Science

Four Ways To Reduce Bad Scientific Research (nature.com) 78

An experimental psychologist at the University of Oxford argues that in two decades, "we will look back on the past 60 years -- particularly in biomedical science -- and marvel at how much time and money has been wasted on flawed research." [M]any researchers persist in working in a way almost guaranteed not to deliver meaningful results. They ride with what I refer to as the four horsemen of the reproducibility apocalypse: publication bias, low statistical power, P-value hacking and HARKing (hypothesizing after results are known). My generation and the one before us have done little to rein these in. In 1975, psychologist Anthony Greenwald noted that science is prejudiced against null hypotheses; we even refer to sound work supporting such conclusions as 'failed experiments'...

The problems are older than most junior faculty members, but new forces are reining in these four horsemen. First, the field of meta-science is blossoming, and with it, documentation and awareness of the issues. We can no longer dismiss concerns as purely theoretical. Second, social media enables criticisms to be raised and explored soon after publication. Third, more journals are adopting the 'registered report' format, in which editors evaluate the experimental question and study design before results are collected -- a strategy that thwarts publication bias, P-hacking and HARKing. Finally, and most importantly, those who fund research have become more concerned, and more strict. They have introduced requirements that data and scripts be made open and methods be described fully.

I anticipate that these forces will soon gain the upper hand, and the four horsemen might finally be slain.

Security

Apache Web Server Bug Grants Root Access On Shared Hosting Environments (zdnet.com) 85

An anonymous reader quotes a report from ZDNet: This week, the Apache Software Foundation has patched a severe vulnerability in the Apache (httpd) web server project that could --under certain circumstances-- allow rogue server scripts to execute code with root privileges and take over the underlying server. The vulnerability, tracked as CVE-2019-0211, affects Apache web server releases for Unix systems only, from 2.4.17 to 2.4.38, and was fixed this week with the release of version 2.4.39. According to the Apache team, less-privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process. Because on most Unix systems Apache httpd runs under the root user, any threat actor who has planted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process, and inherently control the entire machine.

"First of all, it is a LOCAL vulnerability, which means you need to have some kind of access to the server," Charles Fol, the security researcher who discovered this vulnerability told ZDNet in an interview yesterday. This means that attackers either have to register accounts with shared hosting providers or compromise existing accounts. Once this happens, the attacker only needs to upload a malicious CGI script through their rented/compromised server's control panel to take control of the hosting provider's server to plant malware or steal data from other customers who have data stored on the same machine. "The web hoster has total access to the server through the 'root' account. If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster," Fol said. "This implies read/write/delete any file/database of the other clients."

Google

Before Google+ Shuts Down, The Internet Archive Will Preserve Its Posts (theverge.com) 30

Google+ "was an Internet-based social network. It was almost 8 years old," reports KilledByGoogle.com, which bills itself as "The Google Graveyard: A list of dead products Google has killed and laid to rest in the Google Cemetery."

But before Google+ closes for good in April, its posts are being preserved by Internet Archive and the ArchiveTeam, reports the Verge: In a post on Reddit, the sites announced that they had begun their efforts to archive the posts using scripts to capture and back up the data in an effort to preserve it. The teams say that their efforts will only encompass posts that are currently available to the public: they won't be able to back up posts that are marked private or deleted... They also note that they won't be able to capture everything: comment threads have a limit of 500 comments, "but only presents a subset of these as static HTML. It's not clear that long discussion threads will be preserved." They also say that images and video won't be preserved at full resolution...

They also urge people who don't want their content to be archived to delete their accounts, and pointed to a procedure to request the removal of specific content.

A bit of history: Linus Torvalds launched a Google+ page in 2017 called "Gadget Reviews" -- where he made exactly six posts.

Cloud

Linus Torvalds on Why ARM Won't Win the Server Space (realworldtech.com) 230

Linus Torvalds: I can pretty much guarantee that as long as everybody does cross-development, the platform won't be all that stable. Or successful. Some people think that "the cloud" means that the instruction set doesn't matter. Develop at home, deploy in the cloud. That's bullshit. If you develop on x86, then you're going to want to deploy on x86, because you'll be able to run what you test "at home" (and by "at home" I don't mean literally in your home, but in your work environment). Which means that you'll happily pay a bit more for x86 cloud hosting, simply because it matches what you can test on your own local setup, and the errors you get will translate better. This is true even if what you mostly do is something ostensibly cross-platform like just run perl scripts or whatever. Simply because you'll want to have as similar an environment as possible.

