Programming

Ask Slashdot: How Would You Stop The Deployment Of Unapproved Code Changes? 324

Over a million lines of code -- in existence for over 10 years -- gets updates in six-week "sprints" using source control and bug-tracking systems. But now an anonymous reader writes: In theory users report bugs, the developers "fix" the bugs, the users test and accept the fix, and finally the "fix" gets released to production as part of a larger change-set. In practice, the bug is reported, the developers implement "a fix", no one else tests it (except for the developer(s)), and the "fix" gets released with the larger code change set, to production.

We (the developers) don't want to release "fixes" that users haven't accepted, but the code changes often include changes at all levels of the stack (database, DAOs, Business Rules, Webservices and multiple front-ends). Multiple code changes could be occurring in the same areas of code by different developers at the same time, making merges of branches very complex and error prone. Many fingers are in the same pie. Our team size, structure and locations prevent having a single gatekeeper for code check-ins... What tools and procedures do you use to prevent un-approved fixes from being deployed to production as part of the larger code change sets?

Fixes are included in a test build for users to test and accept -- but what if they never do? Leave your best answers in the comments. How would you stop un-approved code changes from being deployed?
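One way to enforce the "no unaccepted fix ships" rule mechanically, as an added example that is not part of the submitter's post and not any particular product: a release gate that walks the commits in the release range, pulls the ticket id out of each subject line, and refuses the build unless every referenced ticket is in the tracker's accepted state. The BUG-nnn commit-message convention, the git log format and the tracker lookup are assumptions; here both the log and the tracker are constructed in-memory samples.

```python
"""Release gate: block a build that contains commits whose tickets the users
have not accepted.  Added example, not from the submitter; the BUG-nnn commit
convention and the tracker lookup are assumptions.  In a real pipeline the log
comes from `git log --format=%H%x09%s <last-release>..HEAD` and the ticket
state from the bug tracker's API."""
import re
import sys

TICKET_RE = re.compile(r"\b([A-Z]{2,10}-\d+)\b")

# Constructed sample of the release range, one commit per line: sha<TAB>subject
SAMPLE_LOG = (
    "a1b2c3d\tBUG-101 fix null dereference in customer DAO\n"
    "b2c3d4e\tBUG-102 raise webservice timeout to 30s\n"
    "c3d4e5f\tclean up logging in the rules engine\n"
    "d4e5f6a\tBUG-103 round tax to two decimals in business rule\n"
)

# Constructed tracker state: the status a user sets after testing the fix.
SAMPLE_TRACKER = {"BUG-101": "accepted", "BUG-102": "fixed", "BUG-103": "accepted"}


def parse_log(log_text):
    """Yield (sha, subject, [ticket ids]) for each non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, _, subject = line.partition("\t")
        yield sha, subject, TICKET_RE.findall(subject)


def gate_release(log_text, tracker, required_status="accepted"):
    """Return (ok, blocked).  blocked lists (sha, subject, reason) for every
    commit that must not ship: untracked work, or a ticket whose status is
    not `required_status`.  A commit referencing several tickets needs all
    of them accepted."""
    blocked = []
    for sha, subject, tickets in parse_log(log_text):
        if not tickets:
            blocked.append((sha, subject, "no ticket referenced"))
            continue
        for ticket in tickets:
            status = tracker.get(ticket, "unknown")
            if status != required_status:
                blocked.append((sha, subject,
                                f"{ticket} is '{status}', not '{required_status}'"))
    return len(blocked) == 0, blocked


def main():
    ok, blocked = gate_release(SAMPLE_LOG, SAMPLE_TRACKER)
    for sha, subject, reason in blocked:
        print(f"BLOCK {sha} {subject!r}: {reason}")
    print("release OK" if ok else f"release blocked by {len(blocked)} commit(s)")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as the last step of the release pipeline, the gate answers the submitter's "what if they never accept" case by design: an unaccepted fix holds the release until someone either accepts the ticket or reverts the commit. It does nothing about the merge pain described above; that needs the fix to live on its own branch or behind a flag so reverting it is cheap.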
Programming

Researchers Determine What Makes Software Developers Unhappy (vice.com) 149

Researchers recently surveyed 2,200 software developers to calculate the distribution of unhappiness throughout the profession, and to identify its top causes, "incorporating a psychometrically validated instrument for measuring (un)happiness." An anonymous reader quotes Motherboard: Daniel Graziotin and his team found their survey subjects via GitHub. Contact information was found by mining archived data for past public GitHub events, where email addresses are apparently more plentiful. They wound up with 33,200 records containing developer locations, contact information, and employers. They took a random sampling from this dataset and wound up with about 1,300 valid survey responses... According to survey results released earlier this month, software developers are on average a "slightly happy" group of workers...

Survey responses were scored according to the SPANE-B metric, a standard tool used in psychology to assess "affect," defined as total negative feelings subtracted from total positive feelings. It ranges from -24 to 24. The mean score found in the developer happiness survey was 9.05. Slightly happy. The minimum was -16, while the maximum was 24. So, even in the worst cases, employees weren't totally miserable, whereas in the best cases employees weren't miserable at all.

The paper -- titled "On the Unhappiness of Software Developers" -- found that the top cause of unhappiness was being stuck while solving a problem, followed by "time pressure," bad code quality/coding practices, and "under-performing colleague."

And since happiness has been linked to productivity, the researchers write that "Our results, which are available as open data, can act as guidelines for practitioners in management positions and developers in general for fostering happiness on the job...unhappiness is present, caused by various factors and some of them could easily be prevented."
Firefox

Firefox To Let Users Control Memory Usage (bleepingcomputer.com) 213

An anonymous reader quotes a report from BleepingComputer: Mozilla engineers are working on a new section in the browser's preferences that will let users control the browser's performance. Work on this new section started last Friday when an issue was opened in the Firefox bug tracker. Right now, the Firefox UI team has proposed a basic sketch of the settings section and its controls. Firefox developers are now working to isolate or implement the code needed to control those settings [1, 2, 3]. According to the current version of the planned Performance settings section UI, users will be able to control if they use UI animations (to be added in a future Firefox version), if they use page prefetching (feature to preload links listed on a page), and how many "content" processes Firefox uses (Firefox currently supports two processes [one for the Firefox core and one for content], but this will expand to more starting v54).
Cellphones

Scientists Prove Your Phone's PIN Can Be Stolen Using Its Gyroscope Data (digitaltrends.com) 61

A team of scientists at Newcastle University in the UK managed to reveal a user's phone PIN code using its gyroscope data. "In one test, the team cracked a passcode with 70 percent accuracy," reports Digital Trends. "By the fifth attempt, the accuracy had gone up to 100 percent." From the report: It takes a lot of data, to be sure. The Guardian notes users had to type 50 known PINs five times before the researchers' algorithm learned how they held a phone when typing each particular number. But it highlights the danger of malicious apps that gain access to a device's sensors without requesting permission. The risk extends beyond PIN codes. In total, the team identified 25 different smartphone sensors which could expose compromising user information. Worse still, only a small number -- such as the camera and GPS -- ask the user's permission before granting access to that data. It's precise enough to track behavior. Using "orientation" and "emotion trace" data, the researchers were able to determine what part of a web page a user was clicking on and what they were typing. The paper has been published in the International Journal of Information Security.
Canada

Canada Hid the Konami Code In Its Commemorative $10 Bill Launch (engadget.com) 78

The Bank of Canada hid a "Konami Code" Easter egg on the website celebrating its new $10 bank note. The Konami Code is a cheat code that appears in many Konami video games, allowing players to press a sequence of buttons on their game controller to enable the cheat. "The Bank of Canada's web team thought the Konami code [Easter egg] was a fun way to celebrate Canada's 150th anniversary of Confederation," Bank of Canada spokeswoman Josianne Menard told CTV news. Engadget reports: On top of being laden with anti-counterfeiting tech that makes it extremely difficult to copy (holograms, raised ink, color-changing images and polymer materials), the new ten is a who's who and what's what of Canadian history. It features Canada's founding Prime Minister John A. MacDonald, Agnes Macphail, first woman parliamentarian, and Indigenous peoples pioneer James Gladstone, known in his Blackfoot language as Akay-na-muka. It also shows Canada's prairies, the coastal mountains of British Columbia, the Canadian Shield, Atlantic coast, northern lights, Metis Assomption Sash, maple leaf and much more (no poutine, though). All of that is squeezed on the 152.4 x 69.85 mm note -- that's exactly 6 x 2.75 inches, because Canada uses the metric system but probably still buys its printing presses from the U.S. The Konami code is in keeping with Canada's tradition of doing cute, pop-culture things with its history.
Encryption

Ransomware Asks For High Score Instead of Money (arstechnica.com) 36

An anonymous reader quotes a report from Ars Technica: "Rensenware" forces players to get a high score in a difficult PC shoot-em-up to decrypt their files. As Malware Hunter Team noted yesterday, users on systems infected with Rensenware are faced with the usual ransomware-style warning that "your precious data like documents, musics, pictures, and some kinda project files" have been "encrypted with highly strong encryption algorithm." The only way to break the encryption lock, according to the warning, is to "score 0.2 billion in LUNATIC level" on TH12 ~ Undefined Fantastic Object. That's easier said than done, as this gameplay video of the "bullet hell" style Japanese shooter shows. As you may have guessed from the specifics here, the Rensenware bug was created more in the spirit of fun than maliciousness. After Rensenware was publicized on Twitter, its creator, who goes by Tvple Eraser on Twitter and often posts in Korean, released an apology for releasing what he admitted was "a kind of highly-fatal malware." The apology is embedded in a Rensenware "forcer" tool that Tvple Eraser has released to manipulate the game's memory directly, getting around the malware's encryption without the need to play the game (assuming you have a copy installed, that is). While the original Rensenware source code has been taken down from the creator's Github page, a new "cut" version has taken its place, showing off the original joke without any actually malicious forced encryption.
Transportation

Amazon's Drone-Delivery Dreams Are No Joke (backchannel.com) 147

Backchannel's Steven Levy reports that Amazon "has a site at an undisclosed semi-rural location where it attempts to simulate the possible obstacles that drones will face in real-world deliveries." Amazon's drones reach speeds of 60 miles per hour and can perform a 20-mile round trip, which Amazon believes could make them especially useful for deliveries to the suburbs and some rural areas. "The facility features a faux backyard and other simulated locations where drones might have to drop off their cargo." An anonymous reader quotes their report: "For a while, we were missing clotheslines," says Paul Viola, an AI expert who is in charge of Prime Air's autonomy efforts. Now, Amazon's vehicles have a "Don't Hit Clotheslines!" rule in their code. There's even a simulated dog (though not a robot) that Amazon uses to see how the vehicles will respond to canine threats... Amazon is also planning for urban deliveries, with the idea of landing drones on rooftops [and] eventually it might expand to multiple deliveries per expedition, or even take returns back to the warehouse...

All of this is done without human intervention. Drones know where to go and how to get there without a human sitting at a ground station actually flying the plane... [A] Prime Air technician can order a drone to land, but ultimately the drones are autonomous. Amazon envisions that eventually it will have sort of an air traffic controller monitoring the flight patterns of multiple drones.

If something goes wrong, "the first rule of Amazon drones is to abort the flight, returning to base or even carefully finding a landing spot from which to send a rescue signal. 'If it doesn't seem safe, it will land as soon as safely possible,' says Gur Kimchi, who has headed the Prime Air team for four years. (He previously worked at Microsoft.)"
Microsoft

Microsoft Is Shutting Down CodePlex (venturebeat.com) 45

Microsoft corporate vice president Brian Harry announced in a blog post today that they are shutting down CodePlex, its service for hosting repositories of open source software. "As of this post, we've disabled the ability to create new CodePlex projects," Harry wrote. "In October, we'll set CodePlex to read-only, before shutting it down completely on December 15th, 2017." VentureBeat reports: While people will be able to download an archive of their data, Microsoft is teaming up with GitHub, which provides similar functionality for hosting code that people can collaborate on, to give users "a streamlined import experience" to migrate code and related content there. "Over the years, we've seen a lot of amazing options come and go but at this point, GitHub is the de facto place for open source sharing and most open source projects have migrated there," Harry wrote. Microsoft has been leaning in more and more to GitHub in the past few years. It moved the CNTK deep learning toolkit from CodePlex to GitHub last year. Today Microsoft's GitHub organization has more than 16,000 open source contributors, Harry wrote. And last year GitHub itself made a big deal about Microsoft's adoption of GitHub. At the same time, CodePlex has rotted. In the past month people have made commits to fewer than 350 projects, Harry wrote. GitHub is based on the Git open source version control software, which keeps track of changes by multiple people. People can move code to alternative systems like Atlassian's Bitbucket and Microsoft's Visual Studio Team Services, Harry wrote. The startup GitLab also offers hosting for open and closed source projects.

Slashvertisement: Here is SourceForge's message to CodePlex devs.
Intel

Intel Security Releases Detection Tool For EFI Rootkits After CIA Leak (pcworld.com) 159

After WikiLeaks revealed data exposing information about the CIA's arsenal of hacking tools, Intel Security has released a tool that allows users to check if their computer's low-level system firmware has been modified and contains unauthorized code. PCWorld reports: The release comes after CIA documents leaked Tuesday revealed that the agency has developed EFI (Extensible Firmware Interface) rootkits for Apple's Macbooks. The documents from CIA's Embedded Development Branch (EDB) mention an OS X "implant" called DerStarke that includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter. In addition to DarkMatter, there is a second project in the CIA EDB documents called QuarkMatter that is also described as a "Mac OS X EFI implant which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant." The Advanced Threat Research team at Intel Security has created a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries. CHIPSEC consists of a set of command-line tools that use low-level interfaces to analyze a system's hardware, firmware, and platform components. It can be run from Windows, Linux, macOS, and even from an EFI shell. The new CHIPSEC module allows the user to take a clean EFI image from the computer manufacturer, extract its contents and build a whitelist of the binary files inside. It can then compare that list against the system's current EFI or against an EFI image previously extracted from a system.
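The whitelist-and-compare step described above, as an added example in plain Python that is not CHIPSEC's own code and does not use its module API: hash every binary carved out of the known-good firmware image, then diff a later extraction against that list to flag binaries that were added, removed or altered. It assumes the EFI binaries have already been extracted to name/bytes pairs (CHIPSEC does that part from the SPI flash dump) and uses constructed in-memory samples in place of the files; a driver dropped onto the EFI system partition, the persistence path the QuarkMatter description mentions, shows up the same way when the ESP's contents are fed in.

```python
"""Build a whitelist of EFI binaries from a clean firmware image and check a
later extraction against it.  Added example, not CHIPSEC's code.  Assumes the
binaries have already been extracted as {name: bytes}; all samples below are
constructed and the driver names are hypothetical."""
import hashlib
import json

# Constructed "clean" extraction, as taken from the OEM's published image.
# Real EFI drivers are PE/COFF files, hence the "MZ" prefix.
CLEAN_IMAGE = {
    "PlatformInit.efi": b"MZ" + b"platform init v1",
    "SataController.efi": b"MZ" + b"sata ctrl",
    "Shell.efi": b"MZ" + b"uefi shell",
}

# Constructed extraction from the machine under examination: one driver has
# been patched and one that the OEM never shipped has appeared.
CURRENT_IMAGE = {
    "PlatformInit.efi": b"MZ" + b"platform init v1",
    "SataController.efi": b"MZ" + b"sata ctrl" + b"\x90\x90",
    "Shell.efi": b"MZ" + b"uefi shell",
    "Persist.efi": b"MZ" + b"not from the vendor",
}


def build_whitelist(binaries):
    """{name: bytes} -> {name: sha256 hex}.  Run once against the clean image."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in binaries.items()}


def whitelist_to_json(whitelist):
    """Serialise the list so it can be kept with the image it was built from."""
    return json.dumps(whitelist, sort_keys=True, indent=2)


def whitelist_from_json(text):
    return json.loads(text)


def check_against_whitelist(whitelist, binaries):
    """Compare a current extraction with the whitelist.
    Returns {'added': [...], 'removed': [...], 'modified': [...]} (sorted).
    'added' and 'modified' are binaries the vendor image did not ship in that
    form; 'removed' is reported too, since a missing driver can also mean
    tampering (a disabled Secure Boot component, for instance)."""
    current = build_whitelist(binaries)
    return {
        "added": sorted(n for n in current if n not in whitelist),
        "removed": sorted(n for n in whitelist if n not in current),
        "modified": sorted(n for n in current
                           if n in whitelist and current[n] != whitelist[n]),
    }


def is_clean(report):
    """True only when the extraction matches the whitelist exactly."""
    return not (report["added"] or report["removed"] or report["modified"])


if __name__ == "__main__":
    wl = build_whitelist(CLEAN_IMAGE)
    report = check_against_whitelist(wl, CURRENT_IMAGE)
    for kind, names in report.items():
        for name in names:
            print(f"{kind:8s} {name}")
    print("clean" if is_clean(report) else "firmware differs from vendor image")
```

Two caveats a practitioner would want: the whitelist is only as trustworthy as the clean image's provenance, so build it from the vendor's download and not from an extraction of a machine that may already be implanted; and a comparison keyed on file contents only sees what the extraction covers, so an implant living outside the parsed firmware volumes, or a vendor update applied since the whitelist was built, both need handling before reading "modified" as "compromised".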
Apple

Apple Begins Rejecting Apps With 'Hot Code Push' Feature (apple.com) 149

Apple has long permitted "hot code push", a feature that allows developers to continuously deploy changes to their mobile apps and have those changes appear in their apps instantly. This allowed developers to make quick changes to their apps without having to resubmit the new iteration and get approval from the App Store review team. But that's changing now. In response to a developer's query, Apple confirmed that it no longer permits "hot code push." The company told the developer: Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app's behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app's behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.
Government

Uber Has Been Using a Secretive Program To Identify Enforcement Officers And Prevent Them From Hailing Cars (nytimes.com) 218

Uber has been using a secretive program to evade authorities for years, particularly at times when city regulators were trying to block the ride-hailing service, according to a new report by the New York Times. From the report: Uber is using a tool called "Greyball" to identify requests made by certain users and deny them service, according to the report. The application, later renamed the "violation of terms of service" or VTOS program, is said to employ data analysis on info collected by the Uber app to identify individuals violating Uber's terms of service, and blocks riders who fall into that category from being able to hail rides -- including, according to the report, members of code enforcement authorities or city officials who are attempting to gather data about Uber offering service where it's currently prohibited. The report claims that Uber's "violation of terms of service" or VTOS program, briefly known as Greyball, began around 2014, and has sign-off from Uber's legal team. In a statement, Uber said, "This program denies ride requests to users who are violating our terms of service -- whether that's people aiming to physically harm drivers, competitors looking to disrupt our operations, or opponents who collude with officials on secret 'stings' meant to entrap drivers."

Journalists, putting things in context. Russell Brandom, a reporter at The Verge, said: "This is the kind of thing a DA would put in front of a judge if they wanted to subpoena Uber's business records for an entire city." Matt Rosoff, editorial director at CNBC Digital, added: "I've been a tech journalist on and off for 21 years and I can't remember any company having a worse month news cycle-wise than Uber is now."
Bug

Google Discloses Yet Another New Unpatched Microsoft Vulnerability In Edge/IE (bleepingcomputer.com) 73

An anonymous reader quotes BleepingComputer: Google has gone public with details of a second unpatched vulnerability in Microsoft products, this time in Edge and Internet Explorer, after publishing details last week about a bug in the Windows GDI (Graphics Device Interface) component... The bug, discovered by Google Project Zero researcher Ivan Fratric, is tracked by the CVE-2017-0037 identifier and is a type confusion, a kind of security flaw that can allow an attacker to execute code on the affected machine and take over a device.

Details about CVE-2017-0037 are available in Google's bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker's skill level, more dangerous exploits could be built... Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws, one affecting the Windows GDI component and one the SMB file sharing protocol shipped with all Windows OS versions...

Google's team notified Microsoft of the bug 90 days ago, only disclosing it publicly on Friday.
The Military

The US Department Of Defense Announces An Open Source Code Repository (defense.gov) 58

"The Pentagon is the latest government entity to join the open-source movement," writes NextGov. An anonymous reader quotes their report: The Defense Department this week launched Code.mil, a public site that will eventually showcase unclassified code written by federal employees. Citizens will be able to use that code for personal and public projects... The Defense Department's Digital Service team, whose members are recruited for short-term stints from companies including Google and Netflix, will be the first to host its code on the site once the agreement is finalized... "This is a direct avenue for the department to tap into a worldwide community of developers to collectively speed up and strengthen the software development process," a DOD post announcing the initiative said. The Pentagon also aims to find software developers and "make connections in support of DOD programs that ultimately service our national security."

Interestingly, there are no copyright protections on code written by federal employees under U.S. (and some international) law, according to the site. "This can make it hard to attach an open source license to our code, and our team here at Defense Digital Service wants to find a solution. You can submit a public comment by opening a GitHub issue on this repository before we finalize the agreement at the end of March."
The Almighty Buck

A Source Code Typo Allowed An Attacker To Steal $592,000 In Cryptocurrency (bleepingcomputer.com) 88

An anonymous reader writes: "A typo in the Zerocoin source code allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price," reports BleepingComputer. According to the Zcoin team, one extra character left inside Zerocoin's source code was the cause of the bug. The hacker exploited the bugs for weeks, by initiating a transaction and receiving the money many times over.

"According to the Zcoin team, the attacker (or attackers) was very sophisticated and took great care to hide his tracks," reports the site. "They say the attacker created numerous accounts at Zerocoin exchanges and spread transactions across several weeks so that traders wouldn't notice the uneven transactions volume... The Zcoin team says they worked with various exchanges to attempt and identify the attacker but to no avail. Out of the 370,000 Zerocoin he stole, the attacker has already sold 350,000. The Zcoin team estimates the attacker made a net profit of 410 Bitcoin ($437,000)."
Crime

Russia Arrests Top Kaspersky Lab Security Researcher On Charges of Treason (bleepingcomputer.com) 84

An anonymous reader quotes a report from BleepingComputer: Russian authorities arrested Ruslan Stoyanov, one of Kaspersky Lab's top-ranked security researchers, under article 275 of the Russian criminal code, which refers to treason. According to Russian newspaper Kommersant, who broke the story today, Stoyanov was arrested in December, together with the head of the Russian Secret Service (FSB) information security department Sergei Mikhailov. In a statement released today by Kaspersky Lab, the company says that Stoyanov was arrested based on activities he partook in before joining the company. Details regarding the investigation are murky, but according to the Russian newspaper who quotes anonymous sources, Stoyanov was involved in facilitating the transfer of funds from foreign companies to Mikhailov's accounts. According to Stoyanov's LinkedIn account, before serving as Head of the Computer Incidents Investigation Team at Kaspersky, he worked as Deputy Director for a company called Indrik, but also as a Major in the Ministry of Interior's Cyber Crime Unit.
Programming

Slashdot's Interview With Swift Creator Chris Lattner 85

You asked, he answered! The creator of Apple's Swift programming language (and a self-described "long-time reader/fan of Slashdot") stopped by on his way to a new job at Tesla just to field questions from Slashdot readers. Read on for Chris's answers...
Education

Google-Funded Project Envisions Nation's Librarians Teaching Kids to Code (ala.org) 197

"We're excited to double down on the findings of Ready to Code 1," says one Google program manager, "by equipping librarians with the knowledge and skills to cultivate computational thinking and coding skills in our youth." theodp writes: Citing the need to fill "500,000 current job openings in the field of computer science," the American Library Association argues in a new whitepaper that "all 115,000 of the nation's school and public libraries are crucial community partners to guarantee youth have skills essential to future employment and civic participation"... The ALA's Google-funded "Libraries Ready to Code" project has entered Phase II, which aims to "equip Master's in Library Science students to deliver coding programs through public and school libraries and foster computational thinking skills among the nation's youth."

"Libraries play a vital role in our communities, and Google is proud to build on our partnership with ALA," added Hai Hong, who leads US outreach on Google's K-12 Education team... "Given the ubiquity of technology and the half-a-million unfilled tech jobs in the country, we need to ensure that all youth understand the world around them and have the opportunity to develop the essential skills that employers -- and our nation's economy -- require."
Privacy

Ultrasound Tracking Could Be Used To Deanonymize Tor Users (bleepingcomputer.com) 207

New submitter x_t0ken_407 quotes a report from BleepingComputer: Ultrasounds emitted by ads or JavaScript code hidden on a page accessed through the Tor Browser can deanonymize Tor users by making nearby phones or computers send identity beacons back to advertisers, data which contains sensitive information that state-sponsored actors can easily obtain via a subpoena. This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week. Their research focuses on the science of ultrasound cross-device tracking (uXDT), a new technology that started being deployed in modern-day advertising platforms around 2014. uXDT relies on advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones. These second-stage devices, which silently listen in the background, will interpret these ultrasounds, which contain hidden instructions, telling them to ping back to the advertiser's server with details about that device. Advertisers use uXDT in order to link different devices to the same person and create better advertising profiles so as to deliver better-targeted ads in the future. The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds or accessing a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API.
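To make the beacon mechanism concrete, an added example that is not the researchers' code and not any vendor's beacon format: a 16-bit beacon id is sent as two-tone FSK in the 18 to 19.5 kHz band, which ordinary phone microphones capture at a 44.1 kHz sample rate but most adults cannot hear, and a listener recovers it with a Goertzel filter per symbol. The frequencies, symbol length and bit encoding are assumptions chosen for illustration; in the browser the emitting half would produce the same samples through the Web Audio API, which is the part the attack relies on.

```python
"""Near-ultrasonic beacon: encode a 16-bit id as two-tone FSK and decode it
with a per-symbol Goertzel filter.  Added illustration of the uXDT mechanism,
not any real advertiser's scheme; frequencies and timings are assumptions."""
import math
import random

RATE = 44100                        # typical browser/phone audio rate
F_ZERO, F_ONE = 18000.0, 19500.0    # above most adults' hearing, below Nyquist
SYMBOL = 2205                       # 50 ms per bit; both tones are exact bins
ID_BITS = 16


def encode_id(beacon_id, amplitude=0.05):
    """PCM floats in [-1, 1] carrying beacon_id, most significant bit first.
    A quiet amplitude is enough: the decoder integrates over a whole symbol."""
    samples = []
    for i in range(ID_BITS - 1, -1, -1):
        freq = F_ONE if (beacon_id >> i) & 1 else F_ZERO
        for n in range(SYMBOL):
            samples.append(amplitude * math.sin(2 * math.pi * freq * n / RATE))
    return samples


def goertzel_power(block, freq):
    """Energy at `freq` in `block`: a single DFT bin without a full FFT,
    which is why a background listener can afford to run it continuously."""
    n = len(block)
    k = int(0.5 + n * freq / RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_id(samples):
    """Recover the id: for each symbol, pick the tone carrying more energy."""
    value = 0
    for b in range(ID_BITS):
        block = samples[b * SYMBOL:(b + 1) * SYMBOL]
        bit = 1 if goertzel_power(block, F_ONE) > goertzel_power(block, F_ZERO) else 0
        value = (value << 1) | bit
    return value


def add_noise(samples, sigma, seed=1):
    """Constructed room noise (white Gaussian, seeded so runs are repeatable)."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


if __name__ == "__main__":
    tone = encode_id(0xBEEF)
    print(f"clean:  {decode_id(tone):#06x}")
    print(f"noisy:  {decode_id(add_noise(tone, 0.1)):#06x}")
```

The decoder still reads the id when the noise is twice the tone's amplitude, because a 2205-sample Goertzel bin concentrates the tone's energy while spreading the noise over all bins; that processing gain is what lets a beacon stay quiet enough to go unnoticed. The defensive corollary for the Tor side is that emitting requires page audio, so blocking autoplayed or scripted audio in Tor Browser removes the emitting half of the attack on the machine you control; the listening half lives on whichever nearby device granted an app the microphone.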
Transportation

Changing Other People's Flight Bookings Is Too Easy (computerworld.com) 75

"The security of online travel booking systems is stuck in the 1990s, according to security researchers," reports Computerworld. An anonymous reader quotes their article, which argues that the ancient systems are also "woefully insecure": This allows attackers to easily modify other people's reservations, cancel their flights and even use the refunds to book tickets for themselves, according to a team of researchers who analyzed this online ecosystem... They presented their findings Tuesday at the 33rd Chaos Communications Congress in Hamburg. The three major Global Distribution Systems operators...store Passenger Name Records for hundreds of millions of travelers at any given time.

Any data added or modification made to a booking is stored in their systems and all that's required to access that information is typically a last name and a six-character booking code. There are multiple access points into these systems and this includes the websites operated by airlines and travel agencies, but also third-party websites like CheckMyTrip... The booking code itself is far from secret. It's printed on luggage tags that most people throw away after each flight -- even if their entire trip has not concluded yet -- and is also embedded in the QR codes printed on tickets that an alarmingly large number of travellers photograph and post on social media websites, the researchers said.
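What a boarding-pass photo actually hands over, as an added example that is not from the researchers or from Computerworld: the 2D barcode on a boarding pass encodes an IATA Bar Coded Boarding Pass (BCBP) string whose mandatory section carries the passenger name and the PNR locator in fixed-width fields. The parser below uses the field widths of the BCBP "M" format from IATA Resolution 792 as I recall them; treat the offsets as an assumption to verify against the spec. The boarding pass itself is constructed.

```python
"""Parse the mandatory section of an IATA BCBP boarding-pass string and pull
out the two values a booking site asks for: last name and booking code.
Added example; field widths follow IATA Resolution 792 as recalled (verify
against the spec).  The boarding pass below is constructed."""

# (field name, width) for the 60-character mandatory section of the first leg
MANDATORY_FIELDS = [
    ("format_code", 2),        # "M1": 'M' format, one flight leg
    ("passenger_name", 20),    # SURNAME/GIVEN, space padded
    ("eticket_flag", 1),       # 'E' for an electronic ticket
    ("pnr", 7),                # booking code (record locator), space padded
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),        # day of year of the flight
    ("compartment", 1),
    ("seat", 4),
    ("checkin_seq", 5),
    ("passenger_status", 1),
    ("conditional_size", 2),   # hex length of the optional section that follows
]


def make_bcbp(last_name, first_name, pnr, origin, dest, carrier, flight, day, seat):
    """Constructed boarding pass: build the mandatory section from values."""
    values = {
        "format_code": "M1",
        "passenger_name": f"{last_name}/{first_name}",
        "eticket_flag": "E",
        "pnr": pnr,
        "from_airport": origin,
        "to_airport": dest,
        "carrier": carrier,
        "flight_number": flight,
        "julian_date": f"{day:03d}",
        "compartment": "Y",
        "seat": seat,
        "checkin_seq": "0045",
        "passenger_status": "1",
        "conditional_size": "00",
    }
    return "".join(values[name].ljust(width)[:width] for name, width in MANDATORY_FIELDS)


def parse_bcbp(data):
    """Slice the mandatory section into a dict; raise on a malformed pass."""
    if not data.startswith("M") or len(data) < 60:
        raise ValueError("not a BCBP 'M' format string")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    surname, _, given = fields["passenger_name"].partition("/")
    fields["last_name"], fields["first_name"] = surname, given
    return fields


def booking_lookup_factors(data):
    """The pair a posted photo leaks: exactly what the lookup forms ask for."""
    fields = parse_bcbp(data)
    return fields["last_name"], fields["pnr"]


# Constructed sample: a fictitious passenger, locator and flight.
SAMPLE_PASS = make_bcbp("DOE", "JANE", "ABC123", "LHR", "JFK", "BA", "0117", 32, "012A")

if __name__ == "__main__":
    print(SAMPLE_PASS)
    print(booking_lookup_factors(SAMPLE_PASS))
```

Any barcode reader gives you the string, and the last name is printed on the pass in clear, so the six-character locator is the only thing standing between a photo and the ability to change or cancel the booking; as the researchers note, the same code is also on the bag tag. Treating a boarding pass as a credential, not a receipt, is the practical lesson for travellers until the systems themselves require something stronger.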
Android

All Cyanogen Services Are Shutting Down (cyngn.com) 113

Long-time Slashdot reader Nemosoft Unv. writes: A very brief post on Cyanogen's blog says it all really: "As part of the ongoing consolidation of Cyanogen, all services and Cyanogen-supported nightly builds will be discontinued no later than 12/31/16. The open source project and source code will remain available for anyone who wants to build CyanogenMod personally." Of course, with no focused team behind the CyanogenMod project it's effectively dead. Building an Android OS from scratch is no mean feat and most users won't be able to pull this off, let alone make fixes and updates. So what will happen next? Cyanogen had already laid off 20% of its workforce in July, and in November announced they had "separated ties" with Cyanogen founder and primary contributor Steve Kondik. One Android site quoted Kondik as saying "what I was trying to do, is over" in a private Google+ community, and the same day Kondik posted on Twitter, "Time for the next adventure." He hasn't posted since, so it's not clear what he's up to now. But the more important question is whether anyone will continue developing CyanogenMod.

UPDATE: Android Police reports that the CyanogenMod team "has posted an update of their own, confirming the shutdown of the CM infrastructure and outlining a plan to continue the open-source initiative as Lineage." The team posts on their blog that "we the community of developers, designers, device maintainers and translators have taken the steps necessary to produce a fork of the CM source code and pending patches."