First time accepted submitter JavaBear writes "Oracle have just released the u7 release of their Java 7. From the article: 'In response to the findings of a recent vulnerability in Java 7 that was being exploited by malware developers, Oracle has released an official patch that takes care of the problem. In the past week, a new vulnerability was unveiled in Oracle's Java 7 runtime, which has been used by hackers in targeted attacks on Windows-based systems. Similar to the recent Flashback malware in OS X, this vulnerability allows criminals to create a drive-by hack where the only action needed to compromise a system is to visit a rogue Web page that hosts a malicious Java applet."
Catch up on stories from the past week (and beyond) at the Slashdot story archive
dutchwhizzman writes "Polish security researcher Adam Gowdiak submitted bug reports months ago for the current Java 7 zero-day exploit that's wreaking havoc all over the Internet. It seems that Oracle can't — or won't? — take such reports seriously. Is it really time to ditch Oracle's Java and go for an open source VM?"
theodp writes "The Wall Street Journal reports that pair programming is all the rage at tech darlings Facebook and Square. Its advocates speak in glowing terms of the power of pair programming, saying paired coders can catch costly software errors and are less likely to waste time surfing the Web. 'The communication becomes so deep that you don't even use words anymore,' says Facebook programmer Kent Beck. 'You just grunt and point.' Such reverent tones prompted Atlassian to poke a little fun at the practice with Spooning, an instructional video in which a burly engineer sits on a colleague's lap, wraps his arms around his partner's waist and types along with him hand over hand."
tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."
snydeq writes "Regardless of where you stand on Anonymous' tactics, politics, or whatever, I think the group has something to teach developers and development organizations,' writes Andrew Oliver. 'As leader of an open source project, I can revoke committer access for anyone who misbehaves, but membership in Anonymous is a free-for-all. Sure, doing something in Anonymous' name that even a minority of "members" dislike would probably be a tactical mistake, but Anonymous has no trademark protection under the law; the organization simply has an overall vision and flavor. Its members carry out acts based on that mission. And it has enjoyed a great deal of success — in part due to the lack of central control. Compare this to the level of control in many corporate development organizations. Some of that control is necessary, but often it's taken to gratuitous lengths. If you hire great developers, set general goals for the various parts of the project, and collect metrics, you probably don't need to exercise a lot of control to meet your requirements."
CowboyRobot writes "Although not as lucrative as video games or movies, Gartner projects the software application development industry will pass the US$9 Billion mark this year. They credit 'evolving software delivery models, new development methodologies, emerging mobile application development, and open source software.' Also in the report is a projection that 'mobile application development projects targeting smartphones and tablets will outnumber native PC projects by a ratio of 4:1 by 2015.'"
Nerval's Lobster writes "Facebook recently invited a handful of employers into its headquarters for a more in-depth look at how it handles its flood of data. Part of that involves the social network's upcoming 'Project Prism,' which will allow Facebook to maintain data in multiple data centers around the globe while allowing company engineers to maintain a holistic view of it, thanks to tools such as automatic replication. That added flexibility could help Facebook as it attempts to wrangle an ever-increasing amount of data. 'It allows us to physically separate this massive warehouse of data but still maintain a single logical view of all of it,' is how Wired quotes Jay Parikh, Facebook's vice president of engineering, as explaining the system to reports. 'We can move the warehouses around, depending on cost or performance or technology.' Facebook has another project, known as Corona, which makes its Apache Hadoop clusters less crash-prone while increasing the number of tasks that can be run on the infrastructure."
An anonymous reader writes "A Cambridge academic is arguing for regulations that allow software users to sue developers when sloppy coding leaves holes for malware infection. European officials have considered introducing such a law but no binding regulations have been passed. Not everyone agrees that it's a good idea — Microsoft has previously argued against such a move by analogy, claiming a burglary victim wouldn't expect to be able to sue the manufacturer of the door or a window in their home."
