why it would come from a prominent businessman we’ve written about. Our initial response was confusion, but we didn’t know what else to do with it other than to send it to the FBI.”

The phishing lure attached to the thread hijacking email from Mr. Kidan.

In 2006, Kidan was sentenced to 70 months in federal prison after pleading guilty to defrauding lenders along with Jack Abramoff, the disgraced lobbyist whose corruption became a symbol of the excesses of Washington influence peddling. He was paroled in 2009, and in 2014 moved his family to a home in Lancaster County, Pa.

The FBI hasn’t responded to LancasterOnline’s tip. Messages sent by KrebsOnSecurity to Kidan’s emails addresses were returned as blocked. Messages left with Mr. Kidan’s company, Empire Workforce Solutions, went unreturned.

No doubt the FBI saw the messages from Kidan for what they likely were: The result of Mr. Kidan having his Microsoft Outlook account compromised and used to send malicious email to people in his contacts list.

Thread hijacking attacks are hardly new, but that is mainly true because many Internet users still don’t know how to identify them. The email security firm Proofpoint says it has tracked north of 90 million malicious messages in the last five years that leverage this attack method.

One key reason thread hijacking is so successful is that these attacks generally do not include the tell that exposes most phishing scams: A fabricated sense of urgency. A majority of phishing threats warn of negative consequences should you fail to act quickly — such as an account suspension or an unauthorized high-dollar charge going through.

In contrast, thread hijacking campaigns tend to patiently prey on the natural curiosity of the recipient.

Ryan Kalember, chief strategy officer at Proofpoint, said probably the most ubiquitous examples of thread hijacking are “CEO fraud” or “business email compromise” scams, wherein employees are tricked by an email from a senior executive into wiring millions of dollars to fraudsters overseas.

But Kalember said these low-tech attacks can nevertheless be quite effective because they tend to catch people off-guard.

“It works because you feel like you’re suddenly included in an important conversation,” Kalember said. “It just registers a lot differently when people start reading, because you think you’re observing a private conversation between two different people.”

Some thread hijacking attacks actually involve multiple threat actors who are actively conversing while copying — but not addressing — the recipient.

“We call these mutli-persona phishing scams, and they’re often paired with thread hijacking,” Kalember said. “It’s basically a way to build a little more affinity than just copying people on an email. And the longer the conversation goes on, the higher their success rate seems to be because some people start replying to the thread [and participating] psycho-socially.”

The best advice to sidestep phishing scams is to avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Snowflake on Thursday said it was making its Data Clean Room application generally available for free in the Snowflake Marketplace. The application, which was built on Snowflake’s Native Application Framework, will allow customers to set up data clean rooms at no additional cost, the company said.

Introduced in 2022, Snowflake’s Native Application Framework offers developers the ability to build and run applications inside the Snowflake Data Cloud platform, without the need to move data when building and running those applications.

To read this article in full, please click here

.NET 7, a version Microsoft’s open-source, cross-platform application framework that was released in November 2022, will reach its end of support on May 14, 2024, Microsoft said on March 27.

After May 14, Microsoft will no longer provide servicing updates including technical support or security fixes. Developers will need to update to .NET 8, released in November 2023, to continue to receive support. .NET 7 is a Standard Term Support release, which receives support for 18 months. It is supported by Microsoft on multiple operating systems, including Windows, MacOS, Linux, Android, and iOS.

To read this article in full, please click here

JetBrains’ IntelliJ IDEA 2024.1, a release of the integrated development environment (IDE) due on April 4, will feature an optional K2 compiler mode, enabling developers to use K2 for faster and more robust Kotlin code analysis, the company said.

With this planned release, the IDE for Kotlin and Java will have two modes. The class mode, enabled by default, will use the standard K1 Kotlin compiler to analyze Kotlin code. The K2 mode will use the new K2 compiler as its code analysis engine. The K2 mode now is in an alpha state. The company made the announcement in a March 25 blog post.

