An anonymous reader writes: A Google researcher has discovered a way in which he could exploit some npm registry design flaws to propagate a malicious package to other packages, and in the projects that load them. The exploit leverages things such as npm's persistent authentication, developers who never lock down dependencies (and often use version number ranges), npm lifecycle scripts that run with the user's privileges (sometimes as root), and npm's centralized registry, which doesn't review or scan code. Attackers can compromise other projects with malicious code, can compromise Node apps used in corporate environments, or they can launch worm-like viruses that poison npm packages at random.

New submitter FourG writes: Not much fanfare (which is to be expected given the niche of the device now) but it looks like Sony posted a fix for the much maligned "can't download dashboard" error. It requires a USB key and can't be done over-the-air. My Dash required a factor reset afterward before it successfully downloaded the dashboard, but YMMV...

Reader Thelasko writes: The BBC has a story about people with names that break computer databases. "When Jennifer Null tries to buy a plane ticket, she gets an error message on most websites. The site will say she has left the surname field blank and ask her to try again." Thelasko compares it to the XKCD comic about Bobby Tables, though it's a real problem that's also been experienced by a Hawaiian woman named Janice Keihanaikukauakahihulihe'ekahaunaele, whose last name exceeds the 36-character limit on state ID cards. And in 2010, programmer John Graham-Cumming complained about web sites (including Yahoo) which refused to accept hyphenated last names. Programmer Patrick McKenzie pointed the BBC to a 2011 W3C post highlighting the key issues with names, along with his own list of common mistaken assumptions. "They don't necessarily test for the edge cases," McKenzie says, noting that even when filing his own income taxes in Japan, his last name exceeds the number of characters allowed.

Over the years, several governments and organizations have become increasingly focused on teaching kids how to code. It has given rise to startups such as Codecademy, KhanAcademy and Code.org that are making it easier and more affordable for many to learn how to program. Many believe that becoming literate in code is as essential as being educated in language, science, and math. But can this guarantee you a job? And can coding help you save that job? An anonymous reader cites an interesting article on Fast Company which sheds more light into this: Looking for job security in the knowledge economy? Just learn to code. At least, that's what we've been telling young professionals and mid-career workers alike who want to hack it in the modern workforce. Unfortunately, many have already learned the hard way that even the best coding chops have their limits. More and more, 'learn to code' is looking like bad advice. Anyone competent in languages such as Python, Java, or even Web coding like HTML and CSS, is currently in high demand by businesses that are still just gearing up for the digital marketplace. However, as coding becomes more commonplace, particularly in developing nations like India, we find a lot of that work is being assigned piecemeal by computerized services such as Upwork to low-paid workers in digital sweatshops. This trend is bound to increase.

Matthew Wall from the BBC has written a fascinating piece detailing our reliance on banks in today's connected and ever-changing world of technology. The premise: "You put your card in the cash machine but nothing comes out. The bank's IT systems have crashed again. But you need money fast, so what do you do? It's an unsettling scenario that is likely to become more common over the next few years as the big banks try to upgrade their IT systems, experts are warning."

Bruce66423 writes: In the old days everything was batch programs and reconciled once a day. Now, online access and the expectation that money will be immediately available makes the old systems obsolete, but impossible to replace because there are layers upon layers of complexity...

An anonymous reader writes: A customer database as well as information about Verizon security flaws were reportedly put up for sale by criminals this week after a data breach at Verizon Enterprise Solutions. According to KrebsOnSecurity, "a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise." The entire database was priced at $100,000, or $10,000 for each set of 100,000 customer records. "Buyers also were offered the option to purchase information about security vulnerabilities in Verizon's Web site," security journalist Brian Krebs reported. Verizon has apparently fixed the security flaws and has reassured its customers by saying "our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers" and that "no customer proprietary network information (CPNI) or other data was accessed or accessible."

jones_supa writes: Moving a big software project to a new compiler can be a lot of work, and few projects are bigger than the Chromium web browser. In addition to the main Chromium repository, which includes all of WebKit, there are over a hundred other open-source projects which Chromium incorporates by reference, totaling more than 48,000 C/C++ files and 40,000 header files. As of March 11th, Chromium has switched to Visual C++ 2015, and it doesn't look like it's looking back. The tracking bug for this effort currently has over 330 comments on it, with contributions from dozens of developers. Bruce Dawson has written an interesting showcase of some VC++ compiler bugs that the process has uncovered. His job was to investigate them, come up with a minimal reproduce case, and report them to Microsoft. The Google and Microsoft teams get praise for an excellent symbiotic relationship, and the compiler bugs have been fixed quickly by the Visual Studio team.

