Domain: github.com
Stories and comments across the archive that link to github.com.
Stories · 729
-
MikroTik Routers Are Forwarding Owners' Traffic To Unknown Attackers (bleepingcomputer.com)
Attackers have been exploiting vulnerabilities in MikroTik routers to forward network traffic to a handful of IP addresses under their control. "The bug is in Winbox management component and allows a remote attacker to bypass authentication and read arbitrary files," reports Bleeping Computer. "Exploit code is freely available from at least three sources." From the report: 360Netlab announced in a blog post today that more than 7,500 MikroTik routers across the world are currently delivering their TZSP (TaZmen Sniffer Protocol) traffic to nine external IP addresses. According to the researchers, the attacker modified the device's packet sniffing settings to forward the data to their locations. "37.1.207.114 is the top player among all the attackers. A significant number of devices have their traffic going to this destination," Qihoo experts inform.
The analysis shows that the attacker is particularly interested in ports 20, 21, 25, 110, and 144, which are for FTP-data, FTP, SMTP, POP3, and IMAP traffic. An unusual interest is in traffic from SNMP (Simple Network Management Protocol) ports 161 and 162, which researchers cannot explain at the moment. The largest number of compromised devices, 1,628, is in Russia, followed by Iran (637), Brazil (615), India (594) and Ukraine (544). The researchers say that security outfits in the affected countries can contact them at netlab[at]360.cn for a full list of IPs. -
Open Source Devs Reverse Decision to Block ICE Contractors From Using Software (vice.com)
An anonymous reader quotes Motherboard: Less than 24 hours after a software developer revoked access to Lerna, a popular open-source software management program, for any organization that contracted with U.S. Immigration and Customs Enforcement, access has been restored for any organization that wishes to use it and the developer has been removed from the project... The modified version specifically banned 16 organizations, including Microsoft, Palantir, Amazon, Northeastern University, Johns Hopkins University, Dell, Xerox, LinkedIn, and UPS... Although open-source developer Jamie Kyle acknowledged that it's "part of the deal" that anyone "can use open source for evil," he told me he couldn't stand to see the software he helped develop get used by companies contracting with ICE.
Kyle's modification of Lerna's license was originally assented to by other lead developers on the project, but the decision polarized the open-source community. Some applauded his principled stand against ICE's human rights violations, while others condemned his violation of the spirit of open-source software. Eric Raymond, the founder of the Open Source Initiative and one of the authors of the standard-bearing Open Source Definition, said Kyle's decision violated the fifth clause of the definition, which prohibits discrimination against people or groups. "Lerna has defected from the open-source community and should be shunned by anyone who values the health of that community," Raymond wrote in a blog post on his website.
The core contributor who eventually removed Kyle also apologized for Kyle's licensing change, calling it a "rash decision" (which was also "unenforceable.")
Eric Raymond had called the decision "destructive of one of the deep norms that keeps the open source community functional -- keeping politics separated from our work." -
Windows 95 Is Now An App You Can Download and Install On macOS, Windows, and Linux (theverge.com)
Slack developer Felix Rieseberg has made Windows 95 into an electron app that you can run on macOS, Windows, and Linux. The source code and app installers are available on GitHub. According to The Verge, "apps like Wordpad, phone dialer, MS Paint, and Minesweeper all run like you'd expect," but "Internet Explorer isn't fully functional as it simply refused to load pages." From the report: The app is only 129MB in size and you can download it over at Github for both macOS and Windows. Once it's running it surprisingly only takes up around 200MB of RAM, even when running all of the old Windows 95 system utilities, apps, and games. If you run into any issues with the app you can always reset the Windows 95 instance inside the app and start over again. Enjoy this quirky trip down memory lane. -
Stolen Android Anti-Piracy Software Dumped On Github (torrentfreak.com)
Dexguard, a tool used to protect Android software from piracy, tampering and cloning attacks, has been removed after being illegally posted on Github. A version of the tool exposed on the code repository was stolen from a customer of Guardsquare, the software's creator. TorrentFreak reports: "We develop premium software for the protection of mobile applications against reverse engineering and hacking," the [security company Guardsquare's] website reads. "Our products are used across the world in a broad range of industries, from financial services, e-commerce and the public sector to telecommunication, gaming and media." One of Guardsquare's products is Dexguard, a tool to protect Android applications from being decompiled, something that can lead to piracy, credential harvesting, tampering and cloning. Unfortunately, a version of Dexguard itself ended up on Github.
In a takedown notice filed with the Microsoft-owned code platform, Guardsquare explains that the code is unauthorized and was obtained illegally. "The listed folders... contain an older version of our commercial obfuscation software (DexGuard) for Android applications. The folder is part of a larger code base that was stolen from one of our former customers," Guardsquare writes. Guardsquare found almost 300 "forks" of the stolen software on Github and filed a request to have them all taken down. -
Nintendo's Switch Has Been Hiding a Buried 'VR Mode' For Over a Year (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Hackers have uncovered and tested a screen-splitting "VR Mode" that has been buried in the Switch's system-level firmware for over a year. The discovery suggests that Nintendo at least toyed with the idea that the tablet system could serve as a stereoscopic display for a virtual reality headset. Switch hackers first discovered and documented references to a "VrMode" in the Switch OS' Applet Manager services back in December when analyzing the June 2017 release of version 3.0.0 of the system's firmware. But the community doesn't seem to have done much testing of the internal functions "IsVrModeEnabled" and "SetVrModeEnabled" at the time. That changed shortly after Switch modder OatmealDome publicly noted one of the VR functions earlier this month, rhetorically asking, "has anyone actually tried calling it?" Fellow hacker random0666 responded with a short Twitter video (and an even shorter followup) showing the results of an extremely simple homebrew testing app that activates the system's VrMode functions.
