Microbial health company Seed is launching a campaign to collect 100,000 fecal photos to build what developers say is the world's first poop image database. The campaign dares you to "give a shit" for science by uploading photos of your feces so that scientists can use it to train an AI platform launched out of MIT. Developers say that your photos could potentially help the approximately 1 in 5 people in the U.S. who have chronic gut conditions like irritable bowel syndrome. The Verge reports: Here's how citizen scientists can contribute to the cause. To participate, go to seed.com/poop on your phone (because taking your laptop to the loo is weird, and the page doesn't allow you to submit a photo unless you're using your phone). Click on the big purple button that says "#GIVEaSHIT." You'll be prompted to enter your email address and whether you're on a morning, afternoon, or evening poop schedule. Then, if you've already dropped a deuce, you can take or upload your photo or you can ask for an email reminder to be sent to you according to the time you indicated. After you've submitted your stool for posterity, the image is separated from the metadata (your email address and other potentially identifying information) so that your donation can remain anonymous and HIPAA compliant.

A team of doctors will diligently look through every image received. (Yes, that is a real job for seven gastroenterologists who take notes on what they see in the pictures.) Poop can fall into seven categories identified along the Bristol stool scale, which can tell you and your doctor whether you're constipated, lacking fiber, have a serious case of the runs, or somewhere in between. The doctors' insights into your poop will help train artificial intelligence models to understand the same things the doctors see in the image. Similar training systems are used to teach self-driving cars how to identify a tree or a cat in the road, according to David Hachuel, a co-founder of the startup Auggi, which is building the platform.

During his Open Source Summit Europe keynote speech, Greg Kroah-Hartman, the stable Linux kernel maintainer, said Intel CPU's security problems "are going to be with us for a very long time" and are "not going away." He added: "They're all CPU bugs, in some ways they're all the same problem," but each has to be solved in its own way. "MDS, RDDL, Fallout, Zombieland: They're all variants of the same basic problem." ZDNet reports: And they're all potentially deadly for your security: "RIDL and Zombieload, for example, can steal data across applications, virtual machines, even secure enclaves. The last is really funny, because [Intel Software Guard Extensions (SGX)] is what supposed to be secure inside Intel ships" [but, it turns out it's] really porous. You can see right through this thing." To fix each problem as it pops up, you must patch both your Linux kernel and your CPU's BIOS and microcode. This is not a Linux problem; any operating system faces the same problem.

OpenBSD, a BSD Unix devoted to security first and foremost, Kroah-Hartman freely admits was the first to come up with what's currently the best answer for this class of security holes: Turn Intel's simultaneous multithreading (SMT) off and deal with the performance hit. Linux has adopted this method. But it's not enough. You must secure the operating system as each new way to exploit hyper-threading appears. For Linux, that means flushing the CPU buffers every time there's a context switch (e.g. when the CPU stops running one VM and starts another). You can probably guess what the trouble is. Each buffer flush takes a lot of time, and the more VMs, containers, whatever, you're running, the more time you lose. "The bad part of this is that you now must choose: Performance or security. And that is not a good option," Kroah-Hartman said. He added: "If you are not using a supported Linux distribution kernel or a stable/long term kernel, you have an insecure system."

dryriver writes: In talking to people who are doing software development or other tech work, many told me that they found their tech education at university lacking in various ways. Some were taught outdated software, programming languages, methods, techniques or approaches. Others had problems with academia hostile to new ideas or creative problem solving. Some didn't get enough recognition for the coursework they did at university. Others couldn't get into top-tier universities when they were finishing high school aged 17 or 18 and got a second-rate tech education at a lower-quality academic institution as a result. So to the question: How was the quality of your tech education at university? Was the curriculum up to date? Were you taught the right things? Was academia open to new ideas and new ways of doing things? Did your education prepare you well for real life tech work in a non-academic environment?

