Domain: github.com
Stories and comments across the archive that link to github.com.
Stories · 729
iOS 13 To Feature Dark Mode and Interface Updates, Report Says (9to5mac.com)
9to5Mac has learned of several new features expected to be included in iOS 13. From the report: Dark Mode: There will be a system-wide Dark Mode that can be enabled in Settings, including a high contrast version, similar to what's already available on macOS. Speaking of macOS, iPad apps that run on the Mac using Marzipan will finally take advantage of the Dark Mode support on both systems.
Multitasking: There are many changes coming to iPad with iOS 13, including the ability for apps to have multiple windows. Each window will also be able to contain sheets that are initially attached to a portion of the screen, but can be detached with a drag gesture, becoming a card that can be moved around freely, similar to what an open-source project called "PanelKit" could do. These cards can also be stacked on top of each other, and use a depth effect to indicate which cards are on top and which are on the bottom. Cards can be flung away to dismiss them.
Undo gesture: With iOS 13, Apple is introducing a new standard undo gesture for text input on the iPad. The gesture starts as a three-finger tap on the keyboard area, sliding left and right allows the user to undo and redo actions interactively.
Safari improvements: Safari on iOS 13 for the iPad will automatically ask for a desktop version of websites when necessary, preventing a common issue where websites will render their iPhone version even when running on an iPad with a big screen. YouTube is notorious for this behavior, forcing users to rely on a 'Request Desktop Site' button.
Font management: Font management is getting a major upgrade on iOS 13. It will not be necessary to install a profile to get new fonts into the system anymore. Instead there will be a new font management panel in Settings. A new standard font picker component will be available for developers and the system will notify the user when they open a document that has missing fonts.
Smarter Mail: The upgraded Mail app will be able to organize messages into categories such as marketing, purchases, travel, "not important" and more, with the categories being searchable. Users will also be able to add messages to a "read later" queue similar to third-party email apps. Improved multiple item selection: The focus on productivity on iOS continues with the inclusion of new gestures to allow for the selection of multiple items in table views and collection views, which make up for most of the user interfaces found in apps that list large amounts of data. Users will be able to drag with multiple fingers on a list or collection of items to draw a selection, similar to clicking and dragging in Finder on the Mac.
New Volume HUD and other changes: Other features to come with iOS 13 include a redesigned Reminders app, which is also coming to the Mac, a new volume HUD, better "Hey Siri" rejection for common mistaken noises such as laughter and crying babies, better multilingual support for keyboards and dictation, and expanded in-app printing controls. Apple is expected to officially unveil the next major iPhone and iPad OS at its annual Worldwide Developers Conference on June 3rd.
GNU GPLv3 At the Heart of the Black Hole Image (www.tfir.io)
arnieswap quotes TFIR's report on the black hole image: Free and Open Source software was at the heart of this image. The team used three different imaging software libraries to achieve the feat. Out of the three, two were fully open source libraries. The source code of the software is publicly available on GitHub.
Richard M Stallman, the founder of the GNU Project, will be glad to see that both libraries (Sparselab and ehtim) are released under GNU GPL v3. Yes, you read it right – GNU GPL v3.
A Suite of Digital Cryptography Tools, Released Today, Has Been Mathematically Proven To Be Completely Secure and Free of Bugs (quantamagazine.org)
By making programming more mathematical, a community of computer scientists is hoping to eliminate the coding bugs that can open doors to hackers, spill digital secrets and generally plague modern society. From a report: Now a set of computer scientists has taken a major step toward this goal with the release today of EverCrypt, a set of digital cryptography tools. The researchers were able to prove -- in the sense that you can prove the Pythagorean theorem -- that their approach to online security is completely invulnerable to the main types of hacking attacks that have felled other programs in the past. "When we say proof, we mean we prove that our code can't suffer these kinds of attacks," said Karthik Bhargavan, a computer scientist at Inria in Paris who worked on EverCrypt.
EverCrypt was not written the way most code is written. Ordinarily, a team of programmers creates software that they hope will satisfy certain objectives. Once they finish, they test the code. If it accomplishes the objectives without showing any unwanted behavior, the programmers conclude that the software does what it's supposed to do. Yet coding errors often manifest only in extreme "corner cases" -- a perfect storm of unlikely events that reveals a critical vulnerability. Many of the most damaging hacking attacks in recent years have exploited just such corner cases.
Windows 10 Calculator Will Soon Be Able To Graph Math Equations (zdnet.com)
Earlier this month, Microsoft made the source code for its Windows calculator available on GitHub. This has spurred developers to add new features to the app, like a new graphing mode that will make its way to the official Windows Calculator app. The "Graphing Mode" is one of 30+ suggestions that open-source contributors have proposed so far. ZDNet reports: As its name implies, Graphing Mode will allow users to create graphs based on mathematical equations, in a similar way to Matlab's (way more advanced) Plotting Mode. The feature was proposed by Microsoft engineer Dave Grochocki, also a member of the Windows Calculator team. In a GitHub issue Grochocki submitted to support his proposal, he argued that a graphing mode would help students learn algebra more easily.