As you can see in those video links, using those functions to enable the Switch's VR mode splits the screen vertically into two identical half-sized images, in much the way other VR displays split an LCD screen to create a stereoscopic 3D effect. System-level UI elements appear on both sides of the screen when the mode is enabled, and the French text shown in the test can be roughly translated to "Please move the console away from your face and click the close button." The location of the functions in the Switch firmware suggest they're part of Nintendo's own Switch code and not generic functions included in other Nvidia Tegra-based hardware. -
Valve Seems To Be Working On Tools To Get Windows Games Running On Linux (arstechnica.com)
"Valve appears to be working on a set of 'compatibility tools,' called Steam Play, that would allow at least some Windows-based titles to run on Linux-based SteamOS systems," writes Kyle Orland from Ars Technica. From the report: Yesterday, Reddit users noticed that Steam's GUI files (as captured by SteamDB's Steam Tracker) include a hidden section with unused text related to the unannounced Steam Play system. According to that text, "Steam Play will automatically install compatibility tools that allow you to play games from your library that were built for other operating systems." Other unused text in that GUI file suggests Steam Play will offer official compatibility with "supported tiles" while also letting users test compatibility for "games in your library that have not been verified with a supported compatibility tool." That latter use comes with a warning that "this may not work as expected, and can cause issues with your games, including crashes and breaking save games." -
Comcast Security Flaw Exposes Partial Addresses, Social Security Numbers of 26 Million Users (buzzfeednews.com)
olsmeister writes: A security flaw in the Comcast Xfinity online portal exposed social security numbers and partial home addresses of more than 26.5 million subscribers, according to security researcher Ryan Stevenson. Comcast says the flaws have already been patched and that it currently has no reason to believe that the flaws were ever exploited. BuzzFeed reports of the two vulnerabilities: One of the flaws could be exploited by going to an "in-home authentication" page where customers can pay their bills without signing in. The portal asked customers to verify their account by choosing from one of four partial home addresses it suggested, if the device was (or seemed like it was) connected to the customer's home network. If a hacker obtained a customer's IP address and spoofed Comcast using an "X-forwarded-for" technique, they could repeatedly refresh this login page to reveal the customer's location. That's because each time the page refreshed, three addresses would change, while one address, the correct address, remained the same. Eventually, the page would show the first digit of the street number and first three letters of the correct street name, while asterisks hid the remaining characters. A hacker could then use IP lookup websites to determine the city, state, and postal code of the partial address.
In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast's Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers' Social Security numbers. Armed with just a customer's billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer's Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form. After learning of these vulnerabilities, Comcast disabled in-home authentication and put a strict rate limit on the portal. Here's what a Comcast spokesperson had to say about the matter: "We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers' security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report." -
Hacker Posts Snapchat Source Code To GitHub (thenextweb.com)
tacarat shares a report from The Next Web with the caption, "Oops": A GitHub user with the handle i5xx, believed to be from the village of Tando Bago in Pakistan's southeastern Sindh province, created a GitHub repository called Source-Snapchat. At the time of writing, the repo has been removed by GitHub following a DMCA request from Snap Inc, so we can't take a closer look and see what it contains. That said, there are a few clues to its contents. The repository has a description of "Source Code for SnapChat," and is written in Apple's Objective-C programming language. This strongly suggests that the repo contained part or whole of the company's iOS application, although there's no way we can know for certain. It could just as easily be a minor component to the service, or a separate project from the company.
The most fascinating part of this saga is that the leak doesn't appear to be malicious, but rather comes from a researcher who found something, but wasn't able to communicate his findings to the company. According to several posts on a Twitter account believed to belong to i5xx, the researcher tried to contact SnapChat, but was unsuccessful. "The problem we tried to communicate with you but did not succeed In that we decided [sic] Deploy source code," wrote i5xx. The account also threatened to re-upload the source code. "I will post it again until you reply :)," he said. A Snap spokesperson said in a statement: "An iOS update in May exposed a small amount of our source code and we were able to identify the mistake and rectify it immediately. We discovered that some of this code had been posted online and it has been subsequently removed. This did not compromise our application and had no impact on our community."
According to Motherboard, some researchers appear to be trading the data privately. -
Microsoft Launches Open-Source Quantum Katas Project On GitHub To Teach Q# Programming (betanews.com)
BrianFagioli shares a report from BetaNews: Microsoft seems eager to get programmers on the quantum bandwagon, as today, it launched the open-source Quantum Katas on GitHub. What exactly is it? It is essentially a project designed to teach Q# programming for free. "For those who want to explore quantum computing and learn the Q# programming language at their own pace, we have created the Quantum Katas -- an open-source project containing a series of programming exercises that provide immediate feedback as you progress," says The Microsoft Quantum Team. "Coding katas are great tools for learning a programming language. They rely on several simple learning principles: active learning, incremental complexity growth, and feedback."
