Programming

Will Unpredictable 'Franken-Algorithms' Have Deadly Consequences and Make Programmers Obsolete? (theguardian.com)

Zorro (Slashdot reader #15,797) summarizes a new article in the Guardian: The death of a woman hit by a self-driving car highlights an unfolding technological crisis, as code piled on code creates "a universe no one fully understands."

"In some ways we've lost agency. When programs pass into code and code passes into algorithms and then algorithms start to create new algorithms, it gets farther and farther from human agency. Software is released into a code universe which no one can fully understand."

The author dubs these man-made monsters "franken-algos," since "After a time in the wild, we no longer know what they are: they have the potential to become erratic." Self-learning algorithms are already part of the "new all-machine phase" of Wall Street trading, leading to what science historian George Dyson believes are rules "where nobody knows what the rules are: the algorithms create their own rules -- you let them evolve the same way nature evolves organisms."

Where does it end? There's already a robotic sharpshooter policing the demilitarized zone between North and South Korea, and "swarms of coordinated, weaponized drones" already being developed by three different countries. The article suggests rethinking our legal system to assign blame for any badly malfunctioning algorithms, noting that the Association for Computing Machinery recently updated its code of ethics "along the lines of medicine's Hippocratic oath, to instruct computing professionals to do no harm and consider the wider impacts of their work.... Solutions exist or can be found for most of the problems described here, but not without incentivizing big tech to place the health of society on a par with their bottom lines."

"More serious in the long term is growing conjecture that current programming methods are no longer fit for purpose given the size, complexity and interdependency of the algorithmic systems we increasingly rely on." Toby Walsh, a professor of artificial intelligence at the University of New South Wales, even says "We will eventually give up writing algorithms altogether... because the machines will be able to do it far better than we ever could. Software engineering is in that sense perhaps a dying profession."

Bug

Intel Blocked Collaboration On Spectre/Meltdown Fixes, Says Linux Kernel Developer (eweek.com)

This week in Vancouver, Linux kernel developer Greg Kroah-Hartman criticized Intel's slow initial response to the Spectre and Meltdown bugs in a talk at the Open Source Summit North America. An anonymous reader quotes eWeek: Kroah-Hartman said that when Intel finally decided to tell Linux developers, the disclosure was siloed.... "Intel siloed SUSE, they siloed Red Hat, they siloed Canonical. They never told Oracle, and they wouldn't let us talk to each other." For an initial set of vulnerabilities, Kroah-Hartman said the different Linux vendors typically work together. However, in this case they ended up working on their own, and each came up with different solutions. "It really wasn't working, and a number of us kernel developers yelled at [Intel] and pleaded, and we finally got them to allow us to talk to each other the last week of December [2017]," he said. "All of our Christmas vacations were ruined. This was not good. Intel really messed up on this," Kroah-Hartman said...

"The majority of the world runs Debian or they run their own kernel," Kroah-Hartman said. "Debian was not allowed to be part of the disclosure, so the majority of the world was caught with their pants down, and that's not good." To Intel's credit, Kroah-Hartman said that after Linux kernel developers complained loudly to the company in December 2017 and into January 2018, it fixed its disclosure process for future Meltdown- and Spectre-related vulnerabilities... "Intel has gotten better at this," he said.

An interesting side effect of the Meltdown and Spectre vulnerabilities is that Linux and Windows developers are now working together, since both operating systems face similar risks from the CPU vulnerabilities. "Windows and Linux kernel developers now have this wonderful back channel. We're talking to each other and we're fixing bugs for each other," Kroah-Hartman said. "We are working well together. We have always wanted that."

Open Source

Linus Torvalds No Longer Knows the Whole Linux Kernel and That's OK (eweek.com)

darthcamaro writes: In a wide-ranging conversation at the Open Source Summit, Linus Torvalds admitted that he no longer knows everything that's in Linux. "Nobody knows the whole kernel anymore," Torvalds said. "Having looked at patches for many years, I know the big picture of all the areas in the kernel and I can look at a patch and know if it's right or wrong." Overall, he emphasized that being open source has enabled Linux to attract new developers who can pick up code and maintain all the various systems in Linux. In his view, the only way to deal with complexity is to be open. "When you have complexity you can't manage it in a closed environment, you need to have the people that actually find problems and give them the ability to get involved and help you to fix them," Torvalds said. "It's a complicated world and the only way to deal with complexity is the open exchange of ideas."

