Slashdot Mirror

theodp writes "'Why do programmers start counting at zero?' wondered Mike Hoye, questioning the conventional programming wisdom. Code.org will soon introduce the practice to a hoped-for audience of 10 million schoolchildren as part of Computer Science Education Week's Hour of Code. In a tutorial created by engineers from Microsoft, Google, Twitter and Facebook that's intended to introduce programming to kids as young as six years old, an otherwise breezy lesson featuring look-ma-no-typing Blockly and characters out of Angry Birds and Plants vs. Zombies, a Mark Zuckerberg video introducing the concept of Repeat Loops includes an out-of-place JavaScript example that shows kids it's as easy as 0-1-2-3 to generate 4 lines of lyrics from Happy Birthday to You by using zero-based numbering with a For-loop and ternary If statement. Accompanying videos by Bill Gates on If Statements and basketball star Chris Bosh on Repeat Until Blocks show the Code.org tutorial is still a work-in-progress. That's no big deal, since CSEdWeek has pushed back the delivery date for final Hour of Code tutorials from its prior little-time-for-testing due date to Dec. 9th, the first day of a five-day period during which teachers are expected to deliver the lessons to 10 million students."

An anonymous reader writes "'When the first NSA surveillance story broke in June,' writes Dennis Fisher at Threatpost, 'most people likely had never heard the word metadata before. Even some security and privacy experts weren't sure what the term encompassed.' The NSA and its supporters have, of course, emphasized that phone records collection is 'not surveillance.' Researchers at Stanford are now crowdsourcing data to incontrovertibly establish just how much the NSA knows. 'Phone metadata is inherently revealing,' says a study author. 'We want to rigorously prove it—for the public, for Congress, and for the courts.' If you have an Android phone and a Facebook account, you can grab the MetaPhone app on Google Play."

Dega704 sends this story from Ars: "A Senate bill called the 'Consumer Choice in Online Video Act' (PDF) takes aim at many of the tactics Internet service providers can use to overcharge customers and degrade the quality of rival online video services. Submitted yesterday by U.S. Sen. Jay Rockefeller (D-WV), the 63-page bill provides a comprehensive look at the potential ways in which ISPs can limit consumer choice, and it boots the Federal Communications Commission's power to prevent bad outcomes. 'It shall be unlawful for a designated Internet service provider to engage in unfair methods of competition or unfair or deceptive acts or practices, the purpose or effect of which are to hinder significantly or to prevent an online video distributor from providing video programming to a consumer,' the bill states. A little more specifically, it would be illegal to 'block, degrade, or otherwise impair any content provided by an online video distributor' or 'provide benefits in the transmission of the video content of any company affiliated with the Internet service provider through specialized services or other means.' Those provisions overlap a bit with the FCC's authority under its own net neutrality law, the Open Internet Order, which already prevents the blockage of websites and services. However, Verizon is in court attempting to kill that law, and there is a real possibility that it could be limited in some way. The Consumer Choice in Online Video Act could provide a hedge against that possible outcome."

Zanadou writes "CyanogenMod today released for general availability a friendly[er]-to-use Windows-based installer that will automagically (no need to first root and/or unlock the bootloader) step users though downloading, flashing and setting up an appropriate CyanogenMod version on supported Android phones. Along with this, a 'companion app' that apparently helps set up the installer is now available the Play Store, along with a newly-refreshed download page. Still no image for 'hammerhead' (Nexus 5), though."

An anonymous reader writes "Google today released Chrome version 31 for Windows, Mac, and Linux. The new version includes support for Web payments, Portable Native Client, and 25 security fixes. 'Under the hood, PNaCl works by compiling native C and C++ code to an intermediate representation, rather than architecture-specific representations as in Native Client. The LLVM-style bytecode is wrapped into a portable executable, which can be hosted on a web server like any other website asset. When the site is accessed, Chrome fetches and translates the portable executable into an architecture-specific machine code optimized directly for the underlying device. This translation approach means developers don’t need to recompile their applications multiple times to run across x86, ARM or MIPS devices.' You can update to the latest release now using the browser's built-in silent updater, or download it directly from google.com/chrome."

First time accepted submitter VZ writes "The first new stable wxWidgets release in years and the first new major release since 1998 has just been announced. wxWidgets 3.0 now includes official support for Cocoa-based 32 and 64 bit applications under OS X, GTK+ 3 under Unix and has thousands of other improvements." Update: 11/12 01:00 GMT by U L : Clarification: it's been several years since the 2.8 release series, and fifteen years since wxWidgets 2.0.

agizis writes "Google presented their new QUIC (Quick UDP Internet Connections) protocol to the IETF yesterday as a future replacement for TCP. It was discussed here when it was originally announced, but now there's real working code. How fast is it really? We wanted to know, so we dug in and benchmarked QUIC at different bandwidths, latencies and reliability levels (test code included, of course), and ran our results by the QUIC team."

Slashdot contributor Bennett Haselton writes "In 2007, I wrote that you could find troves of credit card numbers on Google, most of them still active, using the simple trick of Googling the first 8 digits of your credit card number. The trick itself had been publicized by other writers at least as far back as 2004, but in 2013, it appears to still be just as easy. One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results." Read on for the rest of Bennett's thoughts.

If you have a Visa, Mastercard, or Discover Card number handy, do a Google search for the first 8 digits in the form "1234 5678" (don't forget the double quotes around the numbers, and the space in the middle). The odds are that you will find at least some pages among the search results which include other credit card numbers that begin with the same 8 digits. Those Google hits will frequently be in the form of a spreadsheet or document that looks like it was made for someone's internal use and wasn't meant to be leaked on the Web, and some of those documents will include entire lists of other credit card numbers as well. (The search trick doesn't work for American Express cards, since their card numbers are usually stored in the form "3xxx xxxxxx xxxxx", and it's far less likely for your card to share the same initial 10 digits with someone else's credit card. But of course if you hit on a page that contains a list of credit card numbers, there will probably be some AmEx cards in that list.) Of the pages that I found containing leaked credit cards, often they would also contain other sensitive data like passwords and social security numbers. Don't do anything I wouldn't do.