The team further says, "The Microsoft Quantum Katas are a series of self-paced tutorials aimed at teaching elements of quantum computing and Q# programming at the same time. Each kata offers a sequence of tasks on a certain quantum computing topic, progressing from simple to challenging. Each task requires you to fill in some code; the first task might require just one line, and the last one might require a sizable fragment of code. A testing framework validates your solutions, providing real-time feedback." You can view the project on GitHub here. -
Is C++ a 'Really Terrible Language'? (gamesindustry.biz)
Long-time Slashdot reader slack_justyb writes, "Jonathan Blow, an independent video game developer, indicated to gamesindustry.biz that while working on a recent project he stopped and considered how miserable programming can be. After some reflection Blow came to the realization as to why. [C++ is a] 'really terrible, terrible language.'"
The main flaw with C++, in Blow's opinion, is that it's a fiendishly complex and layered ecosystem that has become increasingly convoluted in its effort to solve different problems; the more layers, the higher the stack, the more wobbly it becomes, and the harder it is to understand.
"Blow is the developer of two games so far -- Braid and The Witness -- and developed a new programming language known as Jai in hopes to help C++ game developers become more productive."
With Jai, Blow hopes to achieve three things: improve the quality of life for the programmer because "we shouldn't be miserable like many of us are"; simplify the systems; and increase expressive power by allowing programmers to build a large amount of functionality with a small amount of code.
Long-time Slashdot reader xx_chris calls C++ "the triumph of syntax over clarity," while in the interview Blow calls C++ 'a weird mess.' But the original submission ends with these questions. "Is Blow correct? Has C++ become a horrific mess that we should ultimately relegate to the bins of COBOL and Pascal? Are there redeeming qualities of C++ that justify the tangle it has become?
"And is Jai a solution or just yet another programming language?" -
Microsoft Releases 125 Million Building Footprints In the US To the OpenStreetMap Community (mspoweruser.com)
An anonymous reader quotes a report from MSPoweruser: Today, Microsoft announced that it is releasing 124 Million building footprints in the United States to the OpenStreetMap community. Bing Maps team used Microsoft's CNTK Unified Toolkit to apply its Deep Neural Networks and the ResNet34 with RefineNet up-sampling layers to detect building footprints from the Bing imagery. OpenStreetMap currently has 30,567,953 building footprints in the U.S., thanks to editor contributions and various city or county wide imports. Using DNNs and Bing Imagery, Microsoft has extracted 124,885,597 footprints in the United States and making it available for download free of charge. -
Happy Birthday Alan Turing! How Modern Technology Could Win WWII In 13 Minutes (digitalocean.com)
DevNull127 writes: A grateful reporter whose father-in-law liberated a concentration camp after D-Day reports on a high-tech team that "accomplished in 13 minutes what took Alan Turing years to do — and at a cost of just $7."
"In late 2017, at the Imperial War Museum in London, developers applied modern AI techniques to break the 'unbreakable' Enigma machine used by the Nazis to encrypt their correspondences in World War II."
Two Polish co-founders of a company called Enigma Pattern decided to honor Alan Turing's ground-breaking work at Bletchley Park, where Turing had automated the testing of over 15 billion possible passwords each day by building what's considered the first modern computer. They took the problem to a modern cloud infrastructure provider, renting what one describes as "2,000 minions that do the tedious work" — specifically, crunching 41 million combinations each second — using Grimm's Fairy Tales to train an algorithm to recognize when they had found a commonly-used German word (including familiar bedtime stories like Hansel & Gretl and Rumpelstiltskin). "In the end the AI could not understand German. But it did what machine learning does best: recognize patterns."
"After 13 minutes of minion work, boom! The new Bombe had broken the code."
Turing's birthday is Saturday — and it's nice to see him being remembered so fondly. -
Microsoft Adds Post-Quantum Cryptography To an OpenVPN Fork (bleepingcomputer.com)
An anonymous reader writes: Microsoft recently published an interesting open source project called "PQCrypto-VPN" that implements post-quantum cryptography (PQC) within OpenVPN. Being developed by the Microsoft Research Security and Cryptography group, as part of their research into post-quantum cryptography, this fork is being used to test PQC algorithms and their performance and functionality when used with VPNs.
