Facebook

Facebook Says 100 Software Developers May Have Improperly Accessed User Data (cnbc.com) 17

Facebook on Tuesday said that as many as 100 software developers may have improperly accessed user data, including the names and profile pictures of people in specific groups on the social network. CNBC reports: The company recently discovered that some apps retained access to this type of user data despite making changes to its service in April 2018 to prevent this, Facebook said in a blog post. The company said it has removed this access and reached out to 100 developer partners who may have accessed the information. Facebook said that at least 11 developer partners accessed this type of data in the last 60 days.

"Although we've seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted," the company said in the blog post. The company did not say how many users were affected.

Oracle

Oracle Revives Charges That Pentagon Bid Was Tainted by Amazon Conflicts (bloomberg.com) 47

Oracle opened its appeal in a legal challenge of a Pentagon cloud-computing contract valued at as much as $10 billion with a familiar argument: the procurement was unfairly tailored for Amazon.com. From a report: In its opening brief, which was filed on Friday, Oracle said the cloud project violated federal procurement law and was tainted by relationships between former Pentagon officials and Amazon. Oracle is appealing a July ruling from the U.S. Court of Federal Claims that dismissed its legal challenge of the cloud contract based on similar claims. At the same time, Amazon is mulling its own potential legal challenge of the project after losing the deal to Microsoft Corp. late last month, Bloomberg has reported. The legal challenges could revive fresh criticism from industry, lawmakers and analysts of the Pentagon's handling of the controversial cloud project, known as the Joint Enterprise Defense Infrastructure, or JEDI. The project is designed to consolidate the Pentagon's cloud computing infrastructure and modernize its technology systems. The Defense Department is facing accusations that former employees with ties to Amazon may have structured the deal to favor Amazon and that President Donald Trump may have unfairly intervened in the process against Amazon. Trump has long been at odds with Amazon Chief Executive Officer Jeff Bezos, who also owns the Washington Post.
Microsoft

Microsoft Launches Public Previews of Visual Studio Online and Power Virtual Agents (venturebeat.com) 43

An anonymous reader writes: At Ignite 2019 today, Microsoft launched Visual Studio Online public preview. Visual Studio Online meshes Visual Studio, cloud-hosted developer environments, and a web-based editor. AI, big data, and cloud computing are shifting development beyond the "standard issue development laptop," and Visual Studio Online is clearly a reflection of this trend. "Visual Studio Online philosophically (and technically) extends Visual Studio Code Remote Development to provide managed development environments that can be created on-demand and accessed from anywhere," Microsoft explained today. "These environments can be used for long-term projects, to quickly prototype a new feature, or for short-term tasks, like reviewing pull requests." The company also announced the public preview of its Power Virtual Agents tool, a new no-code tool for building chatbots that's part of the company's Power Platform, which also includes Microsoft Flow automation tool, which is being renamed to Power Automate today, and Power BI. From a report: Built on top of Azure's existing AI smarts and tools for building bots, Power Virtual Agents promises to make building a chatbot almost as easy as writing a Word document. With this, anybody within an organization could build a bot that walks a new employee through the onboarding experience for example. "Power virtual agent is the newest addition to the Power Platform family," said Microsoft's Charles Lamanna. "Power Virtual Agent is very much focused on the same type of low code, accessible to anybody, no matter whether they're a business user or business analyst or professional developer, to go build a conversational agent that's AI-driven and can actually solve problems for your employees, for your customers, for your partners, in a very natural way." 
Further reading: Microsoft rebrands Flow as Power Automate, adds RPA features and virtual agents; and Visual Studio IntelliCode gets whole-line code completions, dynamic refactoring detection.
Programming

Apple Now Rejects Electron Apps from Mac App Store (david.dev) 124

Mac developers are reporting that apps made using Electron (a framework that lets companies ship web apps in a native app wrapper) are now being rejected by the automated Mac App Store review process. From a report: The apps in question are getting flagged because of their usage of private API calls. These API calls are not in the app itself, but part of the underlying Electron framework. The detected private API symbols include: CAContext, CALayerHost, NSAccessibilityRemoteUIElement, NSNextStepFrame, NSThemeFrame, and NSURLFileTypeMappings. Apparently, the Electron framework has used these APIs for years. What has happened is that Apple has upgraded its server-side app review processes to detect more violations of its App Review guidelines, and now this private API usage is being identified. Individual Electron app makers are a bit helpless, as the issue can only really be fixed by pushing changes in the Electron code itself. It does not appear that Electron is doing anything extreme, certainly nothing malicious. App Review doesn't care about why an app is using private API; it's a hard and fast rule (at least in theory).
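A quick way to see whether a build still references the symbols named above, as an added example that is not code from the report or from the Electron project: scan the framework binary for those names. The script assumes the binary to scan is passed as a path; for an Electron app the file is assumed to live at MyApp.app/Contents/Frameworks/Electron Framework.framework/Electron Framework (an assumption, check your bundle). The file scanned in the usage at the bottom is a constructed stand-in so the script runs without an app bundle.

```shell
#!/bin/sh
# Added example, not from the report or the Electron project: report which of the
# private API symbol names flagged by App Review occur in a given binary.
# Assumed path for an Electron app (verify against your bundle):
#   MyApp.app/Contents/Frameworks/Electron Framework.framework/Electron Framework

PRIVATE_SYMS='CAContext CALayerHost NSAccessibilityRemoteUIElement NSNextStepFrame NSThemeFrame NSURLFileTypeMappings'

# find_private_syms FILE
# Prints each listed symbol name found in FILE, one per line. The match is a raw
# substring search over the bytes (grep -a), so Objective-C class metadata such as
# _OBJC_CLASS_$_CALayerHost is caught as well. Returns 1 if anything was found.
find_private_syms() {
    hits=0
    for s in $PRIVATE_SYMS; do
        if grep -a -q -- "$s" "$1"; then
            echo "$s"
            hits=1
        fi
    done
    return $hits
}

# Constructed stand-in for a framework binary: NUL-separated strings like a Mach-O
# string table would contain, with two of the flagged names present.
sample=$(mktemp)
printf 'junk\0_OBJC_CLASS_$_CALayerHost\0NSThemeFrame\0more junk\n' > "$sample"

if find_private_syms "$sample"; then
    echo "no listed private symbols referenced"
else
    echo "listed private symbols present: App Review will flag this build"
fi
rm -f "$sample"
```

Because this is a string match, a hit tells you the name is present somewhere in the file, not how it is used; confirm with nm or otool on a real binary before concluding which framework build introduced it.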
Microsoft

Microsoft Announces It's Ready to Contribute to OpenJDK (jaxenter.com) 62

"In a message to the OpenJDK community, Bruno Borges announced that Microsoft has now formally signed the Oracle Contributor Agreement and has been welcomed to the Java community," reports JAXenter: He went on to reaffirm Microsoft's commitment to Java and that the team is looking forward to giving something back to the Java community. However, the team will not just barge in with a heavy hand, but will start with smaller bug fixes and the like so they can learn how to be "good citizens within OpenJDK."

Borges, himself a former Oracle developer, is Principal Product Manager for Java at Microsoft. He presents Martijn Verburg as the Java engineering team lead who will be working together along with other partners in the Java ecosystem. Verburg is also CEO of jClarity, a leading AdoptOpenJDK contributor acquired by Microsoft in August this year, so presumably he will stay true to form and continue to contribute to the Java world, only now with Microsoft at his back...

Microsoft's acquisition of jClarity was just the latest in their efforts to gain a foothold in the Java community. There are many Java developers and Java champions who now practice their trade under Microsoft's banner... At JAX London a few weeks ago, Program Chair Sebastian Meyen opened the conference by giving a speech in which he said "Microsoft is now a Java shop". He sees this as a great development, as "it's always good when industry giants stand behind Java."

Python

Python Creator Guido van Rossum Retires, Heads To Python Conference (zdnet.com) 41

"Guido van Rossum, the creator of the hugely popular Python programming language, is leaving cloud file storage firm Dropbox and heading into retirement," reports ZDNet: That ends his six and a half years with the company, which hired him in 2013 because so much of its functionality was built on Python. And, after stepping down last year from his leadership role over Python decision making, that means the Python creator is officially retiring....

According to Dropbox, in 2011, when van Rossum first met Dropbox CEO Drew Houston, the Dropbox server and desktop client were written "almost exclusively in Python". Today, Dropbox also relies on Go, TypeScript, and Rust, as well as the open source Mypy static type checker that Dropbox develops to manage Python code at scale. Mypy helps developers overcome the challenge of understanding dynamically typed Python code written by other developers in the past...

Dropbox said van Rossum has had a major impact on its engineering culture. "There was a small number of really smart, really young coders who produced a lot of very clever code that only they could understand," said van Rossum. "That is probably the right attitude to have when you're a really small startup." However, as Dropbox notes, when the company grew, new engineers could not understand the clever but 'short and cryptic' code written by and for earlier developers. Van Rossum called this "cowboy coding culture" and educated the company about the value of maintainable code. "When asked, I would give people my opinion that maintainable code is more important than clever code," he said.... Dropbox also credits van Rossum with sharpening the company's testing processes for its continuous integration program and helping engineers understand why tests were broken.

"Thank you, Guido" is the title of the post on Dropbox's blog announcing the news that van Rossum is now retiring. Sharing that article on Twitter Thursday, van Rossum added "It's bittersweet... I've learned a lot during my time as an engineer here -- e.g. type annotations came from this experience -- and I'll miss working here."

But by Friday he was heading off to the North Bay Python conference in Petaluma, California.
Privacy

DNA Databases Are a National Security Leak Waiting To Happen (technologyreview.com) 35

schwit1 writes: A private DNA ancestry database that's been used by police to catch criminals is a security risk from which a nation-state could steal DNA data on a million Americans, according to security researchers. Security flaws in the service, called GEDmatch, not only risk exposing people's genetic health information but could let an adversary such as China or Russia create a powerful biometric database useful for identifying nearly any American from a DNA sample. GEDmatch, which crowdsources DNA profiles, was created by genealogy enthusiasts to let people search for relatives and is run entirely by volunteers. It shows how a trend toward sharing DNA data online can create privacy risks affecting everyone, even people who don't choose to share their own information.

"You can replace your credit card number, but you can't replace your genome," says Peter Ney, a postdoctoral researcher in computer science at the University of Washington. Ney, along with professors and DNA security researchers Luis Ceze and Tadayoshi Kohno, described in a report posted online how they developed and tested a novel attack employing DNA data they uploaded to GEDmatch. Using specially designed DNA profiles, they say, they were able to run searches that let them guess more than 90% of the DNA data of other users. The founder of GEDmatch, Curtis Rogers, confirmed that the researchers alerted him to the threat during the summer.
"The same attack wouldn't work on other genealogy sites, like 23andMe, because they don't permit data uploads," the report notes. "Others, like MyHeritage, do allow uploads but don't give users as much information about their matches."

"The problem with GEDmatch is the browser is too good, and searches too deeply," says Erlich. "If I were them, I would remove it, fix it, then put it back."
Python

Python Adopts a 12-month Release Cycle (lwn.net) 38

The steering council of Python said it is adopting a 12-month release cycle as it seeks to bring more consistency to the schedule. In their mailing list they announced the change would mean developers would:

1. Know when to start testing the beta to provide feedback.
2. Know when to expect the RC so the community can prepare their projects for the final release.
3. Know when the final release will occur to coordinate their own releases (if necessary) when the final release of Python occurs.
4. Allow core developers to more easily plan their work to make sure work lands in the release they are targeting.
5. Make sure that core developers and the community have a shorter amount of time to wait for new features to be released.

They added: It should also fit into the release schedule of Linux distributions like Fedora better than previously proposed so the distributions can test the RC when they start preparing for their own October releases. If this turns out to be a mistake after we try it out for Python 3.9 we can then discuss going back to longer betas and shorter RCs for the release after that. This will not change when feature development is cut off relative to PyCon US nor the core dev sprints happening just before the final release or the alpha of the next version.
Bug

Complaints Mounting About iOS 13.2 Being 'More Aggressive at Killing Background Apps and Tasks' (macrumors.com) 52

Apple's iOS 13 has had a rocky start since its release last month, with it being among the most buggy Apple software releases in recent memory. Now, iPhone owners are complaining of yet another issue that may be bug-related. From a report: A growing number of iPhone and iPad users have complained about poor RAM management on iOS 13 and iPadOS 13, leading to apps like Safari, YouTube, and Overcast reloading more frequently upon being reopened. We've lightly edited some of the comments to correct things like capitalization.
Microsoft

Spain and GitHub Are Blocking an App That Helped Protesters Organize (vice.com) 90

An anonymous reader shares a report: People are rioting in the streets of Barcelona. For the last month, hundreds of thousands of people have joined demonstrations in Spain to voice their objection to the jailing of Catalan separatist leaders and support Catalonian independence. As with almost all modern activist and public protest movements, activists are using social media and apps to communicate with and organize public actions. But this week, in a move that puts the Spanish government on par with censorship-heavy places like China and Russia, the country requested that Github block access to one of those apps, by revoking local access to its Github repository. Github, which is owned by Microsoft, complied with the order.

According to Spanish news outlet El Confidencial, last week the government ordered takedowns of websites and an app made by Tsunami Democratic, an activist group organizing protests in the region. To try to keep access to the app download alive, Tsunami Democratic moved the .apk file to Github. But the government shut that down, too, blocking the site in Spain. Motherboard tested the download using a VPN, and the Github repo was blocked from Madrid. It's still accessible from the US. Currently, a version of Tsunami Democratic's website (but not its Github repo) is up.

Software

Text Editor Releases 'Free Uyghur' Edition, Gets Swamped With Chinese Spam (theverge.com) 245

An anonymous reader quotes a report from The Verge: This week, the developer of the popular text- and code-editing software Notepad++ released a new version update. Nothing seemed particularly strange about it, except maybe the name: Notepad++ v7.8.1 is the "Free Uyghur" edition. In a blog post announcing the updated version, developer Don Ho writes about the plight of the Uyghur people, an ethnic minority in China that's faced persecution from the country's authoritarian government. China operates internment camps that are used to detain Uyghur people throughout the country's Xinjiang region.

Since the announcement, the software's GitHub "issues" page has been bombarded with spam, much of it in the Chinese language. "Stop sending meaningless political-related issues, it just makes you look like an idiot," reads one comment. Another one simply reads, "Bye ! Uninstall." There's a litany of curses, and one asks, "What do you know about China?" Others have moved in to criticize the Chinese government in response. Ho told The Verge that the software's dedicated site was also under a distributed-denial-of-service attack, but that it has been stopped by an anti-DDoS service provided by the site's host.
Ho writes in the announcement that he anticipated potential pushback, saying "talking about politics is exactly what software and commercial companies generally try to avoid," but decided to take the step anyway. "The problem is," Ho writes in the announcement of the Free Uyghur edition, "if we don't deal with politics, politics will deal with us."
AI

AI Will Soon Be Able To Decode Your Poop 66

Microbial health company Seed is launching a campaign to collect 100,000 fecal photos to build what developers say is the world's first poop image database. The campaign dares you to "give a shit" for science by uploading photos of your feces so that scientists can use it to train an AI platform launched out of MIT. Developers say that your photos could potentially help the approximately 1 in 5 people in the U.S. who have chronic gut conditions like irritable bowel syndrome. The Verge reports: Here's how citizen scientists can contribute to the cause. To participate, go to seed.com/poop on your phone (because taking your laptop to the loo is weird, and the page doesn't allow you to submit a photo unless you're using your phone). Click on the big purple button that says "#GIVEaSHIT." You'll be prompted to enter your email address and whether you're on a morning, afternoon, or evening poop schedule. Then, if you've already dropped a deuce, you can take or upload your photo or you can ask for an email reminder to be sent to you according to the time you indicated. After you've submitted your stool for posterity, the image is separated from the metadata (your email address and other potentially identifying information) so that your donation can remain anonymous and HIPAA compliant.

A team of doctors will diligently look through every image received. (Yes, that is a real job for seven gastroenterologists who take notes on what they see in the pictures.) Poop can fall into seven categories identified along the Bristol stool scale, which can tell you and your doctor whether you're constipated, lacking fiber, have a serious case of the runs, or somewhere in between. The doctors' insights into your poop will help train artificial intelligence models to understand the same things the doctors see in the image. Similar training systems are used to teach self-driving cars how to identify a tree or a cat in the road, according to David Hachuel, a co-founder of the startup Auggi, which is building the platform.
Intel

Top Linux Developer On Intel Chip Security Problems: 'They're Not Going Away.' (zdnet.com) 87

During his Open Source Summit Europe keynote speech, Greg Kroah-Hartman, the stable Linux kernel maintainer, said Intel CPUs' security problems "are going to be with us for a very long time" and are "not going away." He added: "They're all CPU bugs, in some ways they're all the same problem," but each has to be solved in its own way. "MDS, RIDL, Fallout, ZombieLoad: They're all variants of the same basic problem." ZDNet reports: And they're all potentially deadly for your security: "RIDL and ZombieLoad, for example, can steal data across applications, virtual machines, even secure enclaves. The last is really funny, because [Intel Software Guard Extensions (SGX)] is what is supposed to be secure inside Intel chips" [but, it turns out, it's] really porous. You can see right through this thing." To fix each problem as it pops up, you must patch both your Linux kernel and your CPU's BIOS and microcode. This is not a Linux problem; any operating system faces the same problem.

Kroah-Hartman freely admits that OpenBSD, a BSD Unix devoted to security first and foremost, was the first to come up with what's currently the best answer for this class of security holes: turn Intel's simultaneous multithreading (SMT) off and deal with the performance hit. Linux has adopted this method. But it's not enough. You must also secure the operating system as each new way to exploit hyper-threading appears. For Linux, that means flushing the CPU buffers every time there's a context switch (e.g. when the CPU stops running one VM and starts another). You can probably guess what the trouble is. Each buffer flush takes time, and the more VMs, containers, whatever, you're running, the more time you lose.
"The bad part of this is that you now must choose: Performance or security. And that is not a good option," Kroah-Hartman said. He added: "If you are not using a supported Linux distribution kernel or a stable/long term kernel, you have an insecure system."
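The kernel reports its own verdict on these bugs, and on the SMT trade-off Kroah-Hartman describes, through sysfs. The script below is an added example, not code from ZDNet or from Kroah-Hartman's talk: it reads /sys/devices/system/cpu/vulnerabilities/mds and /sys/devices/system/cpu/smt/control (Linux paths assumed; the status strings it matches are the ones the kernel writes there) and turns them into a pass/fail check, treating "buffers flushed but SMT still on" as exposed, which is the position the talk takes. The inputs in the usage at the bottom are constructed samples so the classifier can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not from the ZDNet story or Kroah-Hartman's talk: classify the
# kernel's MDS (RIDL/Fallout/ZombieLoad) and SMT status into a pass/fail check.
# Assumes the Linux sysfs files
#   /sys/devices/system/cpu/vulnerabilities/mds   and   /sys/devices/system/cpu/smt/control
# and the status strings the kernel writes there.

# mds_status MDS_LINE SMT_CONTROL
# Prints one of: not-affected | mitigated | mitigated-smt-on | vulnerable
# Exit status 0 when the host is considered safe, 1 when it is exposed.
mds_status() {
    mds="$1"; smt="$2"
    case "$mds" in
        "Not affected"*) echo not-affected; return 0 ;;
        "Mitigation:"*)
            # The kernel appends the SMT state to the mitigation line.
            case "$mds" in
                *"SMT vulnerable"*|*"SMT Host state unknown"*)
                    # Buffers are flushed, but a sibling thread can still leak (or,
                    # inside a guest, the host's SMT state is unknown): treat as exposed.
                    echo mitigated-smt-on; return 1 ;;
                *"SMT disabled"*|*"SMT mitigated"*)
                    echo mitigated; return 0 ;;
            esac
            # No SMT annotation on the line: fall back to the global SMT control knob.
            case "$smt" in
                on) echo mitigated-smt-on; return 1 ;;
                *)  echo mitigated; return 0 ;;
            esac ;;
        *)  # "Vulnerable" or "Vulnerable: Clear CPU buffers attempted, no microcode"
            echo vulnerable; return 1 ;;
    esac
}

# list_unmitigated DIR
# Prints "name: status" for every entry in DIR (normally the vulnerabilities
# directory) whose status starts with "Vulnerable". Returns 1 if any were found.
list_unmitigated() {
    bad=0
    for f in "$1"/*; do
        [ -r "$f" ] || continue
        st=$(cat "$f")
        case "$st" in
            Vulnerable*) echo "${f##*/}: $st"; bad=1 ;;
        esac
    done
    return $bad
}

# check_host: run both checks against the live machine.
# Exit status: 0 safe, 1 exposed, 2 no sysfs data (non-Linux, or a kernel without the interface).
check_host() {
    vdir=/sys/devices/system/cpu/vulnerabilities
    [ -r "$vdir/mds" ] || { echo "no $vdir/mds: cannot assess this host"; return 2; }
    smt=$(cat /sys/devices/system/cpu/smt/control 2>/dev/null || echo unknown)
    status=0
    verdict=$(mds_status "$(cat "$vdir/mds")" "$smt") || status=1
    echo "mds: $verdict (smt/control=$smt)"
    list_unmitigated "$vdir" || status=1
    return $status
}

# Constructed samples: a patched host that left SMT on, and one that switched it off.
mds_status "Mitigation: Clear CPU buffers; SMT vulnerable" on || echo "  -> exposed: boot with nosmt (or mds=full,nosmt) or accept the risk"
mds_status "Mitigation: Clear CPU buffers; SMT disabled" off

rc=0
check_host || rc=$?
```

On a machine whose kernel predates the sysfs interface the script cannot tell you anything, which is itself the point of the quote about unsupported kernels: if the vulnerabilities directory is missing, the kernel is too old to carry the mitigations at all.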
Education

Ask Slashdot: How Was the Quality of Your Academic Tech Education? 96

dryriver writes: In talking to people who are doing software development or other tech work, many told me that they found their tech education at university lacking in various ways. Some were taught outdated software, programming languages, methods, techniques or approaches. Others had problems with academia hostile to new ideas or creative problem solving. Some didn't get enough recognition for the coursework they did at university. Others couldn't get into top-tier universities when they were finishing high school aged 17 or 18 and got a second-rate tech education at a lower-quality academic institution as a result. So to the question: How was the quality of your tech education at university? Was the curriculum up to date? Were you taught the right things? Was academia open to new ideas and new ways of doing things? Did your education prepare you well for real life tech work in a non-academic environment?
Programming

Apple, Your Developer Documentation Is Garbage (chriskrycho.com) 95

Software developer Chris Krycho writes: Over the past few months, I have been trying to get up to speed on the Apple developer ecosystem, as part of working on my rewrite project. This means I have been learning Swift (again), SwiftUI, and (barely) the iOS and macOS APIs. It has been terrible. The number of parts of this ecosystem which are entirely undocumented is frankly shocking to me. Some context: I have spent the last five years working very actively in the JavaScript front-end application development world, working in first AngularJS and then Ember.js. Ember's docs once had a reputation of being pretty bad, but in the ~4 years I've been working with it, they've gone from decent to really good. On the other hand, when I was working in AngularJS 5 years ago, I often threw up my hands in quiet despair at the utter lack of explanation (or, occasionally, the inane explanations) of core concepts. I thought that would have to be the absolute worst a massive tech company (in that case, Google) providing public APIs could possibly do. I was wrong.

The current state of Apple's software documentation is the worst I've ever seen for any framework anywhere. Swift itself is relatively well covered (courtesy of the well-written and well-maintained book). But that's where the good news ends. Most of SwiftUI is entirely undocumented -- not even a single line explanation of what a given type or modifier does. Swift Package Manager has okay docs, but finding out the limits of what it can or can't do from the official docs is difficult to impossible; I got my ground truth from Stack Overflow questions. I've repeatedly been reduced to searching through WWDC video transcripts to figure out where someone says something relevant to whatever I'm working on.
Several people have complained in recent years that Apple's documentation is often incomplete or missing altogether. A developer has tried to figure out. Accidental Tech Podcast, a popular podcast that talks about Apple's ecosystem, discussed the issue in a recent episode.
Java

New in Java 13: Text Blocks (oracle.com) 57

The October issue of Oracle's Java magazine includes an article reminding us that Java 13 includes a long-awaited new feature: text blocks. With text blocks, Java 13 is making it easier for you to work with multiline string literals. You no longer need to escape the special characters in string literals or use concatenation operators for values that span multiple lines. You can also control how to format your strings. Text blocks -- Java's term for multiline strings -- immensely improve the readability of your code...

A text block is defined using three double quotes (""") as the opening and closing delimiters. The opening delimiter can be followed by zero or more white spaces and a line terminator. A text block value begins after this line terminator.

Networking

Nasty PHP7 Remote Code Execution Bug Exploited in the Wild on NGINX Servers (zdnet.com) 16

nickwinlund77 shares this story from ZDNet: A recently patched security flaw in modern versions of the PHP programming language is being exploited in the wild to take over servers, ZDNet has learned from threat intelligence firm Bad Packets. The vulnerability is a remote code execution (RCE) in PHP 7, the newer branch of PHP, the most common programming language used to build websites.

The issue, tracked as CVE-2019-11043, lets attackers run commands on servers just by accessing a specially-crafted URL. Exploiting the bug is trivial, and public proof-of-concept exploit code has been published on GitHub earlier this week. Only NGINX servers with PHP-FPM enabled are vulnerable. PHP-FPM, or FastCGI Process Manager, is an alternative PHP FastCGI implementation with some additional features, and according to reports, a common server configuration option.
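The configuration audit below is an added example, not code from ZDNet, Bad Packets or the PHP project. It assumes the exposure condition named in the public advisories for CVE-2019-11043: an nginx location block that derives PATH_INFO with fastcgi_split_path_info and hands it to PHP-FPM without the "try_files $fastcgi_script_name =404;" guard those advisories recommend as the configuration-side mitigation. The real fix is updating PHP; the guard is for hosts that cannot yet. The two sample configs are constructed (socket path and all), and the script does not follow "include" directives, so a location that pulls both directives from a distribution snippet is reported as OK without being inspected.

```shell
#!/bin/sh
# Added example, not from ZDNet, Bad Packets or the PHP project: flag nginx
# "location ... \.php" blocks that set PATH_INFO via fastcgi_split_path_info with
# no "try_files $fastcgi_script_name =404;" guard (the publicly recommended
# configuration mitigation for CVE-2019-11043). Static check only; "include"
# directives are not followed. Sample configs below are constructed.

# audit_php_locations FILE
# Prints one line per PHP location block: "<location header>: OK" or
# "<location header>: VULNERABLE: ...". Returns 1 if any block was flagged.
audit_php_locations() {
    awk '
    # A PHP location line opens a block; remember its header without the brace.
    /^[ \t]*location[ \t].*\\\.php/ && !inblk {
        inblk = 1; hdr = $0; hassplit = 0; guard = 0; depth = 0
        sub(/^[ \t]+/, "", hdr); sub(/[ \t]*\{[ \t]*$/, "", hdr)
    }
    inblk {
        if ($0 ~ /fastcgi_split_path_info/) hassplit = 1
        if ($0 ~ /try_files[ \t]+\$fastcgi_script_name[ \t]+=404/) guard = 1
        depth += gsub(/\{/, "{") - gsub(/\}/, "}")   # track nesting by brace count
        if (depth == 0) {                              # the location block closed
            if (hassplit && !guard) {
                bad++
                verdict = "VULNERABLE: PATH_INFO split without try_files =404 guard"
            } else {
                verdict = "OK"
            }
            printf "%s: %s\n", hdr, verdict
            inblk = 0
        }
    }
    END { exit bad ? 1 : 0 }' "$1"
}

# write_samples DIR: constructed weak and hardened server configs for demonstration.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
server {
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php-fpm.sock;
        include fastcgi_params;
    }
}
EOF
    cat > "$1/hardened.conf" <<'EOF'
server {
    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php-fpm.sock;
        include fastcgi_params;
    }
}
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in weak hardened; do
    echo "== $f.conf"
    audit_php_locations "$tmp/$f.conf" || echo "   exit status $?: add the try_files guard and update PHP"
done
rm -rf "$tmp"
```

Run it as "audit_php_locations /etc/nginx/sites-enabled/example" for each enabled site; a clean report is only as good as the directives visible in that file, so open any included snippet by hand.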

Oracle

Should JavaScript Be Renamed? (kieranpotts.com) 170

Software engineer Kieran Potts asks: does JavaScript need to be renamed? There's no doubt there are problems with JavaScript's branding...

- Correctly, "JavaScript" refers to a subset of ECMAScript specified by Mozilla, but the word is used interchangeably to refer to multiple different ECMAScript supersets, depending on context.

- JavaScript is a trademark of Oracle Corporation, which doesn't fit comfortably with the language's position as a central component of the web platform, which is meant to be built entirely from open technologies and standards.

- There isn't even an official logo for JavaScript, let alone a cute mascot like Go's gopher or PHP's elephant.

- And famously, JavaScript is unrelated to Java. This has confused the hell out of non-technical managers and recruiters for decades.

The article also suggests "a standard convention" to identify the runtime's host system (for example, "WebJS" or "ServerJS").

But in response to the question of rebranding JavaScript, "the most common, knee jerk reaction was a quick guffaw and an exclaimed 'no!'" notes tech columnist Mike Melanson, "while others offered that the simple contraction to JS would suffice."
Programming

Study Identifies the 'Top 7 Programming Languages That Employers Really Want' (dice.com) 118

The senior editor of Dice Insights writes: Which programming languages are most in-demand by employers? That's an excellent (and vital) question for developers out there, especially those who want to leverage their skills to land a particularly high-paying job. Fortunately, a new list gives us a pretty accurate rundown, and it's filled with the usual suspects: SQL, Java, JavaScript, Python, and so on.

The data comes from Burning Glass, which compiles and analyzes millions of job postings, so we can treat it as pretty comprehensive (although, as with any massive dataset, there's always the potential for errors)... The top-ranked presence of SQL shouldn't come as a shocker to anyone: although the language is older than many of the technologists who utilize it (it was created in 1974), it's still very much a key standardized language for relational databases (it's ranked eighth on the TIOBE Index, a popular but controversial ranking of the world's most popular programming languages). Businesses always need databases; and they're clearly hungry for technologists who can set up and manage them.

A recent study by IEEE Spectrum also noted that employers want developers skilled in Python, Java, C, C++, and JavaScript, so these languages' presence on the Burning Glass list should come as no surprise, either. All of these programming languages enjoy massive install bases across a variety of platforms, including mobile and the web; they're also taught widely in schools and bootcamps, ensuring that there's a steady pipeline of newly minted technologists who know them. In addition to building new stuff, businesses need to maintain legacy code written in these languages.

Cloud

Nearly 7.5 Million Adobe Creative Cloud Users Exposed To Hackers (threatpost.com) 26

Nearly 7.5 million Adobe Creative Cloud users are left open to phishing campaigns after their records were left exposed to the internet. Threatpost reports: Adobe Creative Cloud, which has an estimated 15 million subscribers, is a monthly service that gives users access to a suite of popular Adobe products such as Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects and others. Comparitech partnered with security researcher Bob Diachenko to uncover the exposed database. The Elasticsearch database could be tapped without a password or any other authentication; offering an attacker access to email addresses, account information and which Adobe products that users purchased. The data did not include payment information or passwords. The user data "wasn't particularly sensitive," but it could be used to create convincing phishing emails aimed at Adobe users, according to Comparitech researcher Paul Bischoff, in Friday research shared with Threatpost. "The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams," Bischoff noted. "Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example."
