Python

Did Programming Language Flaws Create Insecure Apps? (bleepingcomputer.com) 95

Several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks, according to research presented at the Black Hat Europe 2017 security conference. An anonymous reader writes: The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi, who says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

Fuzzing involves providing invalid, unexpected, or random data as input to a software application. The researcher created his own fuzzing framework named XDiFF that broke down programming languages per each of its core functions and fuzzed each one for abnormalities. His work exposed severe flaws in all five languages, such as a hidden flaw in PHP constant names that can be abused to perform remote code execution, and undocumented Python methods that can be used for OS code execution. Arnaboldi argues that attackers can exploit these flaws even in the most secure applications built on top of these programming languages.

Programming

What Mistakes Can Stall An IT Career? (cio.com) 201

Quoting snydeq: "In the fast-paced world of technology, complacency can be a career killer," Paul Heltzel writes in an article on 20 ways to kill your IT career without knowing it. "So too can any number of hidden hazards that quietly put your career on shaky ground -- from not knowing your true worth to thinking you've finally made it. Learning new tech skills and networking are obvious ways to solidify your career. But what about accidental ways that could put your career in a slide? Hidden hazards -- silent career killers? Some tech pitfalls may not be obvious."
CIO's reporter "talked to a number of IT pros, recruiters, and developers about how to build a bulletproof career and avoid lesser-known pitfalls," citing hazards like burning bridges and skipping social events. But it also warns of the dangers of staying in your comfort zone too long instead of asking for "stretch" assignments and accepting training opporunities.

The original submission puts the same question to Slashdot readers. "What silent career killers have you witnessed (or fallen prey to) in your years in IT?"
Android

Google Puts Android Accessibility Crackdown On Hold (slashgear.com) 28

Last month, Google issued a warning to Android app developers that they will no longer be able to access Android accessibility service functions in their apps, unless they can demonstrate that those functions are specifically used to help users with "disabilities." Since a lot of password managers use the Accessibility API, as well as poplar apps like Tasker automation and Greenify battery saver, there was a large amount of backlash from developers and users alike. According to SlashGear, Google is putting the Android accessibility crackdown on hold. From the report: Google has now sent another email that basically says "we'll think about it." It is evaluating "responsible and innovative use" of those services on a case to case basis. It is also requiring developers to explicitly inform users why they are asking for accessibility permissions rather than just informing them. This, of course, puts a heavier burden on Google, as it has to be more involved in the screening of apps rather than just rely on good ol' machine learning and automation. Developers and users probably won't mind, if it means still having access to those features that make Android a platform above all the rest.
Chrome

Chrome 63 Offers Even More Protection From Malicious Sites, Using Even More Memory (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica: To further increase its enterprise appeal, Chrome 63 -- which hit the browser's stable release channel yesterday -- includes a couple of new security enhancements aimed particularly at the corporate market. The first of these is site isolation, an even stricter version of the multiple process model that Chrome has used since its introduction. Chrome uses multiple processes for several security and stability reasons. On the stability front, the model means that even if a single tab crashes, other tabs (and the browser itself) are unaffected. On the security front, the use of multiple processes makes it much harder for malicious code from one site to steal secrets (such as passwords typed into forms) of another. [...]

Naturally, this greater use of multiple processes incurs a price; with this option enabled, Chrome's already high memory usage can go up by another 15 to 20 percent. As such, it's not enabled by default; instead, it's intended for use by enterprise users that are particularly concerned about organizational security. The other new capability is the ability for administrators to block extensions depending on the features those extensions need to use. For example, an admin can block any extension that tries to use file system access, that reads or writes the clipboard, or that accesses the webcam or microphone. Additionally, Google has started to deploy TLS 1.3, the latest version of Transport Layer Security, the protocol that enables secure communication between a browser and a Web server. In Chrome 63, this is only enabled between Chrome and Gmail; in 2018, it'll be turned on more widely.

