
Python's Official Repository Included 10 'Malicious' Typo-Squatting Modules (bleepingcomputer.com)

An anonymous reader quotes BleepingComputer: The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI -- Python Package Index -- the official third-party software repository for the Python programming language. NBU experts say attackers used a technique known as typosquatting to upload Python libraries with names similar to legitimate packages -- e.g.: "urlib" instead of "urllib." The PyPI repository does not perform any types of security checks or audits when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online.

Developers who mistyped the package name loaded the malicious libraries in their software's setup scripts. "These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code," NBU explained. Experts say the malicious code only collected information on infected hosts, such as name and version of the fake package, the username of the user who installed the package, and the user's computer hostname. Collected data, which looked like "Y:urllib-1.21.1 admin testmachine", was uploaded to a Chinese IP address. NBU officials contacted PyPI administrators last week, who removed the packages before officials published a security advisory on Saturday.

The advisory lays some of the blame on Python's 'pip' tool, which executes arbitrary code during installations without requiring a cryptographic signature.

Ars Technica also reports that another team of researchers "was able to seed PyPI with more than 20 libraries that are part of the Python standard library," and that group now reports they've already received more than 7,400 pingbacks.
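The two reports above describe the same weak point: a dependency name one character away from a real package, or identical to a standard-library module, sails through pip. Below is an added example (not code from the NBU advisory, PyPI or pip) of a defender-side screen for a requirements file: it normalises names the way PyPI does, flags names that shadow standard-library modules (which never need installing), and flags names within one edit of a known package. The allow-list, the sample requirements and the older-interpreter fallback list are constructed for the demonstration.

```python
"""Typosquat screening for Python dependency names (added example)."""
from __future__ import annotations

import sys

# Standard-library module names: Python 3.10+ exposes them directly.
try:
    STDLIB_NAMES = set(sys.stdlib_module_names)
except AttributeError:  # older interpreters: constructed fallback subset
    STDLIB_NAMES = {"urllib", "json", "os", "subprocess", "hashlib", "socket"}

# Constructed allow-list of packages this hypothetical project really uses.
KNOWN_GOOD = {"requests", "urllib3", "numpy", "pandas"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), iterative dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PyPI compares names case-insensitively, treating '-', '_' and '.' alike."""
    return name.lower().replace("-", "_").replace(".", "_")


def requirement_name(line: str) -> str:
    """Strip comments, version specifiers, extras and markers from one line."""
    line = line.split("#", 1)[0].strip()
    for sep in ("==", ">=", "<=", "~=", "!=", ">", "<", "[", ";", " "):
        line = line.split(sep, 1)[0]
    return line.strip()


def classify(name: str, max_distance: int = 1) -> tuple[str, str | None]:
    """Return (verdict, lookalike) for one requirement name.

    'ok'        allow-listed
    'stdlib'    shadows a standard-library module (should never be installed)
    'lookalike' within max_distance edits of a known name, but not that name
    'unknown'   nothing matched; needs a human look
    """
    n = normalize(name)
    if n in {normalize(k) for k in KNOWN_GOOD}:
        return "ok", None
    if n in STDLIB_NAMES:
        return "stdlib", n
    best: tuple[int, str] | None = None
    for candidate in STDLIB_NAMES | KNOWN_GOOD:
        c = normalize(candidate)
        d = levenshtein(n, c)
        if c != n and d <= max_distance and (best is None or (d, c) < best):
            best = (d, c)
    return ("lookalike", best[1]) if best else ("unknown", None)


def screen(requirements_text: str) -> list[tuple[str, str, str | None]]:
    """Screen every non-empty requirements line; returns (name, verdict, lookalike)."""
    results = []
    for line in requirements_text.splitlines():
        name = requirement_name(line)
        if name:
            results.append((name, *classify(name)))
    return results


# Constructed sample requirements file mixing legitimate and suspicious names.
SAMPLE_REQUIREMENTS = """
requests==2.18.4
urlib            # one letter short of the stdlib 'urllib' (NBU's example)
urllib3>=1.21
numpy
hashlib          # stdlib module that should never be pip-installed
"""

if __name__ == "__main__":
    for name, verdict, lookalike in screen(SAMPLE_REQUIREMENTS):
        hint = f" (resembles {lookalike})" if verdict == "lookalike" else ""
        print(f"{name:12} {verdict}{hint}")
```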

First Ever Malvertising Campaign Uses JavaScript To Mine Cryptocurrencies In Your Browser (bleepingcomputer.com)

An anonymous reader writes from a report via Bleeping Computer: Malware authors are using JavaScript code delivered via malvertising campaigns to mine different cryptocurrencies inside people's browsers (mostly Monero), without their knowledge. The way crooks pulled this off was by using an online advertising company that allows them to deploy ads with custom JavaScript code. The JavaScript code is a modified version of MineCrunch (also known as Web Miner), a script released in 2014 that can mine cryptocurrencies using JavaScript code executed inside the browser. Cryptocurrency mining operations are notoriously resource-intensive and tend to slow down a user's computer. To avoid raising suspicion, crooks delivered malicious ads mainly on video streaming and browser-based gaming sites (currently mostly Ukrainian and Russian sites). Both types of sites use lots of resources, and users wouldn't get suspicious when their computer slowed down while accessing the site. Furthermore, users tend to linger more on browser games and video streaming services, allowing the mining script to do its job and generate profits for the crooks.

Java EE Is Moving To the Eclipse Foundation (adtmag.com)

Oracle has chosen the Eclipse Foundation to be the new home of the Java Platform Enterprise Edition (Java EE), the company announced this week. Oracle made the decision in collaboration with IBM and Red Hat, the two other largest contributors to the platform. From a report: "The Eclipse Foundation has strong experience and involvement with Java EE and related technologies," wrote Oracle software evangelist David Delabassee in a blog post. "This will help us transition Java EE rapidly, create community-friendly processes for evolving the platform, and leverage complementary projects such as MicroProfile. We look forward to this collaboration." Mike Milinkovich, executive director of the Eclipse Foundation, is optimistic about this move, which he said is exactly what enterprise Java needs and what the community has been hoping for.

Google Publicly Releases Internal Developer Documentation Style Guide (betanews.com)

BrianFagioli shares a report from BetaNews: The documentation aspect of any project is very important, as it can help people to both understand it and track changes. Unfortunately, many developers aren't very interested in the documentation aspect, so it often gets neglected. Luckily, if you want to maintain proper documentation and stay organized, today Google is releasing its internal developer documentation style guide. This can quite literally guide your documentation, giving you a great starting point and keeping things consistent.

Jed Hartman, a technical writer at Google, says, "For some years now, our technical writers at Google have used an internal-only editorial style guide for most of our developer documentation. In order to better support external contributors to our open source projects, such as Kubernetes, AMP, or Dart, and to allow for more consistency across developer documentation, we're now making that style guide public. If you contribute documentation to projects like those, you now have direct access to useful guidance about voice, tone, word choice, and other style considerations. It can be useful for general issues, like reminders to use second person, present tense, active voice, and the serial comma; it can also be great for checking very specific issues, like whether to write 'app' or 'application' when you want to be consistent with the Google Developers style."
You can access Google's style guide here.

Is Python Really the Fastest-Growing Programming Language? (stackoverflow.blog)

An anonymous reader quotes Stack Overflow Blog: In this post, we'll explore the extraordinary growth of the Python programming language in the last five years, as seen by Stack Overflow traffic within high-income countries. The term "fastest-growing" can be hard to define precisely, but we make the case that Python has a solid claim to being the fastest-growing major programming language... June 2017 was the first month that Python was the most visited [programming language] tag on Stack Overflow within high-income nations. This included being the most visited tag within the US and the UK, and in the top 2 in almost all other high income nations (next to either Java or JavaScript). This is especially impressive because in 2012, it was less visited than any of the other 5 languages, and has grown by 2.5-fold in that time. Part of this is because of the seasonal nature of traffic to Java. Since it's heavily taught in undergraduate courses, Java traffic tends to rise during the fall and spring and drop during the summer.

Does Python show a similar growth in the rest of the world, in countries like India, Brazil, Russia and China? Indeed it does. Outside of high-income countries Python is still the fastest growing major programming language; it simply started at a lower level and the growth began two years later (in 2014 rather than 2012). In fact, the year-over-year growth rate of Python in non-high-income countries is slightly higher than it is in high-income countries... We're not looking to contribute to any "language war." The number of users of a language doesn't imply anything about its quality, and certainly can't tell you which language is more appropriate for a particular situation. With that perspective in mind, however, we believe it's worth understanding what languages make up the developer ecosystem, and how that ecosystem might be changing. This post demonstrated that Python has shown a surprising growth in the last five years, especially within high-income countries.

The post was written by Stack Overflow data scientist David Robinson, who notes that "I used to program primarily in Python, though I have since switched entirely to R."

Bug In Windows Kernel Could Prevent Security Software From Identifying Malware (bleepingcomputer.com)

An anonymous reader writes: "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation. The issue came to light earlier this year when enSilo researchers were analyzing the Windows kernel code. Omri Misgav, Security Researcher at enSilo and the one who discovered the issue, says the bug affects all Windows versions released since Windows 2000. Misgav's tests showed that the programming error has survived up to the most recent Windows 10 releases." In an interview, the researcher said Microsoft did not consider this a security issue. Bug technical details are available here.

Following Cheating Scandals, Harvard Dean of Undergrad Ed Visits CS50 Class and Tells Students Not To Cheat (thecrimson.com)

theodp writes: After a flood of cheating cases roiled Harvard's Computer Science 50: "Introduction to Computer Science I" last year, Dean of Undergraduate Education Jay Harris implored students in the course not to cheat on assignments at an orientation session Wednesday night. Course head David Malan, the Harvard Crimson reports, spent the last five minutes of the orientation session fielding questions from students confused about the course's collaboration policy and whether or not CS50 enrollees are allowed to use code found online. He told them never to Google solutions, and never to borrow a friend's work. Last week, CS50 students were informed via a CS50 FAQ that they are also now "encouraged" to physically attend the course's taped weekly lectures. In an essay last year, Prof. Malan had questioned the value of saying everyone should attend every lecture. Attendance is now also expected at every discussion section until the first mid-semester exam. In case you're curious, the estimated sticker price for attending Harvard College during the 2017-2018 school year is $69,600-$73,600 (health insurance sold separately).

Chrome 61 Arrives With JavaScript Modules, WebUSB Support (venturebeat.com)

The latest version of Google Chrome has launched, bringing a host of new developer features like JavaScript modules and WebUSB support. An anonymous Slashdot reader shares a report from VentureBeat: Google has launched Chrome 61 for Windows, Mac, and Linux. Additions in this release include JavaScript modules and WebUSB support, among other developer features. You can update to the latest version now using the browser's built-in silent updater or download it directly from google.com/chrome. Google also released Chrome 61 for Android today. In addition to performance and stability fixes, you can expect two new features: Translate pages with a more compact toolbar and pick images with an improved image picker.

Chrome now supports JavaScript modules natively via the new element, letting developers declare a script's dependencies. Modules are already popular in third-party build tools, which use them to bundle only the required scripts. Native support means the browser can fetch granular dependencies in parallel, taking advantage of caching, avoiding duplications across the page, and ensuring the script executes in the correct order, all without a build step. Google recommends these two blog posts for more information: ECMAScript modules in browsers and ES6 Modules in Depth. Speaking of JavaScript, Chrome 61 also upgrades the browser's V8 JavaScript engine to version 6.1. Developers can expect performance improvements and a binary size reduction. The WebUSB API meanwhile allows web apps to access user-permitted USB devices. This enables all the functionality provided by hardware peripherals such as keyboards, mice, printers, and gamepads, while still preserving the security guarantees of the web.

Oracle Staff Report Big Layoffs Across Solaris, SPARC Teams (theregister.co.uk)

Simon Sharwood, reporting for the Register: Soon-to-be-former Oracle staff report that the company made hundreds of layoffs last Friday, as predicted by El Reg, with workers on teams covering the Solaris operating system, SPARC silicon, tape libraries and storage products shown the door. Oracle's media relations agency told The Register: "We decline comment." However, Big Red's staffers are having their say online, in tweets such as the one below. "For real. Oracle RIF'd most of Solaris (and others) today," an employee said. A "RIF" is a "reduction in force", Oracle-speak for making people redundant (IBM's equivalent is an "RA", or "resource action"). Tech industry observer Simon Phipps claims "~all" Solaris staff were laid off. "For those unaware, Oracle laid off ~ all Solaris tech staff yesterday in a classic silent EOL of the product."

With Android Oreo, Google Is Introducing Linux Kernel Requirements (betanews.com)

Mark Wilson shares a report from BetaNews: As is easy to tell by comparing versions of Android from different handset manufacturers, developers are -- broadly speaking -- free to do whatever they want with Android, but with Oreo, one aspect of this is changing. Google is introducing a new requirement that OEMs must meet certain requirements when choosing the Linux kernel they use. Until now, as pointed out by XDA Developers, OEMs have been free to use whatever Linux kernel they wanted to create their own version of Android. Of course, their builds still had to pass Google's other tests, but the kernel number itself was not an issue. Moving forward, Android devices running Oreo must use at least kernel 3.18, but there are more specific requirements to meet as well. Google explains on the Android Source page: "Android O mandates a minimum kernel version and kernel configuration and checks them both in VTS as well as during an OTA. Android device kernels must enable the kernel .config support along with the option to read the kernel configuration at runtime through procfs."

Thousands of Job Applicants Citing Top Secret US Government Work Exposed In Amazon Server Data Breach (gizmodo.com)

According to Gizmodo, "Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year." From the report: The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants. "At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume."

Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveals extraordinary details about thousands of individuals who were formerly and may be currently employed by the U.S. Department of Defense and within the U.S. intelligence community. The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labeled "resumes" containing the curriculum vitae of thousands of U.S. citizens holding Top Secret security clearances -- a prerequisite for their jobs at the Central Intelligence Agency, the National Security Agency, and the U.S. Secret Service, among other government agencies.

Why Oracle Should Cede Control of Java SE (infoworld.com)

An anonymous reader quotes InfoWorld: Now that Oracle wants to turn over leadership of enterprise Java's (Java EE's) development to a still-unnamed open source foundation, might the same thing happen with the standard edition of Java (Java SE) that Oracle also controls? Such a move could produce substantial benefits... Oracle said it has no plans to make such a move. But the potential fruits of such a move are undeniable.

For one, a loosening of Oracle's control could entice other contributors to Java to participate more... [W]ith the current Oracle-dominated setup, other companies and individuals could be reluctant to contribute a lot if they see it as benefiting a major software industry provider -- and possible rival -- like Oracle... Indeed, the 22-year-old language and platform could be given a whole new lease on life, if the open source community rises to the occasion and boosts participation...

Despite the potential to grow Java SE by ceding control, Oracle seems content to hold on to its place as the steward of JDK development. But that could change given the tempestuous relationship Oracle has with parts of the Java community. Oracle has been at loggerheads with the community over both Java SE and Java EE... Oracle may at some point decide it is easier to just cede control rather than having to keep soothing the ruffled feathers that keep occurring among its Java partners.

Solve a 'Simple' Chess Puzzle, Win $1 Million (st-andrews.ac.uk)

An anonymous reader brings an important announcement: Researchers at the University of St Andrews have thrown down the gauntlet to computer programmers to find a solution to a "simple" chess puzzle which could, in fact, take thousands of years to solve, and net a $1 million prize. Computer Scientist Professor Ian Gent and his colleagues, at the University of St Andrews, believe any program capable of solving the famous "Queens Puzzle" efficiently would be so powerful, it would be capable of solving tasks currently considered impossible, such as decrypting the toughest security on the internet. In a paper [PDF] published in the Journal of Artificial Intelligence Research today, the team conclude the rewards to be reaped by such a program would be immense, not least in financial terms with firms rushing to use it to offer technological solutions, and also a $1 million prize offered by the Clay Mathematics Institute in America.

Devised in 1850, the Queens Puzzle originally challenged a player to place eight queens on a standard chessboard so that no two queens could attack each other. This means putting one queen in each row, so that no two queens are in the same column and no two queens are on the same diagonal. Although the problem has been solved by human beings, once the chess board increases to a large size no computer program can solve it.
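The constraints just described (one queen per row, no shared column, no shared diagonal) translate directly into a backtracking search. Below is an added example, not code from the St Andrews paper, that enumerates solutions for an n-by-n board by extending one row at a time and pruning any column or diagonal already occupied; a separate brute-force checker validates each result. Running it for growing n shows why exhaustive search stops being practical long before the board sizes the researchers have in mind.

```python
"""Backtracking n-queens solver (added example)."""
from __future__ import annotations


def n_queens_solutions(n: int, limit: int | None = None) -> list[list[int]]:
    """Return solutions as lists where solution[row] = column of that row's queen.

    limit stops the search after that many solutions (None = enumerate all).
    """
    solutions: list[list[int]] = []
    cols: set[int] = set()    # columns already holding a queen
    diag1: set[int] = set()   # row - col is constant along one diagonal direction
    diag2: set[int] = set()   # row + col is constant along the other direction
    placement: list[int] = []

    def place(row: int) -> bool:
        """Try every column in this row; return True once the limit is reached."""
        if row == n:
            solutions.append(placement.copy())
            return limit is not None and len(solutions) >= limit
        for col in range(n):
            if col in cols or (row - col) in diag1 or (row + col) in diag2:
                continue  # attacked by a queen placed in an earlier row
            cols.add(col)
            diag1.add(row - col)
            diag2.add(row + col)
            placement.append(col)
            if place(row + 1):
                return True
            placement.pop()
            cols.discard(col)
            diag1.discard(row - col)
            diag2.discard(row + col)
        return False

    place(0)
    return solutions


def is_valid(solution: list[int]) -> bool:
    """Independent pairwise check: no shared column, no shared diagonal."""
    n = len(solution)
    for r1 in range(n):
        for r2 in range(r1 + 1, n):
            c1, c2 = solution[r1], solution[r2]
            if c1 == c2 or abs(c1 - c2) == r2 - r1:
                return False
    return True


def render(solution: list[int]) -> str:
    """ASCII board, one row per line, 'Q' for a queen and '.' for an empty square."""
    n = len(solution)
    return "\n".join(
        "".join("Q" if solution[r] == c else "." for c in range(n)) for r in range(n)
    )


if __name__ == "__main__":
    for size in range(4, 10):
        print(f"{size} queens: {len(n_queens_solutions(size))} solutions")
    print(render(n_queens_solutions(8, limit=1)[0]))
```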

Do Code Bootcamps Work? (inc.com)

"Computer programming is highly specialized work; it can't be effectively taught in an intensive program," writes Inc. magazine's contributing editor: Last month, two of the country's largest and most well-regarded coding bootcamps closed. While there are still over 90 such camps in the U.S. and Canada, these for-profit intensive software engineering schools aren't successfully preparing their students for programming jobs. According to a recent Bloomberg article, the Silicon Valley recruiter Mark Dinan characterized the bootcamps as "a freaking joke," while representatives of Google and Autodesk said respectively that "most graduates from these programs are not quite prepared" and "coding schools haven't been much of a focus for [us]."

In one sense, the failure of coding bootcamps reflects the near-universal failure of for-profit universities, colleges, and charter schools to provide a usable education. In another sense, though, coding bootcamps represent a profound misunderstanding of what computer programming is all about... Coding at the professional level is highly specialized and requires years of practice to master... the idea of a bootcamp for coding is just as practical as the idea of a bootcamp for surgery.

Petition Asks the Developers of Phoenix OS to Open Source the Kernel (xda-developers.com)

An anonymous reader shares a report: Android is mainly considered an open source mobile operating system, but there are a number of closed source elements that hundreds of millions of people use every day. The actual requirement of Android is that the kernel be open sourced for the public. This is enforced by the GPL, but sadly this is one of those gray areas where someone actually needs to take legal action to enforce it. Some companies have violated this time and time again, and a new petition is calling for the developers of Phoenix OS to do the right thing. For those who are unaware, Phoenix OS is one of the only full desktop versions of Android that is still being maintained. [...] So a dedicated fan of the platform, Karol Putra, has created a Change.org petition in hopes that it will change their minds.

Oracle Finally Decides To Stop Prolonging the Inevitable, Begins Hardware Layoffs (theregister.co.uk)

Shaun Nichols, reporting for The Register: Oracle is starting layoffs that will hit its hardware division, The Register has learned. Current and some soon-to-be former staffers have whispered that the database giant is shipping out packages containing the paperwork for ending their employment. The workers have received alerts from FedEx that the packages, which will need to be signed for, are en route for a September 1 delivery. "One of my co-workers emailed that he received a notification from FedEx of a label created by Oracle America, Inc," writes one anonymous employee. "I just checked and a label has been created for my home address. This is in the US. Looks like Friday is it for Sparc MicroElectronics." The layoffs are hardly a surprise, given the performance of Oracle's hardware unit as of late. In the last financial year, Oracle reported hardware revenues of $4.15bn. By comparison, in 2016 the unit logged hardware revenues of $4.67bn. In 2015 it was $5.2bn, and 2014 saw $5.37bn.

Coders In Wealthy and Developing Countries Lean on Different Programming Languages (vice.com)

Stack Overflow data scientist David Robinson published an interesting observation: There exists a small but meaningful divide between the programming technologies used in wealthy countries and those used in developing countries. From a report: To be sure, programmers everywhere tend to build things with the same tools, which makes sense because software is a global industry. The first is in data science, which tends to employ the programming languages Python and R. "Python is visited about twice as often in high-income countries as in the rest of the world, and R about three times as much," Robinson writes. "We might also notice that among the smaller tags, many of the greatest shifts are in scientific Python and R packages such as pandas, numpy, matplotlib and ggplot2. This suggests that part of the income gap in these two languages may be due to their role in science and academic research. It makes sense these would be more common in wealthier industrialized nations, where scientific research makes up a larger portion of the economy and programmers are more likely to have advanced degrees." C and C++ use is similarly skewed toward wealthy countries. This is likely for a similar reason. These are languages that are pushed in American universities. They also tend to be used in highly specialized/advanced programming fields like embedded software and firmware development where you're more likely to find engineers with advanced degrees.

China Regulator To Review Apple Antitrust Complaint (bloomberg.com)

China's State Administration for Industry and Commerce is reviewing an antitrust complaint accusing Apple of abusing its dominant position in smartphone applications, people familiar with the matter told Bloomberg. From the report: The regulator is studying the information following a complaint filed on behalf of developers before deciding if a formal investigation is necessary, said the people, who asked not to be named because the matter isn't public. The review is preliminary, and Chinese antitrust agencies usually review such information before deciding whether an official probe is needed. Beijing-based law firm Daxiao, or Dare & Sure, said earlier this month it filed complaints on the developers' behalf to the SAIC and the National Development and Reform Commission. The lawyers accused Apple of removing apps without a proper explanation and taking an excessive 30 percent cut of in-app transactions, it said in an Aug. 8 statement. The law firm now represents close to 50 developers, producing games and a number of other apps, according to Lin Wei, managing partner of Dare & Sure.

Google Unveils ARCore, Its Answer To Apple's ARKit (fastcompany.com)

Google has taken the wraps off its answer to Apple's ARKit -- a new augmented reality development platform called "ARCore." In a blog post, the company said it's releasing a "preview" software development kit for ARCore to Android developers today. From a report: Google released its Tango AR platform in 2014, but AR experiences built on that platform could run only on a few phones sporting advanced sensors and cameras. With ARCore, Google says, developers can create AR apps and games that run on virtually any Android smartphone -- existing and forthcoming. "We've been developing the fundamental technologies that power mobile AR over the last three years with Tango, and ARCore is built on that work," says Android Engineering VP Dave Burke in today's blog post. Developers who have already developed on the Tango platform, Burke says, can use that experience to help them create on the ARCore platform. ARCore games and apps will use an Android phone's camera to determine the position and movement of the phone itself within a real-world environment. The camera will determine the location of horizontal surfaces on which to place digital objects. The camera will also measure the ambient light in a given space, so that digital objects will appear to reflect light in convincing ways.

OpenJDK May Tackle Java Security Gaps With A Secretive New Group (infoworld.com)

An anonymous reader quotes InfoWorld: To shore up Java's security, a private group that operates outside the normal open source community process is under consideration. The proposed OpenJDK Vulnerability Group would provide a secure, private forum in which trusted members of the community receive reports on vulnerabilities in code bases and then review and fix them... The vulnerability group and Oracle's internal security teams would work together, and it may occasionally need to work with external security organizations.

Due to the sensitive nature of its work, membership in the group would be more selective, there would be a strict communication policy, and members or their employers would need to sign both a nondisclosure and a license agreement, said Mark Reinhold, chief architect of the Java platform group at Oracle. "These requirements do, strictly speaking, violate the OpenJDK bylaws," Reinhold said. "The governing board has discussed this, however, and I expect that the board will approve the creation of this group with these exceptional requirements." If the Java security group is approved, Andrew Gross, leader of Oracle's internal Java vulnerability team, would lead it.
