10 interesting stories served every morning and every evening.
Germany’s leading data protection regulator for Facebook has banned the social network from using data from WhatsApp users.
It follows controversy of the messaging app’s latest privacy terms which the authority believes are illegal.
The move follows emergency discussions in Hamburg after WhatsApp asked users to consent to the new terms or stop using it.
WhatsApp is used by almost 60 million users in Germany.
Johannes Caspar, head of the Data Protection Authority in Hamburg said: “This order seeks to secure the rights and freedoms of the many millions of users who give their consent to the terms of use throughout Germany.
“My objective is to prevent disadvantages and damages associated with such a black-box procedure.”
The regulator suggested that the decision wasn’t just about protecting users’ privacy but also to avoid the use of data “to influence voters’ decisions to manipulate democratic choices”, citing the upcoming 26 September parliamentary elections in Germany,
The regulator will now submit the case to the European Data Protection Committee, the body responsible for enforcing the rules across the EU.
WhatsApp, which is owned by Facebook, accused the Hamburg data protection authority of misunderstanding the purpose of the update and said there was no legitimate basis for the ban.
The messaging app defended the latest privacy terms, saying they won’t affect the confidentiality of messages exchanged with friends and family, but was primarily intended to help companies communicate better with their customers via the platform, notably to allow them to sell their products directly on it.
A spokesperson for WhatsApp said: “As the Hamburg DPA’s claims are wrong, the order will not impact the continued roll-out of the update. We remain fully committed to delivering secure and private communications for everyone.”
The regulatory action has opened a new front in Germany over Facebook’s privacy policies, with its national antitrust regulator waging a legal battle over data practices it says amount to an abuse of market dominance.
Since 2018, online privacy in Europe has been subject to the General Data Protection Regulation (GDPR). Under these rules, Ireland oversees Facebook because the company’s European headquarters is there.
...
Read the original on www.euronews.com »
Enter the characters you see below
Sorry, we just need to make sure you’re not a robot. For best results, please make sure your browser is accepting cookies.
Type the characters you see in this image:
© 1996-2014, Amazon.com, Inc. or its affiliates
...
Read the original on www.amazon.com »
This website presents FragAttacks (fragmentation and aggregation attacks) which is a collection of new security vulnerabilities that affect Wi-Fi devices. An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices. Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and therefore affect most devices. On top of this, several other vulnerabilities were discovered that are caused by widespread programming mistakes in Wi-Fi products. Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.
The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997! Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings. As a result, in practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.
The discovery of these vulnerabilities comes as a surprise, because the security of Wi-Fi has in fact significantly improved over the past years. For instance, previously we discovered the KRACK attacks, the defenses against KRACK were proven secure, and the latest WPA3 security specification has improved. Unfortunately, a feature that could have prevented one of the newly discovered design flaws was not adopted in practice, and the other two design flaws are present in a feature of Wi-Fi that was previously not widely studied. This shows it stays important to analyze even the most well-known security protocols (if you want to help, we are hiring). Additionally, it shows that it’s essential to regularly test Wi-Fi products for security vulnerabilities, which can for instance be done when certifying them.
To protect users, security updates were prepared during a 9-month-long coordinated disclosure that was supervised by the Wi-Fi Alliance and ICASI. If updates for your device are not yet available, you can mitigate
some attacks (but not all) by assuring that websites use HTTPS and by assuring that your devices received all other available updates.
The research will be presented at the USENIX Security conference and a longer talk with more background will also be given at Black Hat USA
this summer.
The following video shows three examples of how an adversary can abuse the vulnerabilities. First, the aggregation design flaw is abused to intercept sensitive information (e.g. the victim’s username and password). Second, it’s shown how an adversary can exploit insecure internet-of-things devices by remotely turning on and off a smart power socket. Finally, it’s demonstrated how the vulnerabilities can be abused as a stepping stone to launch advanced attacks. In particular, the video shows how an adversary can take over an outdated Windows 7 machine inside a local network.
As the demo illustrates, the Wi-Fi flaws can be abused in two ways. First, under the right conditions they can be abused to steal sensitive data. Second, an adversary can abuse the Wi-Fi flaws to attack devices in someone’s home network.
The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone’s home network. For instance, many smart home and internet-of-things
devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately, due to the discover vulnerabilities, this last line of defense can now be bypassed. In the demo above, this is illustrated by remotely controlling a smart power plug and by taking over an outdated Windows 7 machine.
The Wi-Fi flaws can also be abused to exfiltrate transmitted data. The demo shows how this can be abused to learn the username and password of the victim when they use the NYU website. However, when a website is configured with HSTS to always use HTTPS as an extra layer of security, which nowadays close
to
20% of websites are, the transmitted data cannot be stolen. Additionally, several browsers now warn
the user when HTTPS is not being used. Finally, although not always perfect, recent mobile apps by default use HTTPS and therefore also use this extra protection.
Several implementation flaws can be abused to easily inject frames into a protected Wi-Fi network. In particular, an adversary can often inject an unencrypted Wi-Fi frame by carefully constructing this frame. This can for instance be abused to intercept a client’s traffic by tricking the client into using a malicious DNS server as shown in the demo (the intercepted traffic may have another layer of protection though). Against routers this can also be abused to bypass the NAT/firewall, allowing the adversary to subsequently attack devices in the local Wi-Fi network (e.g. attacking an outdated Windows 7 machine as shown in the demo).
How can the adversary construct unencrypted Wi-Fi frames so they are accepted by a vulnerable device? First, certain Wi-Fi devices accept any unencrypted frame even when connected to a protected Wi-Fi network. This means the attacker doesn’t have to do anything special! Two of out of four tested home routers were affected by this vulnerability, several internet-of-things devices were affected, and some smartphones were affected. Additionally, many Wi-Fi dongles on Windows will wrongly accept plaintext frames when they are split into several (plaintext) fragments.
Additionally, certain devices accept plaintext aggregated frames that look like handshake messages. An adversary can exploit this by sending an aggregated frame whose starts resembles a handshake message and whose second subframe contains the packet that the adversary wants to inject. A vulnerable device will first interpret this frame as a handshake message, but will subsequently process it as an aggregated frame. In a sense, one part of the code will think the frame is a handshake message and will accept it even though it’s not encrypted. Another part of the code will instead see it as an aggregated frame and will process the packet that the adversary wants to inject.
Finally, several devices process broadcasted fragments as normal unfragmented frames. More problematic, some devices accept broadcast fragments even when sent unencrypted. An attacker can abuse this to inject packets by encapsulating them in the second fragment of a plaintext broadcast frame.