Which in turn means that cloud providers will end up making more money from their x86 side, which means that they'll prioritize it, and any ARM offerings will be secondary and probably relegated to the mindless dregs (maybe front-end, maybe just static html, that kind of stuff). Guys, do you really not understand why x86 took over the server market? It wasn't just all price. It was literally this "develop at home" issue. Thousands of small companies ended up having random small internal workloads where it was easy to just get a random whitebox PC and run some silly small thing on it yourself. Then as the workload expanded, it became a "real server". And then once that thing expanded, suddenly it made a whole lot of sense to let somebody else manage the hardware and hosting, and the cloud took over. Do you really not understand? This isn't rocket science. This isn't some made up story. This is literally what happened, and what killed all the RISC vendors, and made x86 be the undisputed king of the hill of servers, to the point where everybody else is just a rounding error. Something that sounded entirely fictional a couple of decades ago. Without a development platform, ARM in the server space is never going to make it. Trying to sell a 64-bit "hyperscaling" model is idiotic, when you don't have customers and you don't have workloads because you never sold the small cheap box that got the whole market started in the first place.

Windows

Linux Subsystem Files To Become Accessible via Windows File Explorer (zdnet.com) 123

One of Windows Subsystem for Linux's more annoying tricks is it's hard to get at your Linux files from Windows. From a report: Oh, you can do it, but you take a real chance of ruining the files. To quote Microsoft, "DO NOT, under ANY circumstances, access, create, and/or modify files in your distro's filesystem using Windows apps, tools, scripts, consoles, etc." In the forthcoming Windows 10 April 2019 Update, aka Windows 10 19H1, this Linux file problem will finally be fixed. According to Craig Loewen, a Microsoft programming manager working on Windows Subsystem for Linux (WSL), "The next Windows update is coming soon and we're bringing exciting new updates to WSL with it! These include accessing the Linux file system from Windows, and improvements to how you manage and configure your distros in the command line."

Government

Game of Thrones Hacker Worked With US Defector To Hack Air Force Employees of Iran (zdnet.com) 67

An anonymous reader quotes a report from ZDNet: The U.S. Department of Justice unsealed today espionage-related charges against a former U.S. Air Force service member who defected to Iran and helped the country's hackers target her former Air Force colleagues. Besides charges and an arrest warrant issued in the name of the former USAF service member, the DOJ also indicted four Iranian hackers who supposedly carried out the cyber-attacks acting on information provided by Witt. The most notable of the four Iranian hackers is Behzad Mesri, who U.S. authorities also charged in November 2017 with hacking HBO, stealing scripts for unaired episodes of season 6 of the hit series Game Of Thrones TV show, and later attempting to extort HBO execs for $6 million.

But at the heart of today's indictment stands Monica Elfriede Witt, 39, a former US Air Force counter-intelligence special agent specialized in Middle East operations, who served for the Air Force between 1997 and 2008, and later worked as a DOD contractor until 2010 --including for Booz Allen Hamilton, the same defense company where Edward Snowden worked. [...] The DOJ claims Witt has been working ever since with IRGC hacking units to craft and fine-tune cyber-operations against her former Air Force colleagues, some of whom she knew personally. [...] All the five suspects named in the indictment are still at large, believed to be located in Iran. The DOJ says Witt now goes by the names of Fatemah Zahra or Narges Witt.

OS X

Shlayer Malware Disables macOS Gatekeeper To Run Unsigned Payloads (bleepingcomputer.com) 91

A new variant of the multi-stage Shlayer malware known to target macOS users has been observed in the wild, now capable of escalating privileges using a two-year-old technique and of disabling the Gatekeeper protection mechanism to run unsigned second stage payloads. Bleeping Computer reports: This new Shlayer variant unearthed by Carbon Black's Threat Analysis Unit (TAU) targets all macOS releases up to the latest 10.14.3 Mojave, and will arrive on the targets' machines as DMG, PKG, ISO, or ZIP files, some of them also signed with a valid Apple developer ID to make them look legitimate. Shlayer samples found by TAU also use malicious shell scripts to download additional payloads just like older installments did, and, in the case of samples distributed as DMG images, will surreptitiously launch a .command script in the background after the user launches the fake Flash installer. The malicious script included in the DMG is encoded using base64 and will decrypt a second AES encrypted script which will be executed automatically after being decrypted.

