Java has a problem -- the language and platform is evolving faster than ever, but many developers are stuck on the five-year-old Java 8. From a report: So why have developers not upgraded? Simply, Java 9 introduced major changes, including internal restructuring, new modularity (known as "Project Jigsaw"), and the removal of little-used APIs. These changes broke code, and even developers who are happy to make the necessary revisions have dependency issues. "We have problems with libraries that do not yet support the latest versions," said one QCon attendee.

"I want to explain why it was necessary," said Oracle's Ron Pressler, part of the Java platform group developing the language and lead for Project Loom. "There are billions of lines of code in Java, and Java 9, it did break some things. The reason is that Java is 20-something years old. It will probably be big and popular in another 20 years. We have to think 20 years ahead. The way the JDK was structured prior to Java 9 was just unmaintainable. We could not keep Java competitive if we had not done that change. That was an absolute necessity."

tedlistens writes: Vermont's newly enacted data broker law is the only law of its kind in the U.S. so far, and it's forced any company collecting data on its citizens to register with the state. Fast Company wrote about the limitations of the law and compiled a list of the companies, what they do, and tips for opting-out if possible.

The Vermont law only covers third-party data firms -- those trafficking in the data of people with whom they have no relationship -- as opposed to "first-party" data holders like Amazon, Facebook, or Google, which collect their own enormous piles of detailed personal data directly from users. It doesn't require data brokers to disclose who's in their databases, what data they collect, or who buys it. Nor does it require brokers to give consumers access to their own data or opt out of data collection. Brokers are, however required to provide some information about their opt-out systems under the law -- assuming they provide one. "The registry is an expansive, alphabet soup of companies, from lesser-known organizations that help landlords research potential tenants or deliver marketing leads to insurance companies, to the quiet giants of data," reports Fast Company. "Those include big names in people search, like Spokeo, ZoomInfo, White Pages, PeopleSmart, Intelius, and PeopleFinders; credit reporting, like Equifax, Experian, and TransUnion; and advertising and marketing, like Acxiom, Oracle, LexisNexis, Innovis, and KBM. Some companies also specialize in 'risk mitigation,' which can include credit reporting but also background checks and other identity verification services."

The report lists all the companies that have registered under Vermont's data broker law, with descriptions drawn from their websites or other sources where noted.

Big cloud companies are "strip-mining open-source technologies and companies," complains Michael Howard, CEO of MariaDB. At their developer conference, Howard accused "big cloud" of "really abusing the license and privilege [of open source], by not giving back to the community." ZDNet reports: Even as MariaDB grows by leaps and bounds in enterprise computing at Oracle's expense, Howard sees Oracle and Amazon fighting against it. "Oracle as the example of on-premise lock-in and Amazon being the example of cloud lock-in. You could interchange the names, you can honestly say now that Amazon should just be called Oracle Prime...."

In the first keynote, Austin Rutherford, MariaDB's VP of Customer Success, showed the result of a HammerDB benchmark on AWS EC2... In these tests, AWS's default MariaDB instances did poorly, while AWS homebrew Aurora, which is built on top of MySQL, consistently beat them. The top-performing database management system of all was MariaDB Managed Services on AWS. "My first reaction when I looked at the benchmarks," said Howard, was "maybe there's incompetence going on. Maybe they just don't know how to optimize a DBMS." He observed that one MariaDB customer, one of the biggest retail drug companies in the world, had told MariaDB that "Amazon offers the most vanilla MariaDB around. There's nothing enterprise about it. We could just install MariaDB from source on EC2 and do as well."

He then "began to wonder, Is there something that they're deliberately crippling?" Howard wouldn't go so far as to say AWS is consciously doing a poor job of implementing its MariaDB instances. Howard did say, "And then it became clear that, however, you want to articulate this, there is something not kosher happening." Howard doesn't have much against AWS promoting its own brands... But, if AWS's going out of its way to make a rival service look inferior to its own, well, Howard's not happy about that.
ZDNet adds that "it's also quite possible that unoptimized generic MariaDB instance will simply lag behind AWS-optimized Aurora.

"That said, even in this most innocent take on the benchmark results, cloud customers would be wise to take into consideration that cloud instances of any specific software service may not be created equal."

