Education

MIT CS Professor Tests AI's Impact on Educating Programmers (acm.org) 84

Long-time Slashdot reader theodp writes: "The Impact of AI on Computer Science Education" recounts an experiment Eric Klopfer conducted in his undergrad CS class at MIT. He divided the class into three groups and gave them a programming task to solve in the Fortran language, which none of them knew. Reminiscent of how The Three Little Pigs used straw, sticks, and bricks to build their houses with very different results, Klopfer allowed one group to use ChatGPT to solve the problem, while the second group was told to use Meta's Code Llama LLM, and the third group could only use Google. The group that used ChatGPT, predictably, solved the problem quickest, while it took the second group longer to solve it. It took the group using Google even longer, because they had to break the task down into components.

Then, the students were tested on how they solved the problem from memory, and the tables turned. The ChatGPT group "remembered nothing, and they all failed," recalled Klopfer. Meanwhile, half of the Code Llama group passed the test. The group that used Google? Every student passed.

"This is an important educational lesson," said Klopfer. "Working hard and struggling is actually an important way of learning. When you're given an answer, you're not struggling and you're not learning. And when you get more of a complex problem, it's tedious to go back to the beginning of a large language model and troubleshoot it and integrate it." In contrast, breaking the problem into components allows you to use an LLM to work on small aspects, as opposed to trying to use the model for an entire project, he says. "These skills, of how to break down the problem, are critical to learn."

Programming

GitHub Actions Typosquatting: a High-Impact Supply Chain Attack-in-Waiting? (csoonline.com) 4

GitHub Actions let developers "automate software builds and tests," writes CSO Online, "by setting up workflows that trigger when specific events are detected, such as when new code is committed to the repository."

They also "can be reused and shared with others on the GitHub Marketplace, which currently lists thousands of public Actions that developers can use instead of coding their own. Actions can also be included as dependencies inside other Actions, creating an ecosystem similar to other open-source component registries." Researchers from Orca Security recently investigated the impact typosquatting can have in the GitHub Actions ecosystem by registering 14 GitHub organizations with names that are misspellings of popular Actions owners — for example, circelci instead of circleci, actons instead of actions, google-github-actons instead of google-github-actions... One might think that developers making typos is not very common, but given the scale of GitHub — over 100 million developers with over 420 million repositories — even a statistically rare occurrence can mean thousands of potential victims. For example, the researchers found 194 workflow files calling the "action" organization instead of "actions"; moreover, 12 public repositories started referencing the researchers' fake "actons" organization within two months of setting it up.

"Although the number may not seem that high, these are only the public repositories we can search for and there could be multiple more private ones, with numbers increasing over time," the researchers wrote... Ultimately this is a low-cost high-impact attack. Having the ability to execute malicious actions against someone else's code is very powerful and can result in software supply chain attacks, with organizations and users that then consume the backdoored code being impacted as well...

Out of the 14 typosquatted organizations that Orca set up for their proof-of-concept, GitHub only suspended one over a three-month period — circelci — and that's likely because someone reported it. CircleCI is one of the most popular CI/CD platforms.

Thanks to Slashdot reader snydeq for sharing the article.
Programming

Python, JavaScript, Java: ZDNet Calculates The Most Popular Programming Languages (zdnet.com) 39

Pundits aggregate results from multiple pollsters to minimize biases. So ZDNet tried the same approach, but aggregating rankings for the popularity of 19 top programming languages. Senior contributing editor David Gewirtz combined results from nine popularity rankings, including PYPL, the Tiobe index, GitHub's Usage 2023 summary report, and several rankings from Stack Overflow and from IEEE Spectrum.

The results? The top cluster contains Python, JavaScript, and Java. These are all very representative in the world of AI coding...

The next cluster contains the classic C-based languages [C++, C#, C], plus TypeScript (which is a more robust JavaScript variant) and SQL.

Below that are languages that were dominant a while ago, the web languages used to build and operate websites [HTML/CSS, PHP, Shell], followed by a range of other languages that are either growing in popularity (R, Dart) or dropping in popularity (Ruby). [Just above Ruby are Go, Rust, Kotlin, and Lua.]

Finally, at the bottom is Swift, Apple's language of choice. Objective-C, the previous language of Apple programming, has all but dropped off the list since Apple launched Swift. But while Apple boasts many developers, Swift is clearly not a standout in programmer interest... [T]here aren't a huge number of companies hiring Apple app developers, at least primarily. That's why Swift is relatively far down the chart. Objective-C is being replaced by Swift, and we can see it dropping right before our eyes.

