secwatcher shares a report from Threatpost: A gamut of kids' GPS-tracking watches are exposing sensitive data involving 35,000 children -- including their location, in real time. Researchers from Pen Test Partners specifically took a look at the Gator portfolio of watches from TechSixtyFour. The Gator line had been in the spotlight in 2017 for having a raft of vulnerabilities, called out by the Norwegian Consumers Council in its WatchOut research. "A year on, we decided to have a look at the Gator watch again to see how their security had improved," said Vangelis Stykas, in a Tuesday posting. "Guess what: a train wreck. Anyone could access the entire database, including real-time child location, name, parents' details etc. Not just Gator watches either -- the same back end covered multiple brands and tens of thousands of watches." "At issue was an easy-to-exploit, severe privilege-escalation vulnerability: The system failed to validate that the user had the appropriate permission to take admin control," reports Threatpost. "An attacker with access to the watch's credentials simply needed to change the user level parameter in the backend to an admin designation, which would provide access to all account information and all watch information."

Facebook is not the only one abusing Apple's system for distributing employee-only apps to sidestep the App Store and collect extensive data on users. Google has been running an app called Screenwise Meter, which bears a strong resemblance to the app distributed by Facebook Research that has now been barred by Apple, TechCrunch reported Wednesday. From the report: In its app, Google invites users aged 18 and up (or 13 if part of a family group) to download the app by way of a special code and registration process using an Enterprise Certificate. That's the same type of policy violation that led Apple to shut down Facebook's similar Research VPN iOS app, which had the knock-on effect of also disabling usage of Facebook's legitimate employee-only apps -- which run on the same Facebook Enterprise Certificate -- and making Facebook look very iffy in the process. It needs to be pointed out that Google's app is relatively transparent about what it does and who runs it.

Following Mozilla's footsteps, Google has released Chrome 72 for Windows, Mac, and Linux. From a report: The release includes code injection blocking and new developer features. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome's regular additions and changes, developers often must make an effort to stay on top of everything available -- as well as what has been deprecated or removed -- most notably, Chrome 72 removes support for Chromecast setup on a computer. To set up a Chromecast, you'll now need to use a mobile device.

As this isn't a major release, there aren't many new features to cover. Chrome 72 for Windows, however, blocks code injections, reducing crashes caused by third-party software. The initiative to block code injections in Chrome started last year, with warnings letting users know that Chrome was fighting back. Those warnings are now gone, and Chrome blocks code injections full stop. Further reading: All the Chromium-based browsers.

An anonymous reader writes: Today, HackerRank released the 2019 edition of its annual Developer Skills Report (PDF), surveying over 71,000 software developers from more than 100 countries. Every single industry requires software developers, meaning competition for technical talent is fierce. The idea here is to help everyone from CEOs and executives to hiring managers and recruiters understand the developers they're pursuing. We've put together a quick video to summarize the results. HackerRank asked developers which programming languages they knew and which ones they wanted to learn. Seventy-three percent of developers said they knew JavaScript in 2018, up from 66 percent in 2017. JavaScript was 2018's most well-known language, compared to Java in 2017.

According to a report from Reason magazine, Twitter users who comment the "learn to code" advice at journalists who just lost their jobs might be treated as "abusive behavior," which is a violation of the social media site's terms of service. The rumor comes from Jon Levine, Media Editor at The Wrap. From the report: The Wrap's Jon Levine said representatives for the social media company had backed away from the position they related to him earlier, which was that the phrase "learn to code" itself constituted abusive behavior. The new position seems to be that "learn to code" is not de facto harassment, but could be considered harassment if tweeted aggressively as part of campaign to intimidate a specific user, in accordance with Twitter's somewhat vague abusive behavior policy. In an email to Reason, a Twitter spokesperson said: "Twitter is responding to a targeted harassment campaign against specific individuals -- a policy that's long been against the Twitter Rules."

