Subscribe: Slashdot: DevelopersSearch Slashdot
http://rss.slashdot.org/Slashdot/slashdotDevelopers
Added By: Feedage Forager Feedage Grade A rated
Language: English
Tags:
algorithms  attack  code  data  ftp  google  java  learning  new  read story  read  slashdot  software  story slashdot  story  year 
Rate this Feed
Rate this feedRate this feedRate this feedRate this feedRate this feed
Rate this feed 1 starRate this feed 2 starRate this feed 3 starRate this feed 4 starRate this feed 5 star

Comments (0)

Feed Details and Statistics Feed Statistics
Preview: Slashdot: DevelopersSearch Slashdot

Slashdot: DevelopersSearch Slashdot



News for nerds, stuff that mattersSearch Slashdot stories



Published: 2017-02-25T22:07:21+00:00

 



Java and Python FTP Attacks Can Punch Holes Through Firewalls

2017-02-25T15:34:00+00:00

"The Java and Python runtimes fail to properly validate FTP URLs, which can potentially allow attackers to punch holes through firewalls to access local networks," reports CSO Online. itwbennett writes: Last weekend security researcher Alexander Klink disclosed an interesting attack where exploiting an XML External Entity vulnerability in a Java application can be used to send emails. At the same time, he showed that this type of vulnerability can be used to trick the Java runtime to initiate FTP connections to remote servers. After seeing Klink's exploit, Timothy Morgan, a researcher with Blindspot Security, decided to disclose a similar attack that works against both Java's and Python's FTP implementations. "But his attack is more serious because it can be used to punch holes through firewalls," writes Lucian Constantin in CSO Online. "The Java and Python developers have been notified of this problem, but until they fix their FTP client implementations, the researcher advises firewall vendors to disable classic mode FTP translation by default..." reports CSO Online. "It turns out that the built-in implementation of the FTP client in Java doesn't filter out special carriage return and line feed characters from URLs and actually interprets them. By inserting such characters in the user or password portions of an FTP URL, the Java FTP client can be tricked to execute rogue commands..."

Read more of this story at Slashdot.

(image)



Arizona Bill Would Make Students In Grades 4-12 Participate Once In An Hour of Code

2017-02-25T10:00:00+00:00

theodp writes: Christopher Silavong of Cronkite News reports: "A bill, introduced by [Arizona State] Sen. John Kavanagh [R-Fountain Hills] would mandate that public and charter schools provide one hour of coding instruction once between grades 4 to 12. Kavanagh said it's critical for students to learn the language -- even if it's only one session -- so they can better compete for jobs in today's world. However, some legislators don't believe a state mandate is the right approach. Senate Bill 1136 has passed the Senate, and it's headed to the House of Representatives. Kavanagh said he was skeptical about coding and its role in the future. But he changed his mind after learning that major technology companies were having trouble finding domestic coders and talking with his son, who works at a tech company." According to the Bill, the instruction can "be offered by either a nationally recognized nonprofit organization [an accompanying Fact Sheet mentions tech-backed Code.org] that is devoted to expanding access to computer science or by an entity with expertise in providing instruction to pupils on interactive computer instruction that is aligned to the academic standards."

Read more of this story at Slashdot.

(image)



Security Lapse Exposed New York Airport's Critical Servers For a Year

2017-02-24T22:00:00+00:00

An anonymous reader quotes a report from ZDNet: A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found. The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents. Since April last year, the airport had been inadvertently leaking its own highly-sensitive files as a result of the drive's misconfiguration. Vickery, who also posted an analysis of his findings, said the drive "was, in essence, acting as a public web server" because the airport was backing up unprotected copies of its systems to a Buffalo-branded drive, installed by a contract third-party IT specialist. When contacted Thursday, the contractor dismissed the claims and would not comment further. Though the listing still appears on Shodan, the search engine for unprotected devices and databases, the drive has since been secured. The files contained eleven disk images, accounting for hundreds of gigabytes of files and folders, which when mounted included dozens of airport staff email accounts, sensitive human resources files, interoffice memos, payroll data, and what appears to be a large financial tracking database. Many of the files we reviewed include "confidential" internal airport documents, which contain schematics and details of other core infrastructure.

