Confused deputy problem

In information security, a confused deputy is a computer program that is tricked by another program (with fewer privileges or fewer rights) into misusing its authority on the system. It is a specific type of privilege escalation. The confused deputy problem is often cited as an example of why capability-based security is important. Capability systems mitigate the confused deputy problem by eliminating ambient authority, allowing programs to act only on resources for which they hold explicit capabilities, whereas access-control list–based systems are more susceptible to it. However, this protection depends on correct implementation; in formally verified capability systems such as seL4, it can be shown that the kernel enforces capability constraints correctly, preventing such behavior at the system level.

== Example ==

In the original example of a confused deputy, there was a compiler program provided on a commercial timesharing service. Users could run the compiler and optionally specify a filename where it would write debugging output, and the compiler would be able to write to that file if the user had permission to write there. The compiler also collected statistics about language feature usage. Those statistics were stored in a file called "(SYSX)STAT", in the directory "SYSX". To make this possible, the compiler program was given permission to write to files in SYSX. But there were other files in SYSX: in particular, the system's billing information was stored in a file "(SYSX)BILL".

A user ran the compiler and named "(SYSX)BILL" as the desired debugging output file. This produced a confused deputy problem. The compiler made a request to the operating system to open (SYSX)BILL. Even though the user did not have access to that file, the compiler did, so the open succeeded. The compiler wrote the compilation output to the file (here "(SYSX)BILL") as normal, overwriting it, and the billing information was destroyed.

=== The confused deputy ===

In this example, the compiler program is the deputy because it is acting at the request of the user. The program is seen as 'confused' because it was tricked into overwriting the system's billing file. Whenever a program tries to access a file, the operating system needs to know two things: which file the program is asking for, and whether the program has permission to access the file. In the example, the file is designated by its name, "(SYSX)BILL". The program receives the file name from the user, but does not know whether the user had permission to write the file. When the program opens the file, the system uses the program's permission, not the user's. When the file name was passed from the user to the program, the permission did not go along with it; the permission was increased by the system silently and automatically.

It is not essential to the attack that the billing file be designated by a name represented as a string. The essential points are that:

* the designator for the file does not carry the full authority needed to access the file;
* the program's own permission to access the file is used implicitly.

== Other examples ==

A cross-site request forgery (CSRF) is an example of a confused deputy attack that uses the web browser to perform sensitive actions against a web application. A common form of this attack occurs when a web application uses a cookie to authenticate all requests transmitted by a browser. Using JavaScript, an attacker can force a browser into transmitting authenticated HTTP requests. The Samy computer worm used cross-site scripting (XSS) to turn the browser's authenticated MySpace session into a confused deputy. Using XSS the worm forced the browser into posting an executable copy of the worm as a MySpace message which was then viewed and executed by friends of the infected user.

Clickjacking is an attack where the user acts as the confused deputy. In this attack a user thinks they are harmlessly browsing a website (an attacker-controlled website) but they are in fact tricked into performing sensitive actions on another website.

An FTP bounce attack can allow an attacker to connect indirectly to TCP ports to which the attacker's machine has no access, using a remote FTP server as the confused deputy.

Another example relates to personal firewall software. It can restrict Internet access for specific applications. Some applications circumvent this by starting a browser with instructions to access a specific URL. The browser has authority to open a network connection, even though the application does not. Firewall software can attempt to address this by prompting the user in cases where one program starts another which then accesses the network. However, the user frequently does not have sufficient information to determine whether such an access is legitimate—false positives are common, and there is a substantial risk that even sophisticated users will become habituated to clicking "OK" to these prompts.

Not every program that misuses authority is a confused deputy. Sometimes misuse of authority is simply a result of a program error. The confused deputy problem occurs when the designation of an object is passed from one program to another, and the associated permission changes unintentionally, without any explicit action by either party. It is insidious because neither party did anything explicit to change the authority.

Another example is when an administrator authorizes an AI agent to act on their behalf, and that AI subsequently delegates authority to another AI agent neither vetted nor authorized by the original administrator. The unvetted AI can then act without permissions or oversight from the original developer.

== Solutions ==

In some systems it is possible to ask the operating system to open a file using the permissions of another client. This solution has some drawbacks:

* It requires explicit attention to security by the server. A naive or careless server might not take this extra step.
* It becomes more difficult to identify the correct permission if the server is in turn the client of another service and wants to pass along access to the file.
* It requires the client to trust the server not to abuse the borrowed permissions.

Note that intersecting the server's and client's permissions does not solve the problem either, because the server may then have to be given very wide permissions (all of the time, rather than those needed for a given request) in order to act for arbitrary clients.

The simplest way to solve the confused deputy problem is to bundle together the designation of an object and the permission to access that object. This is exactly what a capability is. Using capability security in the compiler example, the client would pass to the server a capability to the output file, such as a file descriptor, rather than the name of the file. Since the client lacks a capability to the billing file, it cannot designate that file for output. In the cross-site request forgery example, a URL supplied "cross"-site would include its own authority independent of that of the client of the web browser.
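The compiler example and the two solutions discussed above (opening with the client's permissions, and passing a capability instead of a name), modelled in Python as an added illustration that is not part of the original article; the principals, file names and the permission table are constructed for the example.

```python
"""Toy model of the compiler example: an ACL deputy that opens files by name
with its own authority, the same deputy opening with the client's permission,
and a capability-based deputy that never receives a name at all.
Added illustration; principals, paths and the permission table are constructed."""
from dataclasses import dataclass

# Constructed ACL: which principal may write which file. The compiler was given
# write access to everything in SYSX so that it could update (SYSX)STAT.
ACL = {
    "compiler": {"(SYSX)STAT", "(SYSX)BILL"},
    "alice": {"(ALICE)DEBUG.OUT"},
}
INITIAL_FILES = {"(SYSX)BILL": "billing records", "(SYSX)STAT": "", "(ALICE)DEBUG.OUT": ""}
FILES = dict(INITIAL_FILES)


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class FileCapability:
    """Designation and authority bundled together: in this model, holding the
    object is the right to write the file, and it is only handed out by open_by_name."""
    path: str

    def write(self, data):
        FILES[self.path] = data


def open_by_name(principal, path):
    """ACL-style open: the authority checked is the caller's, not the requester's."""
    if path not in ACL.get(principal, set()):
        raise PermissionDenied(f"{principal} may not write {path}")
    return FileCapability(path)


def compile_by_name(debug_path):
    """Confused deputy: the user's designation is opened with the compiler's permission."""
    open_by_name("compiler", debug_path).write("debug output")
    open_by_name("compiler", "(SYSX)STAT").write("usage statistics")


def compile_on_behalf_of(user, debug_path):
    """First solution: open the debug file with the requesting client's permission."""
    open_by_name(user, debug_path).write("debug output")
    open_by_name("compiler", "(SYSX)STAT").write("usage statistics")


def compile_with_capability(debug_cap):
    """Capability solution: the client hands over an already-open handle, never a name."""
    debug_cap.write("debug output")
    open_by_name("compiler", "(SYSX)STAT").write("usage statistics")


def run(scenario):
    """Reset the file store, run one scenario, and return the billing file's contents."""
    FILES.clear()
    FILES.update(INITIAL_FILES)
    try:
        scenario()
    except PermissionDenied:
        pass
    return FILES["(SYSX)BILL"]


def billing_after_confused_deputy():
    return run(lambda: compile_by_name("(SYSX)BILL"))  # returns "debug output"


def billing_after_on_behalf_of():
    return run(lambda: compile_on_behalf_of("alice", "(SYSX)BILL"))  # returns "billing records"


def billing_after_capability():
    # alice must open the output file herself; she holds no right to (SYSX)BILL.
    return run(lambda: compile_with_capability(open_by_name("alice", "(SYSX)BILL")))
```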

Two-phase locking

In databases and transaction processing, two-phase locking (2PL) is a pessimistic concurrency control method that guarantees conflict-serializability. It is also the name of the resulting set of database transaction schedules (histories). The protocol uses locks, applied by a transaction to data, which may block (interpreted as signals to stop) other transactions from accessing the same data during the transaction's life.

By the 2PL protocol, locks are applied and removed in two phases:

* Expanding phase: locks are acquired and no locks are released.
* Shrinking phase: locks are released and no locks are acquired.

Two types of locks are used by the basic protocol: Shared and Exclusive locks. Refinements of the basic protocol may use more lock types. Using locks that block processes, 2PL, S2PL, and SS2PL may be subject to deadlocks that result from the mutual blocking of two or more transactions.

== Read and write locks ==

Locks are used to guarantee serializability. A transaction is holding a lock on an object if that transaction has acquired a lock on that object which has not yet been released. For 2PL, the only data-access locks used are read-locks (shared locks) and write-locks (exclusive locks). Below are the rules for read-locks and write-locks:

* A transaction is allowed to read an object if and only if it is holding a read-lock or write-lock on that object.
* A transaction is allowed to write an object if and only if it is holding a write-lock on that object.
* A schedule (i.e., a set of transactions) is allowed to hold multiple locks on the same object simultaneously if and only if none of those locks are write-locks. A lock request that would violate this rule is blocked until the conflicting locks are released.

== Variants ==

Note that all conflict serializable schedules are also view serializable (but not vice-versa).

=== Two-phase locking ===

According to the two-phase locking protocol, each transaction handles its locks in two distinct, consecutive phases during the transaction's execution:

* Expanding phase (aka Growing phase): locks are acquired and no locks are released (the number of locks can only increase).
* Shrinking phase (aka Contracting phase): locks are released and no locks are acquired.

The two-phase locking rules can be summarized as: each transaction must never acquire a lock after it has released a lock. The serializability property is guaranteed for a schedule with transactions that obey this rule. Typically, a transaction has no explicit knowledge of when its phase 1 has ended, so the rule can only be safely satisfied once the transaction has completed processing and requested commit. In this case, all the locks can be released at once (phase 2).

=== Conservative two-phase locking ===

Conservative two-phase locking (C2PL) differs from 2PL in that transactions obtain all the locks they need before the actual execution begins. This is to ensure that a transaction that already holds some locks will not block waiting for other locks. C2PL prevents deadlocks. In cases of heavy lock contention, C2PL reduces the time locks are held on average, relative to 2PL and Strict 2PL, because transactions that hold locks are never blocked. In light lock contention, C2PL holds more locks than is necessary, because it is difficult to predict which locks will be needed in the future, thus leading to higher overhead. A C2PL transaction will not obtain any locks if it cannot obtain all the locks it needs in its initial request. Furthermore, each transaction needs to declare its read and write set (the data items that will be read/written), which is not always possible. Because of these limitations, C2PL is not used very frequently.

=== Strict two-phase locking ===

To comply with the strict two-phase locking (S2PL) protocol, a transaction needs to comply with 2PL, and release its write (exclusive) locks only after the transaction has ended (i.e., either committed or aborted). On the other hand, read (shared) locks are released regularly during the shrinking phase. Unlike 2PL, S2PL provides strictness (a special case of cascade-less recoverability). This protocol is not appropriate for B-trees because it causes a bottleneck, since B-tree searches always start from the root.

=== Strong strict two-phase locking ===

Strong strict two-phase locking (SS2PL) is also called rigorousness, rigorous scheduling, or rigorous two-phase locking. To comply with SS2PL, a transaction's read and write locks are released only after that transaction has ended (i.e., either committed or aborted). A transaction obeying SS2PL has only a phase 1 and lacks a phase 2 until the transaction has completed. Every SS2PL schedule is also an S2PL schedule, but not vice versa.
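The lock compatibility rules and the two-phase rule above, implemented as a small lock manager in Python; this is an added example, not code from any database engine, and the transactions, objects and interleaving in `schedule()` are constructed. Committing releases every lock at once, which is the SS2PL behaviour described in the last section.

```python
"""Minimal two-phase lock manager: shared/exclusive compatibility plus the
2PL rule that a transaction may not acquire a lock after its first release.
Added example with a constructed schedule; not taken from any DBMS."""
from collections import defaultdict


class ProtocolViolation(Exception):
    """Raised when a transaction in its shrinking phase tries to acquire a lock."""


class LockManager:
    def __init__(self):
        self.holders = defaultdict(dict)   # object -> {txn: "S" or "X"}
        self.shrinking = set()             # transactions that have released a lock

    def _compatible(self, txn, obj, mode):
        # Several S locks may coexist; an X lock excludes every other holder.
        others = {t: m for t, m in self.holders[obj].items() if t != txn}
        if not others:
            return True
        return mode == "S" and all(m == "S" for m in others.values())

    def acquire(self, txn, obj, mode):
        """Return True if granted, False if the request must wait (is blocked)."""
        if txn in self.shrinking:
            raise ProtocolViolation(f"{txn} acquired {obj} after releasing a lock")
        held = self.holders[obj].get(txn)
        if held == "X" or held == mode:
            return True                    # already holds a lock at least as strong
        if not self._compatible(txn, obj, mode):
            return False                   # conflicting lock held by another txn
        self.holders[obj][txn] = mode      # grant, or upgrade S -> X
        return True

    def release(self, txn, obj):
        """Release one lock; the transaction can never acquire again (phase 2)."""
        self.holders[obj].pop(txn, None)
        self.shrinking.add(txn)

    def commit(self, txn):
        """SS2PL: hold everything until the end, then release all locks at once."""
        for obj in list(self.holders):
            self.holders[obj].pop(txn, None)
        self.shrinking.add(txn)


def schedule():
    """Constructed interleaving: two shared readers, a writer blocked by them,
    the writer succeeding after commits, then a two-phase rule violation."""
    lm = LockManager()
    events = []
    events.append(("T1 read x", lm.acquire("T1", "x", "S")))      # granted
    events.append(("T2 read x", lm.acquire("T2", "x", "S")))      # granted, S/S compatible
    events.append(("T3 write x", lm.acquire("T3", "x", "X")))     # blocked by the readers
    lm.commit("T1")
    lm.commit("T2")
    events.append(("T3 write x retry", lm.acquire("T3", "x", "X")))  # granted
    lm.release("T3", "x")                                          # T3 enters shrinking phase
    try:
        events.append(("T3 read y", lm.acquire("T3", "y", "S")))
    except ProtocolViolation:
        events.append(("T3 read y", "violation"))                  # acquire after release
    return events
```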

Pixelmator

Pixelmator is a series of graphics editors developed by Apple for macOS, iOS, and iPadOS. Pixelmator apps leverage Apple-specific technologies such as CoreML and Metal. Pixelmator uses a proprietary format across its apps (.PXD), but supports editing a variety of file types including Photoshop, RAW, and WebP.

== History ==

Pixelmator Team was founded in 2007 by Lithuanian brothers Saulius and Aidas Dailidė, and released Pixelmator (now Pixelmator Classic) 1.0 in September of the same year. The company resided in Vilnius, Lithuania. In November 2024, Pixelmator Team agreed to be acquired by Apple for an undisclosed amount. The acquisition was completed on 11 February 2025, and the company was later folded into Apple, with its products coming fully under Apple.

== Pixelmator Classic ==

Pixelmator Classic was the original version of Pixelmator released for Mac on 25 September 2007. It uses a palette-style interface with floating toolbars, in contrast to Pixelmator Pro's single-window interface. It is no longer being updated and has been delisted from the Mac App Store.

== Pixelmator iOS ==

Pixelmator for iOS launched on 23 October 2014 as an iPad-exclusive app with touch-optimized versions of Pixelmator's desktop features. In May 2015, Pixelmator for iOS 2.0 was released with support for the iPhone. Apple no longer updates Pixelmator for iOS as of 13 January 2026, shortly before the release of Pixelmator Pro for iPad.

== Pixelmator Pro ==

Pixelmator Pro is an image, video, and vector editing software for macOS that launched on 29 November 2017. It was a paid upgrade for Pixelmator Classic users, featuring a redesigned interface, a graphics pipeline rewritten using Metal, Apple silicon support and a greater focus on ML/AI editing features. On 28 January 2026, Apple announced Apple Creator Studio, a subscription bundle for its professional software that contains Pixelmator Pro. Apple also brought Pixelmator Pro to iPad, shortly after discontinuing Pixelmator iOS.

== Photomator ==

Photomator (formerly Pixelmator Photo) is a photo-oriented editing app which launched on iPad in 2019, on iOS in 2021, and on macOS in 2022. After launching the macOS version, the app moved from a one-time purchase to a subscription; however, a lifetime license can still be purchased for $99. Photomator differentiates itself from other Pixelmator apps with features such as batch editing of full photoshoots and AI-powered color correction. Edits in Photomator are made on a single layer and are non-destructive.

Lucy–Hook coaddition method

The Lucy–Hook coaddition method is an image processing technique for combining sub-stepped astronomical image data onto a finer grid. The method offers a choice between resolution and contrast enhancement and a more conservative, re-convolved output. Tests with very deep Hubble Space Telescope Wide Field and Planetary Camera 2 (WFPC2) imaging data of excellent quality show that these methods can be very effective and allow fine-scale features to be studied better than on the unprocessed images. The Lucy–Hook coaddition method is an extension of the standard Richardson–Lucy deconvolution iterative restoration method. For many purposes it may be more convenient to combine dithered datasets using the Drizzle method.

KoalaPad

The KoalaPad is a graphics tablet, released in 1983 by US company Koala Technologies Corporation, for the Apple II, TRS-80 Color Computer (as the TRS-80 Touch Pad), Atari 8-bit computers, Commodore 64, and IBM PC compatibles. Originally designed by Dr. David Thornburg as a low-cost computer drawing tool for schools, the KoalaPad and the bundled drawing program, KoalaPainter, were popular with home users as well. KoalaPainter was called KoalaPaint in some versions for the Apple II, and PC Design for the IBM PC. A program called Graphics Exhibitor was included for creating slideshow presentations from KoalaPainter drawings.

== Description ==

The pad was four inches square (i.e. roughly 10×10 cm) and mounted on a slightly inclined base with the back of the pad higher than the front. At the top, "behind" the pad, were two buttons. The pad hooked into the computer using the analog signals of the joystick ports (the so-called paddle inputs), which meant that it had a low resolution and tended to jostle the cursor if moved during use. As an alternative to the drawing stylus, the pad could as easily be operated by the user's fingers for tasks that demanded less precision, such as selecting between menu items (thus using the pad as a kind of "indirect touch screen"). The top-mounted buttons tended to be somewhat frustrating to use, as the user had to "reach around" the stylus to push the buttons in order to start or stop drawing. A similar tablet from Atari, the Atari CX77 Touch Tablet, addressed this with a built-in button on the stylus, which some enterprising users adapted for use with their KoalaPad.

== KoalaPainter ==

The pad shipped with a simple bitmap graphics editor developed by Audio Light called KoalaPainter, PC Design or Micro Illustrator depending on the target machine (see release history). Although bundled with the pad, KoalaPainter could also be operated using an ordinary digital joystick. One unique feature of the program, for its time, was that it held two pictures in the computer's memory, allowing the user to flip from one to the other—a function commonly used in order to study the differences between an original and a modified picture, and to copy and paste between two different pictures. Some third-party bitmap editors could also be used with the KoalaPad, such as Broderbund's Dazzle Draw for the Apple II.

=== Release history ===

* KoalaPainter for Commodore 64 (1983) and Atari 8-bit computers (1983)
* PC Design for the IBM PC (1983)
* Micro Illustrator for the Apple II (1983), Atari 8-bit computers (1983) and Commodore Plus/4 (1984)
* KoalaPainter II for Commodore 64 (1984)

=== Reception ===

Ahoy! called KoalaPainter "a very powerful and effective color drawing package", and concluded that it and the KoalaPad were "excellent in ease of use, a fine choice for a beginner as well as young children". BYTE's reviewer stated in December 1984 that he made far fewer errors when using an Apple Mouse with MousePaint than with a KoalaPad and its software. He found that MousePaint was easier to use and more efficient, predicting that the mouse would receive more software support than the pad. Cassie Stahl in InfoWorld's Essential Guide to Atari Computers praised the tablet and its documentation, rating it "Excellent" in all categories and stating that "Playing with the KoalaPad becomes addictive. It does everything it claims to, and it does it well". She also liked Micro Illustrator, rating it "Excellent" except for "Good" for Performance. While criticizing the limited erase function, Stahl reported an undocumented feature enabling exporting pictures to other software.

=== File format ===

The Commodore 64 version of KoalaPainter used a fairly simple file format corresponding directly to the way bitmapped graphics are handled on the computer: a two-byte load address, followed immediately by 8,000 bytes of raw bitmap data, 1,000 bytes of raw "Video Matrix" data, 1,000 bytes of raw "Color RAM" data, and a one-byte Background Color field.

== KoalaWare ==

Koala Technologies offered more software beyond the bundled KoalaPainter and Graphics Exhibitor for use with the pad. Among these applications, marketed under the moniker KoalaWare (like KoalaPainter itself), was educational software for use with customized keypads and overlays, such as spelling tools, music programs, and mathematics instruction software, as well as software for "translating" graphical designs into Logo programs.
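A parser for the Commodore 64 KoalaPainter file layout given in the File format section, written in Python as an added example (not Koala's own code). It goes one step beyond the page by decoding individual pixels according to the C64's multicolour bitmap mode, which is how these fields are interpreted by the hardware; the sample file, including its load address, is constructed.

```python
"""Parser for the C64 KoalaPainter layout described above: 2-byte load address,
8000 bytes bitmap, 1000 bytes video matrix (screen RAM), 1000 bytes colour RAM,
1 byte background colour. Added example; the sample file below is constructed."""
import struct
from dataclasses import dataclass

BITMAP_LEN, MATRIX_LEN, COLOR_LEN = 8000, 1000, 1000
TOTAL_LEN = 2 + BITMAP_LEN + MATRIX_LEN + COLOR_LEN + 1   # 10003 bytes


@dataclass
class KoalaImage:
    load_address: int
    bitmap: bytes
    video_matrix: bytes
    color_ram: bytes
    background: int

    def pixel_color(self, x, y):
        """Colour index (0-15) of multicolour pixel (x, y), 0 <= x < 160, 0 <= y < 200.
        Decoding follows C64 multicolour bitmap mode (beyond what the page states):
        bit pair 00 -> background, 01 -> high nibble of screen RAM,
        10 -> low nibble of screen RAM, 11 -> colour RAM nibble."""
        cell = (y // 8) * 40 + x // 4            # 40 x 25 character cells, 4 pixels wide
        byte = self.bitmap[cell * 8 + (y % 8)]   # 8 bytes per cell, one per pixel row
        pair = (byte >> (6 - 2 * (x % 4))) & 0b11
        if pair == 0b00:
            return self.background & 0x0F
        if pair == 0b01:
            return self.video_matrix[cell] >> 4
        if pair == 0b10:
            return self.video_matrix[cell] & 0x0F
        return self.color_ram[cell] & 0x0F


def parse_koala(data: bytes) -> KoalaImage:
    """Split a raw KoalaPainter file into its fixed-size fields, rejecting bad sizes."""
    if len(data) != TOTAL_LEN:
        raise ValueError(f"expected {TOTAL_LEN} bytes, got {len(data)}")
    load_address = struct.unpack_from("<H", data, 0)[0]   # C64 load addresses are little-endian
    pos = 2
    bitmap = data[pos:pos + BITMAP_LEN]
    pos += BITMAP_LEN
    video_matrix = data[pos:pos + MATRIX_LEN]
    pos += MATRIX_LEN
    color_ram = data[pos:pos + COLOR_LEN]
    pos += COLOR_LEN
    return KoalaImage(load_address, bitmap, video_matrix, color_ram, data[pos])


def make_sample() -> bytes:
    """Constructed file: the first pixel row of every cell is 0b00011011, screen RAM
    byte 0x3A, colour RAM byte 0x07, background 0x06, constructed load address 0x6000."""
    bitmap = bytearray(BITMAP_LEN)
    for cell in range(1000):
        bitmap[cell * 8] = 0b00011011
    matrix = bytes([0x3A]) * MATRIX_LEN
    color = bytes([0x07]) * COLOR_LEN
    return struct.pack("<H", 0x6000) + bytes(bitmap) + matrix + color + bytes([0x06])
```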

Artifact (app)

Artifact was a personalized social news aggregator app that used recommender systems to suggest articles. Launched in January 2023 by Nokto, Inc., a company founded by Instagram co-founders Kevin Systrom and Mike Krieger, the app was available for iOS and Android. The app's name is a portmanteau of the words "articles", "artificial intelligence", and "fact". The app shut down in January 2024 as a result of low interest.

== History ==

Nokto, Inc. was established on March 3, 2022, as a foreign stock company in California, with its headquarters in San Francisco. The company's main product, Artifact, was the first new product launched by Krieger and Systrom since their 2018 resignation from Instagram after conflicts with parent company Meta, which acquired Instagram in 2012. Artifact launched on January 31, 2023, after the team had been working on it for over a year, offering the option to sign up for a waiting list for its private beta, which grew to about 160,000 people, and then launching in open beta on February 22, 2023. With a team of seven employees in San Francisco, the app was free throughout its lifetime, with the founders explaining at the time that different business models, such as advertising or subscription fees, could be explored in the future. In January 2024, cofounder Kevin Systrom announced that the app would be shutting down after concluding that "the market opportunity isn't big enough to warrant continued investment in this way." In April 2024, it was announced that Artifact had been acquired by Yahoo, which intended to use the service's technology in an upgraded Yahoo! News app.

== Features ==

Frequently described as "TikTok for text" and a competitor to Twitter, Artifact was a news aggregator that used machine learning to make personalized recommendations based on topics, news sources, and authors that the reader was interested in. In addition to reading articles, the app offered the ability to like articles, leave comments, or listen to an audio version of an article read by AI-generated voices, including a simulation of the voices of Snoop Dogg or Gwyneth Paltrow. AI also would rewrite clickbait headlines that users flagged. Artifact later expanded to a social network where users could post links, images and text to their profile, which could be liked or commented on by other users. Similar to other social news websites like Reddit, reader accounts had profiles with reputation scores.

Alexis Spectral Data

Alexis Spectral Data is software developed for colour matching processes that calculates, from available spectral data, the colour numbers used by computers to display colours on screen. It displays the colour for each spectral reflectance curve and records the calculated trichromatic values and colour numbers along with the spectral curves. This eliminates the need to scan the samples separately with a truecolour scanner while creating the database. The spectral data can be entered manually as a series of reflectance values at wavelengths measured under different standard illuminants, with an arbitrary but fixed increment that must be kept for each spectral curve throughout the creation of the whole database. Therefore, older UV-VIS spectrophotometers that cannot be interfaced with computers can also be used for creating the database needed for colour matching. Alexis Spectral Data determines the whiteness degree in a less time-consuming way, which permits storage and easier handling of the obtained data. Alexis Spectral Data can export the trichromatic values, calculated from the spectral curves, to Alexis Analyser, software that handles only trichromatic data. The earliest information about the development of this software comes from a paper published by a student at the University Politehnica Bucharest in 1993. The software runs on Windows-based computers but not on other operating systems.