A new report from the open source security company WhiteSource asks the question, "Is one programming language more secure than the rest?"

An anonymous reader quotes TechRepublic: To answer this question, the report compiled information from WhiteSource's database, which aggregates information on open source vulnerabilities from sources including the National Vulnerability Database, security advisories, GitHub issue trackers, and popular open source projects issue trackers. Researchers focused in on open source security vulnerabilities in the seven most widely-used languages of the past 10 years to learn which are most secure, and which vulnerability types are most common in each...

The most common vulnerabilities across most of these languages are Cross-SiteScripting (XSS); Input Validation; Permissions, Privileges, and Access Control; and Information Leak / Disclosure, according to the report.
Across the seven most widely-used programming languages, here's how the vulnerabilities were distributed:

• C (47%)
• PHP (17%)
• Java (11%)
• JavaScript (10%)
• Python (5%)
• C++ (5%)
• Ruby (4%)

But the results are full of disclaimers -- for example, that C tops the list because it's the oldest language with "the highest volume of written code" and "is also one of the languages behind major infrastructure like Open SSL and the Linux kernel."

The report also notes a "substantial rise" across all languages for known open source security vulnerabilities over the last two years, attributing this to more awareness about vulnerable components -- thanks to more research, automated security tools, and "the growing investment in bug bounty programs" -- as well as the increasing popularity of open source software. And it also reports a drop in the percentage of critical vulnerabilities for most languages -- except JavaScript and PHP.

The report then concludes that "the Winner Of Most Secure Programming Language is...no one and everyone...! It is not about the language itself that makes it any more or less secure, but how you use it. If you are mitigating your vulnerabilities throughout the software development lifecycle with the proper management approach, then you are far more likely to stay secure."

Coincidentally, WhiteSource sells software which monitors open source components throughout the software development lifecycle to provide alerts about security (and licensing) issues.

Long-time Slashdot reader theodp writes: After seeing to it that UK Prime Minister David Cameron, US President Barack Obama, and Canadian Prime Minister Justin Trudeau all received (widely-publicized) coding lessons, Code.org CEO Hadi Partovi noted in late 2016 that he was "still working on Pope Francis." GeekWire reports that Partovi was able to cross that one off his bucket list Thursday, as he helped Pope Francis become 'the first Pope to write a line of code' at a 'Programming for Peace' event organized by the Pope's foundation, Scholas Occurrentes, in Vatican City (not ready for Twitch.TV video).

"In the 21st century, computer science is a fundamental subject that all students should learn," said Partovi, whose tech-bankrolled nonprofit has entered a partnership with Scholas to introduce children to computer science. "Schools should teach computer science to prepare students for the future, empower children with creativity and teach how to harness technology and creativity." The Pontiff's programming lesson comes a month after Partovi's next-door neighbor, Microsoft President and Code.org Board member Brad Smith, had a sit-down with the Pope to discuss the ethical use of AI and ways to bridge the digital divide between rich and poor nations.

Oracle "swung the layoff axe" Thursday, reports IEEE Spectrum, saying that the move "clear-cut teams of engineers." The exact numbers of employees cut and their specific roles have not been reported by the company, but the layoffs are clearly significant. Fifty in Mexico, 50 in New Hampshire, 100 in India, at least that many in Silicon Valley -- the numbers, according to anecdotal reports on theLayoff.com and from internal chatter, are adding up quickly....

Oracle's layoff day started at 5 a.m. Pacific Time, when an email from Oracle executive vice president Don Johnson with the subject line "Organizational Restructuring" arrived in employee inboxes. The email informed staff members that, going forward, everything in the company would revolve around the Oracle Cloud Infrastructure (OCI) operation... Then the email continued with a perky sentence that made some employees furious: "OCI's business is stronger than ever, and this team's future is bright." At approximately 10 a.m., I'm told, just five hours after that email, the layoffs began -- and according to anecdotal reports included significant cuts within at least part of that stronger-than-ever, bright-future cloud business.

