An anonymous reader writes: Google has launched a hardware project dubbed 'Project Bloks' to help teach kids how to code. There are three components to the learning experience: Brain Board, Base Boards, and Pucks. The Brain Board features a processing unit that is based off of Raspberry Pi Zero, which controls and provides power to the rest of the connected components. It does also interact with Wi-Fi and Bluetooth devices. The Base Boards are connective units that let users design instruction flows. Finally, the Pucks are the components you interact with. They're shaped with switches, arrows, buttons, dials and more, and can be programmed to turn things on or off, move avatars, play music, and more. What's neat is you can record instructions from multiple pucks into a single one. Some of them can be made with simple, inexpensive materials like paper with conductive ink. You can watch the official introduction video on YouTube. Google did release a subsequent video about the project called "Developing on Project Bloks."

Microsoft on Monday announced the release of .NET Core, the open source .NET runtime platform. Finally! (It was first announced in 2014). The company also released ASP.NET Core 1.0, the open-source version of Microsoft's Web development stack. ArsTechnica reports:Microsoft picked an unusual venue to announce the release: the Red Hat Summit. One of the purposes of .NET Core was to make Linux and OS X into first-class supported platforms, with .NET developers able to reach Windows, OS X, Linux, and (with Xamarin) iOS and Android, too. At the summit today, Red Hat announced that this release would be actively supported by the company on Red Hat Enterprise Linux.

New submitter lefticus writes: The upcoming C++17 standard has reached Committee Draft stage, having been voted on in the standards committee meeting in Oulu, Finland this Saturday. This makes C++17 now feature complete, with many new interesting features such as if initializers and structured bindings having been voted in at this meeting.

An [audio] interview with the C++ committee chair, Herb Sutter, about the status of C++17 has also been posted.

An anonymous Slashdot reader writes: Ecma International, the organization in charge of managing the ECMAScript standard, has published the most recent version of the JavaScript language. ECMAScript 2016 (ES7 or JavaScript 7th Edition in the old naming scheme) comes with very few new features. The most important is that JavaScript developers will finally get a "raise to the power" operator, which was mysteriously left out of the standard for 20 years. The operator is **...
It will also become much easier to search for data in a JavaScript array with Array.prototype.includes(), but support for async functions (initially announced for ES2016), has been deferred until next year's release. "From now on, expect smaller changelogs from the ECMAScript team," reports Softpedia, "since this was the plan set out last year. Fewer breaking changes means more time to migrate code, instead of having to rewrite entire applications, as developers did when the mammoth ES6 release came out last year."

Slashdot reader Orome1 shares an article by Bitdefender's senior "e-threat analyst," warning about an increasing number of attacks on healthcare providers: In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example fraud or identity theft. This personal data often contains information regarding a patient's medical history, which could be used in targeted spear-phishing attacks...and hackers are able to access this data via network-connected medical devices, now standard in high-tech hospitals. This is opening up new possibilities for attackers to breach a hospital or a pharmaceutical company's perimeter defenses.

If a device is connected to the internet and left vulnerable to attack, an attacker could remotely connect to it and use it as gateways for attacking network security... The majority of healthcare organizations have often been shown to fail basic security practices, such as disabling concurrent login to multiple devices, enforcing strong authentication and even isolating critical devices and medical data storing servers from a direct internet connection.
The article suggests the possibility of attackers tampering with the equipment that dispenses prescription medications, in which case "it is likely that future cyber-attacks could lead to the loss of human life."

"Researchers have discovered a vulnerability within the Swagger specification which may place tools based on NodeJS, PHP, Ruby, and Java at risk of exploit," warns ZDNet's blog Zero Day, adding "the severe flaw allows attackers to remotely execute code." Slashdot reader msm1267 writes: A serious parameter injection vulnerability exists in the Swagger Code Generator that could allow an attacker to embed executable code in a Swagger JSON file. The flaw affects NodeJS, Ruby, PHP, Java and likely other programming languages. Researchers at Rapid7 who found the flaw disclosed details...as well as a Metasploit module and a proposed patch for the specification. The matter was privately disclosed in April, but Rapid7 said it never heard a response from Swagger's maintainers.