Software developer Chris Krycho writes: Over the past few months, I have been trying to get up to speed on the Apple developer ecosystem, as part of working on my rewrite project. This means I have been learning Swift (again), SwiftUI, and (barely) the iOS and macOS APIs. It has been terrible. The number of parts of this ecosystem which are entirely undocumented is frankly shocking to me. Some context: I have spent the last five years working very actively in the JavaScript front-end application development world, working in first AngularJS and then Ember.js. Ember's docs once had a reputation of being pretty bad, but in the ~4 years I've been working with it, they've gone from decent to really good. On the other hand, when I was working in AngularJS 5 years ago, I often threw up my hands in quiet despair at the utter lack of explanation (or, occasionally, the inane explanations) of core concepts. I thought that would have to be the absolute worst a massive tech company (in that case, Google) providing public apis could possibly do. I was wrong.

The current state of Apple's software documentation is the worst I've ever seen for any framework anywhere. Swift itself is relatively well covered (courtesy of the well-written and well-maintained book). But that's where the good news ends. Most of SwiftUI is entirely undocumented -- not even a single line explanation of what a given type or modifier does. Swift Package Manager has okay docs, but finding out the limits of what it can or can't do from the official docs is difficult to impossible; I got my ground truth from Stack Overflow questions. I've repeatedly been reduced to searching through WWDC video transcripts to figure out where someone says something relevant to whatever I'm working on. Several people have complained in recent years that Apple's documentation is often incomplete or missing altogether. A developer has tried to figure out. Accidental Tech Podcast, a popular podcast that talks about Apple's ecosystem, discussed the issue in a recent episode.

The October issue of Oracle's Java magazine includes an article reminding us that Java 13 includes a long-awaited new features: text blocks. With text blocks, Java 13 is making it easier for you to work with multiline string literals. You no longer need to escape the special characters in string literals or use concatenation operators for values that span multiple lines. You can also control how to format your strings. Text blocks -- Java's term for multiline strings -- immensely improve the readability of your code...

A text block is defined using three double quotes (""") as the opening and closing delimiters. The opening delimiter can be followed by zero or more white spaces and a line terminator. A text block value begins after this line terminator.

nickwinlund77 shares this story from ZDNet: A recently patched security flaw in modern versions of the PHP programming language is being exploited in the wild to take over servers, ZDNet has learned from threat intelligence firm Bad Packets. The vulnerability is a remote code execution (RCE) in PHP 7, the newer branch of PHP, the most common programming language used to build websites.

The issue, tracked as CVE-2019-11043, lets attackers run commands on servers just by accessing a specially-crafted URL. Exploiting the bug is trivial, and public proof-of-concept exploit code has been published on GitHub earlier this week. Only NGINX servers with PHP-FPM enabled are vulnerable. PHP-FPM, or FastCGI Process Manager, is an alternative PHP FastCGI implementation with some additional features, and according to reports, a common server configuration option.

Software engineer Kieran Potts asks: does JavaScript need to be renamed? There's no doubt there are problems with JavaScript's branding...

- Correctly, "JavaScript" refers to a subset of ECMAScript specified by Mozilla, but the word is used interchangeably to refer to multiple different ECMAScript supersets, depending on context.

- JavaScript is a trademark of Oracle Corporation, which doesn't fit comfortably with the language's position as a central component of the web platform, which is meant to be built entirely from open technologies and standards.

- There isn't even an official logo for JavaScript, let alone a cute mascot like Go's gopher or PHP's elephant.

- And famously, JavaScript is unrelated to Java. This has confused the hell out of non-technical managers and recruiters for decades.
The article also suggests "a standard convention" to identify the runtime's host system (for example, "WebJS" or "ServerJS").

But in response to the question of rebranding JavaScript, "the most common, knee jerk reaction was a quick guffaw and an exclaimed 'no!'" notes tech columnist Mike Melanson, "while others offered that the simple contraction to JS would suffice."