In my 2007 article, I wrote, "Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it." I suggested for credit card companies to run a Google search every day or week for all of the possible 8-digit prefixes that could correspond to their card numbers, and then to deactivate any card numbers that were found in this way. They could also send a request to Google to remove the page from Google's index because it contains credit card numbers (there is already a public-facing removal request tool for this purpose). And finally, if it was a merchant that leaked customers' credit card numbers online, then the merchant should be sanctioned as well.

The problem with all of these suggestions is that there doesn't seem to be sufficient incentive on the part of the people who have to implement them. If a credit card company has to refund a fraudulent charge, they usually just take the money back from the merchant who originally received it, and it costs the credit card company nothing. (During my brief stint running a company that accepted online credit card payments, sometimes a "customer" that we had interacted with and who definitely knew who we were, would decide to call their credit card company and "dispute" the charge for no reason, and the card processor would just take the money out of our balance and hand it back to the customer.) So credit card companies themselves apparently lack the incentive to fix the problem.

So perhaps the easiest fix could come from Google, a company that actually has no incentive at all to fix the problem, except for the fact that it would be a neat idea. Although their "Don't Be Evil" motto has taken a lot of beatings, they still do some basically responsible things for reasons that don't seem to contribute directly to their bottom line. (The fact that they have a tool at all for requesting the removal of pages containing credit card numbers, for example.)

It should be pretty easy for Google to run its own queries internally, based on all possible 8-digit credit card prefixes, to find pages that list any sequence of 16 digits beginning with those 8. Then could do a quick mathematical test on the 16-digit sequence to see if it's a valid credit card number. Then scan their own cached copy of that web page to see how many other valid credit card numbers they can find. Then propagate all of those numbers back to contact points at Visa, MasterCard, American Express and Discover, saying, "We found this credit card number leaked onto the Web; you should cancel the number and issue a new one."

After that point, should Google delete the page from their search results themselves? On the one hand, it clearly helps reduce credit card fraud to remove pages from their index that contain working credit cards. On the other hand, the purist in me doesn't like the thought of Google removing information from their index. After all, if the problem is that a list of credit card numbers has been leaked on a webpage, having that page show up in Google shines a light on the problem; removing it from the index doesn't make the problem go away. (The page could still be found through other search engines; or credit card thieves could have already found the page on Google and saved a copy before Google de-indexed it.) Perhaps a compromise could be that once Google has received confirmation from the credit card companies that all of the card numbers on a given page had been de-activated, it could restore the page to their index, but it would be displayed in search results with a warning saying, "This page contains personal credit card account information; all of the credit card account numbers listed have been de-activated."

Unfortunately this doesn't work if the page also contains other sensitive information that can't be un-compromised just by closing an account — e.g., Social Security Numbers, or addresses and phone numbers. (In any case, Google's removal policies specifically say that they won't remove a page from their index just because the page contains a person's address or phone number.) So maybe the better answer really is to just leave the page out of the search results permanently, over the objections of the "purists."

(I may or may not have found some evidence that Bing is more aggressive about removing pages from search results that contain credit cards. I took a "trove" of 11 credit cards that I found through one of my Google searches, and for each of the 11 card numbers, ran a query on both Google and Bing for the first 8 digits. On Google, 8 out of the 11 queries returned at least one page containing more credit card numbers, not counting the original page which had had supplied the "trove" of numbers that I started with. On Bing, however, only 3 out of 11 queries returned pages with more card numbers. This could indicate that Bing is more conscientious about removing pages from search results that contain sensitive personal information. Or it might just mean that they're not as good as Google.)

Of course the fundamental problem with credit card number security has always been that you have to use the same "token" — your credit card number — for every purchase, with every merchant. (There are card companies that let you generate one-time-use numbers for every purchase, but almost nobody uses those.) Maybe in a few years, credit card numbers will be supplanted by more secure payment protocols and fall by the wayside, but that's also what I thought in 2007.

Slashdot contributor Bennett Haselton writes "In 2007, I wrote that you could find troves of credit card numbers on Google, most of them still active, using the simple trick of Googling the first 8 digits of your credit card number. The trick itself had been publicized by other writers at least as far back as 2004, but in 2013, it appears to still be just as easy. One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results." Read on for the rest of Bennett's thoughts.

If you have a Visa, Mastercard, or Discover Card number handy, do a Google search for the first 8 digits in the form "1234 5678" (don't forget the double quotes around the numbers, and the space in the middle). The odds are that you will find at least some pages among the search results which include other credit card numbers that begin with the same 8 digits. Those Google hits will frequently be in the form of a spreadsheet or document that looks like it was made for someone's internal use and wasn't meant to be leaked on the Web, and some of those documents will include entire lists of other credit card numbers as well. (The search trick doesn't work for American Express cards, since their card numbers are usually stored in the form "3xxx xxxxxx xxxxx", and it's far less likely for your card to share the same initial 10 digits with someone else's credit card. But of course if you hit on a page that contains a list of credit card numbers, there will probably be some AmEx cards in that list.) Of the pages that I found containing leaked credit cards, often they would also contain other sensitive data like passwords and social security numbers. Don't do anything I wouldn't do.

In my 2007 article, I wrote, "Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it." I suggested for credit card companies to run a Google search every day or week for all of the possible 8-digit prefixes that could correspond to their card numbers, and then to deactivate any card numbers that were found in this way. They could also send a request to Google to remove the page from Google's index because it contains credit card numbers (there is already a public-facing removal request tool for this purpose). And finally, if it was a merchant that leaked customers' credit card numbers online, then the merchant should be sanctioned as well.

