×
Java

Microsoft Previews Its Open Source Java Distribution, Microsoft Build of OpenJDK (betanews.com) 145

Mark Wilson writes: Microsoft has launched a preview version of its own distribution of Java, making it available for Windows, macOS and Linux. The company has named the release Microsoft Build of OpenJDK, and describes it as its "new way to collaborate and contribute to the Java ecosystem". The company has made available Microsoft Build of OpenJDK binaries for Java 11, which are based on OpenJDK source code. Microsoft says it is looking to broaden and deepen its support for Java, "one of the most important programming languages used today".
Programming

Google Now Supports Rust for Underlying Android OS Development (9to5google.com) 28

For the past few years, Google has been encouraging developers to write Android apps with Kotlin. The underlying OS still uses C and C++, though Google today announced Android Open Source Project (AOSP) support for Rust. From a report: This is part of Google's work to address memory safety bugs in the operating system: "We invest a great deal of effort and resources into detecting, fixing, and mitigating this class of bugs, and these efforts are effective in preventing a large number of bugs from making it into Android releases. Yet in spite of these efforts, memory safety bugs continue to be a top contributor of stability issues, and consistently represent ~70% of Android's high severity security vulnerabilities."

The company believes that memory-safe languages, like Rust, are the "most cost-effective means for preventing memory bugs" in the bootloader, fastboot, kernel, and other low-level parts of the OS. Unlike C and C++, where developers manage memory lifetime, Rust "provides memory safety guarantees by using a combination of compile-time checks to enforce object lifetime/ownership and runtime checks to ensure that memory accesses are valid." Google has been working to add this support to AOSP for the past 18 months. Performance is equivalent to the existing languages, while increasing the effectiveness of current sandboxing and reducing the overall need for it. This allows for "new features that are both safer and lighter on resources." Other improvements include data concurrency, a more expressive type system, and safer integer handling.

Databases

LexisNexis To Provide Giant Database of Personal Information To ICE (theintercept.com) 64

An anonymous reader quotes a report from The Intercept: The popular legal research and data brokerage firm LexisNexis signed a $16.8 million contract to sell information to U.S. Immigration and Customs Enforcement, according to documents shared with The Intercept. The deal is already drawing fire from critics and comes less than two years after the company downplayed its ties to ICE, claiming it was "not working with them to build data infrastructure to assist their efforts." Though LexisNexis is perhaps best known for its role as a powerful scholarly and legal research tool, the company also caters to the immensely lucrative "risk" industry, providing, it says, 10,000 different data points on hundreds of millions of people to companies like financial institutions and insurance companies who want to, say, flag individuals with a history of fraud. LexisNexis Risk Solutions is also marketed to law enforcement agencies, offering "advanced analytics to generate quality investigative leads, produce actionable intelligence and drive informed decisions" -- in other words, to find and arrest people.

The LexisNexis ICE deal appears to be providing a replacement for CLEAR, a risk industry service operated by Thomson Reuters that has been crucial to ICE's deportation efforts. In February, the Washington Post noted that the CLEAR contract was expiring and that it was "unclear whether the Biden administration will renew the deal or award a new contract." LexisNexis's February 25 ICE contract was shared with The Intercept by Mijente, a Latinx advocacy organization that has criticized links between ICE and tech companies it says are profiting from human rights abuses, including LexisNexis and Thomson Reuters. The contract shows LexisNexis will provide Homeland Security investigators access to billions of different records containing personal data aggregated from a wide array of public and private sources, including credit history, bankruptcy records, license plate images, and cellular subscriber information. The company will also provide analytical tools that can help police connect these vast stores of data to the right person.
In a statement to The Intercept, a LexisNexis Risk Solutions spokesperson said: "Our tool contains data primarily from public government records. The principal non-public data is authorized by Congress for such uses in the Drivers Privacy Protection Act and Gramm-Leach-Bliley Act statutes." They declined to say exactly what categories of data the company would provide ICE under the new contract, or what policies, if any, will govern how agency agency uses it.
Google

Google Wins Oracle Copyright Fight as Top Court Overturns Ruling (bloomberg.com) 155