Those affected were given 30 minutes to turn in company assets and leave the building, and were told that Friday (today) would their last official day. "The morning felt like a slaughter," one Oracle employee told me. "One person after another...." And, that employee said, the layoff process was handled very badly, with entire teams being ushered into conference rooms as groups and told that they no longer had jobs. This employee indicated that technical teams, particularly those involved in product development and focused on software development, data science, and engineering, seemed to take the biggest hit.
Business Insider reports that Oracle hasn't formally announced the number of people laid off, but adds that "One source we spoke to was told by his manager that 1,500 people worldwide were cut."

dmoberhaus writes: In a major breakthrough for DNA computing, researchers from UC Davis, Caltech and Maynooth University developed a technique for creating molecular algorithms that can be reprogrammed. Prior to this research, molecular algorithms had to be painstakingly designed for specific purposes, which is "like having to build a new computer out of new hardware just to run a new piece of software," according to the researchers. This new technique could blow open the door for a host of futuristic DNA computing applications -- nanofactories, light-based computers, etc. -- that would've been impossible before. The paper was published this week in Nature.

Microsoft's programming language TypeScript has become one of the most popular languages among developers, at least according to a report published by the analyst firm RedMonk this week. Wired: TypeScript jumped from number 16 to number 12, just behind Apple's programming language Swift in RedMonk's semiannual rankings, which were last published in August. Microsoft unveiled TypeScript in 2012, and while it hasn't grown as quickly as Swift -- which has grown faster than any other language, ever since RedMonk started compiling the rankings in 2011 -- TypeScript's own ascendance is impressive, given the sheer number of available programming languages.

More and more applications these days use TypeScript. Google's programming framework Angular, the second most popular tool of its type according to data released last year by the startup NPM, is written in TypeScript. So is Vue, an increasingly popular framework finding a home both among smaller companies and tech giants like Alibaba. But RedMonk doesn't look at how many jobs are available for people skilled in a particular language, nor how many companies actually use the language. Instead, the firm tries to spot trends in developer interest by looking at how many projects on GitHub use certain languages, and how many questions are asked about those languages on the programmer Q&A site Stack Overflow. The idea is to get a sense of where the software development profession is heading.

A scan of billions of files from 13 percent of all GitHub public repositories over a period of six months has revealed that over 100,000 repos have leaked API tokens and cryptographic keys, with thousands of new repositories leaking new secrets on a daily basis. From a report: The scan was the object of academic research carried out by a team from the North Carolina State University (NCSU), and the study's results have been shared with GitHub, which acted on the findings to accelerate its work on a new security feature called Token Scanning, currently in beta. The NCSU study is the most comprehensive and in-depth GitHub scan to date and exceeds any previous research of its kind. NCSU academics scanned GitHub accounts for a period of nearly six months, between October 31, 2017, and April 20, 2018, and looked for text strings formatted like API tokens and cryptographic keys.

An anonymous reader quotes a report from The Guardian: Facebook employees were aware of concerns about "improper data-gathering practices" by Cambridge Analytica months before the Guardian first reported, in December 2015, that the political consultancy had obtained data on millions from an academic. The concerns appeared in a court filing by the attorney general for Washington DC and were subsequently confirmed by Facebook. The new information "could suggest that Facebook has consistently mislead [sic]" British lawmakers "about what it knew and when about Cambridge Analytica," tweeted Damian Collins, the chair of the House of Commons digital culture media and sport select committee (DCMS) in response to the court filing.

In a statement, a company spokesperson said: "Facebook absolutely did not mislead anyone about this timeline." After publication of this article, the spokesperson acknowledged that Facebook employees heard rumors of data scraping by Cambridge Analytica in September 2015. The spokesperson said that this was a "different incident" from Cambridge Analytica's acquisition of a trove of data about as many as 87 million users that has been widely reported on for the past year. "In September 2015 employees heard speculation that Cambridge Analytica was scraping data, something that is unfortunately common for any internet service," the spokesperson said. "In December 2015, we first learned through media reports that Kogan sold data to Cambridge Analytica, and we took action. Those were two different things." The filing raised questions about when Facebook first learned about the misuse of personal data by Cambridge Analytica, the now defunct political consultancy.

