Python

Python May Let Security Tools See What Operations the Runtime Is Performing (bleepingcomputer.com) 75

An anonymous reader writes: A new feature proposal for the Python programming language wants to add "transparency" to the runtime and let security and auditing tools view when Python may be running potentially dangerous operations. In its current form, Python does not allow security tools to see what operations the runtime is performing. Unless one of those operations generates particular errors that may raise a sign of alarm, security and auditing tools are blind to the possibility that an attacker may be using Python to carry out malicious operations on a system.

But in Python Enhancement Proposal 551 (PEP-551), Steve Dower, a core Python developer, has proposed the addition of two new APIs that will let security tools detect when Python is executing potentially dangerous operations. The first, the Audit Hook API, will raise warning messages about certain types of Python operations; while the second, the Verified Open Hook API, is a mechanism to let the Python runtime know what files it is permitted to execute or tamper with.

Initial plans were to have PEP-551 ship with Python 3.7, scheduled for release in mid-June 2018, but the proposal did not make the final cut, according to a list of new features added for next month's release. This doesn't mean PEP-551 won't ship with a future version of Python. This is the second major scripting engine to open its runtime to security tools, after PowerShell.

Android

Huawei Will No Longer Allow Bootloader Unlocking On Its Android Handsets (androidauthority.com) 253

Chinese smartphone maker Huawei has long made it easier for users to unlock the bootloader on its phones. But that is changing now. Android Authority: Earlier this month a support page, which detailed ways to unlock a bootloader, disappeared without any explanation from the company's websites. In a statement, the company said, "In order to deliver the best user experience and prevent users from experiencing possible issues that could arise from ROM flashing, including system failure, stuttering, worsened battery performance, and risk of data being compromised, Huawei will cease providing bootloader unlock codes for devices launched after May 25, 2018." It added, "For devices launched prior to the aforementioned date, the termination of the bootloader code application service will come into effect 60 days after today's announcement. Moving forward, Huawei remains committed to providing quality services and experiences to its customers. Thank you for your continued support."

Businesses

Oracle's Aggressive Sales Tactics Are Backfiring With Customers (lightreading.com) 232

An anonymous reader shares a report: Oracle's aggressive sales tactics are turning off customers, setting a roadblock in the company's race to catch up with Amazon Web Services in the cloud, according to a report on The Information. [Editor's note: the link may be paywalled; alternative source]. Oracle is threatening customers of its on-premises software with potentially expensive usage audits and strongly suggesting those customers could solve their problems by moving to the cloud, The Information says. But the tactic is backfiring. "Several big Oracle customers, including oil and gas exploration company Halliburton, toy maker Mattel and electricity provider Edison Southern California, have recently rejected big cloud services deals proposed by Oracle, according to an Oracle employee with knowledge of the situation," the publication reported. "Oracle representatives had suggested the customers strike the deals to avoid expensive audits of how they were using Oracle software, according to the employee. Instead, that approach to selling cloud is irritating customers," it added.

Java

Oracle Calls Java Serialization 'A Horrible Mistake', Plans to Dump It (infoworld.com) 198

An anonymous reader quotes InfoWorld: Oracle plans to drop from Java its serialization feature that has been a thorn in the side when it comes to security. Also known as Java object serialization, the feature is used for encoding objects into streams of bytes... Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.

To replace the current serialization technology, a small serialization framework would be placed in the platform once records, the Java version of data classes, are supported. The framework could support a graph of records, and developers could plug in a serialization engine of their choice, supporting formats such as JSON or XML, enabling serialization of records in a safe way. But Reinhold cannot yet say which release of Java will have the records capability. Serialization was a "horrible mistake" made in 1997, Reinhold says. He estimates that at least a third -- maybe even half -- of Java vulnerabilities have involved serialization. Serialization overall is brittle but holds the appeal of being easy to use in simple use cases, Reinhold says.