Google

Inside Oracle's Cloak-and-dagger Political War With Google (recode.net) 83

schwit1 shares a Recode report: The story that appeared in Quartz this November seemed shocking enough on its own: Google had quietly tracked the location of its Android users, even those who had turned off such monitoring on their smartphones. But missing from the news site's report was another eyebrow-raising detail: Some of its evidence, while accurate, appears to have been furnished by one of Google's fiercest foes: Oracle. For the past year, the software and cloud computing giant has mounted a cloak-and-dagger, take-no-prisoners lobbying campaign against Google, perhaps hoping to cause the company intense political and financial pain at a time when the two tech giants are also warring in federal court over allegations of stolen computer code. Since 2010, Oracle has accused Google of copying Java and using key portions of it in the making of Android. Google, for its part, has fought those claims vigorously. More recently, though, their standoff has intensified. And as a sign of the worsening rift between them, this summer Oracle tried to sell reporters on a story about the privacy pitfalls of Android, two sources confirmed to Recode.
IT

Amazon Opens Registration For .BOT Domain Name (amazonregistry.com) 44

Amazon began accepting registration requests for .BOT domain name from the public this week as the e-commerce giant comes to realize the potential of the top level domain name it secured rights for two years ago. For now, Amazon is keeping the registration for .BOT domains limited. "Creators with published bots who use Amazon Lex, Microsoft Bot Framework and Dialogflow can validate a bot and register a .BOT domain name," the company said, noting that the limited registration phase would end on March 30, 2018. At the time of registration, Amazon requires users to sign into their Amazon account and validate their published bot.
Windows

Lead Developer of Popular Windows Application Classic Shell Is Quitting 97

WheezyJoe writes: Classic Shell is a free Windows application that for years has replaced Microsoft's Start Screen or Start Menu with a highly configurable, more familiar non-tile Start menu. Yesterday, the lead developer released what he said would be the last version of Classic Shell. Citing other interests and the frequency at which Microsoft releases updates to Windows 10, as well as lagging support for the Win32 programming model, the developer says that he won't work on the program anymore. The application's source code is available on SourceForge, so there is a chance others may come and fork the code to continue development. There are several alternatives available, some pay and some free (like Start10 and Start Is Back++), but Classic Shell has an exceptionally broad range of tweaks and customizability.
Programming

'24 Pull Requests' Suggests Contributing Code For Christmas (24pullrequests.com) 30

An anonymous reader writes: "On December 1st, 24 Pull Requests will be opening its virtual doors once again, asking you to give the gift of a pull request to an open source project in need," writes UK-based software developer Andrew Nesbitt -- noting that last year the site registered more than 16,000 pull requests. "And they're not all by programmers. Often the contribution with the most impact might be an improvement to technical documentation, some tests, or even better -- guidance for other contributors."

This year they're even touting "24 Pull Requests hack events," happening around the world from Lexington, Kentucky to Torino, Italy. (Last year 80 people showed up for an event in London.) "You don't have to hack alone this Christmas!" suggests the site, also inviting local communities and geek meetups (as well as open source-loving companies) to host their own events.

Contributing to open source projects can also beef up your CV (for when you're applying for your next job), the site points out, and "Even small contributions can be really valuable to a project."

"You've been benefiting from the use of open source projects all year. Now is the time to say thanks to the maintainers of those projects, and a little birdy tells me that they love receiving pull requests!"
Encryption

PHP Now Supports Argon2 Next-Generation Password Hashing Algorithm (bleepingcomputer.com) 94

An anonymous reader quotes Bleeping Computer: PHP got a whole lot more secure this week with the release of the 7.2 branch, a version that improves and modernizes the language's support for cryptography and password hashing algorithms.

Of all changes, the most significant is, by far, the support for Argon2, a password hashing algorithm developed in the early 2010s. Back in 2015, Argon2 beat 23 other algorithms to win the Password Hashing Competition, and is now in the midst of becoming a universally recognized Internet standard at the Internet Engineering Task Force (IETF), the reward for winning the contest. The algorithm is currently considered to be superior to Bcrypt, today's most widely used password hashing function, in terms of both security and cost-effectiveness, and is also slated to become a favorite among cryptocurrencies, as it can also handle proof-of-work operations.