The U.S. Supreme Court ruled that Alphabet's Google didn't commit copyright infringement when it used Oracle's programming code in the Android operating system, sparing Google from what could have been a multibillion-dollar award. From a report: The 6-2 ruling, which overturns a victory for Oracle, marks a climax to a decade-old case that divided Silicon Valley and promised to reshape the rules for the software industry. Oracle was seeking as much as $9 billion. The court said Google engaged in legitimate "fair use" when it put key aspects of Oracle's Java programming language in the Android operating system. Writing for the court, Justice Stephen Breyer said Google used "only what was needed to allow users to put their accrued talents to work in a new and transformative program." Each side contended the other's position would undercut innovation. Oracle said that without strong copyright protection, companies would have less incentive to invest the large sums needed to create groundbreaking products. Google said Oracle's approach would discourage the development of new software that builds on legacy products.
Security

GitHub is Investigating Crypto-mining Campaign Abusing Its Server Infrastructure (therecord.media) 27

An anonymous Slashdot reader shared this report from The Record: Code-hosting service GitHub is actively investigating a series of attacks against its cloud infrastructure that allowed cybercriminals to implant and abuse the company's servers for illicit crypto-mining operations, a spokesperson told The Record today.

The attacks have been going on since the fall of 2020 and have abused a GitHub feature called GitHub Actions, which allows users to automatically execute tasks and workflows once a certain event happens inside one of their GitHub repositories. In a phone call today, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where GitHub Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.

But the attack doesn't rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said. The Dutch security engineer told us attackers specifically target GitHub project owners that have automated workflows that test incoming pull requests via automated jobs. Once one of these malicious Pull Requests is filed, GitHub's systems will read the attacker's code and spin up a virtual machine that downloads and runs cryptocurrency-mining software on GitHub's infrastructure.

Perdok, who's had projects abused this way, said he's seen attackers spin up to 100 crypto-miners via one attack alone, creating huge computational loads for GitHub's infrastructure. The attackers appear to be happening at random and at scale. Perdok said he identified at least one account creating hundreds of Pull Requests containing malicious code.

Programming

Node.js Rival Deno Gets Seed Capital For Full-time Deno Engineers (infoworld.com) 74

"The creators of Deno have formed the Deno Company, a business venture around the JavaScript/TypeScript runtime and rival to Node.js," reports InfoWorld: In a bulletin on March 29, Deno creator Ryan Dahl and Bert Belder, both of whom also led the development of Node.js, announced the formation of the company and said they had $4.9 million in seed capital, enough to pay for a staff of full-time engineers working to improve Deno...

Dahl and Belder said that, while they planned to pursue commercial applications of Demo, Deno itself would remain MIT-licensed, adding that for Deno to be maximally useful it must remain permissively free. "Our business will build on the open source project, not attempt to monetize it directly," they Deno authors said.

From their announcement: We find server-side JavaScript hopelessly fragmented, deeply tied to bad infrastructure, and irrevocably ruled by committees without the incentive to innovate. As the browser platform moves forward at a rapid pace, server-side JavaScript has stagnated. Deno is our attempt to breathe new life into this ecosystem...

Not every use-case of server-side JavaScript needs to access the file system; our infrastructure makes it possible to compile out unnecessary bindings. This allows us to create custom runtimes for different applications: Electron-style GUIs, Cloudflare Worker-style Serverless Functions, embedded scripting for databases, etc.

Programming

Turing Award Goes To Creators of Computer Programming Building Blocks (nytimes.com) 48

Jeffrey Ullman and Alfred Aho developed many of the fundamental concepts that researchers use when they build new software. From a report: When Alfred Aho and Jeffrey Ullman met while waiting in the registration line on their first day of graduate school at Princeton University in 1963, computer science was still a strange new world. Using a computer required a set of esoteric skills typically reserved for trained engineers and mathematicians. But today, thanks in part to the work of Dr. Aho and Dr. Ullman, practically anyone can use a computer and program it to perform new tasks. On Wednesday, the Association for Computing Machinery, the world's largest society of computing professionals, said Dr. Aho and Dr. Ullman would receive this year's Turing Award for their work on the fundamental concepts that underpin computer programming languages. Given since 1966 and often called the Nobel Prize of computing, the Turing Award comes with a $1 million prize, which the two academics and longtime friends will split. Dr. Aho and Dr. Ullman helped refine one of the key components of a computer: the "compiler" that takes in software programs written by humans and turns them into something computers can understand.

