An anonymous reader quotes TechRepublic: PHP 7.3, the newest update to the widespread server-side web development language, was released on Thursday, bringing with it a handful of new features, modernizations, and modest speed improvements.... The largest improvements in 7.3 include support for Foreign Function Interface (FFI), allowing programmers to write inline C code inside PHP scripts. Though this feature does not presently provide the same level of performance as native PHP code, it can under certain circumstances be used to reduce the memory footprint of a given task.

PHP 7.3 also includes flexible heredoc and nowdoc syntax, now no longer requiring closing markers to be followed by a semicolon or new line. The feature proposal for this notes that the previous rigid requirements "caused them to be, in-part, eschewed by developers because their usage in code can look ugly and harm readability...." PHP 7.3 does bring some backward incompatible changes and deprecated functions. The use of case-insensitive constraints is now deprecated, as is the use of case-insensitive constants with a case that differs from the declaration.
Phoronix reports that PHP 7.3 is nearly 10% faster than version 7.2, while it's 31% faster than PHP 7.0 and nearly three times faster than PHP 5.6.

Microsoft's Visual Basic .NET now ranks above JavaScript, PHP, SQL on TIOBE's index of programming language popularity, which ZDNet notes is "the highest it's ever been since [TIIOBE] started tracking the Microsoft language in 2001." Tiobe analysts said it was "very surprising" that Visual Basic .Net is now the fifth most popular language, only behind C++, Python, C, and Java. It's even ahead of JavaScript, which currently lies in seventh place, down from sixth a year ago. C# meanwhile fell from fifth spot a year ago to sixth this month. The language index still reckons Visual Basic .Net will "sooner or later go into decline", but concedes it's popular for dedicated office applications in small and medium enterprises, and is probably still used by many developers because it's easy to learn.
TIOBE's methodology "basically...comes down to counting hits for the search query +"<language> programming," TIOBE explains on its web page -- though its results don't always agree with other analysts.

InfoWorld points out that on this month's PyPL Popularity of Programming Language index, which analyzes how often language tutorials are searched for on Google, VB.NET "doesn't even register Visual Basic.Net or Visual Basic among its Top 10 languages" -- and JavaScript comes in third, behind only Python and Java.

"When a pair of California Highway Patrol officers pulled alongside a car cruising down Highway 101 in Redwood City before dawn Friday, they reported a shocking sight: a man fast asleep behind the wheel," reports the San Francisco Chronicle: The car was a Tesla, the man was a Los Altos planning commissioner, and the ensuing freeway stop turned into a complex, seven-minute operation in which the officers had to outsmart the vehicle's autopilot system because the driver was unresponsive, according to the CHP...

Officers observed Samek's gray Tesla Model S around 3:30 a.m. as it sped south at 70 mph on Highway 101 near Whipple Avenue, said Art Montiel, a CHP spokesman. When officers pulled up next to the car, they allegedly saw Samek asleep, but the car was moving straight, leading them to believe it was in autopilot mode. The officers slowed the car down after running a traffic break, with an officer behind Samek turning on emergency lights before driving across all lanes of the highway, in an S-shaped path, to slow traffic down behind the Tesla, Montiel said. He said another officer drove a patrol car directly in front of Samek before gradually slowing down, prompting the Tesla to slow down as well and eventually come to a stop in the middle of the highway, north of the Embarcadero exit in Palo Alto -- about 7 miles from where the stop was initiated.
Tesla declined to comment on the incident, but John Simpson, privacy/technology project director for Consumer Watchdog, calls this proof that Tesla has wrongly convinced drivers their cars' "autopilot" function really could perform fully autonomous driving...

"They've really unconscionably led people to believe, I think, that the car is far more capable of self-driving than actually is the case. That's a huge problem."

With Shikoku Electric Power Company's 890 megawatt (MW) Ikata-3 reactor, Japan has restarted a total of five nuclear reactors in 2018. "Japan had suspended its nuclear fleet in 2013 for mandatory safety checks and upgrades following the 2011 Fukushima accident, and before 2018 only four reactors had been restarted," reports OilVoice. From the report: Following the Fukushima accident, as each Japanese nuclear reactor entered its scheduled maintenance and refueling outage, it was not returned to operation. Between September 2013 and August 2015, Japan's entire reactor fleet was suspended from operation, leaving the country with no nuclear generation. Sendai Units 1 and 2, in Japan's Kagoshima Prefecture, were the first reactors to be restarted in August and October 2015, respectively.