Microsoft's PQCrypto-VPN is published on Github and allows anyone to build an OpenVPN implementation that can encrypt communications using three different post-quantum cryptography protocols, with more coming as they are developed. These protocols are: (1) Frodo: a key exchange protocol based on the learning with errors problem (2) SIKE: a key exchange protocol based on Supersingular Isogeny Diffie-Hellman and (3) Picnic: a signature algorithm using symmetric-key primitives and non-interactive zero-knowledge proofs. -
Company Takes Over Well-Known OSS Developer's Name Because the Domain Was Free
New submitter Fatalis writes: Substack is a venture capital funded startup for subscription-based newsletters, and it admittedly chose its name following the advice from a Paul Graham (co-founder of Y Combinator) article to prefer names not registered in the .com zone. The same name has also been the user handle for a prolific open-source developer who now finds themselves competing for recognition in the tech space with a capital backed company. The lesson seems to be for developers to protect their personal brand by registering a domain name with the .com extension due to it being perceived as the default. -
Microsoft Addresses Pressure From Developer Community, Promises To Rename GVFS
DuroSoft writes: Earlier this week an article ran about how Microsoft's multi-year refusal to rename its terabyte-scale Git extension "GVFS" (Git Virtual File System) had drawn the ire and dismay of the GNOME GVfs project (Gnome Virtual File System) which predates the Microsoft project by years. Thanks to Slashdot coverage and community pressure, Microsoft has now officially promised to rename GVFS to something else, and is asking the community for suggestions for a new name. Is this an official sign that Microsoft is finally listening to developers (albeit with a Slashdot-level of negative attention), or are they simply trying to appease the crowd while they are still in the news due to their acquisition of GitHub? -
Programmer Creates Bee Counter Using a Raspberry Pi
Programmer Mat Kelsey created a bee counter to see exactly how many bees are hanging out in his hives. "His system, which uses a Raspberry Pi and a machine learning algorithm that recognizes the number of individual bees entering a hive, is used to see bee trends over time and see just how the bees are faring," reports TechCrunch. From the report: The system looks at sets of pictures of the hive door taken every 10 seconds. It then extrapolates out the background, assesses the objects that have moved in the frame, and then counts the things that are likely to be bees. It's a fascinating problem to solve since the bees are constantly moving and because it can also ignore bees that are coming out of the hive. You can download the source on Github and check out his detailed blog post here. Given the need for bee protection as we enter an era of colony collapses, tools like this one are wildly important. Plus it's cool to see a Raspberry Pi do something so complex. -
Microsoft Sticks With Controversial 'GVFS' Name Despite Backlash (medium.com)
New submitter DuroSoft writes: It has been over a year since Microsoft unveiled its open source GVFS (Git Virtual File System) project, designed to make terabyte-scale repositories, like its own 270GB Windows source code, manageable using Git. The problem is that the GNOME project already has a virtual file system by the name of GVfs that has been in use for years, with hundreds of threads on Stack Overflow, etc. Yet Microsoft's GVFS has already surpassed GVfs in Google and is causing confusion. To make matters worse, Microsoft has officially refused to change the name, despite a large public backlash on GitHub and social media, and despite pull requests providing scripts that can change the name to anything Microsoft wants. Is this mere arrogance on Microsoft's part, laziness to do a quick Google search before using a name, or is it something more sinister? -
'Descent' Creators Reunite For a New Game Called 'Overload' (steampowered.com)
Long-time Slashdot reader t0qer writes: In the early days of PC gaming, there were 3 major titles: Doom, Duke Nukem, and Descent. Descent was the first game to have true 3D environments and enemies, whereas Doom/Duke was considered "2.5D." Even though Descent never gained the popularity of Quake or Doom, it's had a dedicated fanbase that has continued playing and updating the game over the last 20 years.
The original programmers got together, and created a "Spiritual Successor" called Overload. Already garnering mostly positive reviews on Steam, the game features the same controls and overall feel of the original Descent, but without the frustration of having to set IRQ, DMA, and port jumpers for your Sound Blaster.
Engadget reports that the Overload devs "made sure to replicate what defined Descent and its two sequels, and what is still unique today: packing players in tight corridors to constrict their free-flying movement and transforming battles into maddening close-quarters space combat."
The game's lead designer tells them that first-person-shooter games "have evolved a lot, but that evolution has left some gaping holes in its wake." -
Microsoft Is Talking About Acquiring GitHub, Says Report (zdnet.com)
The Welcome Rain shares a report from ZDNet: Microsoft officials have been talking to GitHub about possibly acquiring the company, according to a June 1 report in Business Insider. BI claims that the two have discussed the possibility of an acquisition on an on-and-off-again basis over the years "but in the last few weeks talks have grown more serious." BI is citing unnamed "people close to the companies" as its sources. "This isn't as surprising as it would have been ten or more years ago," writes The Welcome Rain. "Microsoft is investing a lot in git, including GVFS, a Git Virtual File System to help Git work with very large codebases. What might this mean for the future of Github?" -
Malware Found In the Ubuntu Snap Store (linuxuprising.com)
An anonymous reader quotes a report from Linux Uprising: Oh, snap! Just because some packages are available to install directly from the Ubuntu Software Center doesn't make them safe. This is proved by a recent discovery of malware in some snap packages from the Ubuntu Snaps Store.
