Java

OpenJDK May Tackle Java Security Gaps With A Secretive New Group (infoworld.com) 79

An anonymous reader quotes InfoWorld: To shore up Java's security, a private group that operates outside the normal open source community process is under consideration. The proposed OpenJDK Vulnerability Group would provide a secure, private forum in which trusted members of the community receive reports on vulnerabilities in code bases and then review and fix them... The vulnerability group and Oracle's internal security teams would work together, and it may occasionally need to work with external security organizations.

Due to the sensitive nature of its work, membership in the group would be more selective, there would be a strict communication policy, and members or their employers would need to sign both a nondisclosure and a license agreement, said Mark Reinhold, chief architect of the Java platform group at Oracle. "These requirements do, strictly speaking, violate the OpenJDK bylaws," Reinhold said. "The governing board has discussed this, however, and I expect that the board will approve the creation of this group with these exceptional requirements." If the Java security group is approved, Andrew Gross, leader of Oracle's internal Java vulnerability team, would lead it.

Security

Researchers Win $100,000 For New Spear-Phishing Detection Method (bleepingcomputer.com) 28

An anonymous reader writes: Facebook has awarded this year's Internet Defense Prize worth $100,000 to a team of researchers from the University of California, Berkeley, who came up with a new method of detecting spear-phishing attacks in closely monitored enterprise networks. The team created a detection system -- called DAS (Directed Anomaly Scoring) -- that identifies uncommon patterns in email communications. They trained DAS by having it analyze 370 million emails from a single large enterprise with thousands of employees, sent between March 2013 and January 2017.

"Out of 19 spearphishing attacks, our detector failed to detect 2 attacks," the research team said. "Our detector [also] achieved an average false positive rate of 0.004%," researchers added, pointing out that this is almost 200 times better than previous research.
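The summary does not say what DAS actually computes. In the published paper the score of an event is the number of other events it dominates, i.e. is at least as suspicious as on every feature at once, and alerts are taken from the top of that ranking under a fixed daily budget; there are no weights or distributional assumptions to tune, which is what keeps the false-positive rate low when the features disagree. The block below is an added illustration of that scoring written for this page, not the Berkeley team's code: the two features (how many days the sender has been seen before, and how often anyone in the organisation visited the clicked domain) and the five sample events are constructed here, and the tie-break rule is arbitrary.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data: one record per email whose link an employee clicked.
# Both features are counts where a SMALLER value is MORE suspicious
# (a never-before-seen sender, a domain nobody in the company has visited).
# The feature choice is an assumption made for this illustration.

@dataclass(frozen=True)
class ClickEvent:
    msg_id: str
    sender_prior_days: int    # days on which this From address was seen before
    domain_prior_visits: int  # earlier visits by anyone in the org to the link's domain

FEATURES = ("sender_prior_days", "domain_prior_visits")

SAMPLE_EVENTS: List[ClickEvent] = [
    ClickEvent("m1", 0,   0),     # new sender AND never-visited domain
    ClickEvent("m2", 400, 9000),  # long-known sender, popular domain
    ClickEvent("m3", 0,   5000),  # new sender, but a domain everyone visits
    ClickEvent("m4", 200, 0),     # known sender pointing at an unseen domain
    ClickEvent("m5", 30,  30),    # moderately rare on both axes
]

def dominates(a: ClickEvent, b: ClickEvent) -> bool:
    """a dominates b when a is at least as suspicious as b on EVERY feature."""
    return all(getattr(a, f) <= getattr(b, f) for f in FEATURES)

def das_scores(events: List[ClickEvent]) -> Dict[str, int]:
    """Directed Anomaly Scoring: an event's score is the number of other
    events it dominates. Only the partial order over the features is used,
    so an event that is rare on one axis but ordinary on the other is not
    over-rewarded the way a naive sum of per-feature rarities would be."""
    return {
        e.msg_id: sum(1 for o in events if o is not e and dominates(e, o))
        for e in events
    }

def rank_alerts(events: List[ClickEvent], budget: int) -> List[Tuple[str, int]]:
    """Return the `budget` highest-scoring events as (msg_id, score).
    Ties are broken by msg_id here only to make the order deterministic."""
    scores = das_scores(events)
    ordered = sorted(events, key=lambda e: (-scores[e.msg_id], e.msg_id))
    return [(e.msg_id, scores[e.msg_id]) for e in ordered[:budget]]

if __name__ == "__main__":
    for msg_id, score in rank_alerts(SAMPLE_EVENTS, budget=2):
        print(f"alert {msg_id}: dominates {score} other events")
```

With a budget of two alerts, m1 (unknown sender, unknown domain) is ranked first because it dominates every other event; m3, m4 and m5 each dominate only the thoroughly ordinary m2 and tie, which is the point: a new sender linking to a domain the whole company uses is not, on its own, more alarming than a known sender linking somewhere nobody has been.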

Honorable mentions went to two other projects, one for using existing static analysis techniques to find a large number of vulnerabilities in Linux kernel drivers, and another for preventing specific classes of vulnerabilities in low-level code.

Desktops (Apple)

In Defense of the Popular Framework Electron (dev.to) 138

Electron, a popular framework that allows developers to write code once and seamlessly deploy it across multiple platforms, has been a topic of conversation lately among developers and users alike. Many have criticised Electron-powered apps as "too memory intensive." A developer, who admittedly uses a high-end computer, shares his perspective: I can speak for myself when I say Electron runs like a dream. On a typical day, I'll have about three Atom windows open, a multi-team Slack up and running, as well as actively using and debugging my own Electron-based app Standard Notes. [...] So, how does it feel to run this bloat train of death every day? Well, it feels like nothing. I don't notice it. My laptop doesn't get hot. I don't hear the fan. I experience no lags in any application. [...] But aside from how it makes end-users feel, there is an arguably more important perspective to be had: how it makes software companies feel. For context, the project I work in is an open-source cross-platform notes app that's available on most platforms, including web, Mac, Windows, Linux, iOS, and Android. All the desktop applications are based off the main web codebase, and are bundled using Electron, while the iOS and Android app use their own native codebases respectively, one in Swift and the other in Kotlin. And as a new company without a lot of resources, this setup has just barely allowed us to enter the marketplace. Three codebases is two too many codebases to maintain. Every time we make a change, we have to make it in three different places, violating the most sacred tenet of computer science of keeping it DRY. As a one-person team deploying on all these platforms, even the most minor change will take at minimum three development days, one for each codebase. This includes debugging, fixing, testing, bundling, deploying, and distributing every single codebase. This is by no means an easy task.

Chrome

Chrome Extension Developers Under a Barrage of Phishing Attacks (bleepingcomputer.com) 40

An anonymous reader quotes Bleeping Computer: Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions. These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions -- Copyfish and Web Developer. The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.

According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing. All phishing emails contained the same lure -- someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated. The extension developer was lured onto a site to view what was the problem and possibly update the extension. Before seeing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.

Security

Salesforce Fires Red Team Staffers Who Gave Defcon Talk (zdnet.com) 154

Josh Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer, have been fired by the company after they gave a talk at the Defcon security conference in Las Vegas last month, reports ZDNet. Schwartz and Cramb were presenting the details of their tool, called Meatpistol, a "modular malware implant framework (PDF)" similar in intent to the Metasploit toolkit used by many penetration testers. The tool, "pitched as taking 'the boring work' out of pen-testing to make red teams, including at Salesforce, more efficient and effective", was anticipated to be released as open source at the time of the presentation, but Salesforce has held back the code. From the report: [...] The two were fired "as soon as they got off stage" by a senior Salesforce executive, according to one of several people who witnessed the firing and offered their accounts. The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage telling them not to give the talk, but the message wasn't seen until after the talk had ended. The talk had been months in the making. Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting. The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies. But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release. Later, on stage, Schwartz told attendees that he would fight to get the tool published.

IOS

Developers Explain Why iOS Apps Are Getting Bulkier (ndtv.com) 140

Reader joshtops shares a report: Apps are getting bigger in size, in part because developers add new features, something many users obviously appreciate, developers say. "Apps are getting bigger because iOS devices are more powerful, and developers are building more and more complex things for them without considering the impact the size will have around the world," developer Stephen Troughton-Smith tells Gadgets 360. But in part, it is also happening because developers are being careless, and adding more than one instance of files, Troughton-Smith added. "So Facebook, Twitter, and other large companies have perhaps tens or hundreds of people building their iOS apps. A lot of the components for these apps are developed independently as components, or frameworks. For each additional component you glue together into an app, there is some overhead," he explained. "Some of the teams will duplicate functionality some other team wrote. Images and other resources end up being duplicated." The high-resolution image assets that developers are required to add also contributes to the size of an app, two India-based developers, and Peter Steinberger, founder and CEO of PSPDFKit, a dev kit that is used by several popular PDF apps, told Gadgets 360. Apple can itself take some blame, too. Developers using Apple's Swift language, which the company introduced in 2014, are required to add several components to their apps that make them heavier. "Apple's new Swift language, for example, requires a bunch of components to be embedded each time it's used, because it's not yet 'ABI stable,'" Troughton-Smith explained. This means developers need to embed the versions of libraries they've developed against, and not count on the one available on the system. Another developer who didn't want to be identified said a typical app built with Swift language requires as many as 30 Swift runtime libraries to be stuffed within the app. 
On top of this, he added, "you will be surprised at just how many apps use common code found at places like GitHub. Developers often don't care about removing the bits that weren't relevant to their app."

United States

First Human Embryos Edited In US (technologyreview.com) 140

randomErr shares a report from MIT Technology Review: The first known attempt at creating genetically modified human embryos in the United States has been carried out by a team of researchers in Portland, Oregon, MIT Technology Review has learned. The effort, led by Shoukhrat Mitalipov of Oregon Health and Science University, involved changing the DNA of a large number of one-cell embryos with the gene-editing technique CRISPR. Until now, American scientists have watched as scientists elsewhere were first to explore the controversial practice. To date, three previous reports of editing human embryos were all published by scientists in China. Now Mitalipov is believed to have broken new ground both in the number of embryos experimented upon and by demonstrating that it is possible to safely and efficiently correct defective genes that cause inherited diseases. In altering the DNA code of human embryos, the objective of scientists is to show that they can eradicate or correct genes that cause inherited disease, like the blood condition beta-thalassemia. The process is termed "germline engineering" because any genetically modified child would then pass the changes on to subsequent generations via their own germ cells -- the egg and sperm. Reached by Skype, Mitalipov declined to comment on the results, which he said are pending publication. But other scientists confirmed the editing of embryos using CRISPR.
Open Source

Microsoft Makes 'Visual Studio Code Extension for Arduino' Open Source (betanews.com) 65

BrianFagioli quotes BetaNews: Thursday, Microsoft released yet another open source tool on GitHub -- Visual Studio Code Extension for Arduino. This MIT-licensed code should greatly help developers that are leveraging Arduino hardware for Internet of Things-related projects and more. "Our team at Visual Studio IoT Tooling, researched the development tools developers are using today, interviewed many developers to learn about their pain points developing IoT applications, and found that of all layers of IoT, there are abundant dev tools for cloud, gateway, interactive devices, and industrial devices, but limited availability and capability for micro-controllers and sensors...

"Keeping open source and open platform in mind, we started the work to add an extension on Visual Studio Code, the cross-platform, open sourced advanced code editor, for Arduino application development," says Zhidi Shang, R&D and Product Development, Microsoft.

Microsoft adds that its tool "is almost fully compatible and consistent with the official Arduino IDE," extending its capabilities with "the most sought-after features, such as IntelliSense, Auto code completion, and on-device debugging for supported boards."

Maybe this would be a good time to ask if anybody has a favorite IDE that they'd like to recommend?
EU

Google May Face Another Record EU Fine, This Time Over Android (itwire.com) 192

troublemaker_23 shares a report from ITWire: The EU is contemplating another record fine against Google over how it pays and limits mobile phone providers who use the search company's Android mobile operating system and app store. Reuters reported that a decision could be expected by the end of the year if the opinion of a team of experts, set up by the EU to obtain a second opinion, agrees with the decisions reached by the team that has worked on the case. The report quoted Richard Windsor, an independent financial analyst, as saying that the Android fine was likely to hurt Google more than the search fine or the verdict in a third EU probe over AdSense. "If Google was forced to unbundle Google Play from its other Digital Life services, handset makers and operators would be free to set whatever they like by default potentially triggering a decline in the usage of Google's services," he said.

In the chargesheet, issued on April 20, 2016, the European Commission said Google had breached EU anti-trust rules by:
-Requiring manufacturers to pre-install Google Search and Google's Chrome browser and requiring them to set Google Search as default search service on their devices, as a condition to license certain Google proprietary apps;
-Preventing manufacturers from selling smart mobile devices running on competing operating systems based on the Android open source code;
-Giving financial incentives to manufacturers and mobile network operators on condition that they exclusively pre-install Google Search on their devices.

Education

PBS Bets $3 Million That Monkeys Are Better CS Preschool Teachers Than Rabbits (edsurge.com) 82

theodp writes: EdSurge reports that a new PBS show will teach preschoolers how to think like computers. Marisa Wolsky, an executive producer at WGBH Boston, believes television can be a way to teach Computational Thinking. She is in the first stages of creating an animated television show called Monkeying Around [$3,000,000 NSF award] that uses four monkeys to teach the subject. Why monkeys? EdSurge explains, "Initially, Wolsky said her team wanted to use rabbits to teach the kids, but after realizing the animal would need to use its hands, they decided to go with monkeys [Rabbits historically enjoyed success teaching the 3 R's]." In a press release announcing the new pre-K show, WGBH cited "a great deal of national interest in computer science and coding," adding that "it is never too early to start." WGBH is not the only PBS station that's bullish on CS. According to an NSF Award Abstract, "Twin Cities PBS (TPT), the National Girls Collaborative (NGC) and [tech-bankrolled] Code.org will lead Code: SciGirls! Media to Engage Girls in Computing Pathways, a three-year [$2.63 million] project designed to engage 8-13 year-old girls in coding through transmedia programming which inspires and prepares them for future computer science studies and career paths [...] Drawing on narrative transportation theory and character identification theory, TPT will commission two exploratory knowledge-building studies to investigate: To what extent and how do the narrative formats of the Code: SciGirls! online media affect girls' interest, beliefs, and behavioral intent towards coding and code-related careers?" And Code Trip, a PBS series touted by Microsoft that aired in 2016 [$200,000 NSF award], explored computer science opportunities for young people by, as Microsoft explained, following "three students traveling around the country to speak with leaders including Elizabeth Holmes, founder of Theranos, and Hadi Partovi, entrepreneur and cofounder of Code.org."
GNOME

System76 Unveils Its Own Ubuntu-Based Linux Distribution Called 'Pop!_OS' (betanews.com) 117

BrianFagioli writes: Not content with simply following Canonical and embracing vanilla GNOME, System76 has decided to take its future into its own hands. Today, the company releases the first alpha of an all-new Linux-based operating system called "Pop!_OS," which will eventually be the only OS pre-loaded on its computers. While it will still be based on Ubuntu and GNOME, System76 is tweaking it with its own style and included drivers. In other words, the company is better controlling the user experience, and that is smart.

"The Pop!_OS community is in its infancy. This is a fantastic time to engage with and help develop the processes and practices that will govern the future development of the operating system and its community. The team is currently opening up planning for the development roadmap, code of conduct, discussion forums, and the processes surrounding code contribution. Progress made on Pop!_OS has established an inviting, modern, and minimalist look and has improved the first-use experience including streamlining installation and user setup. Work on the first release, scheduled for October 19th, centers on appearance, stability, and overall tightness of the user experience followed by adding new features and greater customization ability," says System76.
You can check out the project on GitHub here and download the alpha ISO here. For more information, the company has set up a subreddit.

Security

Hacker Behind Massive Ransomware Outbreak Can't Get Emails From Victims Who Paid (vice.com) 182

Joseph Cox, reporting for Motherboard: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files. [...] The hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That process is not possible now, though. "Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately -- and blocked the account straight away."

Windows

Windows Switch To Git Almost Complete: 8,500 Commits and 1,760 Builds Each Day (arstechnica.com) 221

An anonymous reader quotes a report from Ars Technica: Back in February, Microsoft made the surprising announcement that the Windows development team was going to move to using the open source Git version control system for Windows development. A little over three months after that first revelation, about 90 percent of the Windows engineering team has made the switch. The Windows repository now has about 4,400 active branches, with 8,500 code pushes made per day and 6,600 code reviews each day. An astonishing 1,760 different Windows builds are made every single day -- more than even the most excitable Windows Insider can handle.

Android

Android Now Supports the Kotlin Programming Language (venturebeat.com) 91

In addition to Java and C++, Google announced at its I/O 2017 conference today that Android is gaining official support for the Kotlin programming language. VentureBeat reports: Kotlin is developed by JetBrains, the same people who created IntelliJ. Google describes Kotlin, which is an open-source project under the Apache 2.0 license, as "a brilliantly designed, mature language that we believe will make Android development faster and more fun." The company notes that some have already adopted the programming language for their production apps, including Expedia, Flipboard, Pinterest, and Square. There are already many enthusiastic Kotlin developers for Android, and the company says it is simply listening to what the community wants. But Google's choice didn't just come down to the team believing Kotlin will make writing Android apps easier. Developers will be happy to know that Kotlin's compiler emits Java byte-code. Kotlin can call Java, and Java can call Kotlin. Indeed, "the effortless interoperation between the two languages" was a large part of Kotlin's appeal to the Android team. This means you can add as little or as much Kotlin into your existing codebase as you want, mixing the two languages freely within the same project. Calling out to Kotlin code from Java code should just work, while calling to Java code requires some automatically applied translation conventions.

Facebook

ZeniMax Is Suing Samsung After Winning Its Case Against Oculus (cnn.com) 78

Games company ZeniMax successfully sued Facebook-owned Oculus for $500 million earlier this year, and now it has a new target in sight: Samsung. The company has filed a new lawsuit over Samsung's Gear VR headset, claiming that "Samsung knowingly profited from Oculus technology that was first developed at ZeniMax, then misappropriated by Oculus executive John Carmack," reports The Verge. From the report: Carmack, whose company id Software was acquired by ZeniMax in 2009, was one of the driving forces behind the Gear VR. While the headset was released by Samsung, it's described as "powered by Oculus," with heavy software optimizations developed by Carmack. But the lawsuit alleges that Carmack owed much of his success at Oculus to software he developed as part of a team at ZeniMax. Among other things, the Texas court filing claims that Carmack secretly brought Oculus (and former ZeniMax) employee Matt Hooper into id Software's offices to develop an "attack plan" for mobile VR, which Oculus would later take to Samsung. The Samsung Gear VR was also built on some of the same code as the Oculus Rift, which was the subject of ZeniMax's earlier lawsuit. ZeniMax's basic argument is that Samsung would have been aware of the lawsuit against Oculus, which was filed during the initial development of the Gear VR. But "Samsung continued to develop the Gear VR with full knowledge of ZeniMax's allegations and without obtaining any right or permission from ZeniMax to use any of its copyrights or other confidential information." The new lawsuit officially accuses Samsung of copyright infringement for using ZeniMax VR code in the Gear VR, as well as trade secret misappropriation, unfair competition, and unjust enrichment.
Mozilla

Email Client Thunderbird To Stay With The Mozilla Foundation, Sort Of (mozilla.org) 100

Philipp Kewisch, writing for Mozilla: The investigations on Thunderbird's future home have concluded. The Mozilla Foundation has agreed to serve as the legal and fiscal home for the Thunderbird project, but Thunderbird will migrate off Mozilla Corporation infrastructure, separating the operational aspects of the project. [...] The Mozilla Foundation has agreed to continue as Thunderbird's legal, fiscal and cultural home, with the following provisos:
1. The Thunderbird Council (see footnote) and the Mozilla Foundation executive team maintain a good working relationship and make decisions in a timely manner.
2. The Thunderbird Council and the team make meaningful progress in short order on operational and technical independence from Mozilla Corporation.
3. Either side may give the other six months notice if they wish to discontinue the Mozilla Foundation's role as the legal and fiscal host of the Thunderbird project.
In a conversation with Slashdot, a spokesperson of Mozilla acknowledged that the general sentiment is "Thunderbird code needs to be modernized and the dependencies on the Mozilla code framework need to be reduced. This may include re-implementing or migrating features to make better use of web technologies."

(Footnote: Back in 2012, Mozilla announced that it would reallocate most of the paid project members to other projects, handing off the responsibility for the project to the volunteer community that had formed around Thunderbird. This group met in Toronto in 2014 to discuss the future of Thunderbird and formed the Thunderbird Council, a group of individuals that has the power to make business decisions going forward.)
Privacy

Over 200 Android Apps Are Currently Using Ultrasonic Beacons To Track Users (bleepingcomputer.com) 192

Catalin Cimpanu, writing for BleepingComputer: A team of researchers from the Brunswick Technical University in Germany has discovered an alarming number of Android apps (234, to be exact) that employ ultrasonic tracking beacons to track users and their nearby environment. Their research paper focused on the technology of ultrasound cross-device tracking (uXDT) that became very popular in the last three years. uXDT is the practice of advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones. SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV "x" is also the owner of smartphone "Y" and links their two previous advertising profiles together, creating a broader picture of the user's interests, device portfolio, home, and even family members.
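
The summary explains the mechanism (an inaudible tone embedded in an ad, picked up by an app that has microphone permission) but not how one would notice such a beacon. The following is an added example written for this page, not code from the Braunschweig study or from any tracking SDK: it synthesises a short window of audio containing an audible 440 Hz tone with and without a faint 19 kHz tone, and scans the 18 to 20 kHz band with the Goertzel algorithm, a single-bin DFT that needs no numpy. The 48 kHz sample rate, the 18 to 20 kHz band and the amplitude floor are assumptions made here; the summary gives no figures for any of them.

```python
import math
from typing import List, Tuple

FS = 48_000            # sample rate in Hz (assumed; a common phone mic rate)
WINDOW_SECONDS = 0.1   # 4800 samples: 10 Hz bin spacing, so every scanned bin is exact
BEACON_BAND = (18_000, 20_000)  # assumed near-ultrasonic band; the summary gives no figure

def synth(tones: List[Tuple[float, float]], fs: int = FS,
          seconds: float = WINDOW_SECONDS) -> List[float]:
    """Constructed test audio: a sum of (frequency_hz, amplitude) sinusoids."""
    n = int(fs * seconds)
    return [sum(a * math.sin(2 * math.pi * f * i / fs) for f, a in tones)
            for i in range(n)]

def goertzel_amplitude(samples: List[float], fs: int, target_hz: float) -> float:
    """Amplitude of the sinusoid at target_hz via the Goertzel algorithm
    (one DFT bin in O(N) time). For a tone that sits exactly on a bin the
    returned value equals the tone's amplitude."""
    n = len(samples)
    k = int(0.5 + n * target_hz / fs)
    w = 2 * math.pi * k / n
    coeff = 2 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    real = s_prev - s_prev2 * math.cos(w)
    imag = s_prev2 * math.sin(w)
    return 2 * math.hypot(real, imag) / n

def scan_band(samples: List[float], fs: int, f_lo: int, f_hi: int,
              step_hz: int = 100) -> Tuple[int, float]:
    """Strongest bin in [f_lo, f_hi] as (frequency_hz, amplitude)."""
    best = (f_lo, 0.0)
    for f in range(f_lo, f_hi + 1, step_hz):
        amp = goertzel_amplitude(samples, fs, f)
        if amp > best[1]:
            best = (f, amp)
    return best

def detect_beacon(samples: List[float], fs: int = FS,
                  min_amp: float = 0.01) -> Tuple[bool, int, float]:
    """Flag a window if the near-ultrasonic band holds a tone above min_amp.
    min_amp is a fixed floor for this illustration; a deployed detector would
    estimate the noise floor per device and apply a window function first."""
    freq, amp = scan_band(samples, fs, *BEACON_BAND)
    return amp >= min_amp, freq, amp

if __name__ == "__main__":
    speech_like = synth([(440.0, 0.5)])
    with_beacon = synth([(440.0, 0.5), (19_000.0, 0.05)])
    print("clean audio :", detect_beacon(speech_like))
    print("with beacon :", detect_beacon(with_beacon))
```

The beacon tone is a tenth of the audible one's amplitude, which is enough for a microphone and far too quiet and too high to hear; the detector still recovers its frequency and amplitude cleanly because the Goertzel bin at 19 kHz is orthogonal to the 440 Hz content. Real recordings are noisier and the tones drift, so a practical version would window each frame and compare the band peak against the surrounding noise floor rather than against a fixed constant.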
Operating Systems

Linux Mint 18.2 Ubuntu-based OS is Named 'Sonya' (betanews.com) 34

Brian Fagioli, writing for BetaNews: The uncertainty about Ubuntu has not deterred the Linux Mint team, however, as they are moving ahead with plans for version 18.2. While details about the upcoming version of the operating system are scarce, we have learned two important details. First, the code name for the OS will be 'Sonya,' and second, the distro will use LightDM as default display manager.
Privacy

'World's Most Secure' Email Service Is Easily Hackable (vice.com) 77

Nomx, a startup that offers an email client by the same name, bills itself as the maker of the "world's most secure email service." The startup goes on to suggest that "everything else is insecure." So it was only a matter of time before someone decided to spend some time on assessing how valid Nomx's claims are. Very misleading, it turns out. From a report on Motherboard: Nomx sells a $199 device that essentially helps you set up your own email server in an attempt to keep your emails away from mail exchange (or MX) -- hence the brand name -- servers, which the company claims to be inherently "vulnerable." Security researcher Scott Helme took apart the device and tried to figure out how it really works. According to his detailed blog post, what he found is that the box is actually just a Raspberry Pi with outdated software on it, and several bugs. So many, in fact, that Helme wrote Nomx's "code is riddled with bad examples of how to do things." The worst issue, Helme explained, is that the Nomx's web application had a vulnerability that allowed anyone to take full control of the device remotely just by tricking someone to visit a malicious website. "I could read emails, send emails, and delete emails. I could even create my own email address," Helme told Motherboard in an online chat. A report on BBC adds: Nomx said the threat posed by the attack detailed by Mr Helme was "non-existent for our users." Following weeks of correspondence with Mr Helme and the BBC Click Team, he said the firm no longer shipped versions that used the Raspberry Pi. Instead, he said, future devices would be built around different chips that would also be able to encrypt messages as they travelled. "The large cloud providers and email providers, like AOL, Yahoo, Gmail, Hotmail - they've already been proven that they are under attack millions of times daily," he said. "Why we invented Nomx was for the security of keeping your data off those large cloud providers. To date, no Nomx accounts have been compromised."
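
The summary describes the worst bug only by its effect: an attacker who gets the device's owner to visit a malicious page can then act on the admin interface, right up to creating a mailbox. It does not name the bug class, but the textbook way for a third-party page to drive an authenticated web application is cross-site request forgery, where the victim's browser attaches the session cookie to a request the attacker's page submits. The block below is an added illustration written for this page, not Nomx's code or Helme's exploit: a minimal admin app with a create-mailbox handler in its vulnerable form beside a hardened one, and a forged request replayed against both. The `ADMIN_ORIGIN` value, the handler names and the sample addresses are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

ADMIN_ORIGIN = "https://nomx.local"  # assumed origin of the device's admin UI

@dataclass
class Request:
    """The parts of an HTTP request that matter here, as a browser would send them."""
    method: str
    origin: Optional[str]     # Origin header; browsers set it on cross-site POSTs
    cookies: Dict[str, str]   # sent automatically, which is the whole problem
    form: Dict[str, str]

class AdminApp:
    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, str]] = {}
        self.mailboxes: Set[str] = set()

    def login(self, user: str) -> str:
        """Returns the session id. The real app would deliver it as
        'Set-Cookie: sid=...; Secure; HttpOnly; SameSite=Strict' so that
        the browser itself withholds the cookie on cross-site requests."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid: str) -> str:
        """Embedded in the admin UI's own form; a third-party page cannot read it."""
        return self.sessions[sid]["csrf"]

    def create_mailbox_vulnerable(self, req: Request) -> int:
        """Authenticates on the cookie alone. The cookie rides along with any
        request the browser makes to the device, including a form that a page
        the admin was lured to auto-submits, so the forged request succeeds."""
        sess = self.sessions.get(req.cookies.get("sid", ""))
        if sess is None:
            return 401
        self.mailboxes.add(req.form.get("address", ""))
        return 200

    def create_mailbox_hardened(self, req: Request) -> int:
        """Same action with three independent checks: state changes only on
        POST, the Origin header must be the admin UI itself, and the form must
        carry the per-session token (compared in constant time)."""
        sess = self.sessions.get(req.cookies.get("sid", ""))
        if sess is None:
            return 401
        if req.method != "POST":
            return 405
        if req.origin != ADMIN_ORIGIN:
            return 403
        if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
            return 403
        self.mailboxes.add(req.form.get("address", ""))
        return 200

def demo() -> Dict[str, object]:
    """Replays a forged request (constructed here) against both handlers."""
    app = AdminApp()
    sid = app.login("admin")
    forged = Request("POST", "https://attacker.example", {"sid": sid},
                     {"address": "backdoor@victim.example"})
    legit = Request("POST", ADMIN_ORIGIN, {"sid": sid},
                    {"address": "alice@victim.example", "csrf": app.csrf_token(sid)})
    return {
        "vulnerable_forged": app.create_mailbox_vulnerable(forged),  # 200: account created
        "hardened_forged": app.create_mailbox_hardened(forged),      # 403: wrong origin
        "hardened_legit": app.create_mailbox_hardened(legit),        # 200
        "mailboxes": sorted(app.mailboxes),
    }

if __name__ == "__main__":
    print(demo())
```

The three checks are deliberately redundant: the Origin check fails open on old clients that omit the header, the token check depends on the form never being readable cross-origin, and the SameSite cookie attribute depends on browser support, so a device that will sit unpatched on a home network should not rely on any one of them.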
China

Baidu Announces New Open Platform To Help Speed Up Development of Self-Driving Cars (theverge.com) 27

Chinese tech giant Baidu has announced a new autonomous vehicle platform called Project Apollo, which aims to help speed up the development of self-driving cars. "Baidu says the platform encompasses both hardware and software, providing partners with the tech and open-source code needed to help their own vehicles perceive obstacles, plan their routes, and otherwise move around our world," reports The Verge. From the report: Baidu says it will first open up Project Apollo for cars operating in restricted environments in July, before offering it to vehicles driving in simple urban road conditions later this year. That's ahead of a gradual rollout of self-driving features that should see cars operating fully autonomously on highways and regular roads by 2020. The release comes as Baidu moves to position itself at the forefront of the autonomous vehicle industry. The Chinese company has aimed for the ambitious goal of getting a self-driving car to market by 2018, and is challenging rivals such as Google on its home turf, building a team of engineers based in Silicon Valley and scoring relevant permits so it can test vehicles in California.
