Android

Google Play Malware Used Phones' Motion Sensors To Conceal Itself (arstechnica.com) 55

An anonymous reader quotes a report from Ars Technica: Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection -- they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn't load on emulators researchers use to detect attacks. The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them. By contrast, emulators used by security researchers -- and possibly Google employees screening apps submitted to Play -- are less likely to use sensors. Two Google Play apps recently caught dropping the Anubis banking malware on infected devices would activate the payload only when motion was detected first. Otherwise, the trojan would remain dormant.

Security firm Trend Micro found the motion-activated dropper in two apps -- BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed them once it learned they were malicious. The motion detection wasn't the only clever feature of the malicious apps. Once one of the apps installed Anubis on a device, the dropper used requests and responses over Twitter and Telegram to locate the required command and control server. Once Anubis was installed, it used a built-in keylogger that can steal users' account credentials. The malware can also obtain credentials by taking screenshots of the infected users' screen.

Privacy

Collection 1 Data Breach Exposes More Than 772 Million Email Addresses (zdnet.com) 68

A collection of almost 773 million unique email addresses and just under 22 million unique passwords was exposed on the cloud service MEGA. Security researcher Troy Hunt said the collection of data, dubbed Collection #1, totaled over 12,000 separate files and more than 87GB of data. ZDNet reports: "What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see." Some passwords, including his own, have been "dehashed", that is, converted back to plain text. Hunt said he gained the information after multiple people reached out to him with concerns over the data on MEGA, with the Collection #1 dump also being discussed on a hacking forum. "The post on the forum referenced 'a collection of 2000+ dehashed databases and Combos stored by topic' and provided a directory listing of 2,890 of the files," Hunt wrote. The collection has since been removed. You can visit Hunt's Have I Been Pwned service to see if you are affected by this breach.
Google

Google's Transition To 64-Bit Apps Begins in August, 32-Bit Support To End in 2021 (ndtv.com) 93

In a bid to deliver a better software experience on devices powered by 64-bit processors in the coming years, Google aims to shift Android towards a 64-bit app ecosystem. From a report: The company has now shed more light on the transition and has announced that developers will have to submit a 64-bit version of their Android apps starting August this year. This move will eventually culminate in a universal implementation of the 64-bit app policy that will be enforced in 2021, after which Google will no longer host 32-bit apps on the Play Store accessed from a device based on 64-bit hardware. Google announced the move towards 64-bit apps in 2017, claiming that apps with 64-bit code offer significantly better performance. However, the search giant did not provide any details regarding the exceptions to the new rule or when the Play Store will cease to serve 32-bit apps. Google has now revealed that starting August 1 this year, developers must submit 64-bit versions of all new apps and app updates, alongside the old 32-bit versions, prior to their publication on the Play Store.
Crime

Hackers Broke Into An SEC Database and Made Millions From Inside Information, Says DOJ (cnbc.com) 60

Federal prosecutors unveiled charges in an international stock-trading scheme that involved hacking into the Securities and Exchange Commission's EDGAR corporate filing system. "The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia and Ukraine," reports CNBC. "Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were 'test filings,' which corporations upload to the SEC's website." From the report: The scheme involves seven individuals and operated from May to at least October 2016. Prosecutors said the traders were part of the same group that previously hacked into newswire services. Carpenito, in a press conference Tuesday, said the thefts included thousands of valuable, private business documents. "After hacking into the EDGAR system they stole drafts of [these] reports before the information was disseminated to the general public," he said.

Those documents included quarterly earnings, mergers and acquisitions plans and other sensitive news, and the criminals were able to view it before it was released as a public filing, thus affecting the individual companies' stock prices. The alleged hackers executed trades on the reports and also sold them to other illicit traders. One inside trader made $270,000 in a single day, according to Carpenito. The hackers used malicious software sent via email to SEC employees. Then, after planting the software on the SEC computers, they sent the information they were able to gather from the EDGAR system to servers in Lithuania, where they either used it or distributed the data to other criminals, Carpenito said.