The problem with all of these suggestions is that there doesn't seem to be sufficient incentive on the part of the people who have to implement them. If a credit card company has to refund a fraudulent charge, they usually just take the money back from the merchant who originally received it, and it costs the credit card company nothing. (During my brief stint running a company that accepted online credit card payments, sometimes a "customer" that we had interacted with and who definitely knew who we were, would decide to call their credit card company and "dispute" the charge for no reason, and the card processor would just take the money out of our balance and hand it back to the customer.) So credit card companies themselves apparently lack the incentive to fix the problem.

So perhaps the easiest fix could come from Google, a company that actually has no incentive at all to fix the problem, except for the fact that it would be a neat idea. Although their "Don't Be Evil" motto has taken a lot of beatings, they still do some basically responsible things for reasons that don't seem to contribute directly to their bottom line. (The fact that they have a tool at all for requesting the removal of pages containing credit card numbers, for example.)

It should be pretty easy for Google to run its own queries internally, based on all possible 8-digit credit card prefixes, to find pages that list any sequence of 16 digits beginning with those 8. Then could do a quick mathematical test on the 16-digit sequence to see if it's a valid credit card number. Then scan their own cached copy of that web page to see how many other valid credit card numbers they can find. Then propagate all of those numbers back to contact points at Visa, MasterCard, American Express and Discover, saying, "We found this credit card number leaked onto the Web; you should cancel the number and issue a new one."

After that point, should Google delete the page from their search results themselves? On the one hand, it clearly helps reduce credit card fraud to remove pages from their index that contain working credit cards. On the other hand, the purist in me doesn't like the thought of Google removing information from their index. After all, if the problem is that a list of credit card numbers has been leaked on a webpage, having that page show up in Google shines a light on the problem; removing it from the index doesn't make the problem go away. (The page could still be found through other search engines; or credit card thieves could have already found the page on Google and saved a copy before Google de-indexed it.) Perhaps a compromise could be that once Google has received confirmation from the credit card companies that all of the card numbers on a given page had been de-activated, it could restore the page to their index, but it would be displayed in search results with a warning saying, "This page contains personal credit card account information; all of the credit card account numbers listed have been de-activated."

Unfortunately this doesn't work if the page also contains other sensitive information that can't be un-compromised just by closing an account — e.g., Social Security Numbers, or addresses and phone numbers. (In any case, Google's removal policies specifically say that they won't remove a page from their index just because the page contains a person's address or phone number.) So maybe the better answer really is to just leave the page out of the search results permanently, over the objections of the "purists."

(I may or may not have found some evidence that Bing is more aggressive about removing pages from search results that contain credit cards. I took a "trove" of 11 credit cards that I found through one of my Google searches, and for each of the 11 card numbers, ran a query on both Google and Bing for the first 8 digits. On Google, 8 out of the 11 queries returned at least one page containing more credit card numbers, not counting the original page which had had supplied the "trove" of numbers that I started with. On Bing, however, only 3 out of 11 queries returned pages with more card numbers. This could indicate that Bing is more conscientious about removing pages from search results that contain sensitive personal information. Or it might just mean that they're not as good as Google.)

Of course the fundamental problem with credit card number security has always been that you have to use the same "token" — your credit card number — for every purchase, with every merchant. (There are card companies that let you generate one-time-use numbers for every purchase, but almost nobody uses those.) Maybe in a few years, credit card numbers will be supplanted by more secure payment protocols and fall by the wayside, but that's also what I thought in 2007.

mrspoonsi writes "Engadget reports 'California is technology's spiritual home in the US, where Teslas roam free, and Google Glass is already a social norm. Well, unless you're a member of the San Diego law enforcement that is — as one unlucky driver just found out. That commuter was Cecilia Abadie, and she's (rather fittingly) taken to Google+ after being given a ticket for driving while wearing her Explorer Edition.'"

Goodwill Industries rehabs computers and sells computer parts, at least in Austin, Texas. The Goodwill Computer Museum is a natural outgrowth of that effort. In this video, museum curator Lisa Worley takes Slashdot's Timothy Lord on a tour of the museum. Remember that TRS-80 you threw away in 1982? Well, they saved several of them to stimulate your nostalgia-based pleasure nodules. Ditto many other devices both common and rare, including a pre-Dell computer made and signed by Texas computer celebrity Michael Dell. So sit back and enjoy the ride, as Timothy does the walking and Lisa does the talking, kind of like Night at the Museum -- but without CGI dinosaurs and other life forms getting between you and the classic computers.

An anonymous reader writes "Mozilla today officially launched Firefox 25 for Windows, Mac, Linux, and Android. Additions include Web Audio API support, as well as guest browsing and mixed content blocking on Android. Firefox 25 can be downloaded from Firefox.com and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play. The release notes are here: desktop, mobile."

An anonymous reader writes "The open source PHP project site was compromised earlier today. The site appears to have been compromised and had some of its Javascript altered to exploit vulnerable systems visiting the website. Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. The comment by a Google employee over at the hacker news thread (official Google webmaster forum thread) seems to suggest that php.net wasn't incorrectly flagged."

An anonymous reader writes "The open source PHP project site was compromised earlier today. The site appears to have been compromised and had some of its Javascript altered to exploit vulnerable systems visiting the website. Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. The comment by a Google employee over at the hacker news thread (official Google webmaster forum thread) seems to suggest that php.net wasn't incorrectly flagged."

Daniel_Stuckey writes "Check out the Digital Attack Map. It was produced in a collaborative effort by Google Ideas and Arbor Networks to raise awareness about distributed denial of service attacks. You know, those malicious digital attempts to choke, or shutdown websites by sending them volumes of traffic far too large for them to handle. The map 'surfaces anonymous attack traffic data to let users explore historic trends and find reports of outages happening on a given day,' as its about page explains. Created using attack data from Arbor's 'ATLAS® global threat intelligence system,' this is the D.A.R.E. of DDoS — it's about the danger of having information streams cut off. Under the heading 'DDoS Attacks Matter,' Google and Arbor explain that 'sites covering elections are brought down to influence their outcome, media sites are attacked to censor stories, and businesses are taken offline by competitors looking for a leg up.'" This comes alongside Google's announcement of Project Shield, the company's homegrown DDoS mitigation service.