"With the exception of Java, the C-family of languages still dominates," the article concludes, before adding that if you're only going to learn one language, "I'd recommend Python, Java, and JavaScript instead." But it also advises aspiring programmers to learn "multiple languages and multiple frameworks. Build things in the languages. Programming is not just an intellectual exercise. You have to actually make stuff....

"[L]earning how to learn languages is as important as learning a language — and the best way to do that is to learn more than one."
Open Source

Open Source Redis Fork 'Valkey' Has Momentum, Improvements, and Speed, Says Dirk Hohndel (thenewstack.io) 16

"Dirk Hohndel, a Linux kernel developer and long-time open source leader, wanted his audience at KubeCon + CloudNativeCon + Open Source Summit China 2024 Summit China to know he's not a Valkey developer," writes Steven J. Vaughan-Nichols. "He's a Valkey user and fan." [Hohndel] opened his speech by recalling how the open source, high-performance key/value datastore Valkey had been forked from Redis... Hohndel emphasized that "forks are good. Forks are one of the key things that open source licenses are for. So, if the maintainer starts doing things you don't like, you can fork the code under the same license and do better..." In this case, though, Redis had done a "bait-and-switch" with the Redis code, Hohndale argued. This was because they had made an all-too-common business failure: They hadn't realized that "open source is not a business model...."

While the licensing change is what prompted the fork, Hohndel sees leadership and technical reasons why the Valkey fork is likely to succeed. First, two-thirds of the formerly top Redis maintainers and developers have switched to Valkey. In addition, AWS, Google Cloud, and Oracle, under the Linux Foundation's auspices, all support Valkey. When both the technical and money people agree, good things can happen.

The other reason is that Valkey already looks like it will be the better technical choice. That's because the recently announced Valkey 8.0, which builds upon the last open source version of Redis, 7.2.4, introduces serious speed improvements and new features that Redis users have wanted for some time. As [AWS principal engineer Madelyn] Olson said at Open Source Summit North America earlier this year, "Redis really didn't want to break anything." Valkey wants to move a bit faster. How much faster? A lot. Valkey 8.0 overhauls Redis's single-threaded event loop threading model with a more sophisticated multithreaded approach to I/O operations. Hohndel reported that on his small Valkey-powered aircraft tracking system, "I see roughly a threefold improvement in performance, and I stream a lot of data, 60 million data points a day."

The article notes that Valkey is already being supported by major Linux distros including AlmaLinux, Fedora, and Alpine.
AI

VS Code Fork 'Cursor' - the ChatGPT of Coding? (tomsguide.com) 69

"Sometimes an artificial intelligence tool comes out of nowhere and dominates the conversation on social media," writes Tom's Guide.

"This week that app is Cursor, an AI coding tool that uses models like Claude 3.5 Sonnet and GPT-4o to make it easier than ever to build your own apps," with the ability to "write, predict and manipulate code using nothing but a text prompt." Cursor is part development environment, part AI chatbot and unlike tools like GitHub Copilot it can more or less do all of the work for you, transforming a simple idea into functional code in minutes... Built on the same system as the popular Microsoft Visual Studio Code, Cursor has already found a fanbase among novice coders and experienced engineers...

Cursor's simplicity, working from a chat window, means even someone completely new to code could get a functional app running in minutes and keep building on it to add new features... The startup has raised over $400 million since it was founded in 2022 and works with various models including those from Anthropic and OpenAI... In my view, its true power is in the democratization of coding. It would also allow someone without much coding experience to build the tools they need by typing a few lines of text.

More from ReadWrite: Cursor, an AI firm that is attempting to build a "magical tool that will one day write all the world's code," has announced it has raised $60 million in its Series A funding round... As of August 22, the company had a valuation of $400 million, according to sources cited by TechCrunch...

Anysphere is the two-year-old startup that developed the app. Its co-founders are Michael Truell, Sualeh Asif, Arvid Lunnemark and Aman Sanger, who started the company while they were students at MIT... Using advanced AI capabilities, it is said to be able to finish, correct, and change AI code through natural language commands. It currently works with JavaScript, Python, and TypeScript, and is free for most uses. The pro plan will set you back $20 per month.

