Ruby

Deserialization Issues Also Affect Ruby -- Not Just Java, PHP, and .NET (zdnet.com) 62

An anonymous reader writes: The Ruby programming language is impacted by a similar "deserialization issue" that has affected and wreaked havoc in the Java ecosystem in 2016; an issue that later also proved to be a problem for .NET and PHP applications as well. Researchers published proof-of-concept code this week showing how to exploit serialization/deserialization operations supported by the built-in features of the Ruby programming language itself.

"Versions 2.0 to 2.5 are affected," researchers said. "There is a lot of opportunity for future work including having the technique cover Ruby versions 1.8 and 1.9 as well as covering instances where the Ruby process is invoked with the command line argument --disable-all," the elttam team added. "Alternate Ruby implementations such as JRuby and Rubinius could also be investigated."

The deserialization issues can be used for remote code execution and taking over vulnerable servers. While .NET and PHP were affected, it was Java until now that has faced the biggest issues with deserialization; earlier this year, Oracle announced it was dropping deserialization support from the Java language's standard package.

Oracle

Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit (zdnet.com) 130

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.

Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."

Software

Amazon's Consumer Business Has Turned Off Its Oracle Data Warehouse (bloomberg.com) 134

An anonymous reader quotes a report from Bloomberg: Amazon.com Inc. has taken another step toward eliminating software from Oracle Corp. that has long helped the e-commerce giant run its retail business. An executive with Amazon's cloud-computing unit hit back at Oracle Executive Chairman Larry Ellison, who ridiculed the internet giant as recently as last month for relying on Oracle databases to track transactions and store information, even though Amazon sells competing software, including Redshift, Aurora and DynamoDB. Amazon's effort to end its use of Oracle's products has made new progress, Andy Jassy, the chief executive officer of Amazon Web Services, tweeted Friday. "In latest episode of 'uh huh, keep talkin' Larry,' Amazon's Consumer business turned off its Oracle data warehouse Nov. 1 and moved to Redshift," Jassy wrote. By the end of 2018, Amazon will stop using 88 percent of its Oracle databases, including 97 percent of its mission-critical databases, he added.

AI

Samsung Opens Its Voice Assistant Bixby To Developers as It Pursues Alexa and Siri 41

Samsung said Wednesday it was rolling out new voice-assistant features to challenge its U.S. rivals' dominance in AI. At its developer conference, where the company is also expected to unveil its first foldable smartphone, the company said it was fully opening its virtual assistant, called Bixby, to third-party developers and businesses for the first time. The move may help the company challenge incumbent players Amazon's Alexa, Apple's Siri, and Google's Assistant.

Much of the assistant market is yet to be tapped, and it is the right time for developers to embrace Bixby, an executive said. The company said it is offering a no-trade-off set of tools (what it calls Bixby Developer Studio) to developers to make use of Bixby. It's the first time any company is offering the full suite of tools that it uses to make its assistant to developers, the company said.

Further reading: VentureBeat.

China

Oracle Says China Telecom Has Misdirected Internet Traffic, Including Out of the US, in Recent Years (zdnet.com) 58

Oracle's Internet Intelligence division has confirmed today the findings of a recently published academic paper that accused China of "hijacking the vital internet backbone of western countries." From a report: The research paper was authored by researchers from the US Naval War College and Tel Aviv University and it made quite a few waves online after it was published. Researchers accused China Telecom, one of China's biggest state-owned internet service providers, of hijacking and detouring internet traffic through its normally-closed internet infrastructure. Some security experts contested the research paper's findings because it didn't come from an authoritative voice in the world of internet BGP hijacks, but also because the paper touched on many politically sensitive topics, such as China's cyber-espionage activities and how China used BGP hijacks as a way to circumvent the China-US cyber pact of 2015. But today, Doug Madory, Director of Oracle's Internet Analysis division (formerly Dyn), confirmed that China Telecom has, indeed, engaged in internet traffic "misdirection." "I don't intend to address the paper's claims around the motivations of these actions," said Madory. "However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years."

