A large majority of organizations are struggling to implement security into their DevOps processes, despite saying they want to do so, according to a new report. From a report: The study commissioned by application security specialist Checkmarx looks at the biggest barriers to securing software today depending on where organizations sit on the DevOps maturity curve. The report finds 96 percent of respondents believe it is 'desirable' or 'highly desirable' for developers to be properly trained on how to produce secure code.

As developers take responsibility for the security of their software, respondents believe it is more important to educate developers and empower them than it is to educate other stakeholders in the organization like ops specialists and security specialists. However, 41 percent agree that defining clear ownership and responsibility in relation to software security remains a big challenge, and just 11 percent say they have adequately addressed the need for developer education. Software security is a boardroom issue according to 57 percent of respondents, it's a matter of business risk.

It sounds like a joke, but the idea actually makes sense: More bugs, not less, could theoretically make a system safer. From a report: Carefully scatter non-exploitable decoy bugs in software, and attackers will waste time and resources on trying to exploit them. The hope is that attackers will get bored, overwhelmed, or run out of time and patience before finding an actual vulnerability. Computer science researchers at NYU suggested this strategy in a study published August 2, and call these fake-vulnerabilities "chaff bugs." Brendan Dolan-Gavitt, assistant professor at NYU Tandon and one of the researcher on this study, told me in an email that they've been working on techniques to automatically put bugs into programs for the past few years as a way to test and evaluate different bug-finding systems. Once they had a way to fill a program with bugs, they started to wonder what else they could do with it. "I also have a lot of friends who write exploits for a living, so I know how much work there is in between finding a bug and coming up with a reliable exploit -- and it occurred to me that this was something we might be able to take advantage of," he said. "People who can write exploits are rare, and their time is expensive, so if you can figure out how to waste it you can potentially have a great deterrent effect." Brendan has previously suggested that adding bugs to experimental software code could help with ultimately winding up with programs that have fewer vulnerabilities.

A new article in CIO magazine argues that when it comes to computer science, "few of us really need much of any of it." Slashdot reader itwbennett offers this summary: At the heart of the matter is the fact that most businesses don't really need programmers to be deep thinkers. For them, it's "just as worthwhile to hire someone from a physics lab who just used Python to massage some data streams from an instrument. They can learn the shallow details just as readily as the CS genius," according to the article.
CIO's anonymous author promises an incomplete list of "why we may be better off ignoring CS majors." Some of the highlights:

• Theory distracts and confuses. "Many computer scientists are mathematicians at heart and the theorem-obsessed mindset permeates the discipline."

• Academic languages are rarely used. "...the academy breeds snobbery and a love for arcane solutions."

• Many CS professors are mathematicians, not programmers. "One of the dirty secrets about most computer science departments is that most of the professors can't program computers. Their real job is giving lectures and wrangling grants...."

• Many required subjects are rarely used. "...it's too bad few of us use many data structures any more."

• Institutions breed arrogance. "...the very nature of academic degrees are designed to give graduates the ability to argue one's superiority with authority. "

• Many modern skills are ignored. "If you want to understand Node.js, React, game design or cloud computation, you'll find very little of it in the average curriculum... It's very common for computer science departments to produce deep thinkers who understand some of the fundamental challenges without any shallow knowledge of the details that dominate the average employee's day."

"It's not that CS degrees are bad," the article concludes. "It's just that they're not going to speak to the problems that most of us need to solve."

"Ever wondered why pages seem to load slower and slower? Or why it is that browsing seems to take just as long to load a page, even though your broadband connection doubled in speed a couple of months ago?" gb7djk, a long-time Slashdot reader, blames "the bullshit web" -- as described in this essay by Calgary-based front-end developer Nick Heer (who does his testing on a 50 Mbps connection). A story at the Hill took over nine seconds to load; at Politico, seventeen seconds; at CNN, over thirty seconds. This is the bullshit web... When I use the word "bullshit" in this article, it isn't in a profane sense. It is much closer to Harry Frankfurt's definition in On Bullshit: "It is just this lack of connection to a concern with truth -- this indifference to how things really are -- that I regard as of the essence of bullshit...." The average internet connection in the United States is about six times as fast as it was just ten years ago, but instead of making it faster to browse the same types of websites, we're simply occupying that extra bandwidth with more stuff. Some of this stuff is amazing.... But a lot of the stuff we're seeing is a pile-up of garbage on seemingly every major website that does nothing to make visitors happier -- if anything, much of this stuff is deeply irritating and morally indefensible.