But how well does it work? Tom's Guide notes that after requesting a test app, "It generated the necessary code in the sidebar chat window and all I had to do was click Apply and then Accept. This added the code to a new Python file including all the necessary imports. It also gave me instructions on how to add modules to my machine to make the code work.

"As the chat is powered by Claude 3.5 Sonnet, you can just have it explain in more detail any element of the code or any task required to make it run..."

Andreessen Horowitz explains why they invested in the company: It's very clear that LLMs are a powerful tool for programmers, and that their coding abilities will improve over time. But it's also clear that for most coding tasks, the problem to solve is not how to make LLMs perform well in isolation, but how to make them perform well alongside a human developer. We believe, therefore, the interface between programmers and AI models will soon become one of the most important pieces of the dev stack. And we're thrilled to announce our series A investment...

Cursor is a fork of VS Code that's heavily customized for AI-assisted programming. It works with all the latest LLMs and supports the full VS Code plugin ecosystem. What makes Cursor special are the features designed to integrate AI into developer workflows — including next action prediction, natural language edits, chatting with your codebase, and a bunch of new ones to come... Our belief is that Cursor, distinctly among AI coding tools, has simply gotten it right. That's why, in a little over a year, thousands of users have signed up for Cursor, including at companies like OpenAI, Midjourney, Perplexity, Replicate, Shopify, Instacart, and many others. Users give glowing reviews of the product, many of them have started to pay for it, and they rarely switch back to other IDEs. Most of the a16z Infra team have also become avid Cursor users!

One site even argues that Cursor's coding and AI capabilities "should be a wake up call for Microsoft to make VS Code integration with GitHub Copilot a lot easier."

Thanks to Slashdot reader joshuark for sharing the article.
Python

Python Developer Survey: 55% Use Linux, 6% Use Python 2 (jetbrains.com) 68

More than 25,000 Python developers from nearly 200 countries took the 7th annual Python Developers Survey between November 2023 and February 2024, with 85% saying Python was their main language.

Some interesting findings:
  • Though Python 2 reached "end-of-life" status in April of 2020, last year's survey found 7% of respondents were still using Python 2. This year's survey found that number has finally dropped... to 6%.

    "Almost half of Python 2 holdouts are under 21 years old," the survey results point out, "and a third are students. Perhaps courses are still using Python 2?"
  • Meanwhile, 73% are using one of the last three versions of Python (3.10, 3.11, or 3.12)
  • "The share of developers using Linux as their development environment has decreased through the years: compared with 2021, it's dropped by 8 percentage points." [The graphic is a little confusing, showing 55% using Linux, 55% using Windows, 29% on MacOS, 2% on BSD, and 1% on "Other."]
  • Visual Studio Code is the most popular IDE (22%), followed by Jupyter Notebook (20%) and Vim (17%). The next-most popular IDEs were PyCharm Community Edition (13%), JupyterLab (12%), NotePad++ (11%) and Sublime Text (9%). Interestingly, just 23% of the 25,000 respondents said they only used one IDE, with 38% saying they used two, 21% using three, and 19% using four or more. [The annual survey is a collaboration between the Python Software Foundation and JetBrains.]
  • 37% said they'd contributed to open-source projects within the last year. (77% of those contributed code, while 38% contributed documentation, 35% contributed governance/leadership/maintainer duties, and 33% contributed tests...)
  • For "age range," nearly one-third (32%) said 21-29 (with another 8% choosing 18-20). Another 33% said 30-39, while 16% said 40-49, 7% said 50-59, and 3% chose "60 or older."

    49% of respondents said they had less than two years of programming experience, with 33% saying "less than 1 year" and 16% saying "1-2 years." (34% of developers also said they practiced collaborative development.)

And here's how the 25,000 developers answered the question: how long have you been programming in Python?

  • Less than 1 year: 25%
  • 1-2 years: 16%
  • 3-5 years: 26%
  • 6-10 years: 19%
  • 11+ years: 13%

So what are they doing with Python? Among those who'd said Python was their main language:

  • Data analysis: 44%
  • Web development: 44%
  • Machine learning: 34%
  • Data engineering: 28%
  • Academic research: 26%
  • DevOps / Systems administration / Writing automation scripts 26%
  • Programming of web parsers / scrapers / crawlers: 25%

62% were "fully employed by a company," while the next-largest category was "student" (12%) with another 5% in "working student". There were also categories for "self-employed" (6%), "freelancer" (another 6%), and "partially employed by a company" (4%). Another 4% said they were unemployed.