Java

People Who Prefer Black Coffee Are More Likely To Have Psychopathic Or Sadistic Traits, Study Finds (rd.com) 378

A new study conducted at the University of Innsbruck in Austria finds that people who drink their coffee black often have psychopathic or sadistic traits. The study surveyed more than 1,000 adults about their taste preferences with foods and drinks that are bitter. They also took four different personality tests that assessed traits like narcissism, psychopathy, sadism, and aggression. From a report: Researchers found a trend that suggested a correlation between preferences for black coffee, and other bitter tastes, and sadistic or psychopathic personality traits. They also found that people who enjoyed milky or sugary coffee, and other sweet flavors, generally tended to have more "agreeable" personality traits like sympathy, cooperation, and kindness. The closest correlation found in the study was between bitter foods, like radishes and tonic water, and "everyday sadism," or the enjoyment of inflicting moderate levels of pain on others. The researchers went further, suggesting that this association between bitter foods and psychopathic tendencies could "become chronic" and get worse with time.

Programming

Slashdot Asks: Are DevOps, Agile, and Lean IT the Same Thing? (zdnet.com) 226

ZDNet writes: There have been three great movements shaping the information technology landscape. There is Agile, which emphasizes collaboration in software development; Lean IT, which promotes delivering software faster, better and cheaper; and DevOps, which seeks to align software development with continuous delivery...

These three movements have their own advocates, methodologies and terminology. But when you think about Agile, Lean IT and Agile, aren't these all the same thing, essentially? They all have the same goals, which is to deliver high-quality software on a continuous basis, collaboratively. Is it time to chuck the terminology and semantics and bring these three activities under the same roof?

Their article cites "advocates" -- two authors who have both written books about Lean IT -- who are pushing for the concepts to all be brought together into a single mold. But it'd be interesting to get some opinions and real-world anecdotes from Slashdot's readers. So leave your own thoughts in the comments.

Are DevOps, Agile, and Lean IT the same thing?

Java

Google Won't Let You Sign In If You Disabled JavaScript In Your Browser (zdnet.com) 172

An anonymous reader quotes a report from ZDNet: Google announced today four new security features for securing Google accounts. These four updates are meant to bolster protections before and after users sign into accounts, but also in the case of recovering after a hack. According to Google's Jonathan Skelker, the first of these protections that Google has rolled out today comes into effect even before users start typing their username and password. In the coming future, Skelker says that Google won't allow users to sign into accounts if they disabled JavaScript in their browser. The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected. This change is likely to impact only a very small number of users -- around 0.01 percent according to Google's data -- but it will likely impact bots harder, as many of them run through headless browsers where this feature is turned off for performance reasons. Google also plans to pull data from Google Play Protect and list all malicious apps that are still installed on a user's Android smartphone. Google's Jonathan Skelker says they will be notifying you "whenever you share any data from your Google Account," expanding on the notifications it sends when you've granted access to sensitive information, like Gmail data or your Google Contacts.

"Last but not least is a security feature that Google plans to use after an account hack," reports ZDNet. "This feature is already live and is a new set of procedures for regaining access and re-securing compromised profiles. The procedure is detailed in this Google support page, and besides just helping users regain access to accounts, it will also help them check financial activity related to Google Pay accounts, review new files added to Gmail or Drive, and secure other accounts at other services that are tied to the main Google account."

Twitter

Tiny Twitter Thumbnail Tweaked To Transport Different File Types (theregister.co.uk) 45

Security researcher David Buchanan has found that Twitter image uploads can be polyglot files, meaning they can be valid simultaneously in multiple formats, such as a .jpg, a .rar archive and a .zip archive. From a report: Using some Python code he wrote, he created a thumbnail image of William Shakespeare overlaid with the words, "Unzip Me" and posted it to Twitter. The .jpg image is also a valid .zip file, so if you download it, you can unzip it and extract the contents, a multipart .rar archive of the text of Shakespeare's plays. [...] Twitter performs some processing on uploaded images, which has the potential to mess with the data. But Buchanan found that his multi-format file survived this process. It may be that the image itself (excluding the rather bulky metadata) is light enough not to trigger any compression or post-upload processing.

