Orome1 shares a report from Help Net Security: Software developers love to reuse code wherever possible, and hackers are no exception. While we often think of different malware strains as separate entities, the reality is that most new malware recycles large chunks of source code from existing malware with some changes and additions (possibly taken from other publicly released vulnerabilities and tools). This approach makes sense. Why reinvent the wheel when another author already created a working solution? While code reuse in malware can make signature-based detection methods more effective in certain cases, more often than not it frees up time for attackers to do additional work on detection avoidance and attack efficacy -- which can create a more dangerous final product.

There are multiple reasons why hackers reuse code when developing their own malware. First, it saves time. By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking. In some cases, there may be only one way to successfully accomplish a task, such as exploiting a vulnerability. In these instances, code reuse is a no-brainer. Hacker also tend to reuse effective tactics such as social engineering, malicious macros and spear phishing whenever possible simply because they have a high rate of success.

Pete Warden, engineer and CTO of Jetpac, shares his view on how deep learning is already starting to change some of the programming is done. From a blog post, shared by a reader last week: The pattern is that there's an existing software project doing data processing using explicit programming logic, and the team charged with maintaining it find they can replace it with a deep-learning-based solution. I can only point to examples within Alphabet that we've made public, like upgrading search ranking, data center energy usage, language translation, and solving Go, but these aren't rare exceptions internally. What I see is that almost any data processing system with non-trivial logic can be improved significantly by applying modern machine learning. This might sound less than dramatic when put in those terms, but it's a radical change in how we build software. Instead of writing and maintaining intricate, layered tangles of logic, the developer has to become a teacher, a curator of training data and an analyst of results. This is very, very different than the programming I was taught in school, but what gets me most excited is that it should be far more accessible than traditional coding, once the tooling catches up. The essence of the process is providing a lot of examples of inputs, and what you expect for the outputs. This doesn't require the same technical skills as traditional programming, but it does need a deep knowledge of the problem domain. That means motivated users of the software will be able to play much more of a direct role in building it than has ever been possible. In essence, the users are writing their own user stories and feeding them into the machinery to build what they want.

Plus1Entropy shares a report from BBC, adding: "But when I asked Putin, he said they didn't do it": Russia's Ministry of Defense has posted what it called "irrefutable proof" of the U.S. aiding so-called Islamic State -- but one of the images was actually taken from a video game. The ministry claimed the image showed an IS convoy leaving a Syrian town last week aided by U.S. forces. Instead, it came from the smartphone game AC-130 Gunship Simulator: Special Ops Squadron. The ministry said an employee had mistakenly attached the photo. The Conflict Intelligence Team fact-checking group said the other four provided were also errors, taken from a June 2016 video which showed the Iraqi Air Force attacking IS in Iraq. The video game image seems to be taken from a promotional video on the game's website and YouTube channel, closely cropped to omit the game controls and on-screen information. In the corner of the image, however, a few letters of the developer's disclaimer can still be seen: "Development footage. This is a work in progress. All content subject to change."

An anonymous reader writes: After 35 years of programming in C, Eric S. Raymond believes that we're finally seeing viable alternatives to the language. "We went thirty years -- most of my time in the field -- without any plausible C successor, nor any real vision of what a post-C technology platform for systems programming might look like. Now we have two such visions...and there is another."

"I have a friend working on a language he calls 'Cx' which is C with minimal changes for type safety; the goal of his project is explicitly to produce a code lifter that, with minimal human assistance, can pull up legacy C codebases. I won't name him so he doesn't get stuck in a situation where he might be overpromising, but the approach looks sound to me and I'm trying to get him more funding. So, now I can see three plausible paths out of C. Two years ago I couldn't see any. I repeat: this is huge... Go, or Rust, or Cx -- any way you slice it, C's hold is slipping."
Raymond's essay also includes a fascinating look back at the history of programming languages after 1982, when the major complied languages (FORTRAN, Pascal, and COBOL) "were either confined to legacy code, retreated to single-platform fortresses, or simply ran on inertia under increasing pressure from C around the edges of their domains.

"Then it stayed that way for nearly thirty years."

tedlistens writes from a report via Fast Company: "Facebook routinely shares the sensitive income and employment data of its U.S.-based employees with the Work Number database, owned by Equifax Workforce Solutions," reports Fast Company. "Every week, Facebook provides an electronic data feed of its employees' hourly work and wage information to Equifax Workforce Solutions, formerly known as TALX, a St. Louis-based unit of Equifax, Inc. The Work Number database is managed separately from the Equifax credit bureau database that suffered a breach exposing the data of more than 143 million Americans, but it contains another cache of extensive personal information about Facebook's employees, including their date of birth, social security number, job title, salary, pay raises or decreases, tenure, number of hours worked per week, wages by pay period, healthcare insurance coverage, dental care insurance coverage, and unemployment claim records."