A company that claims to combat app piracy is a pirate itself, according to a report Oracle released this week. From a report: Oracle claims the company, Tapcore, has been perpetrating a massive ad fraud on Android devices by infecting apps with software that ring up fake ad impressions and drain people's data. Based in The Netherlands, Tapcore works with developers to identify when apps are pirated and then enables developers to make money from those bootleg copies by serving ads. Oracle says that Tapcore's anti-piracy code was a Trojan horse that was generating fake mobile websites to trick ad serving platforms into paying them for non-existent ad inventory.

"The code is delivering a steady stream of invisible video ads and spoofing domains," Dan Fichter, VP of software development at Oracle Data Cloud, tells Ad Age. "On all those impressions it looked like the advertiser was running ads on legitimate mobile websites. Not only were they not on a website, they were on an invisible web browser." On its website, Tapcore says it works with more than 3,000 apps, serving 150 million ad impressions a day. The apps whose pirated versions it has worked with include titles like "Perfect 365," "Draw Clash of Clans," "Vertex" and "Solitaire: Season 4," according to Oracle's report.

Google is asking the Supreme Court to make the final call in its infamous dispute with Oracle. "Today, the company announced it has filed a petition with the Court, asking the justices to determine the boundaries of copyright law in code," reports The Verge. From the report: The case dates back to 2010, when Oracle first accused Google of improperly using elements of Oracle's Java programming language to build Android. Oracle said that Google's use of Java application programing interfaces was a violation of copyright law. Google has responded that APIs are too fundamental to programming to be copyrighted. The case has led to two jury trials, and several rulings have doled out wins and losses to both companies over the course of eight years. Last year, a favorable Oracle decision set Google up to potentially lose billions of dollars.

Google asked for a Supreme Court hearing on the case in 2014, but the Court rejected the request at the time. The company says new issues are now at play, and is asking the Court to decide whether software interfaces can be copyrighted, and whether using them to build something new constitutes fair use under the law. In its new petition to the Supreme Court, Google says the case is not only important to copyright law, but has "sheer practical importance," as it centers around two touchstones of computing: Google's Android and Oracle's Java. The Court's intervention could alter the future of software, the company argues.

Thousands of women were systematically underpaid at Oracle, one of Silicon Valley's largest corporations, according to a new motion in a class-action complaint that details claims of pervasive wage discrimination. From a report: A motion filed in California on Friday said attorneys seek to represent more than 4,200 women and alleged that female employees were paid on average $13,000 less per year than men doing similar work. An analysis of payroll data found disparities with an "extraordinarily high degree of statistical significance," the complaint said. Women made 3.8% less in base salaries on average than men in the same job categories, 13.2% less in bonuses, and 33.1% less in stock value, it alleges.

The civil rights suit comes as the tech industries faces increased scrutiny of gender and racial discrimination, including sexual misconduct, unequal pay and biased workplaces. The case against Oracle, which is headquartered in Redwood Shores and provides cloud computing services to companies across the globe, resembles high-profile litigation against Google, which has also faced repeated claims of systematic wage discrimination.

The Model 3 will be entered into Pwn2Own this year, the first time a car has been included in the annual high-profile hacking contest. The prize for the winning security researchers: a Model 3. TechCrunch reports: Pwn2Own, which is in its 12th year and run by Trend Micro's Zero Day Initiative, is known as one of the industry's toughest hacking contests. ZDI has awarded more than $4 million over the lifetime of the program. Pwn2Own's spring vulnerability research competition, Pwn2Own Vancouver, will be held March 20 to 22 and will feature five categories, including web browsers, virtualization software, enterprise applications, server-side software and the new automotive category. The targets, chosen by ZDI, include software products from Apple, Google, Microsoft, Mozilla, Oracle and VMware. And, of course, Tesla . Pwn2Own is run in conjunction with the CanSec West conference. There will be "more than $900,000 worth of prizes available for attacks that subvert a variety of [the Model 3's] onboard systems," reports Ars Technica. "The biggest prize will be $250,000 for hacks that execute code on the car's getaway, autopilot, or VCSEC."

"A gateway is the central hub that interconnects the car's powertrain, chassis, and other components and processes the data they send. The autopilot is a driver assistant feature that helps control lane changing, parking, and other driving functions. Short for Vehicle Controller Secondary, VCSEC is responsible for security functions, including the alarm."