The first design flaw is in the frame aggregation feature of Wi-Fi. This feature increases the speed and throughput of a network by combining small frames into a larger aggregated frame. To implement this feature, the header of each frame contains a flag that indicates whether the (encrypted) transported data contains a single or aggregated frame. This is illustrated in the following figure:
Unfortunately, this “is aggregated” flag is not authenticated and can be modified by an adversary, meaning a victim can be tricked into processing the encrypted transported data in an unintended manner. An adversary can abuse this to inject arbitrary network packets by tricking the victim into connecting to their server and then setting the “is aggregated” flag of carefully selected packets. Practically all tested devices were vulnerable to this attack. The ability to inject packets can in turn be abused to intercept a victim’s traffic by making it use a malicious DNS server (see the demo).
This design flaw can be fixed by authenticating the “is aggregated” flag. The Wi-Fi standard already contains a feature to authenticate this flag, namely requiring SPP A-MSDU frames, but this defense is not backwards-compatible and not supported in practice. Attacks can also be mitigated using an ad-hoc fix, though new attacks may remain possible.
The second design flaw is in the frame fragmentation feature of Wi-Fi. This feature increases the reliability of a connection by splitting large frames into smaller fragments. When doing this, every fragment that belongs to the same frame is encrypted using the same key. However, receivers are not required to check this and will reassemble fragments
that were decrypted using different keys. Under rare conditions this can be abused to exfiltrate data. This is accomplished by mixing fragments that are encrypted under different keys, as illustrated in the following figure:
In the above figure, the first fragment is decrypted using a different key than the second fragment. Nevertheless, the victim will reassemble both fragments. In practice this allows an adversary to exfiltrate selected client data.
This design flaw can be fixed in a backwards-compatible manner by only reassembling fragments that were decrypted using the same key. Because the attack is only possible under rare conditions it is considered a theoretical attack.
The third design flaw is also in Wi-Fi’s frame fragmentation feature. The problem is that, when a client disconnects from the network, the Wi-Fi device is not required to remove non-reassembled fragments from memory. This can be abused against hotspot-like networks such as eduroam and govroam
and against enterprise network where users distrust each other. In those cases, selected data sent by the victim can be exfiltrated. This is achieved by injecting a malicious fragment in the memory (i.e. fragment cache) of the access point. When the victim then connects to the access point and sends a fragmented frame, selected fragments will be combined (i.e. reassembled) with the injected fragment of the adversary. This is illustrated in the following figure:
In the above figure, the adversary injects the first fragment into the fragment cache of the access point. After the adversary disconnects the fragment stays in the fragment cache and will be reassembled with a fragment of the victim. If the victim sends fragmented frames, which appears uncommon in practice, this can be abused to exfiltrate data.
This design flaw can be fixed in a backwards-compatible manner by removing fragments from memory whenever disconnecting or (re)connecting to a network.
Some routers will forward handshake frames to another client even when the sender hasn’t authenticated yet. This vulnerability allows an adversary to perform the aggregation attack, and inject arbitrary frames, without user interaction.
Another extremely common implementation flaw is that receivers do not check whether all fragments belong to the same frame, meaning an adversary can trivially forge frames by mixing the fragments of two different frames.
Additionally, against several implementations it is possible to mix encrypted and plaintext fragments.
Finally, some devices don’t support fragmentation or aggregation, but are still vulnerable to attacks because they process fragmented frames as full frames. Under the right circumstances this can be abused to inject packets.
An overview of all assigned Common Vulnerabilities and Exposures (CVE) identifiers can be found on GitHub. At the time of writing, ICASI has a succinct overview
containing references to additional info from vendors (the CVE links below might only become active after a few days). Summarized, the design flaws were assigned the following CVEs:
* CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
Implementation vulnerabilities that allow the trivial injection of plaintext frames in a protected Wi-Fi network are assigned the following CVEs:
* CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
* CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
Other implementation flaws are assigned the following CVEs:
* CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
* CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
For each implementation vulnerability we listed the reference CVE identifier. Although each affected codebase normally receives a unique CVE, the agreement between affected vendors was that, in this specific case, using the same CVE across different codebases would make communication easier. For instance, by tying one CVE to each vulnerability, a customer can now ask a vendor whether their product is affected by a specific CVE.
Please note that this deviates from normal MITRE guidelines, and that this decision was made by affected vendors independently of MITRE, and that this in no way reflects any changes in how MITRE assigns CVEs.
Our paper behind the attack is titled Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation
and will be presented at USENIX Security. You can use the following bibtex entry to cite our paper:
The pre-recorded presentation made for USENIX Security can already be viewed online. Note that the target audience of this presentation are academics and IT professionals:
* An overview of all
attacks and their preconditions. It also contains two extra examples on how an
adversary can: (1) abuse packet injection vulnerabilities to make a victim use a malicious DNS; and
(2) how packet injection can be abused to bypass the NAT/firewall of a router.
* Slides illustrating
how the aggregation attack (CVE-2020-24588) works in practice. Performing this attack requires tricking
the victim into connecting to the adversary’s server. This can be done by making the victim download an
image from the adversary’s server. Note that JavaScript code execution on the victim is not required.
* Detailed slides
giving an in-depth explanation of each discovered vulnerability.
* Overview slides
illustrating only the root cause of each discovered vulnerability.
A tool was made that can test if clients or APs are affected by the discovered design and implementations flaws. It can test home networks and enterprise networks where authentication is done using, e.g., PEAP-MSCHAPv2 or EAP-TLS. The tool supports over 45 test cases and requires modified drivers in order to reliable test for the discovered vulnerabilities. Without modified drivers, one may wrongly conclude that a device is not affected while in reality it is.
A live USB image is also available. This image contains pre-installed modified drivers, modified firmware for certain Atheros USB dongles, and a pre-configured Python environment for the tool. Using a live image is useful when you cannot install the modified drivers natively (and using a virtual machine can be unreliable for some network cards).
Apart from a tool to test if a device is vulnerable I also made proof-of-concepts to exploit weaknesses. Because not all devices currently have received updates these attacks scripts will be released at a later point if deemed useful.
You can reach Mathy Vanhoef on twitter at @vanhoefm
or by emailing mathy.vanhoef@nyu.edu.
Yes! Mathy Vanhoef will be starting as a professor at KU Leuven University (Belgium) later this year and is looking for a PhD student. The precise topic you want to work on can be discussed. If you’re a master student at KU Leuven you can also contact me to discuss a Master’s thesis topic. Note that the DistriNet group at KU Leuven is also recruiting in security-related research fields.