Once it successfully downloads the second stage malware payload, Shlayer will "to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline," presented by Patrick Wardle in his Death by 1000 Installers talk at DEFCON 2017. The next step is to download extra payloads which all contain adware according to TAU and it makes sure they'll be able to run on the compromised Mac by disabling the Gatekeeper protection mechanism. After this is accomplished, all extra payloads downloaded and launched by Shlayer will be seen as whitelisted software because the OS will no longer check if they are signed with an Apple developer ID. Also, just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second stage payloads are also signed with valid developer IDs.

Security

Software Executive Exploits ATM Loophole To Steal $1 Million (zdnet.com) 57

An anonymous reader quotes a report from ZDNet: A Chinese software manager has been sentenced after being found guilty of stealing approximately $1 million from Huaxia Bank ATMs containing security weaknesses. The 43-year-old former manager employed in Huaxia Bank's software and technology development center spotted a "loophole" in the bank's core operating system which offered an unrecorded timeframe in which to make withdrawals, as reported by the South China Morning Post. Qin Qisheng realized that cash withdrawals made close to midnight were not recorded by the bank's systems in 2016, and in the same year, began systematically abusing the glitch.

Qin wrote a number of scripts which, once implanted in the bank's software, allowed him to probe the loophole without raising suspicion. It appears these tests were successful as the software chief then made withdrawals for over a year of between $740 and $2,965, the publication says. The money had to come from somewhere, and so Qin used a "dummy account" established by the bank for testing purposes. In total, Chinese law enforcement says that the former manager was able to steal over seven million yuan, equivalent to roughly $1 million. Huaxia Bank eventually uncovered the scheme, which Qin attempted to explain away as "internal security tests." When it came to the money, the software manager said the funds were simply "resting" in his own account but were due to be returned to the bank.
The financial institution accepted his explanation and fixed the problem, but law enforcement didn't and arrested him for theft in December 2018. Qin was given a jail term of ten and a half years, and on appeal, the sentence was upheld.

Chrome

Google Tests 'Never-Slow Mode' for Speedier Browsing (zdnet.com) 159

At some point in the future, Chrome may gain a new feature, dubbed 'Never-Slow Mode', which would trim heavy web pages to keep browsing fast. From a report: The prototype feature is referenced in a work-in-progress commit for the Chromium open-source project. With Never-Slow Mode enabled, it would "enforce per-interaction budgets designed to keep the main thread clean." The design document for Never-Slow Mode hasn't been made public. However, the feature's owner, Chrome developer Alex Russell, has provided a rough outline of how it would work to speed up web pages with large scripts. "Currently blocks large scripts, sets budgets for certain resource types (script, font, css, images), turns off document.write(), clobbers sync XHR, enables client-hints pervasively, and buffers resources without 'Content-Length' set," wrote Russell.

Programming

Homebrew 2.0 is Here With Official Support For Linux and Windows (brew.sh) 76

Homebrew, a popular package manager for macOS, has released version 2.0 with official support for Linux and Windows 10 (with Windows Subsystem for Linux). Cross-platform setup scripts just got a whole lot easier. Other highlights:

- Homebrew does not run on OS X Mountain Lion (10.8) and below. For 10.4 - 10.6 support, see Tigerbrew. This has allowed us to remove large amounts of legacy code.
- Homebrew does not migrate old, pre-1.0.0 installations from the Homebrew/legacy-homebrew (formerly Homebrew/homebrew) repository. This has allowed us to delete legacy code that dealt with migrations from old versions.
- Homebrew does not have any formulae with options in Homebrew/homebrew-core. Options will still be supported and encouraged by third-party taps. This change allows us to better focus on delivering binary packages rather than options. Formulae with options had to be built from source, could not be tested on our CI system and provided a disproportionate support burden on our volunteer maintainers.

