Education

Why So Many Top Hackers Come From Russia (krebsonsecurity.com)

Long-time Slashdot reader tsu doh nimh writes: Brian Krebs has an interesting piece this week on one reason that so many talented hackers (malicious and benign) seem to come from Russia and the former Soviet States: It's the education, stupid. Krebs's report doesn't look at the socioeconomic reasons, but instead compares how the U.S. and Russia educate students from K-12 in subjects which lend themselves to a mastery in coding and computers -- most notably computer science. The story shows that the Russians have for the past 30 years been teaching kids about computer science and then testing them on it starting in elementary school and through high school. The piece also looks at how kids in the U.S. vs. Russia are tested on what they are supposed to have learned.
Fossbytes also reports that Russia claimed the top spot in this year's Computer Programming Olympics -- their fourth win in six years -- adding that "the top 9 positions out of 14 were occupied by Russian or Chinese schools." The only two U.S. schools in the top 20 were the University of Central Florida (#13) and MIT (#20).
Cloud

Should Your Company Switch To Microservices? (cio.com)

Walmart Canada claims that it was microservices that allowed them to replace hardware with virtual servers, reducing costs by somewhere between 20 and 50 percent. Now Slashdot reader snydeq shares an article by a senior systems automation engineer arguing that a microservices approach "offers increased modularity, making applications easier to develop, test, deploy, and, more importantly, change and maintain."

The article touts things like cost savings and flexibility for multiple device types, suggesting microservices offer increased resilience and improved scalability (not to mention easier debugging and a faster time to market with an incremental development model). But it also warns that organizations need the resources to deploy the new microservices quickly (and the necessary servers) -- along with the ability to test and monitor them for database errors, network latency, caching issues and ongoing availability. "You must embrace devops culture," argues the article, adding that "designing for failure is essential... In a traditional setting, developers are focused on features and functionalities, and the operations team is on the hook for production challenges. In devops, everyone is responsible for service provisioning -- and failure."

The original submission ends with a question for Slashdot readers. "What cautions do you have to offer for folks considering tapping microservices for their next application?"
Open Source

'Stack Clash' Linux Flaw Enables Root Access. Patch Now (threatpost.com)

msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors made patches available Monday, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.

The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.

Operating Systems

32TB of Windows 10 Internal Builds, Core Source Code Leak Online (theregister.co.uk)

According to an exclusive report via The Register, "a massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online." From the report: The data -- some 32TB of installation images and software blueprints that compress down to 8TB -- were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the data has been exfiltrated from Microsoft's in-house systems since around March. The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code. Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. In addition to this, hundreds of top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked along with copies of officially released versions.
Software

NSA Opens GitHub Account, Lists 32 Projects Developed By the Agency (thehackernews.com)

An anonymous reader quotes a report from The Hacker News: The National Security Agency (NSA) -- the United States intelligence agency which is known for its secrecy and working in the dark -- has finally joined GitHub and launched an official GitHub page. GitHub is an online service designed for sharing code amongst programmers and the open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are "coming soon." "The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace," the agency wrote on the program's page. "OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community's enhancements to the technology." Many of the projects the agency listed are years old and have been available on the Internet for some time. For example, SELinux (Security-Enhanced Linux) has been part of the Linux kernel for years.
Intel

Intel Quietly Discontinues Galileo, Joule, and Edison Development Boards (intel.com)

Intel is discontinuing its Galileo, Joule, and Edison lineups of development boards. The chip-maker quietly made the announcement last week. From the company's announcement: Intel Corporation will discontinue manufacturing and selling all SKUs of the Intel Galileo development board. Shipment of all Intel Galileo product SKUs ordered before the last order date will continue to be available from Intel until December 16, 2017. [...] Intel will discontinue manufacturing and selling all SKUs of the Intel Joule Compute Modules and Developer Kits (known as Intel 500 Series compute modules in the People's Republic of China). Shipment of all Intel Joule product SKUs ordered before the last order date will continue to be available from Intel until December 16, 2017. Last time orders (LTO) for any Intel Joule products must be placed with Intel by September 16, 2017. [...] Intel will discontinue manufacturing and selling all SKUs of the Intel Edison compute modules and developer kits. Shipment of all Intel Edison product SKUs ordered before the last order date will continue to be available from Intel until December 16, 2017. Last time orders (LTO) for any Intel Edison products must be placed with Intel by September 16, 2017. All orders placed with Intel for Intel Edison products are non-cancelable and non-returnable after September 16, 2017. The company hasn't shared any explanation for why it is discontinuing the aforementioned development boards. Intel launched the Galileo, an Arduino-compatible mini computer, in 2013, the Edison in 2014, and the Joule last year. The company touted the Joule as its "most powerful dev kit." You can find the announcement posts here.
Programming