If you want to do network research at New York University Abu Dhabi in the Cyber Security & Privacy (CSP)
team where the FragAttacks research was carried out, you can contact Christina Pöpper.
Yes, you can use the logo, illustrations of the aggregation
design flaw (mobile version), illustrations of the mixed key design flaw (mobile version), and illustrations of the fragment cache design flaw (mobile version).
Thanks goes to Darlee Urbiztondo for designing the logo. You can find more of her awesome graphic works here.
When the 802.11n amendment was being written in 2007, which introduced supported for aggregated (A-MSDU) frames, several IEEE members
noticed that the “is aggregated” flag was not authenticated. Unfortunately, many products already implemented a draft of the 802.11n amendment, meaning this problem had to be addressed in a backwards-compatible manner. The decision was made that devices would advertise whether they are capable of authenticating the “is aggregated” flag. Only when devices implement and advertise this capability is the “is aggregated” flag protected. Unfortunately, in 2020 not a single tested device supported this capability, likely because it was considered hard to exploit. To quote a remark made back in 2007: “While it is hard to see how this can be exploited, it is clearly a flaw that is capable of being fixed.”
In other words, people did notice this vulnerability and a defense was standardized, but in practice the defense was never adopted. This is a good example that security defenses must be adopted before attacks become practical.
Likely because it was only considered a theoretic vulnerability when the defense was created. To quote a remark made back in 2007: “While it is hard to see how this can be exploited, it is clearly a flaw that is capable of being fixed.”
Additionally, the threat model that was used in the aggregation attack, were the victim is induced into connecting to the adversary’s server, only become widely accepted in 2011 after the disclosure of the BEAST
attack. In other words, the threat model was not yet widely known back in 2007 when the IEEE added the optional feature that would have prevented the attack. And even after this threat model became more common, the resulting attack isn’t obvious.
First, it’s always good to remember general security best practices: update your devices, don’t reuse your passwords, make sure you have backups of important data, don’t visit shady websites, and so on.
In regards to the discovered Wi-Fi vulnerabilities, you can mitigate attacks that exfiltrate sensitive data by double-checking that websites you are visiting use HTTPS. Even better, you can install the HTTPS Everywhere plugin. This plugin forces the usage of HTTPS on websites that are known to support it.
To mitigate attacks where your router’s NAT/firewall is bypassed and devices are directly attacked, you must assure that all your devices are updated. Unfortunately, not all products regularly receive updates, in particular smart or internet-of-things devices, in which case it is difficult (if not impossible) to properly secure them.
More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.
These days a lot of websites and apps use HTTPS to encrypt data. When using HTTPS, an adversary cannot see the data you are transmitting even when you are connected to an open Wi-Fi network. This also means that you can safely use open Wi-Fi hotspots as long as you keep your devices up-to-date and as long as you assure that websites are using HTTPS. Unfortunately, not all websites require the usage of HTTPS (i.e. they’re not using HSTS), meaning they remain vulnerable to possible attacks.
At home, the security of your Wi-Fi network is also essential. An insecure network means that others might be able to connect to the internet through your home. Additionally, more and more devices are using Wi-Fi to transfer personal files in your local network without an extra layer of protection (e.g. when printing files, smart display screens, when sending files to a local backup storage, digital photo stands, and so on). More problematic, a lot of internet-of-things devices have tons of security vulnerabilities that can be exploited if an adversary can communicate with them. The main thing that prevents an adversary from exploiting these insecure internet-of-things devices is the security of your Wi-Fi network. It therefore remains essential to have strong encryption and authentication at the Wi-Fi layer.
At work, the security of Wi-Fi is also essential for the same reasons as mentioned above. Additionally, many companies will automatically allow access to sensitive services when a user (or adversary) is able to connect to the Wi-Fi network. Therefore strong Wi-Fi security is also essential in a work setting.
Using a VPN can prevent attacks where an adversary is trying to exfiltrate data. It will not prevent an adversary from bypassing your router’s NAT/firewall to directly attack devices.
The seeds of this research were already planted while I was investigating the KRACK attack. At that time, on 8 June 2017 to be precise, I wrote down some notes to further investigate (de)fragmentation support in Linux. In particular, I thought there might be an implementation vulnerability in Linux. However, a single unconfirmed implementation flaw isn’t too spectacular research-wise, so after disclosing the KRACK attack I decided to work on other research instead. The idea of inspecting (de)fragmentation in Wi-Fi, and determining whether there really was a vulnerability or not, was always at the back of my mind though.
Fast-forward three years later, and after gaining some additional ideas to investigate, closer inspection confirmed some of my hunches and also revealed that these issues were more widespread than I initially assumed. And with some extra insights I also discovered all the other vulnerabilities. Interestingly, this also shows the advantage of fleshing out ideas before rushing to publish (though actually finishing the paper before submission was still a race against time..).
In experiments on more than 75 devices, all of them were vulnerable to one or more of the discovered attacks. I’m curious myself whether all devices in the whole world are indeed affected though! To find this out, if you find a device that isn’t affected by at least one of the discovered vulnerabilities, let me know.
Also, if your company provides Wi-Fi devices and you think that your product was not affected by any of the discovered vulnerabilities, you can send your product to me. Once I confirmed that it indeed was not affected by any vulnerabilities the name of your product and company will be put here! Note that I do need a method to assure that I’m indeed testing a version of the product that was available before the disclosure of the vulnerabilities (and that you didn’t silently patch some vulnerabilities).
The design issues are, on their own, tedious to exploit in practice. Unfortunately, some of the implementation vulnerabilities are common and trivial to exploit. Additionally, by combining the design issues with certain implementation issues, the resulting attacks become more serious. This means the impact of our findings depends on the specific target. Your vendor can inform you what the precise impact is for specific devices. In other words, for some devices the impact is minor, while for others it’s disastrous.
By default devices don’t send fragmented frames. This means that the mixed key attack and the fragment cache attack, on their own, will be hard to exploit in practice, unless Wi-Fi 6 is used. When using Wi-Fi 6, which is based on the 802.11ax standard, a device may dynamically fragment frames to fill up available airtime.
By default access points don’t renew the pairwise session key, even though some may periodically renew the group key. This means that the default mixed key attack as described in the paper is only possible against networks that deviate from this default setting.
