Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Open Source

Pull Requests Are Accepted At About The Same Rate, Regardless of Gender (techinasia.com) 94

An anonymous reader writes: Remember that story about how women "get pull requests accepted more (except when you know they're women)." The study actually showed that men also had their code accepted more often when their gender wasn't known, according to Tech In Asia -- and more importantly, the lower acceptance rates (for both men and women) applied mostly to code submitters from outside the GitHub community. "Among insiders, there's no evidence of discrimination against women. In fact, the reverse is true: women who are on the inside and whose genders are easy to discern get more of their code approved, and to a statistically significant degree."

Eight months after the story ran, the BBC finally re-wrote their original headline ("Women write better code, study suggests") and added the crucial detail that acceptance rates for women fell "if they were not regulars on the service and were identified by their gender."

Facebook

Facebook Buys Data From Third-Party Brokers To Fill In User Profiles (ibtimes.com) 116

An anonymous reader quotes a report from International Business Times: According to a report from ProPublica, the world's largest social network knows far more about its users than just what they do online. What Facebook can't glean from a user's activity, it's getting from third-party data brokers. ProPublica found the social network is purchasing additional information including personal income, where a person eats out and how many credit cards they keep. That data all comes separate from the unique identifiers that Facebook generates for its users based on interests and online behavior. A separate investigation by ProPublica in which the publication asked users to report categories of interest Facebook assigned to them generated more than 52,000 attributes. The data Facebook pays for from other brokers to round out user profiles isn't disclosed by the company beyond a note that it gets information "from a few different sources." Those sources, according to ProPublica, come from commercial data brokers who have access to information about people that isn't linked directly to online behavior. The social network doesn't disclose those sources because the information isn't collected by Facebook and is publicly available. Facebook does provide a page in its help center that details how to get removed from the lists held by third-party data brokers. However, the process isn't particularly easy. In the case of the Oracle-owned Datalogix, users who want off the list have to send a written request and a copy of a government-issued identification in the mail to Oracle's chief privacy officer. Another data collecting service, Acxiom, requires users provide the last four digits of their social security number to see the information the company has gathered about them.
Bug

Nevada Website Bug Leaks Thousands of Medical Marijuana Dispensary Applications (zdnet.com) 55

An anonymous reader quotes a report from ZDNet: Nevada's state government website has leaked the personal data on over 11,700 applicants for dispensing medical marijuana in the state. Each application, eight pages in length, includes the person's full name, home address, citizenship, and even their weight and height, race, and eye and hair color. The applications also include the applicant's citizenship, their driving license number (where applicable), and social security number. Security researcher Justin Shafer found the bug in the state's website portal, allowing anyone with the right web address to access and enumerate the thousands of applications. Though the medical marijuana portal can be found with a crafted Google search query, we're not publishing the web address out of caution until the bug is fixed. A spokesperson for the Nevada Dept. Health and Human Services, which runs the medical marijuana application program, told ZDNet that the website has been pulled offline to limit the vulnerability. The spokesperson added that the leaked data was a "portion" of one of several databases.
PHP

Millions of Websites Vulnerable Due To Security Bug In Popular PHP Script (bleepingcomputer.com) 104

An anonymous reader writes from a report via BleepingComputer: A security flaw discovered in a common PHP class allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server. The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code, also included with WordPress, Drupal, Joomla, and more. The vulnerability was fixed on Christmas with the release of PHPMailer version 5.2.18. Nevertheless, despite the presence of a patched version, it will take some time for the security update to propagate. Judging by past incidents, millions of sites will never be updated, leaving a large chunk of the Internet open to attacks. Even though the security researcher who discovered the flaw didn't publish any in-depth details about his findings, someone reverse-engineered the PHPMailer patch and published their own exploit code online, allowing others to automate attacks using this flaw, which is largely still unpatched due to the holiday season.
Programming

How Would You Generate C Code Using Common Lisp Macros? (github.com) 108

Long-time Slashdot reader kruhft brings news about a new S-Expression based language transpiler that has the feel of C. This structure allows for the creation of code generation macros using the full power of the host Common Lisp environment, a language designed for operating on S-Expressions, also known as Lists. It is unknown exactly what power might come about from this combination of low level processing with high level code generation.
This has prompted some discussion online about other attempts to convert Lisp to C -- raising several more questions. How (and why) would you convert your Lisp code into C, and what would then be the best uses for this capability?
Python

Python 3.6 Released (python.org) 187

On Friday, more than a year after Python 3.5, core developers Elvis Pranskevichus and Yury Selivanov announced the release of version 3.6. An anonymous reader writes: InfoWorld describes the changes as async in more places, speed and memory usage improvements, and pluggable support for JITs, tracers, and debuggers. "Python 3.6 also provides support for DTrace and SystemTap, brings a secrets module to the standard library [to generate authentication tokens], introduces new string and number formats, and adds type annotations for variables. It also gives us easier methods to customize the creation of subclasses."
You can read Slashdot's interview with Python creator Guido van Rossum from 2013. I also remember an interview this July where Perl creator Larry Wall called Python "a pretty okay first language, with a tendency towards style enforcement, monoculture, and group-think...more interested in giving you one adequate way to do something than it is in giving you a workshop that you, the programmer, get to choose the best tool from." Anyone want to share their thoughts today about the future of Python?
Programming