Last week, journalists from BuzzFeed, HuffPost, Yahoo, AOL, and others, were let go. BuzzFeed founder and CEO, Jonah Peretti, said the company "would reduce headcount by 15%, or about 250 jobs, to around 1,100 employees globally," reports The Guardian. "At the same time, Verizon said it would trim 7% of headcount, about 800 people, from its media unit, which includes HuffPost, Yahoo and AOL. The job losses followed sales or cuts at Mic, Refinery29 and elsewhere."

Wave723 writes: To make its developers' jobs more rewarding, Facebook is now using two automated tools called Sapienz and SapFix to find and repair low-level bugs in its mobile apps. Sapienz runs the apps through many tests to figure out which actions will cause it to crash. Then, SapFix recommends a fix to developers, who review it and decide whether to accept the fix, come up with their own, or ignore the problem.

"Time and again, security experts and vendors alike will recommend to organizations and end users to keep software and systems updated with the latest patches," reports eWeek. "But what happens when the application infrastructure that is supposed to deliver those patches itself is at risk?" That's what open-source and Linux users were faced with this past week with a pair of projects reporting vulnerabilities. On January 22, the Debian Linux distribution reported a vulnerability in its APT package manager that is used by end users and organizations to get application updates. That disclosure was followed a day later, on January 23, with the PHP PEAR (PHP Extension and Application Repository) shutting down its primary website, warning that it was the victim of a data breach. PHP PEAR is a package manager that is included with many Linux distributions as part of the open-source PHP programming language binaries....

In the Debian APT case, a security researcher found a flaw, reported it, and the open-source project community responded rapidly, fixing the issue. With PHP PEAR issue, researchers with the Paranoids FIRE (Forensics, Incident Response and Engineering) Team reported that they discovered a tainted file on the primary PEAR website... Both PHP PEAR and Debian have issued updates fixing their respective issues. While both projects are undoubtably redoubling their efforts now with different security technologies and techniques, the simple fact is that the two issues highlight a risk with users trusting updating tools and package management systems.

Aside from some out-of-tree experiments last year by one of Valve's developers on a RADV Vulkan HUD of similar nature to the popular Gallium HUD option, it turns out an Intel developer has recently been working on a Vulkan overlay layer to provide "Gallium HUD" inspired information. From a report: Lionel Landwerlin is the open-source Intel developer that has begun working on this Intel Vulkan driver "heads-up display" implemented as a Vulkan overlay layer. The code is intended to provide Vulkan swapchain information and various statistics of use to Vulkan driver developers and game developers. The code is under a merge request for Mesa but is considered experimental at this point. Particularly for multi-threaded Vulkan programs it may end up crashing in its current form.

Google is asking the Supreme Court to make the final call in its infamous dispute with Oracle. "Today, the company announced it has filed a petition with the Court, asking the justices to determine the boundaries of copyright law in code," reports The Verge. From the report: The case dates back to 2010, when Oracle first accused Google of improperly using elements of Oracle's Java programming language to build Android. Oracle said that Google's use of Java application programing interfaces was a violation of copyright law. Google has responded that APIs are too fundamental to programming to be copyrighted. The case has led to two jury trials, and several rulings have doled out wins and losses to both companies over the course of eight years. Last year, a favorable Oracle decision set Google up to potentially lose billions of dollars.

Google asked for a Supreme Court hearing on the case in 2014, but the Court rejected the request at the time. The company says new issues are now at play, and is asking the Court to decide whether software interfaces can be copyrighted, and whether using them to build something new constitutes fair use under the law. In its new petition to the Supreme Court, Google says the case is not only important to copyright law, but has "sheer practical importance," as it centers around two touchstones of computing: Google's Android and Oracle's Java. The Court's intervention could alter the future of software, the company argues.