Take that CNN article, for example. Here's what it contained when I loaded it:

- Eleven web fonts, totalling 414 KB
- Four stylesheets, totalling 315 KB
- Twenty frames
- Twenty-nine XML HTTP requests, totalling about 500 KB
- Approximately one hundred scripts, totalling several megabytes -- though it's hard to pin down the number and actual size because some of the scripts are "beacons" that load after the page is technically finished downloading.

The vast majority of these resources are not directly related to the information on the page, and I'm including advertising... In addition, pretty much any CNN article page includes an autoplaying video... Also, have you noticed just how many websites desperately want you to sign up for their newsletter?
The essay also deals harshly with AMP, "a collection of standard HTML elements and AMP-specific elements on a special ostensibly-lightweight page that needs an 80 kilobyte JavaScript file to load correctly....required by the AMP spec to be hotlinked from cdn.amp-project.org, which is a Google-owned domain. That makes an AMP website dependent on Google to display its basic markup, which is super weird for a platform as open as the web."

It argues AMP is only speedier "because AMP restricts the kinds of elements that can be used on a page and severely limits the scripts that can be used," calling it a pseudo-solution. "Better choices should be made by web developers to not ship this bullshit in the first place.... An honest web is one in which the overwhelming majority of the code and assets downloaded to a user's computer are used in a page's visual presentation, with nearly all the remainder used to define the semantic structure and associated metadata on the page."

Microsoft released version 3.0 of TypeScript, which Microsoft describes as an "extension" of JavaScript "that aims to bring static types to modern JavaScript." Quoting Microsoft's Developer Tools blog: The TypeScript compiler reads in TypeScript code, which has things like type declarations and type annotations, and emits clean readable JavaScript with those constructs transformed and removed. That code runs in any ECMAScript runtime like your favorite browsers and Node.js. At its core, this experience means analyzing your code to catch things like bugs and typos before your users run into them; but it brings more than that. Thanks to all that information and analysis TypeScript can provide a better authoring experience, providing code completion and navigation features like Find all References, Go to Definition, and Rename in your favorite editor.
Neowin reports: With any major version release, it is not unexpected for breaking changes to be introduced and that's certainly the case for TypeScript 3.0. One obvious change is that with "unknown" becoming a new type, it is now a reserved type name and can no longer be used in type declarations. Otherwise, there's a range of API breaking changes due to a number of functions and internal methods being deprecated or being made internal.
On the plus side, TypeScript 3.0 reportedly has improved error messages, along with project references that let TypeScript projects have dependencies on other TypeScript projects.

Jonathan Edwards has been programming since 1969 (starting on a PDP-11/20). "Programming today," he writes, "is exactly what you'd expect to get by paying an isolated subculture of nerdy young men to entertain themselves for fifty years. You get a cross between Dungeons & Dragons and Rubik's Cube, elaborated a thousand-fold."

theodp summarizes the rest: To be a 'full stack' developer, Edwards laments, one must master the content of something like a hundred thousand pages of documentation. "Isn't the solution to design technology that doesn't require a PhD...?" he asks. "What of the #CSForAll movement? I have mixed feelings. The name itself betrays confusion -- what we really want is #ProgrammingForAll. Computer science is not a prerequisite for most programming, and may in fact be more of a barrier to many. The confusion of computer science with programming is actually part of the problem, which seems invisible to this movement."