Community Ports 'Visual Studio Code' To Chromebooks, Raspberry Pi (infoworld.com)

An anonymous reader quotes InfoWorld: A community build project led by developer Jay Rodgers is making Visual Studio Code, Microsoft's lightweight source code editor, available for Chromebooks, Raspberry Pi boards, and other devices based on 32-bit or 64-bit ARM processors. Supporting Linux and Chrome OS as well as the DEB (Debian) and RPM package formats, the automated builds of Visual Studio Code are intended for less-common platforms that might not otherwise receive them. Obvious beneficiaries will be IoT developers focused on ARM devices -- and the Raspberry Pi in particular -- who will find it helpful to have the editor directly on the device they're programming against... Rodgers said the lure of Visual Studio Code for him was its user-friendly interface, making it approachable for new users.
Security

What Happens When Software Companies Are Liable For Security Vulnerabilities? (techbeacon.com)

mikeatTB shares an article from TechRepublic: Software engineers have largely failed at security. Even with the move toward more agile development and DevOps, vulnerabilities continue to take off... Things have been this way for decades, but the status quo might soon be rocked as software takes an increasingly starring role in an expanding range of products whose failure could result in bodily harm and even death. Anything less than such a threat might not be able to budge software engineers into taking greater security precautions. While agile and DevOps are belatedly taking on the problems of creating secure software, the original Agile Manifesto did not acknowledge the threat of vulnerabilities as a problem, but focused on "working software [as] the primary measure of progress..."

"People are doing exactly what they are being incentivized to do," says Joshua Corman, director of the Cyber Statecraft Initiative for the Atlantic Council and a founder of the Rugged Manifesto, a riff on the original Agile Manifesto with a skew toward security. "There is no software liability and there is no standard of care or 'building code' for software, so as a result, there are security holes in your [products] that are allowing attackers to compromise you over and over." Instead, almost every software program comes with a disclaimer to dodge liability for issues caused by the software. End-User License Agreements (EULAs) have been the primary way that software makers have escaped liability for vulnerabilities for the past three decades. Experts see that changing, however.

The article suggests incentives for security should be built into the development process -- with one security professional warning that in the future, "legal precedent will likely result in companies absorbing the risk of open source code."
Software

Announcing 'build', Auto-Configuration In 1000 Lines Of Makefile (github.com)

Christophe de Dinechin created the XL programming language -- and as descubes he's also Slashdot reader #35,093. Today he shares his latest project, a simple makefile-based build system that he's split from ELFE/XL: Most open-source projects use tools such as autoconf and automake. For C and C++ projects, build is a make-based alternative that offers auto-configuration, build logs, colorization, testing and install targets, in about 1000 lines of makefile. A sample makefile looks like this:

BUILD=./
SOURCES=hello.cpp
PRODUCTS=hello.exe
CONFIG= <stdio.h> <iostream> clearenv libm
TESTS=product
include $(BUILD)rules.mk

iPhone

The Size of iPhone's Top Apps Has Increased by 1,000% in Four Years (sensortower.com)

Research firm Sensor Tower shares an analysis: As the minimum storage capacity of iPhone continues to increase -- it sits at 32 GB today on the iPhone 7, double the iPhone 5S's 16 GB circa 2013 -- it's not surprising that the size of apps themselves is getting larger. In fact, Apple raised the app size cap from 2 GB to 4 GB in early 2015. What's surprising is how much faster they're increasing in size compared to device storage itself. According to Sensor Tower's analysis of App Intelligence, the total space required by the top 10 most installed U.S. iPhone apps has grown from 164 MB in May 2013 to about 1.8 GB last month, an 11x or approximately 1,000 percent increase in just four years. [...] Of the top 10 most popular U.S. iPhone apps, the minimum growth we saw in app size since May 2013 was 6x for both Spotify and Facebook's Messenger. As the chart above shows, other apps, especially Snapchat, have grown considerably more. In fact, Snapchat is more than 50 times larger than it was four years ago, clocking in at 203 MB versus just 4 MB at the start of the period we looked at. It's not the largest app among the top 10, however. That distinction goes to Facebook, which, at 388 MB, is 12 times larger than it was in May 2013 when it occupied 32 MB. It grew by about 100 MB in one update during September of last year.
Programming

Developers Who Use Spaces Make More Money Than Those Who Use Tabs (stackoverflow.blog)

An anonymous reader writes: Do you use tabs or spaces for code indentation? This is a bit of a "holy war" among software developers; one that's been the subject of many debates and in-jokes. I use spaces, but I never thought it was particularly important. But today we're releasing the raw data behind the Stack Overflow 2017 Developer Survey, and some analysis suggests this choice matters more than I expected. There were 28,657 survey respondents who provided an answer to tabs versus spaces and who considered themselves a professional developer (as opposed to a student or former programmer). Within this group, 40.7% use tabs and 41.8% use spaces (with 17.5% using both). Of them, 12,426 also provided their salary. Analyzing the data leads us to an interesting conclusion. Coders who use spaces for indentation make more money than ones who use tabs, even if they have the same amount of experience. Indeed, the median developer who uses spaces had a salary of $59,140, while the median tabs developer had a salary of $43,750.
The Almighty Buck