An anonymous reader writes "In the tech industry, as the economy continues its downturn, IT folks in my circles who were either laid off or let go are turning to contract work to pay their bills. Layoffs and a decline in tech jobs has affected older IT workers the most. Many of us find it more lucrative and enjoyable in the long run and leave the world of cubicles forever. However, there is much to be said for working for a large company or corporation, and health insurance is one of the benefits we value most. But what happens to those who find themselves in this position at mid-career or later in life? Hopefully they have accumulated enough savings or have enough money in an HSA to survive a major medical emergency. Unfortunately, many do not and some find themselves in dire straits with their lives depending on others for help. I have been working IT contracts mostly now for the past 11 years and I've done very well. I belong to a group insurance plan and the coverage is decent, but as I get older, premiums and copays go up and coverage goes down. If you work contracts exclusively, what do you think is the best plan for insurance? Any preferences?"
mpol writes "Sergei from MariaDB speculated on some changes within MySQL 5.5.27. It seems new testcases aren't included with MySQL any more, which leaves developers depending on it in the cold. 'Does this mean that test cases are no longer open source? Oracle did not reply to my question. But indeed, there is evidence that this guess is true. For example, this commit mail shows that new test cases, indeed, go in this "internal" directory, which is not included in the MySQL source distribution.' On a similar note, updates for the version history on Launchpad are not being updated anymore. What is Oracle's plan here? And is alienating the developer community just not seen as a problem at Oracle?"
itwbennett writes "Earlier this month, the judge in the Oracle v. Google trial ordered the companies to disclose the names of bloggers and reporters who had taken payments from them. Not surprisingly, both companies have denied making direct payments to writers (with the exception of Florian Mueller of FOSSPatents, whose relationship to Oracle was disclosed in April). But Oracle has tattled on Google regarding some indirect connections. In particular, Oracle called out Ed Black for an article he wrote about the case for Forbes. And Jonathan Band, co-author of the book, 'Interfaces on Trial 2.0,' which Google cited in its April 3, 2012 copyright brief." Groklaw has an in-depth look at the filings. Oracle's fingerpointing is based in part on this BBC article and this piece at The Recorder, both of which they entered into evidence. Google's filing (PDF) affirmed that they have not paid media for articles or done any quid pro quo in exchange for coverage. However, they acknowledged that many people receive money from Google through other means (the company's philanthropy, ad business, etc.), and asked the judge if he wanted further details about those instances.
New submitter atsabig10fo writes "Twitter has finally released the hinted-at changes to their API, which include limiting the number of users for third party clients, per-endpoint rate limiting, and restrictions on how tweets can be displayed and posted. Twitter's Michael Sippey wrote, 'One of the key things we've learned over the past few years is that when developers begin to demand an increasingly high volume of API calls, we can guide them toward areas of value for users and their businesses. To that end, and similar to some other companies, we will require you to work with us directly if you believe your application will need more than one million individual user tokens.' Third party app developers are certainly going to be sweating these changes, and it puts the future of new development in question."
Nerval's Lobster writes "Tech writer and programmer Jeff Cogswell does a head-to-head comparison of Microsoft Azure and Amazon Web Services from a pure programming perspective, examining the respective sides' vendor lock-in and vendor-specific APIs (among other issues). 'If you're not using any vendor-specific APIs, then it's safe to say the experience you get on either Amazon or Microsoft will be roughly the same,' he writes. 'But that means you're also not developing an app that necessarily takes advantage of all possible cloud capabilities—not just add-ons, but scalability. Your app might need to expand and grow as your user base grows.' He suggests it's ultimately a tie between the two companies. 'From a strict programming perspective, both companies have their own RESTful API, and their own libraries for using the API.'" The problem with both of these services, though, that RMS could have told you about: "The moment you start using either, you're locked in for the most part."
judgecorp writes "Mozilla's mobile phone operating system only exists in an early beta form, but Oleg Romashin, a researcher at Nokia, has already got it working on the Raspberry Pi and posted video to prove it. We don't think this indicates any alternate strategy for Nokia if Windows Phone doesn't pan out, but it does show that Firefox OS is portable, and the Pi is capable, and both can be played with — which will please both Mozilla and the Raspberry Pi Foundation. And the Firefox OS work in progress is available for download (direct tarball link)."