The restart of Japan's nuclear power plants requires the approval of both Japan's Nuclear Regulation Authority (NRA) and the central government, as well as consent from the governments of local prefectures. In July 2013, the NRA issued more stringent safety regulations to address issues dealing with tsunamis and seismic events, complete loss of station power, and emergency preparedness. As part of Japan's long-term energy policy, issued in April 2014, the central government called for the nuclear share of total electricity generation to reach 20%-22% by 2030, which would require 25 to 30 reactors to be in operation by then. In 2017, four operating nuclear reactors provided 3% of Japan's total electricity generation.

An anonymous reader quotes a report from Ars Technica: Microsoft has won a $480 million contract to develop an augmented reality system for use in combat and military training for the U.S. Army. Called Integrated Visual Augmentation System (IVAS), formerly Heads Up Display (HUD) 3.0, the goal of the project is to develop a headset that gives soldiers -- both in training and in combat -- an increase in "Lethality, Mobility, and Situational Awareness." The ambitions for the project are high. Authorities want to develop a system with a goggle or visor form factor -- nothing mounted on a helmet -- with an integrated 3D display, digital cameras, ballistic laser, and hearing protection. The system should provide remote viewing of weapon sights to enable low risk, rapid target acquisition, perform automated or assisted target acquisition, integrate both thermal and night vision cameras, track soldier vitals such as heart and breathing rates, and detect concussions. Over the course of IVAS's development, the military will order an initial run of 2,550 prototypes, with follow-on production possibly in excess of 100,000 devices.

Friday Greg Kroah-Hartman released stable point releases of Linux kernel 4.19.4, as well as 4.14.83 and 4.9.139. While they were basic maintenance updates, the 4.19.4 and 4.14.83 releases are significant because they also reverted the performance-killing Spectre patches (involving "Single Thread Indirect Branch Predictors", or STIBP) that had been back-ported from Linux 4.20, according to Phoronix:

There is improved STIBP code on the way for Linux 4.20 that by default just applies STIBP to SECCOMP threads and processes requesting it via prctl() but otherwise is off by default (that behavior can also be changed via kernel parameters). Once that code is ready to go for Linux 4.20, we may see it then back-ported to these stable trees.

Aside from reverting STIBP, these point releases just have various fixes in them as noted for 4.19.4, 4.14.83, and 4.9.139.
Last Sunday Linus Torvalds complained that the performance impact of the STIPB code "was clearly way more expensive than people were told," according to ZDNet: "When performance goes down by 50 percent on some loads, people need to start asking themselves whether it was worth it. It's apparently better to just disable SMT entirely, which is what security-conscious people do anyway," wrote Torvalds. "So why do that STIBP slow-down by default when the people who *really* care already disabled SMT?"

PHP 7.3 RC6 was released earlier this week. Phoronix ran some benchmarks and compared the performance of v7.3 RC6 with releases going back to the v5.5 series. From the story: I ran some fresh benchmarks over the past day on PHP 5.5.38, PHP 5.6.38, PHP 7.0.32, PHP 7.1.24, PHP 7.2.12, and the PHP 7.3.0-RC6 test release. All of the PHP5/PHP7 builds were configured and built in the same manner. All tests happened from the same Dell PowerEdge R7425 dual EPYC server running Ubuntu 18.10 Linux.

Besides continuing to evolve the performance of PHP7, the PHP 7.3 release is also delivering on FFI (the Foreign Function Interface) to access functions / variables / data structures from the C language, a platform-independent manner for obtaining information on network interfaces, an is_countable() call, WebP support within GD's image create from string, updated SQLite support, improved PHP garbage collection performance, and many other enhancements. PHP 7.3 is just shy of 10% faster than PHP 7.2 in the popular PHPBench. PHP 7.3 is 31% faster than PHP 7.0 or nearly 3x the speed of PHP5.

If you're a tab-hoarder, and you use Chrome browser, Google may have some news for you soon. The company is working on a scrollable tabstrip to make it easier for users to navigate through tabs, a developer was quoted as saying. Peter Casting, who works on Chrome UI, said, "scrollable tabstrip is in the works. In the meantime, try shift-clicking and ctrl-clicking to select multiple tabs at once, then drag out to separate Windows to group tabs by Window." TechDows, which first reported the development: We're expecting this as the related bug, the 'UI: tab overflow' bug created 10 years back, reports opening too many tabs causes add tab button (+) to disappear and tabs do not scroll then, the expected result has been mentioned as 'scrollable tabs.' Further reading: Google is raiding Firefox for Chrome's next UI features.