An anonymous reader quotes a report from Engadget: Unionization isn't a new idea for the game development industry, but it is a particularly hot and contentious topic right now. A handful of events in 2018 thrust the unionization conversation to the forefront, including Rockstar boss Dan Houser's comments about developers working 100-hour weeks to finish Red Dead Redemption 2, and the tragic implosion and bitter residue of Telltale Games. Groups like Game Workers Unite have been pounding the pavement (physically and digitally) and gathering support for unionization across the globe, with a goal to "bring hope to and empower those suffering in this industry." In December, a UK chapter of Game Workers Unite became a legal trade union.

With all of this conversation swirling around studio life, the folks behind the Game Developers Conference added new questions to the seventh annual State of the Industry Survey, which included responses from nearly 4,000 developers. The questions were broad: should the games industry unionize, and will the games industry unionize? Forty-seven percent of respondents said yes, game developers should unionize, while 16 percent said no and 26 percent said maybe. However, developers weren't exactly hopeful about unionization efforts. Just 21 percent of respondents said they thought the industry would unionize, and 39 percent said maybe. Twenty-four percent said it simply wasn't going to happen. The survey also found that 44 percent of developers worked more than 40 hours per week on average. Just over 1 percent said they worked more than 110 hours in a week, while 6 percent reported working 76 to 80 hours, "suggesting that deadline-related crunch can go far beyond normal working hours," according to the survey.

An anonymous reader quotes a report from The Guardian: Science may never tell us what lies round the next corner, but researchers have come up with the nearest thing: a computer program that turns a normal digital camera into a periscope. In a demonstration of "computational periscopy" a U.S. team at Boston University showed they could see details of objects hidden from view by analyzing shadows they cast on a nearby wall. Vivek Goyal, an electrical engineer at the university, said that while the work had clear implications for surveillance he hoped it would lead to robots that could navigate better and boost the safety of driverless cars.

In the latest feat, Goyal and his team used a standard digital camera and a mid-range laptop. The researchers, writing in the journal Nature, describe how they pieced together hidden scenes by pointing the digital camera at the vague shadows they cast on a nearby wall. If the wall had been a mirror the task would have been easy, but a matt wall scatters light in all directions, so the reflected image is nothing but a blur. They found that when an object blocked part of the hidden scene, their algorithms could use the combination of light and shade at different points on the wall to reconstruct what lay round the corner. In tests, the program pieced together hidden images of video game characters -- including details such as their eyes and mouths -- along with colored strips and the letters "BU." The program takes about 48 seconds to work out a hidden scene from a digital image, but the researchers believe it could be sped up with a faster computer. Eventually, it may be fast enough to run on video footage.

Goyal also said "it is even conceivable for humans to be able to learn to see around corners with their own eyes; it does not require anything superhuman."

Thousands of women were systematically underpaid at Oracle, one of Silicon Valley's largest corporations, according to a new motion in a class-action complaint that details claims of pervasive wage discrimination. From a report: A motion filed in California on Friday said attorneys seek to represent more than 4,200 women and alleged that female employees were paid on average $13,000 less per year than men doing similar work. An analysis of payroll data found disparities with an "extraordinarily high degree of statistical significance," the complaint said. Women made 3.8% less in base salaries on average than men in the same job categories, 13.2% less in bonuses, and 33.1% less in stock value, it alleges.

The civil rights suit comes as the tech industries faces increased scrutiny of gender and racial discrimination, including sexual misconduct, unequal pay and biased workplaces. The case against Oracle, which is headquartered in Redwood Shores and provides cloud computing services to companies across the globe, resembles high-profile litigation against Google, which has also faced repeated claims of systematic wage discrimination.

Devon Zuegel, "a developer with a passion for governance and economics," recently became GitHub's open source product manager to "support maintainers in cultivating vital, productive communities" -- specifically open source software (OSS).

Thursday they put out a call for feedback from open source developers about their contribution hours, their projects, and especially their issues: As the OSS community has grown in scale and importance, the way we think about working together has to evolve, too. What works in a village or a town needs to evolve to serve a metropolis. Open source has grown from a small, academic sharing network to a giant, global web of dependencies. It now forms the backbone of the internet and technology in general. Just like any growing city, we have to coordinate the knowledge, infrastructure, and tools for the good of the whole community. OSS is an essential and special part of software development.