Over the past five decades, computer scientists have built increasingly intuitive programming languages, making it easier and easier for people to create software for desktops, laptops, smartphones, cars and even supercomputers. Compilers ensure that these languages are efficiently translated into the ones and zeros that computers understand. Without their work, "we would not be able to write an app for our phones," said Krysta Svore, a researcher at Microsoft who studied with Mr. Aho at Columbia University, where he was chairman of the computer science department. "We would not have the cars we drive these days." The researchers also wrote many textbooks and taught generations of students as they defined how computer software development was different from electrical engineering or mathematics. "Their fingerprints are all over the field," said Graydon Hoare, the creator of a programming language called Rust. He added that two of Dr. Ullman's books were sitting on the shelf beside him. After leaving Princeton, both Dr. Aho, a Canadian by birth who is 79, and Dr. Ullman, a native New Yorker who is 78, joined the New Jersey headquarters of Bell Labs, which was then one of the world's leading research labs.

Databases

SEGA Lawyers Demand 'Immediate Suspension' of Steam Database Over Alleged Piracy (torrentfreak.com) 66

An anonymous reader quotes a report from TorrentFreak: The popular and entirely legal Steam Database has found itself in a precarious position following two erroneous DMCA notices from SEGA. Steam Database's host is being asked to suspend the platform due to a claimed lack of response to the first notice. This prompted the site to take down entirely legal content in an effort to address the problem. [...]

TorrentFreak was able to review the notice sent by SEGA to SteamDB's host and it pulls no punches. SEGA doubles down by stating that SteamDB is illegally distributing the game Yakuza: Like a Dragon, noting that it has tried to inform SteamDB but was "not able" to resolve the issue. Worryingly, it then implies that legal action might be taken against SteamDB for non-compliance, adding that the host should "immediately suspend" SteamDB due to the alleged ongoing infringement. Which, of course, is not taking place.

This puts SteamDB's host in a tough position. Failure to act against an allegedly infringing customer can put the host at risk in terms of liability but disabling a customer's website can cause a whole new set of problems, especially when that customer has not infringed anyone's rights. In an effort to sort the problem out, SteamDB's host asked for additional input from the operators of SteamDB but nevertheless warned that if that information was not received, it may still block the SteamDB server within 24 hours, as demanded in the SEGA takedown notice. In order to defuse the situation, SteamDB took down the allegedly-infringing page which as far as SEGA goes (and at least in theory) should solve the disconnection threat problem. However, the entire situation has proven counterproductive for SEGA too.

Programming

Apple's WWDC Stays Online-Only, Kicking Off June 7 (techcrunch.com) 17

Apple this morning announced that it will be returning to an all-virtual format for a second year. The company went online-only for the first time in 2020, as Covid-19 ground in-person events to a halt. From a report: While vaccine rollouts have begun in much of the world, the return of the in-person event industry still seems iffy for most of the rest of the year. The event will run June 7-11. "We are working to make WWDC21 our biggest and best yet, and are excited to offer Apple developers new tools to support them as they create apps that change the way we live, work, and play," Developer Relations VP Susan Prescott said in a release tied to the news. The virtual format certainly has its advantage -- accessibility being at the top of the list. Apple said last year's was its "biggest ever," and expects roughly 28 million developers from around the world at this one. In addition to not having to deal with traveling -- not to mention the South Bay hotel crunch -- the company offers up free access to the event for all qualified developers.
PHP

PHP's Git Server Hacked To Add Backdoors To PHP Source Code (bleepingcomputer.com) 87

dotancohen writes: Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src Git repository. These commits were pushed to create a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP and an HTTP header. "The incident is alarming considering PHP remains the server-side programming language to power over 79% of the websites on the Internet," adds BleepingComputer.