Epic Games' Fortnite has reached 8.3 million concurrent players worldwide (or about 0.1 percent of the human population) after finally making its debut in South Korea earlier this month. From a report: Because Internet cafes still play a large role in Asian countries, VG247 reports that players were encouraged to play Fortnite at PC bang cafes to complete special challenges, which were created in order to launch the Battle Royale mode in South Korea. After Fortnite's Battle Royale mode launched in South Korea this week, Epic Games Korea CEO Sung Chul Park stated in an interview that the game now has 8.3 million concurrent players worldwide. A spokesperson from Epic confirmed the numbers to VG247 as well.

NASA is considering selling seats on the spacecraft that will ferry its astronauts to the International Space Station, offering rides to the public while opening another line of revenue as the agency attempts to broaden its appeal [Editor's note: the link may be paywalled; alternative source]. From a report: On several occasions, Russia has flown wealthy individuals who paid millions for the ride to space. And a trio of private companies backed by billionaires, is also looking to fly tourists out of the atmosphere. But except for a couple of rare exceptions, such as Christa McAuliffe, the teacher who was killed when the space Shuttle Challenger exploded in 1986, NASA has not allowed private citizens on its rockets. "Just like in the early days of aviation, with barnstorming, these initial activities will help build the infrastructure and the foundation that can lead to future innovations that, frankly, we cannot imagine right now," said Michael Gold, the general counsel of Maxar Technologies, who is leading the advisory council's policy reform effort.

The proposal, backed Friday by a NASA advisory subcommittee, is still in the nascent stage, and is part of moves by the agency to better insert itself into the public consciousness by working with the private sector. The proposals would have to be approved by the entire advisory council and then forwarded to NASA Administrator Jim Bridenstine. Friday's meeting comes two months after Bridenstine announced he was standing up the committee, and tasking it to look at how the agency could better partner with industry. He said then that he wants NASA and its astronauts "embedded into the American culture." On Friday, he reiterated the point, saying: "The reality is, we're in a new era now."

A recent TechCrunch article claimed to have identified the best indicator of programming language popularity: GitHub's annual "State of the Octoverse" reports. So Austin-based technology reporter Mike Melanson explored the new verdict in GitHub's 2018 report: It felt to me like the overarching theme of the numbers was one of quiet stasis for the year past, at least when it comes to those languages deemed the cream of the crop. One of the first graphics offered in the post shows the top languages according to the number of repositories created and we see that everything seems to be flowing along, just as it has for the last decade. While GitHub points to a "steady uptick" for JavaScript after 2011, it looks like this list of languages hasn't changed much over time. [The graphic shows the four most popular languages -- every year since early 2014 -- have been JavaScript, Java, Python, and PHP.]

When we look at the top languages according to the number of contributors, we see a similar story, with the top four languages mirrored. In this chart, of course, we see that Ruby is on a steady decline, while Typescript is on a steady rise. The only surprise to be seen here is that C, after a brief uptick in popularity, has taken a bit of a nosedive over the past year. Either way, seven of 10 languages have the same exact ranking....

Finally, beyond the language rankings themselves, GitHub offers a wonderful analysis of just what it is that makes a particular language popular in 2018, boiling it down to three key characteristics: thread safety, interoperability, and being open source.
GitHub's report also identifies its fastest growing languages over the last year -- including Kotin, TypeScript, Rust, Python, and Go. "This year, TypeScript shot up to #7 among top languages used on the platform overall, after making its way in the top 10 for the first time last year," the report notes.

"TypeScript is now in the top 10 most used languages across all regions GitHub contributors come from -- and across private, public, and open source repositories."

Freshly Exhumed writes: An intentional kernel change in Linux kernel 4.20 for enhanced Spectre mitigation is unfortunately causing Intel Linux performance to be much slower than with 4.19. That change is 'STIBP' (Single Thread Indirect Branch Predictors), which allows for preventing cross-hyperthread control of decisions that are made by indirect branch predictors. It affects Intel systems that have up-to-date microcode and CPU Hyper Threading enabled. Phoronix gives the evidence.

