Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Desktops (Apple)

Malwarebytes Discovers 'First Mac Malware of 2017' (securityweek.com) 60

wiredmikey writes: Security researchers have a uncovered a Mac OS based espionage malware they have named "Quimitchin." The malware is what they consider to be "the first Mac malware of 2017," which appears to be a classic espionage tool. While it has some old code and appears to have existed undetected for some time, it works. It was discovered when an IT admin noticed unusual traffic coming from a particular Mac, and has been seen infecting Macs at biomedical facilities. From SecurityWeek.com: "Quimitchin comprises just two files: a .plist file that simply keeps the .client running at all times, and the .client file containing the payload. The latter is a 'minified and obfuscated' perl script that is more novel in design. It combines three components, Thomas Reed, director of Mac offerings at Malwarebytes and author of the blog post told SecurityWeek: 'a Mac binary, another perl script and a Java class tacked on at the end in the __DATA__ section of the main perl script. The script extracts these, writes them to /tmp/ and executes them.' Its primary purpose seems to be screen captures and webcam access, making it a classic espionage tool. Somewhat surprisingly the code uses antique system calls. 'These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,' he wrote in the blog post. 'In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.' The script also contains Linux shell commands. Running the malware on a Linux machine, Malwarebytes 'found that -- with the exception of the Mach-O binary -- everything ran just fine.' It is possible that there is a specific Linux variant of the malware in existence -- but the researchers have not been able to find one. It did find two Windows executable files, courtesy of VirusTotal, that communicated with the same CC server. One of them even used the same libjpeg library, which hasn't been updated since 1998, as that used by Quimitchin."
Programming

Meet Lux, A New Lisp-like Language (javaworld.com) 204

Drawing on Haskell, Clojure, and ML, the new Lux language first targeted the Java Virtual Machine, but will be a universal, cross-platform language. An anonymous reader quotes JavaWorld: Currently in an 0.5 beta release, Lux claims that while it implements features common to Lisp-like languages, such as macros, they're more flexible and powerful in Lux... [W]hereas Clojure is dynamically typed, as many Lisp-like languages have been, Lux is statically typed to reduce bugs and enhance performance. Lux also lets programmers create new types programmatically, which provides some of the flexibility found in dynamically typed languages. The functional language Haskell has type classes, but Lux is intended to be less constraining. Getting around any constraints can be done natively to the language, not via hacks in the type system.
There's a a 16-chapter book about the language on GitHub.
Education

Ask Slashdot: What's The Best Job For This Recent CS Grad? 261

One year away from graduating with a CS degree, an anonymous reader wants some insights from the Slashdot community: [My] curriculum is rather broad, ranging from systems programming on a Raspberry Pi to HTML, CSS, JavaScript, C, Java, JPA, Python, Go, Node.js, software design patterns, basic network stuff (mostly Cisco) and various database technologies... I'm working already part-time as a system administrator for two small companies, but don't want to stay there forever because it's basically a dead-end position. Enjoying the job, though... With these skills under my belt, what career path should I pursue?
There's different positions as well as different fields, and the submission explains simply that "I'm looking for satisfying and rewarding work," adding that "pay is not that important." So leave your suggestions in the comments. What's the best job for this recent CS grad?
Programming

Is The C Programming Language Declining In Popularity? (dice.com) 286

An anonymous reader writes: Java overtook C as the most popular language in mid-2015 on the TIOBE Programming Community index. But now over the last 13 months, they show C's popularity consistently dropping more and more. C's score had hovered between 15% and 20% for over 15 years but as 2016 ended, the language's popularity is now down to 8.7%. "There is no clear way back to the top," reports the site, asking what happened to C? "It is not a language that you think of while writing programs for popular fields such as mobile apps or websites, it is not evolving that much and there is no big company promoting the language."

But the Insights blog at Dice.com counters that TIOBE "has hammered on C for quite some time. Earlier this year, it again emphasized how C is 'hardly suitable for the booming fields of web and mobile app development.' That being said, job postings on Dice (as well as rankings compiled by other organizations) suggest there's still widespread demand for C, which can be used in everything from operating systems to data-intensive applications, and serves many programmers well as an intermediate language."

i-programmer suggests this could just be an artifact of the way TIOBE calculates language popularity (by totaling search engine queries). Noting that Assembly language rose into TIOBE's top 10 this year, their editor wrote, "Perhaps it is something to do with the poor state of assembly language documentation that spurs on increasingly desperate searches for more information." Maybe C programmers are just referring to their K&R book instead of searching for solutions online?
Java

