Tuesday, February 3, 2015

Google Not Going to Fix WebView Flaws That Put 60 Percent of Android Users at Risk


Google has decided not to fix vulnerabilities in WebView for Android 4.3 and older, sparking heated discussions among developers.

Those versions of WebView run on the WebKit browser. Fixing them "required changes to significant portions of the code and was no longer practical to do so safely," Adrian Ludwig, lead engineer for Android security, explained last week in a post.

Ludwig recommended steps users and developers can take to mitigate the potential exploitation of WebView vulnerabilities without updating to Lollipop, or Android 5.0.

The decision will leave 930 million users of Android devices in the lurch, Tod Beardsley warned earlier this month.

Let 'Em Eat Cake!

Users should employ a browser that has its own content renderer and is regularly updated, Ludwig suggested.

Chrome and Firefox are securely updated through Google Play, he pointed out. Firefox is supported on Android 2.3 and higher, while Chrome is supported on Android 4.0 and higher.

Consumers should load content only from trusted sources, Ludwig advised.

Developers should "confirm that only trusted content ... is displayed within WebViews in their application," he said. They should consider providing their own renderer on Android 4.3 and earlier so they can update it with the latest security patches.

Everybody's Going for Shiny New Stuff

"With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices," Ludwig observed.

Android 4.4, aka "KitKat," introduced a new WebView component based on the Chromium open source project. It includes an updated version of the V8 JavaScript engine and support for modern Web standards not in the earlier version of WebView.

However, Google's own statistics tell a different tale.

Figures from a seven-day period ending Jan. 5 posted on the Android Developers Dashboard indicate Jelly Bean had 46 percent of the market and KitKat 39 percent. Ice Cream Sandwich had 6.7 percent and Gingerbread 7.8 percent. Lollipop didn't make the cut for the dashboard, which doesn't display any versions with less than 0.1 percent distribution.

In other words, a good 60 percent of Android users are at risk from WebView flaws.

Still, "generally speaking, Google can't go back and support all the old versions," said Al Hilwa, a research program director at IDC.

"You have to have a cutoff at some point and go forward," he told TechNewsWorld. "That's pretty normal for the industry."

Reactions to Ludwig's Ideas

"Telling app developers to just provide your renderer rather than you guys handling your own screw-ups? What a joke," wrote Jake Weisz in response to Ludwig's post. Stating the fix is expensive or difficult "is not an excuse because it's Google's responsibility."

Also, "as a developer of an app that renders content from the open Web, I feel like [the suggestion devs provide their own renderer] badly misrepresents and underestimates the work involved in such a task," Chris Lacy wrote. "Building and shipping a Web render is an absolutely massive task."

From a developer perspective, "it isn't right for Google to not provide backward compatibility or at least a support library for most of the vulnerabilities," said Anirudh Pothani, head of Android development at Copper Mobile.

"This isn't the first time Google has done something to make developers' lives hard by not providing backward compatibility," he told TechNewsWorld.

In most cases, developers "might require a custom implementation of the WebView" to patch the vulnerability, Pothani said.

However, most developers might not do anything to fix the problem, because the independents might not have the time to write their own WebView, he noted, while for corporate devs, most companies "do not provide adequate time to fix issues which might need them to rewrite the core framework being used in their app."

Courtesy:- Tech News World
By:- Richard Adhikari

7 Amazing Tools To Embrace DevOps During Software Development

There was a time when developers and operations had a hate-hate relationship. Production code updates were never done in a way that benefited developers, who also suffered a lot at the hands of the administrators in charge of keeping the servers running smoothly. Since DevOps arrived, the battleground has gone quiet, as DevOps tools have largely bridged the gap. Here are seven of the best DevOps tools, which promise to make life easier for developers as well as sysadmins:




1. Atlas: 

This tool was introduced recently to provide visibility into infrastructure such as servers, containers and virtual machines. Atlas is built on open source projects like Vagrant, Packer, Serf, Consul and Terraform, and it enables DevOps across cloud platforms like AWS, Google Compute Engine, Azure and OpenStack. Companies are considering Atlas as part of their customer engagement platform.

2. Chef: 

This is a systems and cloud infrastructure framework for automating the building, deployment and management of infrastructure. The tool uses short scripts called 'recipes', but its real power is realised only when its pluggable configuration modules are used. Chef is mostly used by Facebook, and the internal Chef framework at Facebook has recently been open sourced too. The University of Pennsylvania’s Wharton School also uses Chef. It opens the door for more collaboration and efficiency across organisations.

3. Docker: 

Docker is used to bring portability to applications through its popular containerisation technology. Through this tool, applications can run in self-contained units which can be shifted across platforms. It includes Docker Engine, a lightweight runtime and packaging tool, and Docker Hub, the cloud service used for application sharing and workflow automation.

4. Puppet: 

Puppet Enterprise offers data center orchestration, as it automates the configuration and management of machines and software. Puppet has recently released Version 3.7, which features Puppet Apps, applications for IT automation and so on. An open source version of Puppet is also available. Stanford University uses the open source version, which helps bridge the gap between software development and system administration teams. Developers are now getting more involved with system administration, while sysadmins are also more involved with software development, enabling quicker development of applications.

5. SaltStack: 

It provides system management for data automation, server provisioning, cloud building and application configuration. SaltStack is used to automate environments that rely mostly on virtual machines for production and staging. SaltStack is a common language to manage servers.

6. ScriptRock GuardRail: 

This tool is used for configuration monitoring, and it also helps users ensure that the production environment is similar to the QA, test and dev environments. It is effective against configuration drift and can also create human-readable tests.