Oracle

Oracle Trying Hard To Make Sure Pentagon Knows Amazon Isn't the Only Cloud Around (theregister.co.uk)

The Pentagon is no longer taking questions on its controversial cloud contract after making last-minute amendments to the deal -- and has received another complaint from disgruntled prospective bidder Oracle. The Register adds: The Joint Enterprise Defense Infrastructure (JEDI) contract has a massive scope, covering different levels of secrecy and classification across all branches of the US military, and a massive budget, being worth a potential $10bn for a maximum of 10 years. Unsurprisingly, it has garnered similar levels of interest and complaint. Most criticism focused on the decision to hand the deal to a single vendor amid speculation that AWS would be a shoo-in. Would-be bidder -- and longtime AWS rival -- Oracle filed an official complaint with US government at the start of the month, arguing a single vendor would lock the Department of Defense into "legacy cloud" and went against its purported commitment to innovation and competition. It has now filed a supplementary protest with the Government Accountability Office (GAO), which is not yet public but is likely to be an exchange of information and documents. The filing coincided with the Pentagon updating the terms of the JEDI deal, which it said came after engagement with industry after the previous request for proposals (RFP) was published.

The Internet

The 'Scunthorpe Problem' Has Never Really Been Solved (vice.com)

dmoberhaus writes: Yesterday, a writer for SB Nation named Natalie Weiner posted a screenshot of a rejection form she received when she tried to sign up for a website. Her submission was rejected because a spam algorithm considered her last name "offensive." After she posted about this, hundreds of other people with similarly "offensive" last names sounded off about how they had experienced similar issues. As it turns out, this phenomenon is so widespread that it has a name among computer scientists. It's called the Scunthorpe problem and it's been a scourge of the internet since the beginning. Motherboard spoke to content moderation experts about its origins and why it's such a hard problem to solve 20 years later. A big reason why the problem has yet to be solved is "because creating effective obscenity filters depends on the filter's ability to understand a word in context," reports Motherboard. "Despite advances in [AI], this is something that even the most advanced machine-learning algorithms still struggle with today."

"This works both ways around," Michael Veale, a researcher studying responsible machine learning at University College London, told Motherboard. "Cock (a bird) and Dick (the given name) are both harmless in certain contexts, even in children's settings online, but in other cases parents might not want them used. Equally, those wanting to abuse a system can find ways around it."

Transportation

Locals Reportedly Are Frustrated With Alphabet's Self-Driving Cars (cnbc.com)

More than a dozen people who work near Waymo's office in Chandler, Arizona, have complained about the self-driving cars to The Information. "One woman said that she almost hit one of the company's minivans because it suddenly stopped while trying to make a right turn, while another man said that he gets so frustrated waiting for the cars to cross the intersection that he has illegally driven around them," reports CNBC. From the report: The anecdotes highlight how challenging it can be for self-driving cars, which are programmed to drive conservatively, to master situations that human drivers can handle with relative ease -- like merging or finding a gap in traffic to make a turn. Waymo has been testing its vehicles in the Phoenix suburbs for little more than a year and is widely seen as the furthest along in the self-driving car space, but its safety drivers have to take control of the vehicles regularly, people with direct knowledge of the issues tell The Information.

A Waymo spokesperson said its cars are "continually learning" and that "safety remains its highest priority" during testing. The spokesperson also said that Waymo is using feedback from its early rider program to improve its technology, though it declined to comment specifically on the intersection complaints mentioned in The Information story. The company has previously said that it plans to launch a commercial self-driving taxi service before the end of the year, but that its service will still include a Waymo employee in each car as a "chaperone."

Programming

Is Julia the Next Big Programming Language? MIT Thinks So, as Version 1.0 Lands (techrepublic.com)

Julia, the MIT-created programming language for developers "who want it all", hit its milestone 1.0 release this month -- with MIT highlighting its rapid adoption in the six short years since its launch. From a report: Released in 2012, Julia is designed to combine the speed of C with the usability of Python, the dynamism of Ruby, the mathematical prowess of MatLab, and the statistical chops of R. "The release of Julia 1.0 signals that Julia is now ready to change the technical world by combining the high-level productivity and ease of use of Python and R with the lightning-fast speed of C++," says MIT professor Alan Edelman. The breadth of Julia's capabilities and ability to spread workloads across hundreds of thousands of processing cores have led to its use for everything from machine learning to large-scale supercomputer simulation. MIT says Julia is the only high-level dynamic programming language in the "petaflop club," having been used to simulate 188 million stars, galaxies, and other astronomical objects on Cori, the world's 10th-most powerful supercomputer. The simulation ran in just 14.6 minutes, using 650,000 Intel Knights Landing Xeon Phi cores to handle 1.5 petaflops (quadrillion floating-point operations per second).

