AMD

AMD Is Open-Sourcing Their Official Vulkan Linux Driver (phoronix.com) 65

An anonymous reader writes: While many of you have likely heard of the "RADV" open-source Vulkan driver, it's been a community-written driver up to this point in the absence of AMD's official, cross-platform Vulkan driver being open-source. That's now changed with AMD now open-sourcing their official Vulkan driver. The code drop is imminent and they are encouraging the use of it for quick support of new AMD hardware, access to the Radeon GPU Profiler, easy integration of AMD Vulkan extensions, and enabling third-party extensions. For now at least it does provide better Vulkan performance than RADV but the RADV developers have indicated they plan to continue development of their Mesa-based Vulkan driver.
Python

Did Programming Language Flaws Create Insecure Apps? (bleepingcomputer.com) 99

Several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks, according to research presented at the Black Hat Europe 2017 security conference. An anonymous reader writes: The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi, who says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

Fuzzing involves providing invalid, unexpected, or random data as input to a software application. The researcher created his own fuzzing framework named XDiFF that broke down programming languages per each of its core functions and fuzzed each one for abnormalities. His work exposed severe flaws in all five languages, such as a hidden flaw in PHP constant names that can be abused to perform remote code execution, and undocumented Python methods that can be used for OS code execution. Arnaboldi argues that attackers can exploit these flaws even in the most secure applications built on top of these programming languages.

Windows

Lead Developer of Popular Windows Application Classic Shell Is Quitting 97

WheezyJoe writes: Classic Shell is a free Windows application that for years has replaced Microsoft's Start Screen or Start Menu with a highly configurable, more familiar non-tile Start menu. Yesterday, the lead developer released what he said would be the last version of Classic Shell. Citing other interests and the frequency at which Microsoft releases updates to Windows 10, as well as lagging support for the Win32 programming model, the developer says that he won't work on the program anymore. The application's source code is available on SourceForge, so there is a chance others may come and fork the code to continue development. There are several alternatives available, some pay and some free (like Start10 and Start Is Back++), but Classic Shell has an exceptionally broad range of tweaks and customizability.
Encryption

PHP Now Supports Argon2 Next-Generation Password Hashing Algorithm (bleepingcomputer.com) 94

An anonymous reader quotes Bleeping Computer: PHP got a whole lot more secure this week with the release of the 7.2 branch, a version that improves and modernizes the language's support for cryptography and password hashing algorithms.

Of all changes, the most significant is, by far, the support for Argon2, a password hashing algorithm developed in the early 2010s. Back in 2015, Argon2 beat 23 other algorithms to win the Password Hashing Competition, and is now in the midst of becoming a universally recognized Internet standard at the Internet Engineering Task Force (IETF), the reward for winning the contest. The algorithm is currently considered to be superior to Bcrypt, today's most widely used password hashing function, in terms of both security and cost-effectiveness, and is also slated to become a favorite among cryptocurrencies, as it can also handle proof-of-work operations.

The other major change in PHP 7.2 was the removal of the old Mcrypt cryptographic library from the PHP core and the addition of Libsodium, a more modern alternative.

Education

Massive Financial Aid Data Breach Proves Stanford Lied For Years To MBAs (poetsandquants.com) 116

14 terabytes of "highly confidential" data about 5,120 financial aid applications over seven years were exposed in a breach at Stanford's Graduate School of Business -- proving that the school "misled thousands of applicants and donors about the way it distributes fellowship aid and financial assistance to its MBA students," reports Poets&Quants. The information was unearthed by a current MBA student, Adam Allcock, in February of this year from a shared network directory accessible to any student, faculty member or staffer of the business school. In the same month, on Feb. 23, the student reported the breach to Jack Edwards, director of financial aid, and the records were removed within an hour of his meeting with Edwards. Allcock, however, says he spent 1,500 hours analyzing the data and compiling an 88-page report on it...

Allcock's discovery that more money is being used by Stanford to entice the best students with financial backgrounds suggests an admissions strategy that helps the school achieve the highest starting compensation packages of any MBA program in the world. That is largely because prior work experience in finance is generally required to land jobs in the most lucrative finance fields in private equity, venture capital and hedge funds.