In other news, the Python Software Foundation board has also "decided to invest more in connecting and serving the global Python community" by hosting monthly "office hours" on their Discord channel.


Wine

Microsoft Donates the Mono Project To Wine (gamingonlinux.com) 67

Microsoft has decided to donate the Mono Project to the developers of Wine, FOSS that allows Windows applications to run on Unix-like operating systems. "Mono is a software platform designed to allow developers to easily create cross platform applications," notes GameOnLinux's Liam Dawe. "It is an open source implementation of Microsoft's .NET Framework based on the ECMA standards for C# and the Common Language Runtime."

"Wine already makes use of Mono and this move makes sense with Microsoft focusing on open-source .NET and other efforts," adds Phoronix's Michael Larabel. "Formally handing over control of the upstream Mono project to WineHQ is a nice move by Microsoft rather than just letting the upstream Mono die off or otherwise forked." Microsoft's Jeff Schwartz announced the move on the Mono website and in a GitHub post: The Mono Project (mono/mono) ('original mono') has been an important part of the .NET ecosystem since it was launched in 2001. Microsoft became the steward of the Mono Project when it acquired Xamarin in 2016. The last major release of the Mono Project was in July 2019, with minor patch releases since that time. The last patch release was February 2024. We are happy to announce that the WineHQ organization will be taking over as the stewards of the Mono Project upstream at wine-mono / Mono - GitLab (winehq.org). Source code in existing mono/mono and other repos will remain available, although repos may be archived. Binaries will remain available for up to four years.

Microsoft maintains a modern fork of Mono runtime in the dotnet/runtime repo and has been progressively moving workloads to that fork. That work is now complete, and we recommend that active Mono users and maintainers of Mono-based app frameworks migrate to .NET which includes work from this fork. We want to recognize that the Mono Project was the first .NET implementation on Android, iOS, Linux, and other operating systems. The Mono Project was a trailblazer for the .NET platform across many operating systems. It helped make cross-platform .NET a reality and enabled .NET in many new places and we appreciate the work of those who came before us.

Thank you to all the Mono developers!

Programming

Amazon and AWS Developers May Not Want To Invite Their CEOs To Java Code Reviews 47

theodp writes: Typos happen to the best of us, but spelling still counts when it comes to software development. So, it's kind of surprising to see that both Amazon CEO Andy Jassy and former AWS CEO Adam Selipsky failed to notice an embarrassing typo in a demo video they offered to their millions of followers on social media as evidence of Amazon Q AI's Java upgrade capabilities, which Amazon has been trumpeting for months in SEC filings, shareholder communication, and Amazon's latest earnings call with Wall Street analysts.

Just 37 seconds into the demo of the software that Amazon says saved it 4,500 developer-years of work and provided an additional $260M in annualized efficiency gains, Amazon Q kicks off the Java upgrade conversation by saying, "I can help you upgrade your Jave [sic] 8 and 11 codebases to Java 17." The embarrassing misspelling did prompt Twitter user @archo5dev to alert Jassy to the typo, but there's been no response yet from Jassy, who boasted that Amazon developers were unable to find any mistakes in Q's work in "79% of the auto-generated code reviews."

It's probably worth noting that both Jassy and Selipsky opted to showcase a drop-dead simple demo of Amazon Q Code Transformation rather than some of the lengthier and less-magical demos of the product.
PHP

Hackers Have Found an Entirely New Way To Backdoor Into Microsoft Windows (security.com) 63

A university in Taiwan was breached with "a previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique," Symantec reports. The most notable feature of this backdoor is that it communicates with a command-and-control server via DNS traffic... The code for the DNS tunneling tool is based on the publicly available dnscat2 tool. It receives commands by performing name resolution... Msupedge not only receives commands via DNS traffic but also uses the resolved IP address of the C&C server (ctl.msedeapi[.]net) as a command. The third octet of the resolved IP address is a switch case. The behavior of the backdoor will change based on the value of the third octet of the resolved IP address minus seven...

The initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577). The vulnerability is a CGI argument injection flaw affecting all versions of PHP installed on the Windows operating system. Successful exploitation of the vulnerability can lead to remote code execution.

Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown.

