"The cost of cyber attacks is 1/10th to 1/100th the cost of cyber defense," says the CTO of Splunk -- because the labor is cheap, the tools are free, and the resources are stolen. "He says what's needed to bring down the cost of defense is collaboration between the public sector, academia and private industry...the space race for this generation," reports Slashdot reader davidmwilliams.

Splunk CTO Snehal Antani suggests earlier "shift left" code testing and continuous delivery, plus a wider use of security analytics. But he also suggests a moving target defense "in which a shapeshifting network can prevent reconnaissance attacks" with software defined networks using virtual IP addresses that would change every 10 seconds. "This disrupts reconnaissance attacks because a specific IP address may be a Windows box one moment, a Linux box another, a mainframe another."

"Most software, even critical system software, is insecure Swiss cheese held together with duct tape, bubble wrap, and bobby pins..." writes TechCrunch. An anonymous reader quotes their article: Everything is terrible because the fundamental tools we use are, still, so flawed that when used they inevitably craft terrible things... Almost all software has been bug-ridden and insecure for so long that we have grown to think that this is the natural state of code. This learned helplessness is not correct. Everything does not have to be terrible...

Vast experience has shown us that it is unrealistic to expect programmers to write secure code in memory-unsafe languages...as an industry, let's at least set a trajectory. Let's move towards writing system code in better languages, first of all -- this should improve security and speed. Let's move towards formal specifications and verification of mission-critical code.
Their article calls for LangSec testing, and applauds the use of languages like Go and Rust over memory-unsafe languages like C. "Itâ(TM)s not just systemd, not just Linux, not just software; the whole industry is at fault."

Slashdot reader McGruber reports that federal prosecutors "have filed conspiracy charges against a part-owner of two information technology firms and an employee for fraudulently using the H-1B program". Both were reportedly recruiting foreign IT workers, according to the AP: Prosecutors said the conspirators falsely represented that the foreign workers had full-time positions and were paid an annual salary [when] the workers were only paid when placed at a third-party client, and the defendants sometimes generated false payroll records... The defendants are charged with conspiracy to commit visa fraud and obstruct justice and conspiracy to harbor aliens.
They're now facing up to 15 years in prison for an "alien-harboring conspiracy" charge -- with a maximum penalty of up to 10 years in prison and a $250,000 fine -- and a separate visa fraud and obstruction of justice charge with a maximum 5-year penalty and a $250,000 fine.

An anonymous Slashdot reader quotes InfoWorld: Java applications will get faster startup times thanks to a formal proposal to include ahead-of-time compilation in the platform. The draft Java Development Kit proposal, authored by Vladimir Kozlov, principal technical staff member at Oracle, is targeted for inclusion in Java 9, which is expected to be available next summer. "We would love to see this make it into JDK 9, but that will of course depend on the outcome of the OpenJDK process for this JDK Enhancement Proposal," said Georges Saab, vice president of software development in the Java platform group at Oracle, on Thursday. Ahead-of-time compilation has been a stated goal for Java 9 to address the issue of slow startup...

The proposal summary notes that Java classes would be compiled to native code prior to launching the virtual machine. The ultimate goal is to improve the startup time of small or large Java applications while having "at most" a limited impact on peak performance and minimizing changes to the user workflow.
Tests indicates some applications perform better while some actually perform worse, so it's being proposed as an opt-in feature where dissatisfied users "can just rebuild a new JDK without ahead-of-time libraries."