OSS has also been the heart of GitHub since the beginning. However, there is so much more we could do to support the people behind it. I have many ideas, but first I want to hear from you.
The essay argues OSS maintainers and contributors "don't have all the tools, support, and environment they need to succeed," including analytics, communication resources, recognition and "proportionate incentive to contribute time and money to creating and maintaining projects." (As well as deficiencies in both governance and mentorship.) And at the bottom of the blog post, there's a contact form.

"I want you to be part of the conversation and our roadmap. These challenges are nuanced, and they are unique to each project and community, so it's crucial that we have an open dialogue as we focus on helping you address them."

An anonymous reader summarizes the changes in Thursday's release of Rust 1.32.0 stable: "Quality of life" improvements include a new dbg macro to easily print values for debugging without having to use a println statement. For example, dbg!(x); prints the filename and line number, as well as the variable's name and value, to stderr (rather than to standard output). Making it even more useful, the macro also returns the value of what it's debugging -- even all the boolean values returned by each execution of an if-then statement.

Rust macros can now match literals of any type (string, numeric, char) -- and the 2018 edition of Rust also allows ? for matching zero or one repetitions of a pattern.

In addition, all integral numeric primitives now provide conversion functions to and from byte-arrays with specified endianness.

An anonymous reader quotes ZDNet: MongoDB is an open-source document NoSQL database with a problem. While very popular, cloud companies, such as Amazon Web Services (AWS), IBM Cloud, Scalegrid, and ObjectRocket has profited from it by offering it as a service while MongoDB Inc. hasn't been able to monetize it to the same degree. MongoDB's answer? Relicense the program under its new Server Side Public License (SSPL).

Open-source powerhouse Red Hat's reaction? Drop MongoDB from Red Hat Enterprise Linux 8. Red Hat's Technical and Community Outreach Program Manager Tom Callaway explained, in a note stating MongoDB is being removed from Fedora Linux, that "It is the belief of Fedora that the SSPL is intentionally crafted to be aggressively discriminatory towards a specific class of users." Debian Linux had already dropped MongoDB from its distribution....

The business point behind MongoDB's license change is to force cloud companies to use one of MongoDB's commercial cloud offerings. This hasn't worked either. AWS just launched DocumentDB, a database, which "is designed to be compatible with your existing MongoDB applications and tools," wrote AWS evangelist Jeff Barr.

An anonymous reader quotes a report from MIT Technology Review: Algorithms are increasingly being used to make ethical decisions. They are built to pursue a single mathematical goal, such as maximizing the number of soldiers' lives saved or minimizing the number of civilian deaths. When you start dealing with multiple, often competing, objectives or try to account for intangibles like "freedom" and "well-being," a satisfactory mathematical solution doesn't always exist. "We as humans want multiple incompatible things," says Peter Eckersley, the director of research for the Partnership on AI, who recently released a paper that explores this issue. "There are many high-stakes situations where it's actually inappropriate -- perhaps dangerous -- to program in a single objective function that tries to describe your ethics." These solutionless dilemmas aren't specific to algorithms. Ethicists have studied them for decades and refer to them as impossibility theorems. So when Eckersley first recognized their applications to artificial intelligence, he borrowed an idea directly from the field of ethics to propose a solution: what if we built uncertainty into our algorithms?

Eckersley puts forth two possible techniques to express this idea mathematically. He begins with the premise that algorithms are typically programmed with clear rules about human preferences. We'd have to tell it, for example, that we definitely prefer friendly soldiers over friendly civilians, and friendly civilians over enemy soldiers -- even if we weren't actually sure or didn't think that should always be the case. The algorithm's design leaves little room for uncertainty. The first technique, known as partial ordering, begins to introduce just the slightest bit of uncertainty. You could program the algorithm to prefer friendly soldiers over enemy soldiers and friendly civilians over enemy soldiers, but you wouldn't specify a preference between friendly soldiers and friendly civilians. In the second technique, known as uncertain ordering, you have several lists of absolute preferences, but each one has a probability attached to it. Three-quarters of the time you might prefer friendly soldiers over friendly civilians over enemy soldiers. A quarter of the time you might prefer friendly civilians over friendly soldiers over enemy soldiers. The algorithm could handle this uncertainty by computing multiple solutions and then giving humans a menu of options with their associated trade-offs, Eckersley says.

