Linux fréttir

Security engineer outlines self-help strategy for keeping software supply chain safe

Following the recent disclosure of a technique for hijacking certain NPM packages, security engineer Danish Tariq has proposed a defensive strategy for those looking to assess whether their web apps include dependencies tied to subvertable email domains.…

Created at Google in late 2007, the Go programming language was open sourced in late 2009, remember its creators, and "since then, it has operated as a public project, with contributions from thousands of individuals and dozens of companies." In a joint essay in Communications of the ACM, five of the language's five original creators explore what brought growing popularity to this "garbage-collected, statically compiled language for building systems" (with its self-contained binaries and easy cross-compilation). "The most important decisions made in the language's design...were the ones that made Go better for large-scale software engineering and helped us attract like-minded developers...." Although the design of most languages concentrates on innovations in syntax, semantics, or typing, Go is focused on the software development process itself. Go is efficient, easy to learn, and freely available, but we believe that what made it successful was the approach it took toward writing programs, particularly with multiple programmers working on a shared codebase. The principal unusual property of the language itself — concurrency — addressed problems that arose with the proliferation of multicore CPUs in the 2010s. But more significant was the early work that established fundamentals for packaging, dependencies, build, test, deployment, and other workaday tasks of the software development world, aspects that are not usually foremost in language design. These ideas attracted like-minded developers who valued the result: easy concurrency, clear dependencies, scalable development and production, secure programs, simple deployment, automatic code formatting, tool-aided development, and more. Those early developers helped popularize Go and seeded the initial Go package ecosystem. They also drove the early growth of the language by, for example, porting the compiler and libraries to Windows and other operating systems (the original release supported only Linux and MacOS X). Not everyone was a fan — for instance, some people objected to the way the language omitted common features such as inheritance and generic types. But Go's development-focused philosophy was intriguing and effective enough that the community thrived while maintaining the core principles that drove Go's existence in the first place. Thanks in large part to that community and the technology it has built, Go is now a significant component of the modern cloud computing environment. Since Go version 1 was released, the language has been all but frozen. The tooling, however, has expanded dramatically, with better compilers, more powerful build and testing tools, and improved dependency management, not to mention a huge collection of open source tools that support Go. Still, change is coming: Go 1.18, released in March 2022, includes the first version of a true change to the language, one that has been widely requested — the first cut at parametric polymorphism.... We considered a handful of designs during Go's first decade but only recently found one that we feel fits Go well. Making such a large language change while staying true to the principles of consistency, completeness, and community will be a severe test of the approach.

Read more of this story at Slashdot.

Survives all manner of indiginities in Reg tests but may stuggle to cross over from boots to suits

If you drop Dell's Latitude 5430 laptop from hip height onto vinyl flooring that covers a concrete slab, it lands with a sharp crack, bounces a little, then skitters to a halt. Drop it two meters onto sodden grass and it lands with a meaty squish on its long rear edge. The impact pushes a spray of water and flecks of mud through the crack between the screen and keyboard, with a spot or two of each making it onto the keyboard's ASDF row.…

Redmond claims the numbers are scary, but won't release them

Microsoft has sounded the alarm on DDoS malware called XorDdos that targets Linux endpoints and servers.…

AM5 socket to bring desktop CPUs to life in late 2022, mid-range laptop CPU to follow

AMD has revealed more details of its Zen 4 processor architecture, a desktop CPU that puts it to work, and a socket to house that product.…

Less than two weeks into his new gig, Yoon cozies up to Biden as China and DPRK loom

US president Biden and South Korea's new president Yoon Suk Yeol have pledged further co-operation in many technologies, including joint efforts to combat North Korea.…