The other major change in PHP 7.2 was the removal of the old Mcrypt cryptographic library from the PHP core and the addition of Libsodium, a more modern alternative.

Republicans

Valuable Republican Donor Database Breached -- By Other Republicans (politico.com) 73

Politico reports: Staffers for Senate Republicans' campaign arm seized information on more than 200,000 donors from the House GOP campaign committee over several months this year by breaking into its computer system, three sources with knowledge of the breach told Politico... Multiple NRSC staffers, who previously worked for the NRCC, used old database login information to gain access to House Republicans' donor lists this year. The donor list that was breached is among the NRCC's most valuable assets, containing not only basic contact information like email addresses and phone numbers but personal information that could be used to entice donors to fork over cash -- information on top issues and key states of interest to different people, the names of family members, and summaries of past donation history... Donor lists like these are of such value to party committees that they can use them as collateral to obtain loans worth millions of dollars when they need cash just before major elections...

"The individuals on these lists are guaranteed money," said a Republican fundraiser. "They will give. These are not your regular D.C. PAC list"... The list has helped the NRCC raise over $77 million this year to defend the House in 2018... Though the House and Senate campaign arms share the similar goal of electing Republican candidates and often coordinate strategy in certain states, they operate on distinct tracks and compete for money from small and large donors.

Long-time Slashdot reader SethJohnson says the data breach "is the result of poor deprovisioning policies within the House Republican Campaign Committee -- allowing staff logins to persist after a person has left the organization."

NRCC officials who learned of the breach "are really pissed," one source told the site.
Perl

Perl, Perl 6, and Two Application Frameworks Release 2017 Advent Calendars (perladvent.org) 38

An anonymous reader writes: Friday saw this year's first new posts on the Perl Advent Calendar, a geeky tradition first started back in 2000. It describes Santa including Unicode's "Father Christmas" emoji by enabling UTF-8 encoding and then using the appropriate hexadecimal code.

But in another corner of the North Pole, you can also unwrap the Perl 6 Advent Calendar, which this year celebrates the two-year anniversary of the official launch of Perl 6. Its first post follows a Grinch who used the but and does operators in Perl 6, while wrapping methods and subroutines to add extra sneaky features, "and even mutated the language itself to do our bidding."

Perl/Python guru Joel Berger has also started an advent calendar for the Mojolicious web application framework (written in Perl), and there's apparently also an advent calendar coming for the Perl Dancer web application framework.

Chrome

Wondering Why Your Internal .dev Web App Has Stopped Working? (theregister.co.uk) 311

Kieren McCarthy, writing for The Register: Network admins, code wranglers and other techies have hit an unusual problem this week: their test and development environments have vanished. Rather than connecting to private stuff on an internal .dev domain to pick up where they left off, a number of engineers and sysadmins are facing an error message in their web browser complaining it is "unable to provide a secure connection." How come? It's thanks to a recent commit to Chromium that has been included in the latest version of Google Chrome. As developers update their browsers, they may find themselves booted out their own systems. Under the commit, Chrome forces connections to all domains ending in .dev (as well as .foo) to use HTTPS via a HTTP Strict Transport Security (HSTS) header. This is part of Google's larger and welcome push for HTTPS to be used everywhere for greater security.
Software

Amazon Will Let Alexa Developers Use Voice Recognition To Personalize Apps (theverge.com) 30

Amazon today announced that third-party developers will be able to make use of the Alexa assistant's voice recognition feature to personalize apps for its line of Echo speakers. The news builds on the company's announcement in October that Alexa can now identify individual users' voices to personalize responses. The Verge reports: Until today, that recognition feature only worked for Amazon-built services like shopping lists, flash briefing news updates, and Amazon Music, among other built-in skills. Starting some time in early 2018, however, developers will be able to tap into those voice-based profiles to make apps more personalized to various members of a household. This yet again puts Amazon ahead of rival Google in the smart home and digital assistant fields. In addition to announcing voice recognition for third-party apps, Amazon also revealed today at its re:Invent conference that it's bringing Alexa notifications on Echo speakers to a wider pool of developers starting today.
Sci-Fi