"High school algebra is the gateway to mathematics and all other disciplines of STEM," Grochocki said. "However, algebra is the single most failed course in high school, as well as the most failed course in community college." By adding a Graphing Mode to Windows Calculator, an app included with all Windows 10 versions, the Microsoft engineer hopes to provide students and teachers with a free tool to help schools across the world. "Physical graphing calculators can be expensive, software solutions require licenses and configuration by school IT departments, and online solutions are not always an option," he added. "Graphing capabilities in their daily tools are essential for students who are beginning to explore linear algebra as early as 8th grade. [...] At present, Windows Calculator does not currently have the needed functionality to meet the demands of students."
There's no timeline for when the new graphing mode will arrive, but it should arrive soon.
Researchers Uncover Ring of GitHub Accounts Promoting 300+ Backdoored Apps (zdnet.com)
An anonymous reader writes: A security researcher has uncovered a ring of malicious GitHub accounts promoting over 300 backdoored Windows, Mac, and Linux applications and software libraries. The malicious apps contained code to gain boot persistence on infected systems and later download other malicious code -- which appeared to be a "sneaker bot," a piece of malware that would add infected systems to a botnet that would later participate in online auctions for limited edition sneakers.
All the GitHub accounts that were hosting these files -- backdoored versions of legitimate apps -- have now been taken down. One account, in particular, registered in the name of Andrew Dunkins, hosted 305 backdoored ELF binaries. Another 73 apps were hosted across 88 other accounts.
'This Person Does Not Exist' Website Uses AI To Create Realistic Yet Horrifying Faces (inverse.com)
A website that uses AI -- Generative Adversarial Networks (GANs) -- to generate photos of people who do not exist is circulating on social media and forums this week. A news writeup adds: Every time the site is refreshed, a shockingly realistic -- but totally fake -- picture of a person's face appears. Uber software engineer Phillip Wang created the page to demonstrate what GANs are capable of, and then posted it to the public Facebook group "Artificial Intelligence & Deep Learning" on Tuesday. The underlying code that made this possible, titled StyleGAN, was written by Nvidia and featured in a paper that has yet to be peer-reviewed. This exact type of neural network has the potential to revolutionize video game and 3D-modeling technology, but, as with almost any kind of technology, it could also be used for more sinister purposes.
Open Source Project Aims To Make Ubuntu Usable on Arm-Powered Windows Laptops (techrepublic.com)
A group of programmers and device hackers are working to bring proper support for Ubuntu to Arm-powered Windows laptops, starting with first-generation Snapdragon 835 systems, like the HP Envy x2 and Asus NovaGo. From a report: The aarch64-laptops project provides prebuilt images for the aforementioned notebook PCs, as well as the Lenovo Miix 630. Although Ubuntu and other Linux distributions support aarch64 (ARMv8) by default, various obstacles including the design and configuration of Qualcomm Snapdragon processors make these default images not practically usable. The aarch64-laptops project developers are aiming to address these difficulties, though work is still ongoing. Presently, the TouchPad does not work properly on the Asus, with all three lacking proper support for on-board storage and Wi-Fi, which rely on UFS support. According to their documentation, this is being worked on upstream.
You Can Now Run Windows 10 on the Raspberry Pi 3 (tomshardware.com)
Raspberry Pi is finally ready for the full Windows 10 experience. From a report: A new installer lets you put Windows 10 on Arm, including the Pi. And it's made by the same people who got Windows 10 on Arm onto Lumia 950 and 950 XL handsets. You can find the Github page here, in which developer Jose Manuel Nieto Sanchez calls the tool "super easy to use" and "no-hassle." It requires a Raspberry Pi 3 Model B or B+, a microSD card (he recommends an A1 rating) and a Windows 10 ARM64 image, which is linked to from the page where you get the download instructions.
Developer Releases Windows 95 OS as an App For Windows 10, macOS and Linux (betanews.com)
Mark Wycislik-Wilson, writing for BetaNews: Last year, developer Felix Rieseberg released Windows 95 as an Electron app to let 90s computer users relive their younger years. Now he's back with a second version of the Windows 95 app, and it's even better than ever -- gaming classics such as Doom and Wolfenstein3D are now included, for starters! Based on the Electron framework, Windows 95 2.0 is written in JavaScript, and is essentially a 500MB standalone virtual machine. The original release was lacking in a number of areas -- such as no sound or internet access. This second release is described as a "big update" and includes a web browser in the form of Netscape Navigator 2.0.
Tesla Hacker Launches Open-Source Project 'FreedomEV' To Run On Rooted Teslas, Bring New Wi-Fi Hotspot and Anti-Tracking Features (freedomev.com)
Slashdot reader internet-redstar writes: The Tesla Hacker, Jasper Nuyens -- who uncovered Tesla's "unconfirmed lane change" last year -- has now launched at FOSDEM an open-source project called "FreedomEV" to run on top of rooted Teslas. It adds new features to the vehicles, such as a "Hotspot Mode" for in-car Wi-Fi and a "Cloak Mode" to prevent all location tracking, and more. It hopes to become available for other cars too. The full presentation video can be found here. The Github project and the website. He is looking for contributors and support from Tesla.