An anonymous reader quotes a report from The Stack: Mesosphere, creator of the world's first data center operating system, has confirmed significant strategic investment from Microsoft and Hewlett Packard Enterprise. Mesosphere, built on the open-source Apache Mesos project, closed $73.5 million in a Series C funding round. With HPE and Microsoft leading the round, the startups total funding to date tallies at almost $126 million. The operating system is currently used at mega-scale by customers including Verizon, Netflix and Twitter. It also underpins Microsoft's Azure Container solutions.

mmoorebz writes: Guiding Eyes for the Blind, a nonprofit organization, announced that it is adopting the IBM Cloud to improve access and analysis of canine data. Some people rely on their service dogs to help them with everyday life, and as a way to continue its mission to serving the blind, Guiding Eyes migrated more than half a million health records and more than 65,000 temperament records on thousands of dogs to the IBM Cloud. President and CEO of Guiding Eyes, Thomas Panek, said, "People don't typically think about an organization like ours as a Big Data company but we cannot succeed or grow without it."
"Guiding Eyes is a great example of how IBM Cloud can help organizations innovate new business models and processes that were heretofore unthinkable," said William Karpovich, General Manager, IBM Cloud Platform. "Through the IBM Cloud, Guiding Eyes is now able to advance even further its critical work in breeding, raising and training service dogs for those in need."

An anonymous reader writes: Famous TV personality Jason Bradbury, who hosts The Gadget Show, believes that the UK government is wasting its time trying to teach kids learn how to code. In a recent interview, he said, 'My kids won't need to code because soon computers will just code for them. I fundamentally disagree with the government initiatives to get my kids coding. It's a complete waste of time. Soon startups will just be run by really creative people -- there won't be a coder with bad social skills stood on the stage. The future will just be about being creative. This is why we need to challenge STEM and introduce an art component and rename it STEAM -- science, technology, engineering, art and maths."

An anonymous reader quotes a report from TechCrunch: Google is planning to compete with Nuance and other voice recognition companies head on by opening up its speech recognition API to third-party developers. To attract developers, the app will be free at launch with pricing to be introduced at a later date. The company formally announced the service today during its NEXT cloud user conference, where it also unveiled a raft of other machine learning developments and updates, most significantly a new machine learning platform. The Google Cloud Speech API, which will cover over 80 languages and will work with any application in real-time streaming or batch mode, will offer full set of APIs for applications to "see, hear and translate," Google says. It is based on the same neural network tech that powers Google's voice search in the Google app and voice typing in Google's Keyboard. Google's move will have a large impact on the industry as a whole -- and particularly on Nuance, the company long thought of as offering the best voice recognition capabilities in the business, and most certainly the biggest offering such services.

An anonymous reader writes: According to Business Insider, "[Apple] worries that some of the equipment and cloud services it buys has been compromised by vendors who have agreed to put "back door" technology for government spying, according to a report from The Information's Amir Efrati and Steve Nellis." With many of its cloud-based services like iTunes, the App Store, and iCloud requiring enormous data center to operate, Apple hasn't been able to build all the data centers it needs, and has instead been using services from its rivals, namely Amazon Web Services and Microsoft. Google recently landed Apple as a customer for the Google Cloud Platform. "Meanwhile, [Apple] has embarked on yet another attempt to build more of its own data centers to handle all of that, called Project McQueen, reports Jordan Novet at VentureBeat, and the project is having a rough go of it, reports The Information." Apple suspects that backdoors have been added to many of the servers it has been ordering from others. "At one point, the company even had people taking photographs of the motherboards in the computer servers it was using, then mark down exactly what each chip was, to make sure everything was fully understood."

An anonymous reader quotes a report from ZDNet: Red Hat just became the first open-source company to make a cool 2 billion bucks. Not bad considering Red Hat became the first billion dollar Linux company only four years ago. Red Hat did it the old-fashioned way: They earned the money instead of playing upon the gullibility of venture capitalists. Red Hat's total revenue for its fourth quarter was $544 million. That's up 17 percent in U.S. dollars year-over-year, or 21 percent measured constant currency. Subscription revenue for the quarter was $480 million, up 18 percent in U.S. dollars year-over-year, or 22 percent measured in constant currency. Subscription revenue in the quarter was 88 percent of total revenue. Analysts estimated Red Hat would make $534 million. Looking ahead for its 2016 FY Red Hat expects to see between $2.380 billion to $2.420 billion. At this rate, Red Hat should easily become the first $3 billion open-source company.
While Red Hat's president and CEO Jim Whitehurst credits the "hybrid cloud infrastructures," Red Hat's subscription revenue can largely be ascribed to Red Hat's flagship product: Red Hat Enterprise Linux. Still, RHEL, which is now available on Microsoft Azure, is becoming a prominent cloud operating system.