The senior editor of Dice Insights writes: Which programming languages are most in-demand by employers? That's an excellent (and vital) question for developers out there, especially those who want to leverage their skills to land a particularly high-paying job. Fortunately, a new list gives us a pretty accurate rundown, and it's filled with the usual suspects: SQL, Java, JavaScript, Python, and so on.

The data comes from Burning Glass, which compiles and analyzes millions of job postings, so we can treat it as pretty comprehensive (although, as with any massive dataset, there's always the potential for errors)... The top-ranked presence of SQL shouldn't come as a shocker to anyone: although the language is older than many of the technologists who utilize it (it was created in 1974), it's still very much a key standardized language for relational databases (it's ranked eighth on the TIOBE Index, a popular but controversial ranking of the world's most popular programming languages). Businesses always need databases; and they're clearly hungry for technologists who can set up and manage them.

A recent study by IEEE Spectrum also noted that employers want developers skilled in Python, Java, C, C++, and JavaScript, so these languages' presence on the Burning Glass list should come as no surprise, either. All of these programming languages enjoy massive install bases across a variety of platforms, including mobile and the web; they're also taught widely in schools and bootcamps, ensuring that there's a steady pipeline of newly minted technologists who know them. In addition to building new stuff, businesses need to maintain legacy code written in these languages.

Nearly 7.5 million Adobe Creative Cloud users are left open to phishing campaigns after their records were left exposed to the internet. Threatpost reports: Adobe Creative Cloud, which has an estimated 15 million subscribers, is a monthly service that gives users access to a suite of popular Adobe products such as Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects and others. Comparitech partnered with security researcher Bob Diachenko to uncover the exposed database. The Elasticsearch database could be tapped without a password or any other authentication; offering an attacker access to email addresses, account information and which Adobe products that users purchased. The data did not include payment information or passwords. The user data "wasn't particularly sensitive," but it could be used to create convincing phishing emails aimed at Adobe users, according to Comparitech researcher Paul Bischoff, in Friday research shared with Threatpost. "The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams," Bischoff noted. "Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example."

In July, GitHub blocked several accounts to prevent users in Iran from accessing several portions of its service. A few days later Amazon Web Services followed suite. With major cloud services pulling support for developers in the country, many lost their academic work and several apps ceased to function. A solution for these developers now is to cut reliance on American giants and build their own services. But there's a catch: Internet in Iran is heavily censored, so they can't rely on local networks.

After Trump backed away from the nuclear deal, there's been a tremendous pressure on tech companies to block IPs from Iran. Plus, Mozilla decided to omit a whole transparency section in its report on the country succumbing to the government pressure. With sanctions on one side and censorship on the other, there's a tough road ahead for developers. Ivan Mehta, a journalist at The Next Web, looks at the issue.

An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed by researchers. ZDNet reports: On Monday, vpnMentor's cybersecurity team, led by Noam Rotem and Ran Locar, said the database belonged to Autoclerk, a service owned by Best Western Hotels and Resorts group. Autoclerk is a reservations management system used by resorts to manage web bookings, revenue, loyalty programs, guest profiles, and payment processing.

In a report shared with ZDNet, the researchers said the open Elasticsearch database was discovered through vpnMentor's web mapping project. It was possible to access the database, given it had no encryption or security barriers whatsoever, and perform searches to examine the records contained within. The team says that "thousands" of individuals were impacted, although due to ethical reasons it was not possible to examine every record in the leaking database to come up with a specific number. Hundreds of thousands of booking reservations for guests were available to view and data including full names, dates of birth, home addresses, phone numbers, dates and travel costs, some check-in times and room numbers, and masked credit card details were also exposed. Some of the records were logs for U.S. Army generals visiting Russia and Israel, the report says. In total, the AWS-hosted database contained over 179GB of data.