It wasn't always this way, Edwards notes, citing spreadsheets, HyperCard, and the many incarnations of Basic as examples of how programming technology can be vastly easier and more accessible. "Unfortunately application programming got trampled in the internet gold rush," Edwards explains. "Suddenly all that mattered was building large-scale systems as fast as possible, and money was no object, so the focus shifted to 'rock star' programmers and the sophisticated high-powered tools they preferred. As a result the internet age has seen an exponential increase in the complexity of programming, as well as its exclusivity."
"It is long past time to return to designing tools not just for rock stars at Google but the vast majority of programmers and laypeople with simple small-scale problems," the essay concludes, arguing we need new institutions to fund changes in both the technology and culture of programming.

"We've done it before so we can do it again, even better this time."

Kotlin, which Google blessed last year as an alternative to Java for programming Android apps, has already made its way into almost 12 per cent of open source Android apps, and in so doing has elevated their code quality. From a report: So we're told by computer scientists Bruno Gois Mateus and Matias Martinez, affiliated with University of Valenciennes in France, who observed that Google at the end of 2017 said Kotlin had infiltrated more than 17 per cent of Android apps developed with its IDE, Android Studio 3.0. Kotlin is an open source statically typed programing language that targets the JVM, Android, JavaScript (transpiling to ES5.1) and native platforms (via LLVM). JetBrains, the company that created it, contends Kotlin is more concise and more type-safe than Java. It estimates that apps written in Kotlin require about 40 per cent less code than they would with Java. With fewer lines of code, in theory, one can expect fewer bugs. In a paper distributed through pre-print service ArXiv, "An Empirical Study on Quality of Android Applications written in Kotlin language," Mateus and Martinez describe how they gathered 925 apps from the open source F-Droid repository, measured the amount of Kotlin code in each, and analyzed the code for "smells" as an indicator of code quality.

New submitter rfengineer shares a report: Welcome to IEEE Spectrum's fifth annual interactive ranking of the top programming languages. Because no one can peer over the shoulders of every coder out there, anyone attempting to measure the popularity of computer languages must rely on proxy measures of relative popularity. In our case, this means combining metrics from multiple sources to rank 47 languages. But recognizing that different programmers have different needs and domains of interest, we've chosen not to blend all those metrics up into One Ranking to Rule Them All. [...] Python has tightened its grip on the No. 1 spot. Last year it came out on top by just barely beating out C, with Python's score of 100 to C's 99.7. But this year, there's a wider gap between first and second place, with C++ coming in at 98.4 for the No. 2 slot (last year, Java had come third with a score of 99.4, while this year its fallen to 4th place with a score of 97.5). C has fallen to third place, with a score of 98.2.

In a post, Apple announced the following changes: With the launch of the new App Store on both iOS and macOS and their increased methods of app discovery, we will be removing apps from the affiliate program. Starting on October 1st, 2018, commissions for iOS and Mac apps and in-app content will be removed from the program. All other content types (music, movies, books, and TV) remain in the affiliate program. Stephen Hackett, a long time Apple blogger and podcaster, said, "This is not totally surprising after Apple cut the rate for in-app purchases last year. However, this is going to hurt a lot of people in the media ecosystem around Apple." The post includes thoughts of several developers.

Amazon plans to be completely off Oracle's proprietary database software by the first quarter of 2020, reports CNBC. The plans come after the company moved most of its infrastructure internally to Amazon Web Services. From the report: Amazon began moving off Oracle about four or five years ago, said one of the people, who asked not to be named because the project is confidential. Some parts of Amazon's core shopping business still rely on Oracle, the person said, and the full migration should wrap up in about 14 to 20 months. Another person said that Amazon had been considering a departure from Oracle for years before the transition began but decided at the time that it would require too much engineering work with perhaps too little payoff. The primary issue Amazon has faced on Oracle is the inability for the database technology to scale to meet Amazon's performance needs, a person familiar with the matter said. Another person, who said the move could be completed by mid-2019, added that there hasn't been any development of new technology relying on Oracle databases for quite a while.