The test tool that we released can only be used to test whether a device is vulnerable. It cannot be used to perform attacks: an adversary would have to write their own tools for that. This approach enables network administrators to test if devices are affected while reducing the chance of someone abusing the released code.
The code that has currently been released focusses on detecting vulnerable implementations. The proof-of-concepts scripts that perform actual attacks are not released to provide everyone with more time to implement and deploy patches. Once a large enough fraction of devices has been patched, and if deemed necessary and/or beneficial, the attack script will be publicly released as well.
There are example network captures of the test tool that illustrate the root causes of several vulnerabilities.
The modifications to certain drivers have been submitted upstream to Linux meaning they will be maintained by the Linux developers themselves. The patches to the Intel driver have not been submitted upstream because they’re a bit hacky. Concretely, this means that drivers such as ath9k_htc will be supported out of the box, while for Intel devices you will have to use patched drivers and I’m not sure how much time I’ll have to maintain those.
That’s a good question. I’m not sure why so many developers missed this. This widespread implementation vulnerability does highlight that leaving important cryptographic operations up to developers is not ideal. Put another way, it might have been better if the standard required an authenticity check over the reassembled frame instead. That would also better follow the principle of authenticated encryption.
The 802.11 standard states in section 10.6: “If security encapsulation has been applied to the fragment, it shall be deencapsulated and decrypted before the fragment is used for defragmentation of the MSDU or MMPDU”. There is unfortunately no warning that unencrypted fragments should be dropped. And there are no recommend checks that should be performed when reassembling two (decrypted) fragments.
Yes, although this is unlikely to occur in practice. More technically, let’s assume that an implementation tries to prevent mixed key attacks by: (1) assigning an unique key ID to every fragment; (2) incrementing this key ID whenever the pairwise transient key (PTK) is updated; and (3) assuring all fragments were decrypted under the same key ID. Unfortunately, in that case cache attacks may still be feasible. In particular, if under this defense key IDs are reused after (re)connecting to a network, for example because they are reset to zero, fragments that are decrypted using a different key may still be assigned the same key ID. As a result, cache attacks remain possible, because the fragments will still be reassembled as they have the same key ID.
Strictly speaking not, because the 802.11 standard does not explicitly require that a sender encrypts all fragments of a specific frame under the same key. Fortunately, all implementations that we tested did encrypt all fragments using the same key, at least under the normal circumstances that we tested, meaning in practice the mixed key attack can be prevented without introducing incompatibilities.
...
Read the original on www.fragattacks.com »
Apple’s AirTags are designed to help you keep track of things. There are many things you can use AirTags to track, beyond the most obvious ideas such as your keys or bag.
But you may also be able to use an AirTag to track a package. I sent one in the mail to a friend, and followed it across the country. Here’s what happened.
I live near Stratford-upon-Avon, in the United Kingdom, and I sent the AirTag to a friend south of London. I mailed this AirTag on Friday afternoon, and, with first-class postage, I expected the envelope to be delivered the next day.
The AirTag weighs a mere 11g, so I put one taped to a card, then in a small bubble envelope for protection. I dropped it in the mailbox in my village, just down the road from my home. I made sure to open the Find My app on my iPhone when I was next to the mailbox; it showed the correct location.
Mail is picked up around 5 pm, and a bit later than that, I checked the Find My app on my iPad. At 5:28, I found that my AirTag had reached the local sorting station.
This means that someone, either the mailman who picked up the mail and delivered it to the sorting station, or another employee at the sorting station had an iPhone, which spotted the AirTag. Apple touts their network of nearly a billion devices capable of spotting AirTags, and if there are that many, it should be easy to track this envelope across the country.
Related: How Tough are AirTags? We Froze, Washed and Dried, Ran Over, and Put Them in the Hot Sun
It didn’t take long for my AirTag to start its journey. At 5:49, it had started moving, going into Stratford-upon-Avon, presumably for it to be loaded on to a truck to go to the next location. At around 6:40, it had left the town, heading north.
At 7:30, it reached the South Midlands Mail Centre, a “highly automated mail processing centre,” a massive warehouse-like site where mail is sorted. The presence of even one employee with an iPhone, with Find My turned on, was enough to register this location, but it’s likely that many of the employees have iPhones.
I had set up a script on my Mac to take screenshots of the Find My app every two minutes, and these show the journey of the AirTag across the country. At 10:08 pm, the AirTag was on the road, and here’s its progress through the night and the following morning. The duration of each image in the video does not represent how much time has passed.
There were a couple of stops along the way, where presumably some mail was transferred to other vehicles, and by 6:45 am, the AirTag had reached the final sorting office near where my friend lives. He received delivery in late morning.
After the AirTag was delivered, my friend left the envelope on a table in his house. He has an iPhone, so I expected him to be notified of the presence of the AirTag after a while. According to Apple, anyone who is in the presence of an AirTag that has been separated from its owner for three days will get an alert on their iPhone. They are supposed to get an “AirTag Found Moving With You” message. It’s possible that this alert only displays when the person is actually moving with the AirTag, but that seems somewhat limiting; imagine that you leave an AirTag in someone’s bag at their home, but they don’t take the bag with them right away. Should it take another three days for them to get an alert? Apple isn’t clear enough about the way to prevent AirTags from being used by stalkers.
I therefore expected my friend to get such a message on or after Monday afternoon, three days after I mailed it. By Tuesday, he had still not received any alerts. As I write this article, I just checked in the Find My app, and the AirTag was last seen 13 minutes ago, at his location, but he still has not received any alerts.
Apple also says that “When moved, any AirTag separated for a period of time from the person who registered it will make a sound to alert those nearby.” Again, this is supposed to be three days, and the sound apparently only plays for 15 seconds, and isn’t very loud, according to this Washington Post article. My friend thinks he might have heard a sound at some point, but he couldn’t be sure, because he had the TV on at the time.
The point of these alerts is to let people know if they’re being tracked surreptitiously by someone who placed an AirTag in their bag, their pocket, or their car. Three days is already much too long, but the fact that no audible sounds or alerts are occurring after four days is disturbing.
AirTags aren’t designed to track something in movement; this isn’t like a Tom Cruise movie, where spies track a car in a city, seeing exactly where it is in real time. They are meant to be used to find lost keys, luggage, or other objects. But my experiment shows that you can track these devices to a certain extent.
The reason for this is the sheer size of the network of iOS devices that can locate AirTags. Apple says that there are nearly one billion iOS devices around the world that participate in this network, and that ensures that you can locate AirTags in most situations.