Businesses

What Dropbox Dropping Linux Support Says (techrepublic.com)

Jack Wallen, writing for TechRepublic: For a company to support Linux, they have to consider supporting: Multiple file systems, multiple distributions, multiple desktops, multiple init systems, multiple kernels. If you're an open source developer, focusing on a single distribution, that's not a problem. If you're a company that produces a product (and you stake your living on that product), those multiple points of entry do become a problem. Let's consider Adobe (and Photoshop). If Adobe wanted to port their industry-leading product to Linux, how do they do that? Do they spend the time developing support for ext4, btrfs, Ubuntu, Fedora, GNOME, Mate, KDE, systemd? You see how that might look from the eyes of any given company?

It becomes even more complicated when companies consider how accustomed to the idea of "free" (as in beer) Linux users are. Although I am very willing to pay for software on Linux, it's a rare occasion that I do (mostly because I haven't found a piece of must-have software that has an associated cost). Few companies will support the Linux desktop when the act of supporting means putting that much time and effort into a product that a large cross-section of users might wind up unwilling to pay the price of admission. That's not to say every Linux user is unwilling to shell out the cost for a piece of software. But many won't.

Android

Chinese Phone Maker Huawei Risks Alienating Its Loyal Customer Base By Taking a Strong Stand Against Unlocking of Its Handsets, Users Say (irishtech.ie)

A post on an Irish technology news blog, which criticizes the recent actions of the world's second largest smartphone maker Huawei, is being widely circulated across several Android communities, with most people agreeing with the concerns raised in the post. From the story: Huawei is the second largest smartphone manufacturer in the world, falling second only to Samsung having recently overtaken Apple. They're huge in Ireland and across the globe. As a company, they have done a number of great things for both the enthusiast and the general user alike, but amidst privacy concerns the company has started to lash out at the community which helped get it (and especially its sub-brand Honor) off of the ground. Not only have they begun to block users from unlocking the devices which they've paid for, they are now looking to make users return their already unlocked devices to their normal state, according to numerous reports on the forums of XDA-Developers and well known Magisk developer topjohnwu. "I am informed that a new Huawei OTA will render Magisk-installed devices from booting," the developer wrote. Magisk is a popular "root" solution which gives a user access to their device's system files.

Huawei was huge with the development community for a number of reasons, no less because their devices were some of the easiest to unlock out of all of the major manufacturers. You simply applied for your key online and promptly received it. It was a rather painless system, which allowed you to then install what's known as a "custom ROM". A custom ROM is simply just a custom version of Android, free from all of the included pre-installed applications from Huawei. They often run better too, again because of the lack of bloat.


Programming

Half of Audited JavaScript Projects Contained a Vulnerability (theregister.co.uk)

NPM Inc. added a feature to JavaScript's package manager this spring letting users type npm audit fix to replace old, insecure project modules -- and the Register asked them how it's going. Since April, according to the company, npm users have run 50 million automatic scans and have deliberately invoked the command 3.1 million times. And they're running 3.4 million security audits a week. Across all audits, 51 per cent found at least one vulnerability and 11 per cent identified a critical vulnerability. In a phone interview with The Register, Adam Baldwin, head of security at NPM, said he didn't have data on how many people are choosing to fix flagged flaws. "But what we've seen from pull requests suggests it's gaining traction," he said.

Incidentally, npm's thinking about security is finding similar expression elsewhere in the industry. Earlier this year, GitHub began alerting developers when their code contains insecure libraries. During a recent media briefing, GitHub's head of platform Sam Lambert said he hoped that the process could be made more automated through the mechanized submission of git pull requests that developers could simply accept to replace flawed code.

Baldwin said NPM might implement something similar, an intervention rather than a simple notification. "Currently it's not proactive policy enforcement," he said. "But it's something we're considering." That would appeal to NPM's growing enterprise constituency. "Enterprises for sure want the compliance and control," said Baldwin. "They want that ability to know the open source they're bringing in is safe or meets a certain set of criteria."

Wednesday NPM added "Report a Vulnerability" buttons to every NPM package web page, and also started checking new passwords against the "Have I Been Pwned?" database to spot already-compromised passwords. "The tools for avoiding problems and fixing them are getting better," writes the Register. But it'd be interesting to hear from Slashdot readers.

How do you feel about code repositories automatically offering replacements for insecure libraries?

PHP

As PHP 5.6, Still Used By a Large Number of Websites, Approaches Its End of Life Deadline, Some Worry About the Consequences (linkedin.com)

An anonymous reader writes: I know PHP isn't to some devs' liking, but chances are you know people who work with PHP or have sites that are built with it. PHP 5.6 and 7.0 are shortly coming to the end of the support period for security patches, so what plans have you made to migrate code and sites to newer platforms? With apparently huge numbers (80%) of sites still running PHP 5.6, there appears to be little industry acknowledgement of the issue. Is there a ticking PHP Time Bomb waiting to go off?