An anonymous reader quotes a report from Business Insider: The actual tally of stolen user accounts from the hack Yahoo experienced could be much larger than 500 million, according to a former Yahoo executive familiar with its security practices. The former Yahoo insider says the architecture of Yahoo's back-end systems is organized in such a way that the type of breach that was reported would have exposed a much larger group of user account information. To be sure, Yahoo has said that the breach affected at least 500 million users. But the former Yahoo exec estimated the number of accounts that could have potentially been stolen could be anywhere between 1 billion and 3 billion. According to this executive, all of Yahoo's products use one main user database, or UDB, to authenticate users. So people who log into products such as Yahoo Mail, Finance, or Sports all enter their usernames and passwords, which then goes to this one central place to ensure they are legitimate, allowing them access. That database is huge, the executive said. At the time of the hack in 2014, inside were credentials for roughly 700 million to 1 billion active users accessing Yahoo products every month, along with many other inactive accounts that hadn't been deleted. In late 2013, Yahoo CEO Marissa Mayer said the company had 800 million monthly active users globally. It currently has more than 1 billion.

Orome1 quotes a report from Help Net Security: Despite high-profile, large-scale data breaches dominating the news cycle -- and repeated recommendations from experts to use strong passwords -- consumers have yet to adjust their own behavior when it comes to password reuse. A global Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security. "Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk." The report also found that when attempting to create secure passwords, "47 percent of respondents included family names or initials," while "42 percent contain significant dates or numbers and 26 percent use the family pet."

MojoKid writes: One common gripe in the twenty-first century is that nothing is built to last anymore. Even complex, expensive computers seem to have a relatively short shelf-life nowadays. However, one computer in a small auto repair shop in Gdansk, Poland has survived for the last twenty-five years against all odds. The computer in question here is a Commodore C64 that has been balancing driveshafts non-stop for a quarter of a century. The C64C looks like it would fit right in with a scene from Fallout 4 and has even survived a nasty flood. This Commodore 64 contains a few homemade aspects, however. The old computer uses a sinusoidal waveform generator and piezo vibration sensor in order to measure changes in pressure, acceleration, temperature, strain or force by converting them to an electrical charge. The C64C interprets these signals to help balance the driveshafts in vehicles. The Commodore 64 (also known as the C64, C-64, C= 64) was released in January 1982 and still holds the title for being the best-selling computer of all time.

MojoKid writes: If you thought that the massive DDoS attack earlier this month on Brian Krebs' security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried via a network of over 152,000 IoT devices. According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs. Many of these devices have improperly configured network settings, which leaves them ripe for the picking for hackers that would love to use them to carry out destructive attacks.The DDoS peaked at 990 Gbps on September 20th thanks to two concurrent attacks, and according to Klaba, the original botnet was capable of a 1.5 Tbps DDoS attack if each IP topped out at 30 Mbps. This massive DDoS campaign was directed at Minecraft servers that OHV was hosting. Octave Klaba / Oles tweeted: "Last days, we got lot of huge DDoS. Here, the list of 'bigger that 100Gbps' only. You can the simultaneous DDoS are close to 1Tbps!"

An anonymous Slashdot reader writes: Following a common technique among political pollsters, a technology columnist combined the results from various measures of programming language popularity for a more definitive answer about the most important languages to study. He used IEEE Spectrum's interactive list of the top programming languages, which lets you adjust the weight given to the number of job listings and number or open source projects, then combined it with the TIOBE Index (which is based on search engine results), and the PYPL Index, which checks the number of tutorials for each programming language on Google.

The results? "The top cluster contains Java, C, Python, and C++. Without a doubt, you should attain familiarity with these four languages." He points out they're not tied to a specific programming platform, unlike languages in the second cluster -- JavaScript, C#, PHP, and Swift -- while the last two languages in the top 10 were Objective-C and R. "The C-family of languages still dominates. Java, C++, C, C#, and even Objective-C are all C-based languages. If you're only going to learn one language, you should pick one of those." But his ultimate advice is to "learn multiple languages and multiple frameworks... Programming is not just an intellectual exercise. You have to actually make stuff."

An anonymous Slashdot reader quotes the AP: All 800 police departments in California must begin using a new online tool launched Thursday to report and help track every time officers use force that causes serious injuries... The tool, named URSUS for the bear on California's flag, includes fields for the race of those injured and the officers involved, how their interaction began and why force was deemed necessary.