Open Source

'Open Source Creators: Red Hat Got $34 Billion and You Got $0. Here's Why.' (tidelift.com) 236

Donald Fischer, who served as a product manager for Red Hat Enterprise Linux during its creation and early years of growth, writes: Red Hat saw, earlier than most, that the ascendance of open source made the need to pay for code go away, but the need for support and maintenance grew larger than ever. Thus Red Hat was never in the business of selling software, rather it was in the business of addressing the practical challenges that have always come along for the ride with software. [...] As an open source developer, you created that software. You can keep your package secure, legally documented, and maintained; who could possibly do it better? So why does Red Hat make the fat profits, and not you? Unfortunately, doing business with large companies requires a lot of bureaucratic toil. That's doubly true for organizations that require security, legal, and operational standards for every product they bring in the door. Working with these organizations requires a sales and marketing team, a customer support organization, a finance back-office, and lots of other "business stuff" in addition to technology. Red Hat has had that stuff, but you haven't.

And just like you don't have time to sell to large companies, they don't have time to buy from you alongside a thousand other open source creators, one at a time. Sure, big companies know how to install and use your software. (And good news! They already do.) But they can't afford to put each of 1100 npm packages through a procurement process that costs $20k per iteration. Red Hat solved this problem for one corner of open source by collecting 2,000+ open source projects together, adding assurances on top, and selling it as one subscription product. That worked for them, to the tune of billions. But did you get paid for your contributions?

Open Source

Why Jupyter is Data Scientists' Computational Notebook of Choice (nature.com) 58

Jeffrey M. Perkel, writing for Nature: Perched atop the Cerro Pachon ridge in the Chilean Andes is a building site that will eventually become the Large Synoptic Survey Telescope (LSST). When it comes online in 2022, the telescope will generate terabytes of data each night as it surveys the southern skies automatically. And to crunch those data, astronomers will use a familiar and increasingly popular tool: the Jupyter notebook. Jupyter is a free, open-source, interactive web tool known as a computational notebook, which researchers can use to combine software code, computational output, explanatory text and multimedia resources in a single document. Computational notebooks have been around for decades, but Jupyter in particular has exploded in popularity over the past couple of years. This rapid uptake has been aided by an enthusiastic community of user-developers and a redesigned architecture that allows the notebook to speak dozens of programming languages -- a fact reflected in its name, which was inspired, according to co-founder Fernando Perez, by the programming languages Julia (Ju), Python (Py) and R.

[...] For data scientists, Jupyter has emerged as a de facto standard, says Lorena Barba, a mechanical and aeronautical engineer at George Washington University in Washington DC. Mario Juric, an astronomer at the University of Washington in Seattle who coordinates the LSST's data-management team, says: "I've never seen any migration this fast. It's just amazing." Computational notebooks are essentially laboratory notebooks for scientific computing. Instead of pasting, say, DNA gels alongside lab protocols, researchers embed code, data and text to document their computational methods. The result, says Jupyter co-creator Brian Granger at California Polytechnic State University in San Luis Obispo, is a "computational narrative" -- a document that allows researchers to supplement their code and data with analysis, hypotheses and conjecture. For data scientists, that format can drive exploration.

Python

Twelve Malicious Python Libraries Found and Removed From PyPI (zdnet.com) 36

An anonymous reader writes: A software security engineer has identified 12 Python libraries uploaded on the official Python Package Index (PyPI) that contained malicious code. The 12 packages used typo-squatting in the hopes a user would install them by accident or carelessness when doing a "pip install" operation for a mistyped more popular package, like Django (ex: diango).

Eleven libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations. A twelfth package, named "colourama," was financially motivated and hijacked an infected user's operating system clipboard, where it would scan every 500ms for a Bitcoin address-like string, which it would replace with the attacker's own Bitcoin address in an attempt to hijack Bitcoin payments/transfers made by an infected user.

54 users downloaded that package -- although all 12 malicious packages have since been taken down.

Four of the packages were misspellings of django -- diango, djago, dajngo, and djanga.

Education

With Few US Students Taking CS Classes, Code.org 'Scales Back' Funding For CS Education (acm.org) 162

"In 2012, most CS teacher professional development was paid for by the National Science Foundation or Google." And in the years that followed, 80,000 primary and secondary school teachers received opportunities to learn how to teach computer science without paying any fees -- thanks to tech-bankrolled Code.org.