Read more of this story at Slashdot.

(image)



Cloudflare Leaks Sensitive User Data Across the Web

2017-02-24T10:00:00+00:00

ShaunC writes: In a bug that's been christened "Cloudbleed," Cloudflare disclosed today that some of their products accidentally exposed private user information from a number of websites. Similar to 2014's Heartbleed, Cloudflare's problem involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Tavis Ormandy, of Google's Project Zero, discovered the flaw last week. Affected sites include Uber, Fitbit, and OK Cupid, as well as unnamed services for hotel booking and password management. Cloudflare says the bug has been fixed, and Google has purged affected pages from its search index and cache. Further reading: The Register, Ars Technica

Read more of this story at Slashdot.

(image)



Microsoft Research Developing An AI To Put Coders Out of a Job

2017-02-23T13:00:00+00:00

jmcbain writes: Are you a software programmer who voted in a recent Slashdot poll that a robot/AI would never take your job? Unfortunately, you're wrong. Microsoft, in collaboration with the University of Cambridge, is developing such an AI. This software "can turn your descriptions into working code in seconds," reports MSPoweruser. "Called DeepCoder, the software can take requirements by the developer, search through a massive database of code snippets and deliver working code in seconds, a significant advance in the state of the art in program synthesis." New Scientist describes program synthesis as "creating new programs by piecing together lines of code taken from existing software -- just like a programmer might. Given a list of inputs and outputs for each code fragment, DeepCoder learned which pieces of code were needed to achieve the desired result overall." The original research paper can be read here.

Read more of this story at Slashdot.

(image)



PHP Becomes First Programming Language To Add 'Modern' Cryptography Library In Its Core

2017-02-21T22:00:00+00:00

An anonymous reader writes from a report via BleepingComputer: The PHP team has unanimously voted to integrate the Libsodium library in the PHP core, and by doing so, becoming the first programming language to support a modern cryptography library by default. Developers approved a proposal with a vote of 37 to 0 and decided that Libsodium will be added to the upcoming PHP 7.2 release that will be launched towards the end of 2017. Scott Arciszewski, the cryptography expert who made the proposal, says that by supporting modern crypto in the PHP core, the PHP team will force the WordPress team to implement better security in its CMS, something they avoided until now. Additionally, it will allow PHP and CMS developers to add advanced cryptography features to their apps that run on shared hosting providers, where until now they weren't able to install custom PHP extensions to support modern cryptography. Other reasons on why he made the proposal are detailed here. Arciszewski also says that PHP is actually "the first" programming language to support a "modern" cryptography library in its core, despite Erlang and Go including similar libraries, which he claims are not as powerful and up-to-date as PHP's upcoming Libsodium implementation.

Read more of this story at Slashdot.

(image)



Slashdot Asks: Are Remote Software Teams More Productive?

2017-02-19T04:34:00+00:00

A recruiter with 20 years of experience recently reported on the research into whether remote software teams perform better. One study of 10,000 coding sessions concluded it takes 10-15 minutes for a programmer to resume work after an interruption. Another study actually suggests unsupervised workers are more productive, and the founders of the collaboration tool Basecamp argue the bigger danger is burnout when motivated employees overwork themselves. mikeatTB shares his favorite part of the article: One interesting take on the issues is raised by ThoughtWorks' Martin Fowler: Individuals are more productive in a co-located environment, but remote teams are often more productive than co-located teams. This is because a remote team has the advantage of hiring without geographic boundaries, and that enables employers to assemble world-class groups. The article shares some interesting anecdotes from remote workers, but I'd be interested to hear from Slashdot's readers. Leave your own experiences in the comments, and tell us what you think. Are remote software teams more productive?

Read more of this story at Slashdot.

(image)



Mozilla Will Deprecate XUL Add-ons Before the End of 2017

2017-02-17T16:40:00+00:00

Artem Tashkinov writes: Mozilla has published a plan of add-ons deprecation in future Firefox releases. Firefox 53 will run in multi process mode by default for all users with some exceptions. Most add ons will continue to function, however certain add ons have already ceased to function because they don't expect multi user mode under the hood. Firefox 54-56 will introduce even more changes which will ultimately break even more addons. Firefox 57, which will be preliminarily released on the 28th of Novermber, 2017, will only run WebExtensions: which means no XUL (overlay) add ons, no bootstrapped extensions, no SDK extensions and no Embedded WebExtensions. In other words by this date the chromification of Firefox will have been completed. If you depend on XUL add ons your only choice past this date will be Pale Moon.