"In the malicious commits [1, 2] the attackers published a mysterious change upstream, 'fix typo' under the pretense this was a minor typographical correction. However, taking a look at the added line 370 where zend_eval_string function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on a website running this hijacked version of PHP."

According to Popov, the first commit was detected a couple hours after it was made, and the changes were reverted right away. "Although a complete investigation of the incident is ongoing, according to PHP maintainers, this malicious activity stemmed from the compromised git.php.net server, rather than compromise of an individual's Git account," reports BleepingComputer. "As a precaution following this incident, PHP maintainers have decided to migrate the official PHP source code repository to GitHub."
Security

'Incompetent Developers' Blamed For NZ Patient Privacy Breach of COVID-19 Vaccine Booking Systems (stuff.co.nz) 54

An anonymous reader writes: The New Zealand Ministry of Health has launched a "sweeping review" of the nation's COVID vaccine-booking system, after a data breach led to exposure of personal information for more than 700 patients. A whistleblower reported over the weekend that they could access information about other patients, which was "readily accessible within the public-facing code of the website" -- apparently hard coded.

As a response, the Ministry of Health has ordered a review of all systems made by the developer, Valentia Technologies, which also makes software used by the Ambulance service, many GP practices, and the managed isolation and quarantine system.
"It is not a coding error. It is incompetence. The developer who developed this is incompetent ... This is basic stuff," said the man who spotted the booking system problem.

"The source code of the website, flagged a few concerning features, including someone's name, and an NHI number hard coded into the website, for what reason? I don't know," he said. "We could see everyone's details. We skimmed through, we didn't look at names, but their names, dates of birth, NHI numbers for those who entered them, contact details, where they were getting their vaccinations, what time they were vaccinated."

He said it appeared that Canterbury DHB had used a modified internal system to create the booking system. "You can tell by the source code, this was never meant to be a public facing website. This was only for people to use on like iPads, in doctors' surgeries, it was not supposed to be for this."
The Internet

On cURL's 23rd Anniversary, Creator Daniel Stenberg Celebrated With 3D-Printed 'GitHub Steel' Contribution Graph (daniel.haxx.se) 25

This week Swedish developer Daniel Stenberg posted a remarkable reflection on the 23rd anniversary of his command-line data tool, cURL: curl was adopted in Red Hat Linux in late 1998, became a Debian package in May 1999, shipped in Mac OS X 10.1 in August 2001. Today, it is also shipped by default in Windows 10 and in iOS and Android devices. Not to mention the game consoles, Nintendo Switch, Xbox and Sony PS5.

Amusingly, libcurl is used by the two major mobile OSes but not provided as an API by them, so lots of apps, including many extremely large volume apps bundle their own libcurl build: YouTube, Skype, Instagram, Spotify, Google Photos, Netflix etc. Meaning that most smartphone users today have many separate curl installations in their phones.

Further, libcurl is used by some of the most played computer games of all times: GTA V, Fortnite, PUBG mobile, Red Dead Redemption 2 etc.

libcurl powers media players and set-top boxes such as Roku, Apple TV by maybe half a billion TVs.

curl and libcurl ships in virtually every Internet server and is the default transfer engine in PHP, which is found in almost 80% of the world's almost two billion websites.

Cars are Internet-connected now. libcurl is used in virtually every modern car these days to transfer data to and from the vehicles.

Then add media players, kitchen and medical devices, printers, smart watches and lots of "smart"; IoT things. Practically speaking, just about every Internet-connected device in existence runs curl.

I'm convinced I'm not exaggerating when I claim that curl exists in over ten billion installations world-wide...

Those 300 lines of code in late 1996 have grown to 172,000 lines in March 2021.

Stenberg attributes cURL's success to persistence. "We hold out. We endure and keep polishing. We're here for the long run. It took me two years (counting from the precursors) to reach 300 downloads. It took another ten or so until it was really widely available and used." But he adds that 22 different CPU architectures and 86 different operating systems are now known to have run curl.