Oracle Begins Aggressively Pursuing Java Licensing Fees (theregister.co.uk) 295

Java SE is free, but Java SE Suite and various flavors of Java SE Advanced are not, and now Oracle "is massively ramping up audits of Java customers it claims are in breach of its licenses," reports the Register. Oracle bought Java with Sun Microsystems in 2010 but only now is its License Management Services division chasing down people for payment, we are told by people familiar with the matter. The database giant is understood to have hired 20 individuals globally this year, whose sole job is the pursuit of businesses in breach of their Java licenses... Huge sums of money are at stake, with customers on the hook for multiple tens and hundreds of thousands of dollars.
Slashdot reader rsilvergun writes, "Oracle had previously sued Google for the use of Java in Android but had lost that case. While that case is being appealed, it remains to be seen if the latest push to monetize Java is a response to that loss or part of a broader strategy on Oracle's part." The Register interviewed the head of an independent license management service who says Oracle's even targeting its own partners now.

But after acquiring Sun in 2010, why did Oracle's License Management Services wait a full six years? "It is believed to have taken that long for LMS to devise audit methodologies and to build a detailed knowledge of customers' Java estates on which to proceed."
Security

Does Code Reuse Endanger Secure Software Development? (threatpost.com) 148

msm1267 quotes ThreatPost: The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It's a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host. This scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability.

The real-world consequences have been demonstrated in the past few years with the Heartbleed vulnerability in OpenSSL, Shellshock in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the San Francisco Municipal Transportation Agency. These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications... According to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. Second, insecure code is used by a developer who doesn't exercise due diligence on the software libraries used in their project.

That seems like a one-sided take, so I'm curious what Slashdot readers think. Does code reuse endanger secure software development?
Intel

Qualcomm Debuts 10nm Server Chip To Attack Intel Server Stronghold (tomshardware.com) 110

An anonymous reader quotes a report from Tom's Hardware: Qualcomm and its Qualcomm Datacenter Technologies subsidiary announced today that the company has already begun sampling its first 10nm server processor. The Centriq 2400 is the second generation of Qualcomm server SOCs, but it is the first in its new family of 10nm FinFET processors. The Centriq 2400 features up to 48 custom Qualcomm ARMv8-compliant Falkor cores and comes a little over a year after Qualcomm began developing its first-generation Centriq processors. Qualcomm's introduction of a 10nm server chip while Intel is still refining its 14nm process appears to be a clear shot across Intel's bow--due not only to the smaller process, but also its sudden lead in core count. Intel's latest 14nm E7 Broadwell processors top out at 24 cores. Qualcomm isn't releasing more information, such as clock speeds or performance specifications, which would help to quantify the benefit of its increased core count. The server market commands the highest margins, which is certainly attractive for the mobile-centric Qualcomm, which found its success in the relatively low-margin smartphone segment. However, Intel has a commanding lead in the data center with more than a 99% share of the world's server sockets, and penetrating the segment requires considerable time, investment, and ecosystem development. Qualcomm unveiled at least a small portion of its development efforts by demonstrating Apache Spark and Hadoop on Linux and Java running on the Centriq 2400 processor. The company also notes that Falkor is SBSA compliant, which means that it is compatible with any software that runs on an ARMv8-compliant server platform.
Java

Muni System Hacker Hit Others By Scanning For Year-Old Java Vulnerability (arstechnica.com) 30

An anonymous reader quotes a report from Ars Technica: The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware on November 25 apparently gained access to the agency's network by way of a known vulnerability in an Oracle WebLogic server. That vulnerability is similar to the one used to hack a Maryland hospital network's systems in April and infect multiple hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn't specifically targeted by the attackers; the agency just came up as a target of opportunity through a vulnerability scan. In an e-mail to Ars, SFMTA spokesperson Paul Rose said that on November 25, "we became aware of a potential security issue with our computer systems, including e-mail." The ransomware "encrypted some systems mainly affecting computer workstations," he said, "as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers." That description of the ransomware attack is not consistent with some of the evidence of previous ransomware attacks by those behind the SFMTA incident -- which Rose said primarily affected about 900 desktop computers throughout the agency. Based on communications uncovered from the ransomware operator behind the Muni attack published by security reporter Brian Krebs, an SFMTA Web-facing server was likely compromised by what is referred to as a "deserialization" attack after it was identified by a vulnerability scan. A security researcher told Krebs that he had been able to gain access to the mailbox used in the malware attack on the Russian e-mail and search provider Yandex by guessing its owner's security question, and he provided details from the mailbox and another linked mailbox on Yandex. Based on details found in e-mails for the accounts, the attacker ran a server loaded with open source vulnerability scanning tools to identify and compromise servers to use in spreading the ransomware, known as HDDCryptor and Mamba, within multiple organizations' networks.
Microsoft