Read more of this story at Slashdot.

(image)



Google Releases TensorFlow 1.0 With New Machine Learning Tools

2017-02-16T16:40:00+00:00

An anonymous reader shares a VentureBeat report: At Google's inaugural TensorFlow Dev Summit in Mountain View, California, today, Google announced the release of version 1.0 of its TensorFlow open source framework for deep learning, a trendy type of artificial intelligence. Google says the release is now production-ready by way of its application programing interface (API). But there are also new tools that will be part of the framework, which includes artificial neural networks that can be trained on data and can then make inferences about new data. Now there are more traditional machine learning tools, including K-means and support vector machines (SVMs), TensorFlow's engineering director, Rajat Monga, said at the conference. And there's an integration with the Python-based Keras library, which was originally meant to ease the use of the Theano deep learning framework. And there are now "canned estimators," or models, Monga said, including simple neural networks to start using quickly.

Read more of this story at Slashdot.

(image)



Apple Announces WWDC 2017, To Be Held in San Jose On June 5-9

2017-02-16T14:40:00+00:00

Apple said today it will kick off this year's Worldwide Developers Conference on June 5. Much like every year, the developer conference is the place where we can expect to see what's coming to iOS, macOS, watchOS, and tvOS later this year. This year, the event is being held in a different venue: the McEnery Convention Center in San Jose, the original home of WWDC. John Gruber, writing for DaringFireball: First, announcing early really helps people who have to travel long distances to attend, particularly those from outside the U.S. The San Jose Convention Center is the original home of WWDC -- that's where it was held from 1988 through 2002. (WWDC 2002 was the year Steve Jobs held a funeral for Mac OS 9 during the keynote.) San Jose is way closer to Apple headquarters. San Francisco is about an hour drive from 1 Infinite Loop. The San Jose Convention Center is only five minutes away from Apple's new campus. Schiller emphasized to me that this is a big deal: more Apple employees from more teams will be present, simply because they won't have to devote an entire day to being there. (This could be a particular boon to WWDC's developer labs, where attendees can get precious face time with Apple's engineers.)

Read more of this story at Slashdot.

(image)



JavaScript Attack Breaks ASLR On 22 CPU Architectures

2017-02-16T00:05:00+00:00

An anonymous reader quotes a report from BleepingComputer: Five researchers from the Vrije University in the Netherlands have put together an attack that can be carried out via JavaScript code and break ASLR protection on at least 22 microprocessor architectures from vendors such as Intel, AMD, ARM, Allwinner, Nvidia, and others. The attack, christened ASLRCache, or AnC, focuses on the memory management unit (MMU), a lesser known component of many CPU architectures, which is tasked with improving performance for cache management operations. What researchers discovered was that this component shares some of its cache with untrusted applications, including browsers. This meant that researchers could send malicious JavaScript that specifically targeted this shared memory space and attempted to read its content. In layman's terms, this means an AnC attack can break ASLR and allow the attacker to read portions of the computer's memory, which he could then use to launch more complex exploits and escalate access to the entire OS. Researchers have published two papers [1, 2] detailing the AnC attack, along with two videos[1, 2] showing the attack in action.

Read more of this story at Slashdot.

(image)



