Programming

Is Visual Basic .NET More Popular Than JavaScript? (zdnet.com) 100

Microsoft's Visual Basic .NET now ranks above JavaScript, PHP, and SQL on TIOBE's index of programming language popularity, which ZDNet notes is "the highest it's ever been since [TIOBE] started tracking the Microsoft language in 2001." TIOBE analysts said it was "very surprising" that Visual Basic .Net is now the fifth most popular language, behind only C++, Python, C, and Java. It's even ahead of JavaScript, which currently lies in seventh place, down from sixth a year ago. C# meanwhile fell from fifth place a year ago to sixth this month. The index still reckons Visual Basic .Net will "sooner or later go into decline", but concedes it's popular for dedicated office applications in small and medium enterprises, and is probably still used by many developers because it's easy to learn.
TIOBE's methodology "basically... comes down to counting hits for the search query +"<language> programming"," TIOBE explains on its web page -- though its results don't always agree with those of other analysts.

InfoWorld points out that this month's PyPL Popularity of Programming Language index, which analyzes how often language tutorials are searched for on Google, "doesn't even register Visual Basic.Net or Visual Basic among its Top 10 languages" -- and there JavaScript comes in third, behind only Python and Java.
Programming

Rust 1.31 Released As 'Rust 2018' In Major Push For Backwards Compatibility (rust-lang.org) 81

"The Rust programming language team has announced the first major edition of Rust since 1.0 was released in 2015," reports SD Times -- specifically, Rust 1.31, the first release of "Rust 2018," described by Rust's developers as "the culmination of feature stabilization."

An anonymous reader writes: The Rust team is working hard to maintain backwards compatibility, for example with the way they're handling the ongoing addition of an async/await feature. "Even though the feature hasn't landed yet, the keywords are now reserved," notes the Rust Team. "All of the breaking changes needed for the next three years of development (like adding new keywords) are being made in one go, in Rust 1.31." The keyword "try" has now also been reserved, but "Almost all of the new features are 100% compatible with Rust as it is. They don't require any breaking changes... New versions of the compiler will continue to support "Rust 2015 mode", which is what you get by default... [Y]ou could think of Rust 2018 as the specifier in Cargo.toml that you use to enable the handful of features that require breaking changes."

The Rust language's blog adds, "Your 2018 project can use 2015 dependencies, and a 2015 project can use 2018 dependencies. This ensures that we don't split the ecosystem, and all of these new things are opt-in, preserving compatibility for existing code. Furthermore, when you do choose to migrate Rust 2015 code to Rust 2018, the changes can be made automatically, via cargo fix." Tooling improvements include faster and smarter "incremental" compilation (along with better IDE support), plus the addition of function-like and attribute-like (procedural) macros. There's also a rustfmt tool which can automatically reformat your code's style "like clang-format does for C++ and Prettier does for JavaScript," plus an optional diagnostics linter named clippy, and automated code fixes via rustfix. There are also upgrades to Rust's module system and other path clarity improvements.

But this is only the beginning, SD Times reports: With the release of Rust 2018, the team is now starting to look at Rust's future. The team is asking developers to reflect on what they liked, didn't like or hoped to see in Rust during the last year, and propose any goals or directions for the upcoming year.
Open Source

Google Bridges Android, iOS Development With Flutter 1.0 (arstechnica.com) 116

Google has launched Flutter 1.0, the first stable release of its open source, cross-platform UI toolkit and SDK. "Flutter lets developers share a single code base across Android and iOS apps, with a focus on speed and maintaining a native feel," reports Ars Technica. From the report: Flutter enables cross-platform app code by sidestepping the UI frameworks of both Android and iOS. Flutter apps run on the Flutter rendering engine and Flutter framework, which are shipped with every app. The Flutter platform handles communication with each OS and can spit out Android and iOS binaries with native-looking widgets and scrolling behavior if desired. It's kind of like applying a "video game" style of development to apps: if you write for a game engine like Unity or Unreal, those engines are packaged with your game, allowing it to run on multiple different platforms. It's the same deal with Flutter.

Flutter apps are written in Dart, and the SDK offers programmers nice quality-of-life benefits like the "stateful hot reload," a way to instantly make code changes appear in the emulator. For IDEs, there are plugins for Visual Studio Code, Android Studio, and IntelliJ. Apps come with their own set of Flutter UI widgets for Android and iOS, with the iOS widgets closely following Apple's guidelines and the Android widgets following Google's Material Design. Flutter is designed to be fast, with its custom app engine running on Google's hardware-accelerated Skia engine. This means 60fps apps on Android and iOS and a path for 120fps apps in the future. This is a bigger deal on Android than it is on iOS.
The Google Ads app is already built on Flutter, which means Google "thinks Flutter is ready for prime time," writes Ron Amadeo. There's a list of other apps built on Flutter, too. Amadeo goes on to suggest that Flutter may be the path to Android's replacement. "Flutter ships its own app engine on Android and iOS, but in secret, Google is also developing an OS called 'Fuchsia' that runs these Flutter apps natively," writes Amadeo. "With Fuchsia, Google would switch from the Android apps written in Java to Flutter apps written in Dart..."
Privacy

The Secret Service Wants To Test Facial Recognition Around the White House (theverge.com) 55

The Secret Service is planning to test facial recognition surveillance around the White House, "with the goal of identifying 'subjects of interest' who might pose a threat to the president," reports The Verge. The document with the plans was published by the American Civil Liberties Union, describing "a test that would compare closed circuit video footage of public White House spaces against a database of images -- in this case, featuring employees who volunteered to be tracked." From the report: The test was scheduled to begin on November 19th and to end on August 30th, 2019. While it's running, film footage with a facial match will be saved, then confirmed by human evaluators and eventually deleted. The document acknowledges that running facial recognition technology on unaware visitors could be invasive, but it notes that the White House complex is already a "highly monitored area" and people can choose to avoid visiting. We don't know whether the test is actually in operation, however. "For operational security purposes we do not comment on the means and methods of how we conduct our protective operations," a spokesperson told The Verge.

The ACLU says that the current test seems appropriately narrow, but that it "crosses an important line by opening the door to the mass, suspicionless scrutiny of Americans on public sidewalks" -- like the road outside the White House. (The program's technology is supposed to analyze faces up to 20 yards from the camera.) "Face recognition is one of the most dangerous biometrics from a privacy standpoint because it can so easily be expanded and abused -- including by being deployed on a mass scale without people's knowledge or permission."

Microsoft

Microsoft Launches Visual Studio 2019 Preview 1 For Windows and Mac; Open-Sources WPF, Forms and WinUI (venturebeat.com) 72

An anonymous reader writes: At its Microsoft Connect(); 2018 virtual event today, Microsoft announced the initial public preview of Visual Studio 2019 -- you can download it now for Windows and Mac. Separately, .NET Core 2.2 has hit general availability and .NET Core 3.0 Preview 1 is also available today.

At the event today, Microsoft also made some open-source announcements, as is now common at the company's developer shindigs. Microsoft open-sourced three popular Windows UX frameworks on GitHub: Windows Presentation Foundation (WPF), Windows Forms, and Windows UI XAML Library (WinUI). Additionally, Microsoft announced the expansion of the .NET Foundation's membership model.

Christmas Cheer

2018 Advent Calendars Launched for Computer Programmers and Web Geeks (24ways.org) 39

An anonymous reader writes: Saturday the Perl Advent Calendar entered its 19th year by describing how the Wise Old Elf used a Calendar::List module from CPAN to update his Elven Perl Monger website with all the dates for 2019. ("It is a well known fact that all of Santa's Elves are enthusiastic Perl Developers in their free time, contributing regularly to many of the amazing Perl projects we've come to know and love...")

But meanwhile, the Perl 6 Advent Calendar was describing how Santa gets data into the North Pole's CRM by defining a grammar unit which can be parsed using a built-in method (to trim out children's signatures) -- only to be chastised by his IT elf for failing to document his solution using Perl 6's built in markup language.

And 24Ways.org is also presenting its 14th annual "advent calendar for web geeks," a nicely-formatted offering that promises "a daily dose of web design and development goodness to bring you all a little Christmas cheer."

Meanwhile, the Go language site Gopher Academy launched their 6th annual advent calendar, describing how to split data with content-defined chunking.

Jose Valim, creator of the Elixir programming language, has also announced the fourth annual "Advent of Code," an event created by Eric Wastl that features an ongoing story that presents "a series of small programming puzzles for a variety of skill sets and skill levels in any programming language you like." (The folks behind the Nim programming language are even organizing their own leaderboard at Nim-lang.org.)

And even QEMU, a free and open-source emulator performing hardware virtualization, is getting into the act with a QEMU advent calendar offering "an amazing QEMU disk image" each day through December 24th.

Feel free to leave a comment with your own reactions -- or with the URL for your own favorite online geek advent calendars...
Databases

Amazon Will Be Off All Oracle Databases By End of 2019, Says AWS Chief 61

Amazon Web Services CEO Andy Jassy said in an interview on Wednesday that almost all of Amazon's databases that ran on Oracle will be on an Amazon database instead. "We're virtually done moving away from Oracle on the database side," Jassy said. "And I think by the end of 2019 or mid-2019 we'll be done." CNBC reports: Amazon is reducing its reliance on Oracle for its data needs and is instead using its own services. Jassy said 88 percent of Amazon databases that were running on Oracle will be on Amazon DynamoDB or Amazon Aurora by January. He added that 97 percent of "mission critical databases" will run on DynamoDB or Aurora by the end of the year. On Nov. 1, Amazon moved its data warehouse from Oracle to its own service, Redshift, Jassy said.
Youtube

YouTube To Make New Originals Available For Free, Ad-Supported Viewing (variety.com) 63

YouTube is removing the paywall for its original programming. Starting next year, the company will move to make all of its new original programming available for free for anyone to watch. "With the change, YouTube is moving toward more mainstream celebrity-driven and creator-based reality fare, while it will continue to greenlight scripted productions," reports Variety. From the report: Until now, YouTube Originals have mainly been available on its YouTube Premium subscription service, although YouTube also has expanded the shows and movies it makes available on an ad-supported basis. The company calls the new YouTube Originals strategy its "Single Slate," which will combine ad-supported and subscription VOD programming initiatives that by 2020 will provide free windows for all YouTube users. Some original productions will remain behind the paywall, including season 2 of "Cobra Kai," an offshoot of the "Karate Kid" movies. Moving forward, YouTube Premium will include early access to original, exclusive content as a reason to pay for the service. YouTube has faced stiff competition in trying to lure paying customers with original content against the likes of Netflix, Hulu and Amazon, which spend far more on content. "As we look to 2019, we will continue to invest in scripted programming and shift to make our YouTube Originals ad supported to meet the growing demand of a more global fanbase," a YouTube rep said in a statement. "This next phase of our originals strategy will expand the audience of our YouTube Original creators, and provide advertisers with incredible content that reaches the YouTube generation."
Programming

Does Switching Jobs Make You a Worse Programmer? (forrestbrazeal.com) 227

Slashdot reader theodp shares some thoughts from Virginia-based cloud architect Forrest Brazeal, who believes that switching jobs or teams makes you -- at least temporarily -- a worse programmer: "When you do take a new job," Brazeal writes, "everybody else will know things you don't know. You'll expend an enormous amount of time and mental energy just trying to keep up. This is usually called 'the learning curve'. The unstated assumption is that you must add new knowledge on top of the existing base of knowledge you brought from your previous job in order to succeed in the new environment.

"But that's not really what's happening. After all, some of your new coworkers have never worked at any other company. You have way more experience than they do. Why are they more effective than you right now? Because, for the moment, your old experience doesn't matter. You don't just need to add knowledge; you need to replace a wide body of experiences that became irrelevant when you turned in your notice at the old job. To put it another way: if you visualize your entire career arc as one giant learning curve, the places where you change jobs are marked by switchbacks."

He concludes, "I'm not saying you shouldn't switch jobs. Just remember that you can't expect to be the same person in the new cubicle. Your value is only partly based on your own knowledge and ingenuity. It's also wrapped up in the connections you've made inside your team: your ability to help others, their shared understanding of your strengths and weaknesses, and who knows what else. You will have to figure out new paths of communication in the new organization, build new backlogs of code references pertaining to your new projects, and find new mentors who can help you continue to grow. You will have to become a different programmer.

"There is no guarantee you will be a better one."

This seems counter-intuitive to me -- but what do Slashdot's readers think? Does switching jobs make you a worse programmer?
Programming

Microsoft's TypeScript Dominates In 'State of JavaScript 2018' Report (stateofjs.com) 68

This week a Paris-born designer/developer (now living in Osaka) announced the results of the third annual "State of JavaScript" survey of over 20,000 JavaScript developers in 153 countries "to figure out what they're using, what they're happy with, and what they want to learn."

An anonymous reader writes: Among its findings? The number of people who have used Microsoft's TypeScript and said they would use it again has increased from 20.08% in 2016 to 46.7% in 2018, "and in some countries that ratio even went over 50%." More than 7,000 respondents indicated they liked its "robust, less error-prone code" and another 5,500 cited "elegant programming style and patterns." A blog post announcing the results declares TypeScript "the clear leader" among other syntaxes and languages that can compile to JavaScript.

Meanwhile, when it comes to frameworks, "only React has both a high satisfaction ratio and a large user base, although Vue is definitely getting there." Elsewhere the report notes Vue has already overtaken React for certain metrics such as total GitHub stars. "Angular on the other hand does boast a large user base, but its users don't seem too happy," the announcement adds, although later the report argues that Angular's poor satisfaction ratio "is probably in part due to the confusion between Angular and the older, deprecated AngularJS (previous surveys avoided this issue by featuring both as separate items)."

94% of the survey's respondents were male, and "Years of experience" for the respondents seemed to cluster in three cohorts in the demographics breakdown: 27.8% of respondents reported they had 2-5 years of experience, while 28% reported 5-10 years, and 24% reported 10-20 years.

There's a beautiful interactive graphic visualizing "connections between technologies," where a circle's outer red band is segmented based on the popularity of JavaScript libraries, while hovering over each band reveals the popularity of other libraries with its users. But while this year's results were presented on a "dark mode" web page, the survey's announcement concedes that this year's trends didn't include many surprises.

"TL;DR: things didn't change that much this year."
Microsoft

That Time The Windows Kernel Fought Gamma Rays Corrupting Its Processor Cache (microsoft.com) 166

Long-time Microsoft programmer Raymond Chen recently shared a memory about an unusual single-line instruction that was once added into the Windows kernel code -- accompanied by an "incredulous" comment from the Microsoft programmer who added it:

;
; Invalidate the processor cache so that any stray gamma
; rays (I'm serious) that may have flipped cache bits
; while in S1 will be ignored.
;
; Honestly. The processor manufacturer asked for this.
; I'm serious.
invd

"Less than three weeks later, the INVD instruction was commented out," writes Chen. "But the comment block remains.

"In case we decide to resume trying to deal with gamma rays corrupting the processor cache, I guess."
PHP

PHP 7.3 Performance Benchmarks Are Looking Good Days Ahead Of Its Release (phoronix.com) 91

PHP 7.3 RC6 was released earlier this week. Phoronix ran some benchmarks and compared the performance of v7.3 RC6 with releases going back to the v5.5 series. From the story: I ran some fresh benchmarks over the past day on PHP 5.5.38, PHP 5.6.38, PHP 7.0.32, PHP 7.1.24, PHP 7.2.12, and the PHP 7.3.0-RC6 test release. All of the PHP5/PHP7 builds were configured and built in the same manner. All tests happened from the same Dell PowerEdge R7425 dual EPYC server running Ubuntu 18.10 Linux.

Besides continuing to evolve the performance of PHP7, the PHP 7.3 release is also delivering on FFI (the Foreign Function Interface) to access functions / variables / data structures from the C language, a platform-independent manner for obtaining information on network interfaces, an is_countable() call, WebP support within GD's image create from string, updated SQLite support, improved PHP garbage collection performance, and many other enhancements. PHP 7.3 is just shy of 10% faster than PHP 7.2 in the popular PHPBench. PHP 7.3 is 31% faster than PHP 7.0 or nearly 3x the speed of PHP5.

Programming

GitHub's Four Most Popular Programming Languages Remain: JavaScript, Java, Python, and PHP (thenewstack.io) 144

A recent TechCrunch article claimed to have identified the best indicator of programming language popularity: GitHub's annual "State of the Octoverse" reports. So Austin-based technology reporter Mike Melanson explored the new verdict in GitHub's 2018 report: It felt to me like the overarching theme of the numbers was one of quiet stasis for the year past, at least when it comes to those languages deemed the cream of the crop. One of the first graphics offered in the post shows the top languages according to the number of repositories created and we see that everything seems to be flowing along, just as it has for the last decade. While GitHub points to a "steady uptick" for JavaScript after 2011, it looks like this list of languages hasn't changed much over time. [The graphic shows the four most popular languages -- every year since early 2014 -- have been JavaScript, Java, Python, and PHP.]

When we look at the top languages according to the number of contributors, we see a similar story, with the top four languages mirrored. In this chart, of course, we see that Ruby is on a steady decline, while TypeScript is on a steady rise. The only surprise to be seen here is that C, after a brief uptick in popularity, has taken a bit of a nosedive over the past year. Either way, seven of 10 languages have the same exact ranking....

Finally, beyond the language rankings themselves, GitHub offers a wonderful analysis of just what it is that makes a particular language popular in 2018, boiling it down to three key characteristics: thread safety, interoperability, and being open source.

GitHub's report also identifies its fastest growing languages over the last year -- including Kotlin, TypeScript, Rust, Python, and Go. "This year, TypeScript shot up to #7 among top languages used on the platform overall, after making its way in the top 10 for the first time last year," the report notes.

"TypeScript is now in the top 10 most used languages across all regions GitHub contributors come from -- and across private, public, and open source repositories."
Java

Amazon Releases A No-Cost Distribution of OpenJDK (sdtimes.com) 95

An anonymous reader quotes SD Times: Amazon wants to make sure Java is available for free to its users in the long term with the introduction of Amazon Corretto. The solution is a no-cost, multi-platform, production-ready distribution of the Open Java Development Kit (OpenJDK). "Java is one of the most popular languages in use by AWS customers, and we are committed to supporting Java and keeping it free," Arun Gupta, principal open-source technologist at Amazon, wrote in a blog post. "Many of our customers have become concerned that they would have to pay for a long-term supported version of Java to run their workloads. As a first step, we recently re-affirmed long-term support for Java in Amazon Linux. However, our customers and the broader Java community run Java on a variety of platforms, both on and off of AWS."

Amazon Corretto will be available with long-term support and Amazon will continue to make performance enhancements and security fixes to it, the company explained. Amazon plans on making quarterly updates with bug fixes and patches, as well as any urgent fixes necessary outside of its schedule... Corretto 8 is available as a preview with features corresponding to those in OpenJDK 8. General availability for the solution is planned for Q1 2019... "Corretto is designed as a drop-in replacement for all Java SE distributions unless you're using features not available in OpenJDK (e.g., Java Flight Recorder)," Gupta wrote....

According to Gupta, Corretto 8 will be available at no cost until at least June of 2023. The company is working on Corretto 11, which will be available until at least August of 2024. "Amazon has already made several contributions to OpenJDK 8 and we look forward to working closely with the OpenJDK community on future enhancements to OpenJDK 8 and 11," Gupta wrote. "We downstream fixes made in OpenJDK, add enhancements based on our own experience and needs, and then produce Corretto builds. In case any upstreaming efforts for such patches are not successful, delayed, or not appropriate for the OpenJDK project, we will provide them to our customers for as long as they add value. If an issue is solved a different way in OpenJDK, we will move to that solution as soon as it is safe to do so."

Programming

GitHub's Annual Report Reveals This Year's Top Contributor: Microsoft (github.com) 67

GitHub saw more than 67 million pull requests this year -- more than a third of GitHub's "lifetime" total of 200 million pull requests since its launch in 2008. It now hosts 96 million repositories, and has over 31 million contributors -- including 8 million who just joined within the last 12 months.

These are among the facts released in GitHub's annual "State of the Octoverse" report -- a surprising number of which involve Microsoft.
  • GitHub's top project this year, by contributor count, was Microsoft's Visual Studio Code (with 19,000 contributors), followed by Facebook's React Native (10,000), TensorFlow (9,300) and Angular CLI (8,800) -- as well as Angular (7,600) -- and the open source documentation for Microsoft Azure (7,800).
  • Microsoft now has more employees contributing to open source projects than any other company or organization (7,700 employees), followed by Google (5,500), Red Hat (3,300), U.C. Berkeley (2,700), and Intel (2,200).
  • The open source documentation for Microsoft Azure is GitHub's fastest-growing open source project, followed by PyTorch (an open source machine learning library for Python).
  • Among the "Cool new open source projects" is an Electron app running Windows 95.

But more than 2.1 million organizations are now using GitHub (including public and private repositories) -- which is 40% more than last year -- and the report offers a fun glimpse into the minutiae of life in the coding community.

Read on for more details.


Java

People Sensitive To Caffeine's Bitter Taste Drink More Coffee, Study Finds (npr.org) 60

An anonymous reader quotes a report from NPR: A team of researchers conducted their analysis using data stored in something called the UK Biobank. More than 500,000 people have contributed blood, urine and saliva samples to the biobank, which scientists can use to answer various research questions. The volunteers also filled out questionnaires asking a variety of health-related questions, including how much coffee they drink. Part of what determines our sensitivity to bitter substances is determined by the genes we inherit from our parents. So the researchers used genetic analysis of samples from the biobank to find people who were more or less sensitive to three bitter substances: caffeine, quinine (think tonic water) and a chemical called propylthiouracil that is frequently used in genetic tests of people's ability to taste bitter compounds.

Then they looked to see if people sensitive to one or more of these substances drank more or less coffee than people who were not sensitive. To the researchers' surprise, people who were more sensitive to caffeine reported increased coffee consumption compared with people who were less sensitive. The result was restricted to the bitterness of caffeine. People sensitive to quinine and propylthiouracil -- neither of which is in coffee -- tended to drink less coffee. The effect of increased caffeine sensitivity was small: it only amounted to about two tablespoons more coffee per day. But by analyzing so many samples, the researchers were able to detect even small differences like that.
The reason may be that people "learn to associate that bitter taste with the stimulation that coffee can provide," says one of the study authors.
Java

There Is No Link Between Insomnia and Early Death, Study Finds (bbc.com) 58

A new report published on the journal platform ScienceDirect says there is no link between insomnia and early death. The researchers reportedly "reviewed 17 studies, which covered close to 37 million people, to compile their results," the BBC notes. From the report: This new report goes against what the NHS says, which claims that as well as putting people at risk of obesity, heart disease and type 2 diabetes, insomnia shortens life expectancy. The NHS recommends things like exercising to tire yourself out during the day and cutting down on caffeine. It also says smoking, eating too much or drinking alcohol late at night can stop you from sleeping well. Other recommendations include writing a list of things that are playing on your mind and trying to get to bed at a similar time every night. "There was no difference in the odds of mortality for those individuals with symptoms of insomnia when compared to those without symptoms," the study says. "This finding was echoed in the assessment of the rate of mortality in those with and without symptoms of insomnia using the outcomes of multivariate models, with the most complete adjustment for potential confounders, as reported by the individual studies included in this meta-analysis. Additional analyses revealed a tendency for an increased risk of mortality associated with hypnotic use."
Windows

Microsoft Store Starts Accepting Windows 10 on ARM Apps (venturebeat.com) 35

Microsoft announced Friday that it is opening up its online apps store to 64-bit ARM app submissions from developers, further cementing its commitment to make Windows 10 on ARM a viable platform. From a report: Also, with the release of Visual Studio 2017 version 15.9 this week, developers can now create ARM64 apps using officially supported SDK and tools. Microsoft announced Windows 10 on ARM in December 2017 with three big feature promises: The screen turns on "instantly," unlike existing PCs; LTE is built right in; and the battery can last for days. But the unveiling came with a big caveat. These Always Connected PCs, as Microsoft and Qualcomm call them, were not coming anytime soon. [...] Microsoft wants to help address the performance problems by getting developers to rebuild apps for the platform. Developers can now use Visual Studio 15.9 to recompile UWP and C++ Win32 apps to run natively on Windows 10 on ARM devices.
Bug

The Internet Has a Huge C/C++ Problem and Developers Don't Want to Deal With It (vice.com) 663

What do Heartbleed, WannaCry, and million dollar iPhone bugs have in common? From a report: One bug affects iPhones, another affects Windows, and the third affects servers running Linux. At first glance these might seem unrelated, but in reality all three were made possible because the software that was being exploited was written in programming languages which allow a category of errors called "memory unsafety." By allowing these types of vulnerabilities, languages such as C and C++ have facilitated a nearly unending stream of critical computer security vulnerabilities for years.

Imagine you had a program with a list of 10 numbers. What should happen if you asked the list for its 11th element? Most of us would say an error of some sort should occur, and in a memory safe programming language (for example, Python or Java) that's what would happen. In a memory unsafe programming language, it'll look at wherever in memory the 11th element would be (if it existed) and try to access it. Sometimes this will result in a crash, but in many cases you get whatever happens to be at that location in memory, even if that portion of memory has nothing to do with our list. This type of vulnerability is called a "buffer-overflow," and it's one of the most common types of memory unsafety vulnerabilities. Heartbleed, which impacted 17 percent of the secure web servers on the internet, was a buffer-overflow exploit, letting you read 60 kilobytes past the end of a list, including passwords and other users' data.
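The "11th element" scenario above, carried through in C as an added example (this code is not from the Vice article or any project it names). The layout is constructed: a 10-byte list is placed directly in front of a sample secret inside one larger array, so that the over-read is deterministic and stays within defined behaviour; in a real process the bytes after the list are whatever the allocator left there. The first pair of functions shows the unchecked index read beside its bounds-checked form; the second pair shows a Heartbleed-shaped length-trusting copy beside the fix, which validates the requested length against the list's real size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for process memory: a list of LIST_LEN numbers that
 * happens to sit right in front of a secret that has nothing to do with the
 * list (think: another user's password). Both live in one array so the
 * over-read below is deterministic, well-defined C; in real code the bytes
 * after the list are whatever the allocator put there.
 */
enum { LIST_LEN = 10, ARENA_LEN = 64 };

static uint8_t arena[ARENA_LEN];          /* list at [0, 10), secret right after it */
static const char SECRET[] = "hunter2";   /* constructed sample secret, 8 bytes with NUL */

void setup_memory(void)
{
    memset(arena, 0, sizeof arena);
    for (size_t i = 0; i < LIST_LEN; i++)
        arena[i] = (uint8_t)(i + 1);      /* the list: 1, 2, ..., 10 */
    memcpy(arena + LIST_LEN, SECRET, sizeof SECRET);
}

/* Memory-unsafe: "the 11th element" is simply whatever byte follows the list. */
uint8_t get_unchecked(size_t index)
{
    const uint8_t *list = arena;
    return list[index];
}

/* Bounds-checked: an index past the end is an error, not a read. */
int get_checked(size_t index, uint8_t *out)
{
    const uint8_t *list = arena;
    if (index >= LIST_LEN)
        return -1;
    *out = list[index];
    return 0;
}

/*
 * Heartbleed-shaped over-read: the caller says how many bytes of the list it
 * wants, and the function trusts that number instead of the list's real size.
 * Returns the number of bytes copied into out.
 */
size_t read_list_unchecked(size_t requested, uint8_t *out, size_t out_cap)
{
    const uint8_t *list = arena;
    size_t n = requested < out_cap ? requested : out_cap;
    memcpy(out, list, n);                 /* copies past the list when requested > LIST_LEN */
    return n;
}

/* Fixed form: the request is validated against the list's actual length. */
int read_list_checked(size_t requested, uint8_t *out, size_t out_cap)
{
    const uint8_t *list = arena;
    if (requested > LIST_LEN || requested > out_cap)
        return -1;
    memcpy(out, list, requested);
    return (int)requested;
}

int main(void)
{
    uint8_t buf[ARENA_LEN];
    uint8_t v = 0;
    setup_memory();

    printf("get_unchecked(10) = 0x%02x ('%c')\n", get_unchecked(10), get_unchecked(10));
    printf("get_checked(10)   -> %d\n", get_checked(10, &v));

    size_t n = read_list_unchecked(LIST_LEN + sizeof SECRET, buf, sizeof buf);
    printf("unchecked read of %zu bytes leaks: \"%s\"\n", n, (const char *)(buf + LIST_LEN));
    printf("checked read of the same length -> %d\n",
           read_list_checked(LIST_LEN + sizeof SECRET, buf, sizeof buf));
    return 0;
}
```

The unchecked index returns the first byte of the secret as if it were the 11th number, and the unchecked copy hands back the whole secret after the list; the checked variants refuse both requests. The fix in each case is the same one OpenSSL applied for Heartbleed: compare the caller-supplied index or length against the size the data structure actually has before touching memory.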

Ruby

Deserialization Issues Also Affect Ruby -- Not Just Java, PHP, and .NET (zdnet.com) 62

An anonymous reader writes: The Ruby programming language is impacted by a similar "deserialization issue" that has affected and wreaked havoc in the Java ecosystem in 2016; an issue that later also proved to be a problem for .NET and PHP applications as well. Researchers published proof-of-concept code this week showing how to exploit serialization/deserialization operations supported by the built-in features of the Ruby programming language itself.

"Versions 2.0 to 2.5 are affected," researchers said. "There is a lot of opportunity for future work including having the technique cover Ruby versions 1.8 and 1.9 as well as covering instances where the Ruby process is invoked with the command line argument --disable-all," the elttam team added. "Alternate Ruby implementations such as JRuby and Rubinius could also be investigated."

The deserialization issues can be used for remote code execution and taking over vulnerable servers. While .NET and PHP were affected, it is Java that until now has faced the biggest issues with deserialization, with Oracle announcing earlier this year that it was dropping deserialization support from the Java language's standard package.
