Security

Apache Subversion Fails SHA-1 Collision Test, Exploit Moves Into The Wild (arstechnica.com) 159

WebKit's bug-tracker now includes a comment from Friday noting "the bots all are red" on their git-svn mirror site, reporting an error message about a checksum mismatch for shattered-2.pdf. "In some cases, due to the corruption, further commits are blocked," reports the official "Shattered" web site. Slashdot reader Artem Tashkinov explains its significance: A WebKit developer who tried to upload "bad" PDF files generated from the first successful SHA-1 attack broke WebKit's SVN repository because Subversion uses SHA-1 hash to differentiate commits. The reason to upload the files was to create a test for checking cache poisoning in WebKit.

Another news story is that based on the theoretical incomplete description of the SHA-1 collision attack published by Google just two days ago, people have managed to recreate the attack in practice and now you can download a Python script which can create a new PDF file with the same SHA-1 hashsum using your input PDF. The attack is also implemented as a website which can prepare two PDF files with different JPEG images which will result in the same hash sum.

Security

Java and Python FTP Attacks Can Punch Holes Through Firewalls (csoonline.com) 18

"The Java and Python runtimes fail to properly validate FTP URLs, which can potentially allow attackers to punch holes through firewalls to access local networks," reports CSO Online. itwbennett writes: Last weekend security researcher Alexander Klink disclosed an interesting attack where exploiting an XML External Entity vulnerability in a Java application can be used to send emails. At the same time, he showed that this type of vulnerability can be used to trick the Java runtime to initiate FTP connections to remote servers. After seeing Klink's exploit, Timothy Morgan, a researcher with Blindspot Security, decided to disclose a similar attack that works against both Java's and Python's FTP implementations. "But his attack is more serious because it can be used to punch holes through firewalls," writes Lucian Constantin in CSO Online.
"The Java and Python developers have been notified of this problem, but until they fix their FTP client implementations, the researcher advises firewall vendors to disable classic mode FTP translation by default..." reports CSO Online. "It turns out that the built-in implementation of the FTP client in Java doesn't filter out special carriage return and line feed characters from URLs and actually interprets them. By inserting such characters in the user or password portions of an FTP URL, the Java FTP client can be tricked to execute rogue commands..."
Robotics

New Kit Turns A Raspberry Pi Into A Robot Arm (raspberrypi.org) 36

An anonymous reader writes: A new kit turns your Raspberry Pi into a robotic arm. It's controlled by an on-board joystick, or even a web browser, and "because it's connected to the Pi you can program it through any of the various programming languages that already run on the Pi," according to its creators. "There's also free software available which lets you program it through a web interface using drag and drop programming environments like Scratch and Blockly or with Python and Javascript for the more experienced."

They explain in a video on Kickstarter that "Our mission is to get children excited about technology through building and programming their own robots," and they've already raised three times their original $12,411 fundraising goal. The Raspberry Pi blog describes it as "a great kit for anyone wanting to step into the world of digital making."

Long-time Slashdot reader bjpirt adds that "It's completely open source and hackable."
AI

Google Releases TensorFlow 1.0 With New Machine Learning Tools (venturebeat.com) 20

An anonymous reader shares a VentureBeat report: At Google's inaugural TensorFlow Dev Summit in Mountain View, California, today, Google announced the release of version 1.0 of its TensorFlow open source framework for deep learning, a trendy type of artificial intelligence. Google says the release is now production-ready by way of its application programming interface (API). But there are also new tools that will be part of the framework, which includes artificial neural networks that can be trained on data and can then make inferences about new data. Now there are more traditional machine learning tools, including K-means and support vector machines (SVMs), TensorFlow's engineering director, Rajat Monga, said at the conference. And there's an integration with the Python-based Keras library, which was originally meant to ease the use of the Theano deep learning framework. And there are now "canned estimators," or models, Monga said, including simple neural networks to start using quickly.
Java

Ask Slashdot: How To Get Started With Programming? [2017 Edition] 312

Reader joshtops writes: I know this is a question that must have been asked -- and answered -- on Slashdot several times, but I am hoping to listen from the community again (fresh perspective, if you will). I'm in my 20s, and have a day job that doesn't require any programming skills. But I want to learn it nonetheless. I have done some research but people have varied opinions. Essentially my question is: What is perhaps the best way to learn programming for my use case? I am looking for best possible resources -- perhaps tutorials on the internet, the right books and the order in which I should read/watch them. Some people have advised me to start with C language, but I was wondering if I could kickstart things with other languages such as perhaps Apple's Swift as well?
Programming