Emulator Project Aims To Resurrect Classic Mac Apps, Games Without the OS (arstechnica.com)
An anonymous reader quotes a report from Ars Technica, written by Sean Gallagher: Want to be able to run classic Mac OS applications compiled for the Motorola 68000 series of processors on your ever-so-modern Mac OS X machine? Or maybe you'd rather run them on a Raspberry Pi, or an Android device for that matter? There's an emulation project that's trying to achieve just that: Advanced Mac Substitute (AMS). Advanced Mac Substitute is an effort by long-time Mac hacker Josh Juran to make it possible to run old Mac OS software (up to Mac OS 6) without a need for an Apple ROM or system software. Other emulators out there for 64000 Mac applications such as Basilisk II require a copy of MacOS installation media -- such as install CDs from Mac OS 7.5 or Mac OS 8. But AMS uses a set of software libraries that allow old Mac applications to launch right within the operating environment of the host device, without needing to have a full virtual hardware and operating system instance behind them. And it's all open source.
I got a demo of AMS from Juran at Shmoocon in Washington, DC, this past weekend. He showed me an early attempt at getting the game LoadRunner to work with the emulator -- it's not yet interactive. A version of the project, downloadable from Github, includes a "Welcome" screen application (a sort of Mac OS "hello world"), Mac Tic-Tac-Toe, and an animation of NyanCat. Applications are launched from the command line for now and are executed by the emulation software, which interprets the system and firmware calls. Unfortunately, there's still a lot of work to be done. While AMS works on Mac OS X up to version 10.12 -- both on Intel and PowerPC versions of the operating system -- the code currently won't compile on MacOS Mojave. And the Linux implementation of AMS does not yet support keyboard input. I was unable to get the front end to execute at all on Debian 9 on Intel.
Google Proposes Changes To Chromium Browser That Will Break Content-Blocking Extensions, Including Various Ad Blockers
"Google engineers have proposed changes to the open-source Chromium browser that will break content-blocking extensions, including various ad blockers," reports The Register. "The drafted changes will also limit the capabilities available to extension developers, ostensibly for the sake of speed and safety. Chromium forms the central core of Google Chrome, and, soon, Microsoft Edge." From the report: In a note posted Tuesday to the Chromium bug tracker, Raymond Hill, the developer behind uBlock Origin and uMatrix, said the changes contemplated by the Manifest v3 proposal will ruin his ad and content blocking extensions, and take control of content away from users. Manifest v3 refers to the specification for browser extension manifest files, which enumerate the resources and capabilities available to browser extensions. Google's stated rationale for making the proposed changes is to improve security, privacy and performance, and supposedly to enhance user control.
But one way Google would like to achieve these goals involves replacing the webRequest API with a new one, declarativeNetRequest. The webRequest API allows extensions to intercept network requests, so they can be blocked, modified, or redirected. This can cause delays in web page loading because Chrome has to wait for the extension. In the future, webRequest will only be able to read network requests, not modify them. The declarativeNetRequest allows Chrome (rather than the extension itself) to decide how to handle network requests, thereby removing a possible source of bottlenecks and a potentially useful mechanism for changing browser behavior. The report notes that Adblock Plus "should still be available" since "Google and other internet advertising networks apparently pay Adblock Plus to whitelist their online adverts."
Rust 1.32.0 Stable Release Includes New Debugging Macro, 'Quality of Life' Improvements (rust-lang.org)
An anonymous reader summarizes the changes in Thursday's release of Rust 1.32.0 stable: "Quality of life" improvements include a new dbg macro to easily print values for debugging without having to use a println statement. For example, dbg!(x); prints the filename and line number, as well as the variable's name and value, to stderr (rather than to standard output). Making it even more useful, the macro also returns the value of what it's debugging -- even all the boolean values returned by each execution of an if-then statement.
Rust macros can now match literals of any type (string, numeric, char) -- and the 2018 edition of Rust also allows ? for matching zero or one repetitions of a pattern.
In addition, all integral numeric primitives now provide conversion functions to and from byte-arrays with specified endianness.
200 Million Chinese Resumes Leak In Huge Database Breach (thenextweb.com)
According to a report from HackenProof, a database containing resumes of over 200 million job seekers in China was exposed last month. "The leaked info included not just the name and working experience of people, but also their mobile phone number, email, marriage status, children, politics, height, weight, driver license, and literacy level as well," reports The Next Web. From the report: Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, found an unprotected instance of MongoDB containing these resumes on December 28. Diachenko found the resumes in the open database search engines Shodan and BinaryEdge. The 854GB database didn't have any password protection and was open to anyone to read.
Diachenko wasn't able to identify who generated the database or who owned it, but a now-defunct GitHub code repository featured code that used an identical data structure to the leaked database. The database contained scraped data from multiple Chinese classified websites like bj.58.com. However, in a blog post, the website's spokesperson denied the leak. Interestingly, the database was taken down as soon as Diachenko posted about the database on Twitter. Sadly, the MongoDB log showed at least a dozen IP addresses that read the instance before it went off the grid.