Programming

A Middle-Aged Writer's Quest To Start Learning To Code For the First Time (1843magazine.com) 183

OpenSourceAllTheWay writes: The Economist's 1843 magazine details one middle-aged writer's (Andrew Smith) quest to learn to code for the first time, after becoming interested in the "alien" logic mechanisms that power completely new phenomena like crypto-currency and effectively make the modern world function in the 21st Century. The writer discovers that there are over 1,700 actively used computer programming languages to choose from, and that every programmer that he asks "Where should someone like me start with coding?" contradicts the next in his or her recommendation. One seasoned programmer tells him that programmers discussing what language is best is the equivalent of watching "religious wars." The writer is stunned by how many of these languages were created by unpaid individuals who often built them for "glory and the hell of it." He is also amazed by how many people help each other with coding problems on the internet every day, and the computer programmer culture that non-technical people are oblivious of.

Eventually the writer finds a chart of the most popular programming languages online, and discovers that these are Python, JavaScript, and C++. The syntax of each of these languages looks indecipherable to him. The writer, with some help from online tutorials, then learns how to write a basic Python program that looks for keywords in a Twitter feed. The article is interesting in that it shows what the "alien world of coding" looks like to people who are not already computer nerds and in fact know very little about how computer software works. There are many interesting observations on coding/computing culture in the article, seen through the lens of someone who is not a computer nerd and who has not spent the last two decades hanging out on Slashdot or Stackoverflow.

The Courts

ACLU Sues ICE For License Plate Reader Contracts, Records (sfgate.com) 84

An anonymous reader quotes a report from SFGate: The American Civil Liberties Union on Wednesday sued U.S. Immigration and Customs Enforcement for records about the agency's use of license plate reader technology, after ICE apparently failed to turn over records following multiple requests. In December, ICE purchased access to two databases of ALPR data, the complaint reads. One of those databases is managed by Vigilant Solutions, which has contracts with more than two dozen Bay Area law enforcement agencies. "We believe the other is managed by Thomson Reuters," ACLU lawyer Vasudha Talla said. The ACLU and other privacy advocates have expressed concern about how this data will be stored and used for civil immigration enforcement. The ACLU filed two requests under the Freedom of Information Act in March seeking records from ICE, including contracts, memos, associated communications, training materials and audit logs. Since then, ICE has not provided any records, the ACLU said in the complaint, which was filed Tuesday morning in the Northern District Court for the Northern District of California. "The excessive collection and storing of this data in databases -- which is then pooled and shared nationally -- results in a systemic monitoring that chills the exercise of constitutional rights to free speech and association, as well as essential tasks such as driving to work, picking children up from school, and grocery shopping," the complaint said. "We have essentially two concerns: one that is general to ALPR databases, and one that's specific to this situation with ICE," Talla said. "The ACLU has done a lot of work around surveillance technology and ALPR, and we're generally concerned about the aggregation of all this data about license plates paired with a time and location, stretching back for so many months and years."

Open Source

The Percentage of Open Source Code in Proprietary Apps is Rising (helpnetsecurity.com) 60

Zeljka Zorz, writing for Help Net Security: The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown. Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed two interesting findings:

96 percent of the scanned applications contain open source components, with an average 257 components per application. The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.

Open Source

Tesla Releases Some of Its Software To Comply With Open-Source Licenses (sfconservancy.org) 24

Jeremy Allison - Sam shares a blog post from Software Freedom Conservancy, congratulating Tesla on their first public step toward GPL compliance: Conservancy rarely talks publicly about specifics in its ongoing GNU General Public License (GPL) enforcement and compliance activity, in accordance with our Principles of Community Oriented GPL Enforcement. We usually keep our compliance matters confidential -- not for our own sake -- but for the sake of violators who request discretion to fix their mistakes without fear of public reprisal. We're thus glad that, this week, Tesla has acted publicly regarding its current GPL violations and has announced that they've taken their first steps toward compliance. While Tesla acknowledges that they still have more work to do, their recent actions show progress toward compliance and a commitment to getting all the way there.

Businesses

Fed Up With Apple's Policies, App Developers Form a 'Union' (wired.com) 108

Even as Apple has addressed some of the concerns outlined by iOS developers in the recent years, many say it's not enough. As the iOS App Store approaches its tenth anniversary, some app developers are still arguing for better App Store policies, ones that they say will allow them to make a better living as independent app makers. On Friday, a small group of developers, including one who recently made a feature-length film about the App Store and app culture, are forming a union to lobby for just that. From a report: In an open letter to Apple that published this morning, a group identifying themselves as The Developers Union wrote that "it's been difficult for developers to earn a living by writing software" built on Apple's existing values. The group then asked Apple to allow free trials for apps, which would give customers "the chance to experience our work for themselves, before they have to commit to making a purchase."

