tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."
Catch up on stories from the past week (and beyond) at the Slashdot story archive
snydeq writes "Regardless of where you stand on Anonymous' tactics, politics, or whatever, I think the group has something to teach developers and development organizations,' writes Andrew Oliver. 'As leader of an open source project, I can revoke committer access for anyone who misbehaves, but membership in Anonymous is a free-for-all. Sure, doing something in Anonymous' name that even a minority of "members" dislike would probably be a tactical mistake, but Anonymous has no trademark protection under the law; the organization simply has an overall vision and flavor. Its members carry out acts based on that mission. And it has enjoyed a great deal of success — in part due to the lack of central control. Compare this to the level of control in many corporate development organizations. Some of that control is necessary, but often it's taken to gratuitous lengths. If you hire great developers, set general goals for the various parts of the project, and collect metrics, you probably don't need to exercise a lot of control to meet your requirements."
CowboyRobot writes "Although not as lucrative as video games or movies, Gartner projects the software application development industry will pass the US$9 Billion mark this year. They credit 'evolving software delivery models, new development methodologies, emerging mobile application development, and open source software.' Also in the report is a projection that 'mobile application development projects targeting smartphones and tablets will outnumber native PC projects by a ratio of 4:1 by 2015.'"
Nerval's Lobster writes "Facebook recently invited a handful of employers into its headquarters for a more in-depth look at how it handles its flood of data. Part of that involves the social network's upcoming 'Project Prism,' which will allow Facebook to maintain data in multiple data centers around the globe while allowing company engineers to maintain a holistic view of it, thanks to tools such as automatic replication. That added flexibility could help Facebook as it attempts to wrangle an ever-increasing amount of data. 'It allows us to physically separate this massive warehouse of data but still maintain a single logical view of all of it,' is how Wired quotes Jay Parikh, Facebook's vice president of engineering, as explaining the system to reports. 'We can move the warehouses around, depending on cost or performance or technology.' Facebook has another project, known as Corona, which makes its Apache Hadoop clusters less crash-prone while increasing the number of tasks that can be run on the infrastructure."
An anonymous reader writes "A Cambridge academic is arguing for regulations that allow software users to sue developers when sloppy coding leaves holes for malware infection. European officials have considered introducing such a law but no binding regulations have been passed. Not everyone agrees that it's a good idea — Microsoft has previously argued against such a move by analogy, claiming a burglary victim wouldn't expect to be able to sue the manufacturer of the door or a window in their home."
An anonymous reader writes "In the tech industry, as the economy continues its downturn, IT folks in my circles who were either laid off or let go are turning to contract work to pay their bills. Layoffs and a decline in tech jobs has affected older IT workers the most. Many of us find it more lucrative and enjoyable in the long run and leave the world of cubicles forever. However, there is much to be said for working for a large company or corporation, and health insurance is one of the benefits we value most. But what happens to those who find themselves in this position at mid-career or later in life? Hopefully they have accumulated enough savings or have enough money in an HSA to survive a major medical emergency. Unfortunately, many do not and some find themselves in dire straits with their lives depending on others for help. I have been working IT contracts mostly now for the past 11 years and I've done very well. I belong to a group insurance plan and the coverage is decent, but as I get older, premiums and copays go up and coverage goes down. If you work contracts exclusively, what do you think is the best plan for insurance? Any preferences?"
mpol writes "Sergei from MariaDB speculated on some changes within MySQL 5.5.27. It seems new testcases aren't included with MySQL any more, which leaves developers depending on it in the cold. 'Does this mean that test cases are no longer open source? Oracle did not reply to my question. But indeed, there is evidence that this guess is true. For example, this commit mail shows that new test cases, indeed, go in this "internal" directory, which is not included in the MySQL source distribution.' On a similar note, updates for the version history on Launchpad are not being updated anymore. What is Oracle's plan here? And is alienating the developer community just not seen as a problem at Oracle?"
itwbennett writes "Earlier this month, the judge in the Oracle v. Google trial ordered the companies to disclose the names of bloggers and reporters who had taken payments from them. Not surprisingly, both companies have denied making direct payments to writers (with the exception of Florian Mueller of FOSSPatents, whose relationship to Oracle was disclosed in April). But Oracle has tattled on Google regarding some indirect connections. In particular, Oracle called out Ed Black for an article he wrote about the case for Forbes. And Jonathan Band, co-author of the book, 'Interfaces on Trial 2.0,' which Google cited in its April 3, 2012 copyright brief." Groklaw has an in-depth look at the filings. Oracle's fingerpointing is based in part on this BBC article and this piece at The Recorder, both of which they entered into evidence. Google's filing (PDF) affirmed that they have not paid media for articles or done any quid pro quo in exchange for coverage. However, they acknowledged that many people receive money from Google through other means (the company's philanthropy, ad business, etc.), and asked the judge if he wanted further details about those instances.
New submitter atsabig10fo writes "Twitter has finally released the hinted-at changes to their API, which include limiting the number of users for third party clients, per-endpoint rate limiting, and restrictions on how tweets can be displayed and posted. Twitter's Michael Sippey wrote, 'One of the key things we've learned over the past few years is that when developers begin to demand an increasingly high volume of API calls, we can guide them toward areas of value for users and their businesses. To that end, and similar to some other companies, we will require you to work with us directly if you believe your application will need more than one million individual user tokens.' Third party app developers are certainly going to be sweating these changes, and it puts the future of new development in question."