Apple Delays App Store Security Deadline For Developers 25

Reader Trailrunner7 writes: Apple has pushed back a deadline for developers to support a key transport security technology in apps submitted to the company's app stores. Officials said at the Apple Worldwide Developers Conference earlier this year that developers would have to support Apple Transport Security by the end of 2016. But on Thursday, the company announced that it has decided to extend the deadline indefinitely. ATS is Apple's collection of transport security standards designed to provide attack resistance for data that's sent between iOS and macOS apps and backend servers. It requires apps to support a number of modern transport security technologies, including TLS 1.2, AES-128 or stronger, and certificates must be signed using SHA-2. ATS also requires the use of forward secrecy, a key-exchange method that protects encrypted sessions even if the server certificate is compromised at some point in the future.
Businesses

Crytek Closing Five Studios, Will Refocus On 'Premium IPs' and CryEngine (polygon.com) 54

In a press release, Crytek, the developer behind hits such as the Crysis and Far Cry shooters, announced that it will be closing five of its studios in an effort to "refocus on its core strengths." The only studios remaining will be Crytek's Frankfurt, Germany and Kiev, Ukraine locations. Polygon reports: Other than Crytek's Frankfurt headquarters and Kiev studio, which develops free-to-play shooter Warface, the company held offices in Budapest, Hungary; Sofia, Bulgaria; Seoul, Korea; Shanghai, China; and Istanbul, Turkey. Crytek's co-founder and managing director, Avni Yerli, said in the release that the "changes are part of the essential steps we are taking to ensure Crytek is a healthy and sustainable business moving forward that can continue to attract and nurture our industry's top talent. The reasons for this have been communicated internally along the way. "Our focus now lies entirely on the core strengths that have always defined Crytek -- world-class developers, state-of-the-art technology and innovative game development, and we believe that going through this challenging process will make us a more agile, viable, and attractive studio, primed for future success," he added. The studio will now focus on its CryEngine technology, which is used by many other developers and licensors. Crytek said it will also continue to "develop and work on premium IPs."
Java

Oracle Begins Aggressively Pursuing Java Licensing Fees (theregister.co.uk) 295

Java SE is free, but Java SE Suite and various flavors of Java SE Advanced are not, and now Oracle "is massively ramping up audits of Java customers it claims are in breach of its licenses," reports the Register. Oracle bought Java with Sun Microsystems in 2010 but only now is its License Management Services division chasing down people for payment, we are told by people familiar with the matter. The database giant is understood to have hired 20 individuals globally this year, whose sole job is the pursuit of businesses in breach of their Java licenses... Huge sums of money are at stake, with customers on the hook for multiple tens and hundreds of thousands of dollars.
Slashdot reader rsilvergun writes, "Oracle had previously sued Google for the use of Java in Android but had lost that case. While that case is being appealed, it remains to be seen if the latest push to monetize Java is a response to that loss or part of a broader strategy on Oracle's part." The Register interviewed the head of an independent license management service who says Oracle's even targeting its own partners now.

But after acquiring Sun in 2010, why did Oracle's License Management Services wait a full six years? "It is believed to have taken that long for LMS to devise audit methodologies and to build a detailed knowledge of customers' Java estates on which to proceed."
Businesses

Are Remote Offices Becoming The New Normal? (backchannel.com) 250

"As companies tighten their purse strings, they're spreading out their hires -- this year, and for years to come," reports Backchannel, citing interviews with executives and other workplace analysts. mirandakatz writes: Once a cost-cutting strategy, remote offices are becoming the new normal: from GitHub to Mozilla and Wordpress, more and more companies are eschewing the physical office in favor of systems that allow employees to live out their wanderlust. As workplaces increasingly go remote, they're adopting tools to keep employees connected and socially fulfilled -- as Mozilla Chief of Staff David Slater tells Backchannel, "The wiki becomes the water cooler."
The article describes budget-conscious startups realizing they can cut their overhead and choose from talent located anywhere in the world. And one group of analysts calculated that the number of telecommuting workers doubled between 2005 and 2014, reporting that now "75% of employees who work from home earn over $65,000 per year, putting them in the upper 80th percentile of all employees, home or office-based." Are Slashdot's readers seeing a surge in telecommuting? And does anybody have any good stories about the digital nomad lifestyle?
Security

Does Code Reuse Endanger Secure Software Development? (threatpost.com) 148

msm1267 quotes ThreatPost: The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It's a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host. This scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability.

The real-world consequences have been demonstrated in the past few years with the Heartbleed vulnerability in OpenSSL, Shellshock in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the San Francisco Municipal Transportation Agency. These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications... According to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. Second, insecure code is used by a developer who doesn't exercise due diligence on the software libraries used in their project.