At least two of the snap packages, 2048buntu and hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, "pending further investigations." The report comes from a bug which mentions that the 2048buntu snap package (and other packages by Nicolas Tomb) contains a hidden cryptocurrency miner inside. -
New Hacking Tool Lets Users Access a Bunch of DVRs and Their Video Feeds (bleepingcomputer.com)
An anonymous reader writes: "An Argentinian security researcher named Ezequiel Fernandez has published a powerful new tool yesterday that can easily extract plaintext credentials for various DVR brands and grant attackers access to those systems, and inherently the video feeds they're supposed to record," reports Bleeping Computer. "The tool, named getDVR_Credentials, is a proof-of-concept for CVE-2018-9995, a vulnerability discovered by Fernandez at the start of last month, [affecting TBK DVR systems]. Fernandez discovered that by accessing the control panel of specific DVRs with a cookie header of 'Cookie: uid=admin,' the DVR would respond with the device's admin credentials in cleartext." Tens of thousands of vulnerable devices available online can be hijacked with their video feeds assembled in voyeur sites, like it's been done in the past. -
Facebook's Open-Source Go Bot Can Now Beat Professional Players (techcrunch.com)
Google's DeepMind isn't the only team working to defeat professional Go players with artificial intelligence. At Facebook's F8 developer conference today, the company announced a Go bot of its own that has now achieved professional status after winning all 14 games it played against a group of top 30 human Go players. TechCrunch reports: "We salute our friends at DeepMind for doing awesome work," Facebook CTO Mike Schroepfer said in today's keynote. "But we wondered: Are there some unanswered questions? What else can you apply these tools to." As Facebook notes in a blog post today, the DeepMind model itself also remains under wraps. In contrast, Facebook has open-sourced its bot. "To make this work both reproducible and available to AI researchers around the world, we created an open source Go bot, called ELF OpenGo, that performs well enough to answer some of the key questions unanswered by AlphaGo," the team writes today. Facebook's AI Research group is also developing a StarCraft bot that it too plans to open source. -
The 'Unpatchable' Exploit That Makes Every Current Nintendo Switch Hackable (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusee Gelee coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch. "Fusee Gelee isn't a perfect, 'holy grail' exploit -- though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ. The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code. The exploit can't be fixed via a downloadable patch because the flawed bootROM can't be modified once the Tegra chip leaves the factory. As Temkin writes, "unfortunately, access to the fuses needed to configure the device's ipatches was blocked when the ODM_PRODUCTION fuse was burned, so no bootROM update is possible. It is suggested that consumers be made aware of the situation so they can move to other devices, where possible." Ars notes that Nintendo may however be able to detect "hacked" systems when they sign on to Nintendo's servers. "The company could then ban those systems from using the Switch's online functions." -
Apple Open Sources FoundationDB (macrumors.com)
Apple's FoundationDB company announced on Thursday that the FoundationDB core has been open sourced with the goal of building an open community with all major development done in the open. The database company was purchased by Apple back in 2015. As described in the announcement, FoundationDB is a distributed datastore that's been designed from the ground up to be deployed on clusters of commodity hardware. Mac Rumors reports: By open sourcing the project to drive development, FoundationDB is aiming to become "the foundation of the next generation of distributed databases": "The vision of FoundationDB is to start with a simple, powerful core and extend it through the addition of "layers". The key-value store, which is open sourced today, is the core, focused on incorporating only features that aren't possible to write in layers. Layers extend that core by adding features to model specific types of data and handle their access patterns. The fundamental architecture of FoundationDB, including its use of layers, promotes the best practices of scalable and manageable systems. By running multiple layers on a single cluster (for example a document store layer and a graph layer), you can match your specific applications to the best data model. Running less infrastructure reduces your organization's operational and technical overhead." The source for FoundationDB is available on GitHub, and those who wish to join the project are encouraged to visit the FoundationDB community forums, submit bugs, and make contributions to the core software and documentation. -
GitHub Launches Bot-Powered Learning Lab for New Developers (venturebeat.com)
An anonymous reader quotes VentureBeat: GitHub is launching a new bot-powered learning lab to help budding developers get up to speed on all things GitHub... The GitHub Learning Lab, which officially launched Thursday, builds on GitHub's prior history of training people, except this time GitHub is using bots to expedite the learning process. There is no videoconferencing or webcasts here. "After training thousands of people to use Git and GitHub, the GitHub Training Team has established a tried-and-true method for helping new developers retain more information and ramp up quickly as they begin their software journeys," the company said in a blog post. "And now, we're making those experiences accessible to developers everywhere with GitHub Learning Lab."
The bot helps users work through issues in a repository environment, passing comment on any work that you do while checking over pull requests -- notifications of changes you've made -- in a similar fashion to how a human project lead might do. If the bot isn't able to help with a specific question you have, there are humans on hand too via the GitHub Learning Lab forum, which includes outside experts and members of GitHub's in-house training team. -
Linux 4.17 Kernel Offers Better Intel Power-Savings While Dropping Old CPUs (phoronix.com)
An anonymous reader writes: Linus Torvalds has released Linux 4.17-rc1. This kernel comes with a significant amount of new capabilities as outlined by the Linux 4.17 feature overview. Among the new features are AMDGPU WattMan support, Intel HDCP support, Vega 12 GPU enablement, NVIDIA Xavier SoC support, removal of obsolete CPU architectures, and even better support for the original Macintosh PowerBook 100 series. Phoronix testing has also revealed measurable power savings improvements and better power efficiency on Intel hardware. The kernel is expected to be stabilized by June. -
Firefox 11.0 For iOS Arrives With Tracking Protection On By Default (venturebeat.com)
The new version of Firefox 11.0 for iOS turns on tracking protection by default, lets you reorder your tabs, and adds a handful of iPad-specific features. The latest version is currently available via Apple's App Store. VentureBeat details the new features: Tracking protection means Firefox blocks website elements (ads, analytics trackers, and social share buttons) that could track you while you're surfing the web. It's almost like a built-in ad blocker, though it's really closer to browser add-ons like Ghostery and Privacy Badger because ads that don't track you are allowed through. The feature's blocking list, which is based on the tracking protection rules laid out by the anti-tracking startup Disconnect, is published under the General Public License and available on GitHub. The feature is great for privacy, but it also improves performance. Content loads faster for many websites, which translates into less data usage and better battery life. If tracking protection doesn't work well on a given site, just turn it off there and Firefox for iOS should remember your preference.
