JavaScript Projects Were Broken After Left-Pad Was Unpublished

It’s Tuesday afternoon and you start running your brand new JavaScript for the website you’re working on. You’ve been working on it for days and have been enjoying seeing it work, only to find that it breaks. The reason your project, among hundreds of JavaScript projects, was broken for hours is that someone unpublished a piece of their work known as left-pad.

As people create more and more complex programs, they often rely on code written by others in the form of modules or tools. In this case, the module was titled left-pad and was taken down by its creator, Azer Koçulu, after lawyers representing the instant messaging app Kik targeted one of Koçulu’s many modules for having the same name. While this wouldn’t cause problems for many, left-pad, whose sole purpose is to pad the left-hand side of strings (or sentences) with zeroes or spaces, is used in projects like Node and Babel, hugely popular pieces of work that are used in many other projects themselves.

With left-pad removed from NPM (a package manager that helps developers organise their use of other modules or packages), the projects suddenly found themselves unable to retrieve the code, ultimately falling over in style. With just under 2.5 million downloads in the last month alone, according to NPM, you can tell just how many projects could have been broken by a single action.

In order to solve this problem, Laurie Voss, CTO and co-founder of NPM, took a step that many consider unprecedented and republished the previously removed left-pad 0.0.3. This action was apparently prompted by the new owner and allowed Voss to end the day knowing that he was “sleeping fine tonight”.
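To see how a project ends up depending on a module like left-pad without listing it directly, the following added example (not code from NPM or from any project named above) walks the `packages` map of a lockfile and reports every dependency chain that reaches a given package. The lockfile content is constructed and every package name except left-pad is a placeholder.

```javascript
// Constructed sample shaped like the "packages" map of a package-lock.json
// (lockfileVersion 2 or 3). Every name except left-pad is a placeholder.
const samplePackages = {
  "": { name: "my-site",
        dependencies: { "build-tool": "^1.0.0", "web-framework": "^2.0.0" } },
  "node_modules/build-tool": { version: "1.4.0", dependencies: { "code-frame": "^1.0.0" } },
  "node_modules/code-frame": { version: "1.0.2", dependencies: { "left-pad": "0.0.3" } },
  "node_modules/left-pad": { version: "0.0.3" },
  "node_modules/logger": { version: "3.0.1" },
  "node_modules/web-framework": { version: "2.1.0",
        dependencies: { "logger": "^3.0.0", "text-utils": "^0.3.0" } },
  // Nested copy: only web-framework sees this version of text-utils.
  "node_modules/web-framework/node_modules/text-utils": {
        version: "0.3.0", dependencies: { "left-pad": "0.0.3" } },
};

// Resolve a dependency the way Node looks modules up: first in the requiring
// package's own node_modules, then in each parent directory up to the root.
function resolve(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (dir === "") return null; // not installed anywhere on the lookup path
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Return every chain root > ... > target as an array of "name@version" labels.
// Enumerating all chains is fine for a report; very large trees need memoising.
function chainsTo(packages, target) {
  const chains = [];
  const label = (p) => (p === ""
    ? packages[p].name
    : `${p.split("node_modules/").pop()}@${packages[p].version}`);
  const walk = (path, trail) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolve(packages, path, name);
      if (next === null || trail.includes(next)) continue; // missing or cyclic
      const chain = [...trail, next];
      if (name === target) chains.push(chain.map(label));
      else walk(next, chain);
    }
  };
  walk("", [""]);
  return chains;
}

// The direct dependencies that would stop installing if target disappeared.
function exposedTopLevel(packages, target) {
  return [...new Set(chainsTo(packages, target).map((chain) => chain[1]))];
}

for (const chain of chainsTo(samplePackages, "left-pad")) console.log(chain.join(" > "));
console.log("exposed:", exposedTopLevel(samplePackages, "left-pad"));
```

Run against a real lockfile by passing `JSON.parse(...)` of the file's `packages` field instead of the sample.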

MIT’s Polaris Hopes To Speed Up Your Browsing Online

Sadly, the experience on some websites these days can very quickly be summed up by the word “loading”. We like our pictures, our videos and some even like ads; the problem is that everything you view on the internet has to come from somewhere, and that is where the loading comes in. MIT and Harvard want to give you a hand and help speed up your browsing online.

MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) and Harvard have created a framework that focuses on the things you have to download to view your favourite sites. With everything from images to JavaScript downloaded to your computer, the new project, titled Polaris, will help download all those different features in the most efficient sequence possible, avoiding the constant pinging and server routing that comes with traditional browsing.

Polaris was in fact built using JavaScript, which means that any browser and website can use the new system; the only requirement is that the server the site is on is running Polaris in the first place.

The plan for Polaris is to open-source the framework, meaning you could soon find it in every site and browser you use, and with it showing reductions of up to 34% in loading time on websites, you can get one more cat video in on your lunch break.

Ransomware Just Got Worse By The Use of JavaScript

Ransomware is probably one of the peskiest and most annoying things that your computer can catch. Not only do you lose access to your files, you have to pay a criminal to release them again. Even if you should choose to pay, there is no guarantee whatsoever that the criminal will release the files again, or that they won’t hide more malware to hit you again once you are “free”. If that wasn’t bad enough, a new version of Ransom32 has arrived that exploits JavaScript in order to infect you and, worst of all, barely any anti-virus and anti-malware programs will catch it at this time.

While all this sounds bad, there are ways to protect yourself and if you use common sense while surfing the web, then you should be safe anyway. Stay away from dubious websites and don’t touch any archive or executable downloaded from anything but official manufacturer websites. But let us get back to the new malware in question, the ransomware called Ransom32.

Ransom32 is built on the NW.js framework, which was developed to build desktop applications on a JavaScript base. A really cool framework, by the way. That, unfortunately, means that where we usually only see Windows users at risk, those with Linux and MacOS are equally vulnerable to Ransom32. Thanks to the use of this framework, the ransomware is able to get past the sandbox environment that JavaScript runs in these days.

The security researcher Fabian Wosar from EmsiSoft discovered the new Ransom32 as a self-extracting RAR archive. If that archive is unpacked, it will hide in your temp folder and disguise itself as the Chrome web browser, visible as chrome.exe. Advanced users would already have noticed it at this point and not used any automatic-unpack function. However, should the new chrome.exe be executed, it will start to encrypt all your files with 128-bit AES in CTR mode and also place itself firmly in the system’s autostart features.

The Ransom32 creators have also made it very easy for people to use their tool. Evil-minded people can access the tool via a Tor address. When on the site, they can customize the tool’s features before downloading it. The creators reportedly also use the same network for their control servers and connections. To top the whole thing off, the creators take 25 percent of the accumulated ransoms for themselves, and everything stays anonymous thanks to the use of Bitcoins.

We can only hope that the virus scanners and anti-malware tools get an update soon so the less tech-minded people won’t get infected by this nasty new piece of software. You can also read a lot more details about this new piece of software on the EmsiSoft blog.

Chinese Devices Mount Massive DDoS Web Attack

Cyber attacks are an increasing and dangerous threat, perpetrated by groups and countries alike. These attacks are a substantial threat to free speech, to the livelihoods of website operators and to the whole infrastructure of the Internet. It’s no surprise to learn that a huge DDoS attack against a target website resulted in 650,000 devices being unwittingly enrolled into a giant cyber attack which overwhelmed its target.

And where did this attack originate from? That’s right, our friends over at the democracy-suppressing Truman Show style country that is China. The attack transmitted a staggering 4.5 billion separate requests for data in one day to the target destination. Below is an image which analyses the log timeframe of HTTP requests per hour. As you can see, requests for data ramped up dramatically within only a relatively small period of time before dissipating.

Since the attack had been levelled at a client of US company CloudFlare, they were able to “write a dedicated script and were able to further analyze 17M log lines, about 0.4% of the total requests”. They found that 99.8% of the flood was originating from China while 0.2% was labelled as “Other”. They were also able to determine that 80% of the requests came from mobile devices.
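The kind of breakdown quoted above (requests per hour, share per country, share of mobile clients) can be produced by a short log-triage script. This is an added example, not CloudFlare's script: the log format, the sample lines and the user-agent heuristic are all constructed for illustration.

```javascript
// Constructed sample in a hypothetical log format (not CloudFlare's):
//   <ISO timestamp> <country> <method> <path> "<referer>" "<user-agent>"
const ANDROID = "Mozilla/5.0 (Linux; Android 4.4.2) Mobile Safari/537.36";
const IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4) Mobile/12H143";
const DESKTOP = "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0";
const AD = "http://ads.example.test/frame.html";
const sampleLog = [
  `2015-01-01T10:59:58Z US GET /index.html "-" "${DESKTOP}"`,
  `2015-01-01T11:00:01Z CN POST /target "${AD}" "${ANDROID}"`,
  `2015-01-01T11:00:01Z CN POST /target "${AD}" "${IPHONE}"`,
  `2015-01-01T11:00:02Z CN POST /target "${AD}" "${ANDROID}"`,
  `2015-01-01T11:00:02Z CN POST /target "${AD}" "${DESKTOP}"`,
  `2015-01-01T11:00:03Z CN POST /target "${AD}" "${ANDROID}"`,
  `2015-01-01T11:00:03Z CN POST /target "${AD}" "${IPHONE}"`,
  `2015-01-01T11:00:04Z CN POST /target "${AD}" "${ANDROID}"`,
  `2015-01-01T11:00:05Z CN POST /target "${AD}" "${ANDROID}"`,
  `2015-01-01T12:00:09Z DE GET /index.html "-" "${DESKTOP}"`,
  "truncated line without the expected fields",
];

const LINE = /^(\S+) ([A-Z]{2}) (\S+) (\S+) "([^"]*)" "([^"]*)"$/;
const MOBILE = /Mobile|Android|iPhone|iPad/i; // rough heuristic, easy to spoof

// Summarise a batch of log lines. rampFactor flags an hour whose request
// count is at least that many times the previous observed hour's count.
function summarize(lines, rampFactor = 3) {
  const perHour = new Map();
  const perCountry = new Map();
  let total = 0, mobile = 0, skipped = 0;
  for (const line of lines) {
    const m = LINE.exec(line);
    if (!m) { skipped++; continue; }   // count unparseable lines, never guess
    const hour = m[1].slice(0, 13);    // "YYYY-MM-DDTHH"
    perHour.set(hour, (perHour.get(hour) || 0) + 1);
    perCountry.set(m[2], (perCountry.get(m[2]) || 0) + 1);
    if (MOBILE.test(m[6])) mobile++;
    total++;
  }
  // Percentage of parsed requests, rounded to one decimal place.
  const pct = (n) => (total ? Math.round((n / total) * 1000) / 10 : 0);
  const countryShare = [...perCountry]
    .map(([country, n]) => [country, pct(n)])
    .sort((a, b) => b[1] - a[1]);
  // Hours with no requests do not appear in the log, so only observed hours
  // are compared with each other.
  const hours = [...perHour.keys()].sort();
  const rampHours = hours.filter((h, i) =>
    i > 0 && perHour.get(h) >= rampFactor * perHour.get(hours[i - 1]));
  return { total, skipped, perHour: Object.fromEntries(perHour),
           countryShare, mobileShare: pct(mobile), rampHours };
}

console.log(summarize(sampleLog));
```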

So, how is it possible to booby trap an amazingly high number of devices? CloudFlare security analyst Marek Majkowski speculated that the root cause might have been an ad network which was compromised and used as a distribution vector for the attack. “It seems probable that users were served advertisements containing malicious JavaScript. These ads were likely shown in iframes within mobile apps, or mobile browsers to people while they were casually browsing the internet.”

Think of this speculated but plausible scenario like this: while a user was browsing the Internet or using an app, he or she was served an iframe which contained an advertisement. This ad had been requested from an ad network, which then forwarded the request to a third party that won the ad auction. Either the third party was the “attack page” or it forwarded the user to an attack page. Either way, the user was served a page containing malicious JavaScript, which then launched a flood of XHR requests against CloudFlare servers.

CloudFlare have declined to name the company which had their server attacked but are warning against future cyber attacks with the same level of intensity. It’s a worrying trend which has many outlets, including the Darth Vader weapon of choice, “The Great Cannon.” This also does no favours to the long-established practice of serving ads to consumers via the Internet: if advertisements are increasingly being injected with malicious code, consumers are going to use extensions to block them.

The Internet connects the world and is seen as a necessity and therefore a human right by powerful individuals, what countries want you to see on the net, well, that’s a whole different ball game.

Thank you blog.cloudflare for providing us with this information.


Microsoft Releases Slimline Windows 10 for the Raspberry Pi

Microsoft has unveiled a developer-focused Windows 10 edition designed for the Raspberry Pi. Windows 10 IoT Core is targeted towards small form-factor devices and doesn’t utilize the default Windows shell. This means you create your own Universal Windows App and construct a visual frontend. To access these creation tools, you need a development machine running Windows 10 (Build 10240) and Visual Studio 2015.

The operating system is built around software development and encourages new and existing developers to make Windows Apps. The software supports the standard UWP languages such as C++, C#, JavaScript and Visual Basic. There is also a wide array of tools to help with debugging and ensure systems like Node.js and Python are integrated into the toolset without feeling too different.

The Microsoft blog post shows the company’s intentions to create an open-source community of developers who can share and discuss projects on GitHub. The Raspberry Pi is a fantastic learning tool for coders and can create an assortment of unique, yet cheap devices. I’m not convinced that this software package is enough to deter people from a Unix-based environment. Possibly, the focus is on commercial usage and marketing hardware as being invented on a Microsoft development platform.

Clearly, Microsoft is trying to push their own struggling App Store and compete with the Apple Store and Android’s Play Store. Giving developers the tools to create interesting projects is an important step but is it already too late?

Hackers Find Serious 0day Vulnerability in Mozilla Firefox

Mozilla got word this Wednesday that a severe Firefox 0day vulnerability was being exploited by an ad on a Russian website. Although the company was swift in delivering a fix, they are now urging users to check that they are running version 39.0.3 or later to prevent hackers from gaining access to their sensitive data.

It looks like the vulnerability affected a non-privileged part of Firefox’s built-in PDF viewer, where hackers were able to inject JavaScript files. Since these scripts fell under the same origin as the local browser, hackers could then have them search for data and upload it to a server located in Ukraine, as sources indicate.

Security specialists found that the exploit mainly targeted developer-focused content, though it was released to the general audience. However, the attack seems pretty neat: a website can have a large audience, yet data is transferred only from the browsers with significant relevance. The people looking into the hack found that it left no traces behind, which means that even experienced users may be unaware of whether they have been the victim of a hack or not.

Though the hack affected only Windows and Linux systems, Mac users should also be on guard, since the hack can be modified to target Mac OS as well.

Thank you Sci-Tech Today for providing us with this information


GitHub Gets Hit by the Biggest DDoS Attack in Site’s History

GitHub, the popular website used for projects spanning from game engines to security applications and even web app frameworks, is apparently suffering the biggest DDoS attack in the website’s history, which they believe to originate from China.

The attack appears to have started last Thursday, and GitHub has had all its staff working on mitigating the access problems since then. GitHub states that the attack “involves a wide combination of attack vectors,” which “includes every vector we’ve seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic.”

“Based on reports we’ve received, we believe the intent of this attack is to convince us to remove a specific class of content,” GitHub says.

The Wall Street Journal reports that GitHub’s traffic surge is based on visits intended for China’s largest search engine, Baidu. Security experts told the publication that the vast levels of traffic have paralysed GitHub over the DDoS attack’s duration.

The attack, which leads back to China, apparently targets two specific sections of GitHub. One of them is Greatfire.org, an anti-censorship organization dubbed the “Great Firewall of China”, which releases tools to help Chinese citizens bypass the country’s censorship controls, and the other links to copies of the New York Times’ Chinese language website and other banned domains.

Security specialist Anth@x from Insight Labs believes that the attack was due to HTTP hijacking, in which some JavaScript files from Baidu were replaced with malicious ones, with Block Execution also used in order to prevent looping. The security specialist goes even further and states that non-Chinese users are now also being “weaponized” to target the country’s targets.

“In other words, even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech,” Anth@x posted on Insight Labs.

GitHub’s status update Twitter account has been keeping us updated with the attack’s status. While yesterday they reported that “all systems reporting at 100%. Attack traffic continues, so we remain on high alert.”, about an hour ago they stated that “The DDoS attack has evolved and we are working to mitigate”.

Baidu apparently denies involvement in the attack and states that it “was not intentionally involved in any traffic redirection”.

Thank you ZDnet for providing us with this information

Chrome to Get Faster with New JavaScript Techniques

Chrome was built with speed as one of the primary missions since its start back in 2008 and now the coders have come up with the next thing to help make it even faster. Chrome is introducing two techniques called script streaming and code caching designed to reduce that painful waiting time spent staring at a white screen, especially on mobile devices.

Script streaming optimizes the parsing of JavaScript files. Previous versions of Chrome would download a script in full before beginning to parse it, an inefficient way to deal with data. Starting in version 41, Chrome parses async and deferred scripts on a separate thread as soon as the download has begun. This means that parsing can complete just milliseconds after the download has finished, and results in pages loading as much as 10% faster. It’s particularly effective on large scripts and slow network connections.

Code caching is the second new technique that helps speed up page loading, specifically on repeated visits to the same page. Chrome 42 introduces an advanced technique of storing a local copy of the compiled code, so that when the user returns to the page the downloading, parsing, and compiling steps can all be skipped. This allows Chrome to avoid about 40% of compile time across all page loads.

Thanks to Chromium for providing us with this information

Waterproof Rubik’s Cube-Like System Runs Linux, Heads to Kickstarter

Is it a shiny new Rubik’s Cube? It could look like one, but in fact Cuberox is a Kickstarter project that features 16×16 screens in a waterproof casing, is powered by Linux and supports wireless charging.

The coolest Rubik’s Cube-like project is said to give you the ability to run various applications, making it the perfect home or even office solution. Being based on a Unix platform, it gives the user limitless possibilities, such as running a separate app on each side of the cube. From a developer’s perspective, the device could be a gold mine, and JavaScript, which is the main coding language for the device, would be the pickaxe.

In terms of specs, the device is said to feature built-in speakers, multicolored smart backlit technology, wireless connectivity and charging, all encased with a waterproof seal.

The device has currently surpassed the $35,000 mark for its ultimate $150,000 goal and has less than 30 days to go. More information on the device and project can be found over at Kickstarter.

Thank you Kickstarter and Tweak Town for providing us with this information

Is Firefox Coming to iOS?

After firmly denying that Firefox could ever make it to iOS, citing Apple’s prohibition of its web engine, Mozilla’s new CEO might be steering the company into a u-turn. At an event in Portland on Tuesday, Mozilla discussed their desire to release a version of Firefox for iOS.

Lukas Blakk, the new CEO, quoted Mozilla’s Vice President for Firefox Jonathan Nightingale on his Twitter account, saying, “We need to be where our users are so we’re going to get Firefox on iOS.”

In the past, Mozilla’s desire to release Firefox for iOS was curtailed by Apple’s restrictive browser policy. Versions of Chrome and Opera on iOS have been adapted to run on Apple’s own JavaScript and rendering engines, while Mozilla was unwilling to abandon its own browser infrastructure. Now, Mozilla appears more willing to compromise in order to widen its reach to potentially increase its market share.

Source: Techcrunch

Google Releases Dart 1.1, Improves JavaScript Performance

Google released its own JavaScript alternative, Dart, a couple of months ago, claiming it to be just as good as, if not better than, common JavaScript. While Dart is really good in its own V8 JavaScript engine, it did not perform as well when compiled into normal JavaScript code with the help of its own dart2js tool. And since no browser runs native Dart applications, it did not look so good.

But Google has now released a new version, Dart 1.1, which, Google developer Seth Ladd states, fixes the performance problems with the converted JavaScript code. It now shows an increase of around 25% or more (depending on the benchmark) compared to previous code from Dart 1.0.

“Dart2js now generates JavaScript that performs as well as, if not better than, the idiomatic JavaScript equivalent,” Ladd wrote in his article.

Ladd also mentions that there is increasing interest in using Dart for server-side applications. The new Dart 1.1 comes with extra features, including support for large files, process signal handlers and file copy, as well as access to the UDP networking protocol and terminal information, making it easier to write streaming media applications.

Furthermore, the HTTP stack has been optimized, along with a decrease in latency for various I/O operations. The Dart language spec as well as other documentation has also been updated to reflect the changes in the newer version.

Thank you The Register for providing us with this information

World’s First Chrome OS All-in-One Revealed By LG

LG Electronics has become the first company to announce an all-in-one PC based on Google’s Chrome OS cloud-powered operating system, a platform more normally associated with ultra-portable laptops.

Based on Linux, Chrome OS eschews the traditional computing paradigm in favour of turning the Chrome browser into the primary user interface. Applications are rarely installed locally, with the user instead being pointed to web-based apps which make heavy use of the browser’s HTML5 and JavaScript support. The downside, for users who didn’t pay extra for a Chromebook with in-built mobile broadband at least, is that the device loses a great deal of its feature set when disconnected from the internet.

Disconnections may be frequent for road warriors, but less so for those who do the majority of their computing at home. It’s in this typically permanently connected environment that LG hopes to push Chrome OS as a real alternative to the likes of Microsoft Windows. Step one: the world’s first Chrome OS all-in-one desktop PC, the Chromebase.

Looking for all the world like a slightly bulky monitor, and owing an undeniable debt of gratitude to Apple’s curved iMac design, the Chromebase packs a Haswell-based Celeron processor, 2GB of RAM, 16GB of local storage – the bulk storage of files being offloaded to the Google Drive cloud platform – and a 1.3 megapixel front-facing webcam with support for 720p video capture. The front, meanwhile, is dominated by the Chromebase’s 21.5″ 1,920×1080 in-plane switching (IPS) liquid-crystal display panel. The sides and rear include a single USB 3.0 port, three USB 2.0 ports, analogue audio connectivity to supplement the on-board speakers, an Ethernet connection and – interestingly – a HDMI input, allowing the device to double as a monitor for an external system.

‘Simple to operate for all types of users, the award-winning LG Chromebase computer represents the successful combination of simplicity, power and great design,’ claimed Hyoung-sei Park, head of the IT Business Division at LG Electronics. ‘LG Chromebase is the wave of the future for desktops, [and is] expected to be widely adopted not only at home, but especially in schools, hotels, call centres and other business settings.’

Pricing for the LG Chromebase has yet to be confirmed, with the company expected to make a more detailed announcement at the 2014 Consumer Electronics Show (CES) next month.

Thank you Bit-Tech for providing us with this information

Google’s Dart SDK 1.0 Emerges From Beta

Google has launched version 1.0 of its Dart SDK today, which is the company’s cross-browser and open-source toolkit for structured Web applications. Google considers version 1.0 as the mark of Dart’s transition to a production-ready option for Web developers, though no browser supports Dart native code at the moment.

The Dart project first saw the light of day in October 2011, and ever since, the company has been working with early adopters to mature the project and grow its community. With the help of third-party developers, the Dart SDK comes with a feature called the Pub package manager, with more than 500 packages.

The Dart SDK 1.0 features tools and core libraries to help make development workflow “simpler, faster, and more scalable,” according to Google. A development environment made especially for developers managing a growing code base has also been included in the Dart Editor, with the help of features such as code completion, refactoring, jump to definition, a debugger, hints, warnings, and so on. As for deployment, the dart2js translator allows Dart code to run in modern browsers.

Dart is Google’s open-source Web programming language and the goal set by Google is to replace JavaScript. Of course this cannot be achieved in one go, but in time it could be a possibility. The dart2js output for the DeltaBlue benchmark now runs even faster than idiomatic JavaScript, the dart2js output code size has been substantially reduced, and the VM is now between 42% and 130% faster than idiomatic JavaScript running in the V8 JavaScript engine.

Google has made Dart SDK 1.0 available to all who wish to give it a try, and it can be downloaded from here.

Thank you TNW for providing us with this information