That seems like a one-sided take, so I'm curious what Slashdot readers think. Does code reuse endanger secure software development?
Businesses

Building a Coder's Paradise Is Not Profitable: GitHub Lost $66M In Nine Months Of 2016 (bloomberg.com) 227

Though not much popular outside the technology circles, GitHub is very popular among coders around the world. The startup operates a sort of Google Docs for programmers, giving them a place to store, share and collaborate on their work. But GitHub is losing money through profligate spending and has stood by as new entrants emerged in a software category it essentially gave birth to, according to people familiar with the business and financial paperwork reviewed by Bloomberg. From the report: The rise of GitHub has captivated venture capitalists. Sequoia Capital led a $250 million investment in mid-2015. But GitHub management may have been a little too eager to spend the new money. The company paid to send employees jetting across the globe to Amsterdam, London, New York and elsewhere. More costly, it doubled headcount to 600 over the course of about 18 months. GitHub lost $27 million in the fiscal year that ended in January 2016, according to an income statement seen by Bloomberg. It generated $95 million in revenue during that period, the internal financial document says. The income statement shows a loss of $66 million in the first three quarters of this year. That's more than twice as much lost in any nine-month time frame by Twilio Inc., another maker of software tools founded the same year as GitHub. At least a dozen members of GitHub's leadership team have left since last year.
Privacy

Twitter Blocks Government 'Spy Centers' From Accessing User Data (theguardian.com) 46

An anonymous reader quotes a report from The Guardian: Twitter has blocked federally funded "domestic spy centers" from using a powerful social media monitoring tool after public records revealed that the government had special access to users' information for controversial surveillance efforts. The American Civil Liberties Union of California discovered that so-called fusion centers, which collect intelligence, had access to monitoring technology from Dataminr, an analytics company partially owned by Twitter. The ACLU's records prompted the companies to announce that Dataminr had terminated access for all fusion centers and would no longer provide social media surveillance tools to any local, state or federal government entities. The government centers are partnerships between agencies that work to collect vast amounts of information purportedly to analyze "threats". The spy centers, according to the ACLU, target protesters, journalists and others protected by free speech rights while also racially profiling people deemed "suspicious" by law enforcement. Records that the ACLU obtained uncovered that a fusion center in southern California had access to Dataminr's "geospatial analysis application", which allowed the government to do location-based tracking as well as searches tied to keywords. That means the center could use Dataminr to search billions of tweets and monitor specific demographics or organizations.
Role Playing (Games)

Analysts Tout 'State of The Developer' Survey By Awarding RPG Characters (amazon.com) 47

An anonymous reader writes: Analysts at VisionMobile have begun conducting this year's "State of the Developer" Survey -- their perennial assessment of salaries, skills, and tools -- but this time with a twist. "Based on your responses, you'll find out what kind of character you'd be in a fantasy world: A mage? A fighter? A dragon slayer?" according to a blog post publicizing the event by Amazon's manager of developer marketing. "As in previous years, you'll also receive your personal Developer Scorecard showing how you compare to other developers in your country, a free copy of the final State of the Developer Nation report, and a chance to win some cool prizes."
The survey presents a map of seven "kingdoms" -- IoT, Mobile, Desktop, Backend, Web, Machine learning, and AR/VR -- and invites developers to complete their "quest," awarding virtual badges and real-world prizes, which include an Oculus Rift headset, a Surface Pro 3, an Apple Watch, and a Pixel Phone. Along your "journey," a developer owl even dispatches encouraging geeky jokes. (Like "Whenever I see a door that says 'push', I always pull first, to avoid conflicts.")
Communications

Google Now Lets Developers Write Apps For the Assistant On Google Home (techcrunch.com) 39

Google today announced it will open up Home to third-party developers, allowing all developers to start bringing their applications and services to the Google Assistant. Developers can start building "conversation actions" for the Google Assistant, which "allows developers to create back-and-forth conversations with users through the Assistant," writes Frederic Lardinois via TechCrunch. "Users can simply start these conversations by using a phrase like 'OK Google, talk to Eliza.'" TechCrunch reports: While the Assistant also runs on the Pixel phones and inside the Allo chat app, Google says it plans to bring actions to these other "Assistant surfaces" in the future, but it's unclear when exactly this will happen. To help developers who want to build these new Conversation Actions get started, Google has teamed up with a number of partners, including API.AI, GupShup, DashBot and VoiceLabs, Assist, Notify.IO, Witlingo and Spoken Layer. Google has also allowed a small number of partners to enable their apps on Google Home already. These integrations will roll out as early as next week. Given that users will be able to invoke these new actions with a simple command (and without having to first enable a skill, like on Alexa), Google's platform looks to be a rather accessible and low-friction way for developers to get their voice-enabled services to users. Google will have the final say over which actions will be enabled on Google Home.

Slashdot Top Deals