Swagger produces and consumes RESTful web services APIs; Swagger docs can be consumed to automatically generate client-server code. As of January 1, the Swagger specification was donated to the Open API Initiative and became the foundation for the OpenAPI Specification. The vulnerability lies in the Swagger Code Generator, and specifically in that parsers for Swagger documents (written in JSON) don't properly sanitize input. Therefore, an attacker can abuse a developer's trust in Swagger to include executable code that will run once it's in the development environment.

An anonymous reader writes: After changing its DRM to exclude ReVive last month, Oculus has changed its mind again and is now allowing HTC Vive games to play on the Oculus Rift. "We continually revise our entitlement and anti-piracy systems, and in the June update we've removed the check for Rift hardware from the entitlement check. We won't use hardware checks as part of DRM on PC in the future," Oculus VR said. "We believe protecting developer content is critical to the long-term success of the VR industry, and we'll continue taking steps in the future to ensure that VR developers can keep investing in ground-breaking new VR content." VentureBeat reports: "ReVive developers have acted quickly following the removal of the check. An update to the software has been posted on GitHub to bring it back in line, meaning you'll now be able to access the games that were previously available without jumping through extra hoops. Perhaps even more games might work going forward. CrossVR, one of the system's developers, took to Reddit to thank Oculus for the decision. 'I'm delighted to see this change and I hope it can generate a lot of goodwill for Oculus.' CrossVR said."

An anonymous reader writes: [Softpedia reports:] "A study from GeoEdge (PDF), an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves. The company argues that for video ads, the primary root of malvertising is the VAST and VPAID advertising standards. VAST and VPAID are the rules of the game when it comes to online video advertising, defining the road an ad needs to take from the ad's creator to the user's browser. Even if the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections. These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users." The real culprit is the ability to send JavaScript code at runtime, and not if the ad is a Flash object, an image or a block of HTML(5) code.

If you're on the fence on whether or not should you spring for learning how to code, Google is willing to offer a helping hand. The company has partnered with Udacity to offer a "nanodegree" class designed for people with no programming experience at all. The program costs $199 per month. ZDNet reports:The course material, developed by Google, is hosted on learning platform Udacity and builds on earlier programs such as the Android Nanodegree for Beginners. The basics course takes around four weeks if the student commits six hours a week and upon completion they'll have created two basic apps built in Android Studio."Google, in partnership with Udacity, is making Android development accessible and understandable to everyone, so that regardless of your background, you can learn to build apps that improve the lives of people around you," Google announced on its developer blog.

blottsie writes: Chris Vickery, a security researcher at MacKeeper, has uncovered a new voter database containing 154 million voter records, exposed as a result of a CouchDB installation error. The database includes names, addresses, Facebook profile URLs, gun ownership, and more. Who exposed the voter database? Vickery believes the suspect may be linked to L2, a company specializing in voter data utilization, after he noticed that the voter ID field was labeled "LALVOTERID." After calling the company, L2 said the database likely belongs to one of their clients, noting that there are very few clients big enough to have a national database like that. The database was secured within three hours of their phone call. L2's CEO Bruce Willsie said that the client told L2 that they were hacked and the firewall had been taken down. Their client is conducting their own research to figure out the extent of the incursion. The Daily Dot reports: "Why does this keep happening, and what is our government doing about it? No federal agency is enforcing data security in political organizations or non-profits, and so far, neither are state attorneys general."