The grassroots effort is being led by Jake Schumacher, the director of App: The Human Story; software developer Roger Ogden and product designer Loren Morris, who both worked for a timesheet app that was acquired last year; and Brent Simmons, a veteran developer who has made apps like NetNewsWire, MarsEdit, and Vesper, which he co-created with respected Apple blogger John Gruber.

Programming

Ask Slashdot: What's the Most Sophisticated Piece of Software Ever Written? (quora.com) 237

An anonymous reader writes: Stuxnet is the most sophisticated piece of software ever written, given the difficulty of the objective: Deny Iran's efforts to obtain weapons grade uranium without need for diplomacy or use of force, John Byrd, CEO of Gigantic Software (formerly Director of Sega and SPM at EA), argues in a blog post, which is being widely shared in developer circles, with most agreeing with Byrd's conclusion.

He writes, "It's a computer worm. The worm was written, probably, between 2005 and 2010. Because the worm is so complex and sophisticated, I can only give the most superficial outline of what it does. This worm exists first on a USB drive. Someone could just find that USB drive laying around, or get it in the mail, and wonder what was on it. When that USB drive is inserted into a Windows PC, without the user knowing it, that worm will quietly run itself, and copy itself to that PC. It has at least three ways of trying to get itself to run. If one way doesn't work, it tries another. At least two of these methods to launch itself were completely new then, and both of them used two independent, secret bugs in Windows that no one else knew about, until this worm came along."

"Once the worm runs itself on a PC, it tries to get administrator access on that PC. It doesn't mind if there's antivirus software installed -- the worm can sneak around most antivirus software. Then, based on the version of Windows it's running on, the worm will try one of two previously unknown methods of getting that administrator access on that PC. Until this worm was released, no one knew about these secret bugs in Windows either. At this point, the worm is now able to cover its tracks by getting underneath the operating system, so that no antivirus software can detect that it exists. It binds itself secretly to that PC, so that even if you look on the disk for where the worm should be, you will see nothing. This worm hides so well, that the worm ran around the Internet for over a year without any security company in the world recognizing that it even existed."
What do Slashdot readers think?

Java

California Bypasses Science To Label Coffee a Carcinogen (undark.org) 277

travers_r writes: Superior Court Judge Elihu Berle affirmed last week that all coffee sold in California must come with a warning label stating that chemicals in coffee (acrylamide, a substance created naturally during the brewing process) are known to cause cancer and birth defects or other reproductive harm. But judges, journalists, and environmental advocates fail to recognize the critical difference between probably and certainly, which fuels the inaccurate belief that cancer is mostly caused by things in the environment. From a report at Undark: "IARC is one of the leading scientific bodies in the world, and it is also one of several expert panels on which California relies for scientific opinions in such cases. The IARC has concluded that while there is sufficient evidence to consider acrylamide carcinogenic in experimental animals, there is insufficient evidence for carcinogenicity in humans. Therefore, its overall evaluation is that 'acrylamide is probably carcinogenic to humans.'
[...]
Leading experts, in fact, believe that roughly two-thirds of all cancers are the result of mutations to DNA that are caused by natural bodily processes, not exposure to environmental chemicals. This is quite the opposite of the prevailing belief among the public that most cancers are caused by exogenous substances imposed on us by the products and technologies of the modern world. It's this belief -- this fear -- that prompted voters to pass Proposition 65 in 1986. It was a time when fear of hazardous waste and industrial chemicals was high, when chemophobia -- a blanket fear of anything having to do with the word 'chemicals' -- was being seared into the public's mind."