In a later blog post titled "GitHub Steel," Stenberg also reveals that GitHub gave him a 3D-printed steel version of his 2020 GitHub contribution matrix — accompanied by a friendly note. "Please accept this small gift as a token of appreciation on behalf of all of us here at GitHub, and everyone who benefits from your work."
Programming

Will Programming by Voice Be the Next Frontier in Software Development? (ieee.org) 119

Two software engineers with injuries or chronic pain conditions have both started voice-coding platforms, reports IEEE Spectrum. "Programmers utter commands to manipulate code and create custom commands that cater to and automate their workflows." The voice-coding app Serenade, for instance, has a speech-to-text engine developed specifically for code, unlike Google's speech-to-text API, which is designed for conversational speech. Once a software engineer speaks the code, Serenade's engine feeds that into its natural-language processing layer, whose machine-learning models are trained to identify and translate common programming constructs to syntactically valid code...

Talon has several components to it: speech recognition, eye tracking, and noise recognition. Talon's speech-recognition engine is based on Facebook's Wav2letter automatic speech-recognition system, which [founder Ryan] Hileman extended to accommodate commands for voice coding. Meanwhile, Talon's eye tracking and noise-recognition capabilities simulate navigating with a mouse, moving a cursor around the screen based on eye movements and making clicks based on mouth pops. "That sound is easy to make. It's low effort and takes low latency to recognize, so it's a much faster, nonverbal way of clicking the mouse that doesn't cause vocal strain," Hileman says...

Open-source voice-coding platforms such as Aenea and Caster are free, but both rely on the Dragon speech-recognition engine, which users will have to purchase themselves. That said, Caster offers support for Kaldi, an open-source speech-recognition tool kit, and Windows Speech Recognition, which comes preinstalled in Windows.

Open Source

FreeBSD's Close Call: How Flawed Code Almost Made It Into the Kernel (arstechnica.com) 60

"40,000 lines of flawed code almost made it into FreeBSD's kernel," writes Ars Technica, reporting on what happened when the CEO of Netgate, which makes FreeBSD-powered routers, decided it was time for FreeBSD to enjoy the same level of in-kernel WireGuard support that Linux does. The issue arose after Netgate offered a burned-out developer a contract to port WireGuard into the FreeBSD kernel (where Netgate could then use it in the company's popular pfSense router distribution): [The developer] committed his port — largely unreviewed and inadequately tested — directly into the HEAD section of FreeBSD's code repository, where it was scheduled for incorporation into FreeBSD 13.0-RELEASE. This unexpected commit raised the stakes for WireGuard founding developer Jason Donenfeld, whose project would ultimately be judged on the quality of any production release under the WireGuard name. Donenfeld identified numerous problems...but rather than object to the port's release, Donenfeld decided to fix the issues. He collaborated with FreeBSD developer Kyle Evans and with Matt Dunwoodie, an OpenBSD developer who had worked on WireGuard for that operating system...

How did so much sub-par code make it so far into a major open source operating system? Where was the code review which should have stopped it? And why did both the FreeBSD core team and Netgate seem more focused on the fact that the code was being disparaged than its actual quality?

There's more to the story, but ultimately Ars Technica confirmed the presences of multiple buffer overflows, printf statements that are still being triggered in production, and even empty validation function which always "return true" rather than actually validating the data. The original developer argued the real issue is an absence of quality reviewers, but Ars Technica sees a larger problem. "There seems to be an absence of process to ensure quality code review." Several FreeBSD community members would only speak off the record. In essence, most seem to agree, you either have a commit bit (enabling you to commit code to FreeBSD's repositories) or you don't. It's hard to find code reviews, and there generally isn't a fixed process ensuring that vitally important code gets reviewed prior to inclusion. This system thus relies heavily on the ability and collegiality of individual code creators.
Ars Technica published this statement from the FreeBSD Core Team: Core unconditionally values the work of all contributors, and seeks a culture of cooperation, respect, and collaboration. The public discourse over WireGuard in the past week does not meet these standards and is damaging to our community if not checked. As such, WireGuard development for FreeBSD will now proceed outside of the base system. For those who wish to evaluate, test, or experiment with WireGuard, snapshots will be available via the ports and package systems.