Google's Stadio cloud-gaming service may be intercepted by a similar service from Walmart. According to a report from US Gamer, the American retail giant is looking into launching its own cloud gaming service. From the report: Multiple sources familiar with Walmart's plans, who wish to remain anonymous, confirmed to USG that the retail giant is exploring its own platform to enter in the now-competitive video game streaming race. No other details were revealed other than it will be a streaming service for video games, and that Walmart has been speaking with developers and publishers since earlier this year and throughout this year's Game Developers Conference. Walmart's discussions with developers for its streaming service have been secretive, and it's unclear how far along the service is in-development. But our sources are confident that this is a space Walmart is trying to move into.

Though Walmart might sound like a strange company to be jumping into the streaming tech space, the move isn't wholly unexpected. In recent years due to competition from Amazon, Walmart has been increasingly looking into more tech-focused markets beyond its traditional physical retail chain. Over time, Walmart has integrated its physical stores with its large online presence, offering deliveries, app integrations, and in-store pick up services. Walmart also has a technology arm in Silicon Valley called Walmart Labs, which has 6,000 employees and develops tech for Walmart's digital presence. In addition it boasts tools like Cruxlux, which is a search engine designed to reveal the connection between any two people, places, or things. Finally, Walmart has a data center unofficially called Area 71 in Caverna, Missouri which holds over 460 trillion bytes of data. Data centers are a centerpiece of Google's Stadia streaming service and companies like Microsoft, Amazon, and Apple also own powerful data facilities, all of whom are also coincidentally working in streaming technology.

Tesla is suing a former engineer at the company, claiming he copied the source code for its Autopilot technology before joining a Chinese self-driving car startup in January. Reuters reports: The engineer, Guangzhi Cao, copied more than 300,000 files related to Autopilot source code as he prepared to join China's Xiaopeng Motors Technology Company Ltd, the Silicon Valley carmaker said in the lawsuit filed in a California court. Separately, Tesla lawyers on Wednesday filed a lawsuit against four former employees and U.S. self-driving car startup Zoox Inc, alleging the employees stole proprietary information and trade secrets for developing warehousing, logistics and inventory control operations. The Verge reported on the lawsuit filed against Cao: Tesla says that last year, Cao started uploading "complete copies of Tesla's Autopilot-related source code" to his iCloud account. The company claims he ultimately moved more than 300,000 files and directories related to Autopilot. After accepting a job with XPeng at the end of last year, Tesla says Cao deleted 120,000 files off his work computer and disconnected his personal iCloud account, and then "repeatedly logged into Tesla's secure networks" to clear his browser history before his last day with the company. Tesla also claims Cao recruited another Autopilot employee to XPeng in February. Tesla claims that it gives XPeng "unfettered access" to Autopilot: "Absent immediate relief, Tesla believes Cao and his new employer, [XPeng], will continue to have unfettered access to Tesla's marquee technology, the product of more than five years' work and over hundreds of millions of dollars of investment, which they have no legal right to possess," the company's lawyers write.

For software engineers, lack of friction is an aesthetic joy, an emotional high, the ideal existential state. It's what drives them, and what shapes our world. An excerpt from an upcoming book on coding, via Wired: The thrust of Silicon Valley is always to take human activity and shift it into metabolic overdrive. And maybe you've wondered, why the heck is that? Why do techies insist that things should be sped up, torqued, optimized? There's one obvious reason, of course: They do it because of the dictates of the market. Capitalism handsomely rewards anyone who can improve a process and squeeze some margin out. But with software, there's something else going on too. For coders, efficiency is more than just a tool for business. It's an existential state, an emotional driver.

Coders might have different backgrounds and political opinions, but nearly every one I've ever met found deep, almost soulful pleasure in taking something inefficient -- even just a little bit slow -- and tightening it up a notch. Removing the friction from a system is an aesthetic joy; coders' eyes blaze when they talk about making something run faster or how they eliminated some bothersome human effort from a process. This passion for efficiency isn't unique to software developers. Engineers and inventors have long been motivated by it. During the early years of industrialization, engineers elevated the automation of everyday tasks to a moral good. The engineer was humanity's "redeemer from despairing drudgery and burdensome labor," as Charles Hermany, an engineer himself, wrote in 1904.