In a blog post, Facebook said that it's shutting off access to its application programming interface for hundreds of thousands of inactive apps. This interface is what lets app developers access user data. The Verge reports: The company had set an August 1st deadline back in May, during its F8 developer conference, for developers and businesses to re-submit apps to an internal review, a process that involves signing new contracts around user data collection and verifying one's authenticity. The goal is to ensure third-party software on Facebook was in line with the company's data privacy rules and new restrictions put in place in the wake of the Cambridge Analytica scandal, in which a third-party developer siphoned user data and sold it to another firm in violation of Facebook's terms of service. Now, after it identified numerous apps that were either inactive or from developers who had not submitted the software for review, Facebook is cutting off those apps' access to its Platform API.

Lubuntu, a popular Ubuntu flavor, has gained traction over the years for supporting older hardware. As Brian Fagioli writes at BetaNews, one of the focuses of the Lubuntu developers is to support aging computers. However, that is about to change. He adds: When Lubunu 18.10 is released in October 2018, it will ditch LXDE for the newer LXQt. Despite it also being a desktop environment that is easy on resources, the Lubuntu developers are planning to drop their focus on old hardware after the transition. "[...] Our main focus is shifting from providing a distribution for old hardware to a functional yet modular distribution focused on getting out of the way and letting users use their computer. In essence, this is leveraging something we have always done with Lubuntu; providing an operating system which users can use to revive their old computers, but bringing this to the age of modern computing," says Simon Quigley of Lubuntu team.

MightyMartian shares a report from The Guardian: On April 30, 2019, Emperor Akihito of Japan is expected to abdicate the chrysanthemum throne. The decision was announced in December 2017 so as to ensure an orderly transition to Akihito's son, Naruhito, but the coronation could cause concerns in an unlikely place: the technology sector. The Japanese calendar counts up from the coronation of a new emperor, using not the name of the emperor, but the name of the era they herald. Akihito's coronation in January 1989 marked the beginning of the Heisei era, and the end of the Shwa era that preceded him; and Naruhito's coronation will itself mark another new era. But that brings problems. For one, Akihito has been on the throne for almost the entirety of the information age, meaning that many systems have never had to deal with a switchover in era. For another, the official name of Naruhito's era has yet to be announced, causing concern for diary publishers, calendar printers and international standards bodies. It's why some are calling it "Japan's Y2K problem." "The magnitude of this event on computing systems using the Japanese Calendar may be similar to the Y2K event with the Gregorian Calendar," said Microsoft's Shawn Steele. "For the Y2K event, there was world-wide recognition of the upcoming change, resulting in governments and software vendors beginning to work on solutions for that problem several years before January 1, 2000. Even with that preparation many organizations encountered problems due to the millennial transition. Fortunately, this is a rare event, however it means that most software has not been tested to ensure that it will behave with an additional era."

Unicode's Ken Whistler wrote in a message earlier this month: "The [Unicode Technical Committee] cannot afford to make any mistakes here, nor can it just *guess* and release the code point early. All of this is pointing directly to the necessity of issuing a Unicode 12.1 release sharply on the heels of Unicode 12.0, incorporating the addition of the new Japanese era name character, which all vendors will be under great pressure to immediately support in 2019 software releases."

BrianFagioli shares a report from BetaNews: Microsoft seems eager to get programmers on the quantum bandwagon, as today, it launched the open-source Quantum Katas on GitHub. What exactly is it? It is essentially a project deigned to teach Q# programming for free. "For those who want to explore quantum computing and learn the Q# programming language at their own pace, we have created the Quantum Katas -- an open-source project containing a series of programming exercises that provide immediate feedback as you progress," says The Microsoft Quantum Team. "Coding katas are great tools for learning a programming language. They rely on several simple learning principles: active learning, incremental complexity growth, and feedback."

The team further says, "The Microsoft Quantum Katas are a series of self-paced tutorials aimed at teaching elements of quantum computing and Q# programming at the same time. Each kata offers a sequence of tasks on a certain quantum computing topic, progressing from simple to challenging. Each task requires you to fill in some code; the first task might require just one line, and the last one might require a sizable fragment of code. A testing framework validates your solutions, providing real-time feedback." You can view the project on GitHub here.