Surprisingly, Facebook is among friends. Every payroll period, Amazon, Microsoft, and Oracle provide an electronic feed of their employees' hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden's former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to the Equifax Work Number database. It now contains over 296 million employment records for employees at all wage levels, from CEOs to interns. The database helps streamline various processes for employers and even federal government agencies, says Equifax. But databases like the Work Number also come with considerable risks. As consumer journalist Bob Sullivan puts it, Equifax, "with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans' personal information ever created." On October 8, a month after Equifax announced its giant data breach, security expert Brian Krebs uncovered a gaping hole in the separate Work Number online consumer application portal, which allowed anyone to view a person's salary and employment history "using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax."

On this day, eight years ago, a group of programmers at Google released Go, a brand-new open-source programming language that they hoped would solve some of the problems they faced with Java, C++ and other programming languages. In the past eight years, Go has gotten a tremendous traction, with Go helping drive several services running inside Google. The company, on its part, has added a handful of features to Go, including a revamped garbage collector in 2015, and support for various ARM processors. From a blog post: Go has been embraced by developers all over the world with approximately one million users worldwide. In the freshly published 2017 Octoverse by GitHub, Go has become the #9 most popular language, surpassing C. Go is the fastest growing language on GitHub in 2017 in the top 10 with 52% growth over the previous year. In growth, Go swapped places with Javascript, which fell to the second spot with 44%. In Stack Overflow's 2017 developer survey, Go was the only language that was both on the top 5 most loved and top 5 most wanted languages. People who use Go, love it, and the people who aren't using Go, want to be. [...] Since Go was first open sourced we have had 10 releases of the language, libraries and tooling with more than 1680 contributors making over 50,000 commits to the project's 34 repositories; More than double the number of contributors and nearly double the number of commits from only two years ago. This year we announced that we have begun planning Go 2, our first major revision of the language and tooling.

An anonymous reader quotes a report from Motherboard: WikiLeaks published new alleged material from the CIA on Thursday, releasing source code from a tool called Hive, which allows its operators to control malware it installed on different devices. WikiLeaks previously released documentation pertaining to the tool, but this is the first time WikiLeaks has released extensive source code for any CIA spying tool. This release is the first in what WikiLeaks founder Julian Assange says is a new series, Vault 8, that will release the code from the CIA hacking tools revealed as part of Vault 7. "This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components," WikiLeaks said in its press release for Vault 8. "Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention." In its release, WikiLeaks said that materials published as part of Vault 8 will "not contain zero-days or similar security vulnerabilities which could be repurposed by others."

theodp writes: Well, this year's Hour of Code is almost upon us, and if Google has its way, K-12 schoolchildren across the nation will be learning computer science by creating Google Doodles with Scratch (lesson plan). Curiously, the introductory video for the Create Your Own Google Logo Hour of Code activity from the Google Computer Science Education Department sternly warns kids, "While it is okay to use the Google logo for your personal Doodle, it is not okay [emphasis Google's] to use it anyplace else or outside this activity." In addition to respecting its intellectual property, Google instructs kids that they are to follow the Scratch Community Guidelines when they create Google logos: "Please stay positive, friendly, and supportive towards others in the Scratch Community. Help us keep Scratch a place where people of different backgrounds and interests feel welcome to hang out and create together."

An anonymous reader quotes IT News: Fashion retailer The Iconic is no longer running quality assurance as a separate function within its software development process, having shifted QA responsibilities directly onto developers... "We decided: we've got all these [developers] who are [coding] every day, and they're testing their own work -- we don't need a second layer of advice on it," head of development Oliver Brennan told the New Relic FutureStack conference in Sydney last week. "It just makes people lazy..."

Such a move has the obvious potential to create problems should a developer drop the ball; to make sure the impact of any unforeseen issues is minimised for customers, The Iconic introduced feature toggles -- allowing developers to turn off troublesome functionality without having to deploy new code. Every new feature that goes into production must now sit behind one of these toggles, which dictates whether a user is served the new or old version of the feature in question. The error rates between the new and old versions are then monitored for any discrepancies... While Brennan is no fan of "people breaking things", he argues moving fast is more beneficial for customers.
"If our site is down now, people will generally come back later," Brennan adds, and the company has now moved all of its QA workers into engineering roles.