Businesses

Apple and Google Face Growing Revolt Over App Store 'Tax' (bloomberg.com)

A backlash against the app stores of Apple and Google is gaining steam, with a growing number of companies saying the tech giants are collecting too high a tax for connecting consumers to developers' wares. From a report: Netflix and video game makers Epic Games and Valve are among companies that have recently tried to bypass the app stores or complained about the cost of the tolls Apple and Google charge. Grumbling about app store economics isn't new. But the number of complaints, combined with new ways of reaching users, regulatory scrutiny and competitive pressure are threatening to undermine what have become digital goldmines for Apple and Google. "It feels like something bubbling up here," said Ben Schachter, an analyst at Macquarie. "The dollars are just getting so big. They just don't want to be paying Apple and Google billions." Apple and Google launched their app stores in 2008, and they soon grew into powerful marketplaces that matched the creations of millions of independent developers with billions of smartphone users. In exchange, the companies take up to 30 percent of the money consumers pay developers.

Businesses

Java and JavaScript Remain the Top Enterprise Developer Languages For the Cloud, Survey Finds (zdnet.com)

Programmers may love hot newer languages like Kotlin and Rust, but according to a recent Cloud Foundry Foundation (CFF) survey of global enterprise developers and IT decision makers, Java and JavaScript are the top enterprise languages. ZDNet: That said, the CFF also found [PDF] that, "More and more, businesses are employing a polyglot and a multi-platform strategy to meet their exact needs." The CFF discovered 77 percent of enterprises are using or evaluating Platforms-as-a-Service (PaaS); 72 percent are using or considering containers; and 46 percent are using or thinking about serverless computing. Simultaneously, more than a third (39 percent) are using all three technologies together. For companies this "flexibility of cloud-native practices enables [companies to move] away from a monolithic approach and towards a world of computing that is flexible, portable and interoperable." That means, while Java and JavaScript are only growing ever more popular, the larger the company, the more languages are used. After the Java twins, C++, C#, Python, and PHP are the most popular languages.

The Courts

Judge Guts FTC's $4 Billion Lawsuit Against DirecTV (latimes.com)

The FTC has "failed to convince a federal judge in San Francisco that DirecTV should pay nearly $4 billion in restitution to customers for allegedly misleading consumers about the costs of programming packages," reports the Los Angeles Times. From the report: The judge didn't eliminate all of the FTC's false-advertising claims but made clear that "the scope of the maximum potential recovery in this case has been substantially curtailed." "This case did not involve the type of strong proof the court would expect to see in a case seeking nearly $4 billion in restitution, based on a claim that all of DirecTV's 33 million customers between 2007 and 2015 were necessarily deceived," U.S. District Judge Haywood Gilliam said Thursday.

The ruling follows an August 2017 nonjury trial of the FTC suit, alleging that DirecTV failed to adequately disclose to consumers in 40,000 print, mail, online and TV advertisements that its lower introductory pricing lasted just one year but tied buyers to a two-year contract. The FTC also alleged the subscription television service failed to alert customers that its offer for 90 days of premium channels required them to cancel the subscription to avoid continuing monthly charges.

Social Networks

Twitter's Relationship With Third-Party Apps is Messy -- But It's Not Over (mashable.com)

It's a day that developers of some of the most high-profile Twitter third-party apps have dreaded, though it's one they've long-known was coming: Twitter is finally shutting off some of the developer tools that popular apps like Tweetbot and Twitterific have heavily relied on. From a report: With the change, many third-party Twitter apps will lose some functionality, like the ability to instantly refresh users' Twitter feeds and send push notifications. It won't make these apps unusable -- in some cases the apps' users may not even immediately notice the changes -- but it's a drastic enough change that developers have mounted a public campaign against the decision.

Now, Twitter is finally weighing in on the changes, after months of publicly declining to comment on the state of third-party Twitter clients. The verdict, unsurprisingly, is complicated. The company is adamant that its goal isn't to single out these developers. The company is retiring these APIs out of necessity, it says, as it's no longer feasible to support them. "We are sunsetting very old, legacy software that we don't have an ability to keep supporting for practical reasons," says Ian Caims, group product manager at Twitter. At the same time, though, the company has also made a conscious decision not to create new APIs with the same functionality.