Tracking protection aside, iOS users can now reorder their tabs. Organizing your tabs is very straightforward: Long-press the specific tab and drag it either left or right. iPad users have gained two new features, as well. You can now share URLs by just dragging and dropping links to and from Firefox with any other iOS app. If you're in side-by-side view, just drag the link or tab into the other app. Otherwise, bring up the dock or app switcher, drag the link into the other app until it pulses, release the link, and the other app will open the link. Lastly, iPad users have gained a few more keyboard shortcuts, including the standard navigation keys from the desktop. There's also cursor navigation through the bookmarks and history results, an escape key in the URL bar, and easier tab tray navigation (try using the keyboard shortcut Command + Option + Tab to get to and from the tabs view). -
Microsoft Open-Sources Original File Manager From the 1990s So It Can Run On Windows 10 (theverge.com)
An anonymous reader quotes a report from The Verge: Microsoft is releasing the source code for its original Windows File Manager from nearly 28 years ago. Originally released for Windows 3.0, the File Manager was a replacement for managing files through MS-DOS, and allowed Windows users to copy, move, delete, and search for files. While it's a relic from the past, you can still compile the source code Microsoft has released and run the app on Windows 10 today. The source code is available on GitHub, and is maintained by Microsoft veteran Craig Wittenberg under the MIT license. Wittenberg copied the File Manager code from Windows NT 4 back in 2007, and has been maintaining it before open sourcing it recently. It's a testament to the backward compatibility of Windows itself, especially that this was originally included in Windows more than 20 years ago. -
Original 'System Shock' Code Open Sourced, More Updates Promised (kickstarter.com)
"The folks at Nightdive Studios this week released the source code for a Mac version of Looking Glass Studios' 1994 classic System Shock," reports Gamasutra. Friday the game's new owners unveiled on GitHub "the original, unaltered source code that was discovered by OtherSide Entertainment and graciously shared with us a few months ago... We have been hard at work updating this code and plan to release a new version of System Shock: Enhanced Edition as well as the code in the near future." We've gone back to the original vision we shared with you at the start of our Kickstarter campaign -- this time with more reliable performance and higher fidelity visuals thanks to the Unreal Engine... We have been able to re-use the majority of work we've done over the past year and we're making significant progress in a very short amount of time. With that said we'll be inviting our highest tier backers to privately test the game beginning in September at which point we estimate that the game will be fully playable, from start to finish. The majority of the art won't be finished, but we'll be ready to start high-level testing.
Going forward there's even a Twitch component. "In an effort to remain transparent throughout development we're going to begin streaming on a regular basis and inviting the backers to join us." And the audio department has also revealed some of the music from the medical deck.
After their Kickstarter was funded, Nightdive had explored making a "bigger, better game" after receiving a verbal commitment from a game publisher, but then "were left high and dry after making crucial, consequential changes in staff and scope... We still have the funds necessary to complete the game, but the timeline will inevitably move back with our shift in direction..."
"This will be closer to a 1:1 remake with updates to the weapon/character designs but without altering the core gameplay of the original." -
Microsoft Open Source Tool Lets You 'Bring Your Own Linux' To Windows (microsoft.com)
Long-time Slashdot reader Billly Gates writes: Debian is now available in the Windows app store. It joins Ubuntu, Suse Leap, SuSe enterprise, and Kali Linux for those who cannot or do not want to bother with a virtual machine or a full install of the OS. However, it included stable 9.3. 9.4 is available from the repository if you run apt-get update and apt-get upgrade.
"Fedora is not yet available, although Microsoft has stated openly that it is working to make it so," reports Computer Weekly. And there's more: Microsoft has also provided an open source tool called Microsoft WSL/DistroLauncher for users who want to build their own Linux package where a particular distribution is either a) not available yet or b) is available, but the user wants to apply a greater degree of customisation to it than comes as standard. -
Gay Dating App Grindr Is Letting Other Companies See User HIV Status, Location Data (buzzfeed.com)
An anonymous reader quotes a report from BuzzFeed: The gay hookup app Grindr, which has more than 3.6 million daily active users across the world, has been providing its users' HIV status to two other companies, BuzzFeed News has learned. The two companies -- Apptimize and Localytics, which help optimize apps -- receive some of the information that Grindr users choose to include in their profiles, including their HIV status and "last tested date." Because the HIV information is sent together with users' GPS data, phone ID, and email, it could identify specific users and their HIV status, according to Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, which first identified the issue.