David Shayer, who worked as a software engineer at Apple for 18 years across iPod, the Apple Watch, and Apple's bug-tracking system Radar, among other projects, looks at the current iOS and macOS releases and tries to work out why they are so buggy. He writes: 1. Overloaded Feature Lists Lead to Schedule Chicken: Apple is aggressive about including significant features in upcoming products. Tight schedules and ambitious feature sets mean software engineers and quality assurance (QA) engineers routinely work nights and weekends as deadlines approach. Inevitably some features are postponed for a future release, as we saw with iCloud Drive Folder Sharing. In a well-run project, features that are lagging behind are cut early, so engineers can devote their time to polishing the features that will actually ship. But sometimes managers play "schedule chicken" since no one wants to admit in the departmental meeting that their part of the project is behind. Instead, they hope someone else working on another aspect of that feature is running even later, so they reap the benefit of the feature being delayed without taking the hit of being the one who delayed it. But if no one blinks, engineers continue to work on a feature that can't possibly be completed in time and that eventually gets pushed off to a future release.

2. Crash Reports Don't Identify Non-Crashing Bugs: If you have reporting turned on (which I recommend), Apple's built-in crash reporter automatically reports application crashes, and even kernel crashes, back to the company. A crash report includes a lot of data. Especially useful is the stack trace, which shows exactly where the code crashed, and more importantly, how it got to that point. A stack trace often enables an engineer to track down the crash and fix it. Crash reports are uniquely identified by the stack trace. The same stack trace on multiple crash reports means all those users are seeing the same crash. The crash reporter backend sorts crash reports by matching the stack traces, and those that occur most often get the highest priority. Apple takes crash reports seriously and tries hard to fix them. As a result, Apple software crashes a lot less than it used to. Unfortunately, the crash reporter can't catch non-crashing bugs. It's blind to the photos that never upload to iCloud, the contact card that just won't sync from my Mac to my iPhone, the Time Capsule backups that get corrupted and have to be restarted every few months, and the setup app on my new iPhone 11 that got caught in a loop repeatedly asking me to sign in to my iCloud account, until I had to call Apple support. (These are all real problems I've experienced.) Shayer has offered several more possible explanations in the original post.

Christine Peterson, a long-time futurist who co-founded the nanotech advocacy group the Foresight Institute in 1986 and coined the term "Open Source software" among other things writes: I am currently cited on the home page of the Ethical Source Movement, home of the Ethical Source Definition: "In the twenty years since Christine Peterson first coined the term 'open source', our community has grown astronomically, all the while learning from its successes and failures." While it is pleasant to be cited, some might interpret this as my 100% endorsement, and this would be incorrect. The Definition calls for a code of conduct, which by itself is not a problem. And a sample of such a code that I examined uses plain, seemingly-clear English words such as reasonable, inappropriate, harassment, etc. As always, the devil is in the details, or in this case, the interpretation. Although I am not a coder, and am only peripherally involved with the Open Source community these days, it has come to my attention that guidelines such as these are being used to, for example, suppress discussion of male/female differences. This would be problematic for me to endorse, since as part of my never-ending quest to help people find their life partner, I routinely discuss such topics at length myself (video online now).

This raises the broader question of whether speech bans in general are a good idea and serve effectively to advance positive goals, or not. To explore this issue with less emotion, let's make up a fantasy example. Let's say that a rumor arises that people who are genetically able to taste phenylthiocarbamide (PTC) are better at coding. The rumor goes viral. Job seekers with the supposedly favorable status put it on their LinkedIn page and try to send genetic test results to prospective employers, along with their resumes.

Those unable to taste PTC try to suppress the rumor, fail, organize protests, and finally resort to speech bans regarding PTC status. People who brag about their tasting status, point out that someone else is a non-taster, or even just try to discuss the topic itself more generally, lose their positions on open source projects and even in some cases their jobs.

Do these punished individuals then realize the error of their ways? By no means: they are now martyrs, drift in a more radical direction, and become leaders of PTC taster groups who feel they are victims of reverse discrimination. They form secret online groups in which genetic data must be submitted to join, and they quietly meet in person to show off tasting abilities in blind tests. They bond and form communities which reinforce their superior identity as tasters. Believing that 'tasters are better coders' is now regarded as Secret Banned Knowledge.

