Security

'High-Risk Vulnerabilities' In Oracle File-Processing SDKs Affect Major Third-Party Products (csoonline.com) 11

itwbennett writes: "Seventeen high-risk vulnerabilities out of the 276 flaws fixed by Oracle Tuesday affect products from third-party software vendors," writes Lucian Constantin on CSOonline. The vulnerabilities, which were found by researchers from Cisco's Talos team, are in the Oracle Outside In Technology (OIT), a collection of SDKs that are used in third-party products, including Microsoft Exchange, Novell Groupwise, IBM WebSphere Portal, Google Search Appliance, Avira AntiVir for Exchange, Raytheon SureView, Guidance Encase and Veritas Enterprise Vault.

"It's not clear how many of those products are also affected by the newly patched seventeen flaws, because some of them might not use all of the vulnerable SDKs or might include other limiting factors," writes Constantin. But the Cisco researchers confirmed that Microsoft Exchange servers (version 2013 and earlier) are affected if they have WebReady Document Viewing enabled. In a blog post the researchers describe how an attacker could exploit these vulnerabilities.

TL;DR version: "Attackers can exploit the flaws to execute rogue code on systems by sending specifically crafted content to applications using the vulnerable OIT SDKs."
Programming

Ask Slashdot: When Do You Include 'Unnecessary' Code? (sas.com) 239

"For more than 20 years I've been putting semicolons at the end of programming statements in SAS, C/C++, and Java/Javascript," writes Rick Wicklin, a researcher in computational statistics at SAS. "But lately I've been working in a computer language that does not require semicolons. Nevertheless... I catch myself typing unnecessary semicolons out of habit," he writes, while at other times "I include optional statements in my programs for clarity, readability, or to practice defensive programming." While Wicklin's post is geared towards SAS programming, Slashdot reader theodp writes that the question is a language-agnostic one: ...when to include technically-unnecessary code -- e.g., variable declarations, superfluous punctuation, block constructs for single statements, values for optional parameters that are the defaults, debugging/validation statements, non-critical error handling, explicitly destroying objects that would otherwise be deleted on exit, labeled NEXT statements, full qualification of objects/methods, unneeded code from templates...
He's wondering if other Slashdot readers have trouble tolerating their co-workers' unnecessary code choices (which he demonstrates with a video clip from Silicon Valley). So leave your answers in the comments. When do you include 'unnecessary' code in your programs -- and why?
Businesses

Cyanogen Inc. Reportedly Fires OS Development Arm, Switches To Apps (arstechnica.com) 124

An anonymous reader writes: Android Police is reporting that the Android software company Cyanogen Inc. will be laying off 20 percent of its workforce, and will transition from OS development to applications. The Android Police report says "roughly 30 out of the 136 people Cyanogen Inc. employs" are being cut, and that the layoffs "most heavily impact the open source arm" of the company. Android Police goes on to say that CyanogenMod development by Cyanogen Inc. "may be eliminated entirely." Ars Technica notes the differences between each "Cyanogen" branding. Specifically, CyanogenMod is a "free, open source, OS heavily based on Android and compatible with hundreds of devices," while Cyanogen Inc. is "a for-profit company that aims to sell Cyanogen OS to OEMs." It appears that many of the core CyanogenMod developers will no longer be paid to work on CyanogenMod, though the community is still free to develop the software. Android Police details the firing process in their report: "Layoffs reportedly came after a long executive retreat for the company's leaders and were conducted with no advance notice. Employees who were not let go were told not to show up to work today. Those who did show up were the unlucky ones: they had generic human resources meetings rather ominously added to their calendars last night. So, everyone who arrived at Cyanogen Inc. in Seattle this morning did so to lose their job (aside from those conducting the layoffs)." Early last year, Microsoft invested in a roughly $70 million round of equity financing for the then-startup Cyanogen Inc. Not too long before that, Google tried to acquire Cyanogen Inc., but the company turned down Google's offer to seek funding from investors and major tech companies at a valuation of around $1 billion. Cyanogen Inc. CEO Kirt McMaster once said the company was "attempting to take Android away from Google" and that it was "putting a bullet through Google's head."