Grindr was founded in 2009 and has been increasingly branding itself as the go-to app for healthy hookups and gay cultural content. In December, the company launched an online magazine dedicated to cultural issues in the queer community. The app offers free ads for HIV-testing sites, and last week, it debuted an optional feature that would remind users to get tested for HIV every three to six months. But the new analysis, confirmed by cybersecurity experts who analyzed SINTEF's data and independently verified by BuzzFeed News, calls into question how seriously the company takes its users' privacy. SINTEF's analysis also showed that Grindr was sharing its users' precise GPS position, "tribe" (meaning what gay subculture they identify with), sexuality, relationship status, ethnicity, and phone ID to other third-party advertising companies. And this information, unlike the HIV data, was sometimes shared via "plain text," which can be easily hacked. -
Google Open Sources Its Exoplanet-Hunting AI (vice.com)
dmoberhaus writes: Last December, NASA announced that two new exoplanets had been hiding in plain sight among data from the Kepler space telescope. These two new planets weren't discovered by a human, however. Instead, an exoplanet hunting neural network -- a type of machine learning algorithm loosely modeled after the human brain -- had discovered the planets by finding subtle patterns in the Kepler data that would've been nearly impossible for a human to see. Last Thursday, Christopher Shallue, the lead Google engineer behind the exoplanet AI, announced in a blog post that the company was making the algorithm open source. In other words, anyone can download the code and help hunt for exoplanets in Kepler data.
Google's research blog called the December discovery "a successful proof-of-concept for using machine learning to discover exoplanets, and more generally another example of using machine learning to make meaningful gains in a variety of scientific disciplines (e.g. healthcare, quantum chemistry, and fusion research)." -
How An Open Source Plugin Tamed a Chaotic Comments Section With A Simple Quiz (arstechnica.com)
Long-time Slashdot reader jebrick quotes an article from Ars Technica about how Norway's government-owned public broadcasting company "employs open source tactics to fight trolling": The five-person team behind a simple WordPress plugin, which took three hours to code, never expected to receive worldwide attention as a result. But NRKbeta, the tech-testing group at Norway's largest national media organization, tapped into a meaty vein with the unveiling of last February's Know2Comment, an open source plugin that can attach to any WordPress site's comment section. "It was a basic idea," NRKbeta developer Stale Grut told a South By Southwest crowd on Tuesday. "Readers had to prove they read a story before they were able to comment on it"... He and fellow staffers spent three hours building the plugin, which Grut reminded the crowd is wholly open source... "[W]e realized not every article is in need of this. We are a tech site; we don't have a lot of controversy, so there's not a big need for it. We use it now on stories where we anticipate there'll be uninformed debate to add this speed bump."
What do you think? And would a quiz-for-commenting-privileges be a good addition to Slashdot? -
EU Wants To Require Platforms To Filter Uploaded Content (Including Code) (github.com)
A new copyright proposal in the EU would require code-sharing platforms like GitHub and SourceForge to monitor all content that users upload for potential copyright infringement. "The proposal is aimed at music and videos on streaming platforms, based on a theory of a 'value gap' between the profits those platforms make from uploaded works and what copyright holders of some uploaded works receive," reports The GitHub Blog. "However, the way it's written captures many other types of content, including code."
Upload filters, also known as "censorship machines," are some of the most controversial elements of the copyright proposal, raising a number of concerns including:
- Privacy: Upload filters are a form of surveillance, effectively a "general monitoring obligation" prohibited by EU law
- Free speech: Requiring platforms to monitor content contradicts intermediary liability protections in EU law and creates incentives to remove content
- Ineffectiveness: Content detection tools are flawed (generate false positives, don't fit all kinds of content) and overly burdensome, especially for small and medium-sized businesses that might not be able to afford them or the resulting litigation
Upload filters are especially concerning for software developers given that:
- Software developers create copyrightable works -- their code -- and those who choose an open source license want to allow that code to be shared
- False positives (and negatives) are especially likely for software code because code often has many contributors and layers, often with different licensing for different components
- Requiring code-hosting platforms to scan and automatically remove content could drastically impact software developers when their dependencies are removed due to false positives
The EU Parliament continues to introduce new proposals for Article 13 but these issues remain. MEP Julia Reda explains further in a recent proposal from Parliament. -
GitHub Drops Support for Weak Cryptographies, Adds Emojis for Labels (github.com)
An anonymous reader writes: GitHub has quietly made a few changes this month. Labels for issues and pull requests will now also support emojis and on-hover descriptions. And they're also deprecating the anonymous creation of "gist" code snippets on March 19th, since "as the only way to create anonymous content on GitHub, they also see a large volume of spam." Current anonymous gists will remain accessible.
But the biggest change involves permanently removing support for three weak cryptographic standards, both on github.com and api.github.com.
The three weak cryptography standards that are no longer supported are:
- TLSv1/TLSv1.1. "This applies to all HTTPS connections, including web, API, and Git connections to https://github.com and https://api.github.com."
- diffie-hellman-group1-sha1. "This applies to all SSH connections to github.com."
- diffie-hellman-group14-sha1. "This applies to all SSH connections to github.com."
-
Should GitHub Allow Username Reuse? (donatstudios.com)
Jesse Donat argues via Donat Studios why GitHub should never allow usernames to be valid again once they are deleted. He provides an example of a user who deleted his GitHub account and personal domain with a popular tool used for embedding data files into Go binaries. "While this is within his rights to do, this broke a dependency many people had within their projects," Donat writes. "To fix this, some users of the project recreated the account and the repository based on a fork of the project." Donat goes on to write: Allowing username reuse completely breaks any trust that what I pull is what it claims to be. What if this user had been malicious? It may have taken a while before someone actually noticed this wasn't the original user and the code was doing something more than it claimed to.