I don’t know if any of the truck drivers carrying the mail didn’t have iPhones. Even if they didn’t, it’s possible that if someone in a car driving next to the truck has an iPhone, then it would be spotted. Since AirTags use Bluetooth 5, the range is around 100m, but that depends on such things as interference, walls, and other obstacles, and testing would need to be done to find how efficient they are in motion.
It’s also not clear how often AirTag locations update. I gave my partner an AirTag last week for her to take when she went on an errand, driving about 20 miles from home. Since she has an iPhone, I expected to see frequent updates in the Find My app, but that wasn’t the case. It seemed that when she was on the road, there weren’t many updates, but when she got to a shopping mall — where there are lots of people with iPhones — it updated much more often. Curiously, it updated at one location on the road in both directions, which was when she drove around a large roundabout. Perhaps when the device is traveling fast, there are less frequent updates, and when it slows down, it updates more often.
Obviously, if your device is in an area with fewer iPhones around, you won’t be able to track it, or find it. In more remote or rural areas, this will be more difficult, but in most situations, there’s a good chance that someone with an iPhone will be near your AirTag if it gets lost. This experiment also shows that if, for example, you’ve taken a flight and the airline has lost your luggage, you’ll have a good chance of keeping track of where it is.
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Facebook, Instagram, Twitter, and YouTube.
writes about Apple products and more on his blog Kirkville.
He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications.
Kirk has written more than two dozen books, including Take Control books about Apple’s media apps, Scrivener, and LaunchBar.
Follow him on Twitter at @mcelhearn.
View all posts by Kirk McElhearn →
...
Read the original on www.intego.com »
Info Pages
Guides
How to Write an SCP
“●●|●●●●●|●●|●” by LurkD, from the SCP Wiki. Source: https://scp-wiki.wikidot.com/scp-2521. Licensed under CC-BY-SA.
For more information, see Licensing Guide.
Licensing Disclosures
For more information about on-wiki content, visit the Licensing Master List.
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License
Click here to edit contents of this page.
Click here to toggle editing of individual sections of the page (if possible). Watch headings for an “edit” link when available.
Append content without editing the whole page source.
Check out how this page has evolved in the past.
If you want to discuss contents of this page - this is the easiest way to do it.
View and manage file attachments for this page.
Change the name (also URL address, possibly the category) of the page.
View wiki source for this page without editing.
View/set parent page (used for creating breadcrumbs and structured layout).
Notify administrators if there is objectionable content in this page.
Something does not work as expected? Find out what you can do.
Wikidot.com Terms of Service - what you can, what you should not etc.
...
Read the original on scp-wiki.wikidot.com »
(Reuters) - Some of the world’s biggest chip buyers, including Apple Inc, Microsoft Corp and Alphabet Inc’s Google, are joining top chip-makers such as Intel Corp to create a new lobbying group to press for government chip manufacturing subsidies.
The newly formed Semiconductors in America Coalition, which also includes Amazon.com’s Amazon Web Services, said Tuesday it has asked U. S. lawmakers to provide funding for the CHIPS for America Act, for which President Joe Biden has asked Congress to provide $50 billion.
“Robust funding of the CHIPS Act would help America build the additional capacity necessary to have more resilient supply chains to ensure critical technologies will be there when we need them,” the group said in a letter to Democratic and Republican leaders in both houses of the U. S. Congress.
A global chip shortage has hit automakers hard, with Ford Motor Co saying it could halve second-quarter production.
Automotive industry groups have pressed the Biden administration to secure chip supply for car factories. But Reuters last week reported administration officials were reluctant to use a national security law to redirect computer chips to automakers because doing so could hurt other industries.
The new coalition includes some of those other chip-consuming industries, with members such as AT&T, Cisco Systems, General Electric, Hewlett Packard Enterprise and Verizon Communications Inc. It cautioned against government actions to favor a single industry such as automakers.
“Government should refrain from intervening as industry works to correct the current supply-demand imbalance causing the shortage,” the group said.
Tech companies such as Apple are also being hit by the chip shortage, but far less severely than automakers.
The iPhone maker said last month it will lose $3 billion to $4 billion in sales in the current quarter ending in June because of the chip shortage, but that equates to just a few percent of the $72.9 billion in sales analyst expect for Apple’s fiscal third quarter, according to Refinitiv revenue estimates.
...
Read the original on www.reuters.com »
1work done while an intern at Intel Labs
We present an approach to enhancing the realism of synthetic images. The images are enhanced by a convolutional network that leverages intermediate representations produced by conventional rendering pipelines. The network is trained via a novel adversarial objective, which provides strong supervision at multiple perceptual levels. We analyze scene layout distributions in commonly used datasets and find that they differ in important ways. We hypothesize that this is one of the causes of strong artifacts that can be observed in the results of many prior methods. To address this we propose a new strategy for sampling image patches during training. We also introduce multiple architectural improvements in the deep network modules used for photorealism enhancement. We confirm the benefits of our contributions in controlled experiments and report substantial gains in stability and realism in comparison to recent image-to-image translation methods and a variety of other baselines.
Please cite our work if you use code or data from this site.
@Article{Richter_2021,
title = {Enhancing Photorealism Enhancement},
author = {Stephan R. Richter and Hassan Abu AlHaija and Vladlen Koltun},
journal= {arXiv:2105.04619},
year = {2021},
The modifications by our method are geometrically and semantically consistent with the original images.
They are also temporally stable:
It greens the parched grass and hills in GTA’s California:
It adds reflections to the windows and increases the fresnel effect (e.g., at the roof of cars):
It greens the parched grass and hills in GTA’s California:
Images from this dataset are recorded around the world with wide variety of cameras. The images are more vibrant and of high resolution.
It removes distant haze and rebuilds the road:
...
Read the original on intel-isl.github.io »
Matthew Prince, at the end of his prepared remarks after Cloudflare’s recent earnings report, related a story from the company’s earliest days:
Back in 2010, right before Cloudflare’s first Board meeting and our launch, I got some advice from one of our early investors. He said running a company is a bit like flying an airplane. You want to make sure it’s well maintained at all times. And that when you’re flying, you keep the wheel steady and the nose 10 degrees about the horizon. That’s stuck with me, and we’ve designed Cloudflare for consistent and disciplined execution. That shows in quarters like the one we just had.
What is most important of all, though, is the destination that airplane is headed for.
