Thousands of etcd servers "are spitting sensitive passwords and encrypted keys," reports Fossbytes: Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running etcd database. Then, he ran a simple script that gave him the login credentials stored on these servers which can be used to gain access to CMSs, MySQL, and PostgreSQL databases, etc.

etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront... All of the data he harvested from around 1500 servers is around 750MB in size... Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures.
Another security research independently verified the results, and reported that one MySQL database had the root password "1234".

An anonymous reader quotes Application Development Trends: Oracle announced the general availability of Java SE 10 (JDK 10) this week. This release, which comes barely six months after the release of Java SE 9, is the first in the new rapid release cadence Oracle announced late last year. The new release schedule, which the company is calling an "innovation cycle," calls for a feature release every six months, update releases every quarter, and a long-term support (LTS) release every three years. Java 10 is a feature release that obsoletes Java 9. The next LTS release will be Java 11, expected in September. The next LTS version after that will be Java 17, scheduled for release in September 2021...

The six-month feature release cadence is meant to reduce the latency between major releases, explained is Sharat Chander, director of Oracle's Java SE Product Management group, said in a blog post. "This release model takes inspiration from the release models used by other platforms and by various operating-system distributions addressing the modern application development landscape," Chander wrote. "The pace of innovation is happening at an ever-increasing rate and this new release model will allow developers to leverage new features in production as soon as possible. Modern application development expects simple open licensing and a predictable time-based cadence, and the new release model delivers on both."
This release finally adds var to the Java language (though its use is limited to local variables with initializers or declared in a for-loop). It's being added "to improve the developer experience by reducing the ceremony associated with writing Java code, while maintaining Java's commitment to static type safety, by allowing developers to elide the often-unnecessary manifest declaration of local variable type."

HotHardware writes: NVIDIA has been dabbling in real-time ray tracing for over a decade. However, the company just introduced NVIDIA RTX, which is its latest effort to deliver real-time ray tracing to game developers and content creators for implementation in actual game engines. Historically, the computational horsepower to perform real-time ray tracing has been too great to be practical in actual games, but NVIDIA hopes to change that with its new Volta GPU architecture and the help of Microsoft's new DirectX Raytracing (DXR) API enhancements. Ray tracing is a method by which images are enhanced by tracing rays or paths of light as they bounce in and around an object (or objects) in a scene. Under optimum conditions, ray tracing delivers photorealistic imagery with shadows that are correctly cast; water effects that show proper reflections and coloring; and scenes that are cast with realistic lighting effects. NVIDIA RTX is a combination of software (the company's Gameworks SDK, now with ray tracing support), and next generation GPU hardware. NVIDIA notes its Volta architecture has specific hardware support for real-time ray tracing, including offload via its Tensor core engines. To show what's possible with the technology, developers including Epic, 4A Games and Remedy Entertainment will be showcasing their own game engine demonstrations this week at the Game Developers Conference. NVIDIA expects the ramp to be slow at first, but believes eventually most game developers will adopt real-time ray tracing in the future.

Magic Leap just announced a preview of its software development kit and "creator portal," which will offer resources for people who want to build for its yet-unreleased Magic Leap One headset. You can now download a preview build of the Unreal or Unity engines, designed for what Magic Leap dubs "spatial computing." This is one of Magic Leap's juiciest announcements, marking one of the secretive company's first steps toward establishing itself as an open platform. It also may be a sign that the company is finally close to releasing hardware. The Verge reports: The creator portal touts a set of tutorials, a community for technical support, and a "Magic Leap Simulator" that will presumably help people preview apps before they get a headset. The Magic Leap One was announced late last year, and it's supposed to be released this year, but we still don't know details about the exact date or pricing. The portal says that a marketplace called "Magic Leap World" will launch soon.

An anonymous reader quotes a report from Gadgets Now: Amazon is hiring 1,147 people just for its Alexa business. To put this number in perspective, it has to be mentioned that this number is higher than what Google is hiring for technical and product roles across its Alphabet group of companies including YouTube and Waymo. According to a report published in Forbes, Amazon is hiring engineers, data scientists, developers, analysts, payment services professionals among others. The Forbes report cites information released by Citi Research in association with Jobs.com. It's clear that Amazon is betting big on the smartphone speaker market if the hiring numbers are to go by. It was the first major company to come with a smart speaker and has almost 70% market share in the U.S. Google has been making in-roads with Google Home devices but still has a lot of catching up to do. The Citi report further mentions that other notable areas where Amazon is hiring are devices, advertising and seller services. Amazon is looking at hiring a total of about 1,700 employees for other divisions.