The BBC reports on "the next generation of genetic modification technology" — which goes beyond simply introducing a "lab-tweaked gene" into an organism. Instead it introduces a "gene drive" — a lab-tweaked gene "that targets and removes a specific natural gene." if an animal (parent A) that contains a gene drive mates with one that doesn't (parent B), then in the forming embryo that starts to combine their genetic material, parent A's gene drive immediately gets to work. It recognises the natural gene version of itself in the opposite chromosome from parent B, and destroys it, by cutting it out of the DNA chain. Parent B's chromosome then repairs itself — but does so, by copying parent A's gene drive. So, the embryo, and the resulting offspring, are all but guaranteed to have the gene drive, rather than a 50% chance with standard GM — because an embryo takes half its genes from each parent. Gene drives are created by adding something called Crispr, a programmable DNA sequence, to a gene. This tells it to target the natural version of itself in the DNA of the other parent in the new embryo. The gene drive also contains an enzyme that does the actual cutting. It is hoped that gene drives can be used to greatly reduce the numbers of malarial mosquitos, and other pests or invasive species.... One organisation at the forefront of this is Target Malaria, which has developed gene drives that stop mosquitos from producing female offspring. This is important for two reasons — only the females bite, and without females, mosquito numbers will plummet. The core aim is to greatly reduce the number of people who die from malaria — of which there were sadly 627,000 in 2020, according to the World Health Organization. It could also slash the economic impact of the disease. With 241 million cases in 2020, mostly in Africa, malaria is estimated to cost the continent $12bn (£9.7bn) in reduced economic output every year.... One of the world's pioneering developers of gene drives is US biologist Kevin Esvelt, an assistant professor at Massachusetts Institute of Technology. He first came up with the technology back in 2013.... Prof Esvelt adds that this technology is being provided by something called "daisy chain". This is where a gene drive is designed to become inert after a few generations. Or halving its spread every generation until it eventually stops. Using this technology he says it is possible to control and isolate the spread of gene drives. "A town could release GM organisms with its boundaries to alter the local population [of a particular organism] while minimally affecting the town next door," he says. The technology has not been authorized for use "in the wild," the article points out. But there are currently no bans on laboratories researching it.

Read more of this story at Slashdot.

Michael Dell could be the key to any deal

Broadcom is in early talks to buy VMware, according to The New York Times, Bloomberg, and Reuters.…

Nicholas Weaver is a senior staff researcher at the International Computer Science Institute and lecturer in the computer science department at UC Berkeley. But he's also a raging cryptocurrency skeptic, arguing that cryptocurrency is useless and destructive, and should "die in a fire." In a recent interview in Current Affairs he promulgates what he calls Weaver's Iron Law of Blockchain. "When somebody says you can solve X with blockchain, they don't understand X, and you can ignore them." So for those pushing cryptocurrency for "Banking the unbanked," Weaver points to M-Pesa, a payment system Vodafone started in Kenya in 2007 "about the same time as Bitcoin..." It has eaten the Third World. It's huge. Because it just basically attaches a balance to your phone account. And you can text to somebody else to transfer money that way.... So even with the most basic dumb phone you have easy-to-use electronic money. And this has taken over multiple countries and become a huge primary payment system. [Whereas] the cryptocurrency doesn't work." Weaver also contends that when companies say they accept payments in Bitcoin, "They're lying." (They're using a service which pays them in "actual money" after performing conversions on any Bitcoin proferred-up by a customer.) He believes cryptocurrency is only seriously used for payments for ransomware and drug deals — the things that non-decentralized currencies are legally obligated to block. The reason I've gotten so sour on the cryptocurrency space is the ransomware. It's doing tens to hundreds of billions of dollars worth of damage to the global economy. And it only exists because people can pay in Bitcoin. Weaver also believes cryptocurrency lets venture capitalists "carry out securities fraud as a business model" when they sell one of their startup's tokens to retail investors. This is blatantly an unlicensed security. This is blatant securities fraud, but they didn't commit the securities fraud. It was just the companies they invested in that did the securities fraud, and the SEC has not been proactively enforcing this. They only retroactively enforce against the initial coin offerings after they fail.... and when things fail, the only people to prosecute are the companies, not Andreessen Horowitz itself. So they've been able to make securities fraud a business in such a way that they are legally remote, so you will not be able to throw them in jail.... The SEC has the authority to stop those proactively rather than reactively. They choose not to.... Basically, there's a fear among regulators — that I think started in the '80s — of being accused of "stifling innovation." There's no innovation to stifle. So regulate away. He's also skeptical of cryptocurrency's other supposed advantages. Weaver argues cryptocurrency incentivizes green power "the same way that a whole bunch of random shootings would incentivize bulletproof vests." And even as an investment vehicle, Weaver sees it as "a self-created pyramid scheme." [Y]ou have to keep getting new suckers in. As soon as the number of suckers dries up, it collapses. And because it's not zero-sum, but deeply negative-sum, there are actually a lot of mechanisms that can cause it to collapse suddenly to zero. We saw this just the other day with the Terra stablecoin and the Luna side token. So when asked for the future of cryptocurrency, Weaver predicts "It will implode spectacularly." (By which he means it will "collapse greatly.") The only question is when. I thought it would have actually imploded a year ago. But basically, what we saw with Terra and Luna, where it collapsed suddenly due to these downward positive feedback loops — situations where basically the system is designed to collapse utterly and quickly — those will happen to the larger cryptocurrency space.... [T]he Washington Nationals just the other day started doing a lot of tweets for their business relationship with Terra. That was $5 million for five years prepaid in advance in cash. So for the next five years, the Washington Nationals are obliged to hype a cryptocurrency that failed spectacularly already. Thanks to Slashdot reader sdinfoserv for sharing the article...