PHP

WordPress To Show Warnings on Servers Running Outdated PHP Versions (zdnet.com) 52

The WordPress open-source content management system (CMS) will show warnings in its backend admin panel if the site runs on top of an outdated PHP version. From a report: The current plan is to have the warnings appear for sites using a PHP version prior to the 5.6.x branch (5.6 or lower). The warnings will contain a link to a WordPress support page with information on how site owners can update their server's underlying PHP version. In instances where site owners are running their WordPress portals on top of tightly-controlled web hosting environments, the web host has the option to change this link with a custom URL pointing at its own support site. [...] Around 66.7 percent of all Internet sites run an unsupported PHP version, according to W3Techs. Almost a quarter of all internet sites run on top of a WordPress CMS.
Security

Hack Allows Escape of Play-With-Docker Containers (threatpost.com) 45

secwatcher quotes a report from Threatpost: Researchers hacked the Docker test platform called Play-with-Docker, allowing them to access data and manipulate any test Docker containers running on the host system. The proof-of-concept hack does not impact production Docker instances, according to the CyberArk researchers who developed the proof-of-concept attack. "The team was able to escape the container and run code remotely right on the host, which has obvious security implications," wrote the researchers in a technical write-up posted Monday.

Play-with-Docker is a free, open-source, in-browser online playground designed to help developers learn how to use containers. While Play-with-Docker has the support of Docker, it was not created by nor is it maintained by the firm. The environment approximates having an Alpine Linux virtual machine in the browser, allowing users to build and run Docker containers in various configurations.
The vulnerability was reported to the developers of the platform on November 6. On January 7, the bug was patched. As for how many instances of Play-with-Docker may have been affected, "CyberArk estimated there were as many as 200 instances of containers running on the platform it analyzed," reports Threatpost. "It also estimates the domain receives 100,000 monthly site visitors."
Google

Android Studio 3.3 Now Available To Download On Stable Channel, New Version Focuses On 'Refinement and Quality' 14

Android Studio 3.3 is now available to download through the stable channel, Google said Monday. The top new features of Android Studio 3.3 include a navigation editor, profiler tracking options, improvements to the build system, and lazy task configuration. However, the big focus with the new version was on "refinement and quality," the company said. Further reading: VentureBeat.
Security

200 Million Chinese Resumes Leak In Huge Database Breach (thenextweb.com) 70

According to a report from HackenProof, a database containing the resumes of over 200 million job seekers in China was exposed last month. "The leaked info included not just the name and working experience of people, but also their mobile phone number, email, marriage status, children, politics, height, weight, driver license, and literacy level as well," reports The Next Web. From the report: Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, found an unprotected instance of MongoDB containing these resumes on December 28. Diachenko found the resumes via the open-database search engines Shodan and BinaryEdge. The 854GB database didn't have any password protection and was open for anyone to read.

Diachenko wasn't able to identify who generated the database or who owned it, but a now-defunct GitHub code repository featured code that used an identical data structure to the leaked database. The database contained scraped data from multiple Chinese classified websites like bj.58.com. However, in a blog post, the website's spokesperson denied the leak. Interestingly, the database was taken down as soon as Diachenko posted about it on Twitter. Sadly, the MongoDB log showed at least a dozen IP addresses that had read the instance before it went off the grid.

Python

You Can Now Profile Python Using Arm Forge (arm.com) 103

Python "is often described as being slow when it comes to performance... But is that truly the case?" writes Patrick Wohlschlegel, Arm's senior product manager for infrastructure and high-performance computing tools.

Slashdot reader igor.sfiligoi writes: Effectively profiling Python has always been a pain. Arm recently announced that their Arm Forge is now able to profile both Python and compiled code.
It's available for any hardware architecture, Wohlschlegel writes, adding that developers "typically assume that most of the execution time is spent in compiled, optimized C/C++ or Fortran libraries (e.g. NumPy) which are called from Python..."

"How confident are you that your application is not wasting your precious computing resources for the wrong reasons?"
Cloud

Improbable, Epic Games Establish $25 Million Fund To Help Devs Move To 'More Open Engines' After Unity Debacle (techcrunch.com) 80

Lucas Matney writes via TechCrunch: Improbable is taking a daring step after announcing earlier today that Unity had revoked its license to operate on the popular game development engine. The U.K.-based cloud gaming startup has inked a late-night press release with Unity rival Epic Games, which operates the Unreal Engine and is the creator of Fortnite, establishing a $25 million fund designed to help game developers move to "more open engines." This is pretty bold on Improbable's part and seems to suggest that Unity didn't give them a call after Improbable published a blog post that signed off with, "You [Unity] are an incredibly important company and one bad day doesn't take away from all you've given us. Let's fix this for our community, you know our number."