Developer Argues For 'Forgotten Code Constructs' Like GOTO and Eval (techbeacon.com) 600

mikeatTB quotes TechBeacon: Some things in the programming world are so easy to misuse that most people prefer to never use them at all. These are the programming equivalent of a flamethrower... [But] creative use of features such as goto, multiple inheritance, eval, and recursion may be just the right solution for experienced developers when used in the right situation. Is it time to resurrect these four forgotten code constructs?
The article notes that the Linux kernel uses goto statements, and links to Linus Torvalds' defense of them. ("Any if-statement is a goto. As are all structured loops...") And it points out that eval statements are supported by JavaScript, Python, PHP, and Ruby. But when the article describes recursion as "more forgotten than forbidden," it begs the inevitable question. Are you using these "forgotten code constructs" -- and should you be?
Security

Hacker Dumps iOS Cracking Tools Allegedly Stolen From Cellebrite (vice.com) 86

Last year, when Apple refused to unlock the security on an iPhone 5c belonging to the San Bernardino shooter, the FBI turned to an Israeli mobile forensics firm called Cellebrite to find another way into the encrypted iPhone. Now Motherboard reports that a hacker has released files allegedly from Cellebrite that demonstrate how cracking tools couldn't be kept private. From a report: Now the hacker responsible has publicly released a cache of files allegedly stolen from Cellebrite relating to Android and BlackBerry devices, and older iPhones, some of which may have been copied from publicly available phone cracking tools. "The ripped, decrypted and fully functioning Python script set to utilize the exploits is also included within," the hacker wrote in a README file accompanying the data dump. The hacker posted links to the data on Pastebin. It's not clear when any of this code was used in the UFED. Many of the directory names start with "ufed" followed by a different type of phone, such as BlackBerry or Samsung. In their README, the hacker notes much of the iOS-related code is very similar to that used in the jailbreaking scene -- a community of iPhone hackers that typically breaks into iOS devices and releases its code publicly for free.
AI

Who's Responsible For Accidents Caused By Open Source Self-Driving Car Software? (ieee.org) 114

Here's the problem. "You could download Comma.ai's new open-source Python code from Github, grab the necessary hardware, and follow the company's instructions to add semi-autonomous capabilities to specific Acura and Honda model cars (with more vehicles to follow)," writes IEEE Spectrum. But then who's legally responsible if there's an accident? Long-time Slashdot reader Registered Coward v2 writes: While many legal experts agree OSS is "buyer beware" and that Comma.ai and its CEO George Hotz would not be liable, it's a gray area in the law. The software is released under the MIT OSS license and the Read Me contains the disclaimer "This is alpha-quality software for research purposes only... You are responsible for complying with local laws and regulations." The U.S. Supreme Court, in a series of court cases in the 1990s, ruled open source code as free speech protected under the First Amendment of the U.S. Constitution.

The question is does that release the author(s) from liability. The EU has no EU wide rules on liability in such cases. One open question is even if the person who used the software could not sue, a third party injured by it might be able to since they are not a party to the license agreement.

An EFF attorney told HotHardware "Prosecutors and plaintiffs often urge courts to disregard traditional First Amendment protections in the case of software." But not everyone agrees. "Most legal experts that spoke with IEEE Spectrum -- and Hotz himself -- believe that if you use the company's code and something goes wrong, then it isn't liable for damages. You are."
Programming

New Release Of Nim Borrows From Python, Rust, Go, and Lisp (fossbytes.com) 199

An anonymous reader writes: "Nim compiles and runs fast, delivers tiny executables on several platforms, and borrows great ideas from numerous other languages," according to InfoWorld. After six years, they write, Nim is finally "making a case as a mix of the best of many worlds: The compilation speed and cross-platform targeting of Go, the safe-by-default behaviors of Rust, the readability and ease of development of Python, and even the metaprogramming facilities of the Lisp family..."

Fossbytes adds that Nim's syntax "might remind you of Python as it uses indented code blocks and similar syntax at some occasions. Just like Rust and Go, it uses strong types and first class functions... Talking about the benchmarks, it's comparable to C. Nim compiler produces C code by default. With the help of different compiler back-ends, one can also get JavaScript, C++, or Objective-C."

There's an improved output system in the newest release, and both its compiler and library are MIT licensed. Share your thoughts and opinions in the comments. Is anybody excited about writing code in Nim?
Supercomputing

D-Wave Open Sources Its Quantum Computing Tool (gcn.com) 45

Long-time Slashdot reader haruchai writes: Canadian company D-Wave has released their qbsolv tool on GitHub to help bolster interest and familiarity with quantum computing. "qbsolv is a metaheuristic or partitioning solver that solves a potentially large QUBO problem by splitting it into pieces that are solved either on a D-Wave system or via a classical tabu solver," they write on GitHub.