Microsoft Launches Visual Studio 2019 Preview 1 For Windows and Mac; Open-Sources WPF, Forms and WinUI (venturebeat.com)
An anonymous reader writes: At its Microsoft Connect(); 2018 virtual event today, Microsoft announced the initial public preview of Visual Studio 2019 -- you can download it now for Windows and Mac. Separately, .NET Core 2.2 has hit general availability and .NET Core 3.0 Preview 1 is also available today.
At the event today, Microsoft also made some open-source announcements, as is now common at the company's developer shindigs. Microsoft open-sourced three popular Windows UX frameworks on GitHub: Windows Presentation Foundation (WPF), Windows Forms, and Windows UI XAML Library (WinUI). Additionally, Microsoft announced the expansion of the .NET Foundation's membership model.
Kubernetes' First Major Security Hole Discovered (zdnet.com)
Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It's a CVSS 9.8 critical security hole. From a report: With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials. Can you say root? I knew you could. Worse still, "In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation." So, yes, anyone who knows about this hole can take command of your Kubernetes cluster.
Mapping the Spectral Landscape of IPv6 Networks (duo.com)
Trailrunner7 writes: Like real estate, we're not making any more IPv4 addresses. But instead of trying to colonize Mars or build cities under the sea, the Internet's architects developed a separate address scheme with an unfathomably large pool of addresses. IPv6 has an address space of 2^128, compared to IPv4's 2^32, and as the exhaustion of the IPv4 address space began to approach, registries started allocating IPv6 addresses and there now are billions of those addresses active at any given time. But no one really knows how many or where they are or what's behind them or how they're organized.
A pair of researchers decided to tackle the problem and developed a suite of tools that can find active IPv6 addresses both in the global address space and in smaller, targeted networks. Known as ipv666, the open source tool set can scan for live IPv6 hosts using a statistical model that the researchers built. The researchers, Chris Grayson and Marc Newlin, faced a number of challenges as they went about developing the ipv666 tools, including getting a large IPv6 address list, which they accumulated from several publicly available data sets. They then began the painful process of building the statistical model to predict other IPv6 addresses based on their existing list.
That may seem weird, but IPv6 addresses are nothing at all like their older cousins and come in a bizarre format that doesn't lend itself to simple analysis or prediction. Grayson and Newlin wanted to find as many live addresses as possible and ultimately try to figure out what the security differences are between devices on IPv4 and those on IPv6.
Node.js Event-Stream Hack Reveals Open Source 'Developer Infrastructure' Exploit (arstechnica.com)
"[O]n Nov. 26 it was publicly revealed that a widely deployed open-source Node.js programming language module known as event-stream had been injected with malicious code that looked to steal cryptocurrency wallets," reports eWeek, adding "The event-stream library has over two million downloads."
An anonymous reader quotes Ars Technica: The backdoor came to light [November 20th] with this report from Github user Ayrton Sparling. Officials with the NPM, the open source project manager that hosted event-stream, didn't issue an advisory until six days later.... "This compromise was not targeting module developers in general or really even developers," an NPM official told Ars in an email. "It targeted a select few developers at a company, Copay, that had a very specific development environment set up. Even then, the payload itself didn't run on those developers' computers; rather, it would be packaged into a consumer-facing app when the developers built a release. The goal was to steal Bitcoin from this application's end users...."
According to the Github discussion that exposed the backdoor, the longtime event-stream developer no longer had time to provide updates. So several months ago, he accepted the help of an unknown developer. The new developer took care to keep the backdoor from being discovered. Besides being gradually implemented in stages, it also narrowly targeted only the Copay wallet app. The malicious code was also hard to spot because the flatmap-stream module was encrypted. The attack is the latest to exploit weaknesses in a widely used supply chain to target downstream end users... The supply-chain attacks show one of the weaknesses of open source code. Because of its openness and the lack of funds of many of its hobbyist developers and users, open source code can be subject to malicious modifications that often escape notice.
"The time has come," concludes Ars Technica, "for maintainers and users of open source software to devise new measures to better police the millions of packages being used all around us." Sophos' security blog also asks why so many developers "immediately and blindly trusted the new maintainer," and shared a concerned comment from a developer named Chris Northwood.
"Nothing's stopping this happening again, and it's terrifying."
Washington DC Made GitHub Its Official Digital Source For Laws (arstechnica.com)
"Recently, I found a typo in the District of Columbia's legal code and corrected it using GitHub," writes D.C. based "civic hacker" Joshua Tauberer, adding "My feat highlights the groundbreaking way the District manages its legal code." The District does something with its legal code that no other jurisdiction in the world does (to my knowledge): it publishes the law on GitHub.... This isn't a copy of the DC law. It is an authoritative source. It is where the DC Council stores the digital versions of enacted laws, and this source feeds directly into the Council's DC Code website.... This is a milestone in the advancement of open government and open legal publishing.
No one should expect that editing the law on GitHub is going to become the new normal, however. My edit wasn't substantive. This sort of "technical correction," as lawyers would call it, didn't need to be passed by the Council and signed by the Mayor. I also happen to have expertise in this particular law, GitHub, XML, and the Council's new publishing process created by the Open Law Library.... GitHub's pull-request feature isn't going to replace public hearings, expert testimony, negotiations between stakeholders, votes by elected representatives, etc. -- and it shouldn't. Yet Open Law Library's new legal publishing process is groundbreaking. The Open Law Library is changing how we change the law...