Unity, for its part, claims that they gave Improbable ample notice that they were in violation of their Terms of Service and that the two had been deep in a "partnership" agreement that obviously fell short. The termination of Improbable's Unity license essentially cut them off from a huge portion of indie developers who build their stuff on Unity. Epic Games CEO Tim Sweeney was quick to jump on the news earlier today, rebuking Unity's actions. "Epic Games' partnership with Improbable, and the integration of Improbable's cloud-based development platform SpatialOS, is based on shared values, and a shared belief in how companies should work together to support mutual customers in a straightforward, no-surprises way," the blog post reads.

Databases

AWS Launches Fully-Managed Document Database Service (zdnet.com) 59

An anonymous reader quotes a report from ZDNet: Amazon Web Services (AWS) has announced a fully-managed document database service, building Amazon DocumentDB (with MongoDB compatibility) to support existing MongoDB workloads. The cloud giant said developers can use the same MongoDB application code, drivers, and tools as they currently do to run, manage, and scale workloads on Amazon DocumentDB. Amazon DocumentDB uses an SSD-based storage layer, with 6x replication across three separate Availability Zones. This means that Amazon DocumentDB can fail over from a primary to a replica within 30 seconds, and supports MongoDB replica set emulation so applications can handle failover quickly. Each MongoDB database contains a set of collections -- similar to a relational database table -- with each collection containing a set of documents in BSON format. Amazon DocumentDB is compatible with version 3.6 of MongoDB, and storage can be scaled from 10 GB up to 64 TB in increments of 10 GB. The new offering implements the MongoDB 3.6 API, which allows customers to use their existing MongoDB drivers and tools with Amazon DocumentDB. In a separate report, TechCrunch's Frederic Lardinois says AWS is "giving open source the middle finger" by "taking the best open-source projects and re-using and re-branding them without always giving back to those communities."

"The wrinkle here is that MongoDB was one of the first companies that aimed to put a stop to this by re-licensing its open-source tools under a new license that explicitly stated that companies that wanted to do this had to buy a commercial license," Frederic writes. "Since then, others have followed."

"Imitation is the sincerest form of flattery, so it's not surprising that Amazon would try to capitalize on the popularity and momentum of MongoDB's document model," MongoDB CEO and president Dev Ittycheria told us. "However, developers are technically savvy enough to distinguish between the real thing and a poor imitation. MongoDB will continue to outperform any impersonations in the market."
Software

Software Developer Tops List of U.S. News & World Report's Annual Best Jobs Rankings (usatoday.com) 128

According to U.S. News and World Report's annual best jobs rankings, software developer is the top pick for the new year. "The publication's Best Jobs of 2019 list takes seven factors into account, including median salary, employment rate and stress level," reports USA Today. "The median salary for a software developer is $101,790, and the unemployment rate is 1.9 percent, according to the most recent data from the U.S. Bureau of Labor Statistics." From the report: Though software developers have neither the highest median salary nor lowest unemployment rate on the U.S. News Best Jobs of 2019 list, the position's projected increase in demand -- roughly 30 percent between 2016 and 2026 -- and average stress levels helped it land the top spot, said Rebecca Koenig, careers reporter at U.S. News and World Report. "Unlike some other jobs that do pretty well on the list, which are very demanding, software developer tends not to be a really stressful profession," Koenig said. Here are the Top 10, in order:

1. Software Developer
2. Statistician
3. Physician assistant
4. Dentist
5. (tie) Orthodontist
6. (tie) Nurse anesthetist
7. Nurse practitioner
8. Pediatrician
9. (tie) Obstetrician and gynecologist
9. (tie) Oral and maxillofacial surgeon
9. (tie) Prosthodontist
9. (tie) Physician
Programming

GitHub Free Users Now Get Unlimited Private Repositories (techcrunch.com) 74

GitHub has always offered free accounts, but users were forced to make their code public. To get private repositories, you had to pay. Now, as TechCrunch reports, "Free GitHub users now get unlimited private projects with up to three collaborators." From the report: The number of collaborators is really the only limitation here, and there's no change to how the service handles public repositories, which can still have unlimited collaborators. This feels like a sign of goodwill on behalf of Microsoft, which closed its acquisition of GitHub last October, with former Xamarin CEO Nat Friedman taking over as GitHub's CEO.

