Programming

What Makes Some Programming Languages the 'Most Dreaded'? (oreilly.com) 137

O'Reilly Media's Vice President of Content Strategy (also the coauthor of Unix Power Tools) recently explored why several popular programming languages wound up on the "most dreaded" list in StackOverflow's annual developer survey: There's no surprise that VBA is #1 disliked language. I'll admit to complete ignorance on Objective C (#2), which I've never had any reason to play with. Although I'm a Perl-hater from way back, I'm surprised that Perl is so widely disliked (#3), but some wounds never heal. It will be interesting to see what happens after Perl 7 has been out for a few years. Assembly (#4) is an acquired taste (and isn't a single language)...
But he eventually suggests that both C and Java might be on the list simply because they have millions of users, citing a quote from C++ creator Bjarne Stroustrup: "there are only two kinds of languages: the ones people complain about and the ones nobody uses." Dislike of a language may be "guilt by association": dislike of a large, antiquated codebase with minimal documentation, and an architectural style in which every bug fixed breaks something else. Therefore, it's not surprising to see languages that used to be widely used but have fallen from popularity on the list... Java has been the language people love to hate since its birth. I was at the USENIX session in which James Gosling first spoke about Java (way before 1.0), and people left the room talking about how horrible Java was — none of whom had actually used the language because it hadn't been released yet...

If there's one language on this list that's associated with gigantic projects, it's Java. And there are a lot of things to dislike about it — though a lot of them have to do with bad habits that grew up around Java, rather than the language itself. If you find yourself abusing design patterns, step back and look at what you're doing; making everything into a design pattern is a sign that you didn't understand what patterns are really for... If you start writing a FactoryFactoryFactory, stop and take a nice long walk. If you're writing a ClassWithAReallyLongNameBecauseThatsHowWeDoIt, you don't need to. Java doesn't make you do that... I've found Java easier to read and understand than most other languages, in part because it's so explicit — and most good programmers realize that they spend more time reading others' code than writing their own.

He also notes that Python only rose to #23 on the "most dreaded" languages list, speculating developers may appreciate its lack of curly braces, good libraries, and Jupyter notebooks. "Python wins the award for the most popular language to inspire minimal dislike. It's got a balanced set of features that make it ideal for small projects, and good for large ones."

"And what shall we say about JavaScript, sixteenth on the list? I've got nothing. It's a language that grew in a random and disordered way, and that programmers eventually learned could be powerful and productive... A language that's as widely used as JavaScript, and that's only 16th on the list of most dreaded languages, is certainly doing something right. But I don't have to like it."
Security

The NSA's Guidelines for Protecting Location Data (cisa.gov) 30

America's National Security Agency (NSA) "has shared new guidance with U.S. military and intelligence personnel, suggesting they take additional precautions to safeguard their location data," reports Engadget. "The agency argues the information devices and apps collect can pose a national security threat."

Ars Technica reports: The National Security Agency is recommending that some government workers and people generally concerned about privacy turn off find-my-phone, Wi-Fi, and Bluetooth whenever those services are not needed, as well as limit location data usage by apps. "Location data can be extremely valuable and must be protected," an advisory stated. "It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations."

NSA officials acknowledged that geolocation functions are enabled by design and are essential to mobile communications. The officials also admit that the recommended safeguards are impractical for most users. Mapping, location tracking of lost or stolen phones, automatically connecting to Wi-Fi networks, and fitness trackers and apps are just a few of the things that require fine-grained locations to work at all. But these features come at a cost. Adversaries may be able to tap into location data that app developers, advertising services, and other third parties receive from apps and then store in massive databases. Adversaries may also subscribe to services such as those offered by Securus and LocationSmart, two services that The New York Times and KrebsOnSecurity documented, respectively. Both companies either tracked or sold locations of customers collected by the cell towers of major cellular carriers.

Not only did LocationSmart leak this data to anyone who knew a simple trick for exploiting a common class of website bug, but a Vice reporter was able to obtain the real-time location of a phone by paying $300 to a different service. The New York Times also published this sobering feature outlining services that use mobile location data to track the histories of millions of people over extended periods.

The advisory also warns that tracking often happens even when cellular service is turned off, since both Wi-Fi and Bluetooth can also track locations and beam them to third parties connected to the Internet or with a sensor that's within radio range.