An anonymous reader quotes a report from Ars Technica: Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection -- they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn't load on emulators researchers use to detect attacks. The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them. By contrast, emulators used by security researchers -- and possibly Google employees screening apps submitted to Play -- are less likely to use sensors. Two Google Play apps recently caught dropping the Anubis banking malware on infected devices would activate the payload only when motion was detected first. Otherwise, the trojan would remain dormant.

Security firm Trend Micro found the motion-activated dropper in two apps -- BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed them once it learned they were malicious. The motion detection wasn't the only clever feature of the malicious apps. Once one of the apps installed Anubis on a device, the dropper used requests and responses over Twitter and Telegram to locate the required command and control server. Once Anubis was installed, it used a built-in keylogger that can steal users' account credentials. The malware can also obtain credentials by taking screenshots of the infected users' screen.

A collection of almost 773 million unique email addresses and just under 22 million unique passwords were exposed on cloud service MEGA. Security researcher Troy Hunt said the collection of data, dubbed Collection #1, totaled over 12,000 separate files and more than 87GB of data. ZDNet reports: "What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see." Some passwords, including his own, have been "dehashed", that is converted back to plain text. Hunt said he gained the information after multiple people reached out to him with concerns over the data on MEGA, with the Collection #1 dump also being discussed on a hacking forum. "The post on the forum referenced 'a collection of 2000+ dehashed databases and Combos stored by topic' and provided a directory listing of 2,890 of the files," Hunt wrote. The collection has since been removed. You can visit Hunt's Have I Been Pwned service to see if you are affected by this breach.

In a bid to deliver better software experience on devices powered by 64-bit processors in the coming years, Google aims to shift Android towards a 64-bit app ecosystem. From a report: The company has now shed more light on the transition and has announced that developers will have to submit a 64-bit version of their Android apps starting August this year. This move will eventually culminate in a universal implementation of the 64-bit app policy that will be enforced in 2021, after which, Google will no longer host 32-bit apps on the Play Store accessed on a device based on 64-bit hardware. Google announced the move towards 64-bit apps in 2017, claiming that apps with 64-bit code offer significantly better performance. However, the search giant did not provide any details regarding the exceptions to the new rule or when the Play Store will cease to serve 32-bit apps. Google has now revealed that starting August 1 this year, developers must submit 64-bit versions of all new apps and app updates, alongside the old 32-bit versions prior to their publishing from the Play Store.

Federal prosecutors unveiled charges in an international stock-trading scheme that involved hacking into the Securities and Exchange Commission's EDGAR corporate filing system. "The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia and Ukraine," reports CNBC. "Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were 'test filings,' which corporations upload to the SEC's website." From the report: The scheme involves seven individuals and operated from May to at least October 2016. Prosecutors said the traders were part of the same group that previously hacked into newswire services. Carpenito, in a press conference Tuesday, said the thefts included thousands of valuable, private business documents. "After hacking into the EDGAR system they stole drafts of [these] reports before the information was disseminated to the general public," he said.

Those documents included quarterly earnings, mergers and acquisitions plans and other sensitive news, and the criminals were able to view it before it was released as a public filing, thus affecting the individual companies' stock prices. The alleged hackers executed trades on the reports and also sold them to other illicit traders. One inside trader made $270,000 in a single day, according to Carpenito. The hackers used malicious software sent via email to SEC employees. Then, after planting the software on the SEC computers, they sent the information they were able to gather from the EDGAR system to servers in Lithuania, where they either used it or distributed the data to other criminals, Carpenito said.