iOS

iOS 11 Released (theverge.com) 38

Today, Apple released the final version of iOS 11, its latest mobile operating system. If you have an iPhone or iPad that was released within the last few years, you should be able to download the new update if you navigate to the Settings panel and check for a software update under the General tab. The Verge reports: iOS 11, first unveiled in detail back at Apple's WWDC in June, is the same incremental annual refresh we've come to expect from the company, but it hides some impressive complexity under the surface. Not only does it add some neat features to iOS for the first time, like ARKit capabilities for augmented reality and a new Files app, but it also comes with much-needed improvements to Siri; screenshot capture and editing; and the Control Center, which is now more fully featured and customizable. For iPads, iOS 11 is more of an overhaul. The software now better supports multitasking so you can more easily bring two apps into split-screen mode, or even add a third now. The new drag-and-drop features are also much more powerful on iPad, letting you manage stuff in the Files app more intuitively and even letting you drag and drop photos and text from one app to another.
Technology

What Comes After User-Friendly Design? (fastcodesign.com) 87

Kelsey Campbell-Dollaghan, writing for FastCoDesign: "User-friendly" was coined in the late 1970s, when software developers were first designing interfaces that amateurs could use. In those early days, a friendly machine might mean one you could use without having to code. Forty years later, technology is hyper-optimized to increase the amount of time you spend with it, to collect data about how you use it, and to adapt to engage you even more. [...] The discussion around privacy, security, and transparency underscores a broader transformation in the typical role of the designer, as Khoi Vinh, principal designer at Adobe and frequent design writer on his own site, Subtraction, points out. So what does it mean to be friendly to users -- er, people -- today? Do we need a new way to talk about design that isn't necessarily friendly, but respectful? I talked to a range of designers about how we got here, and what comes next.
Privacy

In a 'Plot Twist', Wikileaks Releases Documents It Claims Detail Russia Mass Surveillance Apparatus (techcrunch.com) 93

WikiLeaks, believed by many to be a Kremlin front, surprised some observers Tuesday morning (Snowden called it a "plot twist") when it released documents linking a Russian tech company with access to thousands of citizens' telephone and internet communications with Moscow. From a report: Writing a summary of the cache of mostly Russian-language documents, Wikileaks claims they show how a long-established Russian company which supplies software to telcos is also installing infrastructure, under state mandate, that enables Russian state agencies to tap into, search and spy on citizens' digital activity -- suggesting a similar state-funded mass surveillance program to the one utilized by the U.S.'s NSA or by GCHQ in the U.K. (both of which were detailed in the 2013 Snowden disclosures). The documents which Wikileaks has published (there are just 34 "base documents" in this leak) relate to a St. Petersburg-based company, called Peter-Service, which it claims is a contractor for Russian state surveillance. The company was set up in 1992 to provide billing solutions before going on to become a major supplier of software to the mobile telecoms industry.
iPhone

Developer Marco Arment Shares Thoughts On iPhone X's Notch (marco.org) 176

Developer Marco Arment writes about the infamous notch on the iPhone X, which Apple has told developers to embrace rather than ignore: This is the new shape of the iPhone. As long as the notch is clearly present and of approximately these proportions, it's unique, simple, and recognizable. It's probably not going to significantly change for a long time, and Apple needs to make sure that the entire world recognizes it as well as we could recognize previous iPhones. That's why Apple has made no effort to hide the notch in software, and why app developers are being told to embrace it in our designs. That's why the HomePod software leak depicted the iPhone X like this: it's the new basic, recognizable form of the iPhone. Apple just completely changed the fundamental shape of the most important, most successful, and most recognizable tech product that the world has ever seen.
Windows

'Bashware' Attacks Exploit Windows 10's Subsystem for Linux (betanews.com) 79

Mark Wilson quotes BetaNews: While many people welcomed the arrival of Windows Subsystem for Linux (WSL) in Windows 10, it has been found to be a potential security issue. A new technique known as Bashware has been discovered by security researchers that makes it possible for malware to use the Linux shell to bypass security software.

While administrator access is needed to execute a Bashware attack, this is fairly easily obtained, and the technique can be used to disguise malicious operations from antivirus software and other security tools. Researchers from Check Point Research point out that the danger stems from the fact that "existing security solutions are still not adapted to monitor processes of Linux executables running on Windows."

Java

IBM Open Sources Their Own JVM/JDK As Eclipse OpenJ9 (eclipse.org) 171

IBM has open sourced a "high performance, scalable virtual machine" with "a great pedigree... [it's] at the core of many IBM enterprise software products." Slashdot reader dxb1230 writes: IBM has open sourced their JDK/JVM implementation named J9 as OpenJ9. The community now has an alternative implementation of Java which has been well tested on enterprise workloads and hardware. This, unlike OpenJDK, has all the bells and whistles like JIT.
Open Source

Ask Slashdot: What's the Best Business Model for An Open Source Developer? 83

An anonymous reader writes: I'm interested in creating really good open source software. However, unless programmers have an incentive to work on their projects for long periods, many projects are abandoned.

There are many business models surrounding free/libre open source software: support (pay for help, or additional features), premium (pay for more advanced software), hosting (pay for using the software on someone else's servers), donation (two versions of the same app, pay because you want to be nice to the developers), etc. Not all of those business models align the interests of the developer and the customer/user in the same way: support-based models, for example, benefit developers who introduce certain mistakes or delay introducing features. (In the short term. In the long run, it opens a door for competitors...) Which of those align the interests of both?

The original submission also asks if any of these models are "morally questionable" -- and if there's other business models that have proven successful for open source software. Leave your best thoughts in the comments. What's the best business model for an open source developer?
Python

Python's Official Repository Included 10 'Malicious' Typo-Squatting Modules (bleepingcomputer.com) 69

An anonymous reader quotes BleepingComputer: The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI -- Python Package Index -- the official third-party software repository for the Python programming language. NBU experts say attackers used a technique known as typosquatting to upload Python libraries with names similar to legitimate packages -- e.g.: "urlib" instead of "urllib." The PyPI repository does not perform any types of security checks or audits when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online.

Developers who mistyped the package name loaded the malicious libraries in their software's setup scripts. "These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code," NBU explained. Experts say the malicious code only collected information on infected hosts, such as name and version of the fake package, the username of the user who installed the package, and the user's computer hostname. Collected data, which looked like "Y:urllib-1.21.1 admin testmachine", was uploaded to a Chinese IP address. NBU officials contacted PyPI administrators last week who removed the packages before officials published a security advisory on Saturday.

The advisory lays some of the blame on Python's 'pip' tool, which executes arbitrary code during installations without requiring a cryptographic signature.

Ars Technica also reports that another team of researchers "was able to seed PyPI with more than 20 libraries that are part of the Python standard library," and that group now reports they've already received more than 7,400 pingbacks.
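A defender-side check for the two problems in this story, as an added Python example (not code from NBU, PyPI or pip): it flags requirement names that collide with a standard-library module, as the Ars Technica researchers' seeded packages did, and names within one edit of a known package or stdlib module, as "urlib" is of "urllib". The KNOWN_PACKAGES allow-list and the sample requirements are constructed for the example.

```python
"""Flag probable typosquats in a requirements list: names that collide with a
standard-library module, or sit within one edit (insert, delete, substitute,
adjacent swap) of a known package or stdlib module, e.g. "urlib" vs "urllib".
Added illustration, not code from NBU, PyPI or pip; KNOWN_PACKAGES is a
constructed sample allow-list."""
import re
import sys

# Constructed sample allow-list of legitimate package names.
KNOWN_PACKAGES = {"requests", "urllib3", "setuptools", "numpy", "django", "flask", "six"}
# Standard-library names must never be satisfied from PyPI. Python 3.10+ exposes
# the full list; older interpreters fall back to a constructed subset.
STDLIB_NAMES = set(getattr(sys, "stdlib_module_names", ())) or {
    "urllib", "os", "sys", "json", "re", "socket", "subprocess", "logging"}

def normalize(name: str) -> str:
    """PEP 503 project-name normalisation: lower-case, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

KNOWN_NORMALIZED = {normalize(n) for n in KNOWN_PACKAGES}
# Targets shorter than four characters ("os", "re") would match almost anything
# within one edit, so they are excluded from the typosquat comparison.
TYPOSQUAT_TARGETS = sorted(
    {normalize(n) for n in KNOWN_PACKAGES | STDLIB_NAMES if len(n) >= 4})

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "reqeusts" -> "requests".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def parse_name(line: str) -> str:
    """Normalised project name from one requirements.txt line, or '' to skip."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):  # blank, comment or pip option
        return ""
    return normalize(re.split(r"[<>=!~;\[\s]", line, maxsplit=1)[0])

def classify(line: str) -> tuple[str, str]:
    """Verdict: known, stdlib-name, possible-typosquat:<target>, unreviewed, skip."""
    name = parse_name(line)
    if not name:
        return name, "skip"
    if name in KNOWN_NORMALIZED:
        return name, "known"
    if name.replace("-", "_") in STDLIB_NAMES:
        return name, "stdlib-name"
    dist, target = min((edit_distance(name, t), t) for t in TYPOSQUAT_TARGETS)
    if dist <= 1:
        return name, f"possible-typosquat:{target}"
    return name, "unreviewed"

def scan(lines):
    """Return [(name, verdict)] for every line that needs a human look."""
    return [(n, v) for n, v in map(classify, lines) if v not in ("known", "skip")]

if __name__ == "__main__":
    # Constructed sample requirements: two squats, one stdlib name, one unknown.
    sample = ["requests>=2.18", "urlib", "reqeusts==2.18.4", "urllib", "# tooling", "colorama"]
    for name, verdict in scan(sample):
        print(f"{name:12} {verdict}")
```

Run it against a real requirements file by replacing `sample` with its lines; anything reported as unreviewed still needs a look, since an allow-list of seven names is only a stand-in.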
Facebook

WordPress Ditches ReactJS Over Facebook's Patent Clause (techcrunch.com) 72

An anonymous reader quotes TechCrunch: Matt Mullenweg, the co-founder of the popular open source web publishing software WordPress, has said the community will be pulling away from using Facebook's React JavaScript library over concerns about a patent clause in Facebook's open source license. In a blog post explaining the decision yesterday, Mullenweg said he had hoped to officially adopt React for WordPress -- noting that Automattic, the company behind WordPress.com which he also founded, had already used React for the Calypso ground-up rewrite of WordPress.com a few years ago, while the WordPress community had started using it for its major Gutenberg core project.

But he said he has changed his mind after seeing Facebook dig in behind the patent clause -- which was recently added to the Apache Software Foundation's list of disallowed licenses... [H]e writes that he cannot, in good conscience, require users of the very widely used open source WordPress software to inherit the patent clause and associated legal risk. So he's made the decision to ditch React.

Facebook can revoke their license if a React user challenges Facebook's patents.
Piracy

Can The Pirate Bay Replace Ads With A Bitcoin Miner? (betanews.com) 122

Mark Wilson writes: When it comes to the Pirate Bay, it's usually movie studios, music producers and software creators that get annoyed with the site — you know, copyright and all that. But in an interesting twist it is now users who find themselves irked by and disappointed in the most famous torrent site in the world.

So what's happened? Out of the blue, the Pirate Bay has added a JavaScript-powered Bitcoin miner to the site. Nestling in the code of the site is an embedded cryptocurrency miner from Coinhive. Users who have noticed an increase in resource usage on their computers as a result of this are not happy.

TorrentFreak reports the miner is being tested for about 24 hours -- as a possible way to earn enough revenue to remove advertising from the site.
Apple

Apple Explains Face ID On-stage Failure (bbc.com) 189

Apple has explained why its new facial recognition feature failed to unlock a handset at an on-stage demo (see around the 1:35:58 mark here) at the iPhone X's launch on Tuesday. From a report: The company blamed the Face ID glitch on a lockout mechanism triggered by staff members moving the device ahead of its unveil. Apple's software chief dealt with the hiccup by moving on to a back-up device, which worked as intended. But the hitch was widely reported. "People were handling the device for [the] stage demo ahead of time and didn't realise Face ID was trying to authenticate their face," an unnamed company representative is quoted as saying by Yahoo's David Pogue. "After failing a number of times, because they weren't Craig [Federighi], the iPhone did what it was designed to do, which was to require his passcode."
Android

Target's Sales Floors Are Switching From Apple To Android Devices (gizmodo.com) 115

After three years of Apple products, Target is moving to Android devices for stocking, pulling items, and other essential sales floor duties. Target first outfitted its employees with Apple products in 2014, replacing PDAs with iPod Touches. Gizmodo reports: In Fall of 2016, Target stores began testing the Zebra TC51, which runs Android 6.0 Marshmallow and was confirmed to Gizmodo as "the new MyDevices for store team members chainwide" by a company spokesperson over email. On Reddit's r/Target page and the unofficial employee forum The Breakroom, the new devices have been met with enthusiasm -- and plenty of jabs at the old iOS scanners. "The current iOS my devices we have all sorts of issues, connection issues, scanner issues, and tons more," one Breakroom poster complained. On Reddit, a former store manager wrote that "the iPod hardware they used as on the floor scanners for employees died quickly and there was no way of swapping in new batteries. There were many hardware issues that came about with the ipods." While a Target spokesperson confirmed the company will still purchase some products from Apple -- iPads for online order pickups, iPhones for managers -- the sales floor is switching to Android, and the company is staffing up on Android developers to port over all the internal software stores use.
Government

Kaspersky Software Banned From US Government Systems Over Concerns About Russia (betanews.com) 91

Mark Wilson writes: The Department of Homeland Security has told US government agencies to remove Kaspersky software from their systems. The directive was issued because of concerns about influence exerted over the company by the Russian government. Government agencies have been given three months to identify and start to remove Kaspersky's security products. Kaspersky has constantly denied connections to the Russian government, but the US is simply not willing to take the risk.
Microsoft

Windows 10 Will Soon Give Users More Control Over App Permissions (engadget.com) 76

An anonymous reader shares a report: The software giant has revealed that you'll get much more control over what apps are allowed to do with your device. Where you previously only had control over location sharing, the Fall Creators Update will ask you to grant permission before accessing all kinds of potentially sensitive hardware and software features. It'll ask to use your camera and microphone if you have a video recording app, for instance, or check before offering access to your calendar and contacts. You'll only get these prompts for apps installed after you move to the Fall Creators Update; you'll have to dive into your privacy settings to review permissions for apps you already have. Even so, it's an important boost to Windows' privacy security levels. Much as on phones, where fine-grained permissions are already fairly commonplace, you might not have to worry as much about malicious apps spamming your contacts or hijacking the camera.
Java

Java EE Is Moving To the Eclipse Foundation (adtmag.com) 70

Oracle has chosen the Eclipse Foundation to be the new home of the Java Platform Enterprise Edition (Java EE), the company announced this week. Oracle made the decision in collaboration with IBM and Red Hat, the two other largest contributors to the platform. From a report: "The Eclipse Foundation has strong experience and involvement with Java EE and related technologies," wrote Oracle software evangelist David Delabassee in a blog post. "This will help us transition Java EE rapidly, create community-friendly processes for evolving the platform, and leverage complementary projects such as MicroProfile. We look forward to this collaboration." Mike Milinkovich, executive director of the Eclipse Foundation, is optimistic about this move, which he said is exactly what enterprise Java needs and what the community has been hoping for.
Movies

Disney Is Lone Holdout From Apple's Plan to Sell 4K Movies for $20 (wsj.com) 148

An anonymous reader shares a report: Apple has signed new deals to sell movies in ultra high-definition with every major Hollywood studio except the one with which it has long been closest: Walt Disney. At an event Tuesday where he announced the new Apple TV 4K, the tech giant's head of software and services, Eddy Cue, said the device will offer Hollywood movies in the high-resolution format, called either 4K or UHD, for ultra-high definition. Logos for most major studios briefly flashed on a screen behind Mr. Cue, including Time Warner's Warner Bros and Comcast's Universal Pictures. Mr. Cue said those studios' movies will be available in UHD at the same price as high-definition movies. Participating studios have agreed to a maximum price of $19.99 for 4K movies, currently the highest price for HD movies, according to a person with knowledge of the deal making. Apple had pushed studios not to raise film prices above that threshold. The one absence from Apple's list of big studios selling movies in UHD is Disney. It wasn't immediately clear why the company behind Star Wars and Marvel couldn't reach an arrangement with Apple. It currently sells its films in 4K on other digital stores, such as Wal-Mart Stores' Vudu, for $24.99.
Botnet

At Least 1.65 Million Computers Are Mining Cryptocurrency For Hackers So Far This Year (vice.com) 37

According to new statistics released on Tuesday by Kaspersky Lab, a prominent Russian information security firm, 2017 is on track to beat 2016 -- and every year since 2011 -- in terms of the sheer number of computers infected with malware that installs mining software. From a report: So far in 2017, the company says it has detected 1.65 million infected machines. The total amount of infected computers for all of the previous year was roughly 1.8 million. The infected machines are not just home computers, the firm stated in a blog post, but company servers as well. "The main effect for a home computer or organization infrastructure is reduced system performance," Anton Ivanov, a security researcher for Kaspersky, wrote me in an email. "Also some miners could download modules from a threat actor's infrastructure, and these modules could contain other malware such as Trojans [malware that disguises itself as legitimate software]." Ivanov said that the firm doesn't know how much money has been made overall with this scheme, but a digital wallet for one mining botnet that the company identified currently contains over $200,000 USD.
Businesses

The New Corporate Recruitment Pool: Workers In Dead-End Jobs (msn.com) 207

New submitter cdreimer writes: According to a report from The Wall Street Journal (Warning: source may be paywalled; alternative source), corporations looking to hire new employees are opening offices in cities with high concentrations of workers in dead-end jobs who are reluctant to relocate but are cheaper to hire than competing locally in tight labor markets. From the report: "Pressed for workers, a New Jersey-based software company went hunting for a U.S. city with a surplus of talented employees stuck in dead-end jobs. Brian Brown, chief operating officer at AvePoint, Inc., struck gold in Richmond. Despite the city's low unemployment rate, the company had no trouble filling 70 jobs there, some at 20% below what it paid in New Jersey. New hires, meanwhile, got more interesting work and healthy raises. Irvine, Calif.-based mortgage lender Network Capital Funding Corp. opened an office in Miami to scoop up an attractive subset of college graduates -- those who settled for tolerable jobs in exchange for living in a city they loved. 'They were not in real careers,' said Tri Nguyen, Network Capital chief executive. He now plans a similar expansion in Philadelphia. Americans have traditionally moved to find jobs. But with a growing reluctance by workers to relocate, some companies have decided to move closer to potential hires. Firms are expanding to cities with a bounty of underemployed, retrieving men and women from freelance gigs, manual labor and part-time jobs with duties that, one worker said, required only a heartbeat to perform. With the national jobless rate near a 16-year low, these pockets of underemployment are a wellspring for companies that recognize most new hires already have jobs but can be poached with better pay and room for advancement. That's preferable to competing for higher-priced workers at home in a tight labor market."
Open Source

Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com) 268

The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet. 
"It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet.
Businesses

Apple Suffers 'Major iPhone X Leak' 114

Details of new iPhones and other forthcoming Apple devices have been revealed via an apparent leak. From a report: Two news sites were given access to an as-yet-unreleased version of the iOS operating system. The code refers to an iPhone X in addition to two new iPhone 8 handsets. It also details facial recognition tech that acts both as an ID system and maps users' expressions onto emojis. One tech writer said it was the biggest leak of its kind to hit the firm. [...] "As best I've been able to ascertain, these builds were available to download by anyone, but they were obscured by long, unguessable URLs [web addresses]," wrote John Gruber, a blogger known for his coverage of Apple. "Someone within Apple leaked the list of URLs to 9to5Mac and MacRumors. I'm nearly certain this wasn't a mistake, but rather a deliberate malicious act by a rogue Apple employee." Neither Mr Gruber nor the two Apple-related news sites have disclosed their sources. However, the BBC has independently confirmed that an anonymous source provided the publications with links to iOS 11's golden master (GM) code that downloaded the software from Apple's own computer servers. It's a big blow to Apple, which uses surprise as a key element at its events. The leak could take some wind out of its sails as it looks to wow consumers. In 2012, Tim Cook had said the company was planning to "double down on secrecy." At the quarterly earnings call, he blamed the leaks about the upcoming iPhone models as one of the reasons that slowed down the sales of current generation iPhone models. However, an analysis published over the weekend found that Apple itself has been the source of several of these leaks in the years since. Earlier this year, the company held a meeting to boast about its internal progress to curb leaks. The hour-long recording of the meeting ironically got leaked. Nearly all details, except the final press renders of the new iPhone models, have leaked. 
In a subsequent post, Gruber wrote: The BBC doesn't say definitively that the leak was sent by an Apple employee, but I can state with nearly 100 percent certainty that it was. I also think there's a good chance Apple is going to figure out who it was. [...] That person should be ashamed of themselves, and should be very worried when their phone next rings. Moments ago, 9to5Mac reported about a new tvOS firmware leak, which appeared "to be out in the wild today" that details the upcoming features of the next generation Apple TV streaming device.