UPDATE 7/25/16: Cyanogen CEO and cofounder Kirt McMaster took to Twitter to dispel some of the rumors, tweeting: "Cyanogen NOT pivoting to apps. We are an OS company and our mission of creating an OPEN ANDROID stands. FALSE reporting was outstanding."
Chrome

Safari Browser May Soon Be Just As Fast As Chrome With WebP Integration (thenextweb.com) 105

An anonymous reader writes from a report via The Next Web: The Safari browser included in Apple's iOS 10 and macOS Sierra software is testing WebP, technology from Google that allows developers to create smaller, richer images that make the web faster. Basically, it's a way for webpages to load more quickly. The Next Web reports: "WebP was built into Chrome back at build 32 (2013!), so it's not unproven. It's also used by Facebook due to its image compression underpinnings, and is in use across many Google properties, including YouTube." Microsoft is one of the only major players not to use WebP, according to CNET. It's not included in Internet Explorer and the company has "no plans" to integrate it into Edge. Even though iOS 10 and macOS Sierra are in beta, it's promising that we will see WebP make its debut in Safari later this year. "It's hard to imagine Apple turning away tried and true technology that's found in a more popular browser -- one that's favored by many over Safari due to its speed, where WebP plays a huge part," reports The Next Web. "Safari is currently the second most popular browser to Chrome." What's also interesting is how WebP isn't mentioned at all in the logs for Apple's Safari Technology Preview.
Databases

Ex-Cardinals Scouting Director Chris Correa Sentenced To 46 Months For Hacking Astros' Computer System (go.com) 42

New submitter yzf750 quotes a report from ESPN: A federal judge sentenced the former scouting director of the St. Louis Cardinals [Christopher Correa] to nearly four years in prison Monday for hacking the Houston Astros' player personnel database and email system in an unusual case of high-tech cheating involving two Major League Baseball clubs. "The data breach was reported in June 2014 when Astros general manager Jeff Luhnow told reporters the team had been the victim of hackers who accessed servers and proceeded to publish online months of internal trade talks," reports ESPN. "Luhnow had previously worked for the Cardinals. The FBI said Correa was able to gain access using a password similar to that used by a Cardinals employee who 'had to turn over his Cardinals-owned laptop to Correa along with the laptop's password' when he was leaving for a job with the Astros in 2011. Prosecutors have said Correa in 2013 improperly downloaded a file of the Astros' scouting list of every eligible player for that year's draft. They say he also improperly viewed notes of trade discussions as well as a page that listed information such as potential bonus details, statistics and notes on recent performances and injuries by team prospects. Authorities say that after the Astros took security precautions involving [a database called Ground Control] following a Houston Chronicle story about the database, Correa was able to still get into it. Authorities say he hacked the email system and was able to view 118 pages of confidential information, including notes of trade discussions, player evaluations and a 2014 team draft board that had not yet been completed. Federal prosecutors say the hacking cost the Astros about $1.7 million, taking into account how Correa used the Astros' data to draft players. 
Christopher Correa had pleaded guilty in January to five counts of unauthorized access of a protected computer from 2013 to at least 2014, the same year he was promoted to director of baseball development in St. Louis. He was fired last summer and now faces 46 months behind bars and a court order to pay $279,038 in restitution. He had faced up to five years in prison on each count."
Security

Hacking Group 'OurMine' Claims Credit For Attack On Pokemon Go Servers (independent.co.uk) 48

An anonymous reader writes: A group of hackers known as OurMine has attacked Pokemon Go's login servers, making it all but impossible for players to get online. The group says they hacked the game in an effort to make the game more stable. They want to show the developers behind Pokemon Go that the app can and should be made more secure. Prior to the hack, the servers had been shaky as interest in the game spiked. But over the weekend, users faced the most extreme connectivity issues yet. "No one will be able to play this game till Pokemon Go contact us on our website to teach them how to protect it!" the group wrote on its website. A different hacking group, which claimed to be part of OurMine, said that the latest attack had been launched after the huge outage caused by a group called Poodlecorp on Saturday. "The group makes money from charging for vulnerability assessment, where hackers attempt to break into corporate networks to check how safe they are," reports The Independent. A representative said via Twitter that the group wasn't requesting money from those behind Pokemon Go, and that OurMine "just don't want other hackers [to] attack their servers." It should come as no surprise to see that the servers have been having trouble keeping up with demand, as Pokemon Go has become the biggest mobile game in U.S. history after launching just about two weeks ago.
Chrome

Slashdot Asks: What's Your Computer Set-Up Look Like? 326

I thought it'd be fun to ask Slashdot readers one of the same questions we asked Larry Wall: What's your computer set-up look like? Slashdot reader LichtSpektren had asked: Can you give us a glimpse into what your main work computer looks like? What's the hardware and OS, your preferred editor and browser, and any crucial software you want to give a shout-out to?
Larry Wall is running Linux Mint (Cinnamon edition), and he surfs the web with Firefox (and Chrome on his phone) -- "but I'm not a browser wonk. Maybe I'll have more opinions on that after our JS backend is done for Perl 6..." And for a text editor, he's currently ensconced in the vi/vim camp, though "I've used lots of them, so I have no strong religious feelings."