BartlebyScrivener writes "I am a author, screenwriter, law prof, and a hobbyist programmer. I love MacVim and write almost everything in it: Exams, novels, even screenplays now that Fountain is available. I use LaTeX and WordPress and so on, but several years ago I discovered Markdown and the wonderful Pandoc. I searched Slashdot expecting to find lively discussions of both Markdown and Pandoc, but found nothing. Do Slashdotters look down their noses at these tools and do their work in HTML and LaTeX? I can't imagine computer geeks using Word instead of their favorite text editors. If not Markdown and Pandoc, what tools do Slashdotters use when they create documents that probably need to be distributed in more than one format: HTML, PDF, EPUB or perhaps even docx?" And then there's DocBook, LyX, and a host of other markup languages. What do you use, in what context?

jones_supa writes "If you want to find the computer geniuses of tomorrow, you could do worse than to check out which kids are playing Minecraft. In a Google+ post, the Google Quantum A.I. Lab Team says that they've released a mod called qCraft to enable kids (and adults) to play around with blocks that exhibit behaviors like quantum entanglement, superposition and observer dependency. qCraft obviously isn't a perfect scientific simulation, but it's a fun way for players to experience a few parts of quantum mechanics outside of thought experiments or dense textbook examples. The team doesn't know the full potential of what you can make with the mod, but they are excited to see what Minecraft's players can discover."

slack_justyb writes "In a blog post, Mark Shuttleworth sends his congrats to the Ubuntu developers for the recent release of 13.10 and talks about 14.04's codename (Trusty Tahr). He also takes aim at what he calls 'The Open Source Tea Party.' He writes, 'Mir is really important work. When lots of competitors attack a project on purely political grounds, you have to wonder what their agenda is. At least we know now who belongs to the Open Source Tea Party ;)' He cites all the complaints about Mir and even calls out Lennart Poettering's systemd, who is the past has pointed out Canonical's tendency to favor projects they control. Shuttleworth continues, 'And to put all the hue and cry into context: Mir is relevant for approximately 1% of all developers, just those who think about shell development. Every app developer will consume Mir through their toolkit. By contrast, those same outraged individuals have NIH’d just about every important piece of the stack they can get their hands on most notably SystemD, which is hugely invasive and hardly justified. What closely to see how competitors to Canonical torture the English language in their efforts to justify how those toolkits should support Windows but not Mir. But we'll get it done, and it will be amazing.' However, not all has earned Mark's scorn. He even goes so far to show some love for Linux Mint: 'So yes, I am very proud to be, as the Register puts it, the Ubuntu Daddy. My affection for this community in its broadest sense – from Mint to our cloud developer audience, and all the teams at Canonical and in each of our derivatives, is very tangible today.'"

barlevg writes "A college student at Rensselaer Polytechnic Institute spent nine months meticulously remaking Super Mario Bros. based on the latest web standards. His project is open source and the code freely available through Github. The site recently gained widespread media attention, which unfortunately brought it to the attention of Nintendo, which has requested that the site be taken down. In a column on the Washington Post website, tech blogger Timothy Lee makes the case for how this is a prime example of copyrights hindering innovation and why copyright lengths should be shortened. Among his arguments: copyrights hinder innovation by game designers seeking to build upon such games, and shortening copyright would breathe new life into games who have long since passed into obsolescence."

An anonymous reader writes "Google [on Friday] announced an upcoming change to its terms of service that will let the company add users' names and photos to certain parts of its advertising as of November 11. Make no mistake: this is a direct attack against Facebook. One of the few advantages of Google+ is that it features no ads. To be perfectly clear, Google isn't changing that. Google+ will still have a clean interface, at least for the foreseeable future. Instead, Google is tying Google+ into yet another one of its properties, and arguably its most important one: Google Ads."

Hugh Pickens DOT Com writes "Andrew Binstock writes at Dr. Dobb's that a recurring prejudice in the forums where the cool kids hang out is against Java, often described as verbose and fading in popularity but Binstock sees little supporting evidence of Java being in some kind of long-term decline. While it is true that Java certainly can be verbose, several scripting languages have sprung up which are purpose-designed to spare developers from long syntactical passages to communicate a simple action, including NetRexx, Groovy, and Scala. As far as Java's popularity goes, normally, when technologies start their ultimate decline, tradeshows are the first to reflect the disintegrating community. But the recent JavaOne show was clearly larger and better attended than it has been in either of the last two years and vendors on the exhibiting floor were unanimous in saying that traffic, leads, and inquiries were up significantly over last year. Technically, the language continues to advance says Binstock. Java 8, expected in March, will add closures (that is, lambda expressions) that will reduce code, diminish the need for anonymous inner classes, and facilitate functional-like coding. Greater modularity which will be complete in Java 9 (due in 2016) will help efficient management of artifacts, as will several enhancements that simplify syntax in that release. 'When you add in the Android ecosystem, whose native development language is Java, it becomes very difficult to see how a language so widely used in so many areas — server, Web, desktop, mobile devices — is in some kind of decline,' concludes Binstock. 'What I'm seeing is a language that is under constant refinement and development, with a large and very active community, which enjoys a platform that is widely used for new languages. None of this looks to me like a language in decline.'"

An anonymous reader writes with this excerpt from a short article at Geek.com, based on this Chinese newspaper report (Google translation) that thousands of students have been (figuratively) press-ganged into assembling PlayStation 4 consoles, ahead of the PS4's November launch. From the article: "The students involved were offered internships at the company while studying an IT engineering course. But those that accepted aren't being assigned work that matches their course or skill set. Instead, they are being put on the production lines. The reason it is being called a forced internship is because if any of the students refuse to do the work they are assigned, six credits will be deducted from their course total. Without those six credits it's thought to be impossible to pass, meaning the students have to do the work or risk losing their qualification."