Thomas Claburn, writing for The Register: Developers really dislike Perl, and projects associated with Microsoft, at least among those who volunteer their views through Stack Overflow. The community coding site offers programmers a way to document their technical affinities on their developer story profile pages. Included therein is an input box for tech they'd prefer to avoid. For developers who have chosen to provide testaments of loathing, Perl tops the list of disliked programming languages, followed by Delphi and VBA. The yardstick here consists of the ratio of "likes" and "dislikes" listed in developer story profiles; to merit chart position, the topic or tag in question had to show up in at least 2,000 stories. Further down the down the list of unloved programming language comes PHP, Objective-C, CoffeeScript, and Ruby. In a blog post seen by The Register ahead of its publication today, Stack Overflow data scientist David Robinson said usually there's a relationship between how fast a particular tag is growing and how often it's disliked. "Almost everything disliked by more than 3 per cent of Stories mentioning it is shrinking in Stack Overflow traffic (except for the quite polarizing VBA, which is steady or slightly growing)," said Robinson. "And the least-disliked tags -- R, Rust, TypeScript and Kotlin -- are all among the fast-growing tags (TypeScript and Kotlin growing so quickly they had to be truncated in the plot)."

An anonymous reader quotes a local NBC news report: Stories are starting to pour in about those impacted by last month's massive Equifax data breach, which compromised the private information of more than 140 million people. Katie Van Fleet of Seattle says she's spent months trying to regain her stolen identity, and says it has been stolen more than a dozen times. "I kept receiving letters from Kohl's, from Macy's, from Home Depot, from Old Navy saying 'thank you for your application,'" she said to CNN affiliate KCPQ. But she says she's never applied for credit from any of those places. Instead, Van Fleet and her attorney Catherine Fleming say they believe her personal data was stolen during the massive Equifax security breach... Fleming has filed a class-action lawsuit against Equifax, saying they were negligent in losing private information on more than 140 million Americans... "Countless people, I mean, I've really, truly lost count, and the stories that like Katie's, the stories I hear are heart-wrenching," Fleming said.
But are things about to get worse? Marketwatch reports: It will become harder for consumers to sue their banks or companies like Equifax... The Senate voted Tuesday night to overturn a rule the Consumer Financial Protection Bureau worked on for more than five years. The final version of the rule banned companies from putting "mandatory arbitration clauses" in their contracts, language that prohibits consumers from bringing class-action lawsuits against them. It applies to institutions that sell financial products, including bank accounts and credit cards. Consumer advocates say it's good news for companies like Wells Fargo or Equifax, which have both had class-action lawsuits filed against them, and bad news for their customers... Lisa Gilbert, the vice president of legislative affairs at Public Citizen, a nonprofit based in Washington, D.C., said the Senate vote shouldn't impact cases that are already ongoing. However, there will "certainly" be more forced arbitration clauses in contracts in the future, and fewer cases brought against companies, she said.

An anonymous reader quotes HPE Insights: Software developers and testers must be sick of hearing security nuts rant, "Beware SQL injection! Monitor for cross-site scripting! Watch for hijacked session credentials!" I suspect the developers tune us out... The industry has generated newer tools, better testing suites, Agile methodologies, and other advances in writing and testing software. Despite all that, coders keep making the same dumb mistakes, peer reviews keep missing those mistakes, test tools fail to catch those mistakes, and hackers keep finding ways to exploit those mistakes. One way to see the repeat offenders is to look at the Open Web Application Security Project Top 10, a sometimes controversial ranking of the 10 primary vulnerabilities, published every three or four years by the Open Web Application Security Project... It boggles the mind that a majority of top 10 issues appear across the 2007, 2010, 2013, and draft 2017 OWASP lists...

It's sad that eight out of 10 of the issues from 2013 are still top security issues in 2017. In fact, if you consider that the draft 2017 list combined two of the 2013 items, it's actually nine out of 10. Ouch... What can you do? Train everyone better, for starters. Look at coding and test tools that can help detect or prevent security vulnerabilities, but don't consider them silver bullets. Do dynamic application security testing, including penetration testing and fuzz testing. Ensure admins do their part to protect applications. And finally, make sure you establish a culture of security-aware programming and deployment.