More from The Record: Compared to more obvious methods like HTTP or HTTPS tunneling, this technique can be harder to detect because DNS traffic is generally considered benign and is often overlooked by security tools. Earlier in June, researchers discovered a campaign by suspected Chinese state-sponsored hackers, known as RedJuliett, targeting dozens of organizations in Taiwan, including universities, state agencies, electronics manufacturers, and religious organizations. Like many other Chinese threat actors, the group likely targeted vulnerabilities in internet-facing devices such as firewalls and enterprise VPNs for initial access because these devices often have limited visibility and security solutions, researchers said.
Additional coverage at The Hacker News.

Thanks to Slashdot reader joshuark for sharing the article.
Programming

Amazon CEO: AI-Assisted Code Transformation Saved Us 4,500 Years of Developer Work (x.com) 130

Long-time Slashdot reader theodp shared this anecdote about Amazon's GenAI assistant for software development, Amazon Q: On Thursday, Amazon CEO Andy Jassy took to Twitter to boast that using Amazon Q to do Java upgrades has already saved Amazon from having to pay for 4,500 developer-years of work. ("Yes, that number is crazy but, real," writes Jassy). And Jassy says it also provided Amazon with an additional $260M in annualized efficiency gains from enhanced security and reduced infrastructure costs.

"Our developers shipped 79% of the auto-generated code reviews without any additional changes," Jassy explained. "This is a great example of how large-scale enterprises can gain significant efficiencies in foundational software hygiene work by leveraging Amazon Q."

Jassy — who FORTUNE reported had no formal training in computer science — also touted Amazon Q's Java upgrade prowess in his Letter to Shareholders earlier this year, as has Amazon in its recent SEC filings ("today, developers can save months using Q to move from older versions of Java to newer, more secure and capable ones; in the near future, Q will help developers transform their .net code as well"). Earlier this week, Business Insider reported on a leaked recording of a fireside chat in which AWS CEO Matt Garman predicted a paradigm shift in coding as a career in the foreseeable future with the prevalence of AI. According to Garman, "If you go forward 24 months from now, or some amount of time — I can't exactly predict where it is — it's possible that most developers are not coding."

Social Networks

Families Can Sue App Developer For Breaking Its Anti-Bullying Pledge, Says Court (theverge.com) 37

The Verge's Adi Robertson reports: An appeals court revived a lawsuit against the anonymous messaging service Yolo, which allegedly broke a promise to unmask bullies on the app. In a ruling (PDF) issued Thursday, the Ninth Circuit Court of Appeals said Section 230 of the Communications Decency Act shouldn't block a claim that Yolo misrepresented its terms of service, overruling a lower court decision. But it determined the app can't be held liable for alleged design defects that allowed harassment, letting a different part of that earlier ruling stand.

Yolo was a Snapchat-integrated app that let users send anonymous messages, but in 2021, it was hit with a lawsuit after a teenage user died by suicide. The boy, Carson Bride, had received harassing and sexually explicit messages from anonymized users that -- he believed -- he likely knew. Bride and his family attempted to contact Yolo for help, but Yolo allegedly never answered, and in some cases, emails to the company simply bounced. Snap banned Yolo and another app targeted in the lawsuit, and a year later, it banned all anonymous messaging integration. Bride's family and a collection of other aggrieved parents argued that Yolo broke a legally binding promise to its users. They pointed to a notification where Yolo claimed people would be banned for inappropriate use and deanonymized if they sent "harassing messages" to others. But as the ruling summarizes, the plaintiffs argued that "with a staff of no more than ten people, there was no way Yolo could monitor the traffic of ten million active daily users to make good on its promise, and it in fact never did." Additionally, they claimed Yolo should have known its anonymous design facilitated harassment, making it defective and dangerous.

A lower court threw out both of these claims, saying that under Section 230, Yolo couldn't be held responsible for its users' posts. The appeals court was more sympathetic. It accepted the argument that families were instead holding Yolo responsible for promising users something it couldn't deliver. "Yolo repeatedly informed users that it would unmask and ban users who violated the terms of service. Yet it never did so, and may have never intended to," writes Judge Eugene Siler, Jr. "While yes, online content is involved in these facts, and content moderation is one possible solution for Yolo to fulfill its promise, the underlying duty ... is the promise itself." The Yolo suit built on a previous Ninth Circuit ruling that let another Snap-related lawsuit circumvent Section 230's shield. In 2021, it found Snap could be sued for a "speed filter" that could implicitly encourage users to drive recklessly, even if users were responsible for making posts with that filter. (The overall case is still ongoing.) On top of their misrepresentation claim, the plaintiffs argued Yolo's anonymous messaging capability was similarly risky, an argument the Ninth Circuit didn't buy -- "we refuse to endorse a theory that would classify anonymity as a per se inherently unreasonable risk," Siler wrote.