An anonymous reader writes "Major newspapers in Germany (FAZ, Die Welt, SZ, ...) and the Huffington Post report that the author Ilja Trojanow has been prevented from boarding a plane from Salvador da Bahia to the U.S. where he was invited to attend a conference. He had ESTA documents showing that his visit was approved as part of the Visa Waiver Program and was last year given a visa to teach at the university of Saint Louis. Trojanow was one of the initiators of an open letter (Google translation to English) urging Chancellor Merkel to take actions against NSA surveillance in Germany."

An anonymous reader writes "In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA. 'NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp,' writes cryptographer Marsh Ray on Twitter. In August, John Kelsey, working at NIST, described (slides 44-48) the changes to the algorithm, including reduction of the bit length from 224, 256, 384 and 512-bit modes down to 128 and 256-bit modes."

An anonymous reader writes "Recent reports from around the net suggest that SSL certificate chain for gmail has either changed this week, or has been widely compromised. Even less-than-obvious places to look for information, such as Google's Online Security Blog, are silent. The problem isn't specific to gmail, of course, which leads me to ask: What is the canonically-accepted out-of-band means by which a new SSL certificate's fingerprint may be communicated and/or verified by end users?"

mystikkman writes "In what is a serious bug, GMail Chat/GTalk/Google Hangouts is sending messages to unintended recipients. ZDNet has confirmed first-hand that the glitch is present within Google Apps for Business accounts, including those that have not yet switched over to Google's new Hangouts platform. Messages appear to be visible on the mobile version of Hangouts. There are multiple reports of this issue."

An anonymous reader writes "Google today announced it is dropping Netscape Plugin Application Programming Interface support in Chrome. The company will be phasing out support over the coming year, starting with blocking webpage-instantiated plugins in January 2014. Google has looked at anonymous Chrome usage data and estimates that just six NPAPI plug-ins were used by more than 5 percent of users in the last month. To 'avoid disruption' (read: attempt to minimize the confusion) for users, Google will temporarily whitelist the most popular NPAPI plugins: Silverlight, Unity, Google Earth, Google Talk, and Facebook Video." Google offers NaCl as an alternative, and "Moving forward, our goal is to evolve the standards-based web platform to cover the use cases once served by NPAPI."

theodp writes "To paraphrase Sean Parker: "Flying your fleet of planes using NASA-discounted fuel isn't cool, you know what's cool? Flying your fleet of planes using zero-cost fuel." Having piqued CEO Larry Page's interest with its solar and battery-powered aircraft, Solar Impulse is partnering with Google to promote its goal of circumnavigating the globe in 2015, a Green Movement take on Wiley Post's 1933 achievement."

Google has announced the formation of a new company called Calico, which aims to promote health and fight aging. Larry Page said, "That’s a lot different from what Google does today. And you’re right. But as we explained in our first letter to shareholders, there’s tremendous potential for technology more generally to improve people’s lives. So don’t be surprised if we invest in projects that seem strange or speculative compared with our existing Internet businesses." He expanded upon this in an interview with Time: "I'm not proposing that we spend all of our money on those kinds of speculative things. But we should be spending a commensurate amount with what normal types of companies spend on research and development, and spend it on things that are a little more long-term and a little more ambitious than people normally would. More like moon shots." The new company's CEO will be Arthur Levinson, who is currently the chairman of Apple and biotech company Genentech. Apple CEO Tim Cook said, "For too many of our friends and family, life has been cut short or the quality of their life is too often lacking. Art is one of the crazy ones who thinks it doesn't have to be this way."

New submitter urdak writes "At CloudOpen in New Orleans, KVM veterans Avi Kivity and Dor Laor revealed their latest venture, a new open-source (BSD license) operating system named OSv. OSv can run existing Linux programs and runtime environments such as a JVM, but unlike Linux, OSv was designed from the ground up to run efficiently on virtual machines. For example, OSv avoids the traditional (but slow) userspace-kernel isolation, as on the cloud VMs normally run a single application. OSv is also much smaller than Linux, and breaks away from tradition by being written in C++11 (the language choice is explained in in this post)."

New submitter urdak writes "At CloudOpen in New Orleans, KVM veterans Avi Kivity and Dor Laor revealed their latest venture, a new open-source (BSD license) operating system named OSv. OSv can run existing Linux programs and runtime environments such as a JVM, but unlike Linux, OSv was designed from the ground up to run efficiently on virtual machines. For example, OSv avoids the traditional (but slow) userspace-kernel isolation, as on the cloud VMs normally run a single application. OSv is also much smaller than Linux, and breaks away from tradition by being written in C++11 (the language choice is explained in in this post)."

An anonymous reader writes "Mozilla today officially launched Firefox 24 for Windows, Mac, Linux, and Android. Improvements include a new option to mass close tabs 'to the right,' as well as WebRTC support and NFC sharing on Android. Firefox 24 has now been released over on Firefox.com and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play. Compared to Firefox 23, this isn’t a big release for the desktop. Mac users will notice a new scrollbar style on OS X 10.7 and users of the browsers social features will appreciate the ability to tear-off chat windows by just dragging (full release notes: desktop, mobile)."

fermion writes "This weeks 'Who Made That' column in The New York Times concerns the built in pencil eraser. In 1858 Hymen Lipman put a rubber plug into the wood shaft of a pencil. An investor then paid about 2 million in today's dollars for the patent. This investor might have become very rich had the supreme court not ruled that all Lipmen had done was put together two known technologies, so the patent was not valid. The question is where has this need for patents to be innovative gone? After all there is the Amazon one-click patent which, after revision, has been upheld. Microsoft Activesync technology patent seems to simply patent copying information from one place to another. In this modern day do patents promote innovation, or simply protect firms from competition?"

lpress writes "Google and MIT have both built open source MOOC platforms and offered innovative MOOCs. They have just announced the establishment of mooc.org, a non-profit organization that will provide a platform to develop, host, and research online courses. The devil is, no doubt, in the details, but this combination of MIT's educational expertise and reputation, Google's vast infrastructure, and the lofty goals of both organizations might turn out to be revolutionary." From Google's research weblog: "Google and edX have a shared mission to broaden access to education, and by working together, we can advance towards our goals much faster. In addition, Google, with its breadth of applicable infrastructure and research capabilities, will continue to make contributions to the online education space, the findings of which will be shared directly to the online education community and the Open edX platform." Course Builder will continue to be maintained for the time being, but eventually Google will "provide an upgrade path to Open edX and MOOC.org from Course Builder."