Microsoft Exec Urges Linux Developers To Try Windows 10 (softpedia.com) 403

An anonymous reader shares a Softpedia article: Microsoft has finally acknowledged the potential that the open-source world in general, and Linux in particular, boasts, so the company is exploring its options to expand in this area with every occasion. Most recently, an episode posted on Channel 9 and entitled "Improvements to Bash on Windows and the Windows Console" with senior program manager Rich Turner calls for Linux developers to give up on their platforms for Windows 10. "Fire up a Windows 10 Insiders' build instance and run your code, run your tools, host your website on Apache, access your MySQL database from your Java code," he explained. Turner went on to point out that the Windows subsystem for Linux is there to provide developers with all the necessary tools to code just like they'd do it on Linux, all without losing the advantages of Windows 10. "Whatever it is that you normally do on Linux to build an application: whether it's in Go, in Erlang, in C, whatever you use, please, give it a try on Bash WSL, and importantly file bugs on us. It really makes our life a lot easier and helps us build a product that we can all use and be far more productive with, he continued. Editor's note: The original title from Softpedia was edited because it was misleading. A Microsoft employee doesn't represent the entire company (at least in this instant he wasn't speaking for the company), and at no point has he asked "all Linux developers" to "give up" on Linux.
Java

Java's Open Sourcing Still Controversial Ten Years Later (infoworld.com) 89

An anonymous reader quotes InfoWorld: Sun Microsystems officially open-sourced Java on November 13, 2006... "The source code for Java was available to all from the first day it was released in 1995," says [Java creator James] Gosling, who is now chief architect at Liquid Robotics. "What we wanted out of that was for the community to help with security analysis, bug reporting, performance enhancement, understanding corner cases, and a whole lot more. It was very successful." Java's original license, Gosling says, allowed people to use the source code internally but not redistribute. "It wasn't 'open' enough for the 'open source' crowd," he says... While Gosling has taken Oracle to task for its handling of Java at times, he sees the [2006] open-sourcing as beneficial. "It's one of the most heavily scrutinized and solid bodies of software you'll find. Community participation was vitally important..."

A former Oracle Java evangelist, however, sees the open source move as watered down. "Sun didn't open-source Java per se," says Reza Rahman, who has led a recent protest against Oracle's handling of enterprise Java. "What they did was to open-source the JDK under a modified GPL license. In particular, the Java SE and Java EE TCKs [Technology Compatibility Kits] remain closed source."

Rahman adds that "Without open-sourcing the JDK, I don't think Java would be where it is today."
Google

Oracle Will Officially Appeal Its 'Fair Use' Loss Against Google (arstechnica.com) 99

An anonymous reader quotes a report from Ars Technica: The massive Oracle v. Google litigation has entered a new phase, as Oracle filed papers (PDF) yesterday saying it will appeal its loss on "fair use" grounds to the U.S. Court of Appeals for the Federal Circuit. For a brief recap of the case: after Oracle purchased Sun Microsystems and acquired the rights to Java, it sued Google in 2010, saying that Google infringed copyrights and patents related to Java. The case went to trial in 2012. Oracle initially lost but had part of its case revived on appeal. The sole issue in the second trial was whether Google infringed the APIs in Java, which the appeals court held are copyrighted. In May, a jury found in Google's favor after a second trial, stating that Google's use of the APIs was protected by "fair use." Oracle's appeal is no surprise, but it will be a long shot. The four-factor "fair use" test is a fairly subjective one, and Oracle lawyers will have to argue that the jury's unanimous finding must be overturned. There are various ways a jury could arrive at the conclusion that Google was protected by fair use. The case will go back to the Federal Circuit, the same appeals court that decided APIs could be copyrighted in the first place. That decision overruled U.S. District Judge William Alsup, the lower court judge, and was extremely controversial in the developer community. However, the same decision that insisted APIs can be copyrighted clearly held the door open to the idea that "fair use" might apply. Unless Oracle pulls off a stunning move on appeal, its massive legal expenditures in this case will be for naught.
Google

Google's Go Language Surges In Popularity (infoworld.com) 252

2016 saw a big spike in the popularity of Go, attributed to the rising importance of Docker and Kubernetes. An anonymous Slashdot reader quotes InfoWorld: Ranked 65th a year ago in the Tiobe Index of language popularity, it has climbed to 16th this month and is on track to become Tiobe's Programming Language of the Year, a designation awarded to the language with the biggest jump in the index...which gauges popularity based on a formula assessing searches on languages in popular search engines...