[...] Many of today's programmers have their efficiency "aha" moment in their teenage years, when they discover that life is full of blindingly dull repetitive tasks and that computers are really good at doing them. (Math homework, with its dull litany of exercises, was one thing that inspired a number of coders I've talked to.) Larry Wall, who created the Perl programming language, and several coauthors wrote that one of the key virtues of a programmer is "laziness" -- of the variety where your unwillingness to perform rote actions inspires you to do the work to automate them.

After being delayed for the better part of one month, LLVM 8.0 officially is finally available. From a report: LLVM release manager Hans Wennborg announced the release a few minutes ago and summed up this half-year update to LLVM and its sub-project as: "speculative load hardening, concurrent compilation in the ORC JIT API, no longer experimental WebAssembly target, a Clang option to initialize automatic variables, improved pre-compiled header support in clang-cl, the /Zc:dllexportInlines- flag, RISC-V support in lld. And as usual, many bug fixes, optimization and diagnostics improvements, etc."

schwit1 shares a report from ScienceAlert: Researchers at the University of Southern Carolina (USC) claim to have created the first AI-controlled robotic limb that can learn how to walk without being explicitly programmed to do so. The algorithm they used is inspired by real-life biology. Just like animals that can walk soon after birth, this robot can figure out how to use its animal-like tendons after only five minutes of unstructured play.

Today, most robots take months or years before they are ready to interact with the rest of the world. But with this new algorithm, the team has figured out how to make robots that can learn by simply doing. This is known in robotics as "motor babbling" because it closely mimics how babies learn to speak through trial and error. "During the babbling phase, the system will send random commands to motors and sense the joint angles," co-author Ali Marjaninejad an engineer at USC, told PC Mag. "Then, it will train the three-layer neural network to guess what commands will produce a given movement. We then start performing the task and reinforce good behavior."

To prevent its own Cambridge Analytica moment and make sure it's getting paid for its data, Twitter said today it will audit developers that use its APIs. From a report: Starting June 19th, Twitter will require developers of any app that calls recent tweets from or mentions a user more than 100,000 times per day to submit their app for review. If a developer proves they have a legitimate consumer use case, like running a third-party Twitter client or doing research, they'll be granted free access to the API at the same rate they have today. If they primarily use the data to serve business customers as a B2B tool, like for customer service or social media monitoring, they'll have to pay to enter a commercial licensing agreement with Twitter with a custom price based on usage. Twitter refused to even specify the range those prices fall into, which won't win it any extra trust.

Developers found to be breaking Twitter's policies will be booted from the platform, while those that don't submit for review will be capped at 100,000 requests per day for the user timeline and mentions APIs. Twitter says it suspended 162,000 apps in the second half of 2018, showing it's willing to play hardball with developers that endanger its ecosystem.

Medium's technology publication ran a 3,600-word investigation into a mystery that began when a 66-year-old New York woman Googled directions to her neighborhood, "and found that the app had changed the name of her community..." It's just as well no one contacted Google, because Google wasn't the company that renamed the Fruit Belt to Medical Park. When residents investigated, they found the misnomer repeated on several major apps and websites including HERE, Bing, Uber, Zillow, Grubhub, TripAdvisor, and Redfin... Monica Stephens, a geographer at the University at Buffalo who studies digital maps and misinformation, immediately suspected the geographic clearinghouse Pitney Bowes. Founded in 1920 as a maker of postage meters -- the machines that stamp mail with proof it's been sent -- Pitney Bowes expanded into neighborhood data in 2016 when it bought the leading U.S. provider, Maponics. In its 15-year run, Maponics had supplied neighborhood data to companies from Airbnb to Twitter to the Houston Chronicle. And it had also just acquired a longtime competitor, Urban Mapping, which has previously supplied Facebook, Microsoft, MapQuest, Yahoo, and Apple. Though Pitney Bowes is far from a household name, the $3.4 billion data broker is "a huge company at this point," says Stephens, with enough influence to inadvertently rename a neighborhood across hundreds of sites...