Since Venmo's transactions are "public" by default and broadcast on Venmo's API, a Python programmer decided to publicize a few of them, reports the Mercury News: The creator of the bot named "Who's buying drugs on Venmo" under the Twitter handle @venmodrugs says he wanted users to consider their privacy settings before using Venmo. The bot finds Venmo transactions that include words such as heroin, marijuana, cocaine, meth, speed or emojis that denote drugs and tweets the transaction with the names of the sender and receiver and the sender's photo, if there is one... "I wanted to demonstrate how much data Venmo was making publicly available with their open API and their public by default settings and encourage people to consider their privacy settings," Joel Guerra, the creator of the bot, told Motherboard, a technology news outlet run by Vice.
He shut the bot after 24 hours, according to a Medium essay titled "Why I blasted your 'drug' deals on Twitter": I chose drugs, sex and alcohol keywords as the trigger for the bot because because they were funny and shocking. I removed the last names of users because I didn't want to actually contribute to the problem of lack of privacy... I braced myself for backlash but the response was overwhelmingly positive. People understood my point and I had sparked a lot of discussion about online privacy and the need for users to do a better job of understanding the terms of software they were using -- and a lot of discussion about how companies need to do a better job of informing customers how their data was being used...

After about 24 hours of tweeting everyone's drug laden Venmo transactions I shut down the bot (Python script!!) and deleted all the tweets. I had successfully made my point and gotten more attention than I had imagined possible. Thousands of people were reading tweets and articles about the bot and discussing data privacy. I saw no further value in tweeting out anyone's personal transactions anymore. However, all I ever did was format the data and automate a Twitter account -- the data is still readily available.
His closure of the bot drew some interesting reactions on Twitter.

"booooooooo. I was so entertained by this."

"I remember I had a dealer take my phone and set venmo to private lol."

"we're looking to add a Python developer to our team and I think you'd be a good fit."

Long-time Slashdot reader Qbertino does PHP for a living, but says he's growing "increasingly frustrated with the ignorant and clueless in the vincinity of PHP." Crappy code and baaaaad application setups is one thing, but people refusing to fix them or simply not even understanding the broader implications of bad applications or attempting SEO with gadgets while refusing to fix 3.5 MB-per-pagecall are just minor tidbits in a history of increasingly unnerving run-ins with knuckledragers in the "web agency" camp...

Will I leave the larger part of this backwards stuff behind if I move to another server-side programming language such as Java or Kotlin for professional work in the broader web area? Do I have a chance to do quality work on quality projects using PHP, or are those slim compare to other programming languages? In short, should I ditch PHP?
"I think .NET is a much cleaner language to work in with Microsoft's excellent Visual Studio IDE and debugger," argues Slashdot reader Agret , adding "there are many large projects in my city hiring .NET developers and being a strongly typed language the code quality is generally better than PHP."

But what's been your experience? And would a frustrated developer find more quality projects by ditching PHP?

"Bing has launched a new intelligent search feature which provides the exact piece of code a developer is looking for," writes Search Engine Journal. An anonymous reader quotes their report: The code snippet will appear right on the search results page itself, which means users will not have to skim through long threads and articles to find the one thing they're looking for. Bing calls this new feature a "Code Sample Answer" and says it's designed to help save developers' time. "Many of us are developers too, and we thought: what if Bing were intelligent enough to do this for us? What if it could save users' time by automatically finding the exact piece of code containing the answer to the question? That is how Code Sample Answer was born..."

A Code Sample Answer will trigger only when Bing intelligently detects the coding intent with high confidence. "To achieve this level of precision for query intent detection, Bing's natural language processing pipelines for developers leverages patterns found in training data from developer queries collected over the years containing commonly used terms and text structure typical for coding queries. The system also leverages a multitude of click signals to improve the precision even further"... [I]t also covers other tools used by developers. For example, a Code Sample Answer can be triggered when searching for git commands and their syntax.
Bing extracts "the best matched code samples from popular, authoritative and well moderated sites like Stackoverflow, Github, W3Schools, MSDN, Tutorialpoints, etc. taking into account such aspects as fidelity of API and programming language match, counts of up/down-votes, completeness of the solution and more."