Nerval's Lobster writes "Tech writer and programmer Jeff Cogswell does a head-to-head comparison of Microsoft Azure and Amazon Web Services from a pure programming perspective, examining the respective sides' vendor lock-in and vendor-specific APIs (among other issues). 'If you're not using any vendor-specific APIs, then it's safe to say the experience you get on either Amazon or Microsoft will be roughly the same,' he writes. 'But that means you're also not developing an app that necessarily takes advantage of all possible cloud capabilities—not just add-ons, but scalability. Your app might need to expand and grow as your user base grows.' He suggests it's ultimately a tie between the two companies. 'From a strict programming perspective, both companies have their own RESTful API, and their own libraries for using the API.'" The problem with both of these services, though, that RMS could have told you about: "The moment you start using either, you're locked in for the most part."
judgecorp writes "Mozilla's mobile phone operating system only exists in an early beta form, but Oleg Romashin, a researcher at Nokia, has already got it working on the Raspberry Pi and posted video to prove it. We don't think this indicates any alternate strategy for Nokia if Windows Phone doesn't pan out, but it does show that Firefox OS is portable, and the Pi is capable, and both can be played with — which will please both Mozilla and the Raspberry Pi Foundation. And the Firefox OS work in progress is available for download (direct tarball link)."
whyloginwhysubscribe writes "The usually excellent BBC 'Click' programme has an article on 'Why computer code is the new language to learn' — which features a company in London who offer courses on learning to code in a day. The BBC clip has an interesting interview with a marketing director who, it seems to me, is going to go back and tell his programmers to speed up because otherwise he could do it himself! Decoded.co's testimonials page is particularly funny: 'I really feel like I could talk credibly to a coder, given we can now actually speak the same language.'"
theodp writes "The NYT's Steve Lohr reports that his has been the crossover year for Big Data — as a concept, term and marketing tool. Big Data has sprung from the confines of technology circles into the mainstream, even becoming grist for Dilbert satire ('Big Data lives in The Cloud. It knows what we do.'). At first, Jim Davis, CMO at analytics software vendor SAS, viewed Big Data as part of another cycle of industry phrasemaking. 'I scoffed at it initially,' Davis recalls, noting that SAS's big corporate customers had been mining huge amounts of data for decades. But as the vague-but-catchy term for applying tools to vast troves of data beyond that captured in standard databases gained world-wide buzz and competitors like IBM pitched solutions for Taming The Big Data Tidal Wave, 'we had to hop on the bandwagon,' Davis said (SAS now has a VP of Big Data). Hey, never underestimate the power of a meme!"
An anonymous reader writes "Today the source code to the Rootbeer GPU Compiler was released as open source on github. This work allows for a developer to use almost any Java code on the GPU. It is free, open source and highly tested. Rootbeer is the most full featured translator to convert Java Bytecode to CUDA. It allows arbitrary graphs of objects to be serialized to the GPU and the GPU kernel to be written in Java." Rootbeer is the work of Syracuse University instructor Phil Pratt-Szeliga.
mikejuk writes "WebRTC is a way to allow browsers to get in touch with one another using audio or video data without the help of a server. Google has been something of a pioneer in this area, and submitted a suggested technology for the standard. Mozilla has gone along with it, making it all look good. Microsoft, on the other hand, just seemed to be standing on the sidelines, watching what was happening. However, Microsoft now has a product that needs something like WebRTC; namely, Skype. It has been working on a web-based version of Skype and this has focused the collective mind on the problems of browser-to-browser communication. It now agrees that a standard is needed, just not the one Google and Mozilla are behind. Microsoft has submitted its own proposals for CU-RTC-Web or Customizable, Ubiquitous Real Time Communication over the Web, to the W3C. It may well be that Microsoft's alternative has features that make it superior, but a single standard is preferable to a better non-standard. Given Microsoft's need to make Skype work in the browser, it seems likely that, should its proposal not be accepted as the standard, it will press on regardless, thus splitting the development environment. Both Google and Mozilla have already put a lot of work into WebRTC, and there are partial implementations in Firefox, Chrome and Opera."
hypnosec writes with news that Sergey Aleynikov, once a programmer for Goldman Sachs, has been arrested and charged again for stealing code from his employer in 2009. Aleynikov was originally charged for the crime in 2009. He was convicted in 2010 and sentenced to 97 months in prison, but an appeals court overturned the verdict, saying the corporate espionage laws were misapplied. Manhattan District Attorney Cryus Vance said, "This code is so highly confidential that it is known in the industry as the firm's 'secret sauce.' Employees who exploit their access to sensitive information should expect to face criminal prosecution in New York State in appropriate cases." The Fifth Amendment's "double jeopardy" clause is unlikely to stop this case because it's within a different jurisdiction — the earlier trial was in federal court, and this one is in New York State court.
An anonymous reader writes "Steve Yegge is back at it again. This essay is on the notion that software engineers range from conservative to liberal in their notion of software and how it should be built. He says, 'Just as in real-world politics, software conservatism and liberalism are radically different world views. Make no mistake: they are at odds. They have opposing value systems, priorities, core beliefs and motivations. These value systems clash at design time, at implementation time, at diagnostic time, at recovery time. They get along like green eggs and ham. I think it is important for us to recognize and understand the conservative/liberal distinction in our industry. It probably won't help us agree on anything, pretty much by definition. Any particular issue only makes it onto the political axis if there is a fundamental, irreconcilable difference of opinion about it. Programmers probably won't — or maybe even can't — change their core value systems. But the political-axis framework gives us a familiar set of ideas and terms for identifying areas of fundamental disagreement. This can lead to faster problem resolution.'"