Here's how Twitter's senior director of product management Rob Johnson explains the move: "It is now time to make the hard decision to end support for these legacy APIs -- acknowledging that some aspects of these apps would be degraded as a result. Today, we are facing technical and business constraints we can't ignore. The User Streams and Site Streams APIs that serve core functions of many of these clients have been in a 'beta' state for more than 9 years, and are built on a technology stack we no longer support."

Google

Google Releases a Searchable Database of US Political Ads (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: In an effort to provide more transparency and deliver on a promise to Congress, Google just published an archive of political ads that have run on its platform. Google's new database, which it calls the Ad Library, is searchable through a dedicated launch page. Anyone can search for and filter ads, viewing them by candidate name or advertiser, spend, the dates the ads were live, impressions and type. For anyone looking for the biggest ad budget or the farthest reaching political ad, the ads can be sorted by spend, impressions and recency, as well. Google also provided a report on the data, showing ad spend by U.S. state, by advertiser and by top keywords.

Businesses

Apple Asked Developers To Adopt Subscriptions and Hike App Prices, Report Says (venturebeat.com)

Apple invited a group of app developers to a secret April 2017 meeting in New York's Tribeca district, asking them to move from selling apps at low prices to renting app access through subscriptions, Business Insider reports. From a story: This change is intended to keep users paying for apps "on a regular basis, putting money into developer coffers on a regular schedule," the report claims.

Oracle

Oracle Accused of Defrauding Investors On Cloud Sales Growth (bloomberg.com)

An anonymous reader quotes a report from Bloomberg: Oracle is named in a lawsuit alleging the company's executives lied to shareholders when they explained why cloud sales were growing. The investor leading the case, the City of Sunrise Firefighters' Pension Fund, claimed Oracle engaged in coercion and threats to sell its cloud-computing products, creating an unsustainable model that fell apart, according to the suit seeking class-action status and filed Friday in San Jose, California. The Florida-based firefighter pension fund and other investors lost money when Oracle's stock plummeted in March after a disappointing earnings report and outlook, according to the lawsuit.

The suit claimed that Oracle's executives lied in forward-looking statements, which are never guaranteed, during earnings calls and at investor conferences in 2017 when they said customers were rapidly adopting their cloud-based products and cloud sales would accelerate. The firefighter pension, which manages about $143 million for 235 participants, alleged that Oracle used software license audits and weakened existing maintenance programs to compel customers to buy the cloud products.

Transportation

Tesla Will Open Its Security Code To Other Car Manufacturers (engadget.com)

Tesla CEO Elon Musk announced he would share the source code for Tesla's car security software with other manufacturers, adding that it would be "extremely important" to ensure the safety of future self-driving cars. Engadget reports: Musk didn't provide a timeline for availability, and you might not want to get your hopes up when it took years for Tesla just to post any source code. And this isn't strictly a selfless gesture. If rival brands adopt Tesla's approach, it could set an unofficial standard for connected car security that would look good from a marketing standpoint. The code could provide a boost to connected car security if and when it arrives. There are few common frameworks (technical or legal) for safeguarding networked vehicles, and security might not always be a top priority. This could give companies a baseline level of security that would save brands the trouble of developing an effective defense from scratch.

Open Source

Researchers Use Machine-Learning Techniques To De-Anonymize Coders (wired.com)

At the DefCon hacking conference on Friday, Rachel Greenstadt, an associate professor of computer science at Drexel University, and Aylin Caliskan, Greenstadt's former PhD student and now an assistant professor at George Washington University, presented a number of studies they've conducted using machine learning techniques to de-anonymize the authors of code samples. "Their work could be useful in a plagiarism dispute, for instance, but it could also have privacy implications, especially for the thousands of developers who contribute open source code to the world," reports Wired. From the report: First, the algorithm they designed identifies all the features found in a selection of code samples. That's a lot of different characteristics. Think of every aspect that exists in natural language: There are the words you choose, which way you put them together, sentence length, and so on. Greenstadt and Caliskan then narrowed the features to only include the ones that actually distinguish developers from each other, trimming the list from hundreds of thousands to around 50 or so. The researchers don't rely on low-level features, like how code was formatted. Instead, they create "abstract syntax trees," which reflect code's underlying structure, rather than its arbitrary components. Their technique is akin to prioritizing someone's sentence structure, instead of whether they indent each line in a paragraph.

The method also requires examples of someone's work to teach an algorithm to know when it spots another one of their code samples. If a random GitHub account pops up and publishes a code fragment, Greenstadt and Caliskan wouldn't necessarily be able to identify the person behind it, because they only have one sample to work with. (They could possibly tell that it was a developer they hadn't seen before.) Greenstadt and Caliskan, however, don't need your life's work to attribute code to you. It only takes a few short samples.