The catch is shifting northward as water temperatures rise, forcing crews to retool their boats and rework their businesses. From a report: Aboard the Stanley K and the Oracle, two 58-foot vessels, Buck Laukitis and his crews chase halibut across the Bering Sea worth $5 a pound at the docks. As sea temperatures rise, and Arctic ice retreats the fish appear to be avoiding warming waters, migrating northward where they cost more to reach, federal fisheries biologists say. Twice this past fall, the Oracle sailed 800 miles north from the seaport of Dutch Harbor in the Aleutian Islands, before finding the halibut that a decade ago lived several hundred miles closer to home. Each voyage took twice as long and yielded half as many fish. "It keeps me up at night," he says. "I woke up at three in the morning. I couldn't sleep thinking about where the fish are going."

Across the continent from Mr. Laukitis in Rhode Island, black sea bass have moved in with the warming waters. The bulk once lived roughly 700 miles south off North Carolina. Now they are a staple catch in Point Judith, R.I., along with the summer flounder that also have begun appearing. [...] The impact of climate change has a price, and for fishing-boat owners in sea ports, that means following the catch. The northward movement of fish around the world is disrupting some fishing grounds and revitalizing others -- and fishing businesses are trying to adapt their operations.

The impact of temperature on oceans is varied. As the atmosphere warmed in recent decades, oceans absorbed heat unevenly, causing marine hot spots that can last months, scientists say. Spikes of warmer water affect fisheries differently depending on ocean currents, ocean depth and seafloor topography. Higher temperatures mean less dissolved oxygen in the water while increasing a fish's demand for oxygen by speeding up its metabolism. Warming water may also favor predators or drive off species on which commercial fish feed. All told, warming ocean temperatures are pushing hundreds of marine species outside of their traditional ranges, ocean scientists say.

What's new with Oracle's free and open-source hosted hypervisor? Long-time Slashdot reader Freshly Exhumed writes: Oracle has released major version 6.0 of VirtualBox with a variety of new features, including support for exporting a virtual machine to the Oracle Cloud; improved HiDPI and scaling (with better detection and per-machine configuration); a UI rework with simpler application and virtual machine set-up; a new file manager that allows control of the guest file system; a 3D graphics support update for Windows guests; VMSVGA 3D graphics device emulation on Linux and Solaris guests; surround speaker setups used by Windows 10 Build 1809; a new 'vboximg-mount' utility on Apple hosts to access the content of guest disks on the host; Hyper-V as the fallback execution core on Windows hosts to avoid inability to run VMs at reduced performance; and support for Linux Kernel 4.20 .

A previously unknown hacker group is behind a mounting number of breaches that have been reported by local governments across the US. From a report: In a report published today, US cyber-security vendor FireEye has revealed that this yet-to-be-identified hacker group has been breaking into Click2Gov servers and planting malware that stole payment card details. Click2Gov is a popular self-hosted payments solution, a product of US software supplier Superion. It is sold primarily to US local governments, and you can find a Click2Gov server installed anywhere from small towns to large metropolitan areas, where it's used to handle payments for utility bills, permits, fines, and more.

FireEye says this new hacker group has been attacking Click2Gov portals for almost a year. The company's investigators believe hackers are using one or more vulnerabilities in one of Click2Gov's components --the Oracle WebLogic Java EE application server-- to gain a foothold and install a web shell named SJavaWebManage on hacked portals. Forensic evidence suggests the hackers are using this web shell to turn on Click2Gov's debug mode, which, in turn, starts logging payment transactions, card details included.

Amazon may have turned off its Oracle data warehouse in favor of Amazon Web Services database technology, but no one else in their right mind would, Oracle's outspoken co-founder and CTO Larry Ellison says. From a report: "We have a huge technology leadership in database over Amazon," Ellison said on a conference call following the release of Oracle's second quarter financial results. "In terms of technology, there is no way that... any normal person would move from an Oracle database to an Amazon database." During last month's AWS re:Invent conference, AWS CTO Werner Vogels gave an in-the-weeds talk explaining why Amazon turned off its Oracle data warehouse. In a clear jab at Oracle, Vogels wrote off the "90's technology" behind most relational databases. Cloud native databases, he said, are the basis of innovation.

The remarks may have gotten under Ellison's skin. Moving from Oracle databases to AWS "is just incredibly expensive and complicated," he said Monday. "And you've got to be willing to give up tons of reliability, tons of security, tons of performance... Nobody, save maybe Jeff Bezos, gave the command, 'I want to get off the Oracle database." Ellison said that Oracle will not only hold onto its 50 percent relational database market share but will expand it, thanks to the combination of Oracle's new Generation 2 Cloud infrastructure and its autonomoius database technology. "You will see rapid migration of Oracle from on-premise to the Oracle public cloud," he said. "Nobody else is going to go through that forced march to go on to the Amazon database."