A new copyright proposal in the EU would require code-sharing platforms like GitHub and SourceForge to monitor all content that users upload for potential copyright infringement. "The proposal is aimed at music and videos on streaming platforms, based on a theory of a 'value gap' between the profits those platforms make from uploaded works and what copyright holders of some uploaded works receive," reports The GitHub Blog. "However, the way it's written captures many other types of content, including code."

Upload filters, also known as "censorship machines," are some of the most controversial elements of the copyright proposal, raising a number of concerns including: -Privacy: Upload filters are a form of surveillance, effectively a "general monitoring obligation" prohibited by EU law
-Free speech: Requiring platforms to monitor content contradicts intermediary liability protections in EU law and creates incentives to remove content
-Ineffectiveness: Content detection tools are flawed (generate false positives, don't fit all kinds of content) and overly burdensome, especially for small and medium-sized businesses that might not be able to afford them or the resulting litigation Upload filters are especially concerning for software developers given that: -Software developers create copyrightable works -- their code -- and those who choose an open source license want to allow that code to be shared
-False positives (and negatives) are especially likely for software code because code often has many contributors and layers, often with different licensing for different components
-Requiring code-hosting platforms to scan and automatically remove content could drastically impact software developers when their dependencies are removed due to false positives The EU Parliament continues to introduce new proposals for Article 13 but these issues remain. MEP Julia Reda explains further in a recent proposal from Parliament.

Chicago-based MBM Company's jewelry brand Limoges Jewelry has accidentally leaked the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. The Germany security firm Kromtech Security, which found the leak via an unsecured Amazon S3 storage bucket, also claims the database contained plaintext passwords. The Next Web reports: In a press release, Kromtech Security's head of communicationis, Bob Diachenko, said: "Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts." The [MSSQL database] backup file was named "MBMWEB_backup_2018_01_13_003008_2864410.bak," which suggests the file was created on January 13, 2018. It's believed to contain current information about the company's customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year. Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company. Diachenko says there's no evidence a malicious third-party has accessed the dump, but that "that does not mean that nobody [has] accessed the data."

When the American job market heats up, demand for technology talent boils, an anonymous reader writes citing a Bloomberg report. From the story: Nationally, the unemployment rate was 4.1 percent in January, and analysts project that it declined to 4 percent, the lowest since 2000, in Labor Department figures due Friday. For software developers, the unemployment rate was 1.9 percent in 2017, down from 4 percent in 2011. While companies are writing bigger checks, they are also adopting new strategies to find engineers for an economy where software is penetrating even mundane processes. Companies are focusing more on training, sourcing new talent through apprenticeships, and looking at atypical pools of candidates who have transferable skills.

"It is probably the most competitive market in the last 20 years that I have been doing this," said Desikan Madhavanur, chief development officer at Scottsdale, Arizona-based JDA Software, whose products help companies manage supply chains. "We have to compete better to get our fair share." What's happening in the market for software engineers may help illustrate why one of the tightest American labor markets in decades isn't leading to broader wage gains. While technology firms are looking at compensation, they are also finding ways to create the supply of workers themselves, which helps hold costs down.

Stack Overflow has released the results of its annual survey of 100,000 developers, revealing the most-popular, top-earning, and preferred programming languages. ArsTechnica: JavaScript remains the most widely used programming language among professional developers, making that six years at the top for the lingua franca of Web development. Other Web tech including HTML (#2 in the ranking), CSS (#3), and PHP (#9). Business-oriented languages were also in wide use, with SQL at #4, Java at #5, and C# at #8. Shell scripting made a surprising showing at #6 (having not shown up at all in past years, which suggests that the questions have changed year-to-year), Python appeared at #7, and systems programming stalwart C++ rounded out the top 10.

These aren't, however, the languages that developers necessarily want to use. Only three languages from the most-used top ten were in the most-loved list; Python (#3), JavaScript (#7), and C# (#8). For the third year running, that list was topped by Rust, the new systems programming language developed by Mozilla. Second on the list was Kotlin, which wasn't even in the top 20 last year. This new interest is likely due to Google's decision last year to bless the language as an official development language for Android. TypeScript, Microsoft's better JavaScript than JavaScript comes in at fourth, with Google's Go language coming in at fifth. Smalltalk, last year's second-most loved, is nowhere to be seen this time around. These languages may be well-liked, but it looks as if the big money is elsewhere. Globally, F# and OCaml are the top average earners, and in the US, Erlang, Scala, and OCaml are the ones to aim for. Visual Basic 6, Cobol, and CoffeeScript were the top three most-dreaded, which is news that will surprise nobody who is still maintaining Visual Basic 6 applications thousands of years after they were originally written.