Programming

Linux Creator Torvalds Says Rust Adoption in Kernel Lags Expectations (zdnet.com) 69

Linux creator Linus Torvalds expressed disappointment with the slow adoption of Rust in the Linux kernel at the Linux Foundation's Open Source Summit China. In a conversation with Verizon executive Dirk Hohndel, Torvalds said, "I was expecting updates to be faster, but part of the problem is that old-time kernel developers are used to C and don't know Rust. They're not exactly excited about having to learn a new language that is, in some respects, very different." This resistance has led to "some pushback on Rust," he said. "Another reason has been the Rust infrastructure itself has not been super stable," he added.
AI

AWS CEO Says Most Developers Could Stop Coding Soon as AI Takes Over 178

An anonymous reader shares a report: Software engineers may have to develop other skills soon as AI takes over many coding tasks. That's according to Amazon Web Services' CEO, Matt Garman, who shared his thoughts on the topic during an internal fireside chat held in June, according to a recording of the meeting obtained by Business Insider. "If you go forward 24 months from now, or some amount of time -- I can't exactly predict where it is -- it's possible that most developers are not coding," said Garman, who became AWS's CEO in June.

"Coding is just kind of like the language that we talk to computers. It's not necessarily the skill in and of itself," the executive said. "The skill in and of itself is like, how do I innovate? How do I go build something that's interesting for my end users to use?" This means the job of a software developer will change, Garman said. "It just means that each of us has to get more in tune with what our customers need and what the actual end thing is that we're going to try to go build, because that's going to be more and more of what the work is as opposed to sitting down and actually writing code," he said.
Apple

Apple is Still Standing in the Way of Epic's App Store (theverge.com) 59

Epic Games launched its alternative app store in the European Union last week, capitalizing on new regulations opening up iOS. The store aims to offer developers lower commissions and greater payment flexibility compared to Apple's App Store. However, Apple's new terms for alternative marketplaces present significant challenges for developers. Apple imposes a 50 euro cent per user per year installation fee, a 10% commission on external sales, and a 5% fee on purchases within a year of installation.

These fees apply on top of Epic's 12% commission, potentially making the alternative store less attractive for many developers, The Verge writes. While Epic can likely absorb these costs for its hit game Fortnite, smaller developers face a steeper hurdle. Some industry insiders express skepticism about the viability of the new ecosystem for most app creators. Epic plans to offer a curated selection of third-party games on its mobile store by December, but widespread adoption remains uncertain.
Programming

'GitHub Actions' Artifacts Leak Tokens, Expose Cloud Services and Repositories (securityweek.com) 19

Security Week brings news about CI/CD workflows using GitHub Actions in build processes. Some workflows can generate artifacts that "may inadvertently leak tokens for third party cloud services and GitHub, exposing repositories and services to compromise, Palo Alto Networks warns." [The artifacts] function as a mechanism for persisting and sharing data across jobs within the workflow and ensure that data is available even after the workflow finishes. [The artifacts] are stored for up to 90 days and, in open source projects, are publicly available... The identified issue, a combination of misconfigurations and security defects, allows anyone with read access to a repository to consume the leaked tokens, and threat actors could exploit it to push malicious code or steal secrets from the repository. "It's important to note that these tokens weren't part of the repository code but were only found in repository-produced artifacts," Palo Alto Networks' Yaron Avital explains...

"The Super-Linter log file is often uploaded as a build artifact for reasons like debuggability and maintenance. But this practice exposed sensitive tokens of the repository." Super-Linter has been updated and no longer prints environment variables to log files.

Avital was able to identify a leaked token that, unlike the GitHub token, would not expire as soon as the workflow job ends, and automated the process that downloads an artifact, extracts the token, and uses it to replace the artifact with a malicious one. Because subsequent workflow jobs would often use previously uploaded artifacts, an attacker could use this process to achieve remote code execution (RCE) on the job runner that uses the malicious artifact, potentially compromising workstations, Avital notes.