An anonymous reader quotes InfoWorld: The Firebug web development tool, an open source add-on to the Firefox browser, is being discontinued after 12 years, replaced by Firefox Developer Tools. Firebug will be dropped with next month's release of Firefox Quantum (version 57). The Firebug tool lets developers inspect, edit, and debug code in the Firefox browser as well as monitor CSS, HTML, and JavaScript in webpages. It still has more than a million people using it, said Jan Honza Odvarko, who has been the leader of the Firebug project. Many extensions were built for Firebug, which is itself is an extension to Firefox... The goal is to make debugging native to Firefox. "Sometimes, it's better to start from scratch, which is especially true for software development," Odvarko said.

A computer at the center of a lawsuit digging into Russian interference in the U.S. presidential election has been wiped. "The server in question is based in Georgia -- a state that narrowly backed Donald Trump, giving him 16 electoral votes -- and stored the results of the state's vote-management system," reports The Register. "The deletion of its filesystem data makes analysis of whether the system was compromised impossible to ascertain." From the report: There is good reason to believe that the computer may have been tampered with: it is 15 years old, and could be harboring all sorts of exploitable software and hardware vulnerabilities. No hard copies of the votes are kept, making the electronic copy the only official record. While investigating the Kennesaw State University's Center for Election Systems, which oversees Georgia's voting system, last year, security researcher Logan Lamb found its system was misconfigured, exposing the state's entire voter registration records, multiple PDFs with instructions and passwords for election workers, and the software systems used to tally votes cast. Despite Lamb letting the election center knows of his findings, the security holes were left unpatched for seven months. He later went public after the U.S. security services announced there had been a determined effort by the Russian government to sway the presidential elections, including looking at compromising electronic voting machines.

In an effort to force the state to scrap the system, a number of Georgia voters bandied together and sued. They asked for an independent security review of the server, expecting to find flaws that would lend weight to their argument for investment in a more modern and secure system. But emails released this week following a Freedom of Information Act request reveal that technicians at the election center deleted the server's data on July 7 -- just days after the lawsuit was filed. The memos reveal multiple references to the data wipe, including a message sent just last week from an assistant state attorney general to the plaintiffs in the case. That same email also notes that backups of the server data were also deleted more than a month after the initial wipe -- just as the lawsuit moved to a federal court. It is unclear who ordered the destruction of the data, and why, but they have raised yet more suspicions of collusion between the Trump campaign team, the Republican Party, and the Russian government.

A user writes: Barreling towards my late 40s, I've enjoyed 25+ years of coding for a living, working in telecoms, government, and education. In recent years, it's been typical enterprise Java stuff. Looking around, I'm pretty much always the oldest in the room. So where are the other old guys? I can't imagine they've all moved up the chain into management. There just aren't enough of those positions to absorb the masses of aging coders. Clearly there *are* older workers in software, but they are a minority. What sectors have the others gone into? Retired early? Low-wage service sector? Genuinely interested to hear your story about having left the field, willfully or otherwise.

New submitter fstack writes: Senior software architect Mark Maybee who has been working at Oracle/Sun since '98 says maybe we "could" still see ZFS be a first-class upstream Linux file-system. He spoke at the annual OpenZFS Developer Summit about how Oracle's focus has shifted to the cloud and how they have reduced investment in Solaris. He admits that Linux rules the cloud. Among the Oracle engineer's hopes is that ZFS needs to become a "first class citizen in Linux," and to do so Oracle should port their ZFS code to Oracle Linux and then upstream the file-system to the Linux kernel, which would involve relicensing the ZFS code.

An anonymous reader shares a report: American tech giants have ramped up the amount of cash they spend on lobbying US lawmakers to get their own way, yet again. As congressmen consider regulating organizations from Facebook to Google, and mull antitrust crackdowns against Amazon, said corporations have responded by flinging more dosh at the problem. The money is spent on, ahem, holding meetings between company execs and politicians so that businesses can push their agenda and swing decisions in their favor, which may not be in the interests of the people who elected said politicians. Facebook's $2.85m for the third quarter of the year -- disclosed this week as required by law -- is beaten only by the amount it spent in the first quarter: $3.21m. In its second quarter, it blew $2.38m. Overall, Facebook's lobbying bills for 2017 looks set to smash the $9.85m it spent in 2015 and the $8.7m in 2016. The social network is being investigated by both halves of Congress for its role in the Russian propaganda campaign during the US presidential election, and this month has been on a huge PR campaign in the capital. Likewise Amazon spent its highest ever amount on professional lobbyists -- both individuals and companies that book face time with lawmakers and their staff where they press the company's viewpoints. Amazon spent $3.41m in the third quarter, up from $3.21m for the second quarter -- which was also a record spend for the company. Apple has already blown past the $4.67m in spent in 2016 -- which was then its highest-ever spending. So far in 2017, the iPhone maker has spent $5.46m bending lawmakers' ears. Google spent less in the third quarter of the year to the wallet-busting Q2 spend of $5.93m, but it still spent $4.17m -- higher than its average spend of $4.0m per quarter over the past five years. But perhaps the most notable increase in spending has come from Oracle, which spent a whopping $3.82m on lobbying in the third quarter: double what it normally spends.

