40s Newsletter
- Apple will hold a press conference in March or April: push the iPhone SE3
- Developers deliberately destroy well-known NPM open source libraries for no pay, causing heated discussions
- Apple to pay developers a record $60 billion in 2021
- Log4j-like vulnerability found in H2 database
- 19-year-old hacked 25 Tesla cars remotely, says he exploited software flaw
- To avoid attacks, security researchers call for Apple to disable '2G'
- Linux is preparing to finally remove support for the a.out format
- Chrome will block external domains from accessing the local network
- Linux 5.16 released with many improvements, fixes
- Google launches Chrome 98 beta, supports color gradient vector fonts
- Linux 5.16 Developer Statistics
- KeePass 2.50 released with significant increase in key derivation capabilities
- Rust 1.58.0 Released, Introducing Captured Identifiers
- KDE Plasma 5.24 Beta Released
Industry information
Apple will hold a press conference in March or April: push the iPhone SE3
According to the latest US media reports, Apple is currently planning to hold an event in March or April this year to launch an iPhone SE3 that supports 5G networks. The event will again be held online. According to earlier statements, the new third-generation iPhone SE will be released this year with 5G support and an upgraded A-series chip, but no change in appearance. Over the past two years there have been many rumors about the iPhone SE3. Some claimed it would get a new design similar to the iPhone 11, with narrower bezels and no Touch ID, while other rumors say its appearance will not change. The redesigned iPhone SE has reportedly been delayed until 2024.
Developers deliberately destroy well-known NPM open source libraries for no pay, causing heated discussions
Recently, Marak Squires, the author of the well-known open source tool faker.js, deliberately sabotaged the open source libraries "faker.js" and "colors.js" on GitHub, emptied all of the projects' code, and left the word "endgame" in the commit. The README reads "What really happened with Aaron Swartz?" (Swartz was an American programmer, entrepreneur, and well-known hacktivist who committed suicide after being prosecuted.) Marak reportedly sabotaged the projects because he was not being paid. Earlier, in September 2020, Marak, who had bomb-making material in his home, was suspected of having "mental problems" and was charged with reckless endangerment. In November he posted a demand that companies using faker.js pay him, or he would stop maintaining it.
Marak has now been suspended from GitHub, and NPM has reverted the faker.js package to the previous version. His move has caused a lot of controversy online: information security expert VessOnSecurity called the behavior "irresponsible", and software engineer Sergio Gómez called it "kidnapping" and argued that decentralized hosting of free open source code needs to be started.
Apple to pay developers a record $60 billion in 2021
Apple said it paid developers a total of $60 billion in 2021. In addition, the App Store has paid developers a total of $260 billion since 2008, which shows that App Store sales are still growing at a record pace. As of 2019 and 2020 the cumulative amounts Apple had paid to developers were $155 billion and $200 billion respectively, which means that Apple paid $45 billion to app developers in 2020.
Foreign media reported that Apple’s payments to developers accounted for 70% to 85% of total sales in Apple’s App Store, and App Store sales accounted for 15% to 30% of digital app purchase sales. Analysts estimate that Apple's App Store sales are still growing rapidly.
Log4j-like vulnerability found in H2 database
Recently, a security researcher at JFrog Security (a software distribution platform) discovered a critical JNDI-based vulnerability in the console of the H2 database (an open source Java SQL database), similar to Log4Shell in the Apache Log4j logging library. The vulnerability is now tracked as CVE-2021-42392.
On Jan. 10, senior officials at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that the fight against the Log4j security flaw will be a protracted one. On a conference call that day, CISA director Jen Easterly told reporters that, although there are many undisclosed attacks, US federal agencies have not seen any significant attack directly exploiting the Log4j vulnerability, other than the attack on the Belgian Ministry of Defense.
19-year-old hacked 25 Tesla cars remotely, says he exploited software flaw
David Colombo, a 19-year-old German security researcher, said a few days ago that he found a software flaw in Tesla's systems that allowed him to remotely access more than 25 Tesla electric vehicles in 13 countries and turn off their security systems. Colombo, who describes himself as an "information technology expert," said on Twitter on Tuesday that the flaw allowed him to remotely open doors and windows, start the car without a key, and disable the vehicle's security systems. Colombo also said he has been in touch with Tesla's security team, that Tesla is currently investigating the issue, and that it will keep him informed of any updates.
To avoid attacks, security researchers call for Apple to disable '2G'
Last year, Google introduced a "disable 2G" option for new Android smartphones, which provides some protection against cell-site simulators, an intrusive police surveillance technique used across the country. 2G has many security weaknesses that leave users vulnerable to attack, so it is good that Google implemented this option, but iPhone users are in a different position because Apple does not offer a way to disable 2G. In response, Cooper Quintin, a security researcher and technologist at the EFF, called on everyone to ask Apple to add the same option.
Linux is preparing to finally remove support for the a.out format
On January 13, Linux kernel developer Borislav Petkov proposed a patch to remove a.out support from the kernel. Linux relied on the a.out format until v1.2 in the mid-90s, when ELF became the popular binary file format. Although a.out has not been widely used on Linux for many years, it was only in 2019 that a.out binaries on 32-bit x86 were formally deprecated. The other upstream developers who have responded so far support removing the deprecated a.out code. Some old system calls and other unused kernel code may also be cleaned up in the process.
Chrome will block external domains from accessing the local network
To prevent malicious scripts from silently making HTTP requests to the local network from the browser, Chrome will implement a new W3C specification called Private Network Access (PNA) to block this kind of abuse. The feature will be launched in the first half of this year. PNA introduces a mechanism in Chrome under which an external domain must ask for permission before it tries to connect to a device on the local network; if the local device (for example a server or router) does not respond to that request, the attempt to establish the connection will be blocked.
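As an added illustration (not code from the newsletter or from Chromium), the following models the decision PNA asks the browser to make: classify the initiator and the target into address spaces, treat a request into a more trusted space as a private network request, and allow it only if the target answered the permission preflight and opted in. The address-space names and the opt-in header follow the W3C draft; the IPv4-only classifier and the `decide` helper are assumptions made for this example.

```javascript
// Address spaces from least to most trusted, as in the PNA draft.
const SPACE_RANK = { public: 0, private: 1, local: 2 };

// Classify a dotted-quad IPv4 literal into a PNA address space.
// Assumption for this example: IPv4 only; anything unparsable counts as public.
function addressSpace(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return 'public';
  const [a, b] = m.slice(1, 3).map(Number);
  if (a === 127) return 'local';                         // loopback
  if (a === 10) return 'private';                        // 10.0.0.0/8
  if (a === 172 && b >= 16 && b <= 31) return 'private'; // 172.16.0.0/12
  if (a === 192 && b === 168) return 'private';          // 192.168.0.0/16
  if (a === 169 && b === 254) return 'private';          // link-local
  return 'public';
}

// A request is a "private network request" when the target sits in a more
// trusted space than the page that initiated it (e.g. public page -> router).
function isPrivateNetworkRequest(initiatorIp, targetIp) {
  return SPACE_RANK[addressSpace(targetIp)] > SPACE_RANK[addressSpace(initiatorIp)];
}

// Decide whether the real request may be sent. `preflight` holds the target's
// response headers to the permission preflight, or null if the device never
// replied (the "does not respond" case described above).
function decide(initiatorIp, targetIp, preflight) {
  if (!isPrivateNetworkRequest(initiatorIp, targetIp)) {
    return { allowed: true, reason: 'not a private network request' };
  }
  if (preflight === null) {
    return { allowed: false, reason: 'target did not answer the preflight' };
  }
  if (preflight['access-control-allow-private-network'] !== 'true') {
    return { allowed: false, reason: 'target did not opt in' };
  }
  return { allowed: true, reason: 'target opted in via preflight' };
}

// Constructed sample: a public page trying to reach a home router.
console.log(decide('203.0.113.10', '192.168.1.1', null));
console.log(decide('203.0.113.10', '192.168.1.1',
  { 'access-control-allow-private-network': 'true' }));
```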
Latest technical developments
Linux 5.16 released with many improvements, fixes
On January 9, Linux 5.16 was released, and the kernel has been upgraded to the stable version.
Major updates
- FUTEX2 futex_waitv system call to help Steam Play (and Wine);
- AMD Ryzen 6000 mobile series is taking better shape;
- Intel's AMX support for Sapphire Rapids has landed;
- Big performance improvements for AMD Ryzen systems with Radeon graphics, and many other hardware improvements
Google launches Chrome 98 beta, supports color gradient vector fonts
Following the release of Chrome 97 last week, Google upgraded Chrome 98 to a beta version. In Chrome 98, there are some small improvements, mainly for developers.
Major updates
- Support COLRv1 color gradient vector font as a new font format;
- CSS media queries for HDR color: dynamic-range and video-dynamic-range;
- Support for controlling window.open() behavior, whether it's a popup in a new window, a new tab, etc.
Linux 5.16 Developer Statistics
The recently released Linux 5.16 includes 14,190 changesets from 1,988 developers. That number of developers is second only to the 2,062 of Linux 5.13, making it the second highest in history, and 296 developers contributed patches to the kernel for the first time. By changeset count, the five most active developers were Michael Straube, Cai Huoqing, Jakub Kicinski, Christoph Hellwig and Bart Van Assche. Michael Straube's contributions focused mainly on the r8188eu wireless network card driver; Cai Huoqing (probably a Baidu developer, having previously sent email from an @baidu.com address) contributed a large volume of changes; Jakub Kicinski improved the networking subsystem; Christoph Hellwig's contributions focused on the block and filesystem layers; and Bart Van Assche modified the SCSI subsystem code.
KeePass 2.50 released with significant increase in key derivation capabilities
KeePass 2.50 has now been released as a stable version, and the performance of its key derivation functions has been significantly improved.
Major updates
- AES-KDF is about twice as fast on Windows, and about 4 times faster on Linux if the libgcrypt library is installed;
- Improved detection of Brave, Epiphany, Pale Moon and Vivaldi browsers;
- Improved key handling in Password Manager;
- Improved handling of exclusive key providers and more
Rust 1.58.0 Released, Introducing Captured Identifiers
On January 13, the Rust team announced the release of Rust 1.58.0.
Major updates
- Captured identifiers in format strings;
- Changed `Command` search path behavior on Windows;
- `#[must_use]` attribute added to more of the standard library;
- Plus new library stabilizations and other improvements
KDE Plasma 5.24 Beta Released
Before the stable release, KDE released Plasma 5.24 Beta.
Major updates
- Wayland improvements;
- Improvements to Breeze theme;
- Various system tray and widget improvements;
- Changes to KDE system settings;
- New KWin overview effect;
- Lots of Discover improvements, lots of fixes and more