Amazon Web Services CEO Andy Jassy said in an interview on Wednesday that almost all of Amazon's databases that ran on Oracle will be on an Amazon database instead. "We're virtually done moving away from Oracle on the database side," Jassy said. "And I think by the end of 2019 or mid-2019 we'll be done." CNBC reports: Amazon is reducing its reliance on Oracle for its data needs and is instead using its own services. Jassy said 88 percent of Amazon databases that were running on Oracle will be on Amazon DynamoDB or Amazon Aurora by January. He added that 97 percent of "mission critical databases" will run on DynamoDB or Aurora by the end of the year. On Nov. 1, Amazon moved its data warehouse from Oracle to its own service, Redshift, Jassy said.

An anonymous reader quotes SD Times: Amazon wants to make sure Java is available for free to its users in the long term with the introduction of Amazon Corretto. The solution is a no-cost, multi-platform, production-ready distribution of the Open Java Development Kit (OpenJDK). "Java is one of the most popular languages in use by AWS customers, and we are committed to supporting Java and keeping it free," Arun Gupta, principal open-source technologist at Amazon, wrote in a blog post. "Many of our customers have become concerned that they would have to pay for a long-term supported version of Java to run their workloads. As a first step, we recently re-affirmed long-term support for Java in Amazon Linux. However, our customers and the broader Java community run Java on a variety of platforms, both on and off of AWS."

Amazon Corretto will be available with long-term support and Amazon will continue to make performance enhancements and security fixes to it, the company explained. Amazon plans on making quarterly updates with bug fixes and patches, as well as any urgent fixes necessary outside of its schedule... Corretto 8 is available as a preview with features corresponding to those in OpenJDK 8. General availability for the solution is planned for Q1 2019... "Corretto is designed as a drop-in replacement for all Java SE distributions unless you're using features not available in OpenJDK (e.g., Java Flight Recorder)," Gupta wrote....

According to Gupta, Corretto 8 will be available at no cost until at least June of 2023. The company is working on Corretto 11, which will be available until at least August of 2024. "Amazon has already made several contributions to OpenJDK 8 and we look forward to working closely with the OpenJDK community on future enhancements to OpenJDK 8 and 11," Gupta wrote. "We downstream fixes made in OpenJDK, add enhancements based on our own experience and needs, and then produce Corretto builds. In case any upstreaming efforts for such patches is not successful, delayed, or not appropriate for OpenJDK project, we will provide them to our customers for as long as they add value. If an issue is solved a different way in OpenJDK, we will move to that solution as soon as it is safe to do so."

Diane Greene, whose pursuit of Pentagon contracts for artificial intelligence technology sparked a worker uprising at Google, is stepping down as chief executive of the company's cloud computing business (Warning: source may be paywalled; alternative source). "Ms. Greene said she would stay on as chief executive until January. She will be replaced by Thomas Kurian, who oversaw product development at Oracle until his resignation in October. Ms. Greene will remain a board director at Google's parent company, Alphabet," reports The New York Times. From the report: The change in leadership caps a turbulent three years for Ms. Greene, who was brought on to expand Google's cloud computing business. Google Cloud has struggled to make major inroads in persuading corporate customers to use its computing infrastructure over alternatives like Amazon's A.W.S. and Microsoft's Azure. In a blog post published by the company, Ms. Greene said she had initially told friends and family that she was planning to run Google Cloud for only two years but stayed for three. Ms. Greene, a widely respected technologist and entrepreneur, said that after leaving Google Cloud, she planned to help female founders of companies by investing in and mentoring them. Ms. Greene joined Google in 2015 when it acquired Bebop, a start-up she had founded, for $380 million. Ms. Greene defended Google's pursuit of a Defense Department contract for the Maven program, which uses AI to interpret video images and could be used to improve the targeting of drone strikes. In March, she said it was a small contract worth "only" $9 million and that the technology would be used for nonlethal purposes.