Open Law Library's mission as a nonprofit is to make all laws as open and accessible as possible. The library's strategy is to achieve openness by making openness pay off for governments: it uses open, machine-readable laws to build software tools that make codification faster and more accurate. The cool thing about this is that governments can benefit from using Open Law Library's software even if open data isn't their highest priority, but in the background they'll still be publishing their laws in an open and accessible format -- everybody wins. Today, instead of authoring the DC Code in Word documents stored on a hard drive in a locked room in a basement, the Code is now stored in XML format in a place everyone can see -- on the Web."
The article notes that 18 more states have now enacted "Uniform Electronic Legal Material Acts" -- and that several other jurisdictions are already publishing their legal codes with official bulk XML downloads. "The US federal government began publishing XML downloads for the Code of Federal Regulations in 2009 and the United States Code in 2013."
But the District of Columbia "appears to be the first jurisdiction to combine the two by putting its legal code on GitHub and accepting a change from a member of the public." -
GitHub's Four Most Popular Programming Languages Remain: JavaScript, Java, Python, and PHP (thenewstack.io)
A recent TechCrunch article claimed to have identified the best indicator of programming language popularity: GitHub's annual "State of the Octoverse" reports. So Austin-based technology reporter Mike Melanson explored the new verdict in GitHub's 2018 report: It felt to me like the overarching theme of the numbers was one of quiet stasis for the year past, at least when it comes to those languages deemed the cream of the crop. One of the first graphics offered in the post shows the top languages according to the number of repositories created and we see that everything seems to be flowing along, just as it has for the last decade. While GitHub points to a "steady uptick" for JavaScript after 2011, it looks like this list of languages hasn't changed much over time. [The graphic shows the four most popular languages -- every year since early 2014 -- have been JavaScript, Java, Python, and PHP.]
When we look at the top languages according to the number of contributors, we see a similar story, with the top four languages mirrored. In this chart, of course, we see that Ruby is on a steady decline, while TypeScript is on a steady rise. The only surprise to be seen here is that C, after a brief uptick in popularity, has taken a bit of a nosedive over the past year. Either way, seven of 10 languages have the same exact ranking....
Finally, beyond the language rankings themselves, GitHub offers a wonderful analysis of just what it is that makes a particular language popular in 2018, boiling it down to three key characteristics: thread safety, interoperability, and being open source.
GitHub's report also identifies its fastest growing languages over the last year -- including Kotlin, TypeScript, Rust, Python, and Go. "This year, TypeScript shot up to #7 among top languages used on the platform overall, after making its way in the top 10 for the first time last year," the report notes.
"TypeScript is now in the top 10 most used languages across all regions GitHub contributors come from -- and across private, public, and open source repositories." -
GitHub's Annual Report Reveals This Year's Top Contributor: Microsoft (github.com)
GitHub saw more than 67 million pull requests this year -- more than a third of GitHub's "lifetime" total of 200 million pull requests since its launch in 2008. It now hosts 96 million repositories, and has over 31 million contributors -- including 8 million who just joined within the last 12 months.
These are among the facts released in GitHub's annual "State of the Octoverse" report -- a surprising number of which involve Microsoft.
- GitHub's top project this year, by contributor count, was Microsoft's Visual Studio Code (with 19,000 contributors), followed by Facebook's React Native (10,000), TensorFlow (9,300) and Angular CLI (8,800) -- as well as Angular (7,600) -- and the open source documentation for Microsoft Azure (7,800).
- Microsoft now has more employees contributing to open source projects than any other company or organization (7,700 employees), followed by Google (5,500), Red Hat (3,300), U.C. Berkeley (2,700), and Intel (2,200).
- The open source documentation for Microsoft Azure is GitHub's fastest-growing open source project, followed by PyTorch (an open source machine learning library for Python).
- Among the "Cool new open source projects" is an Electron app running Windows 95.
But more than 2.1 million organizations are now using GitHub (including public and private repositories) -- which is 40% more than last year -- and the report offers a fun glimpse into the minutiae of life in the coding community.
Read on for more details.
"Since we've launched security alerts, we've alerted you to more than 5 million vulnerabilities across the open source projects your teams depend on. And you've already resolved more than 800,000 of these," GitHub reports. In addition, "This year, more than 150 hackers helped us resolve issues in an average of 6 days," with a total of 213 bug bounty reports resolved. "Together, the engineers and researchers in our program earned more than $300,000 in bounties."
There are also some statistics on how contributors use GitHub:
- Contributors are most active -- creating issues, opening pull requests, or making comments -- between two and four in the afternoon.
- GitHub reports that its contributors are less active in private repositories on weekends, "And there's always one quiet day on GitHub, regardless of location: New Year's."
- GitHub's top trending topic was "hacktoberfest", followed by "pytorch".
- GitHub's top emoji is a yellow "thumbs-up" icon, which over the last year was used 3.5 million times. GitHub even reports which programming language communities were most likely to use the yellow thumbs-up icon -- Java, followed by TypeScript, Go, JavaScript, and Python. (The Ruby community, meanwhile, was the one most likely to use the red heart icon.)