Twitter

Twitter Delays Shutdown of Legacy APIs By 3 Months as it Launches a Replacement (techcrunch.com) 12

Twitter said on Wednesday that it will be giving developers more time to adjust to its API platform overhaul, which has affected some apps' ability to continue operating in the same fashion. From a report: The company clarified this morning, along with news of the general availability of its Account Activity API, that it will be delaying the shutdown of some of its legacy APIs by three months' time. That is, APIs originally slated for a June 19, 2018 shutdown -- including Site Streams, User Streams, and legacy Direct Message Endpoints -- will now be deprecated on Wednesday, August 16, 2018.

The Internet

Top-Level Domain .App Is Now Open For General Registration (googleblog.com) 82

Christina Chiou Yeh, writing for Google Registry: On May 1 we announced .app, the newest top-level domain (TLD) from Google Registry. It's now open for general registration so you can register your desired .app name right now. We begin our journey with sitata.app, which provides real-time travel information about events like protests or transit strikes. Looks all clear, so our first stop is the Caribbean, where we use thelocal.app and start exploring. After getting some sun, we fly to the Netherlands, where we're feeling hungry. Luckily, picnic.app delivers groceries, right to our hotel. With our bellies full, it's time to head to India, where we use myra.app to order the medicine, hygiene, and baby products that we forgot to pack. Did we mention this was a business trip? Good thing lola.app helped make such a complex trip stress free. Time to head home now, so we slip on a hoodie we bought on ov.app and enjoy the ride.

Security

Hacker Shuts Down Copenhagen's Public City Bikes System (bleepingcomputer.com) 72

An anonymous reader writes: "An unidentified hacker has breached Bycyklen -- Copenhagen's city bikes network -- and deleted the organization's entire database, disabling the public's access to bicycles over the weekend," reports Bleeping Computer. The hack took place on the night between Friday, May 4, and Saturday, May 5, the organization said on its website. Bycyklen described the hack as "rather primitive," suggesting it may have been carried out "by a person with a great deal of knowledge of its IT infrastructure." Almost 2,000 bikes were affected, and the company's employees have been working for days, searching for bikes docked across the city and installing a manual update to restore functionality. The company is holding a "treasure hunt," asking users to hunt down and identify non-functional bikes.

Education

Carnegie Mellon Launches Undergraduate Degree In AI (cmu.edu) 76

Earlier this week, Carnegie Mellon University announced plans to offer an undergrad degree in artificial intelligence. The news may be especially attractive for students given how much tech giants have been ramping up their AI efforts in the recent years, and how U.S. News & World Report ranked Carnegie Mellon University as the No. 1 graduate school for AI. An anonymous reader shares the announcement with us: Carnegie Mellon University's School of Computer Science will offer a new undergraduate degree in artificial intelligence beginning this fall, providing students with in-depth knowledge of how to transform large amounts of data into actionable decisions. SCS has created the new AI degree, the first offered by a U.S. university, in response to extraordinary technical breakthroughs in AI and the growing demand by students and employers for training that prepares people for careers in AI.

The bachelor's degree program in computer science teaches students to think broadly about methods that can accomplish a wide variety of tasks across many disciplines, said Reid Simmons, research professor of robotics and computer science and director of the new AI degree program. The bachelor's degree in AI will focus more on how complex inputs -- such as vision, language and huge databases -- are used to make decisions or enhance human capabilities, he added. AI majors will receive the same solid grounding in computer science and math courses as other computer science students. In addition, they will have additional course work in AI-related subjects such as statistics and probability, computational modeling, machine learning, and symbolic computation. Simmons said the program also would include a strong emphasis on ethics and social responsibility. This will include independent study opportunities in using AI for social good, such as improving transportation, health care or education.

Software

Apple Cracking Down On Apps That Send Location Data To Third Parties (9to5mac.com) 28

Apple has been removing some apps that share location data with third parties and informing developers that their app violates two parts of the App Store Review Guidelines. "The company informs developers via email that 'upon re-evaluation,' their application is in violation of sections 5.1.1 and 5.1.2 of the App Store Review Guidelines, which pertain to transmitting user location data and user awareness of data collection," reports 9to5Mac. From the report: Apple explains that developers must remove any code, frameworks, or SDKs that relate to the violation before their app can be resubmitted to the App Store. Apple's crackdown on these applications comes amid a growing industry shift due to General Data Protection Regulation, or GDPR, in the European Union. While Apple has always been a privacy-focused company, it is seemingly looking to ensure that developers take the same care of user data.

