Programming

Microsoft's Rust Experiments Are Going Well, But Some Features Are Missing (zdnet.com)

Microsoft gave a status update today on its experiments on using the Rust programming language instead of C and C++ to write Windows components. From a report: Microsoft began experimenting with Rust over the summer. The Redmond-based software giant said it was interested in Rust because, over the past decade, more than 70% of the security patches it shipped out fixed memory-related bugs, an issue that Rust was created to address.

[...] Today, almost four months later, we got the first feedback. "I've been tasked with an experimental rewrite of a low-level system component of the Windows codebase (sorry, we can't say which one yet)," said Adam Burch, Software Engineer at the Microsoft Hyper-V team, in a blog post today. "Though the project is not yet finished, I can say that my experience with Rust has been generally positive," Burch added. "In general, new components or existing components with clean interfaces will be the easiest to port to Rust," the Microsoft engineer said. However, not all things went smoothly. It would have been unrealistic if we expected they would. Burch cited the lack of safe transmutation, safe support for C style unions, fallible allocation, and a lack of support for at-scale unit testing, needed for Microsoft's sprawling code-testing infrastructure.
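The three gaps Burch names are easier to see in code. What follows is an added example written for this page, not code from Microsoft or from Burch's post: a constructed 8-byte header type, the transmute a C programmer would reach for next to the hand-written safe parse that Rust currently requires, a C-style union whose every read is unsafe, and an allocation that reports failure instead of aborting the process. Header, Word, split_bytes and buffer_for are this example's own names; Vec::try_reserve_exact was stabilised in Rust 1.57, well after this post, which is the fallible-allocation gap Burch was hitting at the time.

```rust
use std::collections::TryReserveError;
use std::convert::TryInto;

/// Constructed 8-byte header layout used only for this example.
#[repr(C)]
#[derive(Debug, PartialEq, Clone, Copy)]
pub struct Header {
    pub magic: u32,
    pub len: u16,
    pub flags: u16,
}

/// The C habit: reinterpret the bytes in place. `transmute` only checks that
/// both types have the same size. It does not validate the bit pattern, so
/// for a target with invalid states (bool, enum, reference) this is UB; here
/// both sides are eight bytes of plain integers, so it is sound but host-endian.
/// "Safe transmutation" would let the compiler prove that for you.
pub unsafe fn header_from_bytes_unchecked(raw: [u8; 8]) -> Header {
    std::mem::transmute::<[u8; 8], Header>(raw)
}

/// What you write instead today: parse each field with an explicit byte
/// order and a length check. Correct, but boilerplate for every POD struct
/// in a kernel-style component.
pub fn header_from_bytes(raw: &[u8]) -> Option<Header> {
    if raw.len() < 8 {
        return None;
    }
    let magic = u32::from_le_bytes(raw[0..4].try_into().ok()?);
    let len = u16::from_le_bytes(raw[4..6].try_into().ok()?);
    let flags = u16::from_le_bytes(raw[6..8].try_into().ok()?);
    Some(Header { magic, len, flags })
}

/// C-style union. Rust has `union`, but every field read is `unsafe` because
/// the compiler cannot know which field was written last.
#[repr(C)]
pub union Word {
    pub whole: u32,
    pub bytes: [u8; 4],
}

pub fn split_bytes(w: u32) -> [u8; 4] {
    let u = Word { whole: w };
    // SAFETY: every bit pattern is valid for both u32 and [u8; 4], so reading
    // the other field cannot yield an invalid value. Byte order is host order.
    unsafe { u.bytes }
}

/// Fallible allocation. `Vec::with_capacity(len)` aborts the whole process on
/// allocation failure, which a kernel component cannot tolerate;
/// `try_reserve_exact` (stable since Rust 1.57) reports it as an error instead.
pub fn buffer_for(len: usize) -> Result<Vec<u8>, TryReserveError> {
    let mut v = Vec::new();
    v.try_reserve_exact(len)?;
    Ok(v)
}

fn main() {
    // Constructed little-endian input: magic 0xDEADBEEF, len 16, flags 3.
    let raw: [u8; 8] = [0xEF, 0xBE, 0xAD, 0xDE, 0x10, 0x00, 0x03, 0x00];
    println!("{:?}", header_from_bytes(&raw));
    println!("{:?}", split_bytes(0x0102_0304));
    println!("huge alloc failed cleanly: {}", buffer_for(usize::MAX).is_err());
}
```

The safe parser is what a port has to write by hand for every plain-data struct today; the unchecked version is one line, which is why a kernel team keeps asking for a checked equivalent.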

Databases

Mysterious Hacker Dumps Database of Infamous IronMarch Neo-Nazi Forum (zdnet.com)

Freshly Exhumed shares a report from ZDNet: A mysterious hacker has published today a database dump of one of the internet's most infamous neo-nazi meeting places -- the IronMarch forum. The data published today includes a full copy of its content, including sensitive details such as emails, IP addresses, usernames, and private messages. The database dump is currently being analyzed by a multitude of entities, including law enforcement, in the hopes of linking forum members to accounts on other sites and potentially exposing their real-world identities. The drive to unmask forum members comes from the fact that IronMarch, while a little-known site to most internet users, has been the birthplace of two of today's most extreme far-right neo-nazi movements -- the Atomwaffen Division and SIEGE Culture -- with the first being accused of orchestrating at least eight murders around the world. The forum's data was published earlier today via the Internet Archive portal.

"The published information includes a carbon copy of the site, from user details to forum posts, and from private messages to multi-factor authentication settings and forum management logs," reports BleepingComputer. "The forum's database includes details on 3,548 registered profiles. The last user's database ID is 15,218; however, the dump only included details on 3,548 accounts -- most likely due to spam or deleted profiles. The registration date for the last user is November 20, 2017, suggesting the database is a copy of the site near the time it went offline."
Databases

'Game-Changer' Warrant Let Detective Search Genetic Database (nytimes.com)

An anonymous reader quotes a report from The New York Times: Last week, a Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly one million users. Legal experts said that this appeared to be the first time a judge had approved such a warrant, and that the development could have profound implications for genetic privacy. "That's a huge game-changer," said Erin Murphy, a law professor at New York University. "The company made a decision to keep law enforcement out, and that's been overridden by a court. It's a signal that no genetic information can be safe."

DNA policy experts said the development was likely to encourage other agencies to request similar search warrants from 23andMe, which has 10 million users, and Ancestry.com, which has 15 million. If that comes to pass, the Florida judge's decision will affect not only the users of these sites but huge swaths of the population, including those who have never taken a DNA test. That's because this emerging forensic technique makes it possible to identify a DNA profile even through distant family relationships. [...] Genetic genealogy experts said that until now, the law enforcement community had been deliberately cautious about approaching the consumer sites with court orders: If users get spooked and abandon the sites, they will become much less useful to investigators. Barbara Rae-Venter, a genetic genealogist who works with law enforcement, described the situation as "Don't rock the boat."
A spokesman for 23andMe said in a statement: "We never share customer data with law enforcement unless we receive a legally valid request such as a search warrant or written court order. Upon receipt of an inquiry from law enforcement, we use all practical legal measures to challenge such requests in order to protect our customers' privacy." Ancestry.com did not respond to request for comment.
Facebook

Facebook Says 100 Software Developers May Have Improperly Accessed User Data (cnbc.com)

Facebook on Tuesday said that as many as 100 software developers may have improperly accessed user data, including the names and profile pictures of people in specific groups on the social network. CNBC reports: The company recently discovered that some apps retained access to this type of user data despite making changes to its service in April 2018 to prevent this, Facebook said in a blog post. The company said it has removed this access and reached out to 100 developer partners who may have accessed the information. Facebook said that at least 11 developer partners accessed this type of data in the last 60 days.

"Although we've seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted," the company said in the blog post. The company did not say how many users were affected.

Oracle

Oracle Revives Charges That Pentagon Bid Was Tainted by Amazon Conflicts (bloomberg.com)

Oracle opened its appeal in a legal challenge of a Pentagon cloud-computing contract valued at as much as $10 billion with a familiar argument: the procurement was unfairly tailored for Amazon.com. From a report: In its opening brief, which was filed on Friday, Oracle said the cloud project violated federal procurement law and was tainted by relationships between former Pentagon officials and Amazon. Oracle is appealing a July ruling from the U.S. Court of Federal Claims that dismissed its legal challenge of the cloud contract based on similar claims. At the same time, Amazon is mulling its own potential legal challenge of the project after losing the deal to Microsoft Corp. late last month, Bloomberg has reported. The legal challenges could revive fresh criticism from industry, lawmakers and analysts of the Pentagon's handling of the controversial cloud project, known as the Joint Enterprise Defense Infrastructure, or JEDI. The project is designed to consolidate the Pentagon's cloud computing infrastructure and modernize its technology systems. The Defense Department is facing accusations that former employees with ties to Amazon may have structured the deal to favor Amazon and that President Donald Trump may have unfairly intervened in the process against Amazon. Trump has long been at odds with Amazon Chief Executive Officer Jeff Bezos, who also owns the Washington Post.
Microsoft

Microsoft Launches Public Previews of Visual Studio Online and Power Virtual Agents (venturebeat.com)

An anonymous reader writes: At Ignite 2019 today, Microsoft launched Visual Studio Online public preview. Visual Studio Online meshes Visual Studio, cloud-hosted developer environments, and a web-based editor. AI, big data, and cloud computing are shifting development beyond the "standard issue development laptop," and Visual Studio Online is clearly a reflection of this trend. "Visual Studio Online philosophically (and technically) extends Visual Studio Code Remote Development to provide managed development environments that can be created on-demand and accessed from anywhere," Microsoft explained today. "These environments can be used for long-term projects, to quickly prototype a new feature, or for short-term tasks, like reviewing pull requests." The company also announced the public preview of its Power Virtual Agents tool, a new no-code tool for building chatbots that's part of the company's Power Platform, which also includes Microsoft Flow automation tool, which is being renamed to Power Automate today, and Power BI. From a report: Built on top of Azure's existing AI smarts and tools for building bots, Power Virtual Agents promises to make building a chatbot almost as easy as writing a Word document. With this, anybody within an organization could build a bot that walks a new employee through the onboarding experience for example. "Power virtual agent is the newest addition to the Power Platform family," said Microsoft's Charles Lamanna. "Power Virtual Agent is very much focused on the same type of low code, accessible to anybody, no matter whether they're a business user or business analyst or professional developer, to go build a conversational agent that's AI-driven and can actually solve problems for your employees, for your customers, for your partners, in a very natural way." 
Further reading: Microsoft rebrands Flow as Power Automate, adds RPA features and virtual agents; and Visual Studio IntelliCode gets whole-line code completions, dynamic refactoring detection.
Programming

Apple Now Rejects Electron Apps from Mac App Store (david.dev)

Mac developers are reporting that apps made using Electron (which is a framework that allows companies to ship web apps in a native app wrapper) are now being rejected by the automated Mac App Store review process. From a report: The apps in question are getting flagged because of their usage of private API calls. These API calls are not in the app itself, but part of the underlying Electron framework. The detected private API symbols include: "CAContext CALayerHost NSAccessibilityRemoteUIElement NSNextStepFrame NSThemeFrame NSURLFileTypeMappings." Apparently, the Electron framework has used these APIs for years. What has happened is that Apple has upgraded its server-side app review processes to detect more violations of its App Review guidelines, and now this private API usage is being identified. Individual Electron app makers are a bit helpless as the issue can only really be fixed by pushing changes in the Electron code itself. It does not appear that Electron is doing anything extreme, certainly nothing malicious. App Review doesn't care about why an app is using private API; it's a hard and fast rule (at least in theory).
Microsoft

Microsoft Announces It's Ready to Contribute to OpenJDK (jaxenter.com)

"In a message to the OpenJDK community, Bruno Borges announced that Microsoft has now formally signed the Oracle Contributor Agreement and has been welcomed to the Java community," reports JAXenter: He went on to reaffirm Microsoft's commitment to Java and that the team is looking forward to giving something back to the Java community. However, the team will not just barge in with a heavy hand, but will start with smaller bug fixes and the like so they can learn how to be "good citizens within OpenJDK."

Borges, himself a former Oracle developer, is Principal Product Manager for Java at Microsoft. He presents Martijn Verburg as the Java engineering team lead who will be working together along with other partners in the Java ecosystem. Verburg is also CEO of jClarity, a leading AdoptOpenJDK contributor acquired by Microsoft in August this year, so presumably he will stay true to form and continue to contribute to the Java world, only now with Microsoft at his back...

Microsoft's acquisition of jClarity was just the latest in their efforts to gain a foothold in the Java community. There are many Java developers and Java champions who now practice their trade under Microsoft's banner... At JAX London a few weeks ago, Program Chair Sebastian Meyen opened the conference by giving a speech in which he said "Microsoft is now a Java shop". He sees this as a great development, as "it's always good when industry giants stand behind Java."

Python

Python Creator Guido van Rossum Retires, Heads To Python Conference (zdnet.com)

"Guido van Rossum, the creator of the hugely popular Python programming language, is leaving cloud file storage firm Dropbox and heading into retirement," reports ZDNet: That ends his six and a half years with the company, which hired him in 2013 because so much of its functionality was built on Python. And, after last year stepping down from his leadership role over Python decision making, that means the Python creator is officially retiring....

According to Dropbox, in 2011, when van Rossum first met Dropbox CEO Drew Houston, the Dropbox server and desktop client were written "almost exclusively in Python". Today, Dropbox also relies on Go, TypeScript, and Rust, as well as the open source Mypy static type checker that Dropbox develops to manage Python code at scale. Mypy helps developers overcome the challenge of understanding dynamically typed Python code written by other developers in the past...

Dropbox said van Rossum has had a major impact on its engineering culture. "There was a small number of really smart, really young coders who produced a lot of very clever code that only they could understand," said van Rossum. "That is probably the right attitude to have when you're a really small startup." However, as Dropbox notes, when the company grew, new engineers could not understand the clever but 'short and cryptic' code written by and for earlier developers. Van Rossum called this "cowboy coding culture" and educated the company about the value of maintainable code. "When asked, I would give people my opinion that maintainable code is more important than clever code," he said.... Dropbox also credits van Rossum with sharpening the company's testing processes for its continuous integration program and helping engineers understand why tests were broken.

"Thank you, Guido" is the title of the post on Dropbox's blog announcing the news that van Rossum is now retiring. Sharing that article on Twitter Thursday, van Rossum added "It's bittersweet... I've learned a lot during my time as an engineer here -- e.g. type annotations came from this experience -- and I'll miss working here."

But by Friday he was heading off to the North Bay Python conference in Petaluma, California.
Privacy

DNA Databases Are a National Security Leak Waiting To Happen (technologyreview.com)

schwit1 writes: A private DNA ancestry database that's been used by police to catch criminals is a security risk from which a nation-state could steal DNA data on a million Americans, according to security researchers. Security flaws in the service, called GEDmatch, not only risk exposing people's genetic health information but could let an adversary such as China or Russia create a powerful biometric database useful for identifying nearly any American from a DNA sample. GEDMatch, which crowdsources DNA profiles, was created by genealogy enthusiasts to let people search for relatives and is run entirely by volunteers. It shows how a trend toward sharing DNA data online can create privacy risks affecting everyone, even people who don't choose to share their own information.

"You can replace your credit card number, but you can't replace your genome," says Peter Ney, a postdoctoral researcher in computer science at the University of Washington. Ney, along with professors and DNA security researchers Luis Ceze and Tadayoshi Kohno, described in a report posted online how they developed and tested a novel attack employing DNA data they uploaded to GEDmatch. Using specially designed DNA profiles, they say, they were able to run searches that let them guess more than 90% of the DNA data of other users. The founder of GEDmatch, Curtis Rogers, confirmed that the researchers alerted him to the threat during the summer.
"The same attack wouldn't work on other genealogy sites, like 23andMe, because they don't permit data uploads," the report notes. "Others, like MyHeritage, do allow uploads but don't give users as much information about their matches."

"The problem with GEDmatch is the browser is too good, and searches too deeply," says Erlich. "If I were them, I would remove it, fix it, then put it back."
Python

Python Adopts a 12-month Release Cycle (lwn.net)

The steering council of Python said it is adopting a 12-month release cycle as it seeks to bring more consistency to the schedule. In their mailing list they announced the change would mean developers would:
1. Know when to start testing the beta to provide feedback.
2. Know when to expect the RC so the community can prepare their projects for the final release.
3. Know when the final release will occur to coordinate their own releases (if necessary) when the final release of Python occurs.
4. Allow core developers to more easily plan their work to make sure work lands in the release they are targeting.
5. Make sure that core developers and the community have a shorter amount of time to wait for new features to be released.
They added: It should also fit into the release schedule of Linux distributions like Fedora better than previously proposed so the distributions can test the RC when they start preparing for their own October releases. If this turns out to be a mistake after we try it out for Python 3.9 we can then discuss going back to longer betas and shorter RCs for the release after that. This will not change when feature development is cut off relative to PyCon US nor the core dev sprints happening just before the final release or the alpha of the next version.
Bug

Complaints Mounting About iOS 13.2 Being 'More Aggressive at Killing Background Apps and Tasks' (macrumors.com)

Apple's iOS 13 has had a rocky start since its release last month, with it being among the most buggy Apple software releases in recent memory. Now, iPhone owners are complaining of yet another issue that may be bug-related. From a report: A growing number of iPhone and iPad users have complained about poor RAM management on iOS 13 and iPadOS 13, leading to apps like Safari, YouTube, and Overcast reloading more frequently upon being reopened. We've lightly edited some of the comments to correct things like capitalization.
Microsoft

Spain and GitHub Are Blocking an App That Helped Protesters Organize (vice.com)

An anonymous reader shares a report: People are rioting in the streets of Barcelona. For the last month, hundreds of thousands of people have joined demonstrations in Spain to voice their objection to the jailing of Catalan separatist leaders and support Catalonian independence. As with almost all modern activist and public protest movements, activists are using social media and apps to communicate with and organize public actions. But this week, in a move that puts the Spanish government on par with censorship-heavy places like China and Russia, the country requested that Github block access to one of those apps, by revoking local access to its Github repository. Github, which is owned by Microsoft, complied with the order.

According to Spanish news outlet El Confidencial, last week the government ordered takedowns of websites and an app made by Tsunami Democratic, an activist group organizing protests in the region. To try to keep access to the app download alive, Tsunami Democratic moved the .apk file to Github. But the government shut that down, too, blocking the site in Spain. Motherboard tested the download using a VPN, and the Github repo was blocked from Madrid. It's still accessible from the US. Currently, a version of Tsunami Democratic's website (but not its Github repo) is up.

Software

Text Editor Releases 'Free Uyghur' Edition, Gets Swamped With Chinese Spam (theverge.com)

An anonymous reader quotes a report from The Verge: This week, the developer of the popular text- and code-editing software Notepad++ released a new version update. Nothing seemed particularly strange about it, except maybe the name: Notepad++ v7.8.1 is the "Free Uyghur" edition. In a blog post announcing the updated version, developer Don Ho writes about the plight of the Uyghur people, an ethnic minority in China that's faced persecution from the country's authoritarian government. China operates internment camps that are used to detain Uyghur people throughout the country's Xinjiang region.

Since the announcement, the software's GitHub "issues" page has been bombarded with spam, much of it in the Chinese language. "Stop sending meaningless political-related issues, it just makes you look like an idiot," reads one comment. Another one simply reads, "Bye ! Uninstall." There's a litany of curses, and one asks, "What do you know about China?" Others have moved in to criticize the Chinese government in response. Ho told The Verge that the software's dedicated site was also under a distributed-denial-of-service attack, but that it has been stopped by an anti-DDoS service provided by the site's host.
Ho writes in the announcement that he anticipated potential pushback, saying "talking about politics is exactly what software and commercial companies generally try to avoid," but decided to take the step anyway. "The problem is," Ho writes in the announcement of the Free Uyghur edition, "if we don't deal with politics, politics will deal with us."
AI

AI Will Soon Be Able To Decode Your Poop

Microbial health company Seed is launching a campaign to collect 100,000 fecal photos to build what developers say is the world's first poop image database. The campaign dares you to "give a shit" for science by uploading photos of your feces so that scientists can use it to train an AI platform launched out of MIT. Developers say that your photos could potentially help the approximately 1 in 5 people in the U.S. who have chronic gut conditions like irritable bowel syndrome. The Verge reports: Here's how citizen scientists can contribute to the cause. To participate, go to seed.com/poop on your phone (because taking your laptop to the loo is weird, and the page doesn't allow you to submit a photo unless you're using your phone). Click on the big purple button that says "#GIVEaSHIT." You'll be prompted to enter your email address and whether you're on a morning, afternoon, or evening poop schedule. Then, if you've already dropped a deuce, you can take or upload your photo or you can ask for an email reminder to be sent to you according to the time you indicated. After you've submitted your stool for posterity, the image is separated from the metadata (your email address and other potentially identifying information) so that your donation can remain anonymous and HIPAA compliant.

A team of doctors will diligently look through every image received. (Yes, that is a real job for seven gastroenterologists who take notes on what they see in the pictures.) Poop can fall into seven categories identified along the Bristol stool scale, which can tell you and your doctor whether you're constipated, lacking fiber, have a serious case of the runs, or somewhere in between. The doctors' insights into your poop will help train artificial intelligence models to understand the same things the doctors see in the image. Similar training systems are used to teach self-driving cars how to identify a tree or a cat in the road, according to David Hachuel, a co-founder of the startup Auggi, which is building the platform.
Intel

Top Linux Developer On Intel Chip Security Problems: 'They're Not Going Away.' (zdnet.com)

During his Open Source Summit Europe keynote speech, Greg Kroah-Hartman, the stable Linux kernel maintainer, said Intel CPUs' security problems "are going to be with us for a very long time" and are "not going away." He added: "They're all CPU bugs, in some ways they're all the same problem," but each has to be solved in its own way. "MDS, RIDL, Fallout, Zombieload: They're all variants of the same basic problem." ZDNet reports: And they're all potentially deadly for your security: "RIDL and Zombieload, for example, can steal data across applications, virtual machines, even secure enclaves. The last is really funny, because [Intel Software Guard Extensions (SGX)] is what's supposed to be secure inside Intel chips" [but, it turns out it's] really porous. You can see right through this thing." To fix each problem as it pops up, you must patch both your Linux kernel and your CPU's BIOS and microcode. This is not a Linux problem; any operating system faces the same problem.

OpenBSD, a BSD Unix devoted to security first and foremost, Kroah-Hartman freely admits was the first to come up with what's currently the best answer for this class of security holes: Turn Intel's simultaneous multithreading (SMT) off and deal with the performance hit. Linux has adopted this method. But it's not enough. You must secure the operating system as each new way to exploit hyper-threading appears. For Linux, that means flushing the CPU buffers every time there's a context switch (e.g. when the CPU stops running one VM and starts another). You can probably guess what the trouble is. Each buffer flush takes a lot of time, and the more VMs, containers, whatever, you're running, the more time you lose.
"The bad part of this is that you now must choose: Performance or security. And that is not a good option," Kroah-Hartman said. He added: "If you are not using a supported Linux distribution kernel or a stable/long term kernel, you have an insecure system."
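A way to check what Kroah-Hartman describes on a running machine, as an added example that is not from his talk or the ZDNet article: the kernel publishes its own verdict on each CPU bug as one file per bug under /sys/devices/system/cpu/vulnerabilities, and the mds and tsx_async_abort entries append "SMT vulnerable" when the buffer-flush mitigation is in place but hyperthreading is still on, which is exactly the performance-versus-security trade-off he refers to. The directory is a parameter so the classifier can be run against a constructed copy; the Verdict type and the function names are this example's own.

```rust
use std::fs;
use std::path::Path;

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Verdict {
    NotAffected,
    Mitigated,
    /// A mitigation is active but the kernel says "SMT vulnerable": buffers
    /// are flushed on context switch, yet a sibling hyperthread can still
    /// sample them while this thread runs.
    MitigatedSmtOn,
    Vulnerable,
    Unknown,
}

/// Classify one file's contents as the kernel writes it under
/// /sys/devices/system/cpu/vulnerabilities/<name>.
pub fn classify(state: &str) -> Verdict {
    let s = state.trim();
    if s.starts_with("Not affected") {
        Verdict::NotAffected
    } else if s.starts_with("Vulnerable") {
        Verdict::Vulnerable
    } else if s.starts_with("Mitigation") {
        if s.contains("SMT vulnerable") {
            Verdict::MitigatedSmtOn
        } else {
            Verdict::Mitigated
        }
    } else {
        Verdict::Unknown
    }
}

/// Read every file in the directory and return (name, verdict) pairs sorted
/// by name. The directory is a parameter so a constructed copy can be used
/// for testing instead of the live sysfs tree.
pub fn scan(dir: &Path) -> std::io::Result<Vec<(String, Verdict)>> {
    let mut out = Vec::new();
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        if !entry.file_type()?.is_file() {
            continue;
        }
        let name = entry.file_name().to_string_lossy().into_owned();
        let state = fs::read_to_string(entry.path())?;
        out.push((name, classify(&state)));
    }
    out.sort_by(|a, b| a.0.cmp(&b.0));
    Ok(out)
}

/// True only when every entry is either not affected or fully mitigated;
/// an "SMT vulnerable" mitigation counts as not clear.
pub fn all_clear(results: &[(String, Verdict)]) -> bool {
    results
        .iter()
        .all(|(_, v)| matches!(v, Verdict::NotAffected | Verdict::Mitigated))
}

/// The SMT knob itself: "on", "off", "forceoff", "notsupported" or
/// "notimplemented". Writing "off" to this file is the OpenBSD-style answer.
pub fn smt_control() -> Option<String> {
    fs::read_to_string("/sys/devices/system/cpu/smt/control")
        .ok()
        .map(|s| s.trim().to_string())
}

fn main() {
    let dir = Path::new("/sys/devices/system/cpu/vulnerabilities");
    match scan(dir) {
        Ok(results) => {
            for (name, v) in &results {
                println!("{:<20} {:?}", name, v);
            }
            println!("smt/control = {:?}", smt_control());
            println!("all clear: {}", all_clear(&results));
        }
        Err(e) => eprintln!("cannot read {}: {}", dir.display(), e),
    }
}
```

Run it after a kernel or microcode update: a Mitigated line for every bug with smt/control reading "off" is the configuration he describes, and any MitigatedSmtOn line means you have taken the buffer-flush cost without closing the cross-thread leak.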
Education

Ask Slashdot: How Was the Quality of Your Academic Tech Education?

dryriver writes: In talking to people who are doing software development or other tech work, many told me that they found their tech education at university lacking in various ways. Some were taught outdated software, programming languages, methods, techniques or approaches. Others had problems with academia hostile to new ideas or creative problem solving. Some didn't get enough recognition for the coursework they did at university. Others couldn't get into top-tier universities when they were finishing high school aged 17 or 18 and got a second-rate tech education at a lower-quality academic institution as a result. So to the question: How was the quality of your tech education at university? Was the curriculum up to date? Were you taught the right things? Was academia open to new ideas and new ways of doing things? Did your education prepare you well for real life tech work in a non-academic environment?
Programming

Apple, Your Developer Documentation Is Garbage (chriskrycho.com)

Software developer Chris Krycho writes: Over the past few months, I have been trying to get up to speed on the Apple developer ecosystem, as part of working on my rewrite project. This means I have been learning Swift (again), SwiftUI, and (barely) the iOS and macOS APIs. It has been terrible. The number of parts of this ecosystem which are entirely undocumented is frankly shocking to me. Some context: I have spent the last five years working very actively in the JavaScript front-end application development world, working in first AngularJS and then Ember.js. Ember's docs once had a reputation of being pretty bad, but in the ~4 years I've been working with it, they've gone from decent to really good. On the other hand, when I was working in AngularJS 5 years ago, I often threw up my hands in quiet despair at the utter lack of explanation (or, occasionally, the inane explanations) of core concepts. I thought that would have to be the absolute worst a massive tech company (in that case, Google) providing public apis could possibly do. I was wrong.

The current state of Apple's software documentation is the worst I've ever seen for any framework anywhere. Swift itself is relatively well covered (courtesy of the well-written and well-maintained book). But that's where the good news ends. Most of SwiftUI is entirely undocumented -- not even a single line explanation of what a given type or modifier does. Swift Package Manager has okay docs, but finding out the limits of what it can or can't do from the official docs is difficult to impossible; I got my ground truth from Stack Overflow questions. I've repeatedly been reduced to searching through WWDC video transcripts to figure out where someone says something relevant to whatever I'm working on.
Several people have complained in recent years that Apple's documentation is often incomplete or missing altogether. A developer has tried to figure out. Accidental Tech Podcast, a popular podcast that talks about Apple's ecosystem, discussed the issue in a recent episode.
Java

New in Java 13: Text Blocks (oracle.com)

The October issue of Oracle's Java magazine includes an article reminding us that Java 13 includes a long-awaited new feature: text blocks. With text blocks, Java 13 is making it easier for you to work with multiline string literals. You no longer need to escape the special characters in string literals or use concatenation operators for values that span multiple lines. You can also control how to format your strings. Text blocks -- Java's term for multiline strings -- immensely improve the readability of your code...

A text block is defined using three double quotes (""") as the opening and closing delimiters. The opening delimiter can be followed by zero or more white spaces and a line terminator. A text block value begins after this line terminator.

Networking

Nasty PHP7 Remote Code Execution Bug Exploited in the Wild on NGINX Servers (zdnet.com)

nickwinlund77 shares this story from ZDNet: A recently patched security flaw in modern versions of the PHP programming language is being exploited in the wild to take over servers, ZDNet has learned from threat intelligence firm Bad Packets. The vulnerability is a remote code execution (RCE) in PHP 7, the newer branch of PHP, the most common programming language used to build websites.

The issue, tracked as CVE-2019-11043, lets attackers run commands on servers just by accessing a specially-crafted URL. Exploiting the bug is trivial, and public proof-of-concept exploit code has been published on GitHub earlier this week. Only NGINX servers with PHP-FPM enabled are vulnerable. PHP-FPM, or FastCGI Process Manager, is an alternative PHP FastCGI implementation with some additional features, and according to reports, a common server configuration option.