The launch Prince referred to happened at TechCrunch Disrupt 2010; the entire video is worth a watch, but there are three highlights in particular. First, Prince — despite a three-minute technical delay — did an excellent job of laying out Cloudflare’s core value proposition:
Prince, a graduate of Harvard Business School, explicitly invoked HBS Professor Clayton Christensen while answering a question about competition:
The most memorable moment of the presentation, though, was Prince’s response to a seemingly anodyne question about when companies might grow out of Cloudflare’s offering:
Despite the audacity of Prince’s answer — Our vision is that we’re going to power the Internet — the company’s list of competitors in its 2019 S-1 seemed rather aspirational, in both breadth and scale:
Our current and potential future competitors include a number of different types of companies, including:
On-premise hardware network vendors, such as Cisco Systems Inc., F5 Networks, Inc., Check Point Software Technologies Ltd., FireEye, Inc., Imperva, Inc., Palo Alto Networks, Inc., Juniper Networks, Inc., and Riverbed Technology, Inc.;
Point-cloud solution vendors, including cloud security vendors such as Zscaler, Inc. and Cisco Systems Inc. through Umbrella (formerly known as OpenDNS), content delivery network vendors such as Akamai Technologies, Inc., Limelight Networks, Inc., Fastly, Inc., and Verizon Communications Inc. through Edgecast, domain name system vendors services such as Oracle Corporation through DYN, NeuStar, Inc., and UltraDNS Corporation, and cloud SD-WAN vendors; and
Traditional public cloud vendors, such as Amazon.com, Inc. through Amazon Web Services, Alphabet Inc. through Google Cloud Platform, Microsoft Corporation through Azure, and Alibaba Group Holding Limited through Alibaba Cloud.
The first two categories make sense; after all, Cloudflare’s value proposition from the beginning was speed and security, so of course they would grow up to compete with network and security vendors. It was that last bullet point, though, that even now leads to raised eyebrows: Cloudflare’s big quarter entailed $138 million in revenue; AWS, over the same period, made $150 million a day.
To understand why Cloudflare sees public cloud vendors as competitors it helps to go back to what made Cloudflare disruptive; Christensen wrote in The Innovator’s Dilemma:
Occasionally, however, disruptive technologies emerge: innovations that result in worse product performance, at least in the near-term. Ironically, in each of the instances studied in this book, it was disruptive technology that precipitated the leading firms’ failure. Disruptive technologies bring to a market a very different value proposition than had been available previously. Generally, disruptive technologies underperform established products in mainstream markets. But they have other features that a few fringe (and generally new) customers value. Products based on disruptive technologies are typically cheaper, simpler, smaller, and, frequently, more convenient to use.
That was basically Prince’s value proposition: Cloudflare’s CDN would be cheaper (free), simpler (just change DNS servers), smaller (only 5 servers to start), and more convenient (ridiculously easy!). And Cloudflare’s customers were definitely fringe:
What Cloudflare had in its favor, though, was the most potent advantage on the Internet: the service, much like Google a decade-earlier with its link-based ranking system, got better with use. This was because Cloudflare paired its content delivery network with DDoS protection; the latter was extremely attractive to websites, gave Cloudflare an in with ISPs who valued the protection to build point-of-presence servers around the world, and, critically, gave Cloudflare better-and-better data about how data flowed around the world (improving its service) even as it improved its CDN capabilities.
Cloudflare’s focus on security-for-free also meant its CDN was built on general-purpose hardware from the beginning; from the S-1:
To achieve the level of efficiency needed to compete with hardware appliances required us to invent a new type of platform. That platform needed to be built on commodity hardware. It needed to be architected so any server in any city that made up Cloudflare’s network could run every one of our services. It also needed the flexibility to move traffic around to serve our highest paying customers from the most performant locations while serving customers who paid us less, or even nothing at all, from wherever there was excess capacity.
As time went on those general purpose machines were used for more-and-more offerings beyond a CDN and DDoS protection; HHHypergrowth has a fantastic overview of everything Cloudflare is working on, and the article is daunting in length because Cloudflare’s portfolio is so vast. It is Cloudflare Workers, though, that are responsible for the big cloud players being in Cloudflare’s competitive set.
Cloudflare launched Workers seven years after the company’s launch at Disrupt; from the introductory blog post:
Cloudflare is about to go through a similar transition [as programmable CPUs]. At its most basic level, Cloudflare is an HTTP cache that runs in 117 locations worldwide (and growing). The HTTP standard defines a fixed feature set for HTTP caches. Cloudflare, of course, does much more, such as providing DNS and SSL, shielding your site against attacks, load balancing across your origin servers, and so much else.
But, these are all fixed functions. What if you want to load balance with a custom affinity algorithm? What if standard HTTP caching rules aren’t quite right, and you need some custom logic to boost your cache hit rate? What if you want to write custom WAF rules tailored for your application?
You want to write code.
We can keep adding features forever, but we’ll never cover every possible use case this way. Instead, we’re making Cloudflare’s edge network programmable. We provide servers in 117+ locations around the world — you decide how to use them.
Workers were extremely limited in functionality to start; just a bit of stateless Javascript code running in a V8 isolate, but as close to users as possible. In 2018 Cloudflare added a key-value store, giving Workers access to highly distributed eventually-consistent data storage; in 2020 the company introduced Workers Unbound, dramatically expanding Workers capabilities, and Durable Objects, which not only store data but also state, which means a single source of truth. Once again Cloudflare’s network comes to the rescue:
When using Durable Objects, Cloudflare automatically determines the Cloudflare datacenter that each object will live in, and can transparently migrate objects between locations as needed. Traditional databases and stateful infrastructure usually require you to think about geographical “regions”, so that you can be sure to store data close to where it is used.
Thinking about regions can often be an unnatural burden, especially for applications that are not inherently geographical. With Durable Objects, you instead design your storage model to match your application’s logical data model. For example, a document editor would have an object for each document, while a chat app would have an object for each chat. There is no problem creating millions or billions of objects, as each object has minimal overhead.
In Cloudflare’s example of a chat app, every individual conversation is an object, and that object is moved as close to the participants as possible; two people chatting in the U. S. would utilize a Durable Object in a U.S. data center, for example, while two in Europe would use one there. There is a bit of additional latency, but less than there might be with a centralized cloud provider. That’s ok, though, because the real advantage of Workers isn’t what Cloudflare thought it was.
The economics of public clouds are very straightforward: it makes far more sense for Amazon or Microsoft or Google to build and maintain data centers all over the world and rent out capacity than it does for companies for whom data centers are not their core competency to duplicate their efforts at a sub-scale level. It’s so compelling I labeled the current state The End of the Beginning:
This last point gets at why the cloud and mobile, which are often thought of as two distinct paradigm shifts, are very much connected: the cloud meant applications and data could be accessed from anywhere; mobile made the I/O layer available anywhere. The combination of the two make computing continuous.