This joins the QMASM macro assembler for D-Wave systems, a tool written in Python by Scott Pakin of Los Alamos National Labs. D-Wave president Bo Ewald says "D-Wave is driving the hardware forward but we need more smart people thinking about applications, and another set thinking about software tools."

Education

Ask Slashdot: What's The Best Job For This Recent CS Grad? 261

One year away from graduating with a CS degree, an anonymous reader wants some insights from the Slashdot community: [My] curriculum is rather broad, ranging from systems programming on a Raspberry Pi to HTML, CSS, JavaScript, C, Java, JPA, Python, Go, Node.js, software design patterns, basic network stuff (mostly Cisco) and various database technologies... I'm working already part-time as a system administrator for two small companies, but don't want to stay there forever because it's basically a dead-end position. Enjoying the job, though... With these skills under my belt, what career path should I pursue?
There's different positions as well as different fields, and the submission explains simply that "I'm looking for satisfying and rewarding work," adding that "pay is not that important." So leave your suggestions in the comments. What's the best job for this recent CS grad?
Google

Google Boosts Python By Turning It Into Go (infoworld.com) 129

An anonymous reader quotes InfoWorld: Grumpy, an experimental project from Google, transpiles Python code into Go, allowing Python programs to be compiled and run as static binaries using the Go toolchain... In a blog post announcing the open source release, Google stated the project stemmed from its efforts to speed up the Python-powered front end for YouTube. But Google hit an obstacle that's familiar to folks who've deployed Python in production: It's hard to get CPython -- the default Python interpreter written in C -- to scale efficiently. "We think Grumpy has the potential to scale more gracefully than CPython for many real world workloads," writes Google...

Because it doesn't support C extensions, Grumpy doesn't have CPython's Global Interpreter Lock, which is commonly cited as a roadblock to running Python concurrent workloads smoothly. Grumpy also uses Go's garbage collection mechanisms to manage memory under the hood, instead of CPython's. Grumpy creates close interoperation between Python and Go by allowing Go packages to be imported and used with the same syntax as Go modules.

Programming

Can Learning Smalltalk Make You A Better Programmer? 343

Slashdot reader horrido shares an article that "has done more for Smalltalk advocacy than any other article in memory." It was the second-most popular article of the year on the Hewlett Packard Enterprise site TechBeacon (recently passing 20,000 views), with Richard Eng, the founder of the nonprofit Smalltalk Renaissance, arguing that the 44-year-old language is much more than a tool for teachers -- and not just because Amber Smalltalk transpiles to JavaScript for front-end web programming. It's a superlative prototyping language for startups. It's an industrial-strength enterprise language used by businesses both big and small all around the globe... Smalltalk's implementation of the object-oriented paradigm is so excellent that it has influenced an entire generation of OO languages, such as Objective-C, Python, Ruby, CLOS, PHP 5, Perl 6, Erlang, Groovy, Scala, Dart, Swift, and so on. By learning Smalltalk, you'll understand how all of those useful features in today's OO languages came to be.
The article also argues that Smalltalk pioneered just-in-time compilation and virtual machines, the model-view-controller design paradigm, and to a large extent, even test-driven development. But most importantly, Smalltalk's reliance on domain-specific languages makes it "the 'purest' OO, and one of the earliest... It is often said that programming in Smalltalk or Python is rather like Zen; your mind just flows effortlessly with the task. This is the beauty and value of language simplicity, and Smalltalk has this in spades... Smalltalk, by virtue of its object purity and consistency, will give you a profoundly better understanding of object-oriented programming and how to use it to its best effect."
Python

Python 3.6 Released (python.org) 187

On Friday, more than a year after Python 3.5, core developers Elvis Pranskevichus and Yury Selivanov announced the release of version 3.6. An anonymous reader writes: InfoWorld describes the changes as async in more places, speed and memory usage improvements, and pluggable support for JITs, tracers, and debuggers. "Python 3.6 also provides support for DTrace and SystemTap, brings a secrets module to the standard library [to generate authentication tokens], introduces new string and number formats, and adds type annotations for variables. It also gives us easier methods to customize the creation of subclasses."
You can read Slashdot's interview with Python creator Guido van Rossum from 2013. I also remember an interview this July where Perl creator Larry Wall called Python "a pretty okay first language, with a tendency towards style enforcement, monoculture, and group-think...more interested in giving you one adequate way to do something than it is in giving you a workshop that you, the programmer, get to choose the best tool from." Anyone want to share their thoughts today about the future of Python?
Books

O'Reilly Discounts Every eBook By 50% (oreilly.com) 47

On Friday, O'Reilly Media announced "Our Cyber Monday sale starts now." An anonymous reader writes: They're offering a 50% discount on every ebook they publish -- over 14,000 titles from O'Reilly, No Starch Press, Pearson, A Book Apart, Make, Packt, and 25 other book publishers. (And they're offering a 60 percent discount on orders over $100.) Just use the code CYBER16 when checking out to claim the discount. The sale continues through Tuesday morning at 5 a.m. PST.