Google suffered a brief outage and slowdown Monday, with some of its traffic getting rerouted through networks in Russia, China and Nigeria. From a report: Incorrect routing instructions sent some of the search giant's traffic to Russian network operator TransTelekom, China Telecom (which, as you may recall, has been found of misdirecting internet traffic in recent months) and Nigerian provider MainOne between 1:00 p.m. and 2:23 p.m. PT, according to internet research group ThousandEyes. "This incident at a minimum caused a massive denial of service to G Suite and Google Search," wrote Ameet Naik, ThousandEyes' technical marketing manager, in a blog post. "However, this also put valuable Google traffic in the hands of ISPs in countries with a long history of Internet surveillance. Applications like Gmail and Google Drive don't appear to have been affected, but YouTube users experienced some slowdown. Google noted that the issue was resolved and said it would conduct an internal investigation. Update: Nigeria's Main One Cable Co has taken responsibility for the glitch.

An anonymous reader writes: The Ruby programming language is impacted by a similar "deserialization issue" that has affected and wreaked havoc in the Java ecosystem in 2016; an issue that later also proved to be a problem for .NET and PHP applications as well. Researchers published proof-of-concept code this week showing how to exploit serialization/deserialization operations supported by the built-in features of the Ruby programming language itself.

"Versions 2.0 to 2.5 are affected," researchers said. "There is a lot of opportunity for future work including having the technique cover Ruby versions 1.8 and 1.9 as well as covering instances where the Ruby process is invoked with the command line argument --disable-all," the elttam team added. "Alternate Ruby implementations such as JRuby and Rubinius could also be investigated."

The deserialization issues can be used for remote code execution and taking over vulnerable servers. While .NET and PHP were affected, it was Java until now that has faced the biggest issues with deserialization, earlier this year, Oracle announcing it was dropping deserialization support from the Java language's standard package.

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.
Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."

An anonymous reader quotes a report from Bloomberg: Amazon.com Inc. has taken another step toward eliminating software from Oracle Corp. that has long helped the e-commerce giant run its retail business. An executive with Amazon's cloud-computing unit hit back at Oracle Executive Chairman Larry Ellison, who ridiculed the internet giant as recently as last month for relying on Oracle databases to track transactions and store information, even though Amazon sells competing software, including Redshift, Aurora and DynamoDB. Amazon's effort to end its use of Oracle's products has made new progress, Andy Jassy, the chief executive officer of Amazon Web Services, tweeted Friday. "In latest episode of 'uh huh, keep talkin' Larry,' Amazon's Consumer business turned off its Oracle data warehouse Nov. 1 and moved to Redshift," Jassy wrote. By the end of 2018, Amazon will stop using 88 percent of its Oracle databases, including 97 percent of its mission-critical databases, he added.

Oracle's Internet Intelligence division has confirmed today the findings of a recently published academic paper that accused China of "hijacking the vital internet backbone of western countries." From a report: The research paper was authored by researchers from the US Naval War College and Tel Aviv University and it made quite a few waves online after it was published. Researchers accused China Telecom, one of China's biggest state-owned internet service providers, of hijacking and detouring internet traffic through its normally-closed internet infrastructure. Some security experts contested the research paper's findings because it didn't come from an authoritative voice in the world of internet BGP hijacks, but also because the paper touched on many politically sensitive topics, such as China's cyber-espionage activities and how China used BGP hijacks as a way to circumvent the China-US cyber pact of 2015. But today, Doug Madory, Director of Oracle's Internet Analysis division (formerly Dyn), confirmed that China Telecom has, indeed, engaged in internet traffic "misdirection." "I don't intend to address the paper's claims around the motivations of these actions," said Madori. "However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years."

Microsoft said Friday it will not pull out of the competition for a $10 billion cloud contract for the Department of Defense, despite growing concerns about private companies selling new technologies to the federal government. From a report: The Redmond, Wash., company defended its position in a blog post Friday, claiming that technologists should be involved in government adoption of new innovations to ensure they are not misused. Microsoft President Brad Smith wrote in the post that "to withdraw from this market is to reduce our opportunity to engage in the public debate about how new technologies can best be used in a responsible way." He decided to share publicly sentiments that he and Microsoft CEO Satya Nadella discussed at a monthly Q&A with employees Thursday. "We want the people of this country and especially the people who serve this country to know that we at Microsoft have their back," Smith wrote. "They will have access to the best technology that we create." Smith's defense comes days after an unspecified number of Microsoft employees urged the company to not bid on the Project JEDI.

Further reading: Oracle Trying Hard To Make Sure Pentagon Knows Amazon Isn't the Only Cloud Around; Google Drops Out of Pentagon's $10 Billion Cloud Competition; Jeff Bezos Defends Big Tech Working with Department of Defense.