What is notable is that the current environment appears to be the logical endpoint of all of these changes: from batch-processing to continuous computing, from a terminal in a different room to a phone in your pocket, from a tape drive to data centers all over the globe. In this view the personal computer/on-premises server era was simply a stepping stone between two ends of a clearly defined range.
While this view of the omnipresent cloud is true for end users, the story is a bit more complicated for developers; if you want to set up a new instance you need to first select a region. AWS, for example, has twenty-five regions around the world:
Once you choose a region your actual app is geographically contained in that region. In theory that limitation gives an advantage to Cloudflare Workers; Prince wrote in a blog post:
Since we’re unlikely to make the speed of light any faster, the ability for any developer to write code and have it run across our entire network means we will always have a performance advantage over legacy, centralized computing solutions — even those that run in the “cloud.” If you have to pick an “availability zone” for where to run your application, you’re always going to be at a performance disadvantage to an application built on a platform like Workers that runs everywhere Cloudflare’s network extends.
The truth, though, is that this performance doesn’t matter very much for most applications. Stratechery’s podcast service runs in the US East (Ohio) region, for example, and it doesn’t really make a difference for me, despite the fact I’m halfway around the world. Price admitted as such:
But let’s be real a second. Only a limited set of applications are sensitive to network latency of a few hundred milliseconds. That’s not to say under the model of a modern major serverless platform network latency doesn’t matter, it’s just that the applications that require that extra performance are niche…People who talk a lot about edge computing quickly start talking about IoT and driverless cars. Embarrassingly, when we first launched the Workers platform, I caught myself doing that all the time.
Indeed, for almost all applications the public clouds were good enough, and again, the economics made any other choice a bad idea.
Earlier this year, in the wake of January 6, I wrote Internet 3.0 and the Beginning of (Tech) History; after raising the arguments from The End of the Beginning I noted:
In the case of the Internet, we are at the logical endpoint of technological development; here, though, the impasse is not the nature of man, but the question of sovereignty, and the potential re-liberation of megalothymia is the likely refusal by people, companies, and countries around the world to be lorded over by a handful of American giants.
As long as economics were all that mattered, we would only ever have the centralized cloud providers; the “limited set of applications” that needed minimal latency could pay a bit more to run on those blue AWS edge providers in the maps above. The point of that article, though, is that economics weren’t the only thing that mattered: going forward politics would be even more important.
Prince had the same realization; the blog post I have been quoting is entitled The Edge Computing Opportunity: It’s Not What You Think, and the chief benefits Prince cites are very much about politics:
Most computing resources that run on cloud computing platforms, including serverless platforms, are created by developers who work at companies where compliance is a foundational requirement. And, up until to now, that’s meant ensuring that platforms follow government regulations like GDPR (European privacy guidelines) or have certifications providing that they follow industry regulations such as PCI DSS (required if you accept credit cards), FedRamp (US government procurement requirements), ISO27001 (security risk management), SOC 1/2/3 (Security, Confidentiality, and Availability controls), and many more.
But there’s a looming new risk of regulatory requirements that legacy cloud computing solutions are ill-equipped to satisfy. Increasingly, countries are pursuing regulations that ensure that their laws apply to their citizens’ personal data. One way to ensure you’re in compliance with these laws is to store and process data of a country’s citizens entirely within the country’s borders.
The EU, India, and Brazil are all major markets that have or are currently considering regulations that assert legal sovereignty over their citizens’ personal data. China has already imposed data localization regulations on many types of data. Whether you think that regulations that appear to require local data storage and processing are a good idea or not — and I personally think they are bad policies that will stifle innovation — my sense is the momentum behind them is significant enough that they are, at this point, likely inevitable. And, once a few countries begin requiring data sovereignty, it will be hard to stop nearly every country from following suit.
This potential reality presents a big problem for Amazon, Microsoft, and Google: what scales on their side is the cloud as a whole, from management to interface to purchasing; individual developers are meant to stay in their regions. Yes, all three companies guarantee that data in one region won’t go elsewhere, but it’s a development nightmare: you have to maintain different apps with different data stores in different regions.
Cloudflare, meanwhile, can use the same capabilities that seamlessly transfer Durable Objects to the nearest data center, to follow local compliance data sovereignty laws at a granual level; from an announcement for Jurisdictional Restrictions for Durable Objects:
Durable Objects, currently in limited beta, already make it easy for customers to manage state on Cloudflare Workers without worrying about provisioning infrastructure. Today, we’re announcing Jurisdictional Restrictions for Durable Objects, which ensure that a Durable Object only stores and processes data in a given geographical region. Jurisdictional Restrictions make it easy for developers to build serverless, stateful applications that not only comply with today’s regulations, but can handle new and updated policies as new regulations are added…
By setting restrictions at a per-object level, it becomes easy to ensure compliance without sacrificing developer productivity. Applications running on Durable Objects just need to identify the jurisdictional rules a given Object should follow and set the corresponding rule at creation time. Gone is the need to run multiple clusters of infrastructure across cloud provider regions to stay compliant — Durable Objects are both globally accessible and capable of partitioning state with no infrastructure overhead.
Durable Objects are not, in-and-of-themselves, going to kill the public clouds; what they represent, though, is an entirely new way of building infrastructure — from the edge in, as opposed to the data center out — that is perfectly suited to a world where politics matters more than economics.
I actually already covered Cloudflare’s differentiated approach, albeit in passing, and by accident. Back in March, I interviewed Prince in the process of writing Moderation in Infrastructure; one thing that stood out to me was how his response to Internet fragmentation differed from Microsoft President Brad Smith, and Google Cloud CEO Thomas Kurian:
I think, it’s a reflection of the fact that if you’re a global technology business, most of the time, it is far more efficient and legally compliant to operate a global model than to have different practices and standards in different countries, especially when you get to things that are so complicated. It’s very hard to have content moderators make decisions about individual pieces of content under one standard, but to try to do it and say, “Well, okay, we’ve evaluated this piece of content and it can stay up in the US but go down in France.” Then you add these additional layers of complexity that add both cost and the risk of non-compliance which creates reputational risk.