Statisticians try to point out that even if the claim is true, such a correlation is not usefully predictive since great coders are found among both tasters and non-tasters. They further point out that this means finding good coders requires testing for those skills regardless of PTC status, so what difference does it really make? Meanwhile the general public looks on, notices the speech ban, and decides that if such extreme action must be taken against the Secret Banned Knowledge, that knowledge must be powerful indeed, and true.

Perhaps speech bans worked better in the old days, before the internet enabled outcasts to find each other, but in any case they don't seem to work well now, as we see with racist speech bans in Europe. One can even make the case that this heavy-handed way of trying to solve social problems was one factor (among many) that helped elect Trump president.

So if speech bans aren't the answer, what is? How do we persuade people to step away from incorrect biased views and treat others better? Sadly, there are no easy answers, just difficult work. We can divide the world needing persuading into two groups: (A) those who can be persuaded with rational discussion, and (B) the others. For group A, we use rational discussion. For group B, we need to look at why they are in such desperate need of identity and community that they latch onto false stories of their superiority. For those with the stomach for it, we can try to copy the success of Daryl Davis, the African-American musician who has converted over two dozen white supremacists away from their old beliefs -- by befriending them. This is how hearts and minds are changed, one by one.

An anonymous reader quotes a report from The Associated Press: The Trump administration is planning to collect DNA samples from asylum-seekers and other migrants detained by immigration officials and will add the information to a massive FBI database used by law enforcement hunting for criminals, a Justice Department official said. The Justice Department on Monday issued amended regulations that would mandate DNA collection for almost all migrants who cross between official entry points and are held even temporarily. The official said the rules would not apply to legal permanent residents or anyone entering the U.S. legally, and children under 14 are exempt, but it's unclear whether asylum-seekers who come through official crossings will be exempt. The new policy, which was first reported in October, would allow the government to collect DNA samples from hundreds of thousands of people booked into federal immigration custody each year for entry into a national criminal database. Immigrant and privacy advocates said at the time that the move "raised privacy concerns for an already vulnerable population that could face profiling or discrimination as a result of their personal data being shared among law enforcement authorities."

Trump administration officials say hope the database will lead to more crimes being solved and act as a deterrent to prevent migrants from trying to enter the United States. The new regulations go into effect Tuesday.

Mark Hurd, who was co-chief of Oracle, one of the world's top business-software firms, until he stepped aside last month for health reasons, died Friday. He was 62. From a report: "Oracle has lost a brilliant and beloved leader who personally touched the lives of so many of us during his decade at Oracle," Oracle chairman Larry Ellison wrote. "All of us will miss Mark's keen mind and rare ability to analyze, simplify, and solve problems quickly. Some of us will miss his friendship and mentorship. I will miss his kindness and sense of humor." Hurd announced a leave of absence from Oracle in September due to unspecified health reasons. Oracle stock had gone up about 37% since he and Safra Catz were appointed as CEOs in September 2014.

theodp writes: On Thursday evening, Amazon is hosting a national field trip of sorts, inviting kids and teachers to take part in a Twitch livestream tour inside an Amazon robotics fulfillment center with the goal of inspiring students to learn about robotics and to "illustrate the importance of a computer science education." From the press release: "On the tour, students will see first-hand how teams of associates work alongside robotic technologies to fulfill customer orders. They will see where inventory items are stowed into the system, learn how robots bring storage pods to our associates to pick customer items, and finally, they'll see trucks being loaded with thousands of customer orders." Hey, "program, or be programmed," as they warn kids and parents over at Amazon-bankrolled Code.org!