Half the school's students are awarded financial aid, and though Stanford always insisted it was awarded based only on need, the report concluded the school had been "lying to their faces" for more than a decade, also identifying evidece of "systemic biases against international students."

Besides the embarrassing exposure of their financial aid policies, there's another obvious lesson, writes Slashdot reader twentysixV. "It's actually way too easy for users to improperly secure their files in a shared file system, especially if the users aren't particularly familiar with security settings." Especially since Friday the university also reported another university-wide file-sharing platform had exposed "a variety of information from several campus offices, including Clery Act reports of sexual violence and some confidential student disciplinary information from six to 10 years ago."
Transportation

Drone Pilot Arrested After Flying Over Two Stadiums, Dropping Leaflets (cbslocal.com) 108

"A man with an anti-media agenda was arrested in Oakland after he flew a drone over two different stadiums to drop leaflets" last Sunday, writes Slashdot reader execthis. A local CBS station reports: According to investigators, [55-year-old Tracy] Mapes piloted his drone over Levi's Stadium during the second quarter of the 49ers-Seattle game and released a load of pamphlets. He then quickly landed the drone, loaded it up and drove over to Oakland. He flew a similar mission over the Raiders-Broncos game. Santa Clara Police Lt. Dan Moreno said after Mapes was apprehended he defended the illegal action as a form of free speech.
USA Today reports there's now also an ongoing federal investigation "because the Federal Aviation Administration prohibits the flying of drones within five miles of an airport. Both Levi's Stadium and Oakland Coliseum are within that range."

"The San Francisco Chronicle added that the drone was a relatively ineffective messenger because 'most of the drone-dropped leaflets were carried away by the wind.'"
NASA

Voyager 1 Fires Up Thrusters After 37 Years (nasa.gov) 127

If you tried to start a car that's been sitting in a garage for decades, you might not expect the engine to respond. But a set of thrusters aboard the Voyager 1 spacecraft successfully fired up Wednesday after 37 years without use. NASA announces: Voyager 1, NASA's farthest and fastest spacecraft, is the only human-made object in interstellar space, the environment between the stars. The spacecraft, which has been flying for 40 years, relies on small devices called thrusters to orient itself so it can communicate with Earth. These thrusters fire in tiny pulses, or "puffs," lasting mere milliseconds, to subtly rotate the spacecraft so that its antenna points at our planet. Now, the Voyager team is able to use a set of four backup thrusters, dormant since 1980. "With these thrusters that are still functional after 37 years without use, we will be able to extend the life of the Voyager 1 spacecraft by two to three years," said Suzanne Dodd, project manager for Voyager at NASA's Jet Propulsion Laboratory, Pasadena, California.
Intel

Clear Linux Beats CentOS, openSUSE, and Ubuntu in (Enterprise) Benchmark Tests (phoronix.com) 136

An anonymous reader writes: Recently completed Linux distro benchmarks by Phoronix show Intel's Clear Linux is the most powerful on x86 hardware. A six-way, enterprise-focused Linux distro comparison show Clear Linux being the fastest with a Core i9 and Xeon systems, easily beating CentOS, openSUSE, and Ubuntu in a majority of the tests.

When doing an 11-way Linux distro boot test they also found Clear Linux easily booted the fastest followed by the Clear-inspired Solus distribution. Clear Linux does work on AMD hardware and works on Intel CPUs back to Sandy Bridge but leverages its speed from optimized compiler settings, specially built libraries capable of AVX instructions on supported systems, a specially tuned kernel configuration, and other optimizations/patches.