Yet another vulnerability has been patched that could have exposed user data. According to security company Imperva, the bug "allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser," reports The Verge. From the report: In technical terms, the attack is a cross-site request forgery, using a legitimate Facebook login in unauthorized ways. For the attack to work, a Facebook user must visit a malicious website with Chrome, and then click anywhere on the site while logged into Facebook. From there, attackers could open a new pop-up or tab to the Facebook search page and run any number of queries to extract personal information. Some examples Imperva gives are checking if a user has taken photos in a certain location or country, if the user has written any recent posts that contain specific text, or checking if a user's friends like a company's Facebook page. In essence, the vulnerability exposed the interests of a user and their friends even if privacy settings were set so interests were only visible to a user's friends. Imperva says the vulnerability was not a common technique and the issue has been resolved with Facebook. However, it does mention that these more sophisticated social engineering attacks could become more common in 2019. A Facebook representative told The Verge: "We appreciate this researcher's report to our bug bounty program. We've fixed the issue in our search page and haven't seen any abuse. As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications."

An anonymous reader writes: The Ruby programming language is impacted by a similar "deserialization issue" that has affected and wreaked havoc in the Java ecosystem in 2016; an issue that later also proved to be a problem for .NET and PHP applications as well. Researchers published proof-of-concept code this week showing how to exploit serialization/deserialization operations supported by the built-in features of the Ruby programming language itself.

"Versions 2.0 to 2.5 are affected," researchers said. "There is a lot of opportunity for future work including having the technique cover Ruby versions 1.8 and 1.9 as well as covering instances where the Ruby process is invoked with the command line argument --disable-all," the elttam team added. "Alternate Ruby implementations such as JRuby and Rubinius could also be investigated."

The deserialization issues can be used for remote code execution and taking over vulnerable servers. While .NET and PHP were affected, it was Java until now that has faced the biggest issues with deserialization, earlier this year, Oracle announcing it was dropping deserialization support from the Java language's standard package.

You can have a disaster-free Election Day in the social media age, writes New York Times columnist Kevin Roose, "but it turns out that it takes constant vigilance from law enforcement agencies, academic researchers and digital security experts for months on end." It takes an ad hoc "war room" at Facebook headquarters with dozens of staff members working round-the-clock shifts. It takes hordes of journalists and fact checkers willing to police the service for false news stories and hoaxes so that they can be contained before spreading to millions. And even if you avoid major problems from bad actors domestically, you might still need to disclose, as Facebook did late Tuesday night, that you kicked off yet another group of what appeared to be Kremlin-linked trolls...

Most days, digging up large-scale misinformation on Facebook was as easy as finding baby photos or birthday greetings... Facebook was generally responsive to these problems after they were publicly called out. But its scale means that even people who work there are often in the dark... Other days, combing through Facebook falsehoods has felt like watching a nation poison itself in slow motion. A recent study by the Oxford Internet Institute, a department at the University of Oxford, found that 25 percent of all election-related content shared on Facebook and Twitter during the midterm election season could be classified as "junk news"...

Facebook has framed its struggle as an "arms race" between itself and the bad actors trying to exploit its services. But that mischaracterizes the nature of the problem. This is not two sovereign countries locked in battle, or an intelligence agency trying to stop a nefarious foreign plot. This is a rich and successful corporation that built a giant machine to convert attention into advertising revenue, made billions of dollars by letting that machine run with limited oversight, and is now frantically trying to clean up the mess that has resulted... It's worth asking, over the long term, why a single American company is in the position of protecting free and fair elections all over the world.
Despite whatever progress has been made, the article complains that "It took sustained pressure from lawmakers, regulators, researchers, journalists, employees, investors and users to force the company to pay more attention to misinformation and threats of election interference. Facebook has shown, time and again, that it behaves responsibly only when placed under a well-lit microscope.

"So as our collective attention fades from the midterms, it seems certain that outsiders will need to continue to hold the company accountable, and push it to do more to safeguard its users -- in every country, during every election season -- from a flood of lies and manipulation."

AmiMoJo writes: Apple's new-generation Macs come with a new so-called Apple T2 security chip that's supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple's computers, and by the looks of things, it's also responsible for a series of new restrictions that Linux users aren't going to like.

The issue seems to be that Apple has included security certificates for its own and Microsoft's operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine's internal storage, making installation of Linux impossible.

An anonymous reader quotes a report from TechCrunch: Georgia's secretary of state and candidate for state governor in the midterm election, Brian Kemp, has taken the unusual, if not unprecedented step of posting the personal details of 291,164 absentee voters online for anyone to download. Kemp's office posted an Excel file on its website within hours of the results of the general election, exposing the names and addresses of state residents who mailed in an absentee ballot -- including their reason why, such as if a person is "disabled" or "elderly."