Elsewhere in the index, Java again came in first place, with an 18.799 rating while C, still in second place, nonetheless continued its precipitous drop, to 9.835% (it had been 16.185% a year ago). In third was C++ (5.797%) followed by C# (4.367%), Python (3.775%), JavaScript (2.751%), PHP (2.741%), Visual Basic .Net (2.66%), and Perl (2.495%).

The article also cites an alternate set of rankings. "In the PyPL index, the top 10 were: Java, with a share of 23.4%, followed by Python (13.6%), PHP (9.9%), C# (8.8%), JavaScript (7.6%), C++ (6.9%), C (6.9%), Objective-C (4.5%), R (3.3%), and Swift (3.1%)."
Security

The Slashdot Interview With Security Expert Mikko Hypponen: 'Backupception' 38

You asked, he answered!

Mikko Hypponen, Chief Research Officer at security firm F-Secure, has answered a range of your questions. Read on to find his insight on the kind of security awareness training we need, whether anti-virus products are relevant anymore, and whether we have already lost the battle to bad guys. Bonus: his take on whether or not you should take backups of your data.
Books

O'Reilly Gives Away Free Programming Ebooks (oreilly.com) 87

An anonymous Slashdot reader writes: There's now a section on OReilly.com offering free ebooks about computer programming. There's four free Java ebooks and seven about Python, as well as an "Other" section which contains ebooks like C++ Today, Swift Pocket Reference, and Why Rust? But there's also some broader categories for Open Source and Software Architecture ebooks, as well as separate sections for their free ebooks about Data, Security, Web Development, and the Internet of Things.
Java

Oracle Formally Proposes That Java Adopt Ahead-of-Time Compilation (infoworld.com) 104

An anonymous Slashdot reader quotes InfoWorld: Java applications will get faster startup times thanks to a formal proposal to include ahead-of-time compilation in the platform. The draft Java Development Kit proposal, authored by Vladimir Kozlov, principal technical staff member at Oracle, is targeted for inclusion in Java 9, which is expected to be available next summer. "We would love to see this make it into JDK 9, but that will of course depend on the outcome of the OpenJDK process for this JDK Enhancement Proposal," said Georges Saab, vice president of software development in the Java platform group at Oracle, on Thursday. Ahead-of-time compilation has been a stated goal for Java 9 to address the issue of slow startup...

The proposal summary notes that Java classes would be compiled to native code prior to launching the virtual machine. The ultimate goal is to improve the startup time of small or large Java applications while having "at most" a limited impact on peak performance and minimizing changes to the user workflow.

Tests indicates some applications perform better while some actually perform worse, so it's being proposed as an opt-in feature where dissatisfied users "can just rebuild a new JDK without ahead-of-time libraries."
Programming

Which Programming Language Is Most Popular - The Final Answer? (zdnet.com) 401

An anonymous Slashdot reader writes: Following a common technique among political pollsters, a technology columnist combined the results from various measures of programming language popularity for a more definitive answer about the most important languages to study. He used IEEE Spectrum's interactive list of the top programming languages, which lets you adjust the weight given to the number of job listings and number or open source projects, then combined it with the TIOBE Index (which is based on search engine results), and the PYPL Index, which checks the number of tutorials for each programming language on Google.

The results? "The top cluster contains Java, C, Python, and C++. Without a doubt, you should attain familiarity with these four languages." He points out they're not tied to a specific programming platform, unlike languages in the second cluster -- JavaScript, C#, PHP, and Swift -- while the last two languages in the top 10 were Objective-C and R. "The C-family of languages still dominates. Java, C++, C, C#, and even Objective-C are all C-based languages. If you're only going to learn one language, you should pick one of those." But his ultimate advice is to "learn multiple languages and multiple frameworks... Programming is not just an intellectual exercise. You have to actually make stuff."