JAXenter.com notes they obtained similar results using the privacy-friendly search engine DuckDuckGo, and ultimately asks whether this functionality could affect the search habits of developers. "Is this new feature enough to make Bing a viable search engine tool for programmers or will Google be the go-to for hunting down source code?"

The Economist argues that Guido Van Rossum resembled the reluctant Messiah in Monty Python's Life of Brian. An anonymous reader quotes their report: "I certainly didn't set out to create a language that was intended for mass consumption," he explains. But in the past 12 months Google users in America have searched for Python more often than for Kim Kardashian, a reality-TV star. The rate of queries has trebled since 2010, while inquiries after other programming languages have been flat or declining. The language's popularity has grown not merely among professional developers -- nearly 40% of whom use it, with a further 25% wishing to do so, according to Stack Overflow, a programming forum -- but also with ordinary folk. Codecademy, a website that has taught 45 million novices how to use various languages, says that by far the biggest increase in demand is from those wishing to learn Python. It is thus bringing coding to the fingertips of those once baffled by the subject. Pythonistas, as aficionados are known, have helped by adding more than 145,000 packages to the Cheese Shop, covering everything from astronomy to game development....

Python was already the most popular introductory language at American universities in 2014, but the teaching of it is generally limited to those studying science, technology, engineering and mathematics. A more radical proposal is to catch 'em young by offering computer science to all, and in primary schools. Hadi Partovi, the boss of Code.org, a charity, notes that 40% of American schools now offer such lessons, up from 10% in 2013. Around two-thirds of 10- to 12-year-olds have an account on Code.org's website. Perhaps unnerved by a future filled with automated jobs, 90% of American parents want their children to study computer science.
"The CIA has employed Python for hacking, Pixar for producing films, Google for crawling web pages and Spotify for recommending songs," notes the Economist.

Though Van Rossum was Python's Benevolent Dictator For Life, "I'm uncomfortable with that fame," he tells the magazine. "Sometimes I feel like everything I say or do is seen as a very powerful force."

An anonymous reader shares an excerpt from Ars Technica: D-Wave's hardware has always occupied a unique space on the computing landscape. It's a general-purpose computer that relies on quantum mechanical effects to perform calculations. And, while other quantum-computer makers have struggled to put more than a few dozen qubits together, D-Wave's systems have already scaled to more than 2,000 addressable bits. But the D-Wave systems don't perform calculations in the same way and, despite all those bits, haven't clearly demonstrated performance that can outpace even traditional computing hardware. But D-Wave has come out with a research paper in Science that suggests that the system can do interesting things even in its current state. The company's researchers have set it loose modeling a quantum system that closely resembles the bits used in the hardware itself, allowing them to examine quantum phase transitions. While this still isn't cutting-edge performance, it does allow researchers full control over the physical parameters of a relevant quantum system as it undergoes phase changes.

Government Technology reports: On July 16, Google Maps is going to make it more difficult and expensive to use its API, which could make custom maps that rely on the service less sustainable or even unfeasible for the people who made them... First, Google Maps is requiring all projects to have an official API key in order to work. If a user doesn't have a key, the quality of the map will likely be reduced, or it could simply stop working. Second, API keys will only work if they are attached to somebody's credit card. Google will charge that card if users exceed a certain number of API requests, which is different for different services. Google will provide users a free $200 credit toward those costs each month...

There are a couple places where the changes might have more of an impact. One is in the civic hacking space, where people often work with government data to create niche projects that aim for low costs, or are free so that as many people as possible can use them... "I think that's what scares people a little bit, it certainly scares me, this thought of having this API out there and not knowing how many people are going to use it," said Derek Eder, founder of the civic tech company DataMade. "I don't want to suddenly get a bill for $1,000."
There's at least three Open Source alternatives, and Geoawesomeness.com lists nine more.

Slashdot reader Jiri_Komarek also points out that Google's move was good news for its competitor, MapTiler. "Since Google announced the pricing change the number of our users increased by 200%," said Petr Pridal, head of the MapTiler team. "We expect more people to come as they get their first bill from Google."