"It's sort of like TurboTax for use-of-force incidents," said Justin Erlich, a special assistant attorney general overseeing the data collection and analysis. Departments must report the data under a new state law passed last November. Though some departments already tracked such data on their own, many did not... "As a country, we must engage in an honest, transparent, and data-driven conversation about police use of force," California Attorney General Kamala Harris said in a news release.
It's an open source tool developed by Bayes Impact, and California plans to share the code with other interested law enforcement agencies across the country. Only three other states currently require their police departments to track data about use-of-force incidents, "but their systems aren't digital, and in Colorado's case, only capture shootings."

"One sure sign your language is successful: When people build other languages that transpile into it." An anonymous Slashdot reader quotes a report from InfoWorld: The Have project uses Go's toolchain, but sports a different syntax and makes key additions to the language... Previously, a language named Oden worked with Go's toolchain to add features that Go didn't support. Now Polish developer Marcin Wrochniak has introduced Have, a language that transpiles to and expands on Go.

In the blog post that introduces the project to Go developers, Wrochniak describes Have as a hobby project, with the goal of becoming a "companion" to Go that addresses some of its common "landmines"... Go uses curly braces in the manner of C/C++, while Have uses block indents, like Python... The way that variable declaration, structs, and interfaces work have all been modified in Have to be more consistent with each other and to avoid internal inconsistencies that Wrochniak feels are a common source of bugs.

A blockchain "produces a permanent ledger of transactions with which no one can tamper," reports TechWeekEurope. "Until now." Slashdot reader Mickeycaskill quotes their report: One of the core principles of Blockchain technology has potentially been undermined by the creation of an editing tool. The company responsible however, Accenture, says edits would only be carried out "under extraordinary circumstances to resolve human errors, accommodate legal and regulatory requirements, and address mischief and other issues, while preserving key cryptographic features..."

Accenture's move to create an editing system will no doubt be viewed by some technology observers as a betrayal of what blockchain technology is all about. But the company insisted it is needed, especially in the financial services industry... "The prototype represents a significant breakthrough for enterprise uses of blockchain technology particularly in banking, insurance and capital markets," said Accenture.
They're envisioning "permissioned" blockchain systems, "managed by designated administrators under agreed governance rules," while acknowledging that cyptocurrency remains a different environment where "immutable" record-keeping would still be essential.

After it was revealed that Oculus founder Palmer Luckey backed a pro-Trump political organization called Nimble America that is dedicated to "shitposting" and spreading inflammatory memes about Hillary Clinton, several developers of the Oculus Rift virtual-reality headset have announced that they will stop supporting the headset until its founder steps down. One of the biggest developers for Oculus Rift, Insomniac Games, told Motherboard, "Insomniac Games condemns all forms of hate speech. While everyone has a right to express his or her political opinion, the behavior and sentiments reported do not reflect the values of our company. We are also confident that his behavior and sentiment does not reflect the values of the many Oculus employees we work with on a daily basis." Fez and Superhypercube developer Polytron also said in a statement, "In a political climate as fragile and horrifying as this one, we cannot tacitly endorse these actions by supporting Luckey or his platform." Motherboard reports: Motherboard has reached out to several other, more well-known VR developers who work with Oculus including Fantastic Contraption makers Northway Games and Job Simulator makers Owlchemy Labs. Northway Games couldn't be reached immediately for comment but tweeted the following: "What. The. Fuck. [accompanied with a link to the news via Kotaku]" and "Definitely using every fibre of my 'professionalism' to not tweet some tweets right now." Owlchemy Labs, which is currently developing for Job Simulator for the Oculus Touch controls, declined to comment either way. E McNeill, who has developed a couple of games for Oculus Rift and GearVR, suggested that like-minded VR developers raise money for Hillary Clinton's campaign to counter the money Luckey has raised for Trump. [E McNeill tweeted: "Idle Q: Would any Oculus devs join me in a donation drive for HIllary? We could aim to beat Nimble America's $11k. I'd start with $1k myself."] "This backlash is nonsense," said James Green, co-founder of VR developer Carbon Games. "I absolutely support him doing whatever he wants politically if it's legal. To take any other position is against American values."