Long-time Slashdot reader AmiMoJo shares some of the agency's other recommendations:
  • Enter airplane mode when not using the device
  • Minimize web browsing on your device and do not allow browsers to access location services
  • Use an anonymous VPN
  • Minimize location information stored in the cloud

The Internet

Instagram Wasn't Removing Photos and Direct Messages From Its Servers (techcrunch.com) 34

A security researcher was awarded a $6,000 bug bounty payout after he found Instagram retained photos and private direct messages on its servers long after he deleted them. From a report: Independent security researcher Saugat Pokharel found that when he downloaded his data from Instagram, a feature it launched in 2018 to comply with new European data rules, his downloaded data contained photos and private messages with other users that he had previously deleted. It's not uncommon for companies to store freshly deleted data for a time until it can be properly scrubbed from its networks, systems and caches. Instagram said it takes about 90 days for deleted data to be fully removed from its systems. But Pokharel found that his ostensibly deleted data from more than a year ago was still stored on Instagram's servers, and could be downloaded using the company's data download tool. Pokharel reported the bug in October 2019 through Instagram's bug bounty program. The bug was fixed earlier this month, he said.
Bug

Single-line Software Bug Causes Fledgling YAM Cryptocurrency To Implode Just Two Days After Launch (theregister.com) 108

A two-day-old decentralized cryptocurrency called YAM collapsed this week after its creators revealed that a software bug had effectively vetoed human governance. From a report: "At approximately 6PM UTC, on Wednesday, August 12, we discovered a bug in the YAM rebasing contract that would mint far more YAM than intended to sell to the Uniswap YAM/yCRV pool, sending a large amount of excess YAM to the protocol reserve," the YAM project explained in a post on Thursday. "Given YAM's governance module, this bug would render it impossible to reach quorum, meaning no governance action would be possible and funds in the treasury would be locked."

The bug followed from this line of code...
totalSupply = initSupply.mul(yamsScalingFactor);
...which was supposed to be...
totalSupply = initSupply.mul(yamsScalingFactor).div(BASE);

YAM, a decentralized finance experiment, implements a governance system (for making protocol changes) based on supposed smart contracts that allocates votes based on assets. [...] The code flaw locked up about $750,000 worth of Curve (yCRV) tokens in the YAM treasury, assets intended to serve as a reserve currency to support the value of YAM tokens.

Firefox

Firefox Gets Fix For Evil Cursor Attack (zdnet.com) 29

Firefox has fixed a bug that was being exploited in the wild by tech support scammers to create artificial mouse cursors and prevent users from easily leaving malicious sites. From a report: The bug was discovered being abused online by UK cyber-security firm Sophos and reported to Mozilla earlier this year. A bugfix was provided and has been live in Firefox since version 79.0, released last week. The bug is a classic "evil cursor" attack and works because modern browsers allow site owners to modify how the mouse cursor looks while users are navigating their websites. This type of customization might look useless, but it's often used for browser-based games, browser augmented reality, or browser virtual reality experiences. However, custom cursors have been a major problem for the regular web. In evil cursor attacks, malicious websites tamper with cursor settings in order to modify where the actual cursor is visible on screen, and where the actual click area is.
United States

Instagram Displayed Negative Related Hashtags For Biden, But Hid Them For Trump (buzzfeednews.com) 242

An anonymous reader shares a report: For at least the last two months, a key Instagram feature, which algorithmically pushes users toward supposedly related content, has been treating hashtags associated with President Donald Trump and presumptive Democratic presidential nominee Joe Biden in very different ways. Searches for Biden also return a variety of pro-Trump messages, while searches for Trump-related topics only returned the specific hashtags, like #MAGA or #Trump -- which means searches for Biden-related hashtags also return counter-messaging, while those for Trump do not. Earlier this week, a search on Instagram for #JoeBiden would have surfaced nearly 390,000 posts tagged with the former vice president's name along with related hashtags selected by the platform's algorithm. Users searching Instagram for #JoeBiden might also see results for #joebiden2020, as well as pro-Trump hashtags like #trump2020landslide and #democratsdestroyamerica.

A similar search for #DonaldTrump on the platform, however, provided a totally different experience. Besides showing 7 million posts tagged with the president's name, Instagram did not present any related hashtags that would have pushed users toward different content or promoted alternative viewpoints. The difference between these two results, which an Instagram spokesperson told BuzzFeed News was a "bug," prevented hashtags including #Trump and #MAGA from being associated with potentially negative content. Meanwhile, Instagram hashtags associated with the Democratic presidential candidate -- #JoeBiden and #Biden, for example -- were presented alongside content that included overtly pro-Trump content and attacks on the former vice president.