These are all DRM-free ebooks (in multiple formats), and there's even some "early release" editions -- advance copies distributed before their official publication. The discount also applies to new titles like "Head First Python" as well as old-school classics like "Learning Perl". Right now their best-sellers are "Wicked Cool Shell Scripts", "Modern Linux Administration", and "You Don't Know JS: Up and Going" -- but again, the discount applies to any ebook that they sell, and they also still have their selection of free programming texts.

Tim O'Reilly was one of the first people interviewed by Slashdot -- more than 17 years ago.
AI

Is Microsoft Mainstreaming Machine Learning? (networkworld.com) 51

Tuesday Microsoft updated their open source Microsoft Cognitive Toolkit (CNTK), adding support for both C++ and Python. "This announcement is more than a point release..." argues Network World. "It's the recognition of AI and machine learning as the next big platform after mobile." This announcement represents a shift in Microsoft's customer focus from research to implementation... The toolkit is a supervised machine learning system in the same category of other open-source projects such as Tensorflow, Caffe and Torch. Microsoft is one of the leading investors in and contributors to the open machine learning software and research community. A glance at the Neural Information Processing Systems conference reveals that there are just four major technology companies committed to moving the field of neural networks forward: Microsoft, Google, Facebook and IBM.
A Microsoft engineer described CNTK as "democratizing AI," according to Microsoft's announcement, which also notes that their toolkit "has been optimized to best take advantage of the NVIDIA hardware and Azure networking capabilities that are part of the Azure offering."
Google

Google's Go Language Surges In Popularity (infoworld.com) 252

2016 saw a big spike in the popularity of Go, attributed to the rising importance of Docker and Kubernetes. An anonymous Slashdot reader quotes InfoWorld: Ranked 65th a year ago in the Tiobe Index of language popularity, it has climbed to 16th this month and is on track to become Tiobe's Programming Language of the Year, a designation awarded to the language with the biggest jump in the index...which gauges popularity based on a formula assessing searches on languages in popular search engines...

Elsewhere in the index, Java again came in first place, with an 18.799 rating while C, still in second place, nonetheless continued its precipitous drop, to 9.835% (it had been 16.185% a year ago). In third was C++ (5.797%) followed by C# (4.367%), Python (3.775%), JavaScript (2.751%), PHP (2.741%), Visual Basic .Net (2.66%), and Perl (2.495%).

The article also cites an alternate set of rankings. "In the PyPL index, the top 10 were: Java, with a share of 23.4%, followed by Python (13.6%), PHP (9.9%), C# (8.8%), JavaScript (7.6%), C++ (6.9%), C (6.9%), Objective-C (4.5%), R (3.3%), and Swift (3.1%)."
GNOME

Fedora 25 Beta Released With GNOME 3.22 and Linux Kernel 4.8.1 37

Reader prisoninmate writes: Fedora Project released the Beta milestone of the upcoming Fedora 25 Linux operating system, due for release in mid-November. Powered by Linux kernel 4.8.1, the Fedora 25 Beta is shipping with the recently released GNOME 3.22 desktop environment, which is enabled by default on top of a Wayland 1.12 session for the Workstation Edition. Of course, you'll also find the latest software versions, including the LibreOffice 5.2.2 office suite, Flatpak 0.6.12, Mozilla Firefox 49.0 web browser, and LibVirt 2.2.0. Additionally, users will find the Mesa 12.0.3 3D Graphics Library for better and faster graphics support, OpenSSH 7.3p1 and OpenSSL 1.0.2j for improved security, Python 3.5.2, Samba 4.5.0, systemd 231, TigerVNC 1.7.0, and the latest Git snapshot of the upcoming X.Org Server 1.19.0 display server. Fedora 25 Beta Workstation is available for download now.
Books

O'Reilly Gives Away Free Programming Ebooks (oreilly.com) 87

An anonymous Slashdot reader writes: There's now a section on OReilly.com offering free ebooks about computer programming. There's four free Java ebooks and seven about Python, as well as an "Other" section which contains ebooks like C++ Today, Swift Pocket Reference, and Why Rust? But there's also some broader categories for Open Source and Software Architecture ebooks, as well as separate sections for their free ebooks about Data, Security, Web Development, and the Internet of Things.