Talking about teams, GitHub also today announced that it is changing the name of the GitHub Developer suite to 'GitHub Pro.' The company says it's doing so in order to "help developers better identify the tools they need." But what's maybe even more important is that GitHub Business Cloud and GitHub Enterprise (now called Enterprise Cloud and Enterprise Server) have become one and are now sold under the 'GitHub Enterprise' label and feature per-user pricing.
In response, GitLab CEO Sid Sijbrandij said: "GitHub today announced the launch of free private repositories with up to three collaborators. GitLab has offered unlimited collaborators on private repositories since the beginning. We believe Microsoft is focusing more on generating revenue with Azure and less on charging for DevOps software. At GitLab, we believe in a multi-cloud future where organizations use multiple public cloud platforms."
Businesses

Eben Upton Remembers The Years Before the First Raspberry Pi (techrepublic.com) 106

TechRepublic revisits the story of the earliest attempts to build the Raspberry Pi, and the dramatic launch of a quest "to rekindle the curiosity about computing in a generation immersed in technology but indifferent to how it worked." [T]he dominant computers -- games consoles and later tablets and smartphones -- no longer offered an invitation to create, but rather to consume. Eben Upton recalls a bonfire party in 2007 where an 11-year-old boy told him he wanted to be an electrical engineer, and his disappointment at realizing the boy didn't have access to a computer he could program on. "I said, 'Oh, what computer have you got?'. He said, 'I've got a Nintendo Wii'. And there was just that awful feeling about there being a kid who was excited, a kid who was showing concrete interest in our profession, and who didn't have access to a programmable computer, a computer of any sort. He just had a games console."

At this time Upton was working as a system-on-a-chip architect at chip designer Broadcom, and realized he had the skills to try to halt this drift away from computers that encouraged users to code.

Upton describes the Raspberry Pi as "a very conscious attempt" to bring back the easily programmable home computers that he remembered as a child in the 1980s -- and he was gratified at its success. "Even early on you started to see those pictures of kids lying on the living room floor, looking up at the TV with Raspberry Pi plugged into it, the same way we used to."

It was named "Pi" because it booted into a version of Python, and Raspberry because "There's a lot of fruit-named computer companies, and the 'blowing a raspberry' thing was also deliberate."

It's gone on to become the world's third best-selling general-purpose computer.
Bitcoin

Ethereum Plans To Cut Its Absurd Energy Consumption By 99 Percent (ieee.org) 136

An anonymous reader quotes a report from IEEE Spectrum: Ethereum mining consumes a quarter to half of what Bitcoin mining does, but that still means that for most of 2018 it was using roughly as much electricity as Iceland. Indeed, the typical Ethereum transaction gobbles more power than an average U.S. household uses in a day. "That's just a huge waste of resources, even if you don't believe that pollution and carbon dioxide are an issue. There are real consumers -- real people -- whose need for electricity is being displaced by this stuff," says Vitalik Buterin, the 24-year-old Russian-Canadian computer scientist who invented Ethereum when he was just 18.

Buterin plans to finally start undoing his brainchild's energy waste in 2019. This year Buterin, the Ethereum Foundation he cofounded, and the broader open-source movement advancing the cryptocurrency all plan to field-test a long-promised overhaul of Ethereum's code. If these developers are right, by the end of 2019 Ethereum's new code could complete transactions using just 1 percent of the energy consumed today.

The Gimp

GIMP Developers Outline Plan For 2019 (gimp.org) 170

The GIMP developers on Wednesday published a blog post in which they look back at the year 2018 (release of GIMP 2.10) and outline the things that they intend to get around to this year. From the post: We expect to be shipping 2.10.x updates throughout 2019, starting with version 2.10.10, currently expected in January/February. This version will feature faster layer group rendering, smart colorization with the Bucket Fill tool, and various usability improvements. We are also planning the first unstable release of GIMP, which will have version 2.99.2, eventually leading up to version 3.0. The prerequisite for releasing that version will be the completion of the space invasion. The ZeMarmot project (which can be supported on Patreon or Tipeee) is also planning to focus a bit more on better canvas interactions, as well as animation support improvements, starting from merging existing work. On the GEGL and babl front, we expect to continue working towards better CMYK support and performance.
Desktops (Apple)

The Old Guard of Mac Indy Apps Has Thrived For More Than 25 Years (macworld.com) 133

Glenn Fleishman, writing for MacWorld: It seems like it was only yesterday that I first used BareBones Software's BBEdit, but in actuality, yesterday is so far away -- 25 years, in fact. With all the twists and turns across more than two decades of Apple as a company, Mac hardware, and the underlying operating system, you might think that BBEdit stands alone as a continuously-developed app shepherded largely or exclusively by the same independent developer -- an app without a giant company behind it. As it turns out, BBEdit is one of several apps that's been around the block more than a few times.