Twitter

Twitter Says Android Security Bug Gave Access To Direct Messages (techcrunch.com) 4

Twitter says a security bug may have exposed the private direct messages of its Android app users, but said that there was no evidence that the vulnerability was ever exploited. From a report: The bug could have allowed a malicious Android app running on the same device to siphon off a user's direct messages stored in the Twitter app by bypassing Android's in-built data permissions. But, Twitter said that the bug only worked on Android 8 (Oreo) and Android 9 (Pie), and has since been fixed. A Twitter spokesperson told TechCrunch that the bug was reported by a security researcher "a few weeks ago" through HackerOne, which Twitter uses for its bug bounty program. "Since then, we have been working to keep accounts secure," said the spokesperson. "Now that the issue has been fixed, we're letting people know." Twitter said it waited to let its users know in order to prevent someone from learning about the issue and taking advantage of it before it was fixed.
Microsoft

Microsoft Goes Big in Security Bug Bounties: Its $13.7m is Double Google's 2019 Payouts (zdnet.com) 17

Microsoft has revealed it has awarded security researchers $13.7m for reporting bugs in Microsoft software since July last year. From a report: Microsoft's bug bounties are one of the largest sources of financial awards for researchers probing software for flaws and, importantly, reporting them to the relevant vendor rather than selling them to cybercriminals via underground markets or exploit brokers who distribute them to government agencies. The Redmond company has 15 bug-bounty programs through which researchers netted $13.7m between July 1, 2019 and June 30, 2020. That figure is triple the $4.4m it awarded in the same period the previous year. [...] Microsoft's total annual bug-bounty payouts are now much larger than Google's awards for security flaws in its software, which totaled $6.5m in calendar year 2019. That figure was double the previous year's payouts from the ad and search giant, which called it a "record-breaking year."
Microsoft

Microsoft Fixes Edge Bug That Made It Crash When Searching With Google (theverge.com) 52

"Microsoft's new Edge browser started randomly crashing when users typed into the address bar," reported the Verge on Thursday.

"The issues appear to have affected Edge users who had selected Google as the default search engine." Microsoft investigated the problem and now says it's believed to have been resolved. The Microsoft Edge crashes started at around 7PM ET, and were affecting macOS and Windows users. Microsoft resolved the problems after around four hours of crashes, but it's not clear why they were only limited to Google search users in Edge.

If users switched to Microsoft's Bing search engine within Edge, the crashes never occurred.

Red Hat Software

Red Hat Security Update Renders Systems Unbootable (redhat.com) 88

PAjamian writes: A recently released Red Hat update for the BootHole Vulnerability (firehose link) is causing systems to become unbootable. It is widely reported that updates to the shim, grub2 and kernel packages in RHEL and CentOS 7 and 8 are leaving various systems that use secure boot unbootable. Current recommendations are to avoid updating your system until the issue is resolved, or at least avoid updating the shim, grub2 and kernel packages. Update, shared by PAjamian: Red Hat is now recommending that users do not apply grub2, fwupd, fwupdate or shim updates until new packages are available.
Firefox

Firefox Working on Fixing a One-Year-Old Bug in Its Android App That Keeps Camera Active After Users Have Minimized the App or Locked Their Phone (zdnet.com) 18

Mozilla says it's working on fixing a bug in Firefox for Android that keeps the smartphone camera active even after users have moved the browser in the background or the phone screen was locked. From a report: A Mozilla spokesperson told ZDNet in an email this week that a fix is expected for later this year in October. The bug was first spotted and reported to Mozilla a year ago, in July 2019, by an employee of video delivery platform Appear TV. The bug manifests when users chose to video stream from a website loaded in Firefox instead of a native app. Mobile users often choose to stream from a mobile browser for privacy reasons, such as not wanting to install an intrusive app and grant it unfettered access to their smartphone's data. Mobile browsers are better because they prevent websites from accessing smartphone data, keeping their data collection to a minimum. The Appear TV developer noticed that Firefox video streams kept going, even in situations when they should have normally stopped.
Security