7. Splunk: 

This tool can detect and fix issues in real time across the application lifecycle. Developers can visualise data from production environments even without any access to production machines. With Splunk, users get help with DevOps processes like integration and deployment. Splunk is widely used and can change how production systems are operated.

Courtesy Java World

6 Best DNS Services To Keep You Protected From Malware And Phishing Attacks!

Security software is a trending issue these days, when phishing sites, botnets, intrusive advertising and unwanted visitors are quite common. DNS services can be a good option to protect unwary surfers from all these kinds of threats. DNS, or the Domain Name System, is used every time we surf the web. Every time we type a site name into the browser, DNS is asked for the IP address of that domain, and then the browser contacts the Web server and pulls in content for you.



So basically, DNS servers are the mediators between a browser and a website. There are also some third-party DNS services which are highly useful for both users and network admins. These third-party services are used for content filtering, malware blocking, protection from botnets and so on. In this list, we give you the names of six DNS services which provide this kind of content-filtering protection:

1. Comodo Secure DNS

This service can be used for personal use only. The addresses for this DNS service are 8.26.56.26 and 8.20.247.20. It's a free service which can block harmful websites that contain malware and spyware. It offers security solutions like SSL certificates, secure email services etc. If this DNS blocks a site, it displays a warning page. The warning explains why the page is blocked, and the user is allowed to disregard the warning if they want to.

2. Dyn Internet Guide

This DNS service can be used for both personal and business purposes and the addresses are 216.146.35.35 and 216.146.36.36. It's again a free service which is used both personally and commercially. It's pre-configured in such a way that it blocks malware and phishing sites automatically. It's also capable of customisable content filtering and it lets users block up to 30 pre-defined content categories. If any site is blocked, an alert page shows why the particular site has been blocked, though the user is allowed to bypass the warning and continue using the site.

3. FoolDNS

Users can use this DNS service for both personal and business purposes. Addresses are 87.118.111.215 and 213.187.11.62. It provides both free and commercial services for home and small business use. It blocks online tracking, profiling and advertisements, malware and phishing sites. If malware is detected on a site it blocks the same.

4. GreenTeam Internet

Its addresses are 81.218.119.11 and 209.88.198.133. GreenTeam Internet provides both free and premium services for homes and small businesses. It's also pre-configured in such a way that it automatically blocks malware, phishing sites, advertisements, adult-related content and drug-related violent sites. The content filtering is customisable, though, and you can create your own whitelist and blacklist. When it blocks a site, the user is notified and can report the blocked page.

5. Norton ConnectSafe

This DNS is used for personal reasons only. It offers three kinds of service. If you opt for security only, it will block malware, phishing and scam sites; the addresses for this service are 199.85.126.10 and 199.85.127.10. If you choose security and pornography, it will block adult-related content too; its DNS addresses are 199.85.126.20 and 199.85.127.20. If you choose security, pornography and others, it will also block content related to alcohol, crime, drugs and gambling; its addresses are 199.85.126.30 and 199.85.127.30. It offers a business service too with a paid subscription.

6. OpenDNS

This DNS is used for mature personal and business purposes and the addresses are 208.67.222.222 and 208.67.220.220, 208.67.222.123 and 208.67.220.123. It offers both free and premium services and its basic free service is known as Enhanced DNS and it helps in blocking malware and phishing sites. Other service options of OpenDNS include OpenDNS FamilyShield, OpenDNS Home, OpenDNS Home VIP. Its basic business service is Umbrella which offers advanced security and management for large networks and enterprises.

Microsoft Offering Free Windows 10 For Raspberry Pi 2

Microsoft is planning to enter the Internet of Things (IoT) domain with a free version of Windows 10. The tech giant is building this free version for Raspberry Pi. Microsoft has reportedly been working with the Raspberry Pi Foundation on this joint project for the last six months.



Microsoft unveiled the ARM-based Raspberry Pi 2 yesterday. This board will come with an experimental version of Windows 10. Raspberry Pi 2 is six times faster than its predecessor. The new board comes with the Broadcom BCM2856 system-on-chip. Raspberry Pi 2 is powered by a VideoCore IV GPU along with a 900 MHz quad-core ARMv7 Cortex-A7 processor coupled with 1 GB of LPDDR2 SDRAM.

Microsoft has a vision of bringing innovation to the IoT developer community. Windows 10 for Raspberry Pi 2 is available for free as part of Microsoft’s Windows Developer Program for IoT. Raspberry Pi is priced at just $35. The open source company has sold 4.5 million Raspberry Pi units since February 2012. Raspberry Pi is the most preferred single-board computer out there. It has achieved massive popularity amongst students, developers, hobbyists and innovators in a very short time.

Last year, Microsoft launched the Sharks Cove board with CircuitCo. Sharks Cove was an Intel Atom-based quad-core board that brought a Windows 8.1 image to users. The board was powered by a 1.33 GHz Intel Atom processor coupled with 1 GB of RAM. Sharks Cove was priced at $299, including the Windows 8.1 image. Sharks Cove gained a fair amount of attention from hobbyists and hardware vendors. The board was perfect for experimentation with phones, tablets and SoCs.

Microsoft is already using the ARM architecture with Windows RT on Surface tablets. Early adopters are more than happy to know that Microsoft is offering a free experimental version of Windows 10 on Raspberry Pi 2, but the company is going to have a hard time when it starts charging for licensed copies of Windows 10 and developer tools.

Linux OS makers like Ubuntu are also coming up with distros for Raspberry Pi. Snappy Ubuntu runs flawlessly on such boards. Intel is trying to give strong competition to Raspberry Pi with its Galileo board.