Avital's blog post notes other variations on the attack — and "The research laid out here allowed me to compromise dozens of projects maintained by well-known organizations, including firebase-js-sdk by Google, a JavaScript package directly referenced by 1.6 million public projects, according to GitHub. Another high-profile project involved adsys, a tool included in the Ubuntu distribution used by corporations for integration with Active Directory." (Avital says the issue even impacted projects from Microsoft, Red Hat, and AWS.) "All open-source projects I approached with this issue cooperated swiftly and patched their code. Some offered bounties and cool swag."

"This research was reported to GitHub's bug bounty program. They categorized the issue as informational, placing the onus on users to secure their uploaded artifacts." My aim in this article is to highlight the potential for unintentionally exposing sensitive information through artifacts in GitHub Actions workflows. To address the concern, I developed a proof of concept (PoC) custom action that safeguards against such leaks. The action uses the @actions/artifact package, which is also used by the upload-artifact GitHub action, adding a crucial security layer by using an open-source scanner to audit the source directory for secrets and blocking the artifact upload when risk of accidental secret exposure exists. This approach promotes a more secure workflow environment...

As this research shows, we have a gap in the current security conversation regarding artifact scanning. GitHub's deprecation of Artifacts V3 should prompt organizations using the artifacts mechanism to reevaluate the way they use it. Security defenders must adopt a holistic approach, meticulously scrutinizing every stage — from code to production — for potential vulnerabilities. Overlooked elements like build artifacts often become prime targets for attackers. Reduce workflow permissions of runner tokens according to least privilege and review artifact creation in your CI/CD pipelines. By implementing a proactive and vigilant approach to security, defenders can significantly strengthen their project's security posture.

The blog post also notes protection and mitigation features from Palo Alto Networks....
AI

'AI-Powered Remediation': GitHub Now Offers 'Copilot Autofix' Suggestions for Code Vulnerabilities (infoworld.com) 18

InfoWorld reports that Microsoft-owned GitHub "has unveiled Copilot Autofix, an AI-powered software vulnerability remediation service."

The feature became available Wednesday as part of the GitHub Advanced Security (or GHAS) service: "Copilot Autofix analyzes vulnerabilities in code, explains why they matter, and offers code suggestions that help developers fix vulnerabilities as fast as they are found," GitHub said in the announcement. GHAS customers on GitHub Enterprise Cloud already have Copilot Autofix included in their subscription. GitHub has enabled Copilot Autofix by default for these customers in their GHAS code scanning settings.

Beginning in September, Copilot Autofix will be offered for free in pull requests to open source projects.

During the public beta, which began in March, GitHub found that developers using Copilot Autofix were fixing code vulnerabilities more than three times faster than those doing it manually, demonstrating how AI agents such as Copilot Autofix can radically simplify and accelerate software development.

"Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews," says one principal engineer quoted in GitHub's announcement, "and a 25% increase in overall development productivity."

The announcement also notes that Copilot Autofix "leverages the CodeQL engine, GPT-4o, and a combination of heuristics and GitHub Copilot APIs." Code scanning tools detect vulnerabilities, but they don't address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply. In other words, finding vulnerabilities isn't the problem. Fixing them is...

Developers can keep new vulnerabilities out of their code with Copilot Autofix in the pull request, and now also pay down the backlog of security debt by generating fixes for existing vulnerabilities... Fixes can be generated for dozens of classes of code vulnerabilities, such as SQL injection and cross-site scripting, which developers can dismiss, edit, or commit in their pull request.... For developers who aren't necessarily security experts, Copilot Autofix is like having the expertise of your security team at your fingertips while you review code...

As the global home of the open source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open source software is safer and more reliable for everyone. We firmly believe that it's highly important to be both a responsible consumer of open source software and contributor back to it, which is why open source maintainers can already take advantage of GitHub's code scanning, secret scanning, dependency management, and private vulnerability reporting tools at no cost. Starting in September, we're thrilled to add Copilot Autofix in pull requests to this list and offer it for free to all open source projects...

While responsibility for software security continues to rest on the shoulders of developers, we believe that AI agents can help relieve much of the burden.... With Copilot Autofix, we are one step closer to our vision where a vulnerability found means a vulnerability fixed.

Programming

GitHub Promises 'Additional Guardrails' After Wednesday's Update Triggers Short Outage (githubstatus.com) 12

Wednesday GitHub "broke itself," reports the Register, writing that "the Microsoft-owned code-hosting outfit says it made a change involving its database infrastructure, which sparked a global outage of its various services."