Destiny 2 Misrepresented XP Gains To Its Players Until the Developers Got Caught (arstechnica.com) 112

An anonymous reader quotes a report from Ars Technica: Destiny 2, like its predecessor, depends largely on an open-ended "end game" system. Once you beat the game's primary "quest" content, you can return to previously covered ground to find remixed and upgraded battles, meant to be played ad nauseam alone or with friends. To encourage such replay, Bungie dangles a carrot of XP gain, which works more slowly than during the campaign stages. Players are awarded a "bright engram" every time they "level up" past the level cap; the engrams are essentially loot boxes that contain a random assortment of cosmetics and weapon mods. Everything you do in the game, from killing a weak bad guy to completing a major raid-related milestone, is supposed to reward you a fixed XP amount. As series fans gear up for the game's first expansion, slated to launch December 5 on PC, PlayStation 4, and Xbox One, its eagle-eyed fans at r/DestinyTheGame began questioning whether those rewards were really as fixed as claimed. Some players began to suspect that they were actually getting less XP than advertised each time they repeated certain in-game missions and tasks, such as the game's "Public Events."

With stopwatch in hand, a user named EnergiserX tracked the modes he played, keeping an eye on any shifts in XP gain over time. He put enough data together to confirm those suspicions: the XP gained in certain modes would shrink with each repetition. Worse, the game gave no indication of these diminishing returns. The XP-gain numbers that popped up above the game's XP bar didn't reflect the game's hidden scaling system. Thus, there was no way for a player to accurately calculate how their XP gain had been affected or scaled without going through EnergiserX's exhaustive process. With findings in hand, the tester posted on Reddit with calls to the developers for a response, which the community received on Saturday. Bungie confirmed its use of an "XP scaler" and added that it was "not performing the way we'd like it to," which meant the developer would remove that XP-scaling system upon the game's next patch. However, Bungie didn't clarify how the developers actually would have liked for this XP-scaling system to work, nor what factored into it announcing any changes beyond the system simply being discovered.
Bungie issued a patch on Sunday that removed the XP-scaling systems, but it introduced another unannounced change to the XP system. "Bungie decided to tune the speed of XP gain by doubling the required XP needed to 'level up,' from 80,000 points to 160,000," reports Ars Technica. "Patch notes didn't mention this change; Bungie, once again, had to be questioned by its fanbase before confirming the exact amount of this XP-related change."
Android

The Pixel 2's Dormant 'Visual Core' Chip Gets Activated In Latest Android Developer Preview (techcrunch.com) 32

The Google Pixel 2 and Pixel 2 XL both feature a custom Intel "Visual Core" co-processor, which is meant to improve speed and battery life when shooting photos with Google's HDR+ technology. The chip has been hanging out in the phone not really doing much of anything -- until now. TechCrunch reports of a new developer preview of Android 8.1 due out today that puts the chip to use. "The component is expected to further improve the handsets' cameras, which were already scoring good marks, production issues aside." From the report: According to the company, Pixel Visual Core has eight image processing unit (IPU) cores and 512 arithmetic logic units. Using machine learning, the company says it's able to speed things up by 5x, with one tenth of the energy. Access to the chip, combined with the Android Camera API means third-party photo apps will be able to take advantage of the system's speedy HDR+. Sounds swell, right? Of course, this is still just an early preview, only available to people who sign up for Google's Beta program. That means, among other things, dealing with potential bugs of an early build. Google wouldn't give us any more specific information with regards to when the feature will be unlocked for the public, but it's expected to arrive along with the 8.1 public beta in December.

Slashdot Top Deals