In the early 2000s, Urban Mapping offered new college grads $15 to $25 per hour to comb local blogs, home listings, city plans, and brochures for possible neighborhood names and locations. Maponics, meanwhile, used nascent technologies such as computer vision and natural language processing to pull neighborhoods from images and blocks of text, one former executive with the company said... I visited the Buffalo Central Library to find the source of the error... Sure enough, one of the librarians located a single planning office map that used the "Medical Park" label. It was a 1999 report on poverty and housing conditions -- long since relegated to a dusty shelf stacked with old binders and file folders... Somehow, likely in the early 2000s, this map made its way into what is now the Pitney Bowes data set -- and from there, was hoovered into Google Maps and out onto the wider internet. Buffalo published another map in 2017, with the Fruit Belt clearly marked, and broadcast on the city's open data portal. For whatever reason, Pitney Bowes and its customers never picked that map up.
This is not the first time Google Maps has seemed to spontaneously rename a neighborhood. But for Fruit Belt the reporter's query eventually prompted corrections to the maps on Redfin, TripAdvisor, Zillow, Grubhub, and Google Maps. But the article argues that when it comes to how city names are represented online, "the process is too opaque to scrutinize in public. And that ambiguity foments a sense of powerlessness."

Pitney Bowes doesn't even have a method for submitting corrections. Yet, "In an emailed statement, a spokesperson for Google defended its use of third-party neighborhood sources. 'Overall, this provides a comprehensive and up-to-date map,' the spokesperson said, 'but when we're made aware of errors, we work quickly to fix them.'"

Valve has announced the "early beta" release of Steam Link Anywhere, which will enable streamed gaming to any compatible device, and Steam Networking Sockets APIs, granting developers access to the technology and infrastructure that underlies CS:GO and Dota 2. PC Gamer reports: Steam Link Anywhere is an extension of Steam Link that will enable users to connect to their PCs and play games from anywhere (thus the name), rather than being limited to a local network. It's compatible with both the Steam Link hardware and app, and will be rolled out automatically (and freely) to everyone who owns the hardware with beta firmware installed, the Android app beta, or the Raspberry Pi app. You'll also need to be enrolled in the Steam client beta, and have the latest version installed. Assuming you've got all that covered, you'll see an "Other Computer" option on the screen when searching for computers to connect to via Steam Link. Select that, follow the instructions, and you'll be set. Valve didn't provide specific network requirements but said you'll need "a high upload speed from your computer and strong network connection to your Steam Link device" in order to use it.

Steam Networking Sockets APIs isn't as flashy (and that "flash" is definitely relative) but is aimed squarely at developers, and could be even more significant to Steam's fortunes given the pressure it's facing from the Epic Games Store: It enables developers to run their game traffic through Valve's own private gaming network, providing players "faster and more secure connections." It's free for developers, and "a large portion" of the API is now open source, which could be a pretty big draw for devs look to incorporate online play with a minimum of fuss. If that's your bag, you can get more detailed information at steamcommunity.com, and Valve will be talking about the new feature in-depth at a Game Developer's Conference panel next Thursday, March 21.

Google said today it is rolling out the first beta version of Android Q, the newest version of its mobile operating system. The company will roll out a stable version of Android Q later this year. From a report: The first beta includes a preview SDK for developers with system images for the Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, and the official Android Emulator. This is the fourth year running that Google has released the first developer preview of the next Android version in March -- Android N (later named Android Nougat), Android O (Android Oreo), and Android P (Android Pie). For the past two years, Google did not use the Android Beta Program, which lets you get early Android builds via over-their-air updates on select devices.

That changes with Android Q -- Google is making the first preview available as a beta, not just as a developer preview. That signals that it is ready for early adopters to try, in addition to developers. As before, this preview version will be referred to as Android Q until Google picks a name starting with that letter.

Amazon's Echo-branded smart speakers have attracted millions of fans with their ability to play music and respond to queries spoken from across the room. But almost four years after inviting outside developers to write apps for Alexa, Amazon's voice system has yet to offer a transformative new experience. From a report: Surveys show most people use their smart speakers to listen to tunes or make relatively simple requests -- "Alexa, set a timer for 30 minutes" -- while more complicated tasks prompt them to give up and reach for their smartphone. Developers had less trouble creating hits for previous generations of technology.