Microsoft Warns of a 17-Year-Old 'Wormable' Bug (wired.com) 9

Since WannaCry and NotPetya struck the internet just over three years ago, the security industry has scrutinized every new Windows bug that could be used to create a similar world-shaking worm. Now one potentially "wormable" vulnerability -- meaning an attack can spread from one machine to another with no human interaction -- has appeared in Microsoft's implementation of the domain name system protocol, one of the fundamental building blocks of the internet. From a report: As part of its Patch Tuesday batch of software updates, Microsoft today released a fix for a bug discovered by Israeli security firm Check Point, which the company's researchers have named SigRed. The SigRed bug exploits Windows DNS, one of the most popular kinds of DNS software that translates domain names into IP addresses. Windows DNS runs on the DNS servers of practically every small and medium-sized organization around the world. The bug, Check Point says, has existed in that software for a remarkable 17 years. Check Point and Microsoft warn that the flaw is critical, a 10 out of 10 on the common vulnerability scoring system, an industry standard severity rating. Not only is the bug wormable, Windows DNS software often runs on the powerful servers known as domain controllers that set the rules for networks. Many of those machines are particularly sensitive; a foothold in one would allow further penetration into other devices inside an organization.

On top of all of that, says Check Point's head of vulnerability research Omri Herscovici, the Windows DNS bug can in some cases be exploited with no action on the part of the target user, creating a seamless and powerful attack. "It requires no interaction. And not only that, once you're inside the domain controller that runs the Windows DNS server, expanding your control to the rest of the network is really easy," says Omri Herscovici. "It's basically game over." Check Point found the SigRed vulnerability in the part of Windows DNS that handles a certain piece of data that's part of the key exchange used in the more secure version of DNS known as DNSSEC. That one piece of data can be maliciously crafted such that Windows DNS allows a hacker to overwrite chunks of memory they're not meant to have access to, ultimately gaining full remote code execution on the target server. (Check Point says Microsoft asked the company not to publicize too many details of other elements of the technique, including how it bypasses certain security features on Windows servers.)

Microsoft

iPhone User Sues Microsoft's LinkedIn For Spying Through Apple's 'Clipboard' (reuters.com) 39

"Microsoft's LinkedIn was sued by a New York-based iPhone user on Friday for allegedly reading and diverting users' sensitive content from Apple Inc's Universal Clipboard application," reports Reuters. According to Apple's website, Universal Clipboard allows users to copy text, images, photos, and videos on one Apple device and then paste the content onto another Apple device. According to the lawsuit filed in San Francisco federal court by Adam Bauer, LinkedIn reads the Clipboard information without notifying the user. LinkedIn did not immediately respond to Reuters request for comment.

According to media reports from last week, 53 apps including TikTok and LinkedIn were reported to be reading users' Universal Clipboard content, after Apple's latest privacy feature started alerting users whenever the clipboard was accessed with a banner saying "pasted from Messages..."

A LinkedIn executive had said on Twitter last week that the company released a new version of its app to end this practice... According to the complaint, LinkedIn has not only been spying on its users, it has been spying on their nearby computers and other devices, and it has been circumventing Apple's Universal Clipboard timeout.

Bug

AI Researchers Create Testing Tool To Find Bugs in NLP From Amazon, Google, and Microsoft (venturebeat.com) 10

AI researchers have created a language-model testing tool that discovers major bugs in commercially available cloud AI offerings from Amazon, Google, and Microsoft. Yesterday, a paper detailing the CheckList tool received the Best Paper award from organizers of the Association for Computational Linguistics (ACL) conference. From a report: NLP models today are often evaluated based on how they perform on a series of individual tasks, such as answering questions using benchmark data sets with leaderboards like GLUE. CheckList instead takes a task-agnostic approach, allowing people to create tests that fill in cells in a spreadsheet-like matrix with capabilities (in rows) and test types (in columns), along with visualizations and other resources. Analysis with CheckList found that about one in four sentiment analysis predictions by Amazon's Comprehend change when a random shortened URL or Twitter handle is placed in text, and Google Cloud's Natural Language and Amazon's Comprehend make mistakes when the names of people or locations are changed in text. "The [sentiment analysis] failure rate is near 100% for all commercial models when the negation comes at the end of the sentence (e.g. 'I thought the plane would be awful, but it wasn't'), or with neutral content between the negation and the sentiment-laden word," the paper reads.
Businesses

Hackers Are Exploiting a 5-Alarm Bug In Networking Equipment (wired.com) 32

Andy Greenberg writes via Wired: Late last week, government agencies, including the United States Computer Emergency Readiness Team and Cyber Command, sounded the alarm about a particularly nasty vulnerability in a line of BIG-IP products sold by F5. The agencies recommended security professionals immediately implement a patch to protect the devices from hacking techniques that could fully take control of the networking equipment, offering access to all the traffic they touch and a foothold for deeper exploitation of any corporate network that uses them. Now some security companies say they're already seeing the F5 vulnerability being exploited in the wild -- and they caution that any organization that didn't patch its F5 equipment over the weekend is already too late.