Read more of this story at Slashdot.

Adds 'feature activation' for Intel silicon, but Chipzilla still isn't saying what that means

Linus Torvalds has released version 5.18 of the Linux kernel.…

If you'd like to deter "digital voyeurs," Popular Science points out that you can ask the map apps from Google, Apple, and Microsoft "to draw a veil of privacy across your property. "You'd be in good company too: Apple CEO Tim Cook had his home blurred from mapping apps after issues with a stalker." There is something to bear in mind before you do this, though: you may not be able to reverse the process. The blur could be there for good. This is the case for Google Maps, and while Apple and Microsoft don't specify whether blurs on their services are permanent, they may follow the same protocol or decide to do so in the future. The case for blurring? "Having strangers from all over the world stare at your home isn't necessarily something you want to happen — but it can be done in seconds on the mapping apps we all carry around on our phones." ("Stop people from peering at your place," suggests the article's subtitle.) But is there also a case against demanding platforms blur what's essentially just the exterior of a building? Where's the boundary where we're honoring the wishes of the privacy-conscious — and does the public ever have a right to see? Share your own thoughts in the comments. And would you blur your house on every map app? (Thanks to long-time Slashdot reader schwit1 for sharing the article...)

Read more of this story at Slashdot.

SlashData's "State of the Developer Nation" surveyed more than 20,000 developers in 166 countries, taken from December 2021 to February 2022, reports InfoWorld. It found the most popular programming language is JavaScript — followed by Python (which apparently added 3.3 million new net developers in just the last six months). And Rust adoption nearly quadrupled over the last two years to 2.2 million developers. InfoWorld summarizes other findings from the survey: Java continues to experience strong and steady growth. Nearly 5 million developers have joined the Java community since the beginning of 2021. PHP has grown the least in the past six month, with an increase of 600,000 net new developers between Q3 2021 and Q1 2022. But PHP is the second-most-commonly used language in web applications after JavaScript. Go and Ruby are important languages in back-end development, but Go has grown more than twice as fast in the past year. The Go community now numbers 3.3 million developers. The Kotlin community has grown from 2.4 million developers in Q1 2021 to 5 million in Q1 2022. This is largely attributed to Google making Kotlin its preferred language for Android development.

Read more of this story at Slashdot.