As a project, we remain committed to continually improving our development process. We'll also continue to refine our tooling to make code reviews and continuous integration easier and more effective. The Core Team asks that the community use these tools and work together to improve FreeBSD.

Ars Technica applauds the efforts — while remaining concerned about the need for them. "FreeBSD is an important project that deserves to be taken seriously. Its downstream consumers include industry giants such as Cisco, Juniper, NetApp, Netflix, Sony, Sophos, and more. The difference in licensing between FreeBSD and Linux gives FreeBSD a reach into many projects and spaces where the Linux kernel would be a difficult or impossible fit."
Programming

Progress Continues On Recreating the Babbage Programmable Computer (plan28.org) 12

Long-time Slashdot reader RockDoctor writes: A project to create a working example of [english mathematician and computer pioneer Charles Babbage's] original "steampunk computer," referred to by Babbage as the "Analytical Engine 30," is continuing. The update comes via a "Spring 2021 report" to the Computer Conservation Society.

The main news is that a new series of plans, dating from about 1857 have been found and are being examined for incorporation into the final design. "One remarkable feature is the extension of the Store to 1000 registers, and most intriguingly various methods of mechanically addressing the store contents," reads the update. This would compare well with electronic processor design... not that anyone is expecting this machine, when built, to be blisteringly fast.

Could a steam-powered Analytical Engine support backup DNS services in a post-apocalyptic world? Is this Cloudflare's ultimate plan?

Programming

Apple Says iOS Developers Have 'Multiple' Ways of Reaching Users and Are 'Far From Limited' To Using Only the App Store 98

As it faces a barrage of probes and investigations regarding the App Store and the distribution of apps on its devices, Apple has told Australia's consumer watchdog that developers have "multiple" ways to reach iOS users and claims that they are "far from limited" to simply using the App Store. From a report: In a new filing responding to concerns from the Australian Competition & Consumer Commission that it exploits "alleged market power in its role as a distributor of apps," Apple highlights multiple avenues that developers can take to reach customers. Specifically, Apple points out that the "whole web" exists as an alternative means of distribution, arguing that the web has become a platform unto itself. Apple supports this claim by noting that iOS devices have "unrestricted and uncontrolled" access to the web, allowing users to download web apps. Apple says: Web browsers are used not only as a distribution portal but also as platforms themselves, hosting "progressive web applications" (PWAs) that eliminate the need to download a developer's app through the App Store (or other means) at all. PWAs are increasingly available for and through mobile-based browsers and devices, including on iOS. [...] As explained further below, Apple faces competitive constraints from distribution alternatives within the iOS ecosystem (including developer websites and other outlets through which consumers may obtain third-party apps and use them on their iOS devices) and outside iOS. Prominent iOS developer Marco Arment commented on Apple's argument, saying: LOL
Programming

Rust Takes 'Tentative First Step' Toward Linux Kernel (thenewstack.io) 120

In his This Week in Programming column, Mike Melanson writes: Rustaceans' dreams of Rust's inclusion in the Linux kernel are one tiny, ever so slight step closer to becoming a reality, with this week's "intentionally bare-bones" inclusion in Linux-next, the development branch of the Linux kernel... Curb your enthusiasm, however, as this remains a rather tentative first step of many necessary steps before Rust fully lands in the Linux kernel.

A rather brief post on LWN.net summarizes where we are rather succinctly:

Followers of the linux-next integration tree may have noticed a significant addition: initial support for writing device drivers in the Rust language. There is some documentation in Documentation/rust, while the code itself is in the rust top-level directory. Appearance in linux-next generally implies readiness for the upcoming merge window, but it is not clear if that is the case here; this code has not seen a lot of wider review yet. It is, regardless, an important step toward the ability to write drivers in a safer language.

Indeed, Miguel Ojeda, a software developer and maintainer of the Rust for Linux project writes that the proposed inclusion "does not mean we will make it into mainline, of course, but it is a nice step to make things as smooth as possible," with some changes expected before any decision as to Rust's inclusion are made.