The F5 vulnerability, first discovered and disclosed to F5 by cybersecurity firm Positive Technologies, affects a series of so-called BIG-IP devices that act as load balancers within large enterprise networks, distributing traffic to different servers that host applications or websites. Positive Technologies found a so-called directory traversal bug in the web-based management interface for those BIG-IP devices, allowing anyone who can connect to them to access information they're not intended to. That vulnerability was exacerbated by another bug that allows an attacker to run a "shell" on the devices that essentially lets a hacker run any code on them that they choose. The result is that anyone who can find an internet-exposed, unpatched BIG-IP device can intercept and mess with any of the traffic it touches. Hackers could, for instance, intercept and redirect transactions made through a bank's website, or steal users' credentials. They could also use the hacked device as a hop point to try to compromise other devices on the network. Since BIG-IP devices have the ability to decrypt traffic bound for web servers, an attacker could even use the bug to steal the encryption keys that guarantee the security of an organization's HTTPS traffic with users, warns Kevin Gennuso, a cybersecurity practitioner for a major American retailer.
While only a small minority of F5 BIG-IP devices are directly exploitable, Positive Technologies says that still includes 8,000 devices worldwide. "About 40 percent of those are in the U.S., along with 16 percent in China and single-digit percentages in other countries around the globe," reports Wired.

"Owners of those devices have had since June 30, when F5 first revealed the bug along with its patch, to update," adds Wired. "But many may not have immediately realized the seriousness of the vulnerability. Others may have been hesitant to take their load balancing equipment offline to implement an untested patch, points out Gennuso, for fear that critical services might go down, which would further delay a fix."
Privacy

LinkedIn Says iOS Clipboard Snooping After Every Key Press is a Bug, Will Fix (zdnet.com) 38

A LinkedIn spokesperson told ZDNet this week that a bug in the company's iOS app was responsible for a seemingly privacy-intrusive behavior spotted by one of its users on Thursday. From a report: The issue was discovered using the new beta version of iOS 14. For iOS 14, set to be officially released in the fall, Apple has added a new privacy feature that shows a quick popup that lets users know when an app has read content from their clipboard. Using this new mechanism, users spotted last week how Chinese mobile app TikTok was reading content from their clipboard at regular short intervals. TikTok said the feature was part of a fraud detection mechanism and that the company never stole the clipboard content, but promised to remove the behavior anyway, to put users' minds at ease. This week, users continued experimenting with this new iOS 14 clipboard access detection system. Yesterday, a developer from the portfolio-building portal Urspace.io discovered a similar mechanism in the LinkedIn iOS app. In a video shared on Twitter, the Urspace developer showed how LinkedIn's app was reading the clipboard content after every user key press, even accessing the shared clipboard feature that allows iOS apps to read content from a user's macOS clipboard.
Microsoft

Microsoft Removes Manual Deferrals From Windows Update By IT Pros 'To Prevent Confusion' (zdnet.com) 115

Microsoft is removing the ability for business users to defer manually Windows 10 feature updates using Windows Update settings starting with the Windows 10 2004/May Update. Microsoft seemingly made this change public with a change in its Windows 10 2004 for IT Pros documentation on June 23. From a report: Microsoft officials say this change is happening in the name of reducing confusion. Here's the explanation from the Microsoft page (which I saw thanks to WindowsTimes.com), and which I had heard about from a reader last week. (Last week, I assumed this was a bug, but now it seems like it's actually a "feature.") "Last year, we changed update installation policies for Windows 10 to only target devices running a feature update version that is nearing the end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings Advanced Options page starting on Windows 10, version 2004."
The Almighty Buck

Hey Email App Open To All After Apple 'Definitively' Approves It (engadget.com) 30

Basecamp's Hey email app is now open to everyone after Apple "definitively approved" it for the App Store. No invite code is required for users to sign up. Engadget reports: Basecamp CTO and co-founder David Heinemeier Hansson tweeted the news today. Hey will not include any in-app purchases (IAP), so Apple will not get its standard 30 percent commission. At first, Apple objected to the fact that users would download the app from the App Store but have to sign up via the web. Apple's policies require that developers use IAP to unlock paid features or functionality in an app. Hey managed to skirt around those rules by offering a free trial option.