Slovakia's eastern border touches Ukraine's western border — and Saturday Bloomberg uncovered an emerging controversy. "A flood of posts pushing misinformation in Slovakia is putting the spotlight on Facebook for facilitating the spread of pro-Russian theories on the war in neighboring Ukraine, ranging from claims that Kyiv is secretly developing biological weapons to questioning whether President Vladimir Putin's invasion even happened at all." The dispute took center stage this week when members of the US House Permanent Select Committee on Intelligence called out Meta and its chief executive officer, Mark Zuckerberg, for facilitating the dangerous spread of pro-Russia disinformation in the country of 5.3 million. According to the GLOBSEC security think tank, the intensity of false messages is worse here than anywhere else in ex-communist central Europe. That has buoyed support for Putin, with more than a quarter of Slovaks saying they back his actions, even as the administration in Bratislava tries to shelter the refugees and send weapons to Kyiv to aid in its defense.... The committee said that the US and Slovak governments had repeatedly asked Meta to take action against messages that include posts accusing Ukrainians of supporting Fascism, killing their fellow countrymen and demonizing the hundreds of thousands of people who have fled abroad to escape the war. "Half of the population is prone to believe in some kind of misinformation or conspiracy theories," said GLOBSEC analyst Dominika Hajdu. At present, Meta has only one fact-checker dedicated to Slovakia, where about 2.7 million people, or almost half of the population, have Facebook accounts, making it the most widely used social-media platform, according to the US committee members' letter. They described the staffing level as "wildly inadequate...." Slovakia isn't alone. In February, the prime ministers of Poland and the Baltic trio Estonia, Latvia and Lithuania demanded executives in charge of Facebook, Google, YouTube and Twitter "take a stand" against Russian disinformation. Slovokia's prime minister decried the situation in a Facebook post of his own. "Never before in history has freedom of speech been abused in favor of murder and destruction on such a mass scale and with such a devastating effect." A Meta spokesperson told Bloomberg that when fact-checkers identify false information, Facebook positions this false content "lower in Feed so fewer people see it." "We're also giving people more information to decide what to read, trust, and share by adding warning labels on content rated false."

Read more of this story at Slashdot.

After nearly 20 years, Hollywood Designer 6.0 is "very stable and mature", write its developers — envisioning both hobbyist and professional users (with its support for modern graphics-editing features like filter effects and vector graphics) in its massive new evolution. Long-time Slashdot reader Mike Bouma explains: Airsoft Softwair has released Hollywood Designer 6.0, "a full-blown multimedia authoring system that runs on top of Hollywood and can be used to create all sorts of multimedia-based applications, for example presentations, slide shows, games, and applications. Thanks to Hollywood, all multimedia applications created using Hollywood Designer can be exported as stand-alone executables for the following systems: AmigaOS3, AmigaOS4, WarpOS, MorphOS, AROS, Windows, macOS, Linux, Android, and iOS." The current version of Hollywood is v9.1 with various updated add-ons. To see earlier versions of Hollywood 9.0 & Designer 5.0 in action have a look at Kas1e's short demonstration on AmigaOS4 / AmigaOne X5000.

Read more of this story at Slashdot.

"NASA has released a huge new report that astronomers are calling Hubble's magnum opus," reports New Atlas. "Analyzing 30 years of data from the famous space telescope, the new study makes the most precise measurement yet of how fast the universe is expanding." Astronomers have known for the better part of a century that the universe is expanding, thanks to the observation that galaxies are moving away from us — and the farther away they are, the faster they're traveling. The speed at which they're moving, relative to their distance from Earth, is a figure called the Hubble constant, and measuring this value was one of the primary missions of the space telescope of the same name. To measure the Hubble constant, astronomers study distances to objects whose brightness is known well — that way, the dimmer it appears, the farther away it is. For relatively close objects within our galaxy or in nearby ones, this role is filled by Cepheids, a class of stars that pulse in a predictable pattern. For greater distances, astronomers use what are called Type Ia supernovae — cosmic explosions with a well-defined peak brightness.... For the new study, a team of scientists has now gathered and analyzed the most comprehensive catalog of these objects so far, to make the most precise measurement of the Hubble constant yet. This was done by studying 42 galaxies that contained both Cepheids and Type Ia supernovae, as imaged by the Hubble telescope over the last 30 years. "This is what the Hubble Space Telescope was built to do, using the best techniques we know to do it," said Adam Riess, lead scientist of the team. "This is likely Hubble's magnum opus, because it would take another 30 years of Hubble's life to even double this sample size." The article points out that these detailed real-world observations of the Hubble "constant" now show a small discrepancy, which suggests "new physics could be at work." And it's the new James Webb Space Telescope that will now be studying these same phenomena at an even higher resolution.