Daniel_Stuckey writes "The iPhone 5S line has already begun, despite Apple not even having made its announcement yet. From the looks of the invite to the unveiling in San Francisco on Sept. 10 (and another event the following day in Beijing, where iPhones are all the rage), the company will not only be announcing a next generation iPhone, the 5S, but also the lower-priced 5C model, in a variety of cheaper-looking colors."

Today Google revealed that the next major version of the Android mobile operating system will be called 'KitKat.' The naming convention has always used sugary snacks in alphabetical order — Jelly Bean (4.1 - 4.3) followed Ice Cream Sandwich (4.0), which followed Honeycomb (3.1 - 3.2), which followed Gingerbread (2.3), and so on. Unlike the previous releases, KitKat is named after an actual product, rather than a generic treat. Thus, Google contacted Nestle, who was happy to jump on board and take advantage of the cross-marketing opportunities. According to an article at the BBC, the Android team was originally going to use 'Key Lime Pie,' but they decided it wasn't familiar enough to most people. After finding some KitKat bars in the company fridge, they made the choice to switch. Nestle was on board 'within an hour' of hearing the idea.

mdsolar writes in with news about negotiations between the Chinese and the UK over nuclear power plant investments. "The state-owned Chinese nuclear group that is in talks to invest in Britain's new nuclear program wants greater operational control of any new plants it finances, potentially creating a national security headache for the government. China General Nuclear Power Group (CGN), is in talks with EDF of France on sharing the cost of building a new plant at Hinkley Point, Somerset, which has an estimated price tag of £14bn. But CGN has made it clear to EDF that it will only proceed if it is given more of a say in running other plants the two companies build together in the UK, according to people familiar with the talks."

Giulia D'Amico, Business Development VP for One Laptop Per Child (OLPC) talks about the new OLPC tablets, which are now available in the U.S. through Target, Amazon, Walmart, and other retailers, with some of the $150 sales price for each tablet going to support the OLPC project in places like Uruguay, Cambodia, Rwanda, and other countries where a tablet loaded with teaching software is a way better deal than trying to supply all the books a child needs for six or eight years of school. While there are many Android tablets for sale for less than $150, Giulia points out that the OLPC tablets contain up to $300 worth of software. Plus, of course, just as with almost any other Android device, there are many thousands of apps available for it through Google Play. And let's not forget the original OLPC laptop. It has been redesigned, and renamed the OLPC XO-4 and looks much cooler than the original. You can learn more about it through olpc.tv, which has videos from the introduction of both the OPLC tablet and the XO-4 at CES 2013. OLPC has shipped close to 3 million laptops so far, and is working to port Sugar to Android so that the laptop and the tablet can use the same software. One more thing: OLPC is now focusing on software rather than hardware. When the project started at MIT, back in 2006 or so, there was no suitable hardware available. Today, many companies make low-cost tablets and keyboards for them, so there's no real need for OLPC to make its own instead of using existing hardware.

Kelly Beatty has a unique perspective on the world of astronomy: Beatty's been on the staff of Sky & Telescope magazine for nearly 40 years as a writer and editor, including a stint heading "Night Sky" magazine. He's also written what's been called "the definitive guide for the armchair astronomer," and teaches astronomy to people of all ages. (He even has an asteroid named after him.) Besides being fascinated with the objects we can see in Earth's skies, Beatty takes the skies themselves seriously: his Twitter handle is NightSkyGuy for a reason. We talked a few weeks ago, in dark-skied rural Maine, about his involvement with the International Dark-Sky Association, and why you should care about ubiquitous light pollution, even if you don't have a deep interest in star-gazing. (And it's not just to be courteous to your neighbors.)

Last week you had a chance to ask Guido van Rossum, Python's BDFL (Benevolent Dictator For Life), about all things Python and his move to Dropbox. Guido wasted no time answering your questions and you'll find his responses below. From Google to Dropbox
by nurhussein

Hi, What prompted the move from Google to Dropbox? What did you do at Google, and what are you going to do at Dropbox?

Guido: After seven years at Google I was just ready for some change in environment, and then the Dropbox offer came along. At a high level, my job hasn't changed much: I still

- spend 50% of my time on whatever I want to do for Python in my BDFL role
- am a regular engineer in the organization (not a manager or even TL)
- do a lot of code reviews, architecture and design work
- handle a lot of email
- do a lot of actual coding for my job, in Python

The specifics differ of course. I really did only two things at Google: the first two years I worked on one of the first online code review tools Mondrian, which itself was never open-sourced but begat Rietveld, which did, and is used amongst others, by the Python, Go and Chromium communities. After that I joined Google App Engine where I did a lot of different things, almost all of them in Python. My last big project there was a new Python database API, NDB.

I've been at Dropbox for 7 months and my main project has been the design of the Dropbox Datastore API . It's ironic but not my fault that this also uses the "datastore" moniker -- there's little overlap between Dropbox Datastores and the Google App Engine Datastore.

What's even more ironic is that even though I did much of the design, and wrote two prototypes in Python, the SDKs we released last month only support Java, Objective-C and JavaScript. But I am working on a fix, this interview is just slowing me down. :-)



Why did Python avoid some common "OO" idioms?
by i_ate_god

Interfaces, abstract classes, private members, etc... Why did python avoid all this?

