Microsoft

Microsoft Brings Support for Arm-based AI Chips To Windows (techcrunch.com) 3

Today at Build 2022, Microsoft unveiled Project Volterra, a device powered by Qualcomm's Snapdragon platform that's designed to let developers explore "AI scenarios" via Qualcomm's new Snapdragon Neural Processing Engine (SNPE) for Windows toolkit. From a report: The hardware arrives alongside support in Windows for neural processing units (NPUs), or dedicated chips tailored for AI- and machine learning-specific workloads. Dedicated AI chips, which speed up AI processing while reducing the impact on battery, have become common in mobile devices like smartphones. But as apps like AI-powered image upscalers come into wider use, manufacturers have been adding such chips to their laptop lineups. M1 Macs feature Apple's Neural Engine, for instance, and Microsoft's Surface Pro X has the SQ1 (which was co-developed with Qualcomm). Intel at one point signaled it would offer an AI chip solution for Windows PCs, but -- as the ecosystem of AI-powered Arm apps is well-established, thanks to iOS and Android -- Project Volterra appears to be an attempt to tap it rather than reinvent the wheel.

It's not the first time Microsoft has partnered with Qualcomm to launch AI developer hardware. In 2018, the companies jointly announced the Vision Intelligence Platform, which featured "fully integrated" support for computer vision algorithms running via Microsoft's Azure ML and Azure IoT Edge services. Project Volterra offers evidence that, four years later, Microsoft and Qualcomm remain bedfellows in this arena, even after the reported expiration of Qualcomm's exclusivity deal for Windows on Arm licenses. Arriving later this year, Microsoft says (somewhat hyperbolically) that Project Volterra will come with a neural processor that has "best-in-class" AI computing capacity and efficiency. The primary chip will be Arm-based, supplied by Qualcomm, and will enable developers to build and test Arm-native apps alongside tools including Visual Studio, VSCode, Microsoft Office and Teams. Project Volterra is the harbinger of an "end-to-end" developer toolchain for Arm-native apps from Microsoft, as it turns out, which will span the full Visual Studio 2022, VSCode, Visual C++, .NET 6, Windows Terminal, Java, Windows Subsystem for Linux and Windows Subsystem for Android (for running Android apps).

Programming

Developer Survey: JavaScript and Python Reign, but Rust is Rising (infoworld.com) 60

SlashData's "State of the Developer Nation" surveyed more than 20,000 developers in 166 countries, taken from December 2021 to February 2022, reports InfoWorld.

It found the most popular programming language is JavaScript — followed by Python (which apparently added 3.3 million new net developers in just the last six months). And Rust adoption nearly quadrupled over the last two years to 2.2 million developers.

InfoWorld summarizes other findings from the survey: Java continues to experience strong and steady growth. Nearly 5 million developers have joined the Java community since the beginning of 2021.

PHP has grown the least in the past six months, with an increase of 600,000 net new developers between Q3 2021 and Q1 2022. But PHP is the second-most-commonly used language in web applications after JavaScript.

Go and Ruby are important languages in back-end development, but Go has grown more than twice as fast in the past year. The Go community now numbers 3.3 million developers.

The Kotlin community has grown from 2.4 million developers in Q1 2021 to 5 million in Q1 2022. This is largely attributed to Google making Kotlin its preferred language for Android development.

Python

Is Python About to Get Faster? (zdnet.com) 134

"Python 3.11 will bear the fruits of CPython's multi-year effort to make Python a faster programming language," reports ZDNet.

"Core Python (CPython) developer Mark Shannon shared details about the project to make Python faster at the PyCon 2022 conference this week..." Last year, Microsoft funded a project for the Python Software Foundation (PSF), led by Python creator Guido van Rossum and Shannon, to make Python twice as fast as the current stable 3.10 series. The vision is to nudge Python towards the performance of C. Microsoft hired van Rossum in 2020 and gave him a free hand to pick any project. At last year's PyCon 2021 conference, he said he "chose to go back to my roots" and would work on Python's famed lack of performance....

The Faster CPython Project provided some updates about CPython 3.11 performance over the past year. Ahead of PyCon 2022, the project published more results comparing the 3.11 beta preview to 3.10 on dozens of performance metrics, showing that 3.11 was overall 1.25 times faster than 3.10. Shannon is realistic about the project's ability to improve Python performance, but believes the improvements can extend Python's viable use to more virtual machines. "Python is widely acknowledged as slow. Whilst Python will never attain the performance of low-level languages like C, Fortran, or even Java, we would like it to be competitive with fast implementations of scripting languages, like V8 for Javascript or luajit for lua," he wrote last year in the Python Enhancement Proposal (PEP) 659.

"Specifically, we want to achieve these performance goals with CPython to benefit all users of Python including those unable to use PyPy or other alternative virtual machines...."

On the question of a just-in-time (JIT) compiler for Python's performance, Shannon suggested it was not a priority and would likely not arrive until Python 3.13, according to the Python Software Foundation's coverage of the event.... According to the Faster Python implementation plan, CPython 3.12 might gain a "simple JIT compiler for small regions" that compiles small regions of specialized code, while 3.13 would enhance the compiler to extend the regions for compilation.

Java

Oracle Java Popularity Sliding, Reports New Relic (infoworld.com) 95

InfoWorld reports that "While still the industry's leading Java distribution, Oracle Java's popularity is half what it was just two years ago, according to a report from application monitoring company New Relic." (With the usual caveat that data from New Relic's report "was drawn entirely from applications reporting to New Relic in January 2022 and does not provide a global picture of Java usage.") The finding was included in the company's 2022 State of the Java Ecosystem report, released April 26, which is based on data culled from millions of applications providing performance data to New Relic. Among Java Development Kit (JDK) distributions, Oracle had roughly 75% of the market in 2020, but just 34.48% in 2022, New Relic reported. Not far behind was Amazon, at 22.04%, up from 2.18% in 2020.

New Relic said its numbers show movement away from Oracle binaries after the company's "more restrictive licensing" of its JDK 11 distribution before returning to a more open stance with JDK 17, released in September 2021. Behind Oracle and Amazon were Eclipse Adoptium (11.48%), Azul Systems (8.17%), Red Hat (6.05%), IcedTea (5.38%), Ubuntu (2.91%), and BellSoft (2.5%).

GNU is Not Unix

Richard Stallman Speaks on the State of Free Software, and Answers Questions (libreplanet.org) 112

Richard Stallman celebrated his 69th birthday last month. And Wednesday, he gave a 92-minute presentation called "The State of the Free Software Movement."

Stallman began by thanking everyone who's contributed to free software, and encouraged others who want to help to visit gnu.org/help. "The Free Software movement is universal, and morally should not exclude anyone. Because even though there are crimes that should be punished, cutting off someone from contributing to free software punishes the world. Not that person."

And then he began by noting some things that have gotten better in the free software movement, including big improvements in projects like GNU Emacs when displaying external packages. (And in addition, "GNU Health now has a hospital management facility, which should make it applicable to a lot more medical organizations so they can switch to free software. And [Skype alternative] GNU Jami got a big upgrade.")

What's getting worse? Well, the libre-booted machines that we have are getting older and scarcer. Finding a way to support something new is difficult, because Intel and AMD are both designing their hardware to subjugate people. If they were basically haters of the public, it would be hard for them to do it much worse than they're doing.

And Macintoshes are moving towards being jails, like the iMonsters. It's getting harder for users to install even their own programs to run them. And this of course should be illegal. It should be illegal to sell a computer that doesn't let users install software of their own from source code. And probably shouldn't allow the computer to stop you from installing binaries that you get from others either, even though it's true in cases like that, you're doing it at your own risk. But tying people down, strapping them into their chairs so that they can't do anything that hurts themselves -- makes things worse, not better. There are other systems where you can find ways to trust people, that don't depend on being under the power of a giant company.

We've seen problems sometimes where supported old hardware gets de-supported because somebody doesn't think it's important any more — it's so old, how could that matter? But there are reasons...why old hardware sometimes remains very important, and people who aren't thinking about this issue might not realize that...


Stallman also had some advice for students required by their schools to use non-free software like Zoom for their remote learning. "If you have to use a non-free program, there's one last thing... which is to say in each class session, 'I am bitterly ashamed of the fact that I'm using Zoom for this class.' Just that. It's a few seconds. But say it each time.... And over time, the fact that this is really important to you will sink in."

And then halfway through, Stallman began taking questions from the audience...

Privacy

Deception, Exploited Workers, and Cash Handouts: How Worldcoin Recruited Its First Half a Million Test Users (technologyreview.com) 10

The startup promises a fairly-distributed, cryptocurrency-based universal basic income. So far all it's done is build a biometric database from the bodies of the poor. MIT Technology Review reports: On a sunny morning last December, Iyus Ruswandi, a 35-year-old furniture maker in the village of Gunungguruh, Indonesia, was woken up early by his mother. A technology company was holding some kind of "social assistance giveaway" at the local Islamic elementary school, she said, and she urged him to go. Ruswandi joined a long line of residents, mostly women, some of whom had been waiting since 6 a.m. In the pandemic-battered economy, any kind of assistance was welcome. At the front of the line, representatives of Worldcoin Indonesia were collecting emails and phone numbers, or aiming a futuristic metal orb at villagers' faces to scan their irises and other biometric data. Village officials were also on site, passing out numbered tickets to the waiting residents to help keep order. Ruswandi asked a Worldcoin representative what charity this was but learned nothing new: as his mother said, they were giving away money.

Gunungguruh was not alone in receiving a visit from Worldcoin. In villages across West Java, Indonesia -- as well as college campuses, metro stops, markets, and urban centers in two dozen countries, most of them in the developing world -- Worldcoin representatives were showing up for a day or two and collecting biometric data. In return they were known to offer everything from free cash (often local currency as well as Worldcoin tokens) to Airpods to promises of future wealth. In some cases they also made payments to local government officials. What they were not providing was much information on their real intentions. This left many, including Ruswandi, perplexed: What was Worldcoin doing with all these iris scans?

To answer that question, and better understand Worldcoin's registration and distribution process, MIT Technology Review interviewed over 35 individuals in six countries -- Indonesia, Kenya, Sudan, Ghana, Chile, and Norway -- who either worked for or on behalf of Worldcoin, had been scanned, or were unsuccessfully recruited to participate. We observed scans at a registration event in Indonesia, read conversations on social media and in mobile chat groups, and consulted reviews of Worldcoin's wallet in the Google Play and Apple stores. We interviewed Worldcoin CEO Alex Blania, and submitted to the company a detailed list of reporting findings and questions for comment. Our investigation revealed wide gaps between Worldcoin's public messaging, which focused on protecting privacy, and what users experienced. We found that the company's representatives used deceptive marketing practices, collected more personal data than it acknowledged, and failed to obtain meaningful informed consent. These practices may violate the European Union's General Data Protection Regulations (GDPR) -- a likelihood that the company's own data consent policy acknowledged and asked users to accept -- as well as local laws.

Security

Log4Shell Exploited To Infect VMware Horizon Servers With Backdoors, Crypto Miners (zdnet.com) 10

An anonymous reader quotes a report from ZDNet: The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers. On Tuesday, Sophos cybersecurity researchers said the attacks were first detected in mid-January and are ongoing. Not only are backdoors and cryptocurrency miners being deployed, but in addition, scripts are used to gather and steal device information. Log4Shell is a critical vulnerability in Apache Log4J Java logging library. The unauthenticated remote code execution (RCE) vulnerability was made public in December 2021 and is tracked as CVE-2021-44228 with a CVSS score of 10.0.

According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. The attackers behind the campaign are leveraging the bug to obtain access to vulnerable servers. Once they have infiltrated the system, Atera agent or Splashtop Streamer, two legitimate remote monitoring software packages, may be installed, with their purpose twisted into becoming backdoor surveillance tools.

The other backdoor detected by Sophos is Sliver, an open source offensive security implant released for use by pen testers and red teams. Sophos says that four miners are linked to this wave of attacks: z0Miner, JavaX miner, Jin, and Mimu, which mine for Monero (XMR). Previously, Trend Micro found z0Miner operators were exploiting the Atlassian Confluence RCE (CVE-2021-26084) for cryptojacking attacks. A PowerShell URL connected to both campaigns suggests there may also be a link, although that is uncertain. [...] In addition, the researchers uncovered evidence of reverse shell deployment designed to collect device and backup information.

Programming

'Biggest Change Ever' to Go Brings Generics, Native Fuzzing, and a Performance Boost (go.dev) 35

"Supporting generics has been Go's most often requested feature, and we're proud to deliver the generic support that the majority of users need today," the Go blog announced this week. *

It's part of what Go's development team is calling the "biggest change ever to the language".

SiliconANGLE writes that "Right out of the gate, Go 1.18 is getting a CPU speed performance boost of up to 20% for Apple M1, ARM64 and PowerPC64 chips. This is all from an expansion of Go 1.17's calling conventions for the application binary interface on these processor architectures."

And Go 1.18 also introduces native support for fuzz testing — the first major programming language to do so, writes ZDNet: As Google explains, fuzz testing or 'fuzzing' is a means of testing the vulnerability of a piece of software by throwing arbitrary or invalid data at it to expose bugs and unknown errors. This adds an additional layer of security to Go's code that will keep it protected as its functionality evolves — crucial as attacks on software continue to escalate both in frequency and complexity. "At Google we are committed to securing the online infrastructure and applications the world depends upon," said Eric Brewer, VP infrastructure at Google....

While other languages support fuzzing, Go is the first major programming language to incorporate it into its core toolchain, meaning — unlike other languages — third-party support integrations aren't required.

Google is emphasizing Go's security features — and its widespread adoption. ZDNet writes: Google created Go in 2007, and it was designed specifically to help software engineers build secure, open-source enterprise applications for modern, multi-core computing systems. More than three-quarters of Cloud Native Computing Foundation projects, including Kubernetes and Istio, are written in Go, says Google. [Also Docker and Etc.] According to data from Stack Overflow, some 10% of developers are writing in Go worldwide, and there are signs that more recruiters are seeking out Go coders in their search for tech talent.... "Although we have a dedicated Go team at Google, we welcome a significant amount of contributions from our community. It's a shared effort, and with their updates we're helping our community achieve Go's long-term vision."

Or, as the Go blog says: We want to thank every Go user who filed a bug, sent in a change, wrote a tutorial, or helped in any way to make Go 1.18 a reality. We couldn't do it without you. Thank you.

Enjoy Go 1.18!

* Supporting generics "includes major — but fully backward-compatible — changes to the language," explain the release notes, although they add a few cautionary notes: These new language changes required a large amount of new code that has not had significant testing in production settings. That will only happen as more people write and use generic code. We believe that this feature is well implemented and high quality. However, unlike most aspects of Go, we can't back up that belief with real world experience. Therefore, while we encourage the use of generics where it makes sense, please use appropriate caution when deploying generic code in production.

While we believe that the new language features are well designed and clearly specified, it is possible that we have made mistakes.... it is possible that there will be code using generics that will work with the 1.18 release but break in later releases. We do not plan or expect to make any such change. However, breaking 1.18 programs in future releases may become necessary for reasons that we cannot today foresee. We will minimize any such breakage as much as possible, but we can't guarantee that the breakage will be zero.

China

Cybersecurity Firm Says Chinese Hackers Breached Six US State Agencies (cnn.com) 19

An anonymous reader quotes a report from CNN: A Chinese government-backed hacking group has breached local government agencies in at least six US states in the last 10 months as part of a persistent information-gathering operation, investigators at cybersecurity firm Mandiant said Tuesday. The wide range of state agencies targeted include "health, transportation, labor (including unemployment benefit systems), higher education, agriculture, and court networks and systems," the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) said in a separate, private advisory to state governments obtained by CNN. For agencies in two states, the hackers broke into networks using a critical software flaw that was revealed in December just as the Biden administration was scrambling to respond to the flaw's discovery, according to Mandiant.

The hackers' motives aren't clear, but their victims are "consistent with an espionage operation," the firm said. The list of state agencies affected by the hacking could grow as the investigation continues. CISA on December 10 publicly warned that Log4J -- software used by big tech firms around the world -- had a vulnerability that hackers could easily exploit to gain further access to computer systems. Hundreds of millions of computers around the world ran the vulnerable software, US officials later estimated. For weeks, US officials urged companies to update their software; the White House hosted a meeting in January with tech executives to try to address the root problem of software that is not secure by design. Within hours of the CISA advisory, the Chinese hackers had begun using the Log4J flaw to break into the two US state agencies, according to Mandiant.

Agencies in four other states were hacked via other means. In one state, Mandiant said, the hackers accessed personal data on some Americans, including names, email addresses and mobile phone numbers. Mandiant declined to name the US states or agencies affected. While the hackers' ultimate objectives are unclear, state agencies could provide a wealth of useful information to foreign spies, whether data related to elections or government contracting. Mandiant blamed the hacking campaign on a group that the Justice Department has linked with China's civilian intelligence agency. That hacking group, according to a US indictment unsealed in September 2020, has been linked to attempts to breach hundreds of organizations around the world, from hardware makers to pro-democracy politicians in Hong Kong.

Cloud

Is It More Energy-Efficient to Program in Rust? (amazon.com) 243

A recent post on the AWS Open Source blog announced that AWS "is investing in the sustainability of Rust, a language we believe should be used to build sustainable and secure solutions."

It was written by the chair of the Rust foundation (and leader of AWS's Rust team) with a Principal Engineer at AWS, and reminds us that Rust "combines the performance and resource efficiency of systems programming languages like C with the memory safety of languages like Java."

But there's another reason they're promoting Rust: Worldwide, data centers consume about 200 terawatt hours per year. That's roughly 1% of all energy consumed on our planet... [C]loud and hyperscale data centers have been implementing huge energy efficiency improvements, and the migration to that cloud infrastructure has been keeping the total energy use of data centers in balance despite massive growth in storage and compute for more than a decade... [I]s the status quo good enough? Is keeping data center energy use to 1% of worldwide energy consumption adequate..? [Will] innovations in energy efficiency continue to keep pace with growth in storage and compute in the future? Given the explosion we know is coming in autonomous drones, delivery robots, and vehicles, and the incredible amount of data consumption, processing, and machine learning training and inference required to support those technologies, it seems unlikely that energy efficiency innovations will be able to keep pace with demand...

[J]ust like security, sustainability is a shared responsibility. AWS customers are responsible for energy efficient choices in storage policies, software design, and compute utilization, while AWS owns efficiencies in hardware, utilization features, and cooling systems.... In the same way that operational excellence, security, and reliability have been principles of traditional software design, sustainability must be a principle in modern software design. That's why AWS announced a sixth pillar for sustainability to the AWS Well-Architected Framework. What that looks like in practice is choices like relaxing service-level agreements for non-critical functions and prioritizing resource use efficiency. We can take advantage of virtualization and allow for longer device upgrade cycles. We can leverage caching and longer times-to-live whenever possible. We can classify our data and implement automated lifecycle policies that delete data as soon as possible. When we choose algorithms for cryptography and compression, we can include efficiency in our decision criteria.

Last, but not least, we can choose to implement our software in energy efficient programming languages.

There was a really interesting study a few years ago that looked at the correlation between energy consumption, performance, and memory use.... What the study did is implement 10 benchmark problems in 27 different programming languages and measure execution time, energy consumption, and peak memory use. C and Rust significantly outperformed other languages in energy efficiency. In fact, they were roughly 50% more efficient than Java and 98% more efficient than Python. It's not a surprise that C and Rust are more efficient than other languages. What is shocking is the magnitude of the difference. Broad adoption of C and Rust could reduce energy consumption of compute by 50% — even with a conservative estimate....

No one developer, service, or corporation can deliver substantial impact on sustainability. Adoption of Rust is like recycling; it only has impact if we all participate. To achieve broad adoption, we are going to have to grow the developer community.

That "interesting study" cited also found that both C and Rust execute faster than other programming languages, the blog post points out, so "when you choose to implement your software in Rust for the sustainability and security benefits, you also get the optimized performance of C."

And the post also notes Linus Torvalds' recent acknowledgement that while he really loves C, it can be like juggling chainsaws, with easily-overlooked and "not always logical" type interactions. (Torvalds then went on to call Rust "the first language I saw which looked like this might actually be a solution.")

The Rust Foundation is a non-profit partnership between Amazon Web Services (AWS), Google, Huawei, Microsoft, and Mozilla.

Programming

TIOBE Adjusts Programming Language Popularity Calculations. Python, C, and Java Still Popular (techrepublic.com) 31

"As of the 1st of May, the Alexa web traffic ranking engine is going to stop its services," the TIOBE Index reminds us. So for the first time, TIOBE has switched to Similarweb this month to choose which search engines' results to use for its ranking of the popularity of programming languages. Fortunately, there are no big changes in the index due to this swap. The only striking difference is that the top 3 languages, Python, C, and Java, all gained more than 1 percent in the rankings.

We are still fine-tuning the integration with Similarweb, which is combined with a shift to HtmlUnit in the back-end. Some websites are not onboarded yet, but will follow soon. Now that HtmlUnit is applied for web crawling, it will become possible to add more sites to the index, such as Stackoverflow and Github. This will hopefully happen in the next few months.

TechRepublic reports: Python continues to sit atop the index, with C and Java directly behind it. In Feb. 2021, those three also occupied the top spot, but with Python in the number three position, C at top, and Java in second place.

Beyond the top three, there hasn't been much movement in the index, with positions four through eight unchanged from the same time last year. Those slots are occupied, respectively, by C++, C#, Visual Basic, JavaScript and PHP. Positions nine and 10 swapped from Feb. 21 to now, with Assembly Language and SQL now occupying each other's positions.

The one big move of note between Feb. 2021 and Feb. 2022 was with the Groovy programming language, an object-oriented language for Java. Over the course of the year, Groovy fell from 12th position all the way to 20th, putting it perilously close to the "other programming languages" list.

Thanks to Amigan (Slashdot reader #25,469) for sharing the story.

Security

VMware Horizon Servers Are Under Active Exploit By Iranian State Hackers (arstechnica.com) 17

An anonymous reader quotes a report from Ars Technica: Hackers aligned with the government of Iran are exploiting the critical Log4j vulnerability to infect unpatched VMware users with ransomware, researchers said on Thursday. Security firm SentinelOne has dubbed the group TunnelVision. The name is meant to emphasize TunnelVision's heavy reliance on tunneling tools and the unique way it deploys them. In the past, TunnelVision has exploited so-called 1-day vulnerabilities -- meaning vulnerabilities that have been recently patched -- to hack organizations that have yet to install the fix. Vulnerabilities in Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange (ProxyShell) are two of the group's better-known targets. [...] The SentinelOne research shows that the targeting continues and that this time the target is organizations running VMware Horizon, a desktop and app virtualization product that runs on Windows, macOS, and Linux.

Apache Tomcat is an open source Web server that VMware and other enterprise software use to deploy and serve Java-based Web apps. Once installed, a shell allows the hackers to remotely execute commands of their choice on exploited networks. The PowerShell used here appears to be a variant of this publicly available one. Once it's installed, TunnelVision members use it to: Execute reconnaissance commands; Create a backdoor user and add it to the network administrators group; Harvest credentials using ProcDump, SAM hive dumps, and comsvcs MiniDump; and Download and run tunneling tools, including Plink and Ngrok, which are used to tunnel remote desktop protocol traffic.

The hackers use multiple legitimate services to achieve and obscure their activities. Those services include: transfer.sh, pastebin.com, webhook.site, ufile.io, and raw.githubusercontent.com. People who are trying to determine if their organization is affected should look for unexplained outgoing connections to these legitimate public services.
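The check suggested above, sketched as an added example (it is not from SentinelOne, Ars Technica or the original summary): it scans egress records for the five listed services and reports sources with no known reason to contact them. The proxy log format, the host names and the `EXPECTED` allow-list are constructed assumptions.

```python
"""Flag outbound connections to the public services named in the report.

Added example: the log format, host names and allow-list are constructed.
"""
from dataclasses import dataclass

# Services the report lists as abused by the group.
WATCHED_SERVICES = (
    "transfer.sh",
    "pastebin.com",
    "webhook.site",
    "ufile.io",
    "raw.githubusercontent.com",
)

# Constructed proxy log: "<timestamp> src=<host> dst=<host[:port]> bytes=<sent>"
SAMPLE_LOG = """\
2022-02-17T09:58:02Z src=dev-ws-14 dst=raw.githubusercontent.com:443 bytes=18233
2022-02-17T10:02:11Z src=hz-conn-01 dst=transfer.sh:443 bytes=5321
2022-02-17T10:02:40Z src=hz-conn-01 dst=Transfer.SH.:443 bytes=911204
2022-02-17T10:05:19Z src=hz-conn-01 dst=abc123.webhook.site:443 bytes=402
2022-02-17T10:06:00Z src=hz-conn-01 dst=notpastebin.com:443 bytes=77
2022-02-17T10:06:30Z src=hz-conn-01 dst=pastebin.com.example.net:443 bytes=77
this line is malformed and must be skipped
2022-02-17T10:09:45Z src=hr-ws-03 dst=www.vmware.com:443 bytes=2048
"""

# Hypothetical baseline: sources with a known business reason, per service.
EXPECTED = {"raw.githubusercontent.com": {"dev-ws-14"}}


@dataclass
class Finding:
    source: str
    service: str
    hits: int = 0
    bytes_out: int = 0
    first_seen: str = ""
    last_seen: str = ""


def normalise_host(dst):
    """Lower-case, drop a numeric port and a trailing root dot."""
    host = dst.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")


def watched_service(host):
    """Return the watched service a host belongs to, matching on label
    boundaries so look-alike names such as notpastebin.com do not match."""
    for svc in WATCHED_SERVICES:
        if host == svc or host.endswith("." + svc):
            return svc
    return None


def parse_line(line):
    """Parse one record; return None for lines that lack src= or dst=."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "src" not in fields or "dst" not in fields:
        return None
    try:
        size = int(fields.get("bytes", "0"))
    except ValueError:
        size = 0
    return parts[0], fields["src"], normalise_host(fields["dst"]), size


def find_unexplained_egress(log_text, expected=None):
    """Group hits per (source, service), skipping allow-listed pairs.
    Results are ordered by bytes sent so bulk transfers surface first."""
    expected = expected or {}
    findings = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ts, src, host, size = record
        svc = watched_service(host)
        if svc is None or src in expected.get(svc, set()):
            continue
        f = findings.setdefault((src, svc), Finding(src, svc, first_seen=ts))
        f.hits += 1
        f.bytes_out += size
        f.last_seen = ts
    return sorted(findings.values(),
                  key=lambda f: (-f.bytes_out, f.source, f.service))


if __name__ == "__main__":
    for f in find_unexplained_egress(SAMPLE_LOG, EXPECTED):
        print(f"{f.source} -> {f.service}: {f.hits} hits, "
              f"{f.bytes_out} bytes, {f.first_seen} to {f.last_seen}")
```

Because all five services also carry ordinary traffic, the allow-list is what turns a match into a lead: a server-class source contacting them is worth a closer look than a developer workstation.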

Python

Python Dominates, But Developers Are Adding New Skills To Stand Out (zdnet.com) 18

An anonymous reader writes: Ransomware is driving developer interest in cybersecurity while the Internet of Things and games development has spurred more interest in 35-year-old programming language C++, according to O'Reilly Media's 2021 learning platform analysis. However, it could be the case that developers are looking at some newer languages to give them the edge. O'Reilly, a developer-focused education content provider, creates an analysis of search terms and content modules consumed on its learning platform each year to reveal developer trends. Content usage is an aggregate measurement of "units viewed" across all forms, including online-training courses, books, videos, online conferences, and other products.

The topic of cybersecurity has grown significantly on the platform, likely as a result of the high-profile ransomware attack on Colonial Pipeline, and software supply chain attacks on customers of SolarWinds and IT management firm Kaseya. Content usage on ransomware grew 270% over the past year, according to O'Reilly, while privacy grew 90%, identity was up 50%, and application security was up 45%. Developers building Internet of Things products and games are boosting interest in the C++ programming language. Software quality firm Tiobe has also noted a recent surge in interest in C++. While interest in C++ did see a noteworthy rise, Python and Java still dominate O'Reilly's platform usage. O'Reilly says it has seen usage of content about Mozilla-hatched Rust and Google-backed Go "growing rapidly." Both are popular for systems and infrastructure programming. Rust in particular is being used in place of C++ to help avoid memory-related security issues. It's being used at Microsoft, AWS and Google, and has been positioned as the second official language for the Linux kernel.

AI

O'Reilly Reports Increasing Interest in Cybersecurity, AI, Go, Rust, and C++ (oreilly.com) 33

"Focus on the horse race and the flashy news and you'll miss the real stories," argues Mike Loukides, the content strategy VP at O'Reilly Media. So instead he shares trends observed on O'Reilly's learning platform in the first nine months of 2021: While new technologies may appear on the scene suddenly, the long, slow process of making things that work rarely attracts as much attention. We start with an explosion of fantastic achievements that seem like science fiction — imagine, GPT-3 can write stories! — but that burst of activity is followed by the process of putting that science fiction into production, of turning it into real products that work reliably, consistently, and fairly. AI is making that transition now; we can see it in our data. But what other transitions are in progress...?

Important signals often appear in technologies that have been fairly stable. For example, interest in security, after being steady for a few years, has suddenly jumped up, partly due to some spectacular ransomware attacks. What's important for us isn't the newsworthy attacks but the concomitant surge of interest in security practices — in protecting personal and corporate assets against criminal attackers. That surge is belated but healthy.... Usage of content about ransomware has almost tripled (270% increase). Content about privacy is up 90%; threat modeling is up 58%; identity is up 50%; application security is up 45%; malware is up 34%; and zero trust is up 23%. Safety of the supply chain isn't yet appearing as a security topic, but usage of content about supply chain management has seen a healthy 30% increase....

Another important sign is that usage of content about compliance and governance was significantly up (30% and 35%, respectively). This kind of content is frequently a hard sell to a technical audience, but that may be changing.... This increase points to a growing sense that the technology industry has gotten a regulatory free ride and that free ride is coming to an end. Whether it's stockholders, users, or government agencies who demand accountability, enterprises will be held accountable. Our data shows that they're getting the message.

According to a study by UC Berkeley's School of Information, cybersecurity salaries have crept slightly ahead of programmer salaries in most states, suggesting increased demand for security professionals. And an increase in demand suggests the need for training materials to prepare people to supply that demand. We saw that play out on our platform....

C++ has grown significantly (13%) in the past year, with usage that is roughly twice C's. (Usage of content about C is essentially flat, down 3%.) We know that C++ dominates game programming, but we suspect that it's also coming to dominate embedded systems, which is really just a more formal way to say "internet of things." We also suspect (but don't know) that C++ is becoming more widely used to develop microservices. On the other hand, while C has traditionally been the language of tool developers (all of the Unix and Linux utilities are written in C), that role may have moved on to newer languages like Go and Rust. Go and Rust continue to grow. Usage of content about Go is up 23% since last year, and Rust is up 31%. This growth continues a trend that we noticed last year, when Go was up 16% and Rust was up 94%....

Both Rust and Go are here to stay. Rust reflects significantly new ways of thinking about memory management and concurrency. And in addition to providing a clean and relatively simple model for concurrency, Go represents a turn from languages that have become increasingly complex with every new release.

Other highlights from their report:
  • "Quantum computing remains a topic of interest. Units viewed is still small, but year-over-year growth is 39%. That's not bad for a technology that, honestly, hasn't been invented yet...."
  • "Whether it's the future of finance or history's biggest Ponzi scheme, use of content about cryptocurrency is up 271%, with content about the cryptocurrencies Bitcoin and Ethereum (ether) up 166% and 185% respectively...."
  • "Use of JavaScript content on our platform is surprisingly low — though use of content on TypeScript (a version of JavaScript with optional static typing) is up.... Even with 19% growth, TypeScript has a ways to go before it catches up; TypeScript content usage is roughly a quarter of JavaScript's..."
  • "Python, Java, and JavaScript are still the leaders, with Java up 4%, Python down 6%, and JavaScript down 3%...."
  • "Finally, look at the units viewed for Linux: it's second only to Kubernetes. While down very slightly in 2021, we don't believe that's significant. Linux has long been the most widely used server operating system, and it's not ceding that top spot soon."

News

Indonesia Names New Capital that Will Replace Jakarta (bbc.com) 50

Indonesia has announced that its new capital will be called Nusantara, meaning "archipelago" in Javanese. From a report: The country's parliament approved a bill to relocate the capital from Jakarta, which is rapidly sinking. The idea of building a new capital 1,300km (800 miles) away on the island of Borneo was first proposed in 2019. But critics have said the new name could be confusing and that the move itself fails to take environmental factors into consideration. Jakarta has become crowded, polluted and is sinking at an alarming rate due to the over-extraction of groundwater. Home to more than 10 million people, it sits on swampy land on the large island of Java.

Air pollution and traffic jams in the city are notorious. Government ministers have to be escorted by police convoys to get to meetings on time. In building a new capital in East Kalimantan, an Indonesian province on the island of Borneo, the government hopes it can take some of the pressure off Jakarta. Known for its jungles and orangutan population, mineral-rich East Kalimantan is home to only 3.7 million people, according to the most recent census. Speaking in parliament on Tuesday, Planning Minister Suharso Monoarfa said "the new capital has a central function and is a symbol of the identity of the nation, as well as a new centre of economic gravity." But critics have argued that the construction of the new city will lead to the expansion of palm-oil plantations and logging in an area rich in diverse wildlife and lush rainforests.

Security

CISA Director: We'll Be Dealing With Log4j For a Long Time (cnet.com) 46

Security professionals will be dealing with the fallout from the Log4j bug for a long time to come, top officials for the Cybersecurity and Infrastructure Security Agency said Monday. CNET reports: If left unpatched or otherwise unfixed, the major security flaw discovered a month ago in the Java-logging library Apache Log4j poses risks for huge swaths of the internet. The vulnerability in the widely used software could be exploited by cyberattackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack. No US federal agencies have been compromised as a result of the vulnerability, CISA Director Jen Easterly told reporters on a call Monday. In addition, no major cyberattacks involving the bug have been reported in the US, though many attacks go unreported, she said.

Easterly said the sheer scope of the vulnerability, which affects tens of millions of internet-connected devices, makes it the worst she has seen in her career. It's possible, she said, that attackers are biding their time, waiting for companies and others to lower their defenses before they attack. "We do expect Log4Shell to be used in intrusions well into the future," Easterly said, using the name for the bug in the Log4j software. She noted the Equifax data breach in 2017, which compromised the personal information of nearly 150 million Americans, stemmed from a vulnerability in open-source software. Most of the attempts to exploit the bug, so far, have been focused on low-level crypto mining or attempts to draw devices into botnets, she said.

Python

TIOBE Announces that the Programming Language of the Year Was Python (thenextweb.com) 90

The programming language of the year has been announced by the TIOBE Index: Python!

But noting that the TIOBE index is based on the number of search results for a programming language across popular search engines, a headline at The Next Web asks: "What does this title even mean?" [TIOBE] takes services such as Google, QQ, Sohu, Amazon, and Wikipedia to calculate the results. TIOBE uses "+<language> programming" query and a special formula to devise these ratings that change every month. You can read more about the whole process here. The programming language of the year title is decided by the jump in ratings year-on-year. Python overtook C# by a margin of 0.13% — almost a photo finish.

The index doesn't indicate the best or most efficient programming language, nor does it measure the amount of code written in a language across the internet. It simply gives us a high-level understanding of resources and pages available on the web related to them.

There's a huge amount of criticism towards the TIOBE index, especially as it uses one query and doesn't consider non-English languages. The organization said that it's trying to introduce more parameters to calculate the ratings.

TIOBE's annual award is being called "prestigious" — by the announcement at TIOBE.com: The award is given to the programming language that has gained the highest increase in ratings in one year. C# was on its way to get the title for the first time in history, but Python surpassed C# in the last month.

Python started at position #3 of the TIOBE index at the beginning of 2021 and left both Java and C behind to become the number one of the TIOBE index. But Python's popularity didn't stop there. It is currently more than 1 percent ahead of the rest [with a "rating" of 13.58%]. Java's all time record of 26.49% ratings in 2001 is still far away, but Python has it all to become the de facto standard programming language for many domains. There are no signs that Python's triumphal march will stop soon.

In fact, this makes the second year in a row Python has won TIOBE's annual award.

But it's as good a conversation-starter as any. ZDNet reminds us that Microsoft hired Python creator Guido van Rossum in 2020 to work on improving Python's efficiency, while the second most popular language on TIOBE's annual list, C#, "is a language designed by Microsoft technical fellow Anders Hejlsberg for the .NET Framework and Microsoft's developer editing tool Visual Studio."

And ZDNet also spotted a few other patterns in TIOBE's year-end look at programming language popularity: There were several movers and shakers this year. Rust, a systems programming language that deals with memory safety flaws, is now in 26th position, ahead of MIT's Julia, and Kotlin, a language endorsed by Google for Android app development. Rust was a stand out language in 2021, gaining backing from Facebook, Amazon Web Services, Microsoft Azure and Google Cloud.

Apple's Swift for iOS and macOS app development jumped from 13th to 10th place, while Google's Go inched up from 14 to 13, according to Tiobe. Kotlin moved from 40th to 29th. Google's Dart dropped from 25th to 37th position, Julia fell from 23rd to 28th position, while Microsoft TypeScript dropped from 42 to 49.

The top 10 languages in Tiobe's list for January 2022 were Python, C, Java, C++, C#, Visual Basic, JavaScript, Assembly Language, SQL, and Swift.

Security

FTC Warns of Legal Action Against Organizations That Fail To Patch Log4j Flaw (techcrunch.com) 60

U.S. organizations that fail to secure customer data against Log4Shell, a zero-day vulnerability in the widely-used Log4j Java logging library, could face legal repercussions, the Federal Trade Commission (FTC) has warned. From a report: In an alert this week, the consumer protection agency warned that the "serious" flaw, first discovered in December, is being exploited by a growing number of attackers and poses a "severe risk" to millions of consumer products. The public letter urges organizations to mitigate the vulnerability in order to reduce the likelihood of harm to consumers and to avoid potential legal action.

"When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss and other irreversible harms," the agency said. "The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."

AI

AI-Generated New Year's Resolutions Exhibited by the Smithsonian (msn.com) 36

The Washington Post says that when it comes to making New Year's resolutions, the Smithsonian has a better idea. "What if instead of relying on our own resolutions we asked an AI what it thinks we should do?" Starting this weekend, the "Futures" exhibit both online and at its Arts and Industries Building offers a "Resolutions Generator," an AI that makes suggestions on what commitments we should undertake for 2022.... It sounds like a slightly weird idea, and I'd be lying if I said it didn't turn up some weird results. "Change my name to one of my favorite shapes," it suggests, or "Every Friday for a year I will wear a different hat." And, "Every time I hear bells for a month, I will paint a potato."

Designed by AI researcher-writer Janelle Shane, the generator's odd results are deliberate; she purposely trained the AI (the powerful GPT-3) with some of the wackier resolutions humans have put online, then set its parameters wide. "We wanted the AI to come up with the kind of interesting resolutions we're not thinking of," Shane said. "We wanted whimsy," added Rachel Goslins, the director of the Arts and Industries Building, "with a little bit of real."

Okay, so probably not many people will really "Go into a library, climb up onto a shelf, yell down 'I am a giant giraffe!'" But it's a lot easier than trying to lose those 15 pounds. And this way you end up in a library.

Plus they have a point. The truth is by accessing the collective corpus of human resolutions, AI might conceive of ideas that our pale human pea brains cannot... [T]here are growing piles of evidence that deploying AI that can think faster and even differently will pay dividends in the real world. A Stanford study last month concluded that AI sped up discoveries on coronavirus antiviral drugs by as much as a month, potentially saving lives. Canadian researchers in September found that AI made consistently better choices than doctors in treating behavioral problems. Even a button-down institution like Deloitte has a staffer who has persuasively argued that we should use AI, not humans, to update government regulations.

The exhibit's AI also generated these New Year's resolutions:
  • "Treat every dog I meet like a celebrity."
  • "Every time I see a mirror I will remember that it is the gateway to another dimension."

The AI researcher behind the project also generated Slashdot headlines back in 2017, using 162,000 headlines from the site's first 20 years. Some of my favorites:

  • More Pong Users for Kernel Project
  • Red Hat Releases Linux Games And Moon
  • Why Open Source Power Man Sues Java
  • Microsoft Releases New Months
  • Ask Slashdot: Do We Want To Be the Computers?

Graphics

'Quite OK Image' Format (QOI) Coming To a Graphics Program Near You? (phoboslab.org) 103

Slashdot reader Tesseractic comes bearing gifts — specifically, news of "a new image format that is lossless, gives much faster encodes, faster decodes and roughly comparable compression compared to what's in use today."

Quite OK Image format (or QOI) is the brainchild of developer Dominic Szablewski, who complains current image formats like PNG, JPEG, MPEG, MOV and MP4 "burst with complexity at the seams," the Register reports: "Every tiny aspect screams 'design by consortium'," he added, going on to lament the fact that most common codecs are old, closed, and "require huge libraries, are compute hungry and difficult to work with." Szablewski thought he could do better and appears to have achieved that objective by cooking up some code, floating it on GitHub, and paying attention to the 500-plus comments it generated.

While Szablewski admits that QOI will not compress images as well as an optimized PNG encoder, he claims it "losslessly compresses images to a similar size of PNG, while offering 20x-50x faster encoding and 3x-4x faster decoding." Most importantly, to Szablewski, the reference en-/decoder fits in about 300 lines of C and the file format spec is just one page long.

"In the last few weeks QOI implementations for a lot of different languages and libraries popped up," Szablewski wrote on his blog, with Zig, Rust, Go, TypeScript, Haskell, Ć, Python, C#, Elixir, Swift, Java, and Pascal among the options.