And there are also statistics on where contributors are located.
- 80% of GitHub's users come from outside of the United States, with that percentage increasing year after year. But the U.S. still has the most contributors, followed by China, and India -- and the same three countries also had the most new signups this year.
- The countries with the next-most contributors were the U.K., Germany, Canada, and Brazil (which rose three ranks this year, from the #10 position to #7...)
- Overall, more open source projects have been created in Asia than any other part of the world.
"Developers from the Czech Republic are especially chatty in public and open source repositories," the report notes -- followed by Switzerland, Germany, the United States, the Netherlands, and the United Kingdom.
-
Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit (zdnet.com)
"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."
The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.
Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."
"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor." -
New SystemD Vulnerability Discovered (theregister.co.uk)
The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."
OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.
Systemd creator Lennart Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary. -
Microsoft Closes Its $7.5 Billion Purchase of GitHub (techcrunch.com)
Microsoft has officially closed its acquisition of GitHub, the Git-based code sharing and collaboration service with 31 million developers. "The Redmond, WA-based software behemoth first said it would acquire GitHub for $7.5 billion in stock in June of this year, and after the acquisition closed it would continue to run it as an independent platform and business," reports TechCrunch. From the report: The acquisition is yet another sign of how Microsoft has been doubling down on courting developers and presenting itself as a neutral partner to help them with their projects. That is because, despite its own very profitable proprietary software business, Microsoft also has a number of other businesses -- for example, Azure, which competes with AWS and Google Cloud -- that rely heavily on it being unbiased towards one platform or another. And GitHub, Microsoft hopes, will be another signal to the community of that position. In that regard, it will be an interesting credibility test for the companies. Nat Friedman, previously the CEO of Xamarin, will be the CEO of GitHub on Monday. He says the site will be run as an independent platform and business.
"We will always support developers in their choice of any language, license, tool, platform, or cloud," he writes, noting that there will be more tools to come. "We will continue to build tasteful, snappy, polished tools that developers love," he added. -
GitHub's Website Remains Broken After a Data Storage System Failed Earlier Today (theregister.co.uk)
GitHub engineers are trying to repair the data storage system underpinning the code hosting website, which has been presenting users with a "What!?" error for much of Sunday. From a report: Depending on where you are, you may have been working on some Sunday evening programming, or getting up to speed with work on a Monday morning, using resources on GitHub.com -- and possibly failing miserably as a result of the outage. From about 4pm US West Coast time on Sunday, the website has been stuttering and spluttering. Specifically, the site is still up and serving pages -- it's just intermittently serving out-of-date files, and ignoring submitted Gists, bug reports, and posts. Sometimes, it appears to be serving a read-only cache or older backup of itself, although some fresh code pushes are coming through onto the site. From the status page, it appears a data storage system died, forcing the platform's engineers to move the dot-com's files over to another box. In the meantime, some older versions of files and repos are being served to visitors and users. "We're continuing to work on migrating a data storage system in order to restore access to GitHub.com," the team said just after 5pm PT, adding in the past few minutes: "We are continuing to repair a data storage system for GitHub.com. You may see inconsistent results during this process." -
Zero-Day In Popular jQuery Plugin Actively Exploited For At Least Three Years (zdnet.com)
Slashdot reader generic shares a report from ZDNet: For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned. The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan, most commonly known as Blueimp. The plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.
Earlier this year, Larry Cashdollar, a security researcher for Akamai's SIRT (Security Intelligence Response Team), discovered a vulnerability in the plugin's source code that handles file uploads to PHP servers. Cashdollar says that attackers can abuse this vulnerability to upload malicious files to servers, such as backdoors and web shells. The Akamai researcher says the vulnerability has been exploited in the wild. "I've seen stuff as far back as 2016," the researcher told ZDNet in an interview. The vulnerability was one of the worst kept secrets of the hacker scene and appears to have been actively exploited, even before 2016. Cashdollar found several YouTube videos containing tutorials on how one could exploit the jQuery File Upload plugin vulnerability to take over servers. One of three YouTube videos Cashdollar shared with ZDNet is dated August 2015. Thankfully, a fix, tracked as CVE-2018-9206, was pushed earlier this month to address this issue. "All jQuery File Upload versions before 9.22.1 are vulnerable," reports ZDNet. "Since the vulnerability affected the code for handling file uploads for PHP apps, other server-side implementations should be considered safe." -
Microsoft Open Sources Parts of Minecraft's Java Code (kotaku.com.au)
Four years after Microsoft acquired Minecraft developer Mojang, the company has decided to open source some of Minecraft's Java code. According to Kotaku, Microsoft and Mojang released two parts of Minecraft's Java code in library form, so that "anyone can pick them up and use them in their own game," says Lead Engineer Nathan Adams. From the report: For now, there's just the two libraries: "Brigadier," a "command parser and dispatcher"; and "DataFixerUpper," designed for "incremental building, merging and optimization of data transformations ... [to convert] the game data for Minecraft: Java Edition between different versions of the game." While the news doesn't mean much for players, it will be a boon for interested programmers and developers, keen to see the guts of Minecraft. The plan is to open source more components in the future, though no time frame is specified. For now, if you want to check out Brigadier or DataFixerUpper, both can be found on Mojang's GitHub page. -
Microsoft 'Re-Open Sources' MS-DOS on GitHub (microsoft.com)
An anonymous reader quotes Microsoft's Developer blog: In March 2014, Microsoft released the source code to MS-DOS 1.25 and 2.0 via the Computer History Museum. The announcement also contains a brief history of how MS-DOS came to be for those new to the subject, and ends with many links to related articles and resources for those interested in learning more. Today, we're re-open-sourcing MS-DOS on GitHub. Why? Because it's much easier to find, read, and refer to MS-DOS source files if they're in a GitHub repo than in the original downloadable compressed archive file.... Enjoy exploring the initial foundations of a family of operating systems that helped fuel the explosion of computer technology that we all rely upon for so much of our modern lives!
