1604281080
Like our global community, we’ve had a year of challenges and extremes at GitHub, and I’m grateful every day for our culture as our foundation of strength and resilience. We started our fiscal year in July 2019 on a beautiful day in Austin, Texas, where we gathered ~950 Hubbers for our Company Summit. We were so happy to be together, many of us meeting for the first time, enjoying the positive impact we are having for developers and getting ready for the biggest year of growth in our history. Our theme was Forward Together. That energy carried us into 2020, launching new products and services, acquiring high value security, analytics, package registry, and DevOps companies to advance GitHub, and continuing to grow with new Hubbers joining us every two weeks. There was a momentum and sense of purpose in our everyday activities.
#company #github
1594753020
Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker.
The Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies.
Other flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO.
Attacks on the management interface of the products could result in system compromise by an unauthenticated user on the management network; or system compromise through cross-site scripting (XSS). Attackers could also create a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, could result in the compromise of a local computer.
“Customers who have configured their systems in accordance with Citrix recommendations [i.e., to have this interface separated from the network and protected by a firewall] have significantly reduced their risk from attacks to the management interface,” according to the vendor.
Threat actors could also mount attacks on Virtual IPs (VIPs). VIPs, among other things, are used to provide users with a unique IP address for communicating with network resources for applications that do not allow multiple connections or users from the same IP address.
The VIP attacks include denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user; or remote port scanning of the internal network by an authenticated Citrix Gateway user.
“Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices,” according to the critical Citrix advisory. “Customers who have not enabled either the Gateway or Authentication virtual servers are not at risk from attacks that are applicable to those servers. Other virtual servers e.g. load balancing and content switching virtual servers are not affected by these issues.”
A final vulnerability has been found in Citrix Gateway Plug-in for Linux that would allow a local logged-on user of a Linux system with that plug-in installed to elevate their privileges to an administrator account on that computer, the company said.
#vulnerabilities #adc #citrix #code injection #critical advisory #cve-2020-8187 #cve-2020-8190 #cve-2020-8191 #cve-2020-8193 #cve-2020-8194 #cve-2020-8195 #cve-2020-8196 #cve-2020-8197 #cve-2020-8198 #cve-2020-8199 #denial of service #gateway #information disclosure #patches #security advisory #security bugs
1603861600
If you have project code hosted on GitHub, chances are you might be interested in checking some numbers and stats such as stars, commits and pull requests.
You might also want to compare some similar projects in terms of the above mentioned stats, for whatever reasons that interest you.
We have the right tool for you: the simple and easy-to-use little tool called GitHub Stats.
Let’s dive right into what we can get out of it.
This interactive tool is really easy to use. Follow the three steps below and you’ll get what you want in real-time:
1. Head to the GitHub repo of the tool
2. Enter as many projects as you need to check on
3. Hit the Update button beside each metric
In this article we are going to compare the three most popular machine learning projects for you.
#github #tools #github-statistics-react #github-stats-tool #compare-github-projects #github-projects #software-development #programming
1597068204
Researchers identified serious flaws in Qualcomm’s Snapdragon SoC and the Hexagon architecture that impacts nearly half of Android handsets.
Six serious bugs in Qualcomm’s Snapdragon mobile chipset impact up to 40 percent of Android phones in use, according to research released at the DEF CON Safe Mode security conference Friday.
The flaws open up handsets made by Google, Samsung, LG, Xiaomi and OnePlus to DoS and escalation-of-privileges attacks – ultimately giving hackers control of targeted handsets. Slava Makkaveev, a security researcher with Check Point, outlined his discovery and said while Qualcomm has provided patches for the bug, most OEM handset makers have not yet pushed out the patches.
The faulty Qualcomm component is the mobile chip giant’s Snapdragon SoC and the Hexagon architecture. Hexagon is a brand name for Qualcomm’s digital signal processor (DSP), part of the SoC’s microarchitecture. The DSP controls the processing of real-time requests between the Android user environment and the Snapdragon processor’s firmware – in charge of turning voice, video and services such as GPS location sensors into computationally actionable data.
Makkaveev said the DSP flaws can be used to harvest photos, videos, call recordings, real-time microphone data, and GPS and location data. A hacker could also cripple a targeted phone or implant malware that would go undetected.
The six flaws are CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209. Using a fuzzing technique against handsets with the vulnerable chipset, Check Point was able to identify 400 discrete attacks.
The prerequisite for exploiting the vulnerabilities is the target would need to be coaxed into downloading and running a rogue executable.
Qualcomm declined to answer specific questions regarding the bugs and instead issued a statement:
“Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.” – Qualcomm Spokesperson
The flaws were brought to Qualcomm’s attention between February and March. Patches were developed by Qualcomm in July. A cursory review of vulnerabilities patched in the July and August Google Android Security Bulletins reveals that patches haven’t yet been pushed to handsets. For that reason, Check Point chose not to reveal technical specifics of the flaws.
The technical details that are available can be found in a DEF CON Safe Mode video posted online, in which Makkaveev shares some technical specifics.
#hacks #mobile security #vulnerabilities #cve-2020-11201 #cve-2020-11202 #cve-2020-11206 #cve-2020-11207 #cve-2020-11208 #cve-2020-11209 #def con safe mode #digital signal processor #dos #dsp #escalation of privileges attack #google #hexagon architecture #lg #oneplus #qualcomm #samsung #snapdragon #soc #xiaomi
1621023240
The little things are the big things
Since I started my journey in Software Engineering three years ago, there have been plenty of times that I’ve found the field to be non-inclusive. The most egregious of these is in the term “master-slave” architecture and the fact that I start off every day on Github requesting updates from “master.”
Even worse is that in Software Engineering “machines” are often called “workers” so I’ve heard people _at work_ discuss “killing the slave [workers]” when talking about taking down servers.
Recently, Github made a transition from labeling their main branches as the “master” branch in an effort to promote more inclusive language and today I created my first repo on Github where the term “master” has been renamed to “main.”
This is in line with a number of changes across the tech industry to shift towards more inclusive language and it is a _massive_ understatement to say that this change, while small, is incredibly satisfying.
“master” has now been replaced with “main” in new repos
It may seem small. However, many, if not most, minorities currently in Software Engineering roles have found their own ways to suppress or repress these daily references to slavery — while many of our white colleagues don’t think twice when they interact with “master” or “slave” terminology in their daily work.
More importantly, recruiters and those complaining about the (alleged) ever-elusive “pipeline problem” of getting minorities into tech have no idea how much of a road block unnecessarily non-inclusive terms like “master” and “slave” have in causing many minorities who do enter the “pipeline” to leave at higher rates than their white counterparts.
#diversity-in-tech #inclusion #github