Debian 9.2 and Fedora 27 "ended up being dropped from this article due to data overload," the article concludes, "and those distributions really not offering anything really different in terms of the performance."
Businesses

Dark Side of Gig Economy: Some Instacart Workers Go On Strike Over Pay That Can Be as Low as $1 Per Hour (fastcompany.com) 436

From a report: Instacart shoppers and drivers -- the people who gather your groceries and deliver them to you after you order via the Instacart app -- are on strike. While independent contractors can't technically strike, via a Facebook group some of the company's thousands of employees have organized a "no delivery day" in the hopes of getting higher wages, the San Francisco Chronicle reports. The strike is only taking place in a few of the 154 cities nationwide that Instacart operates in. The action may be small, but the grievances are big. While Instacart, the 5-year-old San Francisco startup, is valued at $3.4 billion, it allegedly pays its workers as little as $1 per order. Ars Technica has a great breakdown of all the issues surrounding how Instacart employees get paid and it's complex, with three different income streams coming together Voltron-like to form a wage. The result, though, is that some shoppers are being paid less than the federal minimum wage, like a Jackson, Miss., worker who put in a 19-hour week in Jackson, Mississippi, that paid out $37.75 (roughly $2/hour). That's far below the $14/hour wage that Ars Technica says Instacart is targeting.
Intel

Intel Planning To End Legacy BIOS Support By 2020, Report Says (phoronix.com) 122

Michael Larabel, writing for Phoronix: Intel is planning to end "legacy BIOS" support in their new platforms by 2020 in requiring UEFI Class 3 or higher. Making rounds this weekend is a slide deck from the recent UEFI Plugfest. Brian Richardson of Intel talked about the "last mile" barriers to removing legacy BIOS support from systems. By 2020, they will be supporting no less than UEFI Class 3, which means only UEFI support and no more legacy BIOS or CSM compatibility support mode. But that's not going to force on UEFI Secure Boot unconditionally: Secure Boot enabled is considered UEFI Class 3+. Intel hasn't removed legacy BIOS / CSM support yet due to many customers' software packages still relying upon legacy BIOS, among other reasons. Removing the legacy BIOS support will mitigate some security risks, needs less validation by vendors, allows for supporting more modern technologies, etc.
Crime

Apple Is Served A Search Warrant To Unlock Texas Church Gunman's iPhone (nydailynews.com) 450

An anonymous reader quotes the New York Daily News: Authorities in Texas served Apple with a search warrant in order to gain access to the Sutherland Springs church shooter's cellphone files. Texas Ranger Kevin Wright obtained the warrant last week, according to San Antonio Express-News.

Investigators are hoping to gain access to gunman Devin Patrick Kelley's digital photos, messages, calls, videos, social media passwords, address book and data since January 2016. Authorities also want to know what files Kelley stored in his iCloud account.

Fast Company writes that "it's very likely that Apple will give the Rangers the same answer it gave the FBI in 2016 (in effect, hell no!)... That may be why, in the Texas case, the FBI and the Rangers didn't even bother calling Apple, but rather went straight to court."
Businesses

The Brutal Fight To Mine Your Data and Sell It To Your Boss (bloomberg.com) 75

An anonymous reader shares a report from Bloomberg, explaining how Silicon Valley makes billions of dollars peddling personal information, supported by an ecosystem of bit players. Editor Drake Bennett highlights the battle between an upstart called HiQ and LinkedIn, who are fighting for your lucrative professional identity. Here's an excerpt from the report: A small number of the world's most valuable companies collect, control, parse, and sell billions of dollars' worth of personal information voluntarily surrendered by their users. Google, Facebook, Amazon, and Microsoft -- which bought LinkedIn for $26.2 billion in 2016 -- have in turn spawned dependent economies consisting of advertising and marketing companies, designers, consultants, and app developers. Some operate on the tech giants' platforms; some customize special digital tools; some help people attract more friends and likes and followers. Some, including HiQ, feed off the torrents of information that social networks produce, using software bots to scrape data from profiles. The services of the smaller companies can augment the offerings of the bigger ones, but the power dynamic is deeply asymmetrical, reminiscent of pilot fish picking food from between the teeth of sharks. The terms of that relationship are set by technology, economics, and the vagaries of consumer choice, but also by the law. LinkedIn's May 23 letter to HiQ wasn't the first time the company had taken legal action to prevent the perceived hijacking of its data, and Facebook and Craigslist, among others, have brought similar actions. But even more than its predecessors, this case, because of who's involved and how it's unfolded, has spoken to the thorniest issues surrounding speech and competition on the internet.
Linux