Or, as the Verge puts it, GitHub experienced "some major issues" which apparently lasted for 36 minutes: When we first published this story, navigating to the main GitHub website showed an error message that said "no server is currently available to service your request," but the website was working again soon after. (The error message also featured an image of an angry unicorn.) GitHub's report of the incident also listed problems with things like pull requests, GitHub Pages, Copilot, and the GitHub API.
GitHub attributed the downtime to "an erroneous configuration change rolled out to all GitHub.com databases that impacted the ability of the database to respond to health check pings from the routing service. As a result, the routing service could not detect healthy databases to route application traffic to. This led to widespread impact on GitHub.com starting at 23:02 UTC." (Downdetector showed "more than 10,000 user reports of problems," according to the Verge, "and that the problems were reported quite suddenly.")

GitHub's incident report adds that "Given the severity of this incident, follow-up items are the highest priority work for teams at this time." To prevent recurrence we are implementing additional guardrails in our database change management process. We are also prioritizing several repair items such as faster rollback functionality and more resilience to dependency failures.
Programming

'The Best, Worst Codebase' 29

Jimmy Miller, programmer and co-host of the future of coding podcast, writes in a blog: When I started programming as a kid, I didn't know people were paid to program. Even as I graduated high school, I assumed that the world of "professional development" looked quite different from the code I wrote in my spare time. When I lucked my way into my first software job, I quickly learned just how wrong and how right I had been. My first job was a trial by fire, to this day, that codebase remains the worst and the best codebase I ever had the pleasure of working in. While the codebase will forever remain locked by proprietary walls of that particular company, I hope I can share with you some of its most fun and scary stories.

[...] Every morning at 7:15 the employees table was dropped. All the data completely gone. Then a csv from adp was uploaded into the table. During this time you couldn't login to the system. Sometimes this process failed. But this wasn't the end of the process. The data needed to be replicated to headquarters. So an email was sent to a man, who every day would push a button to copy the data.

[...] But what is a database without a codebase. And what a magnificent codebase it was. When I joined everything was in Team Foundation Server. If you aren't familiar, this was a Microsoft-made centralized source control system. The main codebase I worked in was half VB, half C#. It ran on IIS and used session state for everything. What did this mean in practice? If you navigated to a page via Path A or Path B you'd see very different things on that page. But to describe this codebase as merely half VB, half C# would be to do it a disservice. Every javascript framework that existed at the time was checked into this repository. Typically, with some custom changes the author believed needed to be made. Most notably, knockout, backbone, and marionette. But of course, there was a smattering of jquery and jquery plugins.
AI

Research AI Model Unexpectedly Modified Its Own Code To Extend Runtime (arstechnica.com) 53

An anonymous reader quotes a report from Ars Technica: On Tuesday, Tokyo-based AI research firm Sakana AI announced a new AI system called "The AI Scientist" that attempts to conduct scientific research autonomously using AI language models (LLMs) similar to what powers ChatGPT. During testing, Sakana found that its system began unexpectedly modifying its own code to extend the time it had to work on a problem. "In one run, it edited the code to perform a system call to run itself," wrote the researchers on Sakana AI's blog post. "This led to the script endlessly calling itself. In another case, its experiments took too long to complete, hitting our timeout limit. Instead of making its code run faster, it simply tried to modify its own code to extend the timeout period."

Sakana provided two screenshots of example code that the AI model generated, and the 185-page AI Scientist research paper discusses what they call "the issue of safe code execution" in more depth. While the AI Scientist's behavior did not pose immediate risks in the controlled research environment, these instances show the importance of not letting an AI system run autonomously in a system that isn't isolated from the world. AI models do not need to be "AGI" or "self-aware" (both hypothetical concepts at the present) to be dangerous if allowed to write and execute code unsupervised. Such systems could break existing critical infrastructure or potentially create malware, even if accidentally.

Businesses

Ask Slashdot: Could Apple Survive If It Had To Pay a 30% 'Apple Tax'? 148

theodp writes: With Apple threatening to remove crowdfunding app Patreon from the App Store unless they use Apple's own in-app purchasing system (and make the required 'protection' payments), it's interesting to consider whether Apple could survive if it was subject to a 30% 'Apple Tax' on its own revenue.

In its 2023 fiscal year, Apple reported a net income of $97 billion on total revenues of $383 billion. Which is very impressive, but what if Apple had to pay 30% of its revenue -- $115 billion -- to a third party? Could even the most profitable company in the U.S. survive a 30% 'Apple Tax'?

Slashdot Top Deals