While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review. -
Blizzard Issues DMCA Notice to a Fan-Run 'WoW' Legacy Server (torrentfreak.com)
An anonymous reader calls it "the never-ending stupidity of copyright wars." TorrentFreak reports: Blizzard Entertainment is taking a stand against a popular World of Warcraft legacy server. The fan-operated project allows gamers to experience how the game was played over a decade ago and to revive old battles... In recent years the project has captured the hearts of tens of thousands of die-hard WoW fans. At the time of writing, the most popular realm has more than 6,000 people playing from all over the world... Blizzard, however, sees this as copyright infringement and has asked GitHub to pull the site's code offline.
The article notes the DMCA notice came "just weeks after several organizations and gaming fans asked the US Copyright Office to make a DMCA circumvention exemption for 'abandoned' games." -
Facebook Announces That It Has Invented a New Unit of Time (theverge.com)
Facebook has announced a new unit of time, called Flicks. "According to the GitHub page documenting Flicks, a Flick is 'the smallest time unit which is LARGER than a nanosecond,' defined as 1/705,600,000 of a second," reports The Verge. (For comparison, a nanosecond is 1/1,000,000,000 of a second, making a Flick roughly 1.41723356 nanoseconds long.) From the report: Now, you may be sitting there wondering what was wrong with regular seconds that Facebook had to go and invent its own unit, especially since the second is one of the few units that is universal across SI and imperial units. The name itself is a portmanteau of the phrase "frame-tick," which is also why you might want to use them. Flicks are designed to help measure individual frame duration for video frame rates. So whether your video is 24hz, 25hz, 30hz, 48hz, 50hz, 60hz, 90hz, 100hz, or 120hz, you'll be able to use Flicks to ensure that everything is in sync while still using whole integers (instead of decimals). Programmers already use built in tools in C++ to manage these sorts of exact frame syncing, especially when it comes to designing visual effects in CGI, but the most exact timing possible in C++ is nanoseconds, which doesn't divide evenly into most frame rates. The idea to create a new unit of time to solve this problem dates back to last year, when developer Christopher Horvath posted about it on Facebook. -
Rust 1.23.0 Released, Community Urged To Blog Ideas For 2018 Roadmap (rust-lang.org)
An anonymous reader quotes the official Rust blog: The Rust team is happy to announce a new version of Rust, 1.23.0... New year, new Rust! For our first improvement today, we now avoid some unnecessary copies in certain situations. We've seen memory usage of using rustc to drop 5-10% with this change; it may be different with your programs... The documentation team has been on a long journey to move rustdoc to use CommonMark. Previously, rustdoc never guaranteed which markdown rendering engine it used, but we're finally committing to CommonMark. As part of this release, we render the documentation with our previous renderer, Hoedown, but also render it with a CommonMark compliant renderer, and warn if there are any differences.
A few new APIs were also stabilized in this release -- see the complete release notes here -- and you no longer need to import the trait AsciiExt to provide ASCII-related functionality on u8, char, [u8], and str.
The Rust blog made another announcement earlier this week. "As open source software becomes more and more ubiquitous and popular, the Rust team is interested in exploring new and innovative ways to solicit community feedback and participation." So while defining Rust's roadmap for 2018, "we'd like to try something new in addition to the RFC process: a call for community blog posts for ideas of what the goals should be." -
Avast Launches Open-Source Decompiler For Machine Code (techspot.com)
Greg Synek reports via TechSpot: To help with the reverse engineering of malware, Avast has released an open-source version of its machine-code decompiler, RetDec, that has been under development for over seven years. RetDec supports a variety of architectures aside from those used on traditional desktops including ARM, PIC32, PowerPC and MIPS. As Internet of Things devices proliferate throughout our homes and inside private businesses, being able to effectively analyze the code running on all of these new devices becomes a necessity to ensure security. In addition to the open-source version found on GitHub, RetDec is also being provided as a web service.
Simply upload a supported executable or machine code and get a reasonably rebuilt version of the source code. It is not possible to retrieve the exact original code of any executable compiled to machine code but obtaining a working or almost working copy of equivalent code can greatly expedite the reverse engineering of software. For any curious developers out there, a REST API is also provided to allow third-party applications to use the decompilation service. A plugin for IDA disassembler is also available for those experienced with decompiling software. -
AI-Assisted Fake Porn Is Here and We're All Screwed (vice.com)
New submitter samleecole shares a report from Motherboard: There's a video of Gal Gadot having sex with her stepbrother on the internet. But it's not really Gadot's body, and it's barely her own face. It's an approximation, face-swapped to look like she's performing in an existing incest-themed porn video. The video was created with a machine learning algorithm, using easily accessible materials and open-source code that anyone with a working knowledge of deep learning algorithms could put together. It's not going to fool anyone who looks closely. Sometimes the face doesn't track correctly and there's an uncanny valley effect at play, but at a glance it seems believable. It's especially striking considering that it's allegedly the work of one person -- a Redditor who goes by the name 'deepfakes' -- not a big special effects studio that can digitally recreate a young Princess Leia in Rogue One using CGI. Instead, deepfakes uses open-source machine learning tools like TensorFlow, which Google makes freely available to researchers, graduate students, and anyone with an interest in machine learning. Anyone could do it, and that should make everyone nervous.