Read more of this story at Slashdot.

The Drive's Adam Kehoe noticed something during this week's UFO hearings in the U.S. Congress. "After intense public speculation, stacks of official documents obtained via the Freedom Of Information Act, ambiguous statements from top officials, and an avalanche of media attention, it has now been made clear that the mysterious swarming of U.S. Navy ships off the Southern California coast in 2019 was caused by drones, not otherworldly UFOs or other mysterious craft. "Raising even more questions, a similar drone swarm event has occurred off another coast, as well." These revelations came from top Department of Defense officials during a recent and much-anticipated house hearing on UFOs, which you can read all about here. The strange series of events in question unfolded around California's Channel Islands in July of 2019. On multiple evenings, swarms of unidentified drones were spotted operating around U.S. Navy vessels. In numerous instances, the drones flew within close proximity to ships, even crossing directly over their decks. The behavior provoked defensive reactions from the ships, including the deployment of emergency security teams... Deck logs demonstrate that the Navy appears to have drilled and implemented a variety of counter-drone techniques in response to these incidents. This eventually included the deployment of Northrop Grumman's Drone Restricted Access Using Known EW (DRAKE) platform. The DRAKE system is a man-portable backpack that allows sailors to use radio frequency signals to interrupt the control links of drones. The DRAKE system appears to have been actually deployed in one of the incidents.... It is entirely unclear where the drones were operating from, how they were controlled, or who was controlling them. Still, the Navy could identify the objects as drones without those questions being fully answered at this time.... The Department of Defense's open acknowledgment of these drone swarm events just off U.S. shores shows that the threat is not theoretical. It is also not a future threat. Significant drone swarm events have occurred in the last three years, unknown to the public, and evidently unresolved by defense authorities. Judging by what is known to date about the 2019 incident, it is clear that the United States is not well-positioned to detect, identify and neutralize such threats. It remains to be seen what level of priority these issues will receive by lawmakers in relation to more speculative questions surrounding UAP. If anything else, top confirmation that adversaries are operating swarms among America's most powerful weapons in training areas where their most sensitive capabilities are put to use should make national headlines, but because it was buried in sensationalism around UFOs, it clearly did not.

Read more of this story at Slashdot.

"62-year-old Val Kilmer was just 26 when he played Iceman in the 1986 movie Top Gun," remembers long-time Slashdot reader destinyland. But in 2015 Kilmer lost his voice to throat cancer, remembers Parade: In his 2020 memoir I'm Your Huckleberry, Kilmer joked that he has less of a frog in his throat and more of a "buffalo." He said, "Speaking, once my joy and lifeblood, has become an hourly struggle." Kilmer has teamed up with Sonantic, a U.K.-based software firm that uses artificial intelligence to copy voices for actors and production studios, to replicate his speech, using old recordings of his voice and existing footage. Kilmer elaborates on the process of finding his voice again through AI in a video posted to YouTube in August 2021. In his new AI-enhanced voice, which does indeed emulate the speech audiences are familiar with, Kilmer says: "People around me struggle to understand me when I'm talking, but despite all that, I still feel I'm the exact same person, still the same creative soul. A soul that dreams ideas and stories constantly. "But now I can express myself again, I can bring these dreams to you, and show you this part of myself once more. A part that was never truly gone, just hiding away." Kilmer's health struggles, his childhood tragedies and his ambitious career were recently documented in the acclaimed 2021 feature-length doc Val, now streaming on Amazon Prime Video. Top Gun: Maverick screened at the Cannes Film Festival to rapturous reviews, with thunderous fanfare including an air show. Though reports say audiences gave the action picture (currently sitting at a 97% on Rotten Tomatoes) a five-minute standing ovation, with audible responses throughout the picture, mainly at the groundbreaking stunt work, it's also been reported an audience-favorite scene is the "overwhelming" emotional response to the reunion of Tom Cruise and Kilmer.

