Oracle

Java Installer Flaw Shows Why You Should Clear Your Downloads Folder (csoonline.com) 47

itwbennett writes: On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have lying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason: Older versions of the Java installer were vulnerable to binary planting in the Downloads folder. 'Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system,' said Eric Maurice, Oracle's software security assurance director, in a blog post.
Open Source

GitHub Open Sources Their Internal Testing Tool (thenewstack.io) 48

destinyland writes: Last week GitHub released a new open source tool called Scientist, a Ruby-based library they've been using in-house for several years. "It's the most terrifying moment when you flip the switch," GitHub engineer Jesse Toth told one technology reporter, who notes that the tool is targeted at developers transitioning from a legacy system. "Scientist was born when GitHub engineers needed to rewrite the permissions code — one of the most critical systems in the GitHub application." The tool measures execution duration and other metrics for both test and production code during runtime, and Toth reports that they're now also developing new versions in Node.js, C#, and .Net.
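The pattern the post describes (run the legacy code path and the rewrite side by side, answer from the legacy path, record timings and any disagreement) is easy to misread as "run both and pick the new one". The following is an added example written for this page, not GitHub's Scientist library, which is Ruby; it is a minimal Python rendering of the same experiment idea. The toy permission model, the two check functions and the deliberate owner-handling defect in the rewrite are constructed for illustration.

```python
"""Scientist-style experiment: control stays authoritative, candidate is only observed.

Added example for this page, not GitHub's Scientist (a Ruby library).
The repository data and both permission checks are constructed toys.
"""
import random
import time


class Observation:
    """Outcome of running one behaviour: value or exception, plus wall time."""

    def __init__(self, name, value=None, exception=None, duration=0.0):
        self.name, self.value, self.exception, self.duration = name, value, exception, duration


class Experiment:
    """Runs a control and a candidate, returns the control's result, and
    hands the comparison to `publish` (any callable) for later review."""

    def __init__(self, name, publish, compare=None):
        self.name = name
        self.publish = publish
        self.compare = compare or (lambda a, b: a == b)
        self._behaviors = {}

    def use(self, fn):
        self._behaviors["control"] = fn      # the legacy path, whose answer is returned

    def try_(self, fn):
        self._behaviors["candidate"] = fn    # the rewrite, whose answer is only recorded

    def _observe(self, name):
        start = time.perf_counter()
        try:
            value, exc = self._behaviors[name](), None
        except Exception as e:  # candidate failures must never escape to the caller
            value, exc = None, e
        return Observation(name, value, exc, time.perf_counter() - start)

    def run(self):
        names = list(self._behaviors)
        random.shuffle(names)  # random order so neither side always benefits from warm caches
        obs = {o.name: o for o in (self._observe(n) for n in names)}
        control, candidate = obs["control"], obs["candidate"]
        if control.exception is None and candidate.exception is None:
            matched = self.compare(control.value, candidate.value)
        else:
            # both raised the same kind of exception counts as agreement
            matched = type(control.exception) is type(candidate.exception)
        self.publish({"experiment": self.name, "matched": matched,
                      "control": control, "candidate": candidate})
        if control.exception is not None:
            raise control.exception  # legacy behaviour is preserved, failures included
        return control.value


# Constructed toy permission model: repo -> owner, collaborators, visibility.
REPOS = {
    "acme/api": {"owner": "alice", "collaborators": {"bob"}, "public": False},
    "acme/site": {"owner": "alice", "collaborators": set(), "public": True},
}


def can_read_legacy(user, repo):
    r = REPOS[repo]
    return r["public"] or user == r["owner"] or user in r["collaborators"]


def can_read_rewrite(user, repo):
    r = REPOS[repo]
    if r["public"]:
        return True
    return user in r["collaborators"]  # constructed defect: the owner check was lost in the rewrite


def check_read(user, repo, results):
    """Guarded permission check: answers from the legacy path, records how the rewrite differs."""
    exp = Experiment("permissions.can_read", publish=results.append)
    exp.use(lambda: can_read_legacy(user, repo))
    exp.try_(lambda: can_read_rewrite(user, repo))
    return exp.run()


def run_demo():
    """Exercise every (user, repo) pair; return answers, raw results and mismatches."""
    results = []
    answers = {(u, r): check_read(u, r, results)
               for u in ("alice", "bob", "carol") for r in REPOS}
    mismatches = [(res["control"].value, res["candidate"].value)
                  for res in results if not res["matched"]]
    return answers, results, mismatches


if __name__ == "__main__":
    answers, results, mismatches = run_demo()
    print(answers)
    print("mismatches:", mismatches)
```

The point worth noticing is the last few lines of `run()`: the caller sees exactly what the legacy code would have produced, including its exceptions, while the rewrite's wrong answer on the owner case turns up only in the published results. That is what makes it safe to run against production traffic before the switch is flipped.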
Security

Researcher Finds Tens of Software Products Vulnerable To Simple Bug (softpedia.com) 132

An anonymous reader writes: There's a German security researcher that is arduously testing the installers of tens of software products to see which of them are vulnerable to basic DLL hijacking. Surprisingly, many companies are ignoring his reports. Until now, only Oracle seems to have addressed this problem in Java and VirtualBox. Here's a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7's ScanNowUPnP, Kaspersky, and F-Secure.
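Both of the stories above turn on the same mechanism: a Windows program that asks for a DLL by bare file name gets whatever sits in its own directory before the copy in System32, so an attacker who can drop a file into Downloads controls what the installer loads. The following is an added example written for this page, not Oracle's or the researcher's code. It models the default DLL search order with plain directories so it runs on any OS, then uses that model to flag DLLs planted beside installers in a Downloads folder. The directory layout, the installer stub and the choice of `version.dll` as the planted name are constructed for the demo; the model ignores the KnownDLLs exemption and the case-insensitivity of real Windows paths.

```python
"""Model of the Windows DLL search order behind the installer flaws above.

Added example for this page, not Oracle's or the researcher's code.
Directories stand in for the real system folders; file contents are stubs.
"""
import tempfile
from pathlib import Path

INSTALLER_SUFFIXES = {".exe", ".msi"}


def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs, safe_search=True):
    """Directories in the order LoadLibrary checks them for a bare DLL name.

    With SafeDllSearchMode (the default) the current working directory is
    searched after the system directories; with it off, CWD comes right
    after the application directory.  Either way the application directory
    is first, which is why a DLL dropped next to an installer wins over the
    genuine copy in System32.  (KnownDLLs are exempt; not modelled here.)
    """
    order = [Path(app_dir)]
    if not safe_search:
        order.append(Path(cwd))
    order += [Path(system_dir), Path(windows_dir)]  # 16-bit system dir omitted
    if safe_search:
        order.append(Path(cwd))
    order += [Path(p) for p in path_dirs]
    return order


def resolve_dll(name, dirs):
    """Return the first existing file called `name` along `dirs`, or None."""
    for d in dirs:
        candidate = Path(d) / name
        if candidate.is_file():
            return candidate
    return None


def find_planted_dlls(downloads_dir, system_dir, windows_dir, path_dirs=()):
    """Flag DLLs in downloads_dir, noting which installers they sit beside and
    whether they shadow a same-named copy under the system directories."""
    root = Path(downloads_dir)
    installers = sorted(p.name for p in root.iterdir()
                        if p.is_file() and p.suffix.lower() in INSTALLER_SUFFIXES)
    findings = []
    for dll in sorted(root.glob("*.dll")):
        order = search_order(root, system_dir, windows_dir, cwd=root, path_dirs=path_dirs)
        loaded = resolve_dll(dll.name, order)
        genuine = resolve_dll(dll.name, [system_dir, windows_dir])
        findings.append({
            "dll": dll.name,
            "beside_installers": installers,
            "shadows_system_copy": genuine is not None and loaded == dll,
        })
    return findings


def demo():
    """Build a constructed Downloads/System32 layout and show the planted DLL winning."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        downloads, system32, windows = tmp / "Downloads", tmp / "System32", tmp / "Windows"
        for d in (downloads, system32, windows):
            d.mkdir()
        (downloads / "installer.exe").write_bytes(b"MZ")          # constructed installer stub
        (downloads / "version.dll").write_bytes(b"MZ planted")    # attacker-planted DLL
        (system32 / "version.dll").write_bytes(b"MZ genuine")     # genuine system copy
        order = search_order(downloads, system32, windows, cwd=downloads, path_dirs=[])
        loaded = resolve_dll("version.dll", order)
        return loaded.read_bytes(), find_planted_dlls(downloads, system32, windows)


if __name__ == "__main__":
    content, findings = demo()
    print("installer would load:", content)
    for f in findings:
        print(f)
```

The practical reading of Oracle's advice follows from `find_planted_dlls`: any DLL sitting in Downloads next to an installer is suspect, and one that shadows a system copy is the classic planting. Clearing the folder, or running installers from a fresh empty directory, removes the application-directory step from the attacker's reach; the fixed installers instead load those DLLs by full path or from System32 only.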
Facebook

Why Facebook Really Shut Down Parse (medium.com) 39

New submitter isisilik writes: For those working in the 'aaS' business the Parse shutdown was the main topic of conversation this weekend. So why did Facebook decide to shut down their developer platform? The author claims that Facebook never wanted to host apps to begin with, they just wanted developers to use Facebook login. And he builds up a good case.
Firefox

Firefox Adopts a 6-8 Week Variable Release Schedule (mozilla.org) 230

AmiMoJo writes: Four years ago Mozilla moved to a fixed-schedule release model, otherwise known as the Train Model, in which we released Firefox every six weeks to get features and updates to users faster. Now Mozilla is moving to a variable 6-8 week cycle, with the same number of releases per year but some flexibility to 'respond to emerging user and market needs' and allow time for holidays. The new release schedule looks like this:
  • 2016-01-26 – Firefox 44
  • 2016-03-08 – Firefox 45, ESR 45 (6 weeks cycle)
  • 2016-04-19 – Firefox 46 (6 weeks cycle)
  • 2016-06-07 – Firefox 47 (7 weeks cycle)
  • 2016-08-02 – Firefox 48 (8 weeks cycle)
  • 2016-09-13 – Firefox 49 (6 weeks cycle)
  • 2016-11-08 – Firefox 50 (8 weeks cycle)
  • 2016-12-13 – Firefox 50.0.1 (5 week cycle, release for critical fixes as needed)
  • 2017-01-24 – Firefox 51 (6 weeks from prior release)

Programming

Drag-and-Drop "CS" Tutorials: the Emperor's New Code? 155

theodp writes: "Teaching kids computer science is a great movement," writes HS senior David Yue, "however, to overly dilute the magnitude of the difficulty in regards to the subject area of coding and to create the illusion of mastering a 'superpower' (Code.org) is a huge mistake. There are many videos and articles on the Internet these days that have demonstrated positive support towards computer science education. Below these articles, one can find many comments, left mostly by parents and supporters. These people usually express how proud they are that their children have an opportunity to learn computer science or how proud they are that computer science is being integrated at a more substantial level into the education system." But Drag and Drop Doesn't = Coding, argues Yue. "Parents and teachers today who aren't technical need to be aware that the drag and drop code or the candy-coated learning process does not effectively teach children programming but eventually causes a huge amount of shock once they are immersed in real code." Yue's Emperor's-New-Code warning comes days before President Obama — a graduate of Code.org's drag-and-drop Disney Princess coding tutorial — asks Congress for $4-billion-and-change in the upcoming budget to fund his "Computer Science for All" K-12 initiative.
Windows

Windows 10 Gets Core Console Host Enhancements (nivot.org) 244

x0n writes: As of Windows 10 TH2 (10.0.1058), the core console subsystem has support for a large number of ANSI and VT100 escape sequences. This is likely to prepare for full OpenSSH server/client integration, which is already underway over on GitHub. It looks like xterm is finally coming to Windows. OpenSSH was previously announced (last year) by the very forward-looking PowerShell team. The linked article provides some context, and explains that the console host isn't the same as either cmd.exe or powershell.exe, but there is a lot of overlap in functionality.
Displays

Unreal Engine Will Soon Allow Developers To Build Games Inside of VR (roadtovr.com) 37

An anonymous reader writes: Epic Games, the creators of Unreal Engine, has been a longstanding supporter of VR. They were on board way back when Oculus sparked the VR industry in 2012 with a Kickstarter that would snowball into a rekindling of consumer virtual reality. Having been one of the first major game engines to support VR headsets like the Rift, the company has been aggressively positioning Unreal Engine as the go-to tool for VR developers. Now they're taking a massive next step, showing the first look at bringing developers themselves inside of virtual reality to craft games with the full set of UE4 tools at their fingertips. That means that developers can place and manipulate objects from right within a world in progress; the video demo in the linked story is impressive.
Businesses

GitHub Is Undergoing a Full-Blown Overhaul As Execs and Employees Depart (businessinsider.com) 266

mattydread23 writes: This is what happens when hot startups grow up. [GitHub] CEO Chris Wanstrath is imposing management structure where there wasn't much before, and execs are departing, partly because the company is cracking down on remote work. It's a lot like Facebook in 2009. Business Insider has the full inside story based on multiple sources in and close to the company.
Education

K-12 CS Framework Draft: Kids Taught To 'Protect Original Ideas' In Early Grades 132

theodp writes: Remember that Code.org and ACM-bankrolled K-12 Computer Science Education Framework that Microsoft, Google, Apple, and others were working on? Well, a draft of the framework was made available for review on Feb. 3rd, coincidentally just 3 business days after U.S. President Barack Obama and Microsoft President Brad Smith teamed up to announce the $4+ billion Computer Science for All initiative for the nation's K-12 students. "Computationally literate citizens have the responsibility to learn about, recognize, and address the personal, ethical, social, economic, and cultural contexts in which they operate," explains the section on Fostering an Inclusive Computing Culture, one of seven listed 'Core K-12 CS Practices'. "Participating in an inclusive computing culture encompasses the following: building and collaborating with diverse computational teams, involving diverse users in the design process, considering the implication of design choices on the widest set of end users, accounting for the safety and security of diverse end users, and fostering inclusive identities of computer scientists." Hey, do as they say, not as they do! Also included in the 10-page draft (pdf) is a section on Law and Ethics, which begins: "In early grades, students differentiate between responsible and irresponsible computing behaviors. Students learn that responsible behaviors can help individuals while irresponsible behaviors can hurt individuals. They examine legal and ethical considerations for obtaining and sharing information and apply those behaviors to protect original ideas."
Open Source

Python 3 Is Coming To Scrapy (scrapinghub.com) 87

New submitter Valdir Stumm Junior writes: Scrapy with beta Python 3 support is finally here! Released through Scrapy 1.1.0rc1, this is the result of several months of hard work on the part of the Scrapy community and Scrapinghub engineers.

This is a huge milestone for all you Scrapy users (and those who haven't used Scrapy due to the lack of Python 3). Scrapy veterans and new adopters will soon be able to move their entire stack to Python 3 once the release becomes stable. Keep in mind that since this is a release candidate, it is not ready to be used in production.

Open Source

Link Rot Rx: 'Amber' Add-on For WordPress and Drupal 17

David Rothman writes: If you run a WordPress or Drupal site, you can now fight link rot with Amber, a new open source add-on from Harvard's Berkman Center. If links are dead, visitors can still summon up the pages as stored on your server or, if you prefer, outside ones such as the Internet Archive. TeleRead has the details, and the Amber site is here, with download information.
Cloud

New Hack Shrinks Docker Containers (www.iron.io) 130

destinyland writes: Promising "uber tiny Docker images for all the things," Iron.io has released a new library of base images for every major language optimized to be as small as possible by using only the required OS libraries and language dependencies. "By streamlining the cruft that is attached to the node images and installing only the essentials, they reduced the image from 644 MB to 29 MB," explains one technology reporter, noting this makes it quicker to download and distribute the image, and also more secure. "Less code/less programs in the container means less attack surface..." writes Travis Reeder, the co-founder of Iron.io, in a post on the company's blog. "Most people who start using Docker will use Docker's official repositories for their language of choice, but unfortunately if you use them, you'll end up with images the size of the Empire State Building..."
Programming

Winner of the 2015 Underhanded C Contest Announced (underhanded-c.org) 48

Xcott Craver writes: The Underhanded C contest results have now been announced. This time the contest challenge was to cause a false match in a nuclear inspection scenario, allowing a country to remove fissile material from a warhead without being noticed. The winner receives $1000 from the Nuclear Threat Initiative.
IOS

7 Swift 2 Enhancements iOS Devs Will Love 123

snydeq writes: InfoWorld's Paul Solt outlines how Apple has made good on Swift's emphasis on performance, approachability, and ease in its latest update, offering up seven worthwhile enhancements to Swift 2, along with code samples. 'Many of the enhancements to Swift, through both the Swift 2.0 update and subsequent Swift 2.1 update, have made the language more explicit and intentional, and in turn, Swift 2 code will be safer and easier to maintain for years to come (especially now that Swift is open source). New language constructs (keywords) in Swift 2 improve the readability of control flow — the order in which lines of code are executed. Thanks to these new keywords, collaborating on Swift code will be much more productive and efficient.'
The Media

How To Build a TimesMachine (nytimes.com) 41

necro81 writes: The NY Times has an archive, the TimesMachine, that allows users to find any article from any issue from 1851 to the present day. Most of it is shown in the original typeset context of where an article appeared on a given page — like sifting through a microfiche archive. But when original newspaper scans are 100-MB TIFF files, how can this information be conveyed in an efficient manner to the end user? These and other computational challenges are described in this blog post on how the TimesMachine was realized.
Communications

After More Than a Decade, MSN Chat Authentication Is Documented (goo.gl) 27

An anonymous reader writes: After MSN Chat closed in 2003, and then again in 2006, some guy has finally documented the authentication system used — over a decade later! Developer Joshua Davison writes by way of explanation: I think it's important to document the challenge we (users, scripters, hackers) faced connecting to MSN Chat, which is the only known 'proper' implementation of IRCX v8.1 at this time. MSN Chat introduced a GateKeeper SASL authentication protocol, which implemented 'GateKeeper' and 'GateKeeperPassport' (not dissimilar to the widely documented NTLM authentication protocol, which was also implemented as NTLM and NTLMPassport). The GateKeeper Security Support Provider (GKSSP) functioned in two ways: allowing a user to log in with a Microsoft Account (previously known as Microsoft Passport, .NET Passport, Microsoft Passport Network, and Windows Live ID), and also allowing guest authentication for users without, or not willing to use, a Microsoft Account. While most users didn't need or want to understand how the protocol worked, there were many of us who did, and many that just preferred to use MSN Chat outside of the browser.
Bug

FTDI Driver Breaks Hardware Again (eevblog.com) 268

janoc writes: It seems that the infamous FTDI driver that got famous by intentionally bricking counterfeit chips [NOTE: that driver was later removed] has got a new update that injects garbage data ('NON GENUINE DEVICE FOUND!') into the serial data. This was apparently going on for a while, but only now is the driver being pushed as an automatic update through Windows Update, thus many more people stand to be affected by this.

Let's hope that nobody dies in an industrial accident when a tech connects their cheap USB-to-serial cable to a piece of machinery and the controller misinterprets the garbage data.

Apple

Apple: Losing Out On Talent and In Need of a Killer New Device (theguardian.com) 428

mspohr writes with a link to an interesting (and rather dour) take at The Guardian on the state of Apple, which holds that: "Despite its huge value, Silicon Valley developers are turned off by [Apple's] 'secretive, controlling' culture and its engineering is no longer seen as cutting edge." From the article: "Tellingly, Apple is no longer seen as the best place for engineers to work, according to several Silicon Valley talent recruiters. It's a trend that has been happening slowly for years – and now, in this latest tech boom, has become more acute. ... Or as Elon Musk recently put the hiring situation a little more harshly: Apple is the "Tesla graveyard." "If you don't make it at Tesla, you go work at Apple," Musk recently told a German newspaper. The biggest issue for programmers seems to be a high-stress culture and cult of secrecy, which contrasts sharply with office trends toward gentler management and more playful workdays."