Security

How Web Apps Can Turn Browser Extensions Into Backdoors (threatpost.com) 34

"Threatpost has a link to some recent research about ways web pages can exploit browser extensions to steal information or write files," writes Slashdot reader jbmartin6. "Did we need another reason to be deeply suspicious of any browser extension? Not only do they spy on us for their makers, now other people can use them to spy on us as well. The academic paper is titled 'Empowering Web Applications with Browser Extensions' (PDF)." From the report: "An attacker [uses] a script that is present in a web application currently running in the user browser. The script either belongs to the web application or to a third party. The goal of the attacker is to interact with installed extensions, in order to access user sensitive information. It relies on extensions whose privileged capabilities can be exploited via an exchange of messages with scripts in the web application," researchers wrote. They added, "Even though content scripts, background pages and web applications run in separate execution contexts, they can establish communication channels to exchange messages with one another... APIs [are used] for sending and receiving (listening for) messages between the content scripts, background pages and web applications."

The researcher behind the paper focused on a specific class of web extension called "WebExtensions API," a cross-browser extensions system compatible with major browsers including Chrome, Firefox, Opera and Microsoft Edge. After analyzing 78,315 extensions that used the specific WebExtension API, it found 3,996 that were suspicious. While it seems voluminous, they noted that research found a small number of vulnerable extensions overall, and that concern should be measured. However, "browser vendors need to review extensions more rigorously, in particular take into consideration the use of message passing interfaces in extensions."

PHP

PHP 7.3 Brings C Inlining and Speed Improvements (techrepublic.com) 36

An anonymous reader quotes TechRepublic: PHP 7.3, the newest update to the widespread server-side web development language, was released on Thursday, bringing with it a handful of new features, modernizations, and modest speed improvements.... The largest improvements in 7.3 include support for Foreign Function Interface (FFI), allowing programmers to write inline C code inside PHP scripts. Though this feature does not presently provide the same level of performance as native PHP code, it can under certain circumstances be used to reduce the memory footprint of a given task.

PHP 7.3 also includes flexible heredoc and nowdoc syntax, now no longer requiring closing markers to be followed by a semicolon or new line. The feature proposal for this notes that the previous rigid requirements "caused them to be, in-part, eschewed by developers because their usage in code can look ugly and harm readability...." PHP 7.3 does bring some backward incompatible changes and deprecated functions. The use of case-insensitive constraints is now deprecated, as is the use of case-insensitive constants with a case that differs from the declaration.

Phoronix reports that PHP 7.3 is nearly 10% faster than version 7.2, while it's 31% faster than PHP 7.0 and nearly three times faster than PHP 5.6.

Microsoft

After Microsoft Complaints, Indian Police Arrest Tech Support Scammers At 26 Call Centers (zdnet.com) 77

An anonymous reader quotes a report from ZDNet: New Delhi police have arrested 63 suspects in the last two months working and operating 26 call centers that were engaging in tech support scams, posing as tech support staff at Microsoft, Google, Apple, and other major tech companies. The raids on Delhi-based call centers have taken place over the last two months, Microsoft said. Police first raided 10 call centers and arrested 24 people in October, and then raided 16 other call centers and made 39 more arrests this week.

Microsoft said its staff received over 7,000 victim reports associated with the 16 call centers raided this week, from over 15 countries. Users reported paying between $100 and $500 for unnecessary tech support services and products. The raids resulted in the seizure of substantial evidence including call scripts, live chats, voice call recordings and customer records from tech support fraud operations, Microsoft said. The Delhi police's crackdown on tech support call centers came after Microsoft filed legal complaints earlier this year. Microsoft has been collecting customer complaints about tech support scams since 2014, via its "Report a technical support scam" portal.

Television

NBCUniversal Taps Machine Learning To Tie Ads To Relevant Moments on TV (adweek.com) 60

The next time you see, say, a wedding scene on a USA Network show followed by a champagne commercial, it may not be a coincidence. From a report: NBCUniversal announced a new machine learning tool today that helps brands place ads around scenes relevant to their product across any of the media giant's broadcast and cable properties. The Contextual Intelligence Platform analyzes programming scripts, closed captioning data and visual descriptors of both ads and shows to find opportune moments for a given advertiser to appear as well as an emotional gauge for each scene determined by proprietary algorithms.

Focus groups for ads placed with the platform thus far have shown an average bump of 19 percent in brand memorability, 13 percent in likability and 64 percent in message memorability, according to Josh Feldman, vp and head of marketing and advertising creative, NBCU. The announcement comes as linear television providers continue to grapple with how to bring digital targeting practices to a medium that still largely operates on traditional phone-call media buying and manual ad placements. NBCU is now working with three to five advertisers for the system's beta-test, and is aiming for an official release date early next year.