Linux 4.14 Has Been Released (kernelnewbies.org) 89

diegocg quotes Kernel Newbies: Linux 4.11 has been released. This release adds support for bigger memory limits in x86 hardware (128PiB of virtual address space, 4PiB of physical address space); support for AMD Secure Memory Encryption; a new unwinder that provides better kernel traces and a smaller kernel size; support for the zstd compression algorithm has been added to Btrfs and Squashfs; support for zero-copy of data from user memory to sockets; support for Heterogeneous Memory Management that will be needed in future GPUs; better cpufreq behaviour in some corner cases; faster TBL flushing by using the PCID instruction; asynchronous non-blocking buffered reads; and many new drivers and other improvements.
Phoronix has more on the changes in Linux 4.14 -- and notes that its codename is still "Fearless Coyote."
Encryption

iPhone Encryption Hampers Investigation of Texas Shooter, Says FBI (chron.com) 240

"FBI officials said Tuesday they have been stymied in their efforts to unlock the cellphone of the man who shot and killed at least 26 people at a church here on Sunday," reports the Houston Chronicle. Slashdot reader Anon E. Muss writes: The police obtained a search warrant for the phone, but so far they've been unable to unlock it. The phone has been sent to the FBI, in the hope that they can break in... If it is secure, and the FBI can't open it, expect all hell to break loose. The usual idiots (e.g. politicians) will soon be ranting hysterically about the evil tech industry, and how they're refusing to help law enforcement.
FBI special agent Christopher Combs complained to the Chronicle that "law enforcement increasingly cannot get in to these phones."

A law professor at the Georgia Institute of Technology argues there's other sources of information besides a phone, and police officers might recognize this with better training. As just one example, Apple says the FBI could've simply just used the dead shooter's fingerprint to open his iPhone. But after 48 hours, the iPhone's fingerprint ID stops working.
Classic Games (Games)

Text Adventure Competition Reports A 36% Spike In Entries (ifcomp.org) 21

There's just four days left to vote for the winner of the 23rd Annual Interactive Fiction Competition. An anonymous reader writes: This year's contest set a record, drawing 79 new text adventures -- 36% more entries than the previous year's 58. All of this year's games are available online, furthering the competition's goal of "making them freely available in order to encourage the creation, play, and discussion of interactive fiction." (And they're also available in a 236-megabyte .zip archive.)

Each game's developer is competing for $4,800 in cash prizes, to be shared among everyone who finishes in the top two-thirds (including a $247 prize to the first-place winner). Authors of the top-rated games will also get to choose from a 38-prize pool (which includes another $200 cash prize donated by Asymmetric Publications, as well as a "well-loved" used Wii console). But the most important thing is there's a bunch of fun new text adventures to play. Reviews are already appearing online, lovingly collected by the Interactive Fiction Wiki. And one game designer even livestreamed their text adventure-playing on Twitch.

Social Networks

9.6% of Facebook's Users 'May Be Fakes' (nytimes.com) 96

An anonymous reader quotes the New York Times: Facebook estimates that about 200 million of its more than 2.07 billion users may be fakes... [Non-paywalled article here.] Colin Stretch, the general counsel of Facebook, told the Senate Intelligence Committee the company was doubling its review staff to 20,000 and using artificial intelligence to find more "bad actors"... Sean Edgett, Twitter's general counsel, testified before Congress that about 5 percent of its 330 million users are "false accounts or spam," which would add up to more than 16 million fakes.

Independent experts say the real numbers are far higher. On Twitter, little more than an email address is needed to start tweeting. Facebook's requirement that users be their authentic selves means the company asks for a smattering of information to sign up -- name, birthday, gender and email address. But few checks exist to verify if that information is true when a user signs up.