An anonymous reader quotes an article written by Chris Williams for The Register: Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koculu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koculu yanked his source code because, we're told, one of the modules was called Kik and that apparently attracted the attention of lawyers representing the instant-messaging app of the same name. According to Koculu, Kik's briefs told him to take down the module, he refused, so the lawyers went to NPM's admins claiming brand infringement. When NPM took Kik away from the developer, he was furious and unpublished all of his NPM-managed modules. 'This situation made me realize that NPM is someone's private land where corporate is more powerful than the people, and I do open source because Power To The People,' Koculu blogged. Unfortunately, one of those dependencies was left-pad. It pads out the lefthand-side of strings with zeroes or spaces. And thousands of projects including Node and Babel relied on it. With left-pad removed from NPM, these applications and widely used bits of open-source infrastructure were unable to obtain the dependency, and thus fell over.

mmoorebz writes: After three years of development and with over 150 contributors to the code, Apache PDFBox 2.0 has been released. With this release comes enhancements and improvements. The Apache PDFBox library is an open-source Java tool for working with PDF documents. The project allows creation and manipulation of PDF documents, and the ability to extract content from them. Support for forms in open-source PDF viewers is currently disappointing, and I hope this heralds improvement on that front.

itwbennett writes: The Tor Project, which provides more anonymous browsing across the Internet using a customized Firefox Web browser. is fortifying its software so that it can quickly detect if its network is tampered with. To address worries that Tor could either be technically subverted or subject to court orders, Tor developers are now designing the system in such a way that many people can verify if code has been changed and 'eliminate single points of failure,' wrote Mike Perry, lead developer of the Tor Browser, on Monday. 'Even if a government or a criminal obtains our cryptographic keys, our distributed network and its users would be able to detect this fact and report it to us as a security issue,' said Perry.

Mickeycaskill writes with this news from TechWeek Europe: Every Year 7 student in England and Wales, Year 8 student in Northern Ireland and S1 student in Scotland will be handed, for free, a BBC micro:bit computer specially designed to help pupils learn to code. Micro:bits, which are smaller than the size of a credit card and can be hooked up to a mobile app or accessed via the Internet, will be delivered nationwide through schools and made available to home-schooled students over the course of the next few weeks. The students are able to keep their devices as their own, meaning they can work with the device for homework, in school holidays, and use it for more applications as their grasp on coding increases. The initiative follows on from the BBC's Micro programme that was introduced in the 1980s, and sees a partnership between the BBC and some of the world's most notable technology companies such as ARM, Microsoft, and Samsung. The computer will hope to emulate the Raspberry Pi, of which more than eight million have been sold. A BBC story explains a bit about the project's ambitions, and points out a few "bumps in the road"; originally, the hardware was to be in classrooms several months sooner. The BBC's own micro:bit page features more on programming the device, as well as many sample projects.

An anonymous reader writes: A group of independent security researchers and major Silicon Valley tech giants have submitted a proposal for a new email protocol called SMTP STS (Strict Transport Security). In theory, this new extension looks like the HSTS (HTTP Strict Transport Security) extension to HTTPS. Much like HSTS, SMTP STS brings message confidentiality and server authenticity to the process of starting an encrypted email communications channel. HSTS works alongside HTTPS to avoid SSL/TLS downgrades and MitM attacks. to avoid SSL/TLS downgrades and MitM attacks. The biggest names on the contributors list include Microsoft, Google, Yahoo, LinkedIn, and Comcast. Last year, Oracle also submitted a similar proposal called DEEP (Deployable Enhanced Email Privacy).

Freshly Exhumed writes: Redox OS, a project on GitHub aimed at creating an alternative OS able to run almost all Linux executables with only minimal modifications, is to feature a pure Rust ecosystem, which they hope will improve correctness and security over other OSes. In their own words, 'Redox isn't afraid of dropping the bad parts of POSIX, while preserving modest Linux API compatibility.' They also level harsh criticisms at other OSes, saying "...we will not replicate the mistakes made by others. This is probably the most important tenet of Redox. In the past, bad design choices were made by Linux, Unix, BSD, HURD, and so on. We all make mistakes, that's no secret, but there is no reason to repeat others' mistakes." Not stopping there, Redox documentation contains blunt critiques of Plan 9, the GPL, and other mainstays.

reifman writes: As posted earlier, Amazon's growth and predominantly male hiring has made dating in Seattle incredibly difficult for everyone. Two Amazon employees, Becca Goldman and Mahvish Gazipura, recently launched DateADev to help coworkers optimize their dating profiles: 'at Amazon [we're] surrounded by software developers and project managers all the time, we just noticed their need. We talk to them all the time about their frustrations with dating.' Goldman's gone on more than 500 dates in the past three years. 'Her experience ... helps her quickly assess an online profile of a potential partner.' Rather than drive its employees into moonlighting, Amazon could just start hiring more women.