So leave your answers in the comments. What's your OS, hardware, preferred editor, browser, "and any crucial software you want to give a shout-out to?" What does your computer set-up look like?
Perl

The Slashdot Interview With Larry Wall 167

You asked, he answered!

Perl creator Larry Wall has responded to questions submitted by Slashdot readers. Read on for his answers...
Databases

First Open Source-Based Database Completes U.S. Security Review 49

RaDag writes: The U.S. government has published a DoD-validated implementation guide, known as a STIG, for EDB Postgres Advanced Server from EnterpriseDB (EDB). This is a first. No other open source database, or open source-based database, has been through the US government's security review process and gotten a STIG published. Having this guide will help agencies seeking an open source-based alternative to costly traditional vendors like Oracle [and] will speed and ease deployment of EDB Postgres, which has database compatibility for Oracle.
They're now working with the U.S. Army, Navy, Marine Corps, and Air Force, according to a company statement. It also says that the Department of Defense and other U.S. government agencies "seek open source alternatives to traditional proprietary software," and see their database solution as "an opportunity to quickly reduce costs and shift away from expensive proprietary vendors, particularly as public policy initiatives around the world mandate adoption of more open source."
Operating Systems

How (And Why) FreeDOS Keeps DOS Alive (computerworld.com.au) 211

FreeDOS was originally created in response to Microsoft's announcement that after Windows 95, DOS would no longer be developed as a standalone operating system, according to a new interview about how (and why) Jim Hall keeps FreeDOS alive. For its newest version, Hall originally imagined "what 'DOS' would be like in 2015 or 2016 if Microsoft hadn't stopped working on MS-DOS in favor of Windows" -- before he decided there's just no such thing as "modern DOS". An anonymous Slashdot reader writes: No major changes are planned in the next version. "The next version of FreeDOS won't be multitasking, it won't be 32-bit, it won't run on ARM," Hall said. "FreeDOS is still intended for Intel and Intel-compatible computers. You should still be able to run FreeDOS on your old 486 or old Pentium PC to play classic DOS games, run legacy business programs, and support embedded development."
By day, Hall is the CIO for a county in Minnesota, and he's also a member of the board of directors for GNOME (and contributes to other open source projects) -- but he still remembers using DOS's built-in BASIC system to write simple computer programs. "Many of us older computer nerds probably used DOS very early, on our first home computer..." he tells ComputerWorld. Even without John Romero's new Doom level, "The popularity of DOS games and DOS shareware applications probably contributes in a big way to FreeDOS's continued success." I'd be curious how many Slashdot readers have some fond memories about downloading DOS shareware applications.
Android

Google Decided To Nix Its Oculus Rift Competitor (recode.net) 50

An anonymous reader writes from a report via Recode: Google recently nixed an internal project to create a high-end standalone virtual-reality headset that would compete directly against the Oculus Rift and HTC Vive, according to sources familiar with the plans. Google instead decided to shift more of its resources behind mobile VR and provide tools for other companies to build apps, games and services on Android-powered smartphones, rather than expensive hardware. In May, the company announced "Google Daydream," a platform that will help hardware and software developers create VR hardware, games, and experiences for its new Android Nougat operating system. Google did say they would be releasing their own VR headset, but it's mostly geared towards developers. A different VR project was started inside the Google X research lab, which is now a separate Alphabet company, with around 50 employees working on it, according to one source. That project was creating a separate operating system for the device, unique from Android. Now, it appears that the OS and project were scratched in favor of Android. The report suggests that Google is not as interested in competing directly with hardware from Facebook, Samsung, HTC and others. Apple has been recently granted another AR/VR patent, suggesting the company might be building a VR headset of its own.
Earth