Programming

Perl is the Most Hated Programming Language, Developers Say (theregister.co.uk) 472

Thomas Claburn, writing for The Register: Developers really dislike Perl, and projects associated with Microsoft, at least among those who volunteer their views through Stack Overflow. The community coding site offers programmers a way to document their technical affinities on their developer story profile pages. Included therein is an input box for tech they'd prefer to avoid. For developers who have chosen to provide testaments of loathing, Perl tops the list of disliked programming languages, followed by Delphi and VBA. The yardstick here consists of the ratio of "likes" and "dislikes" listed in developer story profiles; to merit chart position, the topic or tag in question had to show up in at least 2,000 stories. Further down the down the list of unloved programming language comes PHP, Objective-C, CoffeeScript, and Ruby. In a blog post seen by The Register ahead of its publication today, Stack Overflow data scientist David Robinson said usually there's a relationship between how fast a particular tag is growing and how often it's disliked. "Almost everything disliked by more than 3 per cent of Stories mentioning it is shrinking in Stack Overflow traffic (except for the quite polarizing VBA, which is steady or slightly growing)," said Robinson. "And the least-disliked tags -- R, Rust, TypeScript and Kotlin -- are all among the fast-growing tags (TypeScript and Kotlin growing so quickly they had to be truncated in the plot)."
Programming

Why Do Web Developers Keep Making The Same Mistakes? (hpe.com) 335

An anonymous reader quotes HPE Insights: Software developers and testers must be sick of hearing security nuts rant, "Beware SQL injection! Monitor for cross-site scripting! Watch for hijacked session credentials!" I suspect the developers tune us out... The industry has generated newer tools, better testing suites, Agile methodologies, and other advances in writing and testing software. Despite all that, coders keep making the same dumb mistakes, peer reviews keep missing those mistakes, test tools fail to catch those mistakes, and hackers keep finding ways to exploit those mistakes. One way to see the repeat offenders is to look at the Open Web Application Security Project Top 10, a sometimes controversial ranking of the 10 primary vulnerabilities, published every three or four years by the Open Web Application Security Project... It boggles the mind that a majority of top 10 issues appear across the 2007, 2010, 2013, and draft 2017 OWASP lists...

It's sad that eight out of 10 of the issues from 2013 are still top security issues in 2017. In fact, if you consider that the draft 2017 list combined two of the 2013 items, it's actually nine out of 10. Ouch... What can you do? Train everyone better, for starters. Look at coding and test tools that can help detect or prevent security vulnerabilities, but don't consider them silver bullets. Do dynamic application security testing, including penetration testing and fuzz testing. Ensure admins do their part to protect applications. And finally, make sure you establish a culture of security-aware programming and deployment.

Medicine

Scientists Find a Better Way To Wash Pesticides Off Your Apples (cnet.com) 138

According to a new study, the best way to reduce pesticides from your supermarket apple is to use a baking soda solution. The discovery was made by a team of scientists from the University of Massachusetts at Amherst. They compared the effectiveness of plain tap water, a commercial bleach solution and a baking soda/water mix in removing pesticides from apples. CNET reports: The scientists started with organic Gala apples and applied the fungicide thiabendazole and the insecticide phosmet before testing the different washing liquids. "The baking soda solution was the most effective at reducing pesticide," a release on the study notes. "After 12 and 15 minutes, 80 percent of the thiabendazole was removed, and 96 percent of the phosmet was removed, respectively." The researchers say the industry-standard approach of washing fruit in a bleach solution for two minutes after harvest is not an effective way to completely remove pesticides. They also found the fungicide thiabendazole penetrated into the apple peel much more than the insecticide. Apple lovers would need to remove the peel to also get rid of the pesticide that wasn't washed off with the baking soda solution. The researchers published the findings this week in the American Chemical Society's Journal of Agricultural and Food Chemistry.
Open Source

Oracle Engineer Talks of ZFS File System Possibly Still Being Upstreamed On Linux (phoronix.com) 131

New submitter fstack writes: Senior software architect Mark Maybee who has been working at Oracle/Sun since '98 says maybe we "could" still see ZFS be a first-class upstream Linux file-system. He spoke at the annual OpenZFS Developer Summit about how Oracle's focus has shifted to the cloud and how they have reduced investment in Solaris. He admits that Linux rules the cloud. Among the Oracle engineer's hopes is that ZFS needs to become a "first class citizen in Linux," and to do so Oracle should port their ZFS code to Oracle Linux and then upstream the file-system to the Linux kernel, which would involve relicensing the ZFS code.

Slashdot Top Deals