In the instances we've seen, the apps in question don't do enough to inform users about what happens with their data. In addition to simply asking for permission, Apple appears to want developers to explain what the data is used for and how it is shared. Furthermore, the company is cracking down on instances where the data is used for purposes unrelated to improving the user experience.

Chrome

In Blocking Autoplay Videos, Chrome Is Breaking Many Web-Based Games (arstechnica.com) 77

An anonymous reader quotes a report from Ars Technica: An update Google rolled out for its popular Chrome browser this weekend helps prevent those annoying auto-playing video ads on many websites from disturbing your day with unwanted sound as well. But that update is causing consternation for many Web-based game developers who are finding that the change completely breaks the audio in their online work. The technical details behind the problem involve the way Chrome handles WebAudio objects, which are now automatically paused when a webpage starts up, stymying auto-playing ads. To get around this, Web-based games now have to actively restart that pre-loaded audio object when the player makes an action to start the game, even if that audio wasn't autoplaying beforehand. "The standard doesn't require you to do this, so no one would have thought to do this before today," developer Andi McClure told Ars Technica. "With Chrome's new autoplay policies, developers shouldn't assume that audio can be played before a user gesture," Google told The Daily Dot in a statement. "With gaming in Chrome, this may affect Web Audio. We have shared details on what developers can do to address this, and the design for the policy was published last year."

Crime

Police Drop Charges Filed Against 19-Year-Old Archivist For Downloading FOIA Releases (techdirt.com) 154

An anonymous reader quotes a report from Techdirt: Last month, [...] an unnamed 19-year-old was facing criminal charges for downloading publicly-available documents from a government Freedom of Information portal. The teen had written a script to fetch all available documents from the Nova Scotia government's FOI site -- a script that did nothing more than increment digits at the end of the URL to find everything that had been uploaded by the government. The government screwed up. It uploaded documents to the publicly-accessible server that hadn't been redacted yet. It was a very small percentage of the total haul -- 250 of the 7,000 docs obtained -- but the government made a very big deal out of it after discovering they had been accessed.

Fortunately, Nova Scotia law enforcement has decided there's nothing to pursue in this case: "In an email to CBC News, Halifax police Supt. Jim Perrin did not mention what kind of information police were given from the province, but he said it was a 'high-profile case that potentially impacted many Nova Scotians.' 'As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offense by accessing the information,' Perrin said in the email."

Security

Equifax's Data Breach By the Numbers: 146 Million Social Security Numbers, 99 Million Addresses, and More (theregister.co.uk) 69

Several months after the data breach was first reported, Equifax has published the details on the personal records and sensitive information stolen in the cybersecurity incident. "The good news: the number of individuals affected by the network intrusion hasn't increased from the 146.6 million Equifax previously announced, but extra types of records accessed by the hackers have turned up in Mandiant's ongoing audit of the security breach," reports The Register. From the report: Late last week, the company gave the numbers in letters to the various U.S. congressional committees investigating the network infiltration, and on Monday, it submitted a letter to the SEC, corporate America's financial watchdog. As well as the -- take a breath -- 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date) exposed, the company said there were also 38,000 American drivers' licenses and 3,200 passport details lifted, too.

The further details emerged after Mandiant's investigators helped "standardize certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen." The extra data elements, the company said, didn't involve any individuals not already known to be part of the super-hack, so no additional consumer notifications are required.

Programming

Microsoft Adds Support For JavaScript Functions in Excel (bleepingcomputer.com) 171

An anonymous reader shares a report: At the Build 2018 developer conference that's taking place these days in Seattle, USA, Microsoft announced support for custom JavaScript functions in Excel. What this means is that Excel users will be able to use JavaScript code to create a custom Excel formula that will appear in Excel's default formula database. Users will then be able to insert and call these formulas from within Excel spreadsheets, but have a JavaScript interpreter compute the spreadsheet data instead of Excel's native engine. "Office developers have been wanting to write JavaScript custom functions for many reasons," Microsoft says, "such as: (1) Calculate math operations, like whether a number is prime. (2) Bring information from the web, like a bank account balance. (3) Stream live data, like a stock price."