Google's Not-so-secret New OS

2017-02-15T15:20:00+00:00

According to reports late last year, Google is working on a new operating system called Andromeda. Much about it is still unknown, but according to the documentations Google has provided on its website, it's clear that the Fuchsia is the actual name of the operating system, and the kernel is called Magenta. A tech enthusiast dug around the documentations to share the followings: To my naive eyes, rather than saying Chrome OS is being merged into Android, it looks more like Android and Chrome OS are both being merged into Fuchsia. It's worth noting that these operating systems had previously already begun to merge together to an extent, such as when the Android team worked with the Chrome OS team in order to bring Update Engine to Nougat, which introduced A/B updates to the platform. Google is unsurprisingly bringing up Andromeda on a number of platforms, including the humble Intel NUC. ARM, x86, and MIPS bring-up is exactly what you would expect for an Android successor, and it also seems clear that this platform will run on Intel laptops. My best guess is that Android as an API and runtime will live on as a legacy environment within Andromeda. That's not to say that all development of Android would immediately stop, which seems extremely unlikely. But Google can't push two UI APIs as equal app frameworks over the long term: Mojo is clearly the future. Ah, but what is Mojo? Well it's the new API for writing Andromeda apps, and it comes from Chromium. Mojo was originally created to "extract a common platform out of Chrome's renderer and plugin processes that can support multiple types of sandboxed content."

Read more of this story at Slashdot.

(image)



How Algorithms May Affect You

2017-02-15T03:30:00+00:00

New submitter Muckluck shares an excerpt from a report via Phys.Org that provides "an interesting look at how algorithms may be shaping your life": When you browse online for a new pair of shoes, pick a movie to stream on Netflix or apply for a car loan, an algorithm likely has its word to say on the outcome. The complex mathematical formulas are playing a growing role in all walks of life: from detecting skin cancers to suggesting new Facebook friends, deciding who gets a job, how police resources are deployed, who gets insurance at what cost, or who is on a "no fly" list. Algorithms are being used -- experimentally -- to write news articles from raw data, while Donald Trump's presidential campaign was helped by behavioral marketers who used an algorithm to locate the highest concentrations of "persuadable voters." But while such automated tools can inject a measure of objectivity into erstwhile subjective decisions, fears are rising over the lack of transparency algorithms can entail, with pressure growing to apply standards of ethics or "accountability." Data scientist Cathy O'Neil cautions about "blindly trusting" formulas to determine a fair outcome. "Algorithms are not inherently fair, because the person who builds the model defines success," she said. Phys.Org cites O'Neil's 2016 book, "Weapons of Math Destruction," which provides some "troubling examples in the United States" of "nefarious" algorithms. "Her findings were echoed in a White House report last year warning that algorithmic systems 'are not infallible -- they rely on the imperfect inputs, logic, probability, and people who design them,'" reports Phys.Org. "The report noted that data systems can ideally help weed out human bias but warned against algorithms 'systematically disadvantaging certain groups.'"

Read more of this story at Slashdot.

(image)



Is IoT a Reason To Learn C?

2017-02-15T01:00:00+00:00

itwbennett writes: Whether or not beginning programmers should learn C is a question that has been roundly debated on Slashdot and elsewhere. The general consensus seems to be that learning it will make you a better programmer -- and it looks good on your resume. But now there might be another reason to learn C: the rapid growth of the internet of things (IoT) could cause a spike in demand for C skills, according to Gartner analyst Mark Driver. "For traditional workloads there is no need to be counting the bytes like there used to be. But when it comes to IoT applications there is that need once again..."

Read more of this story at Slashdot.

(image)



AI Software Juggles Probabilities To Learn From Less Data

2017-02-14T22:40:00+00:00

moon_unit2 quotes a report from MIT Technology Review: You can, for instance, train a deep-learning algorithm to recognize a cat with a cat-fancier's level of expertise, but you'll need to feed it tens or even hundreds of thousands of images of felines, capturing a huge amount of variation in size, shape, texture, lighting, and orientation. It would be lot more efficient if, a bit like a person, an algorithm could develop an idea about what makes a cat a cat from fewer examples. A Boston-based startup called Gamalon has developed technology that lets computers do this in some situations, and it is releasing two products Tuesday based on the approach. Gamalon uses a technique that it calls Bayesian program synthesis to build algorithms capable of learning from fewer examples. Bayesian probability, named after the 18th century mathematician Thomas Bayes, provides a mathematical framework for refining predictions about the world based on experience. Gamalon's system uses probabilistic programming -- or code that deals in probabilities rather than specific variables -- to build a predictive model that explains a particular data set. From just a few examples, a probabilistic program can determine, for instance, that it's highly probable that cats have ears, whiskers, and tails. As further examples are provided, the code behind the model is rewritten, and the probabilities tweaked. This provides an efficient way to learn the salient knowledge from the data.

Read more of this story at Slashdot.

(image)