An anonymous reader quotes a report from Ars Technica: The federal judge who presided over the Google-Oracle API copyright infringement trial excoriated one of Oracle's lawyers Thursday for disclosing confidential information in open court earlier this year. The confidential information included financial figures stating that Google generated $31 billion in revenue and $22 billion in profits from the Android operating system in the wake of its 2008 debut. The Oracle attorney, Annette Hurst, also revealed another trade secret: Google paid Apple $1 billion in 2014 to include Google search on iPhones. Judge William Alsup of San Francisco has been presiding over the copyright infringement trial since 2010, when Oracle lodged a lawsuit claiming that Google's Android operating system infringed Oracle's Java APIs. After two trials and various trips to the appellate courts, a San Francisco federal jury concluded in May that Google's use of the APIs amounted to fair use. Oracle's motion before Alsup for a third trial is pending. Oracle argues that Google tainted the verdict by concealing a plan to extend Android on desktop and laptop computers. As this legal saga was playing out, Hurst blurted out the confidential figures during a January 14 pre-trial hearing, despite those numbers being protected by a court order. The transcript of that proceeding has been erased from the public record. But the genie is out of the bottle. Google lodged a motion (PDF) for sanctions and a contempt finding against Hurst for unveiling a closely guarded secret of the mobile phone wars. During a hearing on that motion Thursday, Judge Alsup had a back-and-forth with Hurst's attorney, former San Francisco U.S. Attorney Melinda Haag. According to the San Francisco legal journal The Recorder, Haag said that her client Hurst -- of the law firm Orrick, Herrington and Sutcliffe -- should not be sanctioned because of "one arguable mistake made through the course of a very complex litigation."

An anonymous reader quotes a report from Ars Technica: Since its introduction, TypeScript has included new features to improve performance, enhance JavaScript compatibility, and extend the range of error checking that the TypeScript compiler performs. TypeScript 2.0 introduces a big step forward here by giving developers greater control over null values. null, used to denote (in some broad, hand-waving sense) that a variable holds no value at all, has been called the billion dollar mistake. Time and time again, programs trip up by not properly checking to see if a variable is null, and for good or ill, every mainstream programming language continues to support the null concept. TypeScript 2.0 brings a range of new features, but the biggest is control over these null values. With TypeScript 2.0, programmers can opt into a new behavior that by default prevents values from being null. With this option enabled, variables by default will be required to have a value and can't be set to null accidentally. This in turn allows the compiler to find other errors such as variables that are never initialized.

An anonymous reader quotes a report from Softpedia: Members of the World Wide Web Consortium (W3C) are getting ready to launch the HTML 5.1 specification and have already started work on the upcoming HTML 5.2 version since mid-August. The HTML 5.1 standard has been promoted from a "Release Candidate" to a "Proposed Recommendation," the last step before it becomes a "W3C Recommendation," and officially replaces HTML 5 as the current HTML standard. As a Proposed Recommendation, HTML 5.1 is practically locked against major changes, and outside small tweaks here and there, we are currently looking at a 99.99 percent version of the upcoming HTML 5.1 standard. The vote to promote HTML 5.1 from RC to PR was approved in unanimity, a clear sign that major browser makers have reached a general consensus on what the standard should look like, and what they should be implementing in their browsers in upcoming versions. You can read more on HTML 5.1 here, the changes and support table here, and the HTML 5.2 specification draft here.