GitLab, a San-Francisco provider of hosted git software, recently changed its company handbook to declare that it won't ban potential customers on "moral/value grounds," and that employees should not discuss politics at work. The Register reports: The policy addition, created by co-founder and CEO Sid Sijbrandij and implemented as a git pull request, was merged (with no approval required) about two weeks ago. It was proposed to clarify that GitLab is committed to doing business with "customers with values that are incompatible with our own values." Such a declaration could run afoul of legal boundaries in some circumstances. While workers have no constitutional speech protection in the context of their employment, federal labor law requires that employees be allowed to discuss the terms and conditions of their employment and possible unlawful conduct like harassment, discrimination, and safety violations.

But it's perhaps understandable given how, over the past few years, workers in the tech industry have become more vocal in objecting to business deals with entities deemed to be immoral or work that conflicts with declared or presumed values. Sijbrandij amended his company's handbook to state: "We do not discuss politics in the workplace and decisions about what customer to serve might get political." And what reason does Sijbrandij's pull request provide to support this position? It says, "Efficiency is one of our values and vetting customers is time consuming and potentially distracting."

Continuing its embracing of open source, Microsoft has today announced two new open source projects. From a report: The first is Open Application Model (OAM), a new standard for developing and operating applications on Kubernetes and other platforms. The second project is Dapr (Distributed Application Runtime), designed to make it easier to build microservice applications. Microsoft says that both OAM and Dapr "help developers remove barriers when building applications for cloud and edge." Microsoft has worked on OAM with Alibaba, and the aim is to simplify the development and deployment of applications. The company explains that: "OAM is a specification for describing applications so that the application description is separated from the details of how the application is deployed onto and managed by the infrastructure. This separation of concerns is helpful for multiple reasons." The second open source project is Dapr, which Microsoft describes as "an open source, portable, event-driven runtime that makes it easy for developers to build resilient, microservice stateless and stateful applications that run on the cloud and edge."

The npm ecosystem of JavaScript libraries is more interwoven than most developers think, and the entire thing is a gigantic house of cards, being one bad hack away from compromising hundreds of thousands of projects, according to a recent academic study. From a report: The research, carried out by the Department of Computer Science from the Technical University of Darmstadt, in Germany, analyzed the dependency graph of the entire npm ecosystem. Researchers downloaded metadata for all the npm packages published until April 2018 and created a giant graph that included 676,539 nodes and 4,543,473 edges (lines connecting the nodes). In addition, academics also analyzed different versions of the same packages, looking at historical versions (5,386,239 versions for the 676,539 packages), but also at the package maintainers (199,327 npm accounts), and known security flaws impacting the packages (609 public reports). [...]

Their goal was to get an idea of how hacking one or more npm maintainer accounts, or how vulnerabilities in one or more packages, reverberated across the npm ecosystem; along with the critical mass needed to cause security incidents inside tens of thousands of npm projects at a time. [...] But while some npm packages load code from too many packages and from too many developers, there is another dangerous trend forming on the npm package repository -- namely the consolidation of popular npm packages under a few maintainer accounts. "391 highly influential maintainers affect more than 10,000 packages, making them prime targets for attacks," the research team said. "If an attacker manages to compromise the account of any of the 391 most influential maintainers, the community will experience a serious security incident."

Scientists have uncovered a glitch in a piece of code that could have yielded incorrect results in over 100 published studies that cited the original paper. From a report: The glitch caused results of a common chemistry computation to vary depending on the operating system used, causing discrepancies among Mac, Windows, and Linux systems. The researchers published the revelation and a debugged version of the script, which amounts to roughly 1,000 lines of code, last week in the journal Organic Letters. "This simple glitch in the original script calls into question the conclusions of a significant number of papers on a wide range of topics in a way that cannot be easily resolved from published information because the operating system is rarely mentioned," the new paper reads. "Authors who used these scripts should certainly double-check their results and any relevant conclusions using the modified scripts in the [supplementary information]." Yuheng Luo, a graduate student at the University of Hawai'i at Manoa, discovered the glitch this summer when he was verifying the results of research conducted by chemistry professor Philip Williams on cyanobacteria. The aim of the project was to "try to find compounds that are effective against cancer," Williams said.