Guido: I can think of two reasons: (a) you don't really need them, and (b) they are hard to do if you have no compile-time type checking. Python started out as a skunkworks project (not endorsed or encouraged by management but not actively prevented), and I wanted results quickly. This led me to remove features that weren't actually needed or urgent; it also led me to do all type checking at run time, which gave me natural constraints on what features Python could support. I also had no religious OO ax to grind -- I just wanted an easy language, and it became OO more or less by accident.

In modern Python there are rough equivalents for all of these, but they don't necessarily work all that well, or they cause a lot of execution overhead, so they are often avoided, but they have their uses and their fans.



functional programming
by ebno-10db

Some people claim that Python is, at least partly, a functional language. You disagree, as do I. Simply having a few map and filter type functions does not make for a functional language. As I understand it those functions were added to the libraries by a homesick Lisper, and that several times you've been tempted to eliminate them. In general it seems you're not a fan of functional programming, at least for Python.

Question: do you feel that the functional programming approach is not very useful in general, or simply that it's not appropriate for Python? It would be nice to hear your reasons either way.

Guido: I'm not a fan of religiously taking some idea to the extreme, and I try to be pragmatic in my design choices (but not *too* pragmatic, see the start of this sentence :-). I value readability and usefulness for real code. There are some places where map() and filter() make sense, and for other places Python has list comprehensions. I ended up hating reduce() because it was almost exclusively used (a) to implement sum(), or (b) to write unreadable code. So we added builtin sum() at the same time we demoted reduce() from a builtin to something in functools (which is a dumping ground for stuff I don't really care about :-).

If I think of functional programming, I mostly think of languages that have incredibly powerful compilers, like Haskell. For such a compiler, the functional paradigm is useful because it opens up a vast array of possible transformations, including parallelization. But Python's compiler has no idea what your code means, and that's useful too. So, mostly I don't think it makes much sense to try to add "functional" primitives to Python, because the reason those primitives work well in functional languages don't apply to Python, and they make the code pretty unreadable for people who aren't used to functional languages (which means most programmers).

I also don't think that the current crop of functional languages is ready for mainstream. Admittedly I don't know much about the field besides Haskell, but any language *less* popular than Haskell surely has very little practical value, and I haven't heard of functional languages *more* popular than Haskell. As for Haskell, I think it's a great proving ground for all sorts of ideas about compiler technology, but I think its "purity" will always remain in the way of adoption. Having to come to grips with Monads just isn't worth it for most people.

(A similar comment applies to Scala. It may be the best you can do trying to combine functional and OO paradigms in one language, but the result isn't all that easy to use unless you're really smart.)



Multi-line lambdas
by NeverWorker1

One of the most common complaints about Python is the limitations of its lambdas, namely being one line only without the ability to do assignments. Obviously, Python's whitespace treatment is a major part of that (and, IIRC, I've read comments from you to that effect). I've spent quite a bit of time thinking about possible syntax for a multi-line lambda, and the best I've come up with is trying to shoehorn some unused (or little used) symbol into a C-style curly brace, but that's messy at best. Is there a better way, and do you see this functionality ever being added?

Guido: Really? I almost never hear that complaint except from people who submit questions to Slashdot interviews. :-)

There is indeed a better way, and that is using the 'def' keyword to define a regular function in a local scope. The defined function object becomes a local variable that has exactly the same semantics as a lambda except that it is bound to a local variable, and it doesn't have any of the syntactic constraints. For example, there is *no* semantic difference between

def make_adder(n):
__def adder(x):
____return x + n
__return adder

and this equivalent using lambda:

def make_adder(n):
__return lambda x: x + n

(except that when you introspect the lambda asking for its name, it will say '' instead of 'adder').

Andrew Koenig once pointed out to me that there's one pattern where lambdas are really much more convenient, and that is if you have a long list or dict (perhaps some kind of switching definition) containing lots of lambdas, since if you wanted to do that without lambda you'd end up first having to define lots of little functions, giving them all names, and then referencing them all by name from inside the list or dict. But in that pattern the lambdas are usually simple enough to be lambdas, and if you have a few exceptions, using 'def' before starting the list or dict is a fine compromise.



PyPy
by Btrot69

Do you see PyPy as the future? Or do you remain unconvinced, and -- if so -- why ?

Guido: I'm still unconvinced, for two reasons: (a) they don't support Python 3 (well) yet, and (b) there are lots of extension modules (both third party and in the standard library) that they don't support well. But I hope they'll fix those issues. I think it's competition from projects like PyPy, Jython and IronPython that keeps the CPython project honest and on its toes.



Python in the browser ?
by Btrot69

Over the years, there have been several attempts to create a sandboxed version of python that will safely run in a web browser.Mostly this was because of problems with Javascript. Now that Javascript works -- and we have nice things like CoffeeScript -- is it time to give up on python in the browser ?

Guido: I gave up on it in 1995, so yes. And please don't try to compile Python to JavaScript. The semantics are so different that you end up writing most of a Python runtime in JavaScript, which slows things down too much. (CoffeScript's strength is that it is designed to map cleanly to JavaScript, and the two are now co-evolving to make the mapping even cleaner.)



Python 3
by MetalliQaZ

How do you feel about the current state of the migration to Python 3 (Py3k)? From a user perspective it seems that the conversion of popular libraries has lagged far behind, which has impeded the transition. In my professional capacity, nearly every single system I use lacks an installed 3.x interpreter. In fact, 2.7 is a rarity. I'd like to get your thoughts.

Guido: Curious where you work. I agree that Python 3 migration will still take a long time, but if your systems don't come with Python 2.7 they must be pretty ancient! When I left Google they were about done with the internal transition to Python 2.7 (having successfully migrated from 2.4 to 2.6 over the past few years) and here at Dropbox both the client and the server are using Python 2.7. Both companies are already thinking about Python 3 too.