While non-source modifications are welcome, "The source will be kept static," reads a note on the GitHub repo, "so please don't send Pull Requests suggesting any modifications to the source files."
"But feel free to fork this repo and experiment!" -
New Custom Linux Distro is Systemd-Free, Debian-Based, and Optimized for Windows 10 (mspoweruser.com)
An anonymous reader quotes MSPowerUser: Nearly every Linux distro is already available in the Microsoft Store, allowing developers to use Linux scripting and other tools running on the Windows Subsystem for Linux (WSL). Now another distro has popped up in the Store, and unlike the others it claims to be specifically optimised for WSL, meaning a smaller and more appropriate package with sane defaults which helps developers get up and running faster.
WLinux is based on Debian, and the developer, Whitewater Foundry, claims their custom distro will also allow faster patching of security and compatibility issues that appear from time to time between upstream distros and WSL... Popular development tools, including git and python3, are pre-installed. Additional packages can be easily installed via the apt package management system... A handful of unnecessary packages, such as systemd, have been removed to improve stability and security.
The distro also offers out of the box support for GUI apps with your choice of X client, according to the original submission.
WLinux is open source under the MIT license, and is available for free on GitHub. It can also be downloaded from Microsoft Store at a 50% discount, with the development company promising the revenue will be invested back into new features. -
Crippling DDoS Vulnerability Put the Entire Bitcoin Market At Risk (thenextweb.com)
A major flaw was spotted in the Bitcoin network that could have allowed miners to bring down the entire blockchain by flooding full node operators with traffic, via a Distributed Denial-of-Service (DDoS) attack. "A denial-of-service vulnerability (CVE-2018-17144) exploitable by miners has been discovered in Bitcoin Core versions 0.14.0 up to 0.16.2," the patch notes state. "It is recommended to upgrade any of the vulnerable versions to 0.16.3 as soon as possible." The Next Web reports: Developers have issued a patch for anyone running nodes, along with an appeal to update the software immediately. As far as the attack vector in question goes, there's a catch: anyone ballsy enough to try to bring down Bitcoin would have to sacrifice almost $80,000 worth of Bitcoin in order to do it. The bug relates to its consensus code. It meant that some miners had the option to send transaction data twice, causing the Bitcoin network to crash when attempting to validate them. As such invalid blocks need to be mined anyway, only those willing to disregard the block reward of 12.5BTC ($80,000) could actually do any real damage. -
Linux On Windows 10: Running Ubuntu VMs Just Got a Lot Easier, Says Microsoft (zdnet.com)
Liam Tung, reporting for ZDNet: Ubuntu maintainer Canonical and Microsoft have teamed up to release an optimized Ubuntu Desktop image that's available through Microsoft's Hyper-V gallery. The Ubuntu Desktop image should deliver a better experience when running it as a guest on a Windows 10 Pro host, according to Canonical. The optimized version is the Ubuntu Desktop 18.04.1 LTS release, also known as Bionic Beaver. Microsoft's work with Canonical was prompted by its users who wanted a "first-class experience" on Linux virtual machines (VMs) as well as Windows VMs. To achieve this goal, Microsoft worked with the developers of XRDP, an open-source remote-desktop protocol (RDP) for Linux based on Microsoft's RDP for Windows. Thanks to that work, XRDP now supports Microsoft's Enhanced Session Mode, which allows Hyper-V to use the open-source implementation of RDP to connect to Linux VMs. This in turn gives Ubuntu VMs on Windows hosts a better mouse experience, an integrated clipboard, window resizing, and shared folders for easier file transfers between host and guest. Microsoft's Hyper-V Quick Create VM setup wizard should also help improve the experience. "With the Hyper-V Quick Create feature added in the Windows 10 Fall Creators Update, we have partnered with Ubuntu and added a virtual machine image so in a few quick minutes, you'll be up and developing," said Clint Rutkas, a senior technical product manager on Microsoft's Windows Developer Team. "This is available now -- just type 'Hyper-V Quick Create' in your start menu." -
Some Linux Gamers Using Wine/DXVK To Play Blizzard's Overwatch Banned (phoronix.com)
Longtime Slashdot reader DrYak writes: Phoronix is reporting that multiple users who all use the Wine and DXVK compatibility layers have seen their Overwatch accounts banned by Blizzard. Previously, Blizzard has stated: "playing on Linux or even a Mac while on an emulated Windows environment is not bannable." But users report on Reddit getting banned simply after testing some rendering options. Tech support has answered that they are escalating the ticket and trying to take a closer look, hoping to prevent this from happening to other Linux users. According to Phoronix, the most common explanation for the bans "is a false-positive from Blizzard's anti-cheat technology having issue with DXVK." -
Free Municipal Wi-Fi May Be the Next Front In the War Against Privacy (theintercept.com)
TuballoyThunder writes: According to The Intercept, it appears that the LinkNYC free Wi-Fi might be designed to track users. This and other concerns were raised during a 2015 discussion on Slashdot. While many people are comfortable in trading their privacy for ostensibly free services, it is disheartening when municipalities collaborate with business to make it happen. "In May of this year, Charles Meyers, an undergraduate at New York City College of Technology, came across folders in LinkNYC's public library on GitHub, a platform for managing files and software, that appear to raise further questions about location tracking and the platform's protection of its users' data," reports The Intercept. "Meyers made copies of the codebases in question -- 'LinkNYC Mobile Observation' and 'RxLocation' -- and shared both folders with The Intercept."