But is anyone taking the classes? Slashdot reader theodp quotes a Communications of the ACM post by University of Michigan professor Mark Guzdial: In 2013, Code.org began, and they changed the face of CS education in the United States. It started out as just a video (linked here, seen over 14 million times), and grew into an organization that created and provided curriculum, offered teacher professional development, and worked with states and districts around public policy initiatives. A recent report from Code.org showed that 44 states have enacted public policies to promote computing education in the five years from 2013 to 2018, and much of that happened through Code.org's influence....

Now, Code.org has announced that they are starting to scale back their funding, which begins a multi-year transition to shift the burden of paying for teacher professional development to the local regions.... The only question is whether it's too soon. Will local regions step up and demonstrate that they value computer science by paying for it...? I'd guess that many states have between 40% and 70% of their high schools now offering computer science. However, even though many schools offer computer science, there are still few students taking computer science.

Indiana reported that only 0.4% of Indiana high school students had enrolled in their most popular course. Meanwhile in one region in Texas, 54 of 159 high schools offer computer science, yet only 2.3% of their students have ever taken a computer science class. But of course, there's another issue.

"If Code.org (or NSF or Google) are paying for all the development of CS teachers, then the districts don't get to say, 'In our community we care about this and we care less about that.' The U.S. education system is organized around the local regions calling the shots, setting the priorities, and deciding what they want teachers to teach."

Microsoft

Microsoft Closes Its $7.5 Billion Purchase of GitHub (techcrunch.com) 87

Microsoft has officially closed its acquisition of GitHub, the Git-based code sharing and collaboration service with 31 million developers. "The Redmond, WA-based software behemoth first said it would acquire GitHub for $7.5 billion in stock in June of this year, and after the acquisition closed it would continue to run it as an independent platform and business," reports TechCrunch. From the report: The acquisition is yet another sign of how Microsoft has been doubling down on courting developers and presenting itself as a neutral partner to help them with their projects. That is because, despite its own very profitable proprietary software business, Microsoft also has a number of other businesses -- for example, Azure, which competes with AWS and Google Cloud -- that rely heavily on it being unbiased towards one platform or another. And GitHub, Microsoft hopes, will be another signal to the community of that position. In that regard, it will be an interesting credibility test for the companies. Nat Friedman, previously the CEO of Xamarin, will be the CEO of GitHub on Monday. He says the site will be run as an independent platform and business.

"We will always support developers in their choice of any language, license, tool, platform, or cloud," he writes, noting that there will be more tools to come. "We will continue to build tasteful, snappy, polished tools that developers love," he added.

Education

190 Universities Launch 600 Free Online Courses 82

An anonymous reader quotes a report from Quartz: If you haven't heard, universities around the world are offering their courses online for free (or at least partially free). These courses are collectively called MOOCs or Massive Open Online Courses. In the past six years or so, over 800 universities have created more than 10,000 of these MOOCs. And I've been keeping track of these MOOCs the entire time over at Class Central, ever since they rose to prominence.

In the past four months alone, 190 universities have announced 600 such free online courses. I've compiled a list of them and categorized them according to the following subjects: Computer Science, Mathematics, Programming, Data Science, Humanities, Social Sciences, Education & Teaching, Health & Medicine, Business, Personal Development, Engineering, Art & Design, and finally Science.
The full list is available in the report. If you need help signing up, there's a report for that too.

IBM

IBM Open Sources Mac@IBM Code (9to5mac.com) 91

PolygamousRanchKid shares a report from 9to5Mac: At the Jamf Nation User Conference, IBM has announced that it is open sourcing its Mac@IBM provisioning code. The code being open-sourced offers IT departments the ability to gather additional information about their employees during macOS setup and allows employees to customize their enrollment by selecting apps or bundles of apps to install.

Back in 2015, IBM discussed how it went from zero to 30,000 Macs in six months. In 2016, IBM said Apple products were cheaper to manage when you looked at the entire life cycle: "IBM is saving a minimum of $265 (up to $535 depending on model) per Mac compared to a PC, over a 4-year lifespan. While the upfront workstation investment is lower for PCs, the residual value for Mac is higher. The program's success has improved IBM's ability to attract and retain top talent -- a key advantage in today's competitive market."