Hey is now open to everyone, and it does not require an invite code. The app promises a more organized approach to email, for $99 per year. But perhaps more importantly, Hey is an example of how developers can avoid paying Apple 30 percent of IAP and subscription fees. "Hopefully this paves an illuminated path for approval for other multi-platform SAAS applications as well. There are still a litany of antitrust questions to answer, but things legitimately got a little better. New policies, new precedence. Apple took a great step forward," Hansson tweeted.

Intel

Former Intel Engineer Claims Skylake QA Drove Apple Away (pcgamer.com) 252

UnknowingFool writes: A former Intel engineer has put forth information that the QA process around Skylake was so terrible that it may have finally driven Apple to use their own processors in upcoming Macs. Not to say that Apple would not have eventually made this move, but Francois Piednoel says Skylake was abnormally bad with Apple finding the largest amount of bugs inside the architecture rivaling Intel itself. That led Apple to reconsider staying on the architecture and hastening their plans to migrate to their own chips. "The quality assurance of Skylake was more than a problem," says Piednoel. "It was abnormally bad. We were getting way too much citing for little things inside Skylake. Basically our buddies at Apple became the number one filer of problems in the architecture. And that went really, really bad. When your customer starts finding almost as much bugs as you found yourself, you're not leading into the right place."

"For me this is the inflection point," added Piednoel. "This is where the Apple guys who were always contemplating to switch, they went and looked at it and said: 'Well, we've probably got to do it.' Basically the bad quality assurance of Skylake is responsible for them to actually go away from the platform."

Apple made the switch official at its developer conference on Monday, announcing that it will introduce Macs featuring Apple-designed, ARM-based processors later this year.
Bug

Stuck At Home, Scientists Discover 9 New Insect Species (wired.com) 35

An anonymous reader quotes a report from Wired: When the Natural History Museum of Los Angeles County shut down due to the pandemic in mid-March, Lisa Gonzalez headed home with the expectation that she would be back in a few weeks. But once it became clear that she wouldn't get back anytime soon, Gonzalez, the museum's assistant entomology collection manager, converted her home's craft room into a makeshift lab. Then she began sifting through thousands of insects the museum had previously collected via a citizen science project. [...] Using just her own microscope, Gonzalez identified dozens of insect species by looking at features like tiny hairs or the shape of a fly's wings. She also found some unusual insects that she turned over to her colleague, Brian Brown, the museum's curator of entomology. Using a larger Leica stereoscope that he hauled in from the office, as well as a smaller compound microscope he found on craigslist, Brown discovered nine species of small flies, all new to science. "It's always cool to find new things, and it is one of the great joys of this job," says Brown. "It's not just finding slightly different new things -- we find extravagantly different things all the time."

The insects, mostly small flies, wasps, and wasplike flies, had been collected through the BioSCAN project, which began in 2012 with insect traps set at 30 sites throughout Los Angeles, mostly in backyards or public spaces. The pair recruited volunteers who were then trained in how to use the "Malaise traps," which resemble two-person pup tents that force bugs to fly upward into collecting nets before the volunteers can put them into vials. The BioSCAN project started when Brown bet a museum trustee that he could find a new species of insect in her backyard in West LA. He did, and the project took off. In its first three years, Brown and the backyard collector discovered 30 new species of insects and published their results. The museum team found an additional 13 new species in the past two years, plus he and the staff have discovered nine more since the pandemic shutdown.
"The nine new species include phorid flies, some of which are known for their ability to run across surfaces and or enter coffins to consume dead bodies," the report adds. "Brown and Gonzalez have also found botflies, parasites of rats and wasplike flies that have never been seen before in Southern California. They likely arrived from Central America, perhaps hitching a ride on a flowering plant or piece of food."

"With the help of tens of thousands of insects collected through the BioSCAN project, over the years Brown and Gonzalez have expanded the count of known insect species in the Los Angeles basin from 3,500 during the last census in 1993 to around 20,000 today."