An anonymous reader writes from a report via The Verge: TechPowerUp discovered that the MSI GeForce GTX 1080 Gaming X card they were sent for review was running at faster GPU and memory clock speeds than the retail version. This was because the review card was set to operate in the OC (overclocking) mode out of the box, whereas the retail card runs in the more regular Gaming mode out of the box. This may result in an unobservant reviewer accidentally misrepresenting the OC performance numbers as the stock results from the card, lending MSI's product an unearned helping hand. The site found this was a recurring pattern with MSI stretching back for years. Fellow Taiwanese manufacturer ASUS, in spite of having better global name recognition and reputation, has also show itself guilty of preprogramming review cards with an extra overclocking boost. Needless to say, the only goal of such actions is to deceive -- both the consumer and the reviewer -- though perhaps some companies have felt compelled to follow suit after the trend was identified among competitors. The Verge notes that TechPowerUp revealed its finding on Thursday of last week, and has not received any official response from either MSI or ASUS. They did update their story to note that MSI addressed the matter, in a comment provided to HardOCP Editor-in-Chief Kyle Bennett, back in 2014.

An anonymous reader quotes a report from Paste Magazine: Indie developer TinyBuild, the studio behind Punch Club, Party Hard and SpeedRunners, had thousands of their game codes stolen through fraudulent credit card purchases, which then wound up on G2A.com, a site that allows people to resell game codes. The basic idea behind G2A is straightforward and pretty harmless: with the amount of game codes sold through Steam, the Humble Store/Bundle, and more, the site gives consumers a place to sell unwanted game codes. However, in doing so, G2A has created a huge black market for game codes sales. As TinyBuild described in their blog post on the matter, the common practice for scammers is to "get ahold of a database of stolen credit cards on the dark web. Go to a bundle/3rd party key reseller and buy a ton of game keys. Put them up onto G2A and sell them at half the retail price." This allows scammers to make thousands of dollars while preventing any profit from reaching the game developers because, once the stolen credit cards are processed, the payments will be denied. G2A states that TinyBuild's retail partners are the ones selling the codes on G2A, not scammers, despite the thousands of codes they lost through their online store to fraudulent credit card purchases. In 2011, TinyBuild was in the news for uploading their own game, a platformer called No Time To Explain, to the Pirate Bay.

An anonymous reader writes: Following a report that Russian hackers penetrated the DNC's database, a hacker, who identifies himself as "Guccifer 2.0" after a popular Romanian hacker who hacked various American political figures, most notably Hillary Clinton and her private server, has published documents on Tuesday that he says came from the party's digital files. The documents detail Clinton's weaknesses as a candidate, and include a collection of negative press clips about the Clinton Foundation and a list of defenses against attacks on her private email use. Washington Examiner reports: "Another document, titled '2016 Democrats Positions Cheat Sheet,' listed major policy issues and indicated where Clinton, Bernie Sanders, Martin O'Malley, Jim Webb, Lincoln Chaffee, Elizabeth Warren and Joe Biden -- all former or possible rivals for the Democratic nomination -- stood on each issue." The documents contain information ranging from how the Clinton Foundation and its allies should respond to criticisms of the Clinton Foundation's revenue sources to how Chelsea Clinton wasn't able to answer questions about Clinton Foundation donations and other instances in which Bill Clinton was called a "sexual predator" for his past indiscretions. Even though the cybersecurity breach was blamed on the Russian government, the Kremlin has denied any involvement. The DNC also has yet to confirm or deny the authenticity of the leaked documents.

An anonymous reader writes from a report via ZDNet: OpenAI, the artificial-intelligence non-profit backed by Elon Musk, Amazon Web Services, and others, is working on creating a physical robot that performs household chores. In a blog post Monday, OpenAI leaders said they don't want to manufacture the robot itself, but "enable a physical robot [...] to perform basic housework." The company says it is "inspired" by DeepMind's work in the deep learning and reinforcement learning field of AI, as displayed by its AlphaGo victory over human Go masters. OpenAI says it wants to "train an agent capable enough to solve any game," noting that significant advances in AI will be required in order for that to happen. In May, the company released a public beta of a new Open Source gym for computer programmers working on AI. They also have plans to build an agent that can understand natural language and seek clarification when following instructions to complete a task. OpenAI plans to build new algorithms that can advance this field. Finally, OpenAI wants to measure its progress across games, robotics, and language-based tasks, which is where OpenAI's Gym Beta will come into play.