To read this article in full, please click here

With atomic clock-like regularity, the latest version of Java, JDK 22, was released last week. Although this is not a long-term support (LTS) release, there is nothing to stop you from using it in production, and it contains some interesting new features.

Let’s dive in and see what this brings us.

New features for the Java platform are defined through JDK Enhancement Proposals (JEPs), and JDK 22 contains 12 of these. Coincidentally, over the last 13 Java releases, since the switch to a six-month cadence, the average number of JEPs (to the nearest integer) is also 12. You could, therefore, describe this as an average release!

To read this article in full, please click here

Kubernetes plays an important role at Microsoft. The container management system is a foundational piece of the company’s many clouds, from Microsoft 365 and Xbox, to Azure, to partners like OpenAI that use Microsoft’s Kubernetes to host their own services.

As a result, Microsoft has invented many of its own Kubernetes management tools. These include Kaito for deploying AI inferencing workloads and Fleet for large-scale management of Kubernetes clusters. All of Microsoft’s various tools sit underneath its two managed Kubernetes services, Azure Kubernetes Service and Azure Container Service, allowing you to deploy and orchestrate your container-based applications without needing to build the necessary management framework. It all comes for free, with APIs, portals, and command line interfaces.

To read this article in full, please click here

Chatbots like ChatGPT, Claude.ai, and phind can be quite helpful, but you might not always want your questions or sensitive data handled by an external application. That's especially true on platforms where your interactions may be reviewed by humans and otherwise used to help train future models.

One solution is to download a large language model (LLM) and run it on your own machine. That way, an outside company never has access to your data. This is also a quick option to try some new specialty models such as Meta's recently announced Code Llama family of models, which are tuned for coding, and SeamlessM4T, aimed at text-to-speech and language translations.

To read this article in full, please click here

Microsoft has announced a private preview of Copilot in Azure SQL Database, an AI assistant that improves productivity in the Azure portal by offering natural language to SQL conversion, along with self-help for database administration.

Microsoft announced the preview on March 21. To sign up for the preview, users can request access.

To read this article in full, please click here

Data lakehouse provider Databricks has released a family of open-source large language models (LLM), DBRX, that it says outperforms OpenAI’s GPT 3.5 and open-source models such as Mixtral, Claude 3, Llama 2, and Grok-1 on standard benchmarking tests.

To read this article in full, please click here

In Steampipe unbundled we showed how its plugins, which originally worked only with the foreign data wrapper loaded into Steampipe’s batteries-included Postgres, are now also available as stand-alone distributions that you can load into your own instances of Postgres or SQLite. Now Steampipe itself is unbundled: its dashboard server and benchmark runner have migrated to a new open-source project, Powerpipe.

To read this article in full, please click here

Graceful error handling is an essential aspect of well-designed software. It’s also tricky. This article offers an overview of error handling in React applications and how to use React error boundaries to handle render-time errors.

We can divide React application errors broadly into two types, and error handling into two aspects.

The two React error types:

• JavaScript errors: These are conventional JavaScript errors that occur in the code portion of a component.
• Render errors: These are errors raised by the rendering engine, emerging from the markup.

Note that the nature of JavaScript UI makes for tricky error handling. Aside from typical runtime errors, there are errors that spring from the “drawing” of the screen components. We are distinguishing these two types of errors here as “JavaScript errors” and “Render errors.”

To read this article in full, please click here

Visual Studio Code is a terrific software development environment, and not only because it has excellent code-editing features and language support. Thanks to its rich culture of extensions, VS Code supports many tasks besides editing. You’ll find VS Code extensions for everything from a speedier way to navigate the editor to effortlessly inserting placeholder text and images.

Here are 11 VS Code extensions that you might want to consider when putting together your development environment. Some could be extremely useful additions to your toolkit, and even part of your daily workflow. 

To read this article in full, please click here