United Kingdom

National Theater In London Offers Glasses With Live Subtitles (nytimes.com) 46

The National Theater in London has introduced "smart caption glasses" that display dialogue on the lenses as actors speak (Warning: source may be paywalled; alternative source). The glasses should drastically improve the experience for audience members who have hearing difficulties. According to The New York Times, "The glasses can be used without charge for the play 'War Horse' and for the musical 'Hadestown,' and they will be available for all of the theater's 2019 season." From the report: Jonathan Suffolk, the theater's technical director, said that the glasses had taken two years to develop. "We could have offered the scripts on a phone, but we wanted a technology that was much more discreet and immersive and wouldn't disturb anyone," he said. The biggest challenge was creating software that allowed the words to be displayed in real time so that people wearing the glasses reached important moments -- such as jokes -- along with everyone else, Mr. Suffolk added. It is easy to load a script into a subtitling system and hit "go" at the start of the play, he said, but problems would then arise if actors spoke quicker or slower than expected.

The software used by the theater follows live speech and recognizes certain stage directions, like lighting changes, to ensure the subtitles appear in the right place. The words are then transmitted to the glasses over Wi-Fi. According to Andrew Lambourne, a professor at Leeds Beckett University who worked on the project, a major obstacle that the software had to overcome was recognizing speech even when actors were talking over each other or being bombarded by sound effects. Mr. Suffolk said it was difficult to know how many people would use the equipment. The theater has bought 50 pairs, at a cost of around $1,050 per pair. The National Theater will make the glasses available to some other British venues next year, including during a touring production of "Macbeth." The Barbican Theater in London said in a statement that it was in talks about using them.

Programming

The Coders Programming Themselves Out of a Job (theatlantic.com) 415

Brian Merchant, writing for The Atlantic (condensed for space): In 2016, an anonymous confession appeared on Reddit: "From around six years ago up until now, I have done nothing at work." As far as office confessions go, that might seem pretty tepid. But this coder, posting as FiletOFish1066, said he worked for a well-known tech company, and he really meant nothing. He wrote that within eight months of arriving on the quality assurance job, he had fully automated his entire workload. When his bosses realized that he'd worked less in half a decade than most Silicon Valley programmers do in a week, they fired him. [...]

About a year later, someone calling himself or herself Etherable posted a query to Workplace on Stack Exchange, one of the web's most important forums for programmers: "Is it unethical for me to not tell my employer I've automated my job?" The conflicted coder described accepting a programming gig that had turned out to be "glorified data entry" -- and, six months ago, writing scripts that put the entire job on autopilot. After that, "what used to take the last guy like a month, now takes maybe 10 minutes." The job was full-time, with benefits, and allowed Etherable to work from home. The program produced near-perfect results; for all management knew, their employee simply did flawless work.

The post proved unusually divisive, and comments flooded in. Reactions split between those who felt Etherable was cheating, or at least deceiving, the employer, and those who thought the coder had simply found a clever way to perform the job at hand. [...] Call it self-automation, or auto-automation. At a moment when the specter of mass automation haunts workers, rogue programmers demonstrate how the threat can become a godsend when taken into coders' hands, with or without their employers' knowledge. Since both FiletOFish1066 and Etherable posted anonymously and promptly disappeared, neither were able to be reached for comment. But their stories show that workplace automation can come in many forms and be led by people other than executives.

Privacy

Mobile Websites Can Tap Into Your Phone's Sensors Without Asking (wired.com) 48

When apps want to access data from your smartphone's motion or light sensors, they often make that capability clear. That keeps a fitness app, say, from counting your steps without your knowledge. But a team of researchers has discovered that the rules don't apply to websites loaded in mobile browsers, which can often access an array of device sensors without any notifications or permissions whatsoever. From a report: That mobile browsers offer developers access to sensors isn't necessarily problematic on its own. It's what helps those services automatically adjust their layout, for example, when you switch your phone's orientation. And the World Wide Web Consortium standards body has codified how web applications can access sensor data. But the researchers -- Anupam Das of North Carolina State University, Gunes Acar of Princeton University, Nikita Borisov of the University of Illinois at Urbana-Champaign, and Amogh Pradeep of Northeastern University -- found that the standards allow for unfettered access to certain sensors. And sites are using it.