So far, we have tried to get to what’s common, and the reality is, Ben, it’s super hard on a global basis to design software that behaves differently in different countries. It is super difficult. And at the scale at which we’re operating and the need for privacy, for example, it has to be software and systems that do the monitoring. You cannot assume that the way you’re going to enforce ToS and AUPs is by having humans monitor everything, I mean we have so many customers at such a large scale. And so that’s probably the most difficult thing is saying virtual machines behave one way in Canada, and a different way in the United States, and a third way…I mean that’s super complicated.
Everywhere in the world, governments have some political legitimacy, and they certainly have a lot more political legitimacy than I do…It’s important that we comply with the laws in each jurisdiction in which we operate. We should help our customers comply with the laws in each jurisdiction we operate…Germany can set whatever rules they want for Germany, but it has to be the rules inside of Germany.
And you can manage that okay. You can manage on a per country basis. You feel good about that?
Sure. I mean, for us, that’s easy. And then we can provide that to our customers as a function of what we’re doing. But I think that if you could say, German rules don’t extend beyond Germany and French rules don’t extend beyond France and Chinese rules don’t extend beyond China and that you have some human rights floor that’s in there.
Right. But given the nature of the internet, isn’t that the whole problem? Because, anyone in Germany can go to any website outside of Germany.
That’s the way it used to be, I’m not sure that’s going to be the way it’s going to be in the future. Because, there’s a lot of atoms under all these bits and there’s an ISP somewhere, or there’s a network provider somewhere that’s controlling how that flows and so I think that, that we have to follow the law in all the places that are around the world and then we have to hold governments responsible to the rule of law, which is transparency, consistency, accountability. And so, it’s not okay to just say something disappears from the internet, but it is okay to say due to German law it disappeared from the internet. And if you don’t like it, here’s who you complain to, or here’s who you kick out of office so you do whatever you do. And if we can hold that, we can let every country have their own rules inside of that, I think that’s what keeps us from slipping to the lowest common denominator.
The quotes aren’t perfectly comparable — you can read the full interviews to get the context — but it makes sense that Microsoft and Google (and presumably Amazon) would be very concerned about a world where individual countries make their own laws about what can be put on the Internet, or even seen. Theirs are services predicated on the superior economics that come from centralization; Cloudflare, on the other hand, is already doing all of its computing on the edge — data sovereignty rules are simply a variable. It’s “easy”.
This is why the direction of Cloudflare’s metaphorical plane is so fascinating: Cloudflare’s current addressable market of enterprise security and networking is significant, particularly as remote work has laid bare the problems with traditional approaches; the destination with outsized upside, though, is Internet 3.0, and the resultant need for a service that routes around obstacles, not from nuclear war, but sovereign governments.
...
Read the original on stratechery.com »
...
Read the original on sequencer64.com »
The Arduino IDE is the well-known software we all use to program our boards. Its development started in 2005 based on the graphical interface of the Processing project and has never stopped since. During these years, countless hours of development by the Arduino team with the help of a vibrant community made the Arduino IDE the de facto standard for electronics prototyping. Thanks to an extensible framework based on modular board support packages, the IDE supports more than 1,000 official and non-official boards; it’s translated in 66 languages, mentioned by more than 3,000 books, and is still growing: during the last year, it was downloaded more than 39 millions of times. More than ever.
First off, a big thank you to the Arduino community that makes development possible with donations and — even more important — by buying original Arduino boards: we use your money to pay the developers that work daily on the Arduino open source software for the benefit of everyone. Keep supporting our work!
While the Arduino IDE provides a simple and clear interface that is ideal for the novice users, the more advanced users often report that the editing capabilities are a bit limited compared to modern editors. This includes features like code indentation, block folding, auto-closing brackets, regular expression search and replace, comment toggling. In addition to this, many users have been asking for live debugging, i.e. the ability to run code on an attached board and stop it at a given line to check the contents of variables, memory and registers.
The IDE 1.x is developed in Java, and its monolithic codebase makes it difficult to implement such features. Java is also becoming an obsolete technology for desktop applications and is being phased out by newer operating systems and app stores, which forces us to spend time on working around compatibility issues.
In 2018, we started to refactor the toolchain by announcing a big game changer: arduino-cli, the Arduino command line tool written in Golang that exposes all the core functionalities of the IDE, providing advanced users with a flexible tool they can integrate into their professional IDE of choice. Since then, we maintain and improve arduino-cli on a daily basis (try it now if you haven’t!).
In 2019, we announced the alpha release of a new IDE built on top of arduino-cli and based on a modern software stack (Theia and Electron) under the code name of “Arduino Pro IDE” and we got a lot of positive feedback about it. 2020 has been a busy development year, and a dedicated team of developers has been working behind the scenes to bring the new IDE from a proof-of-concept to a fully functional tool.
We’re pleased to announce that as of today the Arduino IDE 2.0 beta is available for download and its code repositories become open source. It carries a modern editor and provides a better overall user experience thanks to a responsive interface and faster compilation time. Don’t be afraid of trying it today: the upgrade will be frictionless as the interface will look very familiar. But let’s see some of the goodies you’ll find.
While typing, the editor suggests the autocompletion of variables and functions according to the libraries you included:
When right-clicking on a variable or a function, a contextual menu will provide navigation shortcuts to jump to the line (and file) where they are declared:
See this page to learn more about the new editing tools.
But there’s another big feature in the new IDE: a live debugger that allows you to run your code interactively on a board and inspect its execution without writing tens of “Serial.println()” statements. Just fire the debug panel, set breakpoints where you want to pause the execution and inspect the content of variables. Oh, you can even change the content of variables on the fly and resume execution!
As of today, the debugger supports all the Arduino boards based on the SAMD and Mbed platforms (MKR family, Nano 33 IoT, Nano 33 BLE, Portenta, Zero). Maintainers of Arduino cores for third-party boards can add support for debugging by adding the relevant configuration parameters; a technical guide for this is coming. You’ll need to connect a debugging probe such as the Segger J-link to the JTAG pins on the board and you’ll be ready to go.
The new IDE is based on the Eclipse Theia framework, which is an open source project based on the same architecture as VS Code (language server protocol, extensions, debugger). The front-end is written in TypeScript, while most of the backend is written in Golang.
We need your help to test the new IDE. We want to make it perfect and bug-free, so do not hesitate to download it now and join the discussion in the forum! Ready to get started? Follow along with our tutorials here.
...
Read the original on blog.arduino.cc »
To add this web app to your iOS home screen tap the share button and select "Add to the Home Screen".
10HN is also available as an iOS App
If you visit 10HN only rarely, check out the the best articles from the past week.
If you like 10HN please leave feedback and share
Visit pancik.com for more.