Google

Judge Skewers Oracle Attorney For Revealing Google, Apple Trade Secrets (arstechnica.com) 68

An anonymous reader quotes a report from Ars Technica: The federal judge who presided over the Google-Oracle API copyright infringement trial excoriated one of Oracle's lawyers Thursday for disclosing confidential information in open court earlier this year. The confidential information included financial figures stating that Google generated $31 billion in revenue and $22 billion in profits from the Android operating system in the wake of its 2008 debut. The Oracle attorney, Annette Hurst, also revealed another trade secret: Google paid Apple $1 billion in 2014 to include Google search on iPhones. Judge William Alsup of San Francisco has been presiding over the copyright infringement trial since 2010, when Oracle lodged a lawsuit claiming that Google's Android operating system infringed Oracle's Java APIs. After two trials and various trips to the appellate courts, a San Francisco federal jury concluded in May that Google's use of the APIs amounted to fair use. Oracle's motion before Alsup for a third trial is pending. Oracle argues that Google tainted the verdict by concealing a plan to extend Android on desktop and laptop computers. As this legal saga was playing out, Hurst blurted out the confidential figures during a January 14 pre-trial hearing, despite those numbers being protected by a court order. The transcript of that proceeding has been erased from the public record. But the genie is out of the bottle. Google lodged a motion (PDF) for sanctions and a contempt finding against Hurst for unveiling a closely guarded secret of the mobile phone wars. During a hearing on that motion Thursday, Judge Alsup had a back-and-forth with Hurst's attorney, former San Francisco U.S. Attorney Melinda Haag. According to the San Francisco legal journal The Recorder, Haag said that her client Hurst -- of the law firm Orrick, Herrington and Sutcliffe -- should not be sanctioned because of "one arguable mistake made through the course of a very complex litigation."
Oracle

Will Oracle Surrender NetBeans to Apache? (infoworld.com) 69

An anonymous Slashdot reader quotes InfoWorld: Venerable open source Java IDE NetBeans would move from Oracle's jurisdiction to the Apache Software Foundation under a proposal... endorsed by Java founder James Gosling, a longtime fan of the IDE. Moving NetBeans to a neutral venue like Apache, with its strong governance model, would help the project attract more contributions from various organizations, according to the proposal posted in the Apache wiki.

"Large companies are using NetBeans as an application framework to build internal or commercial applications and are much more likely to contribute to it once it moves to neutral Apache ground," the proposal says. While Oracle will relinquish its control over NetBeans under the proposal, individual contributors from Oracle are expected to continue contributing to the project.

On Facebook, Gosling posted the proposal meant "folks like me can more easily contribute to our favorite IDE. The finest IDE in existence will be getting even better, faster!" InfoWorld reports that when aked if Oracle had neglected NetBeans, Gosling said, "Oracle didn't single out NetBeans for neglect, they neglect everything... I'm thrilled that the NetBeans community will now be able to chart its own course."
Education

Code.org Disses Wolfram Language, Touts Apple's Swift Playgrounds (edsurge.com) 241

America is changing the way it teaches computer science. "There are now 31 states that allow CS to count towards high school graduation," according to an announcement this week by the White House, while a new Advance Placement course "will be offered in more than 2,000 U.S. classrooms this fall...the largest course launch in the history of the AP exam." But what's the best way to teach coding? theodp reports: Tech-backed Code.org, one of the leaders of the new CSforAll Consortium that was announced at the White House on Wednesday, took to its blog Thursday to say "Thanks, Tim [Cook], for supporting the effort to give every student the opportunity to learn computer science," giving a shout out to Apple for providing "resources for teachers who want to put Swift Playgrounds in their classrooms. (A day earlier, the White House said Apple developed Swift Playgrounds "in support of the President's call to action" for CS for All).

Curiously, Code.org CEO Hadi Partovi argued Friday that "the Wolfram Language has serious shortcomings for broad educational use" in an EdSurge op-ed that was called a "response to a recent blog post by Stephen Wolfram" on Wolfram's ambitious plan to teach computational thinking in schools. Partovi's complaints? "It requires login for all but the simplest use cases, but doesn't provide any privacy safeguards for young children (required in the U.S. through legislation such as COPPA). Also, a serious user would need to pay for usage, making implementation inaccessible in most schools. Lastly, it's a bit difficult to use by students who struggle with English reading or writing, such as English language learners or early elementary school students."

The submission ultimately asks how should computer science be taught to teenagers. "Would you be inclined to embrace Wolfram's approach, Apple's Swift Playgrounds, Microsoft TEALS' Java-centric AP CS curriculum, or something else (e.g., R, Tableau, Excel+VBA)?"

Slashdot Top Deals