The file, according to the web page, allows Georgia residents to "check the status of your mail-in absentee ballot." Millions of Americans across the country mail in their completed ballots ahead of election day, particularly if getting to a polling place is difficult -- such as if a person is disabled, elderly or traveling. When reached, Georgia secretary of state's press secretary Candice Broce told TechCrunch that all of the data "is clearly designated as public information under state law," and denied that the data was "confidential or sensitive." "State law requires the public availability of voter lists, including names and address of registered voters," she said in an email. "While the data may already be public, it is not publicly available in aggregate like this," said security expert Jake Williams, founder of Rendition Infosec, who lives in Georgia. Williams took issue with the reasons that the state gave for each absentee ballot, saying it "could be used by criminals to target currently unoccupied properties." "Releasing this data in aggregate could be seen as suppressing future absentee voters in Georgia who do not want their information released in this manner," he said.

An anonymous reader quotes a report from Ars Technica: Police in the Netherlands said they decrypted more than 258,000 messages sent using IronChat, an app billed as providing end-to-end encryption that was endorsed by National Security Agency leaker Edward Snowden. In a statement published Tuesday, Dutch police said officers achieved a "breakthrough in the interception and decryption of encrypted communication" in an investigation into money laundering. The encrypted messages, according to the statement, were sent by IronChat, an app that runs on a device that cost thousands of dollars and could send only text messages.

"Criminals thought they could safely communicate with so-called crypto phones which used the application IronChat," Tuesday's statement said. "Police experts in the east of the Netherlands have succeeded in gaining access to this communication. As a result, the police have been able to watch live the communication between criminals for some time." Blackbox-security.com, the site selling IronChat and IronPhone, quoted Snowden as saying: "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation," according to Web archives. Whether the endorsement was authentic or not wasn't immediately known. The site has been seized by Dutch police.

Californians warmed to the idea of year-round daylight-saving time, approving an initiative that would urge state lawmakers to junk the annual springing forward and falling back. From a report: With 43 percent of precincts reporting Tuesday night, Proposition 7 was leading 61 percent to 39 percent. It's a long way from here to year-round daylight-saving time. First, the Legislature would have to approve it by a two-thirds vote. Then Congress would have to allow California to deviate from standard time when most of the rest of the nation shifts to it.

An anonymous reader quotes Krebs on Security: A year after offering free credit monitoring to all Americans on account of its massive data breach that exposed the personal information of nearly 148 million people, Equifax now says it has chosen to extend the offer by turning to a credit monitoring service offered by a top competitor -- Experian. And to do that, it will soon be sharing with Experian contact information that affected consumers gave to Equifax in order to sign up for the service... Equifax says it will share the name, address, date of birth, Social Security number and self-provided phone number and email address with Experian for anyone who signed up for its original TrustedID Premier offering. That is, unless those folks affirmatively opt-out of having that information transferred from Equifax to Experian. But not to worry, Equifax says: Experian already has most of this data. "Experian currently has and is using this information (except phone number and email address) in the fulfillment of the Experian file monitoring which is part of your current service with TrustedID Premier," Equifax wrote in its email.
Krebs also points out the big problem with all credit monitoring services: "while they might let you know when someone has stolen your identity, they're not likely to prevent that from occurring in the first place." The best mechanism for preventing identity thieves from creating and abusing new accounts in your name is to freeze your credit file with Experian, Equifax and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file. Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stop all sorts of ID theft shenanigans... All three big bureaus tout their credit lock services as an easier and faster alternative to freezes -- mainly because these alternatives aren't as disruptive to their bottom lines....

TransUnion and Equifax both offer free credit lock services, while Experian's is free for 30 days and $19.99 for each additional month. However, TransUnion says those who take advantage of their free lock service agree to receive targeted marketing offers. What's more, TransUnion also pushes consumers who sign up for its free lock service to subscribe to its "premium" lock services for a monthly fee with a perpetual auto-renewal. Unsurprisingly, the bureaus' use of the term credit lock has confused many consumers; this was almost certainly by design. But here's one basic fact consumers should keep in mind about these lock services: Unlike freezes, locks are not governed by any law, meaning that the credit bureaus can change the terms of these arrangements when and if it suits them to do so.