Null Island: The Land of Lousy Directional Data (vice.com) 91

An anonymous reader writes: Null Island is one of the world's most visited places for directional data that doesn't exist in real life. The Wall Street Journal reports (Warning: source may be paywalled): "In the world of geographic information systems, the island is an apparition that serves a practical purpose. It lies at 'zero-zero,' a mapper's shorthand for zero degrees latitude and zero degrees longitude. By a programming quirk introduced by developers, those are the default coordinates where Google maps and other digital Global Positioning System applications are directed to send the millions of users who make mistakes in their searches. [About seven years ago, Mr. Kelso, who had heard the phrase used by other cartographers, encoded Null Island as the default destination for mistakes into a widely used public-domain digital-mapping data set called Natural Earth, which has been downloaded several million times. On a whim, he made the location at zero-zero appear as a tiny outcrop one-meter square. In no time at all, other mappers gave the 'island' its own natural geography, created a website, and designed T-shirts and a national flag.]" If you're feeling cognitively lazy, you can watch the short animated YouTube video explaining Null Island.
Open Source

A Smaller Version of Raspberry Pi 3 Is Coming Soon (pcworld.com) 89

An anonymous reader quotes a report from PCWorld: A smaller version of the popular Raspberry Pi 3 will go on sale in a few months. Raspberry Pi is developing a new version of its Compute Module, a single-board computer that plugs into specific on-board memory slots. The new Pi will be more like a mini-computer inside a computer, and it won't come with a power supply. The Compute Module will have similar circuitry to that of Raspberry Pi 3, a wildly successful computer that can be a PC replacement. But it will be smaller, with the memory, CPU, and storage embedded tightly on a board. While the Compute Module will have a 64-bit ARM processor like the Pi 3, it won't have Wi-Fi, Eben Upton, founder of Raspberry Pi, said in an interview with IDG News Service. The Compute Module could ship as soon as this quarter, Upton said. It will be priced similar to its predecessor, the 2-year-old Compute Module, available from reseller RS Components for about $24. The older Compute Module is based on the original Raspberry Pi. Like Raspberry Pi 3, the new Compute Module will work with Linux and Microsoft's Windows 10 IoT Core, Upton said. A Compute Module Development Kit, in which the Compute Module can be slotted for testing, may also be sold. The Development Kit could have multiple connectivity and port options, much like the Raspberry Pi 3. Last month, the biggest manufacturer of the Raspberry Pi, Premier Farnell, was acquired by Swiss industrial component supplier Daetwyler Holding AG for roughly $871 million.
Communications

Emirati Man Gets 3-Month Prison Sentence Over Instagram Insult (go.com) 96

An anonymous reader quotes a report from ABC News: A state-owned newspaper in the United Arab Emirates is reporting that an Emirati man has received a three-month prison sentence and a fine after being convicted of insulting his brother on Instagram. The Arabic-language newspaper Al Etihad reported on Thursday that the man's brother became upset after finding his photo on his brother's Instagram account with an expletive as the caption. The newspaper says the unidentified defendant also must pay a 250,000-dirham ($68,000) fine under the sentence from the Khor Fakkan Court of Misdemeanors. The newspaper says the defendant planned to appeal. In other insult-related stories, we asked Slashdotters back in April, "What are some insults no developer wants to hear?" Some of the standout responses include: "Wow this is microsoft quality!" and "It compiled cleanly, so he shipped it."
Graphics

NVIDIA Releases Its First VR Game, Along With An Interactive Screenshot Tool 'Ansel' (techgage.com) 20

Deathspawner writes: NVIDIA has today released a Game Ready GeForce driver that introduces its interactive screenshot tool 'Ansel.' Named after famed photographer Ansel Adams, this new tool requires a developer to integrate up to a couple hundred lines of code to give players the ability to pause their game, move around the environment, and then capture a more "artistic" image. To further that artistic value, users will have the ability to apply filters as well as capture an image in high-res 360 mode so that they can be viewed properly with a virtual-reality (VR) headset. Currently, Ansel supports only a single game -- Mirror's Edge Catalyst -- but NVIDIA promises that many more supported titles are on the way. In addition, NVIDIA has released its first ever video game via Steam that just so happens to be a VR game. The game is called VR Funhouse and is available for free via Steam but is only playable on the HTC Vive. The game consists of a virtual-reality carnival and employs many NVIDIA graphics technologies, like collision-based haptic feedback and advanced physics simulation.
Television

Apple Launching Reality TV Show Called 'Planet of the Apps' (venturebeat.com) 62

theodp writes: The Verge reports Apple is making good on an earlier threat to create a reality TV show about app developers. An open casting call has been issued for "Planet of the Apps," with the goal of finding "100 of the world's most talented app creators" -- news which VentureBeat suggests must be making Steve Jobs' ghost weep. Apple has teamed up with Propagate, a new production company created by the producer of "The Biggest Loser." The description of the show says: "Join us on the search for the next great app in a new original series. Those selected will have the chance to receive hands-on guidance from some of the most influential experts in the tech community, featured placement on the App Store, and funding from top-tier VCs." The show is expected to be released in 2017.
Bitcoin