Sarah Jeong at The Verge has an interesting profile of William H. Alsup, the judge in Oracle v. Google case, who to many's surprise was able to comment on the technical issues that Oracle and Google were fighting about. Alsup admits that he learned the Java programming language only so that he could better understand the substance of the case. Here's an excerpt from the interview: On May 18th, 2012, attorneys for Oracle and Google were battling over nine lines of code in a hearing before Judge William H. Alsup of the northern district of California. The first jury trial in Oracle v. Google, the fight over whether Google had hijacked code from Oracle for its Android system, was wrapping up. The argument centered on a function called rangeCheck. Of all the lines of code that Oracle had tested -- 15 million in total -- these were the only ones that were "literally" copied. Every keystroke, a perfect duplicate. It was in Oracle's interest to play up the significance of rangeCheck as much as possible, and David Boies, Oracle's lawyer, began to argue that Google had copied rangeCheck so that it could take Android to market more quickly. Judge Alsup was not buying it. "I couldn't have told you the first thing about Java before this trial," said the judge. "But, I have done and still do a lot of programming myself in other languages. I have written blocks of code like rangeCheck a hundred times or more. I could do it. You could do it. It is so simple." It was an offhand comment that would snowball out of control, much to Alsup's chagrin. It was first repeated among lawyers and legal wonks, then by tech publications. With every repetition, Alsup's skill grew, until eventually he became "the judge who learned Java" -- Alsup the programmer, the black-robed nerd hero, the 10x judge, the "master of the court and of Java."

An anonymous Slashdot reader ran into a problem when looking for a new employer: Most ask for links to "recent work" but the reason I'm leaving my current job is because this company doesn't produce good code. After years of trying to force them to change, they have refused to change any of their poor practices, because the CTO is a narcissist and doesn't recognize that so much is wrong. I have written good code for this company. The problem is it is mostly back-end code where I was afforded some freedom, but the front-end is still a complete mess that doesn't reflect any coherent coding practice whatsoever...

I am giving up on fixing this company but finding it hard to exemplify my work when it is hidden behind some of the worst front-end code I have ever seen. Most job applications ask for links to live code, not for code samples (which I would more easily be able to supply). Some of the websites look okay on the surface, but are one right click -> inspect element away from giving away the mess; most of the projects require a username and password to login as well but account registration is not open. So how do I reference my recent work when all of my recent work is embarrassing on the front-end?
The original submission's title asked what to use for work samples "when the CTO has butchered all my work." Any suggestions? Leave your best thoughts in the comments. How can you apply for a job when your code samples suck?

An anonymous reader shares an article: It's difficult to know what's in store for the future of AI but let's tackle the most looming question first: are engineering jobs threatened? As anticlimactic as it may be, the answer is entirely dependent on what timeframe you are talking about. In the next decade? No, entirely unlikely. Eventually? Most definitely. The kicker is that engineers never truly know how the computer is able to accomplish these tasks. In many ways, the neural operations of the AI system are a black box. Programmers, therefore, become the AI coaches. They coach cars to self-drive, coach computers to recognise faces in photos, coach your smartphone to detect handwriting on a check in order to deposit electronically, and so on. In fact, the possibilities of AI and machine learning are limitless. The capabilities of AI through machine learning are wondrous, magnificent... and not going away. Attempts to apply artificial intelligence to programming tasks have resulted in further developments in knowledge and automated reasoning. Therefore, programmers must redefine their roles. Essentially, software development jobs will not become obsolete anytime soon but instead require more collaboration between humans and computers. For one, there will be an increased need for engineers to create, test and research AI systems. AI and machine learning will not be advanced enough to automate and dominate everything for a long time, so engineers will remain the technological handmaidens.