This week HelpNetSecurity reported on a study that found that "the average data breach cost has grown to $4 million, representing a 29 percent increase since 2013.. 'The amount of time, effort and costs that companies face in the wake of a data breach can be devastating, and unfortunately most companies still don't have a plan in place to deal with this process efficiently," said Caleb Barlow, Vice President, of IBM Security."

But the most stunning part of the study was that each compromised record costs a company $158 (on average), and up to $355 per record in more highly-regulated industries like healthcare, according to the study -- $100 more than in 2013. And yet it also found that having an "incident response team" greatly reduces the cost of a data breach. So I'd be curious how many Slashdot readers work for a company that actually has a team in place to handle data breaches. Leave your answers in the comments. Does your company have an incident response team ?

Long-time Slashdot reader sandbagger writes: The Mattel people have released a new Barbie doll figurine touted as Game Developer Barbie. Dressed in jeans and a t-shirt, she was apparently designed by a game developer.
It's already sold out on Mattel's web site, with CNET saying it provides a better role model than a 2014 book In which "computer engineer" Barbie designed a cute game about puppies, then admitted "I'll need Steven's and Brian's help to turn it into a real game," before her laptop crashed with a virus. Mattel says that with this new doll, "young techies can play out the creative fun of this exciting profession," and the doll even comes with a laptop showing an IDE on the screen. Sandbagger's original submission ended with a question. Do Slashdot readers think this will inspire a new generation of programmers to stay up late writing code?

"Paper forms are a security risk", warns the web site for CareMonkey, which maintains digital and up-to-date medical information in the cloud "for any organization with a duty of care". This is raising concerns for long-time Slashdot reader rolandw, who says he's being asked by his daughter's school to approve using the site to store "her full medical details". CareMonkey say that this data is stored on AWS and their security page says that it is secured by every protocol ever claimed by AWS (apparently). As a sysadmin and developer who has used AWS extensively for non-secure information my alarm bells are sounding.
Should he ignore those alarm bells and approve the storage of his daughter's medical history in the cloud? And if not, what specific reason would you give for refusing?

The Air Force now says it will be able to recover those 100,000 investigation files dating back to 2004, after "aggressively leveraging all vendor and department capabilities." An anonymous reader quotes a report from Government Executive about the mysteriously corrupted database: In a short, four-sentence statement released midday on Wednesday, service officials said the Air Force continues to investigate the embarrassing incident in which the files and their backups were corrupted. "Through extensive data recovery efforts over the weekend and this week, the Air Force has been able to regain access to the data in the Air Force Inspector General Automated Case Tracking System..." the statement reads. Earlier on Wednesday, the Air Force chief of staff said that the effort to recover the files involved Lockheed Martin and Oracle, the two defense contractors that run the database, plus Air Force cyber and defense cyber crime personnel.
The Chief of Staff hopes "there won't be a long-term impact, other than making sure we understand exactly what happened, how it happened and how we keep it from ever happening again." The Air Force is conducting an independent review, while Lockheed Martin is now also performing a separate internal review.

An anonymous reader writes from a report via Softpedia: Microsoft has open-sourced Checked C, an extension to the C programming language that brings new features to address a series of security-related issues. As its name hints, Checked C will add checking to C, and more specifically pointer bounds checking. The company hopes to curb the high-number of security bugs such as buffer overruns, out-of-bounds memory accesses, and incorrect type casts, all which would be easier to catch in Checked C. Despite tangible benefits to security, the problem of porting code to Checked C still exists, just like it did when C# or Rust came out, both C alternatives.

John Leyden, writing for The Register: GitHub has reset the passwords of users targeted in an attack this week that relied on using stolen credentials from a breach at a third-party site. The software repository itself has not suffered a breach. Hackers behind the assault were trying to break into the accounts of users who had inadvisedly used the same login credentials on an unnamed site that had suffered a breach, as a statement by GitHub explains. GitHub said it had reset the passwords on all affected accounts before beginning the process of notifying those affected. "We encourage all users to practise good password hygiene and enable two-factor authentication to protect your account," GitHub sensibly advised.