Read more of this story at Slashdot.

Munich-based developer Aaron Ardiri is Slashdot reader #245,358, with a profile that still identifies him as a Palm OS developer. Which surprised me, because Palm OS's last update was in 2007. (Then again, ardiri's Slashdot profile also still includes his screen name on AOL Instant Messenger.) So, a long-time Slashdot reader. And this week he stopped by to share a little history — in more ways than one. ardiri writes: Before the iOS and Android entered the scene — heck, even before the smartphone concept — was the handheld personal digital assistant, with the likes of Newton, Palm OS, Windows Mobile and Symbian. Palm OS had a thriving gaming scene; with the likes of emulators and implementations/clones of classics such as LodeRunner, Lemmings, and the classic Game and Watch. But the real news of ardiri's original submission is hidden in its headline. "Palm OS developer releases source to classic games, 20+ years after release." Written mainly in C and optimizations in assembler — maybe these games will make their way to the various Arduino like micro-controllers out there; designed for low memory, low processing power environments they would port perfectly.

Read more of this story at Slashdot.

CNBC visited a company that burns trash from a California landfill, and then "harnesses steam to make enough electricity to power 18,000 homes in the area" — which turns out to be part of a surprisingly large industry: A portion of the waste comes from companies including American Airlines, Quest Diagnostics, Sunny Delight and Subaru.... Major retailers like Amazon also use this combustion method to dispose of returns they deem unfit to recycle, resell, or donate.... The U.S. is one of the most wasteful developed countries in the world. Of the record 292 million tons of waste generated by Americans each year, more than half is landfilled, about a third is recycled, and 12% is incinerated at waste-to-energy facilities, according to the World Bank. Online commerce poses a particular problem. Not only are internet purchases breaking records in terms of volume, but roughly 20% of items get returned, which is a higher number than for in-store purchases. Returns solutions provider Optoro says U.S. returns generate an estimated 5.8 billion pounds of landfill waste each year. But the article also points out that more than half of U.S. states define waste-to-energy as a renewable energy source." Unlike landfills, many governments and non-governmental organizations consider it a source of greenhouse gas mitigation. That includes the U.S. Environmental Protection Agency, where Susan Thorneloe leads research on materials management. U.S. climate experts say these are the three reasons the burning process produces a net reduction of greenhouse gasses. First, it keeps waste out of landfills, which emit methane that the EPA estimates is 86 times greater than carbon dioxide over a 20-year period. Second, waste-to-energy facilities reduce the need for mining because they recover 700,000 tons of metal each year. And finally, they produce energy, reducing the need to burn fossil fuels.... The steam can also be captured and piped up to a mile away to heat or cool entire buildings, like Target Field in Minneapolis.... The EPA estimates that for every megawatt-hour of electricity generated, waste-to-energy emits an average of just over half a metric ton of carbon dioxide equivalent gasses. Landfills emit six times that, and coal plants emit nearly double. At least some scientists CNBC spoke to said that air pollution technology has advanced so much in the last two decades that most common toxins have largely been eliminated.

Read more of this story at Slashdot.

Big OEMs hogging production and COVID causing supply issues

The system-on-chip (SoC) side of the semiconductor industry is poised for growth between now and 2026, when it's predicted to be worth $6.85 billion, according to an analyst's report. …