For those of you less familiar with Rust, part of the appeal here comes with Rust's memory safety features, especially in comparison to C, which the Linux kernel is currently coded in. Part of the problem, however, is that Rust is compiled based on LLVM, as opposed to GCC, and subsequently supports fewer architectures. This is a problem we've seen play out recently, as the Python cryptography library has replaced some old C code with Rust, leading to a situation where certain architectures will not be supported. Presently, the proposal to include Rust in the Linux kernel limits this issue by saying that Rust would be used, at least initially, for writing drivers that, as noted in another LWN.net article on the topic, "would never be used on the more obscure architectures anyway."

The Courts

iOS Developer Who Drew Attention To App Store Scams is Now Suing Apple (theverge.com) 6

Mobile app developer Kosta Eleftheriou, who publicly called out Apple earlier this year for negligence with regard to policing iOS scams and copycat apps on the App Store, has filed a lawsuit against the iPhone maker in California. From a report: He's accusing the company of exploiting its monopoly power over iOS apps "to make billions of dollars in profits at the expense of small application developers and consumers." Eleftheriou's company KPAW LLC, which he co-owns with his partner Ashley Eleftheriou, filed its complaint in Santa Clara County on Wednesday. It details the development and release timeline of Eleftheriou's Apple Watch keyboard app FlickType. At the time he began accusing Apple of abetting App Store scams early last month, Eleftheriou revealed that his FlickType app had been targeted by competing software he says either didn't work well or didn't work at all, and yet nonetheless chipped away at this sales and App Store rankings through false advertising and the purchase of fake reviews. After he complained, he said Apple did not do enough to combat the scams, though Apple did later remove some of the apps he called attention to.
Google

Google Play Drops Commissions To 15% from 30%, Following Apple's Move Last Year 50

Google will lower its Play commissions globally for developers that sell in-app digital goods and services on its marquee store, the company said, following a similar move by rival Apple late last year. From a report: The Android-maker said on Tuesday that starting July 1, it is reducing the service fee for Google Play to 15% -- down from 30% -- for the first $1 million of revenue developers earn using Play billing system each year. The company will levy a 30% cut on every dollar developers generate through Google Play beyond the first $1 million in a year, it said. Citing its own estimates, Google said 99% of developers that sell goods and services with Play will see a 50% reduction in fees, and that 97% of apps globally do not sell digital goods or pay any service fee.

Google's new approach is slightly different from Apple, which last year said it would collect 15% rather than 30% of App Store sales from companies that generate no more than $1 million in revenue through the company's platform. That drop doesn't apply to iOS apps if a developer's revenue on Apple platform exceeds $1 million. "We've heard from our partners making $2 million, $5 million and even $10 million a year that their services are still on a path to self-sustaining orbit," wrote Sameer Samat, VP of Android and Google Play, in a blog post.
Security

WeLeakInfo Leaked Customer Payment Info (krebsonsecurity.com) 14

A lapsed domain registration tied to WeLeakInfo, a wildly popular service that sold access to more than 12 billion usernames and passwords from thousands of hacked websites, "let someone plunder and publish account data on 24,000 customers who paid to access the service with a credit card," reports Krebs on Security. This comes after the service was seized a little over a year ago by the FBI and law enforcement partners overseas. From the report: In a post on the database leaking forum Raidforums, a regular contributor using the handle "pompompurin" said he stole the WeLeakInfo payment logs and other data after noticing the domain wli[.]design was no longer listed as registered. "Long story short: FBI let one of weleakinfo's domains expire that they used for the emails/payments," pompompurin wrote. "I registered that domain, & was able to [password] reset the stripe.com account & get all the Data. [It's] only from people that used stripe.com to checkout. If you used paypal or [bitcoin] ur all good."

Cyber threat intelligence firm Flashpoint obtained a copy of the data leaked by pompompurin, and said it includes partial credit card data, email addresses, full names, IP addresses, browser user agent string data, physical addresses, phone numbers, and amount paid. One forum member commented that they found their own payment data in the logs.

Slashdot Top Deals