Cloud

Amazon's Move Off Oracle Caused Prime Day Outage in One of its Biggest Warehouses, Internal Report Says (cnbc.com) 130

Amazon is learning how hard it can be to move off of Oracle's database software. From a report: On Prime Day, while the e-retailer was dealing with a major website glitch that slowed sales, the company was also dealing with a technical problem in Ohio at one of its biggest warehouses, leading to thousands of delayed package deliveries, according to an internal report obtained by CNBC. The problem was in large part due to Amazon's migration from Oracle's database to its own technology, the documents show. The outage underscores the challenge Amazon faces as it looks to move completely off Oracle's database by 2020, and how difficult it is to re-create that level of reliability. It also shows that Oracle's database is more efficient in some aspects than Amazon's rival software, a point that Oracle will likely emphasize during this week's annual OpenWorld conference in San Francisco.

Programming

SQLite Adopts 'Monastic' Code of Conduct (sqlite.org) 653

An anonymous reader writes: Undoubtedly in response to this politically motivated sort of claptrap, SQLite has released their own Code of Conduct. From the preamble:

Having been encouraged by clients to adopt a written code of conduct, the SQLite developers elected to govern their interactions with each other, with their clients, and with the larger SQLite user community in accordance with the "instruments of good works" from chapter 4 of The Rule of St. Benedict. This code of conduct has proven its mettle in thousands of diverse communities for over 1,500 years, and has served as a baseline for many civil law codes since the time of Charlemagne.

Not everyone has found SQLite's attempt informative or funny (though many did). A developer wrote, for instance, "So is the SQLite CoC thing a joke or not? If it's not a joke, f*ck this. If it is a joke, that's even worse. Your CoC should be taken seriously." A security researcher chimed in, "This sort of stunt will make actual code of conduct discussions harder. It's not funny, helpful, or wise."


Programming

GitHub's Website Remains Broken After a Data Storage System Failed Earlier Today (theregister.co.uk) 66

GitHub engineers are trying to repair the data storage system underpinning the code hosting website, which has been presenting users with a "What!?" error for much of the Sunday. From a report: Depending on where you are, you may have been working on some Sunday evening programming, or getting up to speed with work on a Monday morning, using resources on GitHub.com -- and possibly failing miserably as a result of the outage. From about 4pm US West Coast time on Sunday, the website has been stuttering and spluttering. Specifically, the site is still up and serving pages -- it's just intermittently serving out-of-date files, and ignoring submitted Gists, bug reports, and posts. Sometimes, it appears to be serving a read-only cache or older backup of itself, although some fresh code pushes are coming through onto the site. From the status page, it appears a data storage system died, forcing the platform's engineers to move the dot-com's files over to another box. In the meantime, some older versions of files and repos are being served to visitors and users. "We're continuing to work on migrating a data storage system in order to restore access to GitHub.com," the team said just after 5pm PT, adding in the past few minutes: "We are continuing to repair a data storage system for GitHub.com. You may see inconsistent results during this process."

PHP

As PHP Group Patches High-Risk Bugs, 62% of Sites Still Use PHP 5 (threatpost.com) 112

America's Multi-State Information Sharing & Analysis Center is operated in collaboration with its Department of Homeland Security's Office of Cybersecurity and Communications -- and they've got some bad news. MS-ISAC released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code. Furthermore, if the PHP vulnerabilities are not successfully exploited, attackers could still induce a denial-of-service condition rendering the probed servers unusable... The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all the high-risk bugs that could lead to DoS and arbitrary code execution in all vulnerable PHP 7.1 and 7.2 versions before these latest updates.
But meanwhile, Threatpost reported this week that 62% of the world's web sites are still running PHP version 5 -- even though its end of life is December 31st. "The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided," warned a recent CERT notice.

So far Drupal is the only CMS posting an official notice requiring upgrades to PHP 7 (by March, three months after PHP 5.6's end-of-life deadline). Threatpost notes that "There has been no such notice from WordPress or Joomla."
