Bug

Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite (zdnet.com) 151

ZDNet reports of a security flaw in Skype's updater process that "can allow an attacker to gain system-level privileges to a vulnerable computer." If the bug is exploited, it "can escalate a local unprivileged user to the full 'system' level rights -- granting them access to every corner of the operating system." What's worse is that Microsoft, which owns Skype, won't fix the flaw because it would require the updater to go through "a large code revision." Instead, Microsoft is putting all its resources on building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.
Programming

The Quest To Find the Longest-Serving Programmer (tnmoc.org) 115

In 2014, the National Museum of Computing published a blog post in which it tried to find the person who has been programming the longest. At the time, it declared Bill Williams, a 70-year-old, to be one of the world's most durable programmers; he claimed to have started coding for a living in 1969 and was still doing so at the time of publication. The post has been updated several times over the years, and over the weekend, the TNMC updated it once again. The newest contender is Terry Froggatt of Hampshire, who writes: I can beat the claim of your 71-year-old by a couple of years (although I can't compete with the likes of David Hartley). I wrote my first program for the Elliott 903 in September 1966. Now at the age of 73 I am still writing programs for the Elliott 903! I've just written a 903 program to calculate the Fibonacci numbers. And I've written quite a lot of programs in the years in between, some for the 903 but also a good many in Ada.
Programming

Should GitHub Allow Username Reuse? (donatstudios.com) 84

Jesse Donat argues via Donat Studios why GitHub should never allow usernames to be valid again once they are deleted. He gives the example of a user who maintained a popular tool for embedding data files into Go binaries and then deleted both his GitHub account and his personal domain. "While this is within his rights to do, this broke a dependency many people had within their projects," Donat writes. "To fix this, some users of the project recreated the account and the repository based on a fork of the project." Donat goes on to write: Allowing username reuse completely breaks any trust that what I pull is what it claims to be. What if this user had been malicious? It may have taken a while before someone actually noticed this wasn't the original user and the code was doing something more than it claimed to.

While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.
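Added example, not from Donat's post or from the Go toolchain: pinning a dependency to the hash of its content rather than to an account name or a tag, which is how lock files and checksum databases address the scenario above (a recreated account can republish under the same name, but not the same bytes, and a moving branch head cannot be pinned at all). The lock-file format, the module path and the file contents here are constructed for the example.

```python
import hashlib
from typing import Dict, Tuple

# Constructed lock-file format: one "module version sha256-hex" line per pinned
# dependency.  The format and the module path are assumptions for this example,
# not Go's real go.sum or any real project's file.
LockKey = Tuple[str, str]


def digest(data: bytes) -> str:
    """Content hash of a fetched module archive."""
    return hashlib.sha256(data).hexdigest()


def make_lock(module: str, version: str, data: bytes) -> str:
    """Record a pin after the dependency has been reviewed once."""
    return f"# pinned dependencies\n{module} {version} {digest(data)}\n"


def parse_lock(text: str) -> Dict[LockKey, str]:
    pins: Dict[LockKey, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        module, version, expected = line.split()
        pins[(module, version)] = expected
    return pins


def verify(pins: Dict[LockKey, str], module: str, version: str, data: bytes) -> Tuple[bool, str]:
    """Accept a fetched module only if its content hash matches the recorded pin.

    A pin ties the dependency to bytes, not to a user name or a tag, so a
    recreated account or a re-tagged release cannot substitute code unnoticed.
    """
    if version in ("master", "main", "HEAD"):
        # A branch head has no fixed content, so there is nothing to pin against.
        return False, "refusing to pin a moving branch head"
    expected = pins.get((module, version))
    if expected is None:
        return False, f"{module}@{version} is not pinned; review it and add it explicitly"
    actual = digest(data)
    if actual != expected:
        return False, f"hash mismatch: pinned {expected[:12]}... got {actual[:12]}..."
    return True, "ok"


# Constructed sample content standing in for the original release and for the
# repository recreated from a fork under the reused user name.
MODULE = "example.com/someuser/embedtool"
ORIGINAL = b"package embedtool\n// constructed: the original author's release\n"
REPUBLISHED = b"package embedtool\n// constructed: recreated from a fork by another account\n"

if __name__ == "__main__":
    pins = parse_lock(make_lock(MODULE, "v1.2.0", ORIGINAL))
    print(verify(pins, MODULE, "v1.2.0", ORIGINAL))
    print(verify(pins, MODULE, "v1.2.0", REPUBLISHED))
    print(verify(pins, MODULE, "master", REPUBLISHED))
```

The point of the check is that the recreated repository fails even when its maintainers meant well: the hash records what was reviewed, and anything else, however it was obtained, gets a human look before it is built.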

Programming

Researchers Create Simulation Of a Simple Worm's Neural Network (tuwien.ac.at) 75

ClockEndGooner writes: Researchers at the Technische Universität Wien have created a simulation of a simple worm's neural network, and have been able to replicate its natural behavior to completely mimic the worm's natural reflexive behavior. According to the article, using a simple neural network of 300 neurons, the simulation of "the worm can find its way, eat bacteria and react to certain external stimuli. It can, for example, react to a touch on its body. A reflexive response is triggered and the worm squirms away. This behavior is determined by the worm's nerve cells and the strength of the connections between them. When this simple reflex network is recreated on a computer, the simulated worm reacts in exactly the same way to a virtual stimulation -- not because anybody programmed it to do so, but because this kind of behavior is hard-wired in its neural network." Using the same neural network without adding any additional nerve cells, Mathias Lechner, Radu Grosu, and Ramin Hasani were able to have the nematode simulation learn to balance a pole "just by tuning the strength of the synaptic connections. This basic idea (tuning the connections between nerve cells) is also the characteristic feature of any natural learning process."
China

Police In China Are Scanning Travelers With Facial Recognition Glasses (engadget.com) 87

Baron_Yam shares a report from Engadget: Police in China are now sporting glasses equipped with facial recognition devices and they're using them to scan train riders and plane passengers for individuals who may be trying to avoid law enforcement or are using fake IDs. So far, police have caught seven people connected to major criminal cases and 26 who were using false IDs while traveling, according to People's Daily. The Wall Street Journal reports that Beijing-based LLVision Technology Co. developed the devices. The company produces wearable video cameras as well and while it sells those to anyone, it's vetting buyers for its facial recognition devices. And, for now, it isn't selling them to consumers. LLVision says that in tests, the system was able to pick out individuals from a database of 10,000 people and it could do so in 100 milliseconds. However, CEO Wu Fei told the Wall Street Journal that in the real world, accuracy would probably drop due to "environmental noise." Additionally, aside from being portable, another difference between these devices and typical facial recognition systems is that the database used for comparing images is contained in a hand-held device rather than the cloud.
Privacy

Apple is Sending Some Developers Ad Spend and Install Details For Other People's Apps (techcrunch.com) 14

An issue at Apple appears to be resulting in app developers getting emails of ad spend and install summaries for apps belonging to other developers. From a report: The issue -- which appears specific right now to developers using Search Ads Basic, pay-per-install ads that appear as promoted apps when people search on the App Store -- was raised on Twitter by a number of those affected, including prominent developer Steve Troughton-Smith, who posted a screenshot of an email that summarized January's ad spend and install data for another developer's two apps. Several others replied noting the same issue, listing more developers and random apps.
Programming

Rust Creator Graydon Hoare Says Current Software Development Practices Terrify Him (twitter.com) 353

An anonymous reader writes: On Monday Graydon Hoare, the original creator of the Rust programming language, posted some memories on Twitter. "25 years ago I got a job at a computer bookstore. We were allowed to borrow and read the books; so I read through all the language books, especially those with animals on the covers. 10 years ago I had a little language of my own printing hello world." And Monday he was posting a picture of O'Reilly Media's first edition of their new 622-page book Programming Rust: Fast, Safe Systems Development. Then he elaborated to his followers about what happened in between.

"I made a prototype, then my employer threw millions of dollars at it and hired dozens of researchers and programmers (and tireless interns, hi!) and a giant community of thousands of volunteers showed up and _then_ the book arrived. (After Jim and Jason wrote it and like a dozen people reviewed it and a dozen others edited it and an army of managers coordinated it and PLEASE DESIST IN THINKING THINGS ARE MADE BY SINGLE PEOPLE IT IS A VERY UNHEALTHY MYTH)." He writes that the nostalgic series of tweets was inspired because "I was just like a little tickled at the circle-of-life feeling of it all, reminiscing about sitting in a bookstore wondering if I'd ever get to work on cool stuff like this."

One Twitter user then asked him if Rust was about dragging C++ hackers halfway to ML, to which Hoare replied "Not dragging, more like throwing C/C++ folks (including myself) a life raft wrt. safety... Basically I've an anxious, pessimist personality; most systems I try to build are a reflection of how terrifying software-as-it-is-made feels to me. I'm seeking peace and security amid a nightmare of chaos. I want to help programmers sleep well, worry less."

Communications

GDC Rescinds Award For Atari Founder Nolan Bushnell After Criticisms of Sexually Inappropriate Behavior (polygon.com) 498

The organizers of the Game Developers Choice Awards announced today that they have rescinded the Pioneer Award for Atari founder Nolan Bushnell, and that the award will not be given at all this year. "The decision follows a day of outcry after GDC organizers announced that Bushnell, 74, had been tapped for the GDCA's lifetime achievement honor," reports Polygon. "News accounts and histories over the past several years have documented a history of workplace misconduct and sexist behavior toward women by Bushnell, during Atari's early days." From the report: In a statement this morning, GDC said its awards committee "made the decision not to give out a Pioneer Award for this year's event, following additional feedback from the community. They believe their picks should reflect the values of today's game industry and will dedicate this year's award to honor the pioneering and unheard voices of the past." The Pioneer Award is for "individuals who developed a breakthrough technology, game concept, or gameplay design at a crucial juncture in video game history," according to its official site. Nine have been conferred since 2008, none of them women. Bushnell founded Atari in 1972 and installed the first coin-operated video game, Pong, shortly thereafter. He presided over the company's rise to dominate the early generation of home console gaming before selling it off and founding what is today the Chuck E. Cheese line of restaurants. Bushnell issued a statement on Twitter: "I applaud the GDC for ensuring that their institution reflects what is right, specifically with regards to how people should be treated in the workplace. And if that means an award is the price I have to pay personally so the whole industry may be more aware and sensitive to these issues, I applaud that, too. If my personal actions or the actions of anyone who ever worked with me offended or caused pain to anyone at our companies, then I apologize without reservation."
Desktops (Apple)

Apple Still Aims To Allow iPad Apps To Run on Macs This Year (axios.com) 63

Apple's push for performance and security improvements over new features will also apply to this year's Mac software, Axios reported on Wednesday, but one key feature remains on the roadmap for 2018: The ability for Macs to run iPad apps. From the report: On the Mac side, this is taking the form of a new project around security as well as improvements in performance when waking and unlocking the system. While users would certainly welcome changes that make their systems run better and more securely, customers tend to be more motivated to make purchases based on new features rather than promised improvements around security or performance, which can be tough to judge. The signature new feature for the Mac -- the ability to run iPad apps -- is a significant undertaking that adds a high degree of complexity to this year's OS release.
Programming

Employers Want JavaScript, But Developers Want Python, Survey Finds (infoworld.com) 222

An anonymous reader quotes InfoWorld: When it comes to which programming languages are in demand by employers, JavaScript, Java, Python, C++, and C -- in that order -- came out on top in a recent developer survey. Developers, however, want to learn languages like Python, Go, and Kotlin. A survey of developers by technical recruiter HackerRank, conducted in October, found no gap between languages employers want and what developers actually know, with JavaScript barely edging out Java...

HackerRank also found gaps in JavaScript frameworks between what employers want and what developers know. The React JavaScript UI library had the biggest delta between employers and developers, with about 37 percent of employers wanting React skills but only about 19 percent of developers having them... [But] problem-solving skills are the most-sought by employers, more than language proficiency, debugging, and system design.

The survey involved 39,441 developers, and concluded that "Python ruled among all age groups," according to Application Development Trends, "except for those 55 years or older, who narrowly prefer C."
Databases

ICE Is About To Start Tracking License Plates Across the US 167

Presto Vivace shares a report from The Verge: The Immigration and Customs Enforcement (ICE) agency has officially gained agency-wide access to a nationwide license plate recognition database, according to a contract finalized earlier this month. The system gives the agency access to billions of license plate records and new powers of real-time location tracking, raising significant concerns from civil libertarians. The source of the data is not named in the contract, but an ICE representative said the data came from Vigilant Solutions, the leading network for license plate recognition data. While it collects few photos itself, Vigilant Solutions has amassed a database of more than 2 billion license plate photos by ingesting data from partners like vehicle repossession agencies and other private groups. ICE agents would be able to query that database in two ways. A historical search would turn up every place a given license plate has been spotted in the last five years, a detailed record of the target's movements. That data could be used to find a given subject's residence or even identify associates if a given car is regularly spotted in a specific parking lot. Presto Vivace adds, "This will not end well."
Programming

Tim Cook: Coding Languages Were 'Too Geeky' For Students Until We Invented Swift (thestar.com) 335

theodp writes: Speaking to a class of Grade 7 students taking coding lessons at the Apple Store in Eaton Centre, the Toronto Star reports that Apple CEO Tim Cook told the kids that most students would shun programming because coding languages were 'too geeky' until Apple introduced Swift. "Swift came out of the fundamental recognition that coding languages were too geeky. Most students would look at them and say, 'that's not for me,'" Cook said as the preteens participated in an Apple-designed 'Everyone Can Code' workshop. "That's not our view. Our view is that coding is a horizontal skill like your native languages or mathematics, so we wanted to design a programming language that is as easy to learn as our products are to use."
Programming

Donald Knuth Turns 80, Seeks Problem-Solvers For TAOCP (stanford.edu) 71

An anonymous reader writes: When 24-year-old Donald Knuth began writing The Art of Computer Programming, he had no idea that he'd still be working on it 56 years later. This month he also celebrated his 80th birthday in Sweden with the world premiere of Knuth's Fantasia Apocalyptica, a multimedia work for pipe organ and video based on the Bible's Book of Revelation, which Knuth describes as "50 years in the making."

But Knuth also points to the recent publication of "one of the most important sections of The Art of Computer Programming" in preliminary paperback form: Volume 4, Fascicle 6: Satisfiability. ("Given a Boolean function, can its variables be set to at least one pattern of 0s and 1s that will make the function true?")

Here's an excerpt from its back cover: Revolutionary methods for solving such problems emerged at the beginning of the twenty-first century, and they've led to game-changing applications in industry. These so-called "SAT solvers" can now routinely find solutions to practical problems that involve millions of variables and were thought until very recently to be hopelessly difficult.

"in several noteworthy cases, nobody has yet pointed out any errors..." Knuth writes on his site, adding "I fear that the most probable hypothesis is that nobody has been sufficiently motivated to check these things out carefully as yet." He's uncomfortable printing a hardcover edition that hasn't been fully vetted, and "I would like to enter here a plea for some readers to tell me explicitly, 'Dear Don, I have read exercise N and its answer very carefully, and I believe that it is 100% correct,'" where N is one of the exercises listed on his web site.

Elsewhere he writes that two "pre-fascicles" -- 5a and 5b -- are also available for alpha-testing. "I've put them online primarily so that experts in the field can check the contents before I inflict them on a wider audience. But if you want to help debug them, please go right ahead."
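Added example, not from Knuth's text: the question quoted above ("can its variables be set to at least one pattern of 0s and 1s that will make the function true?"), decided by the classic DPLL procedure, a recursive search with unit propagation over clauses in conjunctive normal form. The two instances are constructed for the example, and the solver is the textbook skeleton on which modern solvers layer clause learning and decision heuristics, not the methods the fascicle itself describes.

```python
from typing import Dict, List, Optional

# A CNF formula is a list of clauses; a clause is a list of integer literals,
# where +v asserts that variable v is true and -v asserts that it is false.
Clause = List[int]
Assignment = Dict[int, bool]


def simplify(clauses: List[Clause], lit: int) -> List[Clause]:
    """Assume `lit` is true: drop the clauses it satisfies and delete its
    negation from the remaining ones."""
    reduced = []
    for clause in clauses:
        if lit in clause:
            continue
        reduced.append([l for l in clause if l != -lit])
    return reduced


def dpll(clauses: List[Clause], assignment: Optional[Assignment] = None) -> Optional[Assignment]:
    """Return a satisfying assignment, or None if the formula is unsatisfiable."""
    assignment = dict(assignment or {})
    # Unit propagation: a clause with a single literal forces that literal.
    while True:
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
        clauses = simplify(clauses, unit)
    if not clauses:
        return assignment            # every clause has been satisfied
    if any(len(c) == 0 for c in clauses):
        return None                  # an empty clause can never be satisfied
    # Branch on the first literal of the first clause, trying true then false.
    lit = clauses[0][0]
    for choice in (lit, -lit):
        result = dpll(simplify(clauses, choice), {**assignment, abs(choice): choice > 0})
        if result is not None:
            return result
    return None


def satisfies(clauses: List[Clause], assignment: Assignment) -> bool:
    """Independent check: every clause has a literal made true by the assignment."""
    return all(any(assignment.get(abs(l)) == (l > 0) for l in clause) for clause in clauses)


# Constructed instances: the first has a solution; the second lists every
# combination of two variables and so cannot be satisfied.
SATISFIABLE = [[1, 2, -3], [-1, 3], [-2, -3], [3]]
UNSATISFIABLE = [[1, 2], [1, -2], [-1, 2], [-1, -2]]

if __name__ == "__main__":
    print(dpll(SATISFIABLE))      # {3: True, 2: False, 1: True}
    print(dpll(UNSATISFIABLE))    # None
```

Running it on the satisfiable instance never branches at all: the unit clause [3] forces x3, which reduces [-2, -3] to a new unit, and so on until nothing is left. That cascade is the propagation step that practical solvers spend most of their time in.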
Math

Has the Decades-Old Floating Point Error Problem Been Solved? (insidehpc.com) 174

overheardinpdx quotes HPCwire: Wednesday a company called Bounded Floating Point announced a "breakthrough patent in processor design, which allows representation of real numbers accurate to the last digit for the first time in computer history. This bounded floating point system is a game changer for the computing industry, particularly for computationally intensive functions such as weather prediction, GPS, and autonomous vehicles," said the inventor, Alan Jorgensen, PhD. "By using this system, it is possible to guarantee that the display of floating point values is accurate to plus or minus one in the last digit..."

The innovative bounded floating point system computes two limits (or bounds) that contain the represented real number. These bounds are carried through successive calculations. When the calculated result is no longer sufficiently accurate the result is so marked, as are all further calculations made using that value. It is fail-safe and performs in real time.

Jorgensen is described as a cyber bounty hunter and part time instructor at the University of Nevada, Las Vegas teaching computer science to non-computer science students. In November he received US Patent number 9,817,662 -- "Apparatus for calculating and retaining a bound on error during floating point operations and methods thereof." But in a followup, HPCwire reports: After this article was published, a number of readers raised concerns about the originality of Jorgensen's techniques, noting the existence of prior art going back years. Specifically, there is precedent in John Gustafson's work on unums and interval arithmetic both at Sun and in his 2015 book, The End of Error, which was published 19 months before Jorgensen's patent application was filed. We regret the omission of this information from the original article.
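An added example in Python (not Jorgensen's patented design, and not code from HPCwire): the mechanism the article describes is interval arithmetic, the prior art the follow-up mentions. Every value carries a lower and an upper bound, each operation rounds the bounds outward by one ulp so the true real result stays inside, a value whose bounds no longer agree on enough significant digits is marked, and the mark propagates to everything computed from it. The digit-counting rule and the "ok" flag are this example's own choices, and it needs Python 3.9 or later for math.nextafter.

```python
import math
from dataclasses import dataclass


# Outward rounding: step one ulp toward -inf or +inf so that the real result
# of an operation always lies inside [lo, hi] despite floating-point rounding.
def _down(x: float) -> float:
    return math.nextafter(x, -math.inf)


def _up(x: float) -> float:
    return math.nextafter(x, math.inf)


@dataclass(frozen=True)
class Bounded:
    """A real number known to lie in [lo, hi].  ok becomes False once the
    result has been marked as no longer sufficiently accurate."""
    lo: float
    hi: float
    ok: bool = True

    @staticmethod
    def exact(x: float) -> "Bounded":
        # For values exactly representable in binary (1.0, 2.0, 0.5, ...).
        return Bounded(x, x)

    @staticmethod
    def enclose(x: float) -> "Bounded":
        # For decimal literals such as 0.1 that float conversion has already
        # rounded: widen by one ulp each way so the decimal value is inside.
        return Bounded(_down(x), _up(x))

    def _combine(self, other: "Bounded", lo: float, hi: float) -> "Bounded":
        return Bounded(_down(lo), _up(hi), self.ok and other.ok)

    def __add__(self, other: "Bounded") -> "Bounded":
        return self._combine(other, self.lo + other.lo, self.hi + other.hi)

    def __sub__(self, other: "Bounded") -> "Bounded":
        return self._combine(other, self.lo - other.hi, self.hi - other.lo)

    def __mul__(self, other: "Bounded") -> "Bounded":
        products = (self.lo * other.lo, self.lo * other.hi,
                    self.hi * other.lo, self.hi * other.hi)
        return self._combine(other, min(products), max(products))

    def __truediv__(self, other: "Bounded") -> "Bounded":
        if other.lo <= 0.0 <= other.hi:
            # The divisor may be zero: no finite bound exists, so mark the result.
            return Bounded(-math.inf, math.inf, False)
        quotients = (self.lo / other.lo, self.lo / other.hi,
                     self.hi / other.lo, self.hi / other.hi)
        return self._combine(other, min(quotients), max(quotients))

    def contains(self, x: float) -> bool:
        return self.lo <= x <= self.hi

    def guaranteed_digits(self) -> int:
        """Significant decimal digits on which every real in [lo, hi] agrees."""
        if not self.ok or math.isinf(self.lo) or math.isinf(self.hi):
            return 0
        width = self.hi - self.lo
        if width == 0.0:
            return 17                # exact: more digits than a double displays
        scale = max(abs(self.lo), abs(self.hi))
        return max(0, math.floor(-math.log10(width / scale)))

    def check(self, min_digits: int) -> "Bounded":
        """Fail-safe marking: once a value falls below the required accuracy the
        flag is cleared, and every calculation derived from it inherits that."""
        if self.ok and self.guaranteed_digits() < min_digits:
            return Bounded(self.lo, self.hi, False)
        return self


if __name__ == "__main__":
    total = Bounded.enclose(0.1) + Bounded.enclose(0.2)
    print(total.contains(0.3), total.guaranteed_digits())
    # Catastrophic cancellation: (1 + 1e-16) - 1 keeps almost no correct digits.
    cancel = (Bounded.exact(1.0) + Bounded.enclose(1e-16)) - Bounded.exact(1.0)
    print(cancel.contains(1e-16), cancel.check(1).ok)
```

The familiar 0.1 + 0.2 case comes out as a narrow interval that does contain 0.3, with about fifteen guaranteed digits; the cancellation case produces an interval that still contains the true answer but whose bounds disagree in the very first significant digit, so check() marks it and the mark survives any later multiplication.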
Programming

Apple Shuts Swift Mailing List, Migrates to Online Forum (swift.org) 25

An anonymous reader writes: Apple's Swift project "has completed the process of migrating to the Swift Forums as the primary method for discussion and communication!" announced a blog post on Friday. "The former mailing lists have been shut down and archived, and all mailing list content has been imported into the new forum system."

While they're still maintaining a few Swift-related mailing lists, they're moving discussions into online forums divided into four main categories: Evolution, Development, Using Swift, and Site Feedback. Forum accounts can be set up using either email registration or GitHub accounts.

It was one year ago that Swift creator Chris Lattner answered questions from Slashdot readers.
Security

'Text Bomb' Is Latest Apple Bug (bbc.com) 60

An anonymous reader quotes a report from the BBC: A new "text bomb" affecting Apple's iPhone and Mac computers has been discovered. Abraham Masri, a software developer, tweeted about the flaw which typically causes an iPhone to crash and in some cases restart. Simply sending a message containing a link which pointed to Mr Masri's code on programming site GitHub would be enough to activate the bug -- even if the recipient did not click the link itself. Mr Masri said he "always reports bugs" before releasing them. Apple has not yet commented on the issue. On a Mac, the bug reportedly makes the Safari browser crash, and causes other slowdowns. Security expert Graham Cluley wrote on his blog that the bug does not present anything to be particularly worried about -- it's merely very annoying. After the link did the rounds on social media, Mr Masri removed the code from GitHub, therefore disabling the "attack" unless someone was to replicate the code elsewhere.
Programming

Which JavaScript Framework is the Most Popular? (infoworld.com) 161

An anonymous reader quotes InfoWorld's report on which JavaScript frameworks are the most widely-used: In a study of 28-day download cycles for front-end JavaScript frameworks, NPM, which oversees the popular JavaScript package registry, found that React has been on a steady upward trajectory; it now accounts for about 0.05 percent of the registry's 13 billion downloads per month as of the fourth quarter of 2017. Web developers as well as desktop and mobile developers are adopting the library and it has spawned an ecosystem of related packages. Preact, a lightweight alternative to React, also has seen growth and could become a force in the future.

On the down side, Backbone, which accounted for almost 0.1 percent of all downloads in 2013, now comprises only about 0.005 percent of downloads (about 750,000 per month). Backbone has declined steeply but is kept afloat by the long shelf life of projects using it, NPM reasoned. The jQuery JavaScript library also remains popular but has experienced decreasing interest. Angular, the Google-developed JavaScript framework, was the second-most-popular framework behind React, when combining the original Angular 1.x with the rewritten Angular 2.x. Version 1.x was at about 0.0125 percent of downloads last month while version 2.x was at about 0.02 percent. Still, Angular as a whole is showing just modest growth.

They also report that the four JavaScript frameworks with the fastest growth rates for 2017 were Preact, Vue, React, and Ember.

But for back end services written in JavaScript, npm reports that Express "is the overwhelmingly dominant solution... The next four biggest frameworks are so small relative to Express that it's hard to even see them."
Open Source

Stack Overflow Stats Reveal 'the Brutal Lifecycle of JavaScript Frameworks' (stackoverflow.blog) 165

A developer on the Internal Tools team at Stack Overflow reveals some new statistics from their 'Trends' tool: JavaScript UI frameworks and libraries work in cycles. Every six months or so, a new one pops up, claiming that it has revolutionized UI development. Thousands of developers adopt it into their new projects, blog posts are written, Stack Overflow questions are asked and answered, and then a newer (and even more revolutionary) framework pops up to usurp the throne...

There appears to be a quick ascent, as the framework gains popularity and then a slightly less quick but steady decline as developers adopt newer technologies. These lifecycles only last a couple of years. Starting around 2011, there seems to be major adoption of a couple of competing frameworks: Backbone, Knockout, and Ember. Questions about these tags appear to grow until around 2013 and have been in steady decline since, at about the same time as AngularJS started growing. The latest startup is the Vue.js framework, which has shown quick adoption, as it is one of the fastest growing tags on Stack Overflow. Only time can tell how long this growth will last.

"Let's be honest," the post concludes. "The size of a developer community certainly counts; it contributes to a thriving open source environment, and makes it easier to find help on Stack Overflow."
Programming

Erroneous 'Spam' Flag Affected 102 npm Packages (npmjs.org) 84

There was some trouble last weekend at the world's largest package repository. An anonymous reader quotes the official npm blog: On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users' installations... Within 60 seconds, it became clear that floatdrop was not a spammer -- and that their packages were in heavy use in the npm ecosystem. The staffer notified colleagues and we re-activated the user and began restoring the packages to circulation immediately. Most of the packages were restored quickly, because the restoration was a matter of unsetting the deleted tombstones in our database, while also restoring package data tarballs and package metadata documents. However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages. We locked this down once we discovered it, but cleaning up the overpublished packages and inspecting their contents took additional time...

In cases where the npm staff accepts a user's request to delete a package, we publish a replacement package by the same name -- a security placeholder. This both alerts those who had depended on it that the original package is no longer available and prevents others from publishing new code using that package name. At the time of Saturday's incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam. This made it possible for other users to publish new versions of eleven of the removed packages. After a thorough examination of the replacement packages' contents, we have confirmed that none was malicious or harmful. Ten were exact replacements of the code that had just been removed, while the eleventh contained strings of text from the Bible -- and its publisher immediately contacted npm to advise us of its publication.

They're now implementing a 24-hour cooldown on republication of any deleted package names -- and are also updating their review process. "As a general rule, the npm Registry is and ought to be immutable, just like other package registries such as RubyGems and crates.io... However, there are legitimate cases for removing a package once it has been published. In a typical week, most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain private code that users have published inadvertently or inappropriately."
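Added example, not npm's code: a toy registry model of the rules the post describes, so the weekend's sequence of events can be replayed against them: a tombstone for a moderation removal that is unset to restore the package, a security placeholder for an accepted deletion request, and a 24-hour cooldown before a tombstoned name can be taken by anyone else. That a name becomes free again once the cooldown has elapsed is an assumption of this model; the timestamps and the names other than the two from the post are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

COOLDOWN = timedelta(hours=24)


@dataclass
class Entry:
    owner: str
    placeholder: bool = False              # security placeholder reserving the name
    deleted_at: Optional[datetime] = None  # tombstone; None means the package is live


class Registry:
    """Toy model of the name-reuse rules described in the npm post."""

    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}

    def publish(self, name: str, owner: str, now: datetime) -> str:
        entry = self.entries.get(name)
        if entry is None:
            self.entries[name] = Entry(owner)
            return "published"
        if entry.placeholder:
            return "rejected: name is held by a security placeholder"
        if entry.deleted_at is not None:
            if now - entry.deleted_at < COOLDOWN:
                return "rejected: name is in its 24-hour post-deletion cooldown"
            self.entries[name] = Entry(owner)  # assumption: free once the cooldown ends
            return "published"
        if entry.owner != owner:
            return "rejected: name belongs to another user"
        return "published"                     # the owner publishing a new version

    def delete(self, name: str, now: datetime, user_requested: bool) -> None:
        if user_requested:
            # Accepted deletion request: leave a placeholder so the name is never reused.
            self.entries[name] = Entry("registry", placeholder=True)
        else:
            # Moderation removal (e.g. a spam flag): tombstone, keeping the data for restore.
            self.entries[name].deleted_at = now

    def restore(self, name: str) -> None:
        """Undo a moderation removal by unsetting the tombstone."""
        self.entries[name].deleted_at = None

    def is_live(self, name: str) -> bool:
        entry = self.entries.get(name)
        return entry is not None and not entry.placeholder and entry.deleted_at is None


def replay_incident() -> Dict[str, object]:
    """Replay the incident's sequence under the new rules (constructed timestamps)."""
    reg = Registry()
    t0 = datetime(2018, 1, 6, 12, 0)
    reg.publish("require-from-string", "floatdrop", t0 - timedelta(days=400))
    reg.delete("require-from-string", t0, user_requested=False)   # wrongly flagged as spam
    out: Dict[str, object] = {}
    # Within the cooldown another user tries to take the name: now rejected.
    out["squat_after_60s"] = reg.publish("require-from-string", "someone-else", t0 + timedelta(seconds=60))
    reg.restore("require-from-string")
    out["restored"] = reg.is_live("require-from-string")
    # A user asked for deletion: the placeholder keeps the name off the market for good.
    reg.publish("test-package", "dev", t0)
    reg.delete("test-package", t0, user_requested=True)
    out["reuse_after_user_deletion"] = reg.publish("test-package", "stranger", t0 + timedelta(days=3))
    # A genuine spam removal that nobody restores: the name frees up after 24 hours.
    reg.publish("spam-package", "spammer", t0)
    reg.delete("spam-package", t0, user_requested=False)
    out["reuse_after_cooldown"] = reg.publish("spam-package", "newcomer", t0 + timedelta(hours=25))
    return out


if __name__ == "__main__":
    for key, value in replay_incident().items():
        print(f"{key}: {value}")
```

The replay shows the one gap the post identifies: under the old rules a spam removal left no tombstone in the way of a fresh publish, so the "squat_after_60s" step would have succeeded; with the cooldown it is rejected, and the restore a few minutes later simply clears the tombstone.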
Electronic Frontier Foundation

Violating a Website's Terms of Service Is Not a Crime, Federal Court Rules (eff.org) 82

An anonymous reader quotes a report from the Electronic Frontier Foundation: Good news out of the Ninth Circuit: the federal court of appeals heeded EFF's advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle's website in a manner it didn't like. The court ruled back in 2012 that merely violating a website's terms of use is not a crime under the federal computer crime statute, the Computer Fraud and Abuse Act. But some companies, like Oracle, turned to state computer crime statutes -- in this case, California and Nevada -- to enforce their computer use preferences. This decision shores up the good precedent from 2012 and makes clear -- if it wasn't clear already -- that violating a corporate computer use policy is not a crime.