Think Angry Birds or Pokemon Go on the iPhone, or, decades ago, spreadsheets on the first Windows computers. Amazon counts some 80,000 "skills" -- its name for apps -- in its marketplace. It seems impressive, but at this point in their development, Apple's App Store and the Google Play Store each boasted more than 550,000 applications and minted fortunes for many successful developers. "This platform is almost four years old, and you can't point me to one single killer app," says Mark Einhorn, who created a well-reviewed Alexa game that lets users operate a simulated lemonade stand and is one of 10 developers interviewed for this story.

The Linux Foundation today unveiled several major collaborative partnerships as it looks to cement the development of various open source projects that power much of the web. From a report: First off, the Node.js Foundation and the JS Foundation, which the Linux Foundation launched in 2016, are merging to form the OpenJS Foundation. The merger between the two chief organizations that focus on JavaScript comes six months after they publicly began to explore such a possibility with their communities. The OpenJS Foundation will focus on hosting and funding activities that support the growth of JavaScript and web technologies, the Linux Foundation said in a press release.

The OpenJS Foundation consists of 29 open source JavaScript projects including jQuery, Node.js, Appium, Dojo, and webpack. The merger is supported by 30 corporate and end user members including Google, Microsoft, IBM, PayPal, GoDaddy, and Joyent that recognize the "interconnected nature of the JavaScript ecosystem, and the importance of providing a neutral home for projects which represent significant shared value," the Linux Foundation said in a prepared statement. Also in the report: The Linux Foundation has created CHIPS Alliance, a project that aims to host and curate open source code relevant to design of chips that power mobile, IoT, and other consumer electronic devices; and the Continuous Delivery Foundation, which aims to serve as a platform for vendors, developers, and users to frequently engage and share insights and best practices to spur the development of open source projects.

It also announced that the GraphQL Foundation is collaborating with Joint Development Foundation to encourage "contributions, stewardship, and a shared investment from a broad group in vendor-neutral events, documentation, tools, and support for the data query language."

An anonymous reader quotes a report from Bleeping Computer: Microsoft has started to display notifications in the Windows 10 Action Center asking users to have a phone call with Microsoft developers and provide direct feedback about the ALT+TAB feature in Windows. While using a Windows 10 Insider build today, I was shown a Feedback Hub notification stating that "Microsoft wants to hear your opinions! To set up a phone call with Windows engineers, go to: http://www.aka.ms/alttab." This link then redirects to a web page at https://ux.microsoft.com/?AltTab. It is not known if this is only being shown to Windows Insiders users at this time.

When users visit this link they will be shown a Microsoft User Research page stating that a Windows 10 product team is looking to "understand our customer needs" and would like to have an anonymous 5-10 minute phone call with the user. In this particular case, the phone call will be with Microsoft engineers to discuss how users use the ALT+TAB feature to switch between apps. Microsoft states they are performing these calls in order to get a better understanding of how a feature is being used while they are in development. According to the web site, Windows engineers will be available on 3/11/2019 between 11:15 AM and 1:00 PM PST and on 3/12/2019 between 9:30 AM and 11:30 AM PST to schedule a call. The page goes on to say that users can expect a 5-10 minute call, but that it could last longer if there is more to discuss. They also state that the calls are not being recorded, are anonymous, and the content of the call will not be stored.

CSS, or the language that styles and arranges how page elements appear on a website, will soon get support for trigonometry functions such as sine, cosine, tangent, and others, ZDNet is reporting. From the report: The new trigonometry functions were approved at the end of February in a meeting of the World Wide Web Consortium (W3C) CSS Working Group. The new functions approved and set to join the CSS standard are: Sine - sin(), cosine - cos(), tangent - tan(), arccosine - acos(), arcsine - asin(), arctangent - atan(), arctangent (of two numbers x and y) - atan2(), square root - sqrt(), square root of the sum of squares of its arguments - hypot(), and power of - pow().