Open Source

The Percentage of Open Source Code in Proprietary Apps is Rising (helpnetsecurity.com) 60

Zeljka Zorz, writing for Help Net Security: The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown. Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed two interesting findings:

96 percent of the scanned applications contain open source components, with an average 257 components per application. The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.

Open Source

Tesla Releases Some of Its Software To Comply With Open-Source Licenses (sfconservancy.org) 24

Jeremy Allison - Sam shares a blog post from Software Freedom Conservancy, congratulating Tesla on their first public step toward GPL compliance: Conservancy rarely talks publicly about specifics in its ongoing GNU General Public License (GPL) enforcement and compliance activity, in accordance with our Principles of Community Oriented GPL Enforcement. We usually keep our compliance matters confidential -- not for our own sake -- but for the sake of violators who request discretion to fix their mistakes without fear of public reprisal. We're thus glad that, this week, Tesla has acted publicly regarding its current GPL violations and has announced that they've taken their first steps toward compliance. While Tesla acknowledges that they still have more work to do, their recent actions show progress toward compliance and a commitment to getting all the way there.
Businesses

Fed Up With Apple's Policies, App Developers Form a 'Union' (wired.com) 108

Even as Apple has addressed some of the concerns outlined by iOS developers in recent years, many say it's not enough. As the iOS App Store approaches its tenth anniversary, some app developers are still arguing for better App Store policies, ones that they say will allow them to make a better living as independent app makers. On Friday, a small group of developers, including one who recently made a feature-length film about the App Store and app culture, are forming a union to lobby for just that. From a report: In an open letter to Apple that was published this morning, a group identifying themselves as The Developers Union wrote that "it's been difficult for developers to earn a living by writing software" built on Apple's existing values. The group then asked Apple to allow free trials for apps, which would give customers "the chance to experience our work for themselves, before they have to commit to making a purchase."

The grassroots effort is being led by Jake Schumacher, the director of App: The Human Story; software developer Roger Ogden and product designer Loren Morris, who both worked for a timesheet app that was acquired last year; and Brent Simmons, a veteran developer who has made apps like NetNewsWire, MarsEdit, and Vesper, which he co-created with respected Apple blogger John Gruber.

Programming

Ask Slashdot: What's the Most Sophisticated Piece of Software Ever Written? (quora.com) 237

An anonymous reader writes: Stuxnet is the most sophisticated piece of software ever written, given the difficulty of the objective: Deny Iran's efforts to obtain weapons grade uranium without need for diplomacy or use of force, John Byrd, CEO of Gigantic Software (formerly Director of Sega and SPM at EA), argues in a blog post, which is being widely shared in developer circles, with most agreeing with Byrd's conclusion.

He writes, "It's a computer worm. The worm was written, probably, between 2005 and 2010. Because the worm is so complex and sophisticated, I can only give the most superficial outline of what it does. This worm exists first on a USB drive. Someone could just find that USB drive lying around, or get it in the mail, and wonder what was on it. When that USB drive is inserted into a Windows PC, without the user knowing it, that worm will quietly run itself, and copy itself to that PC. It has at least three ways of trying to get itself to run. If one way doesn't work, it tries another. At least two of these methods to launch itself were completely new then, and both of them used two independent, secret bugs in Windows that no one else knew about, until this worm came along."

"Once the worm runs itself on a PC, it tries to get administrator access on that PC. It doesn't mind if there's antivirus software installed -- the worm can sneak around most antivirus software. Then, based on the version of Windows it's running on, the worm will try one of two previously unknown methods of getting that administrator access on that PC. Until this worm was released, no one knew about these secret bugs in Windows either. At this point, the worm is now able to cover its tracks by getting underneath the operating system, so that no antivirus software can detect that it exists. It binds itself secretly to that PC, so that even if you look on the disk for where the worm should be, you will see nothing. This worm hides so well, that the worm ran around the Internet for over a year without any security company in the world recognizing that it even existed."
What do Slashdot readers think?
Java

California Bypasses Science To Label Coffee a Carcinogen (undark.org) 277

travers_r writes: Superior Court Judge Elihu Berle affirmed last week that all coffee sold in California must come with a warning label stating that chemicals in coffee (acrylamide, a substance created naturally during the brewing process) are known to cause cancer and birth defects or other reproductive harm. But judges, journalists, and environmental advocates fail to recognize the critical difference between probably and certainly, which fuels the inaccurate belief that cancer is mostly caused by things in the environment. From a report at Undark: "IARC is one of the leading scientific bodies in the world, and it is also one of several expert panels on which California relies for scientific opinions in such cases. The IARC has concluded that while there is sufficient evidence to consider acrylamide carcinogenic in experimental animals, there is insufficient evidence for carcinogenicity in humans. Therefore, its overall evaluation is that 'acrylamide is probably carcinogenic to humans.'
[...]
Leading experts, in fact, believe that roughly two-thirds of all cancers are the result of mutations to DNA that are caused by natural bodily processes, not exposure to environmental chemicals. This is quite the opposite of the prevailing belief among the public that most cancers are caused by exogenous substances imposed on us by the products and technologies of the modern world. It's this belief -- this fear -- that prompted voters to pass Proposition 65 in 1986. It was a time when fear of hazardous waste and industrial chemicals was high, when chemophobia -- a blanket fear of anything having to do with the word 'chemicals' -- was being seared into the public's mind."

Twitter

Twitter Delays Shutdown of Legacy APIs By 3 Months as it Launches a Replacement (techcrunch.com) 12

Twitter said on Wednesday that it will be giving developers more time to adjust to its API platform overhaul, which has affected some apps' ability to continue operating in the same fashion. From a report: The company clarified this morning, along with news of the general availability of its Account Activity API, that it will be delaying the shutdown of some of its legacy APIs by three months' time. That is, APIs originally slated for a June 19, 2018 shutdown -- including Site Streams, User Streams, and legacy Direct Message Endpoints -- will now be deprecated on Wednesday, August 16, 2018.
The Internet

Top-Level Domain .App Is Now Open For General Registration (googleblog.com) 82

Christina Chiou Yeh, writing for Google Registry: On May 1 we announced .app, the newest top-level domain (TLD) from Google Registry. It's now open for general registration so you can register your desired .app name right now. We begin our journey with sitata.app, which provides real-time travel information about events like protests or transit strikes. Looks all clear, so our first stop is the Caribbean, where we use thelocal.app and start exploring. After getting some sun, we fly to the Netherlands, where we're feeling hungry. Luckily, picnic.app delivers groceries, right to our hotel. With our bellies full, it's time to head to India, where we use myra.app to order the medicine, hygiene, and baby products that we forgot to pack. Did we mention this was a business trip? Good thing lola.app helped make such a complex trip stress free. Time to head home now, so we slip on a hoodie we bought on ov.app and enjoy the ride.
Security

Hacker Shuts Down Copenhagen's Public City Bikes System (bleepingcomputer.com) 72

An anonymous reader writes: "An unidentified hacker has breached Bycyklen -- Copenhagen's city bikes network -- and deleted the organization's entire database, disabling the public's access to bicycles over the weekend," reports Bleeping Computer. "The hack took place on the night between Friday, May 4, and Saturday, May 5, the organization said on its website. Bycyklen described the hack as 'rather primitive,' alluding that it may have been carried out 'by a person with a great deal of knowledge of its IT infrastructure.' Almost 2,000 bikes were affected, and the company's employees have been working for days, searching for bikes docked across the city and installing a manual update to restore functionality. The company is holding a 'treasure hunt,' asking users to hunt down and identify non-functional bikes."
Education

Carnegie Mellon Launches Undergraduate Degree In AI (cmu.edu) 76

Earlier this week, Carnegie Mellon University announced plans to offer an undergrad degree in artificial intelligence. The news may be especially attractive for students given how much tech giants have been ramping up their AI efforts in recent years, and how U.S. News & World Report ranked Carnegie Mellon University as the No. 1 graduate school for AI. An anonymous reader shares the announcement with us: Carnegie Mellon University's School of Computer Science will offer a new undergraduate degree in artificial intelligence beginning this fall, providing students with in-depth knowledge of how to transform large amounts of data into actionable decisions. SCS has created the new AI degree, the first offered by a U.S. university, in response to extraordinary technical breakthroughs in AI and the growing demand by students and employers for training that prepares people for careers in AI.

The bachelor's degree program in computer science teaches students to think broadly about methods that can accomplish a wide variety of tasks across many disciplines, said Reid Simmons, research professor of robotics and computer science and director of the new AI degree program. The bachelor's degree in AI will focus more on how complex inputs -- such as vision, language and huge databases -- are used to make decisions or enhance human capabilities, he added. AI majors will receive the same solid grounding in computer science and math courses as other computer science students. In addition, they will have additional course work in AI-related subjects such as statistics and probability, computational modeling, machine learning, and symbolic computation. Simmons said the program also would include a strong emphasis on ethics and social responsibility. This will include independent study opportunities in using AI for social good, such as improving transportation, health care or education.

Software

Apple Cracking Down On Apps That Send Location Data To Third Parties (9to5mac.com) 28

Apple has been removing some apps that share location data with third parties and informing developers that their app violates two parts of the App Store Review Guidelines. "The company informs developers via email that 'upon re-evaluation,' their application is in violation of sections 5.1.1 and 5.1.2 of the App Store Review Guidelines, which pertain to transmitting user location data and user awareness of data collection," reports 9to5Mac. From the report: Apple explains that developers must remove any code, frameworks, or SDKs that relate to the violation before their app can be resubmitted to the App Store. Apple's crackdown on these applications comes amid a growing industry shift due to General Data Protection Regulation, or GDPR, in the European Union. While Apple has always been a privacy-focused company, it is seemingly looking to ensure that developers take the same care of user data.

In the instances we've seen, the apps in question don't do enough to inform users about what happens with their data. In addition to simply asking for permission, Apple appears to want developers to explain what the data is used for and how it is shared. Furthermore, the company is cracking down on instances where the data is used for purposes unrelated to improving the user experience.

Chrome

In Blocking Autoplay Videos, Chrome Is Breaking Many Web-Based Games (arstechnica.com) 77

An anonymous reader quotes a report from Ars Technica: An update Google rolled out for its popular Chrome browser this weekend helps prevent those annoying auto-playing video ads on many websites from disturbing your day with unwanted sound as well. But that update is causing consternation for many Web-based game developers who are finding that the change completely breaks the audio in their online work. The technical details behind the problem involve the way Chrome handles WebAudio objects, which are now automatically paused when a webpage starts up, stymying auto-playing ads. To get around this, Web-based games now have to actively restart that pre-loaded audio object when the player makes an action to start the game, even if that audio wasn't autoplaying beforehand. "The standard doesn't require you to do this, so no one would have thought to do this before today," developer Andi McClure told Ars Technica. "With Chrome's new autoplay policies, developers shouldn't assume that audio can be played before a user gesture," Google told The Daily Dot in a statement. "With gaming in Chrome, this may affect Web Audio. We have shared details on what developers can do to address this, and the design for the policy was published last year."
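The workaround the report describes, resuming a Web Audio context that Chrome left suspended once the player makes a gesture, looks like the following in JavaScript. This is an added example, not code from Ars Technica, Google or any of the games mentioned; in a browser you would pass `new AudioContext()` and `document` to `installGestureUnlock`, while the `FakeAudioContext` and `FakeEventTarget` classes are constructed stand-ins so the logic can run outside a browser. The `state` property and `resume()` method are the real Web Audio API; the event names in `GESTURE_EVENTS` are an assumed set of user-activation events.

```javascript
// Added example (not from the Ars Technica report, Chrome or any game on the page):
// resume a suspended Web Audio context on the first user gesture, and refuse to
// start sound until the context is actually running.

// Constructed stand-in for AudioContext: Chrome's autoplay policy leaves a
// freshly created context in the 'suspended' state until a user gesture.
class FakeAudioContext {
  constructor() {
    this.state = 'suspended';
    this.resumeCalls = 0;
  }
  // The real resume() returns a Promise and flips state asynchronously; this
  // stand-in flips it synchronously so the result can be checked directly.
  resume() {
    this.resumeCalls += 1;
    this.state = 'running';
    return Promise.resolve();
  }
}

// Constructed stand-in for `document` with just the listener plumbing we need.
class FakeEventTarget {
  constructor() { this.listeners = new Map(); }
  addEventListener(type, fn) {
    if (!this.listeners.has(type)) this.listeners.set(type, new Set());
    this.listeners.get(type).add(fn);
  }
  removeEventListener(type, fn) {
    const set = this.listeners.get(type);
    if (set) set.delete(fn);
  }
  listenerCount() {
    let n = 0;
    for (const set of this.listeners.values()) n += set.size;
    return n;
  }
  dispatch(type) {
    const set = this.listeners.get(type);
    if (set) for (const fn of [...set]) fn({ type });
  }
}

// Assumed set of user-activation events worth treating as "the player acted".
const GESTURE_EVENTS = ['click', 'keydown', 'touchstart', 'pointerdown'];

// Install one-shot listeners: the first gesture resumes the context and removes
// every listener, so later gestures do not call resume() again. Returns false
// when nothing needed unlocking.
function installGestureUnlock(ctx, target, events = GESTURE_EVENTS) {
  if (ctx.state === 'running') return false;
  const onGesture = () => {
    for (const type of events) target.removeEventListener(type, onGesture);
    ctx.resume();
  };
  for (const type of events) target.addEventListener(type, onGesture);
  return true;
}

// Gate sound on the context state rather than assuming playback is allowed:
// a game that starts its sources while suspended gets silence and no error.
function playIfRunning(ctx, startSource) {
  if (ctx.state !== 'running') return false;
  startSource(ctx);
  return true;
}

// Stand-alone demonstration using the constructed stand-ins.
function demo() {
  const ctx = new FakeAudioContext();
  const doc = new FakeEventTarget();
  installGestureUnlock(ctx, doc);
  const before = playIfRunning(ctx, () => {}); // false: still suspended
  doc.dispatch('click');                       // the player's first gesture
  const after = playIfRunning(ctx, () => {});  // true: context now running
  return {
    before,
    after,
    state: ctx.state,
    resumeCalls: ctx.resumeCalls,
    leftoverListeners: doc.listenerCount(),
  };
}
```

In a real page the gate in `playIfRunning` is the part that matters for games: the audio graph can be built and the sources scheduled before the gesture, but nothing should be treated as audible until `state` reads `'running'`, and checking that state is how a game notices the policy instead of playing into silence.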
Crime

Police Drop Charges Filed Against 19-Year-Old Archivist For Downloading FOIA Releases (techdirt.com) 154

An anonymous reader quotes a report from Techdirt: Last month, [...] an unnamed 19-year-old was facing criminal charges for downloading publicly-available documents from a government Freedom of Information portal. The teen had written a script to fetch all available documents from Nova Scotia's government FOI site -- a script that did nothing more than increment digits at the end of the URL to find everything that had been uploaded by the government. The government screwed up. It uploaded documents to the publicly-accessible server that hadn't been redacted yet. It was a very small percentage of the total haul -- 250 of the 7,000 docs obtained -- but the government made a very big deal out of it after discovering they had been accessed.

Fortunately, Nova Scotia law enforcement has decided there's nothing to pursue in this case: "In an email to CBC News, Halifax police Supt. Jim Perrin did not mention what kind of information police were given from the province, but he said it was a 'high-profile case that potentially impacted many Nova Scotians.' 'As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offense by accessing the information,' Perrin said in the email."

Security

Equifax's Data Breach By the Numbers: 146 Million Social Security Numbers, 99 Million Addresses, and More (theregister.co.uk) 69

"Several months after the data breach was first reported, Equifax has published the details on the personal records and sensitive information stolen in the cybersecurity incident. The good news: the number of individuals affected by the network intrusion hasn't increased from the 146.6 million Equifax previously announced, but extra types of records accessed by the hackers have turned up in Mandiant's ongoing audit of the security breach," reports The Register. From the report: Late last week, the company gave the numbers in letters to the various U.S. congressional committees investigating the network infiltration, and on Monday, it submitted a letter to the SEC, corporate America's financial watchdog. As well as the -- take a breath -- 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date) exposed, the company said there were also 38,000 American drivers' licenses and 3,200 passport details lifted, too.

The further details emerged after Mandiant's investigators helped "standardize certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen." The extra data elements, the company said, didn't involve any individuals not already known to be part of the super-hack, so no additional consumer notifications are required.

Programming

Microsoft Adds Support For JavaScript Functions in Excel (bleepingcomputer.com) 171

An anonymous reader shares a report: At the Build 2018 developer conference that's taking place these days in Seattle, USA, Microsoft announced support for custom JavaScript functions in Excel. What this means is that Excel users will be able to use JavaScript code to create a custom Excel formula that will appear in Excel's default formula database. Users will then be able to insert and call these formulas from within Excel spreadsheets, but have a JavaScript interpreter compute the spreadsheet data instead of Excel's native engine. "Office developers have been wanting to write JavaScript custom functions for many reasons," Microsoft says, "such as: (1) Calculate math operations, like whether a number is prime. (2) Bring information from the web, like a bank account balance. (3) Stream live data, like a stock price."
Microsoft

Microsoft Hopes Money Will Entice More Developers (engadget.com) 134

At its Build conference, Microsoft announced that starting later this year, all consumer apps (except games) sold in the Microsoft Store will ship a whopping 95 percent of the revenue earned from app and in-app purchases to the developer. From a report: That is, if the customer purchases the app via a deep or direct link. If the customer gets your app via a Microsoft-assisted method, like getting featured on the Microsoft Store, then devs will get 85 percent of the revenue, which is still a pretty good amount.
GNU is Not Unix

GCC 8.1 Compiler Introduces Initial C++20 Support (gnu.org) 90

"Are you tired of your existing compilers? Want fresh new language features and better optimizations?" asks an announcement on the GCC mailing list touting "a major release containing substantial new functionality not available in GCC 7.x or previous GCC releases."

An anonymous reader writes: GNU has released the GCC 8.1 compiler with initial support for the C++20 (C++2A) revision of C++ currently under development. This annual update to the GNU Compiler Collection also comes with many other new features/improvements including but not limited to new ARM CPU support, support for next-generation Intel CPUs, AMD HSA IL, and initial work on Fortran 2018 support.
China

China's Bungled Drone Display Breaks World Record (bbc.com) 67

Chinese company EHang has broken the Guinness World Record for the most drones flown simultaneously, despite them failing to coordinate for a light show. The company programmed a fleet of 1,374 drones to fly in set patterns, "but failed to spell out the date and the record-setting number of drones," reports the BBC. From the report: The South China Morning Post called the event an "epic fail." The record was previously held by U.S. technology company Intel, which flew 1,218 aircraft at the 2018 Pyeongchang Winter Olympic Games in February. Intel's show was pre-recorded before being aired during the opening ceremony, due to "possible freezing weather and strong winds." According to the South China Morning Post, EHang was paid 10.5 million yuan ($1.65 million) for the Labor Day performance in the north-western city of Xi'an. You can watch a video of the drone display here.
Cloud

Google Releases Open Source Framework For Building 'Enclaved' Apps For Cloud (arstechnica.com) 21

An anonymous reader quotes a report from Ars Technica: Today, Google is releasing an open source framework for the development of "confidential computing" cloud applications -- a software development kit that will allow developers to build secure applications that run across multiple cloud architectures even in shared (and not necessarily trusted) environments. The framework, called Asylo, is currently experimental but could eventually make it possible for developers to address some of the most basic concerns about running applications in any multi-tenant environment. Container systems like Docker and Kubernetes are designed largely to allow untrusted applications to run without exposing the underlying operating system to badness. Asylo (Greek for "safe place") aims to solve the opposite problem -- allowing absolutely trusted applications to run in "Trusted Execution Environments" (TEEs), which are specialized execution environments that act as enclaves and protect applications from attacks on the underlying platform they run on.
Programming

One Of LLVM's Top Contributors Quits Development Over Code of Conduct, Outreach Program (phoronix.com) 1235

Rafael Avila de Espindola is the fifth most active contributor to LLVM with more than 4,300 commits since 2006, but now he has decided to part ways with the project. From a report: Rafael posted a rather lengthy mailing list message to fellow LLVM developers today entitled I am leaving llvm. He says the reason for abandoning LLVM development after 12 years is due to changes in the community. In particular, the "social injustice" brought on by the organization's new LLVM Code of Conduct and its decision to participate in this year's Outreachy program to encourage women and other minority groups to get involved with free software development. "I am definitely sad to lose Rafael from the LLVM project, but it is critical to the long term health of the project that we preserve an inclusive community. I applaud Rafael for standing by his personal principles, this must have been a hard decision," Chris Lattner tweeted Thursday.
Education

Ask Slashdot: What Should I Study? 214

A fellow Slashdot reader is seeking advice on a new field of study: After many years at the same company, I'm now thinking of a change. At my current place of work, I have worked on many different projects, from server side development, to UI development, and most recently, a lot of data science work. If I were to rate myself, I consider myself to be a good developer, thorough, conscientious and always willing to learn new things. Even my recent foray into data science (though not entirely new, since my graduate studies specialized in machine learning) has had reasonable success, and ideally, I'd really like to continue working in this space.

But, I'm starting to feel in a rut and I'm looking for a change. And looking outside my company, I'm not sure how to begin. Should I hit the books again? Should I focus on any specific technologies? I haven't particularly kept up with new technology -- after working for so long, I tend to think of that as something I can learn, when I need to. Any advice on how I should go about preparing for interviews? I'm quite willing to put a few months of work into prep, so all suggestions are welcome!
