Programming

Microsoft Previews 'Rust for Windows' (microsoft.com) 70

From Mike Melanson's "This Week in Programming" column: "The Rustening at Microsoft has begun," tweeted Microsoft distinguished engineer Miguel de Icaza.

What de Icaza is referring to is a newly-offered course by Microsoft on taking the first steps with Rust, which much of the Twitterverse of Rust devotees sees as a sign that the company is further increasing its favor for their crab-themed language of choice. Of course, this isn't the first we've heard of Microsoft looking to Rust to handle the 70% of Microsoft vulnerabilities that it says come from using the memory-unsafe C++ programming language in its software. A few years back now, Microsoft launched Project Verona, a research programming language that takes a bite from Rust in the realm of ownership and is said to be inspired by Rust, among others.

More recently, however, Microsoft announced the preview of Rust for Windows, which "lets you use any Windows API (past, present, and future) directly and seamlessly via the windows crate (crate is Rust's term for a binary or a library, and/or the source code that builds into one)." With Rust for Windows, developers can now not only use Rust on Windows, they can also write apps for Windows using Rust...

According to the project description, the Windows crate "lets you call any Windows API past, present, and future using code generated on the fly directly from the metadata describing the API and right into your Rust package where you can call them as if they were just another Rust module" and that, along with the introduction of a course for learning Rust, is precisely what has all those Rust devotees so excited.

InfoWorld has more information...

Social Networks

'Not Even Student Work': MyPillow CEO's Social Media Site Botches Rollout (salon.com) 191

"Salon reports amateur-hour mistakes in the attempted rollout of FRANK, a social media site envisioned by Mike Lindell of MyPillow," writes Slashdot reader Tom239. "A Drupal expert described the code as 'not even student work.'" From the report: Speaking to Salon on Thursday afternoon about Lindell's site, one "Acquia Certified Drupal Grand Master," who oversees a technology firm that employs numerous other "grandmasters," said that Lindell's site was set up for failure from its inception, noting that its developers -- whom Lindell compared to Navy SEALs -- had failed to carry out basic "Drupal 101" tasks. One coder who spoke to Salon in great detail explained the potential shortcomings of the pillow maven's program code and the patchy work done by his developer team. "Drupal can power highly powerful websites, sites with lots of traffic," the expert said, adding that it isn't the right software to build a social media site with, since it's not designed to handle a large amount of user-generated content. "Lindell's website was basically trying to make soup from scratch for everybody," said the expert, who claimed more than 25 years of experience in the IT field.

"In my professional opinion, it will be extremely unlikely, if not impossible, for Lindell to accomplish his vision with Drupal and his own servers," the expert told Salon. "Despite how much I love it, Drupal simply isn't the right tool for the number of users with the features that he wants to provide. It would take a massive effort of 12 to 18 months to build out the needed hosting setup and application architecture, and this would come with an enormous degree of risk. The idea that he could do this in just a couple of months is patently absurd, and I think the results speak for themselves."

"When I was looking at the code, in the browser, they basically launched the site while it was still in development mode," one expert told Salon, citing the fact that developers had failed to check a box to aggregate files on the platform as the first red flag he ran across. "Their files were not aggregated, and by the way, that's a check box in Drupal -- you literally check a box and click save. My jaw dropped when I saw that. I was like, 'They did not try to launch this thing without aggregation turned on!'" The second major red flag another Drupal expert found was that Lindell's site was spitting out coded error messages to users, which leaves the platform vulnerable to attacks. "This is a shit show," the expert said, calling this an "obvious" issue that coders learn how to prevent in "Drupal 101."

Elsewhere it was reported that Lindell's supposed free-speech haven will not allow swearing, pornography, or the use of 'god's name in vain'.

Education

Tech Giants Support Code.org's Amazon-Bankrolled Java-Based AP CS Curriculum 39

theodp writes: Code.org on Wednesday announced that dozens of industry, education, and state leaders are supporting a new Code.org AP CS A Java-focused curriculum for high school students, which will be available at no charge to all schools starting in the 2022-23 school year. "We are proud to have the following companies on our Industry Advisory Panel: Adobe, Amazon, Atlassian, Disney, Epic Games, Goldman Sachs, Google, IBM, Instagram, Microsoft, Riot Games, Roblox, Snapchat, Spotify, Tesla, Unity, Vista Equity," Code.org tweeted. "A big thank you to the following colleges and universities on our Education Advisory Panel: @BowieState @UBuffalo @CarnegieMellon @Harvard @montgomerycoll @NCWIT @thisisUIC @Illinois_Alma @unlv @UNOmaha @SpelmanCollege @UT_Dallas @UW @westminsterpa." In an accompanying Medium post, Code.org explained: "This work is all made possible through a generous [$15 million] gift from Amazon Future Engineer."

Despite having the support of some of the world's richest corporations and individuals whose goals the nonprofit helps advance, recently-released SBA records show that Code.org applied for and was approved for its second forgivable Federal Paycheck Protection Program loan in the amount of $1.9 million dollars on March 25, a month after Amazon and Code.org issued a joint press release announcing their $15 million plan to work on a new AP CS A curriculum and other initiatives. Amazon certainly has ambitious plans for influencing K-12 CS education. Last week, the company announced a 2021 goal to "reach 1.6 million underrepresented students globally through Amazon Future Engineer with real world-inspired virtual and hands-on computer science project learning." And an Amazon Future Engineer job listing for a U.S. Country Senior Manager notes the job will require working "with national and local educational non-profits and governmental entities such as BootUp, Project STEM, Code.org, and the US and State Departments of Education," as well as positioning Amazon "as subject matter experts on US computer science education, as well as the local education systems of our headquarter regions."

Programming

How Often Do People Actually Copy and Paste From Stack Overflow? (stackoverflow.blog) 124

Stack Overflow blog: They say there's a kernel of truth behind every joke. In the case of our recent April Fools gag, it might be more like an entire cob, perhaps a bushel of truth. We wanted to embrace a classic Stack Overflow meme and tweak one of our core principles. Our company was inspired by the founders' frustration with websites that kept answers to coding questions behind paywalls. What would the world look like if we suddenly decided to monetize the act of copying code from Stack Overflow? OK, joke's over, hope everyone had a good laugh and no one got too freaked out. But wait, there's more. Once we set up a system to react every time someone typed Command+C, we realized there was also an opportunity to learn about how people use our site. We were able to catalog every copy command made on Stack Overflow over the course of two weeks, and here's what we found.

One out of every four users who visits a Stack Overflow question copies something within five minutes of hitting the page. That adds up to 40,623,987 copies across 7,305,042 posts and comments between March 26th and April 9th. People copy from answers about ten times as often as they do from questions and about 35 times as often as they do from comments. People copy from code blocks more than ten times as often as they do from the surrounding text, and surprisingly, we see more copies being made on questions without accepted answers than we do on questions which are accepted. So, if you've ever felt bad about copying code from our site instead of writing it from scratch, forgive yourself!

Programming

Student's First Academic Paper Solves Decades-Old Quantum Computing Problem (abc.net.au) 96

"Sydney university student Pablo Bonilla, 21, had his first academic paper published overnight and it might just change the shape of computing forever," writes Australia's national public broadcaster ABC: As a second-year physics student at the University of Sydney, Mr Bonilla was given some coding exercises as extra homework and what he returned with has helped to solve one of the most common problems in quantum computing. His code piqued the interest of researchers at Yale and Duke in the United States and the multi-billion-dollar tech giant Amazon plans to use it in the quantum computer it is trying to build for its cloud platform Amazon Web Services....

Assistant professor Shruti Puri of Yale's quantum research program said the new code solved a problem that had persisted for 20 years. "What amazes me about this new code is its sheer elegance," she said. "Its remarkable error-correcting properties are coming from a simple modification to a code that has been studied extensively for almost two decades...."

Co-author of the paper, the University of Sydney's Ben Brown, said the brilliance of Pablo Bonilla's code was in its simplicity... "We just made the smallest of changes to a chip that everybody is building, and all of a sudden it started doing a lot better. It's quite amazing to me that nobody spotted it in the 20-or-so years that people have been working on that model."

Programming

Linus Torvalds Says Rust Closer for Linux Kernel Development, Calls C++ 'A Crap Language' (itwire.com) 270

Google's Android team supports Rust for developing the Android operating system. Now they're also helping evaluate Rust for Linux kernel development. Their hopes, among other things, are that "New code written in Rust has a reduced risk of memory safety bugs, data races and logic bugs overall," that Rust offers "abstractions that are easier to reason about," and that "More people get involved overall in developing the kernel, thanks to the usage of a modern language."

Linus Torvalds responded in a new interview with IT Wire (shared by Slashdot reader juul_advocate): The first patches for Rust support in the Linux kernel have been posted and the man behind the kernel says the fact that these are being discussed is much more important than a long post by Google about the language. Linus Torvalds told iTWire in response to queries that Rust support was "not there yet", adding that things were "getting to the point where maybe it might be mergeable for 5.14 or something like that..." Torvalds said that it was still early days for Rust support, "but at least it's in a 'this kind of works, there's an example, we can build on it'."

Asked about a suggestion by a commenter on the Linux Weekly News website, who said, during a discussion on the Google post, "The solution here is simple: just use C++ instead of Rust", Torvalds could not restrain himself from chortling. "LOL," was his response. "C++ solves _none_ of the C issues, and only makes things worse. It really is a crap language.

"For people who don't like C, go to a language that actually offers you something worthwhile. Like languages with memory safety and [which] can avoid some of the dangers of C, or languages that have internal GC [garbage collection] support and make memory management easier. C++ solves all the wrong problems, and anybody who says 'rewrite the kernel in C++' is too ignorant to even know that."

He said that when one spoke of the dangers of C, one was also speaking about part of what made C so powerful, "and allows you to implement all those low-level things efficiently".

Torvalds added that, while garbage collection is "a very good thing in most other situations," it's "generally not necessarily something you can do in a low-level system programming."

PHP

Git.PHP.net Not Compromised in Supply Chain Attack, but User Database Leak Possible (inside.com) 18

Inside.com's developer newsletter reports: The PHP team no longer believes the git.php.net server was compromised in a recent attack, which prompted PHP to move servers to GitHub and caused the team to temporarily put releases on hold until mid-April...

In an update offering further insight into the root cause of the late March attack, the team says because it's possible the master.php.net user database was exposed, master.php.net has been moved to main.php.net. The team also reset php.net passwords, and you can visit https://main.php.net/forgot.php to set a new password. In addition, git.php.net and svn.php.net are both read-only now.

Two malicious commits were pushed to the php-src repo from PHP founder Rasmus Lerdorf and PHP core developer Nikita Popov, Popov announced March 28. After an investigation, the PHP team reassured users these malicious commits never reached end-users. However, the team decided to move to GitHub after determining that maintaining its own git infrastructure is "an unnecessary security risk."

"In 2019, the PHP team temporarily shut down its Git server after discovering that an attacker had maliciously replaced the official PHP Extension and Application Repository with a malicious one," reports CPO magazine. But this newer supply chain attack "targeted any server that uses PHP ZLib compression when sending data. Most servers use this functionality on almost all content except images and archives that are already size optimized." The supply chain attack would have turned PHP into a remote web shell through which the attackers could execute any command without authentication, since their commands would run with the same privileges as the web server running PHP. The backdoor is triggered at the start of a request by checking whether the request contains the word "zerodium." If that condition is met, PHP executes the code in the "User-Agentt" request header, a name that closely resembles the standard "User-Agent" request header PHP exposes for checking browser properties.

The rest of the request would thus be treated as a command that could be executed on a PHP server using the server's privileges. This would allow the hackers to run any arbitrary command without the need for further privileges...

PHP powers 80% of all websites. Thus, a successful supply chain attack exploiting the language could prove catastrophic.

Java

Microsoft Previews Its Open Source Java Distribution, Microsoft Build of OpenJDK (betanews.com) 145

Mark Wilson writes: Microsoft has launched a preview version of its own distribution of Java, making it available for Windows, macOS and Linux. The company has named the release Microsoft Build of OpenJDK, and describes it as its "new way to collaborate and contribute to the Java ecosystem". The company has made available Microsoft Build of OpenJDK binaries for Java 11, which are based on OpenJDK source code. Microsoft says it is looking to broaden and deepen its support for Java, "one of the most important programming languages used today".

Programming

Google Now Supports Rust for Underlying Android OS Development (9to5google.com) 28

For the past few years, Google has been encouraging developers to write Android apps with Kotlin. The underlying OS still uses C and C++, though Google today announced Android Open Source Project (AOSP) support for Rust. From a report: This is part of Google's work to address memory safety bugs in the operating system: "We invest a great deal of effort and resources into detecting, fixing, and mitigating this class of bugs, and these efforts are effective in preventing a large number of bugs from making it into Android releases. Yet in spite of these efforts, memory safety bugs continue to be a top contributor of stability issues, and consistently represent ~70% of Android's high severity security vulnerabilities."

The company believes that memory-safe languages, like Rust, are the "most cost-effective means for preventing memory bugs" in the bootloader, fastboot, kernel, and other low-level parts of the OS. Unlike C and C++, where developers manage memory lifetime, Rust "provides memory safety guarantees by using a combination of compile-time checks to enforce object lifetime/ownership and runtime checks to ensure that memory accesses are valid." Google has been working to add this support to AOSP for the past 18 months. Performance is equivalent to the existing languages, while increasing the effectiveness of current sandboxing and reducing the overall need for it. This allows for "new features that are both safer and lighter on resources." Other improvements include data concurrency, a more expressive type system, and safer integer handling.

Databases

LexisNexis To Provide Giant Database of Personal Information To ICE (theintercept.com) 64

An anonymous reader quotes a report from The Intercept: The popular legal research and data brokerage firm LexisNexis signed a $16.8 million contract to sell information to U.S. Immigration and Customs Enforcement, according to documents shared with The Intercept. The deal is already drawing fire from critics and comes less than two years after the company downplayed its ties to ICE, claiming it was "not working with them to build data infrastructure to assist their efforts." Though LexisNexis is perhaps best known for its role as a powerful scholarly and legal research tool, the company also caters to the immensely lucrative "risk" industry, providing, it says, 10,000 different data points on hundreds of millions of people to companies like financial institutions and insurance companies who want to, say, flag individuals with a history of fraud. LexisNexis Risk Solutions is also marketed to law enforcement agencies, offering "advanced analytics to generate quality investigative leads, produce actionable intelligence and drive informed decisions" -- in other words, to find and arrest people.

The LexisNexis ICE deal appears to be providing a replacement for CLEAR, a risk industry service operated by Thomson Reuters that has been crucial to ICE's deportation efforts. In February, the Washington Post noted that the CLEAR contract was expiring and that it was "unclear whether the Biden administration will renew the deal or award a new contract." LexisNexis's February 25 ICE contract was shared with The Intercept by Mijente, a Latinx advocacy organization that has criticized links between ICE and tech companies it says are profiting from human rights abuses, including LexisNexis and Thomson Reuters. The contract shows LexisNexis will provide Homeland Security investigators access to billions of different records containing personal data aggregated from a wide array of public and private sources, including credit history, bankruptcy records, license plate images, and cellular subscriber information. The company will also provide analytical tools that can help police connect these vast stores of data to the right person.

In a statement to The Intercept, a LexisNexis Risk Solutions spokesperson said: "Our tool contains data primarily from public government records. The principal non-public data is authorized by Congress for such uses in the Drivers Privacy Protection Act and Gramm-Leach-Bliley Act statutes." They declined to say exactly what categories of data the company would provide ICE under the new contract, or what policies, if any, will govern how the agency uses it.

Google

Google Wins Oracle Copyright Fight as Top Court Overturns Ruling (bloomberg.com) 155

The U.S. Supreme Court ruled that Alphabet's Google didn't commit copyright infringement when it used Oracle's programming code in the Android operating system, sparing Google from what could have been a multibillion-dollar award. From a report: The 6-2 ruling, which overturns a victory for Oracle, marks a climax to a decade-old case that divided Silicon Valley and promised to reshape the rules for the software industry. Oracle was seeking as much as $9 billion. The court said Google engaged in legitimate "fair use" when it put key aspects of Oracle's Java programming language in the Android operating system. Writing for the court, Justice Stephen Breyer said Google used "only what was needed to allow users to put their accrued talents to work in a new and transformative program." Each side contended the other's position would undercut innovation. Oracle said that without strong copyright protection, companies would have less incentive to invest the large sums needed to create groundbreaking products. Google said Oracle's approach would discourage the development of new software that builds on legacy products.

Security

GitHub is Investigating Crypto-mining Campaign Abusing Its Server Infrastructure (therecord.media) 27

An anonymous Slashdot reader shared this report from The Record: Code-hosting service GitHub is actively investigating a series of attacks against its cloud infrastructure that allowed cybercriminals to implant and abuse the company's servers for illicit crypto-mining operations, a spokesperson told The Record today.

The attacks have been going on since the fall of 2020 and have abused a GitHub feature called GitHub Actions, which allows users to automatically execute tasks and workflows once a certain event happens inside one of their GitHub repositories. In a phone call today, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where GitHub Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.

But the attack doesn't rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said. The Dutch security engineer told us attackers specifically target GitHub project owners that have automated workflows that test incoming pull requests via automated jobs. Once one of these malicious Pull Requests is filed, GitHub's systems will read the attacker's code and spin up a virtual machine that downloads and runs cryptocurrency-mining software on GitHub's infrastructure.

Perdok, who's had projects abused this way, said he's seen attackers spin up to 100 crypto-miners via one attack alone, creating huge computational loads for GitHub's infrastructure. The attacks appear to be happening at random and at scale. Perdok said he identified at least one account creating hundreds of Pull Requests containing malicious code.
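As an added illustration of the pattern Perdok describes (this is not code from GitHub or The Record): a heuristic over pull-request events that flags PRs touching workflow files and accounts that open bursts of such PRs across many repositories. The event structure, the thresholds and the sample events are constructed assumptions.

```python
"""Heuristic flagging of the pull-request abuse pattern described above.

Added example, not code from GitHub or The Record. The attack in the post
needs only a filed pull request that adds or changes workflow files, and one
account was seen filing hundreds of them. This flags (1) PRs that touch
.github/workflows/ and (2) authors who open bursts of such PRs across many
repositories. Event shape, thresholds and sample events are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WORKFLOW_DIR = ".github/workflows/"


@dataclass
class PullRequestEvent:
    author: str
    repo: str
    opened_at: datetime
    changed_files: list[str] = field(default_factory=list)

    def touches_workflows(self) -> bool:
        """True if the PR adds or modifies any GitHub Actions workflow file."""
        return any(path.startswith(WORKFLOW_DIR) for path in self.changed_files)


def suspicious_authors(
    events: list[PullRequestEvent],
    window: timedelta = timedelta(hours=1),
    min_prs: int = 5,
    min_repos: int = 3,
) -> dict[str, dict[str, int]]:
    """Authors who opened >= min_prs workflow-touching PRs across >= min_repos
    repositories inside any span of length `window`. Returns the first
    qualifying burst per author as {"prs": n, "repos": m}."""
    by_author: dict[str, list[PullRequestEvent]] = defaultdict(list)
    for event in events:
        if event.touches_workflows():
            by_author[event.author].append(event)

    flagged: dict[str, dict[str, int]] = {}
    for author, prs in by_author.items():
        prs.sort(key=lambda e: e.opened_at)
        start = 0
        for end in range(len(prs)):  # sliding window over time-ordered PRs
            while prs[end].opened_at - prs[start].opened_at > window:
                start += 1
            burst = prs[start:end + 1]
            repos = {e.repo for e in burst}
            if len(burst) >= min_prs and len(repos) >= min_repos:
                flagged[author] = {"prs": len(burst), "repos": len(repos)}
                break
    return flagged


# Constructed sample: one account spraying workflow PRs, one regular contributor.
BASE = datetime(2021, 3, 1, 12, 0)
REPOS = ["org-a/app", "org-b/lib", "org-c/tool", "org-d/site"]
SAMPLE_EVENTS = [
    PullRequestEvent("mass-forker", REPOS[i % len(REPOS)],
                     BASE + timedelta(minutes=3 * i), [".github/workflows/ci.yml"])
    for i in range(8)
] + [
    PullRequestEvent("regular-dev", "org-a/app", BASE + timedelta(minutes=10),
                     ["src/parser.py", "tests/test_parser.py"]),
    PullRequestEvent("regular-dev", "org-a/app", BASE + timedelta(minutes=40),
                     [".github/workflows/ci.yml"]),
]

if __name__ == "__main__":
    print(suspicious_authors(SAMPLE_EVENTS))
```

A flagged author is a prompt for a human to look before any automated job runs on the PR, not proof of abuse; legitimate bulk CI updates across an organisation will trip the same heuristic.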

Programming

Node.js Rival Deno Gets Seed Capital For Full-time Deno Engineers (infoworld.com) 74

"The creators of Deno have formed the Deno Company, a business venture around the JavaScript/TypeScript runtime and rival to Node.js," reports InfoWorld: In a bulletin on March 29, Deno creator Ryan Dahl and Bert Belder, both of whom also led the development of Node.js, announced the formation of the company and said they had $4.9 million in seed capital, enough to pay for a staff of full-time engineers working to improve Deno...

Dahl and Belder said that, while they planned to pursue commercial applications of Deno, Deno itself would remain MIT-licensed, adding that for Deno to be maximally useful it must remain permissively free. "Our business will build on the open source project, not attempt to monetize it directly," the Deno authors said.

From their announcement: We find server-side JavaScript hopelessly fragmented, deeply tied to bad infrastructure, and irrevocably ruled by committees without the incentive to innovate. As the browser platform moves forward at a rapid pace, server-side JavaScript has stagnated. Deno is our attempt to breathe new life into this ecosystem...

Not every use-case of server-side JavaScript needs to access the file system; our infrastructure makes it possible to compile out unnecessary bindings. This allows us to create custom runtimes for different applications: Electron-style GUIs, Cloudflare Worker-style Serverless Functions, embedded scripting for databases, etc.

Programming

Turing Award Goes To Creators of Computer Programming Building Blocks (nytimes.com) 48

Jeffrey Ullman and Alfred Aho developed many of the fundamental concepts that researchers use when they build new software. From a report: When Alfred Aho and Jeffrey Ullman met while waiting in the registration line on their first day of graduate school at Princeton University in 1963, computer science was still a strange new world. Using a computer required a set of esoteric skills typically reserved for trained engineers and mathematicians. But today, thanks in part to the work of Dr. Aho and Dr. Ullman, practically anyone can use a computer and program it to perform new tasks. On Wednesday, the Association for Computing Machinery, the world's largest society of computing professionals, said Dr. Aho and Dr. Ullman would receive this year's Turing Award for their work on the fundamental concepts that underpin computer programming languages. Given since 1966 and often called the Nobel Prize of computing, the Turing Award comes with a $1 million prize, which the two academics and longtime friends will split. Dr. Aho and Dr. Ullman helped refine one of the key components of a computer: the "compiler" that takes in software programs written by humans and turns them into something computers can understand.

Over the past five decades, computer scientists have built increasingly intuitive programming languages, making it easier and easier for people to create software for desktops, laptops, smartphones, cars and even supercomputers. Compilers ensure that these languages are efficiently translated into the ones and zeros that computers understand. Without their work, "we would not be able to write an app for our phones," said Krysta Svore, a researcher at Microsoft who studied with Mr. Aho at Columbia University, where he was chairman of the computer science department. "We would not have the cars we drive these days." The researchers also wrote many textbooks and taught generations of students as they defined how computer software development was different from electrical engineering or mathematics. "Their fingerprints are all over the field," said Graydon Hoare, the creator of a programming language called Rust. He added that two of Dr. Ullman's books were sitting on the shelf beside him. After leaving Princeton, both Dr. Aho, a Canadian by birth who is 79, and Dr. Ullman, a native New Yorker who is 78, joined the New Jersey headquarters of Bell Labs, which was then one of the world's leading research labs.

Databases

SEGA Lawyers Demand 'Immediate Suspension' of Steam Database Over Alleged Piracy (torrentfreak.com) 66

An anonymous reader quotes a report from TorrentFreak: The popular and entirely legal Steam Database has found itself in a precarious position following two erroneous DMCA notices from SEGA. Steam Database's host is being asked to suspend the platform due to a claimed lack of response to the first notice. This prompted the site to take down entirely legal content in an effort to address the problem. [...]

TorrentFreak was able to review the notice sent by SEGA to SteamDB's host and it pulls no punches. SEGA doubles down by stating that SteamDB is illegally distributing the game Yakuza: Like a Dragon, noting that it has tried to inform SteamDB but was "not able" to resolve the issue. Worryingly, it then implies that legal action might be taken against SteamDB for non-compliance, adding that the host should "immediately suspend" SteamDB due to the alleged ongoing infringement. Which, of course, is not taking place.

This puts SteamDB's host in a tough position. Failure to act against an allegedly infringing customer can put the host at risk in terms of liability but disabling a customer's website can cause a whole new set of problems, especially when that customer has not infringed anyone's rights. In an effort to sort the problem out, SteamDB's host asked for additional input from the operators of SteamDB but nevertheless warned that if that information was not received, it may still block the SteamDB server within 24 hours, as demanded in the SEGA takedown notice. In order to defuse the situation, SteamDB took down the allegedly-infringing page which as far as SEGA goes (and at least in theory) should solve the disconnection threat problem. However, the entire situation has proven counterproductive for SEGA too.

Programming

Apple's WWDC Stays Online-Only, Kicking Off June 7 (techcrunch.com) 17

Apple this morning announced that it will be returning to an all-virtual format for a second year. The company went online-only for the first time in 2020, as Covid-19 ground in-person events to a halt. From a report: While vaccine rollouts have begun in much of the world, the return of the in-person event industry still seems iffy for most of the rest of the year. The event will run June 7-11. "We are working to make WWDC21 our biggest and best yet, and are excited to offer Apple developers new tools to support them as they create apps that change the way we live, work, and play," Developer Relations VP Susan Prescott said in a release tied to the news. The virtual format certainly has its advantage -- accessibility being at the top of the list. Apple said last year's was its "biggest ever," and expects roughly 28 million developers from around the world at this one. In addition to not having to deal with traveling -- not to mention the South Bay hotel crunch -- the company offers up free access to the event for all qualified developers.

PHP

PHP's Git Server Hacked To Add Backdoors To PHP Source Code (bleepingcomputer.com) 87

dotancohen writes: Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src Git repository. These commits were pushed to create a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP and an HTTP header. "The incident is alarming considering PHP remains the server-side programming language to power over 79% of the websites on the Internet," adds BleepingComputer.

"In the malicious commits [1, 2] the attackers published a mysterious change upstream, 'fix typo' under the pretense this was a minor typographical correction. However, taking a look at the added line 370 where zend_eval_string function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on a website running this hijacked version of PHP."

According to Popov, the first commit was detected a couple of hours after it was made, and the changes were reverted right away. "Although a complete investigation of the incident is ongoing, according to PHP maintainers, this malicious activity stemmed from the compromised git.php.net server, rather than compromise of an individual's Git account," reports BleepingComputer. "As a precaution following this incident, PHP maintainers have decided to migrate the official PHP source code repository to GitHub."
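Both PHP posts on this page describe the same trigger: a request containing the string "zerodium" makes the backdoored build evaluate the contents of a "User-Agentt" header. The following is an added example, not code from the PHP project or from either report, showing how a reverse proxy or log pipeline could flag such probes; the list of well-known header names, the edit-distance check for typo-squatted header names and the sample requests are the author's assumptions and constructed input.

```python
"""Flag HTTP requests matching the trigger of the March 2021 php-src backdoor.

Added example: the backdoored build evaluated the contents of a "User-Agentt"
header when the request contained the string "zerodium". This module flags
that header, that string, and (as a generalisation) any header name that is
a one-character variant of a well-known header, which is how the trigger
header hid in plain sight. All sample requests below are constructed.
"""
from __future__ import annotations

# Common request headers a proxy would expect to see (assumed list).
KNOWN_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "content-type", "content-length", "cookie", "authorization", "referer",
    "connection", "x-forwarded-for", "cache-control",
}
TRIGGER_STRING = "zerodium"      # from the public incident reports
BACKDOOR_HEADER = "user-agentt"  # from the public incident reports


def edit_distance_one(a: str, b: str) -> bool:
    """True if a becomes b with exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def parse_request_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request (request line skipped)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def inspect_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for one request; an empty list means nothing matched."""
    findings: list[str] = []
    for name, value in headers.items():
        lname = name.lower()  # header names are case-insensitive
        if lname == BACKDOOR_HEADER:
            findings.append(f"backdoor trigger header present: {name}")
        elif lname not in KNOWN_HEADERS:
            # Look for typo-squats of well-known header names.
            for known in sorted(KNOWN_HEADERS):
                if edit_distance_one(lname, known):
                    findings.append(f"header {name!r} is a one-character variant of {known!r}")
                    break
        if TRIGGER_STRING in value.lower():
            findings.append(f"trigger string {TRIGGER_STRING!r} in header {name}")
    return findings


# Constructed sample requests: a normal request and a probe for the backdoor.
BENIGN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
PROBE_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "User-Agentt: zerodium PLACEHOLDER-NOT-A-PAYLOAD\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_REQUEST), ("probe", PROBE_REQUEST)):
        print(label, inspect_headers(parse_request_headers(raw)) or "clean")
```

Seeing the probe in logs does not mean the server is backdoored, only that someone is checking; the fix for the build itself is to verify it was not produced from the reverted commits.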

Security

'Incompetent Developers' Blamed For NZ Patient Privacy Breach of COVID-19 Vaccine Booking Systems (stuff.co.nz) 54

An anonymous reader writes: The New Zealand Ministry of Health has launched a "sweeping review" of the nation's COVID vaccine-booking system, after a data breach led to exposure of personal information for more than 700 patients. A whistleblower reported over the weekend that they could access information about other patients, which was "readily accessible within the public-facing code of the website" -- apparently hard coded.

As a response, the Ministry of Health has ordered a review of all systems made by the developer, Valentia Technologies, which also makes software used by the Ambulance service, many GP practices, and the managed isolation and quarantine system.

"It is not a coding error. It is incompetence. The developer who developed this is incompetent ... This is basic stuff," said the man who spotted the booking system problem.

"The source code of the website flagged a few concerning features, including someone's name, and an NHI number hard coded into the website, for what reason? I don't know," he said. "We could see everyone's details. We skimmed through, we didn't look at names, but their names, dates of birth, NHI numbers for those who entered them, contact details, where they were getting their vaccinations, what time they were vaccinated."

He said it appeared that Canterbury DHB had used a modified internal system to create the booking system. "You can tell by the source code, this was never meant to be a public facing website. This was only for people to use on like iPads, in doctors' surgeries, it was not supposed to be for this."
The Internet

On cURL's 23rd Anniversary, Creator Daniel Stenberg Celebrated With 3D-Printed 'GitHub Steel' Contribution Graph (daniel.haxx.se) 25

This week Swedish developer Daniel Stenberg posted a remarkable reflection on the 23rd anniversary of his command-line data tool, cURL: curl was adopted in Red Hat Linux in late 1998, became a Debian package in May 1999, shipped in Mac OS X 10.1 in August 2001. Today, it is also shipped by default in Windows 10 and in iOS and Android devices. Not to mention the game consoles, Nintendo Switch, Xbox and Sony PS5.

Amusingly, libcurl is used by the two major mobile OSes but not provided as an API by them, so lots of apps, including many extremely large volume apps, bundle their own libcurl build: YouTube, Skype, Instagram, Spotify, Google Photos, Netflix etc. Meaning that most smartphone users today have many separate curl installations in their phones.

Further, libcurl is used by some of the most played computer games of all times: GTA V, Fortnite, PUBG mobile, Red Dead Redemption 2 etc.

libcurl powers media players and set-top boxes such as Roku, Apple TV by maybe half a billion TVs.

curl and libcurl ship in virtually every Internet server and are the default transfer engine in PHP, which is found in almost 80% of the world's almost two billion websites.

Cars are Internet-connected now. libcurl is used in virtually every modern car these days to transfer data to and from the vehicles.

Then add media players, kitchen and medical devices, printers, smart watches and lots of "smart" IoT things. Practically speaking, just about every Internet-connected device in existence runs curl.

I'm convinced I'm not exaggerating when I claim that curl exists in over ten billion installations world-wide...

Those 300 lines of code in late 1996 have grown to 172,000 lines in March 2021.

Stenberg attributes cURL's success to persistence. "We hold out. We endure and keep polishing. We're here for the long run. It took me two years (counting from the precursors) to reach 300 downloads. It took another ten or so until it was really widely available and used." But he adds that 22 different CPU architectures and 86 different operating systems are now known to have run curl.

In a later blog post titled "GitHub Steel," Stenberg also reveals that GitHub gave him a 3D-printed steel version of his 2020 GitHub contribution matrix — accompanied by a friendly note. "Please accept this small gift as a token of appreciation on behalf of all of us here at GitHub, and everyone who benefits from your work."
Programming

Will Programming by Voice Be the Next Frontier in Software Development? (ieee.org) 119

Two software engineers with injuries or chronic pain conditions have both started voice-coding platforms, reports IEEE Spectrum. "Programmers utter commands to manipulate code and create custom commands that cater to and automate their workflows." The voice-coding app Serenade, for instance, has a speech-to-text engine developed specifically for code, unlike Google's speech-to-text API, which is designed for conversational speech. Once a software engineer speaks the code, Serenade's engine feeds that into its natural-language processing layer, whose machine-learning models are trained to identify and translate common programming constructs to syntactically valid code...

Talon has several components to it: speech recognition, eye tracking, and noise recognition. Talon's speech-recognition engine is based on Facebook's Wav2letter automatic speech-recognition system, which [founder Ryan] Hileman extended to accommodate commands for voice coding. Meanwhile, Talon's eye tracking and noise-recognition capabilities simulate navigating with a mouse, moving a cursor around the screen based on eye movements and making clicks based on mouth pops. "That sound is easy to make. It's low effort and takes low latency to recognize, so it's a much faster, nonverbal way of clicking the mouse that doesn't cause vocal strain," Hileman says...

Open-source voice-coding platforms such as Aenea and Caster are free, but both rely on the Dragon speech-recognition engine, which users will have to purchase themselves. That said, Caster offers support for Kaldi, an open-source speech-recognition tool kit, and Windows Speech Recognition, which comes preinstalled in Windows.
