Career in Web Development: 5 Tips on How to Improve Your Skills – Tech Guide

Are you looking to ensure a great career in web development? Then master your existing skills and seek out valuable learning opportunities. Here I'm going to pin down a few tips you can try to ensure a successful web development career:

1. Enroll in an Online Course

First and foremost, get yourself enrolled in a good web development course. Consider getting a certification in internet programming to build skills in this field. Typically, an online course has a duration of 18 months, and you will learn many new things and gain confidence during that period. You will learn how to build your own website and learn new methods of developing and designing. You will also learn how to effectively administer websites. An online course helps you build a site from scratch and end up mastering business skills, a gateway to a successful career.

2. Work on Open-Source Projects

If you aim to excel in your web development career, then it's best to join the open-source community. This will help you polish your existing skills in many different ways: you get to learn from field experts, take part in real projects, get maximum exposure to coding, and develop the abilities of an accomplished developer. Contributing to open-source projects can help you establish new skills. You can either join an existing project or start an iteration of it.

3. Learn New Industry Trends

To succeed in your career, you must stay up to date with changing industry trends. This will help you gain an edge over colleagues, business competitors, and others. Learn about what is currently going on in the web development industry and learn by doing. Join industry groups, socialize with expert web developers, and attend conferences and colloquiums to learn more about the web development industry. Remember that web development is a competitive and fast-changing industry, and you must want to stay on top of its trends.

4. Regularly Write Code

Have you ever heard the common saying that practice makes perfect? Well, the same applies when it comes to polishing your skills in web development. If you want to be a pro at coding, then don't miss a day without coding. Once you have learned the art of coding, it's time to focus on that skill. Constantly practising a skill is the way to grow and be successful in your field. Writing code every day and being creative with what you are doing will help you become an amazing web developer.

5. Teach Others What You've Learned

Perhaps you've already heard that if you want to improve your skills in a specific area, you should teach what you're learning. This can help you grow on many personal levels. Teaching others how to write code gives you new perspectives. Learning and teaching are two different things, and you must employ both at the same time to have a solid understanding of web development. First, learn how coding works, and then share with others what you've learned. This will raise new questions that you never thought about earlier.


GB News Is Off to a Splashy, but Shaky, Start in Britain – The New York Times

Media analysts said GB News faced a bigger long-term challenge: It wants to be treated as a traditional ad-supported news channel, but it is promoting itself as a politically opinionated combatant in the culture wars.

"GB News is pitching itself along identity lines but using the idea of a separation between advertisers and editorial to fight back against its critics," said Meera Selva, director of the Reuters Journalism Fellowship Program at the University of Oxford.

There are also questions about whether GB News will run afoul of Britain's broadcast rules. Several hundred viewers filed complaints with the broadcasting regulator, known as Ofcom, after Mr. Wootton's harsh criticism of Mr. Johnson's postponed reopening, a warning sign given that it was the channel's first night.

Under the regulations, broadcasters are allowed to deliver opinions, provided there is a rough balance over the course of a day between left and right. Some media experts said the mix of programming on GB News, from Mr. Wootton's commentary to Mr. Neil's interviews, suggested that it was trying to strike that balance.

"They're not trying to bust the rules," said Stewart Purvis, a former chief editor at the broadcaster ITN, who oversaw content and standards at Ofcom. "They're trying to understand the rules."

More than a British version of Fox, Mr. Purvis said, GB News was an example of "grievance television." Its targets are the media establishment, personified by the BBC, and the politically correct precincts of academia and government. That will appeal to its mainly pro-Brexit audience, he said. But when Mr. Neil is not on the air, GB News fills the time with far less well-known figures.

"What we've never had before in British television is a succession of young people just talking to each other," Mr. Purvis said. "Whether there is an audience for endless, anti-woke, happy talk is less clear."

Anna Joyce contributed reporting.


GitLab fixes serious SSRF flaw that exposed orgs' internal servers – The Daily Swig

John Leyden, 17 June 2021 at 15:03 UTC. Updated: 17 June 2021 at 15:06 UTC

DevSecOops

Programming code-share platform GitLab has fixed a server-side request forgery (SSRF) issue in a software library after the problem was flagged by a security researcher.

Server-side request forgery is a class of web security vulnerability that allows an attacker, for example, to force a vulnerable server to make a connection to internal services within an organization's infrastructure.

Researcher Vin01 discovered that GitLab's CI Lint API, a library related to code handling and managing developer workflows, was flawed.


After discovering the problem last December, the researcher reported it to GitLab, which responded by publishing a temporary fix in February.

GitLab followed up with a more complete patch early this month, clearing the way for Vin01 to publish a detailed technical write-up of their findings.

The affected CI Lint API is used to validate CI/CD YAML configuration for GitLab instances. "A flaw in the technology, if left unaddressed, created a means for miscreants to steal sensitive info such as passwords and cloud service credentials," Vin01 told The Daily Swig.

"Installations which had a particular configuration in place to allow internal network requests from GitLab were vulnerable to server-side request forgery (SSRF), where an attacker could have sent a request to internal servers by jumping from the public facing GitLab servers.

"These internal servers are usually not exposed to the internet as they are only meant to be used internally and may contain sensitive information like passwords, API keys, cloud service credentials, which could have been stolen as a result of this vulnerability.

"Public facing GitLab servers are quite common, and the issue in hand was exacerbated because no authentication was required in order to exploit it."

The vulnerabilities are tracked as CVE-2021-22175 and CVE-2021-22214.


"In my research I saw hundreds of vulnerable GitLab servers including but not limited to many open source projects, government departments and universities which use GitLab for hosting their code and integrate it with their infrastructure," Vin01 added.

The security researcher has put together a small script to test whether a GitLab server is vulnerable, available on GitHub.

Vin01 praised GitLab's handling of the disclosure process, adding that even though they have since privately warned many affected organizations about their exposure to the flaw, there are still many vulnerable instances.



We did much better than how we did in a non-pandemic year – THE WEEK

Much has been said about the virtual mode of learning. Were engineering and technical colleges in a better position to adapt to online teaching?

Naturally, yes indeed. Many technical colleges were already using different digital platforms, online tools and NPTEL (National Programme on Technology Enhanced Learning) courses prior to Covid-19. Hence it was easy for technical colleges to migrate to online education. Secondly, most of the institutions have [the open source] MOODLE-based education [system] or their own learning management system. Plus, the ministry of human resource development's MOOC (massive open online course) portal, SWAYAM, which started about three-and-a-half years ago, has over 3,000 courses and 10 million plus users. Other institutions, like arts and commerce colleges or even schools, had little exposure to online methodology. There are certainly difficulties in remote, rural areas. But even there, people have been innovative. There are common service centres, what we call CSCs, in almost all the blocks and villages, where there are computers, internet and power supply. SWAYAM's counterpart, in the form of SWAYAM PRABHA direct-to-home channels, too, is easily available with a simple dish antenna anywhere, for free.

Many courses are also posted on the website. So, the digital divide is bare minimum. In fact, if a level-playing field can be created, it is only through digital technology. Because in order to have education for all, if you have to build brick-and-mortar infrastructure and induct a huge number of faculty, it will be expensive. The online mode is much more economical. And fortunately, in India, fibre optic connectivity has reached almost all the villages.

Many people lost their jobs and could not pay the fees for their children.... I found that many philanthropists are coming forward and are saying that they will take care of the fees.

How have colleges under the AICTE fared since the pandemic struck?

In March, when the first lockdown started, we set up a helpline. Many students having difficulty with food, hostel accommodation, transport, medical aid and other essentials were connected to people ready to help. So there were philanthropists and NGOs on one side and students seeking help on the other. And we did match-making using artificial intelligence tools. Then we had two hackathons, Samadhan and Ideathon, completed to sensitise students and for helping the community. We are in the midst of two other hackathons, a drug discovery hackathon and a toycathon, for developing new drugs, and indigenous toys.

We have trained 1.65 lakh faculty members in emerging areas like AI, data science, machine learning and other emerging technologies through 948 week-long programmes. We also held several one-week-long faculty development programmes covering topics like universal human values, ethics, sensitisation towards society and empathy development. Some 40,000 teachers were trained and they are, in turn, taking that to the students.

There are examination reforms to take students away from rote learning; like Bloom's Taxonomy-based examination, which has questions fostering innovation and critical thinking. All of this was done during the pandemic. We have two Guinness Book of World Records now. We trained 1.2 lakh students in a [programming] language called Python; [a] face-recognition system was taught to 1.2 lakh students in 24 hours. We have not shut our eyes to what is going on. We did much better than how we did in a non-pandemic time during the previous year.

Can you talk a little bit about the AICTE's open and distance learning (ODL) and the online education guidelines of 2021?

In terms of online and ODL education, the AICTE is clear that any course which requires a lot of laboratory experiments or hands-on work is not going to be allowed in this online mode. We [have], however, permitted computer applications and management [courses] in online mode. We added courses like travel and tourism to the list last year. Then we expanded it this year to include logistics, AI and data science. We are still not allowing courses like civil, electrical, mechanical or aerospace engineering in distance or online mode.

How have the enrolment figures of engineering courses been affected by Covid-19? Can you share some data?

I do not have the exact data, but, perhaps, 5 per cent, plus or minus. That is the nature of variation in the last four or five years. The total number of students entering engineering has not been increasing. That is a truth, but they are not decreasing.

They are actually getting divided into two different types of institutions. Previously there were only a few private universities or deemed-to-be universities. Most of the institutions with engineering seats were in affiliated colleges. But with a large number of private universities and many deemed universities expanding their number of seats, the intake has spread out. There are institutions which have engineering seats with a capacity of 10 to 12 colleges. So naturally, if there are such large institutions, they will absorb most of the students, and the affiliated colleges get affected and it [causes] an impression that there are less admissions.

The data which we receive about admissions in engineering are from the affiliated colleges. So it looks like there is a decrease in the number of engineering admissions, but, overall, actually it is almost steady. With the pandemic, many people lost their jobs and could not pay the fees for their children. So maybe 5 per cent to 10 per cent less admissions would have happened. But, this time I have found that many philanthropists are coming forward and are saying that they will take care of the fees of students who cannot afford it. This is a good sign of giving back to society.

And placement? How has that suffered?

Placement figures, of course, have reduced a little bit because many companies were not fully running during the lockdown. Even internships have been affected because the number of companies which allow students on their premises decreased. And like education, internships have also gone online.

But, I am very happy that two major IT companies have taken in 40,000 students from engineering colleges. So it is not as bad as what we were expecting. Once industrial activity gets back at full throttle, I am sure there will be a huge requirement of jobs and students will get placements.

What about new programmes and technologies introduced in the last one year? Any area or discipline which is now being given a push or an increased focus?

We have identified areas where emerging technologies will play an important role. They are all available as minor degrees. AI, data science, robotics, 3D printing, augmented reality, virtual reality, quantum computing, cloud computing, cyber security and data analytics. If you have a combination of AI and data science, the opportunities will double.

The March 12 guidelines call for removal of physics, chemistry and mathematics as a mandatory requirement for admissions to engineering courses. This led to widespread debates. Your comments.

We have not said that physics, chemistry and mathematics are not required. This is absolutely untrue. Prior to 2005, physics, chemistry and mathematics were mandatory for engineering admissions. But, since 2005, chemistry was made optional at the time of entry. Courses such as biology and computer programming were added as alternatives. Nobody possibly noticed this and very few made use of this flexibility and thus nobody practiced it either. Very few institutions probably allowed students to join engineering programmes without chemistry. These subjects were the basis of entrance exams and may continue to be for the next whatever number of years.

We [also] added courses like graphics, drawing and vocational subjects or courses which are akin to engineering or science. Today, there are 14 such subjects at the Class 12 level which students can study to opt for engineering courses. The new education policy speaks about flexibility, multiple levels of entry and exit. If we do not open it up to the ones who may not have studied chemistry or physics in school, then that is not right. And that is where this policy is absolutely inclusive. This is giving choice to students. This is also autonomous in terms of allowing students to learn whatever they want to. There are many people in rural areas who do not know what engineering is all about. There is no science stream available in some remote areas and hence students might have missed maths or physics. Why are you stopping them if they have talent? In fact, one of the suggestions which we have often been making is that we must test aptitude rather than knowledge of physics, chemistry, or maths, which can be always taught in the engineering colleges. In fact, science and maths faculty in engineering colleges are far more qualified to train students. There are many maths, physics, chemistry and even biology courses in the AICTE's model curriculum. Thus, no student will be able to move ahead in engineering education without doing the requisite levels of maths, physics and chemistry. These are the foundations on which the entire edifice of engineering is built.


Aiven: 91% of developers say open source is in their future – VentureBeat


Enterprise adoption of open source software has grown rapidly, and 91% of developers said in a recent survey that they expect open source to make up a part of their organization's software plans in the years to come, according to Aiven, a software company that combines open source technologies with cloud infrastructure.

[Image: survey chart showing respondents listing twice as many benefits of open source as disadvantages. Image credit: Aiven]

The survey revealed growing positivity towards open source among cloud and database developers in the United Kingdom, with respondents listing twice as many benefits as they did disadvantages. The most popular advantage listed by developers was the transparency of open source code, which makes it easier to find and fix bugs quickly; 69% of respondents identified this as a key benefit. Other benefits included reduced vendor lock-in (53%) and the ability to build your own features (53%). The most cited obstacle to using open source was maintenance, which 52% of respondents viewed as a challenge. Other difficulties included configuring or installing the software (48%), a lack of support (45%), and hidden costs (27%).

Given these challenges, businesses are looking for solutions that make open source easier to adopt. 35% of respondents indicated they would opt for a managed open source solution in the future, allowing them to avoid the burden of installation and maintenance and spend more time on business-critical tasks. As businesses look to grow post-pandemic, managed solutions will likely continue to grow in demand.

Aiven's research was conducted by Resonance on behalf of Aiven in January/February 2021. The study surveyed 200 UK developers who work in large enterprises and who specialize in cloud and database technology.


The web's source code is being auctioned as an NFT by inventor Tim Berners-Lee – CNBC

Sir Tim Berners-Lee gives a speech at the Campus Party Italia 2019 on July 25, 2019 in Milan, Italy.

Rosdiana Ciaravolo | Getty Images

LONDON: British computer scientist and inventor Tim Berners-Lee is auctioning the original code for the World Wide Web as a nonfungible token.

The auction for the World Wide Web NFT titled "This Changed Everything" will be run by Sotheby's in London from June 23-30, with bidding starting at $1,000. The proceeds of the auction will benefit initiatives that Berners-Lee and his wife support, Sotheby's said.

NFTs are a type of digital asset designed to show that someone has ownership of a unique virtual item, such as online pictures and videos, or even sports trading cards.

The NFT includes original time-stamped files containing the source code written by Berners-Lee, an animated visualization of the code, a letter written by Berners-Lee on the code and its creation, and a digital "poster" of the full code. They will all be digitally signed by Berners-Lee.

It will be the first time Berners-Lee has been able to capitalize financially on what is widely viewed as one of the greatest inventions of our time.

"Three decades ago, I created something which, with the subsequent help of a huge number of collaborators across the world, has been a powerful tool for humanity," said Berners-Lee in a statement. "For me, the best bit about the web has been the spirit of collaboration. While I do not make predictions about the future, I sincerely hope its use, knowledge and potential will remain open and available to us all to continue to innovate, create and initiate the next technological transformation, that we cannot yet imagine."

He added: "NFTs, be they artworks or a digital artefact like this, are the latest playful creations in this realm, and the most appropriate means of ownership that exists. They are the ideal way to package the origins behind the web."

Cassandra Hatton, global head of science and popular culture at Sotheby's, said in a statement that the "NFT format" will allow collectors to "own the ultimate digitally-born artefact."

In March, South Carolina-based graphic designer Beeple, whose real name is Mike Winkelmann, sold an NFT for a record $69 million at a Christie's auction. Jack Dorsey, CEO of Twitter, sold his first tweet as an NFT for $2.9 million later that month.

On Thursday, a rare digital avatar known as a CryptoPunk sold at Sotheby's for over $11.7 million. Total NFT sales reached an eye-popping $2 billion in the first quarter of this year, according to data from Nonfungible, a website which tracks the market.

But there are signs that the bubble could be bursting, with sales of digital collectibles falling dramatically in recent weeks. Overall sales plunged from a seven-day peak of $176 million on May 9, to just $8.7 million on June 15, according to numbers from Nonfungible. That means volumes are now roughly back where they were at the start of 2021.

Additional reporting by CNBC's Ryan Browne.


The Internet's Original Source Code Is Coming to Auction as an NFT This Month – Yahoo Lifestyle

British computer scientist Tim Berners-Lee is auctioning the original source code for his most famous creation, the World Wide Web, as an NFT. Set to appear at a Sotheby's auction called "This Changed Everything," running from June 23 through the end of the month, the work will have a starting bid of $1,000. Sotheby's has not given an estimate for the work, though its final sale price is likely to far exceed its starting bid.

Proceeds from the sale will benefit causes supported by the MIT professor and his wife, Rosemary Leith. Sotheby's did not specify the names of the organizations to which the sale proceeds will be given.


The time-stamped files being sold contain 9,550 lines of original programming code Berners-Lee wrote. That code has since served as the foundational structure of the internet: Hypertext Transfer Protocol (HTTP), Hypertext Markup Language (HTML) and Universal Document Identified (URI). Alongside the files, a Python-backed digital poster, which serves as a visualization of the source code and carries the inventor's digital signature, will be auctioned. An additional letter penned by Berners-Lee detailing his 1989 creation, which he made while working at CERN, a physics research lab in Switzerland, will also go to the winning bidder.

"Sir Tim's invention created a new world, democratizing the sharing of information," said the auction house's global head of science and popular culture, Cassandra Hatton.

Though Berners-Lee's code has been open source since 1993, two years after the first webpage supported by his code went live, the auction represents the chance to "own the ultimate digitally-born artefact," Hatton said. As the first of its kind to be offered at auction, this version of the source code is a unique NFT that is valuable as a collector's item.


"Three decades ago, I created something which, with the subsequent help of a huge number of collaborators across the world, has been a powerful tool for humanity," Berners-Lee said in a press statement. The scientist, who also serves as the chief technology officer at Boston data startup Inrupt, said that an NFT is the ideal format and "the most appropriate means of ownership that exists" for his game-changing invention.

NFTs (non-fungible tokens) are minted as unique editions using blockchain technology. In recent months, high-profile auctions of them have set records and lent digital art a new stature within the art market. Most recently, Sotheby's sold 28 digital artworks in collaboration with crypto artist Pak for a collective $17.1 million last month. That sale followed Christie's $69 million auction of cult crypto artist Beeple's Everydays project in March.

Some sales of NFTs have drawn controversy over issues of authenticity. Digital art experts decried Christie's recent sale of five NFT versions of Andy Warhol's 1980s-era Amiga computer drawings, claiming they were essentially exhibition copies.



Microsoft: Try to break our first preview of 64-bit Visual Studio. Go on, we dare you – The Register

Microsoft has unveiled a slew of developer tools, including a preview of the 64-bit Visual Studio 2022, ahead of that developer event set for 24 June.

Preview 1 of Visual Studio 2022 comes direct from the department of never-say-never, following version after version of the toolset that remained staunchly 32-bit even as the hardware world changed around it.

The move to 64-bit was announced earlier this year and is an ambitious one considering the ecosystem and sheer size of the Visual Studio codebase.

Far be it from us to wonder how much cruft might be lurking within a product that has its roots in the previous century.

"The 64-bit conversion effort affects every part of Visual Studio, so the scope is much bigger than our usual previews," explained Microsoft senior program manager Justin Johnson in a blog on the matter. That means the first release is not so much about whizzbang new features (although there are improvements to IntelliCode, even if some bits of VS2019 are missing at present) as about seeing whether the old thing remains upright as programmers prod at it.

Microsoft is particularly keen that developers throw huge and complex solutions at the preview that would have caused wobbles in previous versions. The company boasted that "customers were able to run the IDE for days, even with solutions containing 700 (or more!) projects."

Perhaps this hack is a bit old-fashioned, but there is surely an argument to be made that, rather than allowing developer tools to expand like a helium balloon headed for space, a less bloated product might be achieved by a rethink rather than by adding yet more memory.

While Visual Studio can now chomp through more system resources, its ecosystem of extensions has not fared so well: Microsoft warned that updates would be required from vendors before those same extensions would turn up in Visual Studio 2022. This may not bode well for that one weird component that has long been abandoned but is still depended upon by a developer.

The release was joined by updates to .NET 6 and ASP.NET Core in the form of Preview 5 as well as an updated preview of the .NET Multi-platform App UI (MAUI). Microsoft also announced a developer event at 3pm ET on 24 June, hot on the heels of its "What's next for Windows" show.

After all, there is little point in having a shiny new operating system unless one can encourage developers to target code at it.


10 old software bugs that took way too long to squash – CSO Online

In 2021, a vulnerability was revealed in a system that lay at the foundation of modern computing. An attacker could force the system to execute arbitrary code. Shockingly, the vulnerable code was almost 54 years old, and there was no patch available and no expectation that one would be forthcoming.

Fortunately, that's because the system in question was Marvin Minsky's 1967 implementation of a Universal Turing Machine, which, despite its momentous theoretical importance for the field of computer science, had never actually been built into a real-world computer. But in the decade or so after Minsky's design, the earliest versions of Unix and DOS came into use, and their descendants are still with us today in the 21st century. Some of those systems have had bugs lurking beneath the surface for years or even decades.

Here are ten noteworthy and venerable bugs that were discovered in recent years.

Age: 7 years
Date introduced: 2010
Date fixed: 2017

Way back in 2011, security researcher Ralf-Philipp Weinmann discovered a recently introduced flaw in the baseband processor used in mobile phones that could conceivably be used in an attack: hackers could set up a fake cell tower, trick the phone into connecting to it, and then hijack its network connection. The flaw was corrected relatively quickly by cell phone manufacturers and then just as quickly forgotten about.

There was one problem: cell phones weren't the only devices that used those chips. "Essentially, the same cellular baseband chipset was in the telematics unit in the Nissan Leaf and a variety of other vehicles," says Jesse Michael, Principal Cyber Security Researcher at security firm Eclypsium. Several researchers (who would go on to join Eclypsium) discovered the vulnerability by experimenting with a car they got from a junkyard.


This Week In Security: Updates, Leaks, Hacking Old Hardware, And Making New – Hackaday

First off, Apple has issued an update for some very old devices. Well, vintage 2013, but that's a long time in cell-phone years. Fixed are a trio of vulnerabilities, two of which are reported to be exploited in the wild. CVE-2021-30761 and CVE-2021-30762 are both flaws in WebKit, allowing arbitrary code execution upon visiting a malicious website.

The third bug fixed is a very interesting one, CVE-2021-30737, memory corruption in the ASN.1 decoder. ASN.1 is a serialization format used in a bunch of different crypto and telecom protocols, like the PKCS key exchange protocols. This bug was reported by [xerub], who showed off an attack against a locked iPhone immediately after boot. Need to break into an old iPhone? Looks like there's an exploit for that now.

Or if we were feeling less charitable, we'd call them bloatware. Either way, researchers at Oversecured took a look and found some problems. First up is Samsung's Knox Core app, part of their enterprise security system. This core framework file can install other apps, triggered by a world-writable URI. So, first problem: anything that can load a file and call a URI can trigger an arbitrary app install. There is a second problem: part of that install process copies the app-to-be-installed to a world-readable location. This means that, with a bit of work, any other app can abuse this to read any file this system app can read, and that's all of them.

Up next is the managed provisioning app. This too allows installing apps, but has a built-in verification system, as it was based on Managed Provisioning from the Android Open Source Project (AOSP). Samsung added features, one of which is a flag to disable the verification. Oh, and this one installs apps as system. Please install my rootkit, Samsung. OK.

And the last problem we'll look at is the TelephonyUI app. It exposes a receiver, PhotoringReceiver, which takes two arguments: the URL to download, and the file location to write it to. This function does check that the remote server reports the file to be an image or video, but this is trivial for an attacker to spoof. The result is that an attacker can send an intent, download an arbitrary file, and write it anywhere on the phone as UID 1001, one of the system users.

Volkswagen has just confirmed that someone got access to a database of their potential and actual customers. Their letter states that a vendor left electronic data unsecured. Based on previous breaches, this is probably something like an Elasticsearch instance exposed to the Internet. So there's good and bad news here. The good: if you only made it into their database as a prospective customer, only your name, physical and email addresses, and a phone number are exposed. The bad? If you were an actual customer, that could include driver's license number, date of birth, and SSN. Watch out for targeted phishing using the information, though the more likely scenario is something like unemployment fraud committed using the information.

Though when it comes to source code, it's not really theft, just unauthorized copying. Regardless, an unnamed group claims to be in possession of 780 GB of internal data and source code from EA, and is offering access for a mere $28 million. It's unclear how the breach happened, but known bugs have been suggested, like the high-profile Microsoft Exchange bug from a few months back. Regardless, the dump includes the full source to FIFA 21 and FrostBite, EA's engine. The really bad part is the collection of API keys and other secrets that were inevitably a part of the grabbed source.

Researchers from NordLocker discovered a really big database of data, which appears to have been collected by a network of trojans. How did that malware wind up on real machines? Mostly through cracked software, it seems. An illegal Photoshop download, a Windows crack, and a handful of games. So think long and hard before you're tempted to fire up your favorite torrent client; you might just be inviting malware in.

The malware did quite a bit while it was active, too. It took a screenshot, as well as a webcam capture, uploaded files from the user's folders, captured and sent along passwords and cookies, and more. The whole trove of data seems to be 1.2 terabytes worth. Yikes.

If you haven't noticed, a growing collection of people, companies, and now nations are taking issue with Apple's walled garden approach to smartphone software. The ongoing litigation from Epic over the Fortnite game and the app store has perhaps the highest profile. But the European Union, thanks to their proposed Digital Markets Act (DMA), might soon enter the fray. This legislation aims to limit the power a digital gatekeeper can exercise over a market. Tim Cook recently gave his thoughts on the idea, and they were not entirely positive. The biggest issue? The DMA would force Apple to allow app sideloading. The official response is that sideloading would destroy the security of the iPhone.

Now let's chat about that for a moment. Is it a bit iffy to install apps on your device that haven't been vetted through the official app store? Sure. If you aren't careful, you're likely to install apps with malware, and not have a Google or Apple working to detect and automatically remove the malicious app. On the other hand, it seems just a bit over-the-top to say that this would destroy the iPhone's security. There have been plenty of vulnerabilities found in the last couple of years that can compromise the device from a simple page visit. Not to mention malicious apps that have made it into the store.

Allowing you to install any application you wanted would break Apple's stranglehold on the iOS app store. What this would mean is that Apple would miss out on a whole lot of revenue from apps like Fortnite, whose makers would be willing to build their own app store. So what do you think? Is this really the big security problem that Apple says it is, or are they just being protective of their walled garden and the benefits thereof?

Sometimes, exploits aren't notable for how serious they are, but for how educational the write-up is. Firmly in that category is this story of getting a remote shell on an ancient Linksys WRT54GL. Quick note: the L there stands for Linux, and this particular router exists because the WRT54G was the grand-daddy of custom router firmware. A request for GPL code for the original router led a few hackers to put together their own firmware images, and DD-WRT and OpenWRT were both born out of the efforts. Router revisions happen rapidly, and soon the WRT54G had switched to VxWorks and cut the flash in half, making support just about impossible for the custom firmwares. Enough customers complained that Linksys re-released the older version as the WRT54GL.

History aside, [Elon Gliksberg] had one of the old routers, and decided to try to break in. Scan the ports with nmap: nothing interesting. The web interface? There is a diagnostic page that can send pings, so it probably runs a Linux command on the backend, so it's worth trying something like ping 192.168.1.1; echo hello; That endpoint was sufficiently sanitized that it wasn't a viable attack. A bit of decompiling did lead to one call of system() that could be abused, though. That call was in the post-upgrade logic, to restore the user-interface language. Set the language to some shellcode, and you get execution. From there, it was just the task of getting the reverse shell compiled for that specific device, and using the built-in wget to fetch it.

So here's the irony: this vulnerability is launched as part of uploading firmware, and this device is just about the most widely supported target for custom firmware in the world. You can install your own Linux image on it with the same access this hack requires. Irony aside, the value here is walking through the process, which is well written out, and full of tips for trying to find your own exploit.
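To make the pattern behind that system() call concrete, here is an added C illustration (not code from the write-up or from the router firmware): the shell-string construction that makes a user-supplied language value dangerous, beside an allow-list check and an argv-based restore that never hands the value to a shell. The helper name setlang and the language list are constructed placeholders, since the write-up names neither.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed names: the write-up does not name the firmware helper or
 * its language list, so "setlang" and known_langs are placeholders. */
static const char *const known_langs[] = { "en", "de", "fr", "ja", "zh_CN" };

/* Vulnerable pattern: the language value from the upgrade request is
 * spliced verbatim into a shell command string. This returns the string
 * that would reach system(); the example never executes it. */
const char *build_restore_cmd_unsafe(const char *lang)
{
    static char cmd[128];
    snprintf(cmd, sizeof cmd, "setlang %s", lang);
    return cmd;    /* for "en; echo hello" the shell would see two commands */
}

/* Hardened check: an allow-list of codes the firmware ships is stricter
 * than stripping metacharacters, which is what the ping page relied on. */
bool is_valid_lang(const char *lang)
{
    size_t len = strlen(lang);
    if (len == 0 || len > 8) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)lang[i];
        if (!isalnum(c) && c != '_') return false;   /* rejects ; | ` $ & etc. */
    }
    for (size_t i = 0; i < sizeof known_langs / sizeof known_langs[0]; i++)
        if (strcmp(lang, known_langs[i]) == 0) return true;
    return false;
}

/* Hardened restore: the validated value is placed in an argv array for
 * execv(), so no shell ever parses it. Returns NULL when validation fails. */
const char **restore_argv(const char *lang)
{
    static const char *argv[3];
    if (!is_valid_lang(lang)) return NULL;
    argv[0] = "setlang";
    argv[1] = lang;
    argv[2] = NULL;
    return argv;
}
```

The unsafe builder shows why the injected "; echo hello" from the ping experiment would have worked here: the separator survives into the command string, whereas the allow-list rejects it before any process is started.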

A couple of weeks ago, we covered a nifty new project, the WiFi Wart. Well, [Ryan] is still at it, and has an update on his progress. There's good news, like finishing the design of the first prototype boards, sourcing the components, and actually assembling a trio of the test boards. Then there was some bad news, like discovering the hard way that the Low Dropout Regulator (LDO) he ordered was a 3.3 V component, instead of the needed 2.5 V. That's one board with dead components, and time spent waiting on the replacement parts. Such is the way of things when building new hardware. We'll keep you up to date with this promising project, as updates are available.