Ex-Google Engineer Launches Blockchain-Based System For Banks (reuters.com) 62

An anonymous reader quotes a report from Reuters: A former Google engineer, whose speech recognition software is used in more than a billion Android smartphones, has launched a company that uses blockchain technology to build a new operating system for banks. Paul Taylor, a Cambridge University academic with an expertise in artificial intelligence, speech synthesis and machine learning, started working on the system, called Vault OS, two years ago in a basement in London's Shoreditch district, known for being a tech start-up hub. The technology, which underpins the digital currency bitcoin, creates a shared database in which participants can trace every transaction ever made. The ledger is tamper-proof and transparent, meaning that transactions can be processed without the need for third-party verification. The system also negates the need for costly in-house data centers, as it uses cloud-based systems, which banks can use on a "pay-as-you-go" basis, which means that there is no single point of failure. Taylor said major high-street banks were spending around a billion pounds ($1.3 billion) a year on computer technology, much of which he said was being used for propping up the current "legacy" systems rather than on any innovative technology. The start-up has been working with about ten banks, Taylor said, at least one of which would be starting a trial using the new system in August. He expects the system to be up-and-running within about a year. In banking-related news, a Congressional report shows that China's spies hacked into computers at the Federal Deposit Insurance Corporation (FDIC) from 2010 until 2013 and American government officials tried to cover it up.
Software

90% Of Software Developers Work Outside Silicon Valley (qz.com) 180

An anonymous reader shares a Quartz report: So much code to write, so few developers. The chronic talent shortage afflicting Silicon Valley is now all over the US -- and the developers are too. A study by the software trade group The App Association analyzed government and private sector data to map where software developers live, and it identified 223,054 open positions around the country. It found that most developers live far away from the technology epicenter of Silicon Valley, and job openings follow a similar pattern. The upshot: Silicon Valley-style talent wars are moving away from tech hubs to smaller metro and even rural areas. Everywhere from rural Vermont to the middle of Montana is in need of programmers. "You can find places where you didn't expect software developers to be, but they are part of the local economy," said association spokesman Jonathan Godfrey in an interview. "It's pretty much everywhere."
Firefox

Mozilla Will Ship Its First Rust Component In Firefox 48 (softpedia.com) 167

An anonymous reader quotes a report from Softpedia: Mozilla announced today plans to ship its first ever Rust code with the production releases of Firefox. The first ever Rust components will arrive in Firefox 48, scheduled for release on August 2, 2016. After teasing Rust features last year, the Mozilla Foundation announced today that Firefox 48 would contain a new media stack component that's entirely coded in Rust. The first Firefox component to feature Rust code was not chosen at random because media components often execute malicious code when parsing multimedia files. "This makes a memory-safe programming language like Rust a compelling addition to Mozilla's tool-chest for protecting against potentially malicious media content on the Web," says Dave Herman, Director of Strategy at Mozilla Research. During tests of this Rust-based media component in Firefox's unstable builds, Mozilla says that after one billion uses they have yet to see a crash or issue in the Rust media component. Last month, Mozilla released the first versions of Servo, a minimal browser created in Rust code alone. At around the same time, Microsoft open-sourced Checked C, an extension to the C programming language that brings new features to address a series of security-related issues.
DRM

Sega Saturn's DRM Cracked Almost 23 Years After Launch (gamasutra.com) 96

An anonymous reader writes from a report via Gamasutra: The Sega Saturn's DRM has finally been cracked after it hit store shelves nearly 23 years ago in November 1994. Engineer James Laird-Wah first set forth to break through the console's copy protection in an attempt to harness its chiptune capabilities. Laird-Wah has, however, developed a way to run games and other software from a USB stick in the process. Since disc drive failure is a common fault with the game console, his method circumvents the disc drive altogether, instead reworking the Video CD Slot so it can take games stored on a USB stick and run them directly through the Saturn's CD Block. "This is now at the point where, not only can it boot and run games, I've finished just recently putting in audio support, so it can play audio tracks," explained Laird-Wah, speaking to YouTuber debuglive. "For the time being, I possess the only Saturn in the world that's capable of writing files to a USB stick. There's actually, for developers of home-brew, the ability to read and write files on the USB stick that's attached to the device."