Google and Ubisoft announced on Tuesday they have a new project intended to improve the performance of fast-paced, online multi-player video games. From a report: The search giant said it teamed with Ubisoft -- the publisher of popular video games like Assassin's Creed and Far Cry -- to create a gaming developer framework intended for coders that work on online video games. The project is called Agones, which is Greek for "contest" or "gathering," and it will be available in open-source, meaning developers can use it for free and also contribute to the underlying technology. Google pitches Agones as a more cutting-edge way for developers to build multi-player games that don't crash or stutter when thousands of video gamers play at the same time.

Each time people want to play their favorite first-person shooter or other computer resource-heavy online video game with others, the underlying infrastructure that powers the online video game must create a special gaming server that hosts the players. The Agones framework was designed to more efficiently distribute the computing resources necessary to support each online gaming match, thus reducing the complexity of creating each special server while helping coders better track how the computing resources are being used.

Microsoft languages seem to be hitting the right note with coders across ops, data science, and app development. From a report: JavaScript remains the most popular programming language, but two offerings from Microsoft are steadily gaining, according to developer-focused analyst firm RedMonk's first quarter 2018 ranking. RedMonk's rankings are based on pull requests in GitHub, as well as an approximate count of how many times a language is tagged on developer knowledge-sharing site Stack Overflow. Based on these figures, RedMonk analyst Stephen O'Grady reckons JavaScript is the most popular language today as it was last year. In fact, nothing has changed in RedMonk's top 10 list with the exception of Apple's Swift rising to join its predecessor, Objective C, in 10th place. The top 10 programming languages in descending order are JavaScript, Java, Python, C#, C++, CSS, Ruby, and C, with Swift and Objective-C in tenth.

TIOBE's top programming language index for March consists of many of the same top 10 languages though in a different order, with Java in top spot, followed by C, C++, Python, C#, Visual Basic .NET, PHP, JavaScript, Ruby, and SQL. These and other popularity rankings are meant to help developers see which skills they should be developing. Outside the RedMonk top 10, O'Grady highlights a few notable changes, including an apparent flattening-out in the rapid ascent of Google's back-end system language, Go.

An anonymous reader quotes a report from VentureBeat: Google today launched Chrome 65 for Windows, Mac, Linux, and Android. Additions in this release include Material Design changes and new developer features. You can update to the latest version now using the browser's built-in silent updater or download it directly from google.com/chrome. Chrome 65 comes with a few visual changes. The most obvious is related to Google's Material Design mantra. The extensions page has been completely revamped to follow it. Next up, Chrome 65 replaces the Email Page Location link in Chrome for Mac's File menu with a Share submenu. As you might expect, Mac users can use this submenu to share the URL of a current tab via installed macOS Share Extensions. Speaking of Macs, Chrome 65 is also the last release for OS X 10.9 users. Chrome 66 will require OS X 10.10 or later. Moving on to developer features, Chrome 65 includes the CSS Paint API, which allows developers to programmatically generate an image, and the Server Timing API, which allows web servers to provide performance timing information via HTTP headers.

erickhill shares a short documentary about Samia Halaby, an 81-year-old Commodore Amiga artist and programmer: Samia Halaby is a world renowned painter who purchased a Commodore Amiga 1000 in 1985 at the tender age of 50 years old. She taught herself the BASIC and C programming languages to create "kinetic paintings" with the Amiga and has been using the Amiga ever since. Samia has exhibited in prestigious venues such as The Guggenheim Museum, The British Museum, Lincoln Center, The Chicago Institute of Art, Arab World Institute, Mathaf: Arab Museum of Modern Art, Sakakini Art Center, and Ayyam Gallery just to name a few.

AI has a new task: helping to keep the bugs out of video games. From a report: At the recent Ubisoft Developer Conference in Montreal, the French gaming company unveiled a new AI assistant for its developers. Dubbed Commit Assistant, the goal of the AI system is to catch bugs before they're ever committed into code, saving developers time and reducing the number of flaws that make it into a game before release. "I think like many good ideas, it's like 'how come we didn't think about that before?'," says Yves Jacquier, who heads up La Forge, Ubisoft's R&D division in Montreal. His department partners with local universities including McGill and Concordia to collaborate on research intended to advance the field of artificial intelligence as a whole, not just within the industry.