Back to Python 3 migration, I am actually pretty optimistic. Lots of popular libraries have a working port or are working on one. (The Python Software Foundation also occasionally funds projects to port libraries that are widely used but don't have enough of a community to do a port.) It will take a long time, but I see a lot of progress, and in a few years I expect most new code will be written in Python 3. Totally eradicating Python 2 usage will probably take much longer, but then again, Windows XP isn't quite dead yet either. :-)



Key question for any language designer
by dkleinsc

Have the prospects of Python in any way improved since you grew a beard? To what degree does language success correlate to beard length?

Guido: It is absolutely essential. Just look at Perl's fate -- Larry Wall is just too clean-shaven. :-)

An anonymous reader writes "It was on this day 22 years ago when Linus Torvalds humbly announced Linux and today he played on that in announcing the Linux 3.11-rc7 kernel release. The final Linux 3.11 kernel release is expected in about one week."

An anonymous reader writes "It was on this day 22 years ago when Linus Torvalds humbly announced Linux and today he played on that in announcing the Linux 3.11-rc7 kernel release. The final Linux 3.11 kernel release is expected in about one week."

hypnosec writes "According to a new revelation by Sarah Sharp, misinterpretation of the USB 2.0 standard may have been the culprit behind USB disconnects on resume in Linux all along rather than cheap and buggy devices. According to Sharp the USB core is to blame for the disconnections rather than the devices themselves as the core doesn't wait long enough for the devices to transition from a 'resume state to U0.' The USB 2.0 standard states that system software that handles USB must provide for 10ms resume recovery time (TRSMRCY) during which it shouldn't attempt a connection to the device connected to that particular bus segment."

An anonymous reader writes "Die Zeit has access to leaked documents from the German government warning that Windows 8 is an unacceptable security risk for sensitive workloads. The story is written in German here, but automatic translators (such as Google Translate) do a readable job. Particularly of concern is the inability to opt out of TPM 2.0 usage."

hypnosec writes "The CyanogenMod team has announced the release of version 10.2 nightly builds, which are based on Google's latest Android 4.3 Jelly Bean. The current nightly builds have been released for the Google Galaxy Nexus, HTC One, Samsung Galaxy S4, Samsung Galaxy S3, LG Optimus G, Sony Xperia Z, and Motorola Razr among others. As always, CyanogenMod team reminds that these are experimental."

Daniel_Stuckey writes "This week, New Zealand-based company Martin Aircraft became certified to take what it calls 'the world's first practical jetpack' out for a series of manned test flights. If all goes well, the company plans to start selling a consumer version of the jetpack in 2015, starting at $150,000 to $200,000 and eventually dropping to $100,000. 'For us it's a very important step because it moves it out of what I call a dream into something which I believe we're now in a position to commercialize and take forward very quickly,' CEO Peter Coker told the AFP."

Hugh Pickens DOT Com writes "Since the inception of Alcoholics Anonymous — the progenitor of 12-step programs — science has sometimes been at odds with the notion that laypeople can cure themselves because the numerous spiritual references that go with the 12-step program puts A.A. on "the fringe" in the minds of many scientists. But there is an interesting read at National Geographic where Jarret Liotta writes that new research shows that the success of the 12-step approach may ultimately be explained through medical science and psychology. According to Marvin Seppala, chief medical officer at Hazelden and sober 37 years, attending 12-step meetings does more than give an addict warm, fuzzy feelings. The unconscious neurological pull of addiction undermines healthy survival drives, causing individuals to make disastrous choices, he says. "People will regularly risk their lives—risk everything—to continue use of a substance." Addicts don't want to engage in these behaviors, but they can't control themselves. "The only way to truly treat it is with something more powerful," like the 12 steps, that can change patterns in the brain. Philip Flores, author of Addiction as an Attachment Disorder, says the human need for social interaction is a physiological one, linked to the well-being of the nervous system. When someone becomes addicted, Flores says, mechanisms for healthy attachment are "hijacked," resulting in dependence on addictive substances or behaviors. Some believe that addicts, even before their disease kicks in, struggle with knowing how to form emotional bonds that connect them to other people. Co-occurring disorders, such as depression and anxiety, make it even harder to build those essential emotional attachments. "We, as social mammals, cannot regulate our central nervous systems by ourselves," Flores says. "We need other people to do that.""

In a post on Google+, Jean-Baptiste Quéru, long-time maintainer of the Android Open Source Project, has said he'll no longer be working on it. "There's no point being the maintainer of an Operating System that can't boot to the home screen on its flagship device for lack of GPU support, especially when I'm getting the blame for something that I don't have authority to fix myself and that I had anticipated and escalated more than 6 months ahead." Quéru is referring to the recently-released Nexus 7 revision, for which Google has not provided factory images of Android 4.3. This seems to be because GPU maker Qualcomm is refusing to release the blobs necessary to boot the device.

An anonymous reader writes "Mozilla today officially launched Firefox 23 for Windows, Mac, Linux, and Android. Improvements include the addition of a share button, mixed content blocker, and network monitor on the desktop side (release notes). The new desktop version was available on the organization's FTP servers last night, but that was just the initial release of the installers. Firefox 23 has now officially been released over on Firefox.com and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play."

schwit1 writes with word that Jeff Bezos decided to buy a news paper. Quoting the Washington Post: "The Washington Post Co. has agreed to sell its flagship newspaper to Amazon.com founder and chief executive Jeffrey P. Bezos, ending the Graham family's stewardship of one of America's leading news organizations after four generations. Bezos, whose entrepreneurship has made him one of the world's richest men, will pay $250 million in cash for The Post and affiliated publications to the Washington Post Co., which owns the newspaper and other businesses. Seattle-based Amazon will have no role in the purchase; Bezos himself will buy the news organization and become its sole owner when the sale is completed, probably within 60 days. The Post Co. will change to a new, still-undecided name and continue as a publicly traded company without The Post thereafter." The WaPo Labs team (including CmdrTaco) were not part of the deal, but from the sound of it they will remain part of The Post Co. and haven't been axed.