Report Reveals In-App Purchase Scams In the App Store (macrumors.com)

In a Medium article titled How to Make $80,000 Per Month On the Apple App Store, Johnny Lin uncovers a scamming trend in which apps advertising fake services are making thousands of dollars a month from in-app purchases. The practice works by manipulating search ads to promote dubious apps in the App Store and then preys on unsuspecting users via the in-app purchase mechanism. MacRumors reports: "I scrolled down the list in the Productivity category and saw apps from well-known companies like Dropbox, Evernote, and Microsoft," said Lin. "That was to be expected. But what's this? The #10 Top Grossing Productivity app (as of June 7th, 2017) was an app called 'Mobile protection :Clean & Security VPN.' Given the terrible title of this app (inconsistent capitalization, misplaced colon, and grammatically nonsensical 'Clean & Security VPN?'), I was sure this was a bug in the rankings algorithm. So I checked Sensor Tower for an estimate of the app's revenue, which showed ... $80,000 per month?? That couldn't possibly be right. Now I was really curious." To learn how this could be, Lin installed and ran the app, and was soon prompted to start a "free trial" for an "anti-virus scanner" (iOS does not need anti-virus software thanks to Apple's sandboxing rules for individual apps). Tapping on the trial offer then threw up a Touch ID authentication prompt containing the text "You will pay $99.99 for a 7-day subscription starting Jun 9, 2017." Lin was one touch away from paying $400 a month for a non-existent service offered by a scammer. Lin dug deeper and found several other similar apps making money off the same scam, suggesting a wider disturbing trend, with scam apps regularly showing up in the App Store's top grossing lists.
iOS

Apple's App Store Guidelines Now Allow Executable Code in Educational Apps and Developer Tools (macstories.net)

An anonymous reader writes: Apple made several changes to the App Store Review Guidelines during WWDC last week, including an easing of the prohibition against downloading and executing code on an iOS device. The ban on executable code remains intact, but rule 2.5.2 now also provides that: "Apps designed to teach, develop, or test executable code may, in limited circumstances, download code provided that such code is not used for other purposes. Such apps must make the source code provided by the Application completely viewable and editable by the user."
Python

Ask Slashdot: Will Python Become The Dominant Programming Language?

An anonymous reader shares their thoughts on language popularity: In the PYPL index, which is based on Google searches and is supposed to be forward looking, the trend is unmistakable. Python is rising fast and Java and others are declining. Combine this with the fact that Python is now the most widely taught language in the universities. In fields such as data science and machine learning, Python is already dominating. "Python where you can, C++ where you must" enterprises are following suit too, especially in data science but for everything else from web development to general purpose computing...

People who complain that you can't build large scale systems without a compiler likely over-rely on the latter and are slaves to IDEs. If you write good unit tests and enforce Test Driven Development, the compiler becomes unnecessary and gets in the way. You are forced to provide too much information to it (also known as boilerplate) and can't quickly refactor code, which is necessary for quick iterations.

The original submission ends with a question: "Is Python going to dominate in the future?" Slashdot readers should have some interesting opinions on this. So leave your own thoughts in the comments. Will Python become the dominant programming language?
AI

Ask Slashdot: How Can Programmers Move Into AI Jobs?

"I have the seriously growing suspicion that AI is coming for us programmers and IT experts faster than we might want to admit," writes long-time Slashdot reader Qbertino. So he's contemplating a career change -- and wondering what AI work is out there now, and how can he move into it? Is anything popping up in the industry and AI hype? (And what are these positions called, what do they precisely do, and what are the skills needed to do them?) I suspect something like an "AI Architect", planning AI setups and clearly defining the boundaries of what the AI is supposed to do and explore.

Then I presume the requirements for something like an "AI Maintainer" and/or "AI Trainer" which would probably resemble something like an admin of a big data storage, looking at statistics and making educated decisions on which "AI Training Paths" the AI should continue to explore to gain the skill required and deciding when the "AI" is ready to be let go on to the task... And what about TensorFlow? Should I toy around with it or are we past that stage already and will others do AI setup and installation better than me before I know how this thing really works...?

Is there a degree program, or other paths to skill and knowledge, for a programmer who's convinced that "AI is today what the web was in 1993"? And if AI of the future ends up tied to specific providers -- AI as a service -- then are there specific vendors he should be focusing on (besides Google?) Leave your best suggestions in the comments. How can programmers move into AI jobs?