Open Source

Apple Open Sources FoundationDB (macrumors.com) 48

FoundationDB, the database company Apple acquired in 2015, announced on Thursday that the FoundationDB core has been open sourced, with the goal of building an open community in which all major development is done in the open. As described in the announcement, FoundationDB is a distributed datastore designed from the ground up to be deployed on clusters of commodity hardware. Mac Rumors reports: By open sourcing the project to drive development, FoundationDB is aiming to become "the foundation of the next generation of distributed databases." The announcement continues: "The vision of FoundationDB is to start with a simple, powerful core and extend it through the addition of 'layers'. The key-value store, which is open sourced today, is the core, focused on incorporating only features that aren't possible to write in layers. Layers extend that core by adding features to model specific types of data and handle their access patterns. The fundamental architecture of FoundationDB, including its use of layers, promotes the best practices of scalable and manageable systems. By running multiple layers on a single cluster (for example a document store layer and a graph layer), you can match your specific applications to the best data model. Running less infrastructure reduces your organization's operational and technical overhead." The source for FoundationDB is available on GitHub, and those who wish to join the project are encouraged to visit the FoundationDB community forums, submit bugs, and make contributions to the core software and documentation.
Facebook

'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com) 91

An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.
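The mechanism behind the report is ordinary script inclusion: a file pulled in with a script tag runs with the embedding page's origin no matter which host served it, so once the site loads the Facebook JavaScript SDK and a user logs in, every third-party script on that page can call window.FB exactly as the site's own code can. The following is an added example (not code from the Freedom To Tinker study or from TechCrunch) that lists, for a given page, the script hosts you do not control that would share that context. The HTML, hostnames and the same-site heuristic are constructed assumptions for the example.

```python
"""List the scripts on a page that would share its Facebook Login context.

Added example; not code from the Freedom To Tinker study. A script pulled
in with <script src="..."> executes in the embedding page's origin
regardless of the host it came from, so after a Login With Facebook it
can call window.FB like first-party code. HTML and hosts are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

FB_SDK_HOST = "connect.facebook.net"   # host the Facebook JS SDK is loaded from


class _ScriptSources(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def _script_host(src, page_host):
    """Host a script is fetched from; relative URLs resolve to the page."""
    return urlparse(src).netloc.lower() or page_host


def _same_site(host_a, host_b):
    """Compare the last two labels as the registrable domain. Assumption:
    no multi-label public suffixes (co.uk etc.) among the hosts checked."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def audit_page(html, page_url):
    """Report whether the FB SDK is loaded and which third-party script
    hosts run in the same page context as it."""
    page_host = urlparse(page_url).netloc.lower()
    parser = _ScriptSources()
    parser.feed(html)
    hosts = [_script_host(s, page_host) for s in parser.srcs]
    sdk_loaded = FB_SDK_HOST in hosts
    third_party = sorted({h for h in hosts
                          if h != FB_SDK_HOST and not _same_site(h, page_host)})
    return {
        "fb_sdk_loaded": sdk_loaded,
        "third_party_hosts": third_party,
        # Exposure: SDK present AND at least one script from a host you
        # do not control sharing the same window object.
        "exposed": sdk_loaded and bool(third_party),
    }


# Constructed page: the FB SDK, a first-party bundle, a same-site CDN and
# one third-party tag script of the kind the report describes.
SAMPLE_HTML = """
<html><head>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example-shop.com/bundle.js"></script>
<script src="https://tags.tracker-example.net/collect.js"></script>
<script>window.fbAsyncInit = function () { FB.init({appId: '000'}); };</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "https://www.example-shop.com/login"))
```

Anything the audit lists can read the login result. The fix is to remove the tracker from pages that carry the SDK or to give it its own origin in a sandboxed cross-origin iframe, which cannot reach the parent's window.FB; a Content-Security-Policy script-src allowlist does not help once the tracker's host is on the allowlist.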
Microsoft

Microsoft Ports Edge Anti-Phishing Technology To Google Chrome (bleepingcomputer.com) 75

An anonymous reader writes: Microsoft has released a Chrome extension named "Windows Defender Browser Protection" that ports Windows Defender's -- and inherently Edge's -- anti-phishing technology to Google Chrome. The extension works by showing bright red-colored pages whenever users are tricked into accessing malicious links. The warnings are eerily similar to the ones that Chrome natively shows via the Safe Browsing API, but are powered by Microsoft's database of malicious links, also known as the SmartScreen API.

Chrome users should be genuinely happy that they can now use both APIs for detecting phishing and malware-hosting URLs. The SmartScreen API isn't as well known as Google's more famous Safe Browsing API, but works in the same way, and possibly even better. An NSS Labs benchmark revealed that Edge (with its SmartScreen API) caught 99 percent of all phishing URLs thrown at it during a test last year, while Chrome only detected 87 percent of the malicious links users accessed.

Security

Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com) 245

From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."

Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.
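What the anecdote describes is detectable from flow data alone: a device that should only post small readings to one vendor endpoint suddenly reaches an internal database host and then pushes a large volume to an outside address. The following is an added example (not Darktrace's product logic) of that detection over NetFlow-style records. The flow records, the IoT segment, the sensitive-host list and the volume ratio are all constructed assumptions to tune per network.

```python
"""Flag an IoT device whose traffic leaves its normal pattern.

Added example; not Darktrace's logic. Models the lobby-thermometer case:
baseline a device's external destinations and outbound volume from a
known-good window, then alert on lateral access to a sensitive host, a
never-seen external destination, or a volume far above its mean. Flow
records are constructed NetFlow-like dicts; ranges are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("10.50.0.0/24")          # assumption: IoT VLAN
INTERNAL_NETS = [ip_network("10.0.0.0/8")]        # assumption: corporate space
SENSITIVE_HOSTS = {ip_address("10.10.5.20")}      # assumption: database server


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def learn_baseline(history):
    """Per IoT device: external destinations seen and mean outbound bytes
    per flow, taken from a window believed to be clean."""
    dests = defaultdict(set)
    totals = defaultdict(lambda: [0, 0])          # [bytes, flows]
    for f in history:
        if ip_address(f["src"]) not in IOT_SEGMENT or is_internal(f["dst"]):
            continue
        dests[f["src"]].add(f["dst"])
        totals[f["src"]][0] += f["bytes"]
        totals[f["src"]][1] += 1
    return {dev: {"dests": dests[dev], "mean": totals[dev][0] / totals[dev][1]}
            for dev in dests}


def detect(flows, baseline, ratio=10.0):
    """Return (device, rule, detail) alerts for flows that break the
    device's baseline."""
    alerts = []
    for f in flows:
        src, dst = f["src"], f["dst"]
        if ip_address(src) not in IOT_SEGMENT:
            continue                              # only IoT devices are in scope
        if ip_address(dst) in SENSITIVE_HOSTS:
            alerts.append((src, "iot_to_sensitive_host", f"{dst}:{f['dport']}"))
            continue
        if is_internal(dst):
            continue                              # other east-west traffic: out of scope
        base = baseline.get(src)
        if base is None or dst not in base["dests"]:
            alerts.append((src, "new_external_destination", dst))
        if base is not None and f["bytes"] > ratio * base["mean"]:
            alerts.append((src, "outbound_volume_anomaly",
                           f"{f['bytes']} bytes vs mean {base['mean']:.0f}"))
    return alerts


# Constructed clean window: the thermometer posts small readings to its
# vendor's cloud endpoint.
HISTORY = [
    {"src": "10.50.0.7", "dst": "203.0.113.10", "dport": 443, "bytes": 300},
    {"src": "10.50.0.7", "dst": "203.0.113.10", "dport": 443, "bytes": 400},
    {"src": "10.50.0.7", "dst": "203.0.113.10", "dport": 443, "bytes": 350},
]

# Constructed incident window: a normal reading, the database server, the
# exfil to a new external host, and an unrelated workstation flow.
INCIDENT = [
    {"src": "10.50.0.7", "dst": "203.0.113.10", "dport": 443, "bytes": 360},
    {"src": "10.50.0.7", "dst": "10.10.5.20", "dport": 1433, "bytes": 12000},
    {"src": "10.50.0.7", "dst": "198.51.100.77", "dport": 443, "bytes": 48_000_000},
    {"src": "10.20.1.15", "dst": "198.51.100.77", "dport": 443, "bytes": 5_000_000},
]

if __name__ == "__main__":
    for alert in detect(INCIDENT, learn_baseline(HISTORY)):
        print(alert)
```

The first rule is the one that matters most: an IoT device has no business opening a connection to a database server, and that policy holds without any baseline. The volume and destination rules need a clean learning window; a device that was already compromised when you baselined it will look normal.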

Classic Games (Games)

Guinness Strips Billy 'King of Kong' Mitchell's World Records (engadget.com) 58

In February, legendary arcade gamer Billy Mitchell was accused of cheating his way into the record books for high scores in Donkey Kong. As a result, he was stripped of his 1.062 million score on the Donkey Kong Forums. Today, Kotaku reports that "Guinness World Records will remove Billy Mitchell's Donkey Kong scores, as well as his records for Pac-Man, from their database following Mitchell's disqualification from the Twin Galaxies leaderboards yesterday." From the report: Mitchell is one of the world's most famous arcade game players, at one time holding world records in Donkey Kong, Donkey Kong Jr, and Pac-Man. Yesterday, all of Mitchell's records were removed from the leaderboards at Twin Galaxies, an organization that tracks video game records and high scores. The decision came after a lengthy arbitration process determined that Mitchell used the Multiple Arcade Machine Emulator (MAME) to achieve some record scores that had been said to be performed on arcade machines, a violation of Twin Galaxies' rules. In light of this, Guinness World Records will also remove his records.

"The Guinness World Records titles relating to Mr. Mitchell's highest scores on Donkey Kong have all been disqualified due to Twin Galaxies being our source of verification for these achievements," a representative of Guinness told Kotaku via email. Mitchell did not return request for comment. Guinness continued, "We also recognize records for First perfect score on Pac-Man and Highest score on Pac-Man. Twin Galaxies was the original source of verification for these record titles and in line with their decision to remove all of Mr. Mitchell's records from their system, we have disqualified Mr. Mitchell as the holder of these two records. Guinness World Records will look to update and find the appropriate holder of these records in the next few days."

Security

Uber's 2016 Breach Affected More Than 20 Million US Users (bloomberg.com) 6

An anonymous reader quotes a report from Bloomberg: A data breach in 2016 exposed the names, phone numbers and email addresses of more than 20 million people who use Uber's service in the U.S., authorities said on Thursday, as they chastised the ride-hailing company for not revealing the lapse earlier. The Federal Trade Commission said Uber failed to disclose the leak last year as the agency investigated and sanctioned the company for a similar data breach that happened in 2014. "After misleading consumers about its privacy and security practices, Uber compounded its misconduct," said Maureen Ohlhausen, the acting FTC chairman. She announced an expansion of last year's settlement with the company and said the new agreement was "designed to ensure that Uber does not engage in similar misconduct in the future."

In the 2016 breach, intruders in a data-storage service run by Amazon.com Inc. obtained unencrypted consumer personal information relating to U.S. riders and drivers, including 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver's license numbers, the FTC said in a complaint. Under the revised settlement, Uber could be subject to civil penalties if it fails to notify the FTC of future incidents, and it must submit audits of its data security, the agency said.

The Courts

The Supreme Court Fight Over Microsoft's Foreign Servers Is Over (theverge.com) 94

An anonymous reader quotes a report from The Verge: The much-anticipated Supreme Court case U.S. v. Microsoft -- which could have decided the extent of American jurisdiction over foreign servers -- is now, for all intents and purposes, dead. On March 30th, the Department of Justice moved to drop the lawsuit as moot, and today, Microsoft filed to agree with the motion. While the Supreme Court has yet to officially drop the case, it's a foregone conclusion that they will. Both the government and Microsoft agree that the newly passed CLOUD Act renders the lawsuit meaningless. In U.S. v. Microsoft, federal law enforcement clashed with Microsoft over the validity of a Stored Communications Act warrant for data stored on a server in Dublin. The CLOUD Act creates clear new procedures for procuring legal orders for data in these kinds of cross-border situations. In last week's motion to vacate, DOJ disclosed that it had procured a new warrant under the CLOUD Act.
AI

Apple Hires Google's AI Chief (nytimes.com) 29

"Apple has hired Google's chief of search and artificial intelligence, John Giannandrea, a major coup in its bid to catch up to the artificial intelligence technology of its rivals," reports The New York Times (source may be paywalled). Giannandrea will run Apple's overall "machine learning and AI strategy," reporting directly to Apple CEO Tim Cook. From the report: The hire is a victory for Apple, which many Silicon Valley executives and analysts view as lagging its peers in artificial intelligence, an increasingly crucial technology for companies that enable computers to handle more complex tasks, like understanding voice commands or identifying people in images. "Our technology must be infused with the values we all hold dear," Mr. Cook said Tuesday morning in an email to staff members obtained by The New York Times. "John shares our commitment to privacy and our thoughtful approach as we make computers even smarter and more personal." Mr. Giannandrea, a 53-year-old native of Scotland known to colleagues as J.G., helped lead the push to integrate A.I. throughout Google's products, including internet search, Gmail and its own digital assistant, Google Assistant.

He joined Google in 2010 when it purchased Metaweb, a start-up where he served as chief technology officer. Metaweb was building what it described as a "database of the world's knowledge," which Google eventually rolled into its search engine to deliver direct answers to users' queries. (Try googling "How old is Steph Curry?") During Mr. Giannandrea's tenure, A.I. research became increasingly important inside Google, with its primary A.I. lab, Google Brain, moving into a space beside the chief executive, Sundar Pichai.

Privacy

When it Comes To Privacy, Consent is Immaterial. Corporate and Gov't Surveillance Systems Must Be Stopped Before They Ask For Consent: Richard Stallman (theguardian.com) 266

In a rare op-ed, Richard Stallman, the president of the Free Software Foundation, says that the surveillance imposed on us today is worse than in the Soviet Union. He argues that we need laws to stop this data being collected in the first place. From his op-ed: The surveillance imposed on us today far exceeds that of the Soviet Union. For freedom and democracy's sake, we need to eliminate most of it. There are so many ways to use data to hurt people that the only safe database is the one that was never collected. Thus, instead of the EU's approach of mainly regulating how personal data may be used (in its General Data Protection Regulation or GDPR), I propose a law to stop systems from collecting personal data.

The robust way to do that, the way that can't be set aside at the whim of a government, is to require systems to be built so as not to collect data about a person. The basic principle is that a system must be designed not to collect certain data, if its basic function can be carried out without that data. Data about who travels where is particularly sensitive, because it is an ideal basis for repressing any chosen target.

Graphics

Ask Slashdot: Should CPU, GPU Name-Numbering Indicate Real World Performance? 184

dryriver writes: Anyone who has built a PC in recent years knows how confusing the letters and numbers that trail modern CPU and GPU names can be because they do not necessarily tell you how fast one electronic part is compared to another electronic part. A Zoomdaahl Core C-5 7780 is not necessarily faster than a Boomberg ElectronRipper V-6 6220 -- the number at the end, unlike a GFLOPS or TFLOPS number for example, tells you very little about the real-world performance of the part. It is not easy to create one unified, standardized performance benchmark that could change this. One part may be great for 3D gaming, a competing part may smoke the first part in a database server application, and a third part may compress 4K HEVC video 11% faster. So creating something like, say, a Standardized Real-World Application Performance Score (SRWAPS) and putting that score next to the part name, letters, or series number will probably never happen. A lot of competing companies would have to agree to a particular type of benchmark, make sure all benchmarking is done fairly and accurately, and so on and so forth.

But how are the average consumers just trying to buy the right home laptop or gaming PC for their kids supposed to cope with the "letters and numbers salad" that follows CPU, GPU and other computer part names? If you are computer literate, you can dive right into the different performance benchmarks for a certain part on a typical tech site that benchmarks parts. But what if you are "Computer Buyer Joe" or "Jane Average" and you just want to glean quickly which two products -- two budget priced laptops listed on Amazon.com for example -- have the better performance overall? Is there no way to create some kind of rough numeric indicator of real-world performance and put it into a product's specs for quick comparison?
Programming

Ask Slashdot: Are 'Full Stack' Developers a Thing? 371

"It seems that nearly every job posting for a software developer these days requires someone who can do it all," complains Slashdot reader datavirtue, noting a main focus on finding someone to do "front end work and back end work and database work and message queue work...." I have been in a relatively small shop that for years has always had a few guys focused on the UI. The rest of us might have to do something on the front-end but are mostly engaged in more complex "back-end" development or MQ and database architecture. I have been keeping my eye on the market, and the laser focus on full stack developers is a real turn-off.

When was the last time you had an outage because the UI didn't work right? I can't count the number of outages resulting from inexperienced developers introducing a bug in the business logic or middle tier. Am I correct in assuming that the shops that are always looking for full stack developers just aren't grown up yet?

sjames (Slashdot reader #1,099) responded that "They are a thing, but in order to have comprehensive experience in everything involved, the developer will almost certainly be older than HR departments in 'the valley' like to hire."

And Dave Ostrander argues that "In the last 10 years front end software development has gotten really complex. Gulp, Grunt, Sass, 35+ different mobile device screen sizes and 15 major browsers to code for, has made the front end skillset very valuable." The original submitter argues that front-end development "is a much simpler domain," leading to its own discussion.

Share your own thoughts in the comments. Are "full-stack" developers a thing?
Social Networks

Instagram Reenables GIF Sharing After GIPHY Promises No More Racism (techcrunch.com) 87

Earlier this month, Instagram and Snapchat dropped their GIPHY integrations when a racial slur slipped into the company's online database. Now Instagram is bringing GIPHY Integration back after GIPHY confirmed it's reviewed its GIF library four times and will preemptively review any new GIFs it adds. Snapchat has yet to bring the service back. TechCrunch reports: "We've been in close contact with GIPHY throughout this process and we're confident that they have put measures in place to ensure that Instagram users have a good experience," an Instagram spokesperson told TechCrunch. GIPHY told TechCrunch in a statement: "To anyone who was affected: we're sorry. We take full responsibility for this recent event and under no circumstances does GIPHY condone or support this kind of content. We have also finished a full investigation into our content moderation systems and processes and have made specific changes to our process to ensure something like this does not happen again." The racial slur was spotted by a user in the UK around March 8th. "We've shared a censored version of the image below, but warning, it still includes graphic content that may be offensive to some users," reports TechCrunch.
Science

Consumer Genetic Tests May Have a Lot of False Positives (theverge.com) 99

A new study, published in the journal Genetics in Medicine, found that consumer genetic tests bring up a lot of false positives. "In this case, 40 percent of the results from the consumer tests were false positives," reports The Verge, noting that the findings "cover a very small sample size and don't show that consumer tests always have a 40 percent false positive rate." From the report: The research was done by scientists at Ambry Genetics, a medical laboratory in California. By looking through their own database, they found that 49 people had been referred to them because of some worrying results from their consumer genetic tests. Still, scientists at Ambry were able to confirm only 60 percent of the results when they compared the raw data from consumer tests with more thorough genetic tests done by themselves and other clinical laboratories. So, 40 percent of variants in a variety of genes reported in DTC raw data were false positives, meaning that they said a genetic variant was there when it wasn't. (Most of these turned out to be variants linked to cancer.) Additionally, the authors write, some variants classified as "increased risk" were not only classified as "benign" by clinical laboratories, but they were actually common variants.
Cloud

Google Launches More Realistic Text-To-Speech Service Powered By DeepMind's AI (theverge.com) 34

Google is launching a new AI voice synthesizer, named Cloud Text-to-Speech, that will be available for any developer or business that needs voice synthesis on tap, whether that's for an app, website, or virtual assistant. The Cloud Text-to-Speech service is being powered by WaveNet, software created by Google's UK-based AI subsidiary DeepMind. The Verge explains why this is significant: First, ever since Google bought DeepMind in 2014, it's been exploring ways to turn the company's AI talent into tangible products. So far, this has meant using DeepMind's algorithms to reduce electricity costs in Google's data centers by 40 percent and DeepMind's forays into health care. But, directly integrating WaveNet into its cloud service is arguably more significant, especially as Google tries to win cloud business away from Amazon and Microsoft, presenting its AI skills as its differentiating factor. Second, DeepMind's AI voice synthesis tech is some of the most advanced and realistic in the business. Most voice synthesizers (including Apple's Siri) use what's called concatenative synthesis, in which a program stores individual syllables -- sounds such as "ba," "sht," and "oo" -- and pieces them together on the fly to form words and sentences. This method has gotten pretty good over the years, but it still sounds stilted.

WaveNet, by comparison, uses machine learning to generate audio from scratch. It actually analyzes the waveforms from a huge database of human speech and re-creates them at a rate of 24,000 samples per second. The end result includes voices with subtleties like lip smacks and accents. When Google first unveiled WaveNet in 2016, it was far too computationally intensive to work outside of research environments, but it's since been slimmed down significantly, showing a clear pipeline from research to product.
The Verge has embedded some samples in their report to see how WaveNet sounds.
AI

Jaywalkers Under Surveillance In China Will Soon Be Punished Via Text Messages (scmp.com) 139

An anonymous reader quotes a report from South China Morning Post: Traffic police in the southern Chinese city of Shenzhen have always had a reputation for strict enforcement of those flouting road rules in the metropolis of 12 million people. Now with the help of artificial intelligence and facial recognition technology, jaywalkers will not only be publicly named and shamed, they will be notified of their wrongdoing via instant messaging -- along with the fine. Intellifusion, a Shenzhen-based AI firm that provides technology to the city's police to display the faces of jaywalkers on large LED screens at intersections, is now talking with local mobile phone carriers and social media platforms such as WeChat and Sina Weibo to develop a system where offenders will receive personal text messages as soon as they violate the rules, according to Wang Jun, the company's director of marketing solutions.

For the current system installed in Shenzhen, Intellifusion installed cameras with 7 million pixels of resolution to capture photos of pedestrians crossing the road against traffic lights. Facial recognition technology identifies the individual from a database and displays a photo of the jaywalking offense, the family name of the offender and part of their government identification number on large LED screens above the pavement. In the 10 months to February this year, as many as 13,930 jaywalking offenders were recorded and displayed on the LED screen at one busy intersection in Futian district, the Shenzhen traffic police announced last month. Taking it a step further, in March the traffic police launched a webpage which displays photos, names and partial ID numbers of jaywalkers. These measures have effectively reduced the number of repeat offenders, according to Wang. The next step -- informing the errant pedestrians by text or Weibo instant messaging -- could have the added benefit of eliminating the cost of erecting large LED screens across the cities, he said.

Databases

Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys (fossbytes.com) 41

Thousands of etcd servers "are spitting sensitive passwords and encrypted keys," reports Fossbytes: Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. First, he ran a query on the hacker search engine Shodan that returned around 2300 servers running the etcd database. Then, he ran a simple script that gave him the login credentials stored on these servers which can be used to gain access to CMSs, MySQL, and PostgreSQL databases, etc.

etcd is a database used by computing clusters to store and exchange passwords and configuration settings between servers and applications over the network. With the default settings, its programming interface can return administrative login credentials without any authentication upfront... All of the data he harvested from around 1500 servers is around 750MB in size... Collazo advises that anyone maintaining etcd servers should enable authentication, set up a firewall, and take other security measures.

Another security researcher independently verified the results, and reported that one MySQL database had the root password "1234".
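The "simple script" is simple because of how the etcd v2 HTTP API behaves with authentication off, which is the default: a GET of /v2/keys/?recursive=true on the client port (2379) returns the whole key tree as JSON to anyone who can reach the port. The following is an added example (not Collazo's script) that walks such a response and classifies the leaves into the categories in the report, plus a live check you can run against your own clusters. The sample response is constructed; the AWS key values in it are the placeholder values from AWS's own documentation, not real credentials.

```python
"""Walk an etcd v2 key tree and classify what looks like a secret.

Added example; not Collazo's code. With auth disabled (the v2 default)
GET /v2/keys/?recursive=true returns the full tree. find_secrets() walks
a response of that shape; check_endpoint() is the live check for your
own clusters. SAMPLE_RESPONSE is constructed; its AWS values are the
documented AWS example placeholders.
"""
import json
import re
import urllib.error
import urllib.request
from collections import Counter

AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")          # AWS access key id format
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")  # PEM private key header
PASSWORD_KEY = re.compile(r"pass(word|wd)?|pwd", re.I)        # key-name heuristic
SECRET_KEY = re.compile(r"secret", re.I)                      # key-name heuristic


def walk(node):
    """Yield (key, value) for every leaf under an etcd v2 node."""
    if node.get("dir"):
        for child in node.get("nodes", []):   # empty dirs carry no "nodes"
            yield from walk(child)
    elif "value" in node:
        yield node["key"], node["value"]


def classify(key, value):
    """Return a secret category for one key/value pair, or None.
    Value-based matches first, since they are the most specific."""
    if PRIVATE_KEY.search(value):
        return "private_key"
    if AWS_ACCESS_KEY.search(value):
        return "aws_access_key"
    if PASSWORD_KEY.search(key):
        return "password"
    if SECRET_KEY.search(key):
        return "secret_key"
    return None


def find_secrets(response):
    """[(key, category), ...] for every leaf that classifies as a secret."""
    hits = []
    for key, value in walk(response["node"]):
        category = classify(key, str(value))
        if category is not None:
            hits.append((key, category))
    return hits


def summarize(hits):
    """Counts per category, in the shape of the report's totals."""
    return dict(Counter(category for _, category in hits))


def check_endpoint(base_url, timeout=3.0):
    """Live check: 'open' if the tree is readable with no credentials,
    'auth_enabled' on 401 (what you want), otherwise the HTTP status.
    Network call; not exercised by the sample data."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/keys/?recursive=true")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "open", json.load(resp)
    except urllib.error.HTTPError as e:
        return ("auth_enabled" if e.code == 401 else f"http_{e.code}"), None


# Constructed response in the etcd v2 shape, echoing the report's finds.
SAMPLE_RESPONSE = {
    "action": "get",
    "node": {"dir": True, "nodes": [
        {"key": "/config/db", "dir": True, "nodes": [
            {"key": "/config/db/host", "value": "10.1.2.3"},
            {"key": "/config/db/mysql_password", "value": "1234"},
        ]},
        {"key": "/aws/access_key_id", "value": "AKIAIOSFODNN7EXAMPLE"},
        {"key": "/aws/secret_access_key",
         "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
        {"key": "/tls/server.key",
         "value": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----"},
        {"key": "/empty", "dir": True},
    ]},
}

if __name__ == "__main__":
    found = find_secrets(SAMPLE_RESPONSE)
    print(found)
    print(summarize(found))
```

If check_endpoint() reports "open" from anywhere outside the cluster, the fix is the one Collazo gives: turn on authentication (for the v2 API, create a root user and run etcdctl auth enable; the v3 API also ships with auth off), put the client URL on an internal interface with TLS and client-certificate authentication, and filter 2379 at the network edge. Key-name heuristics like the ones above will miss secrets under innocuous names, so treat a clean walk as a weak signal and an open endpoint as the finding.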
Security

Jewelry Site Leaks Personal Details, Plaintext Passwords of 1.3 Million Users (thenextweb.com) 37

Chicago-based MBM Company's jewelry brand Limoges Jewelry has accidentally leaked the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. The German security firm Kromtech Security, which found the leak via an unsecured Amazon S3 storage bucket, also claims the database contained plaintext passwords. The Next Web reports: In a press release, Kromtech Security's head of communications, Bob Diachenko, said: "Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts." The [MSSQL database] backup file was named "MBMWEB_backup_2018_01_13_003008_2864410.bak," which suggests the file was created on January 13, 2018. It's believed to contain current information about the company's customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year. Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company. Diachenko says there's no evidence a malicious third-party has accessed the dump, but that "that does not mean that nobody [has] accessed the data."
China

Chinese Police Begin Tracking Citizens With Face-Recognizing Smart Glasses (reuters.com) 112

An anonymous reader quotes Reuters: At a highway check point on the outskirts of Beijing, local police are this week testing out a new security tool: smart glasses that can pick up facial features and car registration plates, and match them in real-time with a database of suspects. The AI-powered glasses, made by LLVision, scan the faces of vehicle occupants and the plates, flagging with a red box and warning sign to the wearer when any match up with a centralized "blacklist".

The test -- which coincides with the annual meeting of China's parliament in central Beijing -- underscores a major push by China's leaders to leverage technology to boost security in the country... Wu Fei, chief executive of LLVision, said people should not be worried about privacy concerns because China's authorities were using the equipment for "noble causes", catching suspects and fugitives from the law. "We trust the government," he told Reuters at the company's headquarters in Beijing.

This weekend while China's President Xi Jinping is expected to push through a reform allowing him to stay in power indefinitely, Reuters reports that the Chinese government is pushing the use of cutting-edge technology "to track and control behavior that goes against the interests of the ruling Communist Party online and in the wider world... A key concern is that blacklists could include a wide range of people stretching from lawyers and artists to political dissidents, charity workers, journalists and rights activists..."

"The new technologies range from police robots for crowd control, to drones to monitor border areas, and artificially intelligent systems to track and censor behavior online," Reuters reports, citing one Hong Kong researcher who argues that China now sees internet and communication technologies "as absolutely indispensable tools of social and political control."
Google

Google Is Selling Off Zagat (techcrunch.com) 33

An anonymous reader quotes a report from TechCrunch: Seven years after picking up Zagat for $151 million, Google is selling off the perennial restaurant recommendation service. The New York Times is reporting this morning that the technology giant is selling off the company to The Infatuation, a review site founded nine years back by former music execs. The company had been rumored to be courting a buyer since early this year. As Reuters noted at the time, Zagat has increasingly become less of a focus for Google, as the company began growing its database of restaurant recommendations organically. Zagat, meanwhile, has lost much of the shine it had when Google purchased it nearly a decade ago. The Infatuation, which uses an in-house team of reviewers to write up restaurants in major cities like New York, San Francisco, Los Angeles and London, is picking up the service for an undisclosed amount. The site clearly believes there's value left in the Zagat brand, even as the business of online reviews has changed significantly in the seven years since Google picked it up.
Security

GitHub Survived the Biggest DDoS Attack Ever Recorded (wired.com) 144

A 1.35 terabit-per-second DDoS attack hit GitHub all at once last Wednesday. "It was the most powerful distributed denial of service attack recorded to date -- and it used an increasingly popular DDoS method, no botnet required," reports Wired. From the report: GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off. "We modeled our capacity based on five times the biggest attack that the internet has ever seen," Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended. "So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It's one thing to have the confidence. It's another thing to see it actually play out how you'd hope."

Akamai defended against the attack in a number of ways. In addition to Prolexic's general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.