Microsoft is serious about finding a cure for cancer. In June, Microsoft researchers published a paper that shows how analyzing online activities can provide clues as to a person's chances of having cancer. They were able to identify internet users who had pancreatic cancer even before they'd been diagnosed, all from analyzing web query logs. Several months later, researchers on behalf of the company now say they will "solve" cancer within the next 10 years by treating it like a computer virus that invades and corrupts the body's cells. The goal is to monitor the bad cells and potentially reprogram them to be healthy again. The Independent reports: The company has built a "biological computation" unit that says its ultimate aim is to make cells into living computers. As such, they could be programmed and reprogrammed to treat any diseases, such as cancer. In the nearer term, the unit is using advanced computing research to try and set computers to work learning about drugs and diseases and suggesting new treatments to help cancer patients. The team hopes to be able to use machine learning technologies -- computers that can think and learn like humans -- to read through the huge amounts of cancer research and come to understand the disease and the drugs that treat it. At the moment, so much cancer research is published that it is impossible for any doctor to read it all. But since computers can read and understand so much more quickly, the systems will be able to read through all of the research and then put that to work on specific people's situations. It does that by bringing together biology, math and computing. Microsoft says the solution could be with us within the next five or ten years.

Oracle has unveiled its second generation of cloud infrastructure for third-party developers to run their applications in Oracle data centers. What is interesting about the announcement is that Oracle co-founder and chief technology officer Larry Ellison claiming that "Amazon's lead is over. Amazon's going to have serious competition going forward." From a VentureBeat report: One particular instance, or virtual-machine (VM) type, that Oracle is making available in this second-generation offering -- the Dense IO Shape -- offers 28.8TB, 512GB, and 36 cores, at a price of $5.40 per hour. This product offers more than 10 times the input-output capacity of Amazon Web Services (AWS), specifically the i2.8xlarge instance, said Ellison. Currently, AWS leads the cloud infrastructure market, with Microsoft Azure, Google Cloud Platform, and IBM trailing behind. Oracle's public cloud was not included in the most recent version of Gartner's highly regarded cloud infrastructure as a service (IaaS) Magic Quadrant, which was released last month. "Oracle also does not have enough market share to qualify for inclusion," the authors of the report wrote.

An anonymous Slashdot reader quotes TechCrunch: When Google announced Angular 2 in 2014, it created quite a stir in the web development community because this new version wasn't just an update, but instead a complete rewrite that wasn't compatible with the older version... "Angular 1 first solved the problem of how to develop for an emerging web," the company writes... "Six years later, the challenges faced by today's application developers, and the sophistication of the devices that applications must support, have both changed immensely."
Announcing the final release version of Angular 2 last week, Google thanked the open source community, saying "We are grateful to the large number of contributors who dedicated time to submitting pull requests, issues, and repro cases, who discussed and debated design decisions, and validated (and pushed back on) our RCs." TechCrunch writes that Google's Angular team "now also recommends that developers use TypeScript to write their apps...a Microsoft-developed superset of JavaScript that adds features like static typing and class-based object-oriented programming."

An anonymous Slashdot reader quotes InfoWorld: "Move fast and break things," the saying goes. Apple does both with the 3.0 version of its Swift programming language...its first full point revision since it became an open source project... In a blog post detailing the full body of changes for Swift 3.0, Apple singled out the two biggest breaking changes. The first is better translation of Objective-C APIs into Swift, meaning that code imported from Objective-C and translated into Swift will be more readable and Swift-like. The bad news is any code previously imported from Objective-C into Swift will not work in Swift 3; it will need to be re-imported.

The other major change... Most every item referenced in the standard library has been renamed to be less wordy. But again, this brings bad news for anyone with an existing Swift codebase: Apple says "the proposed changes are massively source-breaking for Swift code, and will require a migrator to translate Swift 2 code into Swift 3 code."
Apple will provide migration tools in version 8.0 of their XCode IDE, "but such tools go only so far," notes the article, questioning what will happen to the Linux and Windows ports of Swift.