The researchers found that of the top 100,000 sites -- as ranked by Amazon-owned analytics company Alexa -- 3,695 incorporate scripts that tap into one or more of these accessible mobile sensors. That includes plenty of big names, including Wayfair, Priceline.com, and Kayak.

Security

British Airways Breach Caused By the Same Group That Hit Ticketmaster (zdnet.com) 11

An anonymous reader shares a report: A cyber-criminal operation known as Magecart is believed to have been behind the recent card breach announced last week by British Airways. The operation has been active since 2015 when RiskIQ and ClearSky researchers spotted the malware for the first time. The group's regular mode of operation involves hacking into online stores and hiding JavaScript code that steals payment card information entered into store checkout pages, information such as credit card numbers, names, addresses, and whatever is collected via payment forms. The group has been very active in the past three years, being blamed for injecting card skimming scripts on thousands of sites, with the most recent trove of compromised sites being discovered two weeks ago. Of all its hacks, the most notorious incident was when the group compromised a third-party chat provider and used its infrastructure to drop malicious scripts on the Ticketmaster checkout page. [...] In a report published today, researchers at RiskIQ say they found clues linking the same Magecart operation to the British Airways breach. This breach was announced last week when British Airways said that an unidentified hacker compromised its systems and stole the card details of over 380,000 users.

AI

Amazon AI Researchers Release a Dataset of 400,000 Transliterated Names To Aid the Development of Natural-Language-Understanding Systems (amazon.com) 12

New submitter georgecarlyle76 writes: Amazon AI researchers have publicly released a dataset of almost 400,000 transliterated names, to aid the development of natural-language-understanding systems that can search across databases that use different scripts. They describe the dataset's creation in a paper [PDF] they're presenting at COLING, together with experiments using the dataset to train different types of machine learning models.

The Internet

Front-End Developer Decries 'Garbage' Design Choices on 'The Bullshit Web' (pxlnv.com) 409

"Ever wondered why pages seem to load slower and slower? Or why it is that browsing seems to take just as long to load a page, even though your broadband connection doubled in speed a couple of months ago?" gb7djk, a long-time Slashdot reader, blames "the bullshit web" -- as described in this essay by Calgary-based front-end developer Nick Heer (who does his testing on a 50 Mbps connection). A story at the Hill took over nine seconds to load; at Politico, seventeen seconds; at CNN, over thirty seconds. This is the bullshit web... When I use the word "bullshit" in this article, it isn't in a profane sense. It is much closer to Harry Frankfurt's definition in On Bullshit: "It is just this lack of connection to a concern with truth -- this indifference to how things really are -- that I regard as of the essence of bullshit...." The average internet connection in the United States is about six times as fast as it was just ten years ago, but instead of making it faster to browse the same types of websites, we're simply occupying that extra bandwidth with more stuff. Some of this stuff is amazing.... But a lot of the stuff we're seeing is a pile-up of garbage on seemingly every major website that does nothing to make visitors happier -- if anything, much of this stuff is deeply irritating and morally indefensible.

Take that CNN article, for example. Here's what it contained when I loaded it:

- Eleven web fonts, totalling 414 KB
- Four stylesheets, totalling 315 KB
- Twenty frames
- Twenty-nine XML HTTP requests, totalling about 500 KB
- Approximately one hundred scripts, totalling several megabytes -- though it's hard to pin down the number and actual size because some of the scripts are "beacons" that load after the page is technically finished downloading.

The vast majority of these resources are not directly related to the information on the page, and I'm including advertising... In addition, pretty much any CNN article page includes an autoplaying video... Also, have you noticed just how many websites desperately want you to sign up for their newsletter?

The essay also deals harshly with AMP, "a collection of standard HTML elements and AMP-specific elements on a special ostensibly-lightweight page that needs an 80 kilobyte JavaScript file to load correctly....required by the AMP spec to be hotlinked from cdn.amp-project.org, which is a Google-owned domain. That makes an AMP website dependent on Google to display its basic markup, which is super weird for a platform as open as the web."

It argues AMP is only speedier "because AMP restricts the kinds of elements that can be used on a page and severely limits the scripts that can be used," calling it a pseudo-solution. "Better choices should be made by web developers to not ship this bullshit in the first place.... An honest web is one in which the overwhelming majority of the code and assets downloaded to a user's computer are used in a page's visual presentation, with nearly all the remainder used to define the semantic structure and associated metadata on the page."