Meyers says the "LinkNYC Mobile Observation" code collects the user's longitude and latitude, browser type, OS, device type, device identifiers, and full URL clickstreams (including date and time) and "aggregates this information into a database," the report says. Meyers believes the company is interested in tracking the location of Wi-Fi users in real time. "If such code were run on a mobile app or kiosk, he said, the company would be able to make advertisements available in real time based on where and who someone was, and that this would constitute a potential violation of the company's privacy policy," reports The Intercept.
Following the revelations, LinkNYC said the code was never intended to be released and was part of a longer-term R&D process. "In this instance," David Mitchell, Intersection's CTO, told The Intercept in an email, "Intersection was prototyping and testing some ideas internally, using employee data only, and mistakenly made source code public on Github. This code is not in use on the LinkNYC network." [Intersection is the "key player" in CityBridge, "a chameleon-like consortium of private companies" that New York City contracted to turn the city's payphone booth network into Wi-Fi-enabled kiosks.] -
Microsoft Research Touts Its 'Checked C' Extension For 'Making C Safe' (microsoft.com)
Microsoft Research has pre-published a new paper to be presented at the IEEE Cybersecurity Development Conference 2018 describing their progress on Checked C, "an extension to C designed to support spatial safety, implemented in Clang and LLVM."
From "Checked C: Making C Safe By Extension": Checked C's design is distinguished by its focus on backward-compatibility, incremental conversion, developer control, and enabling highly performant code... Any part of a program may contain, and benefit from, checked pointers. Such pointers are binary-compatible with legacy, unchecked pointers but have explicitly annotated and enforced bounds. Code units annotated as checked regions provide guaranteed safety: The code within may not use unchecked pointers or unsafe casts that could result in spatial safety violations.
Checked C's bounds-safe interfaces provide checked types to unchecked code, which is useful for retrofitting third party and standard libraries. Together, these features permit incrementally adding safety to a legacy program, rather than making it an all-or-nothing proposition. Our implementation of Checked C as an LLVM extension enjoys good performance, with relatively low run-time and compilation overheads. It is freely available at https://github.com/Microsoft/checkedc and continues to be actively developed.
The extension is enabled as a flag passed to Clang -- the average run-time overhead introduced by adding dynamic checks was 8.6%, though in more than half of the benchmarks the overhead was less than 1%. They also note that from 2012 to 2018, buffer overruns were the leading single cause of CVEs.
Microsoft Research says they're now evaluating Checked C, formalizing a proof of its safety guarantee -- and developing a tool to semi-automatically rewrite legacy C programs. -
MikroTik Routers Are Forwarding Owners' Traffic To Unknown Attackers (bleepingcomputer.com)
Attackers have been exploiting vulnerabilities in MikroTik routers to forward network traffic to a handful of IP addresses under their control. "The bug is in the Winbox management component and allows a remote attacker to bypass authentication and read arbitrary files," reports Bleeping Computer. "Exploit code is freely available from at least three sources." From the report: 360Netlab announced in a blog post today that more than 7,500 MikroTik routers across the world are currently delivering their TZSP (TaZmen Sniffer Protocol) traffic to nine external IP addresses. According to the researchers, the attacker modified the device's packet sniffing settings to forward the data to their locations. "37.1.207.114 is the top player among all the attackers. A significant number of devices have their traffic going to this destination," Qihoo experts inform.
The analysis shows that the attacker is particularly interested in ports 20, 21, 25, 110, and 144, which are for FTP-data, FTP, SMTP, POP3, and IMAP traffic. An unusual interest is in traffic from SNMP (Simple Network Management Protocol) ports 161 and 162, which researchers cannot explain at the moment. The largest number of compromised devices, 1,628, is in Russia, followed by Iran (637), Brazil (615), India (594) and Ukraine (544). The researchers say that security outfits in the affected countries can contact them at netlab[at]360.cn for a full list of IPs.