The longevity of indie apps is more extraordinary when you consider the changes Apple put the Mac through from the early 1990s to 2018. Apple switched from Motorola 680x0 processors to PowerPC to Intel chips, from 32-bit to 64-bit code, and among supported coding languages. It revved System 7 to 8 to 9, then to Unix across now 15 major releases (from 10.0 to 10.14). That's a lot for any individual programmer or small company to cope with. Bare Bones's head honcho, Rich Siegel, and the developers behind three other long-running Mac software programs shared with me their insight on development histories for over 25 years, what's changed the most during that time, and any hidden treasures users haven't yet found.
You can hear more on BareBones Software in this recent episode of The Talk Show, a podcast by Daring Fireball's John Gruber.
Programming

Dev vs. Ops: The State of Accountability (overops.com) 92

Here's an analysis by OverOps on how shared accountability affects the delivery of reliable software in a DevOps environment, and what some of the top challenges are that teams face when it comes to building and maintaining quality applications. Conclusion from the report [PDF], which relies on a survey of over 2,000 IT professionals around the globe: At the center of this DevOps adoption chaos is the evolving relationship between development and operations. Many organizations are already taking a shared approach to accountability for application health; however, they still lack the tools and application visibility needed to know who is ultimately responsible for addressing and fixing each issue. As the lines between these two teams continue to blur, organizations will need to focus on adopting tools that deepen visibility into their applications. Clarifying ownership of applications and services, and avoiding the "multiple owners = no owner" syndrome, is crucial for even the most bleeding-edge organizations.

The "Dev vs. Ops: State of Accountability" survey revealed that as more organizations begin the transition to DevOps workflows, defining roles and processes becomes more difficult and more important. Furthermore, businesses of all sizes are building and releasing new code and application features faster than ever before, which adds additional pressure across the entire software delivery supply chain. Organizations going through the DevOps transformation are more likely to face visibility challenges that make it difficult to maintain or improve application quality and reliability.

Programming

Julia Language Co-Creators Win James H. Wilkinson Prize For Numerical Software (mit.edu) 108

An anonymous reader writes: Three co-creators of the MIT-incubated Julia programming language are the recipients of the 2019 James H. Wilkinson Prize for Numerical Software. With origins in the Computer Science and Artificial Intelligence Laboratory (CSAIL) and the Department of Mathematics, Julia is a programming language created in 2009 by Jeff Bezanson PhD '15, former MIT Julia Lab researchers Stefan Karpinski, and Viral B. Shah, and professor of mathematics Alan Edelman. The prize will be awarded to Bezanson, Karpinski, and Shah "for the creation of Julia, an innovative environment for the creation of high-performance tools that enable the analysis and solution of computational science problems."

Released publicly in 2012, Julia has over 3 million downloads and is used in over 1,500 universities for scientific and numerical computing. "I am proud of the intellectual contributions of the Julia Lab, which applies the latest in computer science to science and engineering problems, while engaging interdisciplinary collaborations all over campus and beyond," said Edelman. "Julia is increasingly the language of instruction for scientific computing at MIT."

The Almighty Buck

Netflix Permanently Pulls iTunes Billing For New and Returning Users (venturebeat.com) 108

An anonymous reader shares a report: Netflix is further distancing itself from Apple's 15% iTunes tax bracket. Earlier this year, the streaming giant enabled iOS users in more than two dozen markets to bypass the iTunes payment method as part of an experiment. The company now tells VentureBeat that it has concluded the experiment and has incorporated the change globally. "We no longer support iTunes as a method of payment for new members," a Netflix spokesperson told VentureBeat. Existing members, however, can continue to use iTunes as a method of payment, the spokesperson added. Additionally, the support rep added that customers who are rejoining Netflix using an iOS device, after having canceled payment for at least one month, also won't be able to use iTunes billing. The move, which will allow Netflix to keep all proceeds from its new paying iPhone and iPad customers, underscores the tension between developers and the marquee distributors of mobile apps -- Apple and Google.