La Forge fed Commit Assistant with roughly ten years' worth of code from across Ubisoft's software library, allowing it to learn where mistakes have historically been made, reference any corrections that were applied, and predict when a coder may be about to write a similar bug. "It's all about comparing the lines of code we've created in the past, the bugs that were created in them, and the bugs that were corrected, and finding a way to make links [between them] to provide us with a super-AI for programmers," explains Jacquier.

A 1.35 terabit-per-second DDoS attack hit GitHub all at once last Wednesday. "It was the most powerful distributed denial of service attack recorded to date -- and it used an increasingly popular DDoS method, no botnet required," reports Wired. From the report: GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off. "We modeled our capacity based on fives times the biggest attack that the internet has ever seen," Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended. "So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It's one thing to have the confidence. It's another thing to see it actually play out how you'd hope."

Akamai defended against the attack in a number of ways. In addition to Prolexic's general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.

An anonymous reader quotes i-Programmer: The results are in for the vote on the new name for Java Enterprise Edition, and unsurprisingly the voters have chosen Jakarta EE. The renaming has to happen because Oracle refused to let the name Java be used. The vote was to choose between two options - 'Jakarta EE' and 'Enterprise Profile'. According to Mike Milinkovich, executive director at the Eclipse Foundation, almost 7,000 people voted, and over 64% voted in favour of Jakarta EE. The other finalist, "Enterprise Profile," came in at just 35.6% of the votes when voted ended last Friday.
"Other Java projects have also been renamed in Eclipse," notes SD Times. "Glassfish is now Eclipse Glassfish. The Java Community Process is now the Eclipse EE.next Working Group, and Oracle development management is now Eclipse Enterprise for Java Project Management Committee."

The top priority for developing talent is to train for soft skills, according to LinkedIn's 2018 Workplace Learning Report which surveyed more than 4,000 professionals. From a report: The report found that while automation is requiring workers to maintain technical fluency across roles, the rise of machine-led tasks makes it necessary for them to do what machines can't, which is to be adaptable, critical thinkers who can lead and communicate well.

theodp writes: It's exactly five years since Code.org launched with the video What Most Schools Don't Teach ," noted Code.org in a Monday blog post entitled Dedicating Our 5 year Anniversary to our Partners. "Since then, tens of millions of students have begun learning computer science, hundreds of thousands of schools have begun teaching CS, tens of thousands of teachers have attended workshops to introduce CS in their classrooms, hundreds of school districts have added CS to their curriculum, and forty U.S. states and 25 countries have announced policies and plans to support CS in schools [...] We should start by thanking our amazing donors, particularly Amazon [$10+ million], Facebook [$10+ million], Google [$3+ million], Infosys [$10+ million], and Microsoft [$10+ million]. Whether it's corporate funders, foundations, or individual donors, without your generous funding, we wouldn't exist [...] Changing education policies in forty states wouldn't be possible without the help of Microsoft, College Board, Amazon, and every partner in the Code.org Advocacy Coalition [...] We're particularly fortunate and proud to have had the vocal support of Bill Gates [$4+ million] and Mark Zuckerberg [$1+ million] since day one." Hey, it takes a corporate village to raise a CS-savvy child!

Chromebook users may soon have a simpler way to run their favorite Linux distribution and applications on Google's Chrome OS hardware. From a report: As spotted by Chrome Unboxed, there's a newly merged commit in Chromium Gerrit describing a "new device policy to allow Linux VMs on Chrome OS." A related entry suggests support could come with Chrome OS version 66, which is due out in stable release around April 24, meaning Google might announce it at its annual IO developer conference, which starts on May 8. Developers can already use a tool called Crouton to install and run Linux on Chrome OS, but there is a security trade-off because Chrome OS needs to be switched to developer mode to use it. There's also a Crouton extension called Xiwi to enable using an OS in a browser window on Chrome OS. However, it too requires developer mode to be enabled. A recent commit suggests Chrome developers are working on a project called Crostini that may solve the developer mode problem by allowing Linux VMs to run inside a container.

An anonymous reader quotes InfoWorld: Google's Dart language, once positioned a potential replacement for JavaScript in the browser, is being rebooted for client-side web and mobile development in Version 2 of the language. A beta version is now available. Dart 2 features a strengthened type system, a cleaned-up syntax, and a rebuilt developer tool chain.

Dart has a succinct syntax and can run on a VM with a just-in-time compiler, with the compiler enabling stateful, hot reload during mobile development. Developers also gain from fast development cycles where code can be edited, compiled, and replaced in apps running on a device. Compiling code ahead of time provides fast startup, Google said. Dart can be compiled to native code for ARM and x86 platforms. Google has used the language to build applications for iOS, Android, and the web.