Programming

Two Android Engineers Explain How They Extended Rust In Android's Firmware (theregister.com) 62

The Register reports that Google "recently rewrote the firmware for protected virtual machines in its Android Virtualization Framework using the Rust programming language." And they add that Google "wants you to do the same, assuming you deal with firmware."

A post on Google's security blog by Android engineers Ivan Lozano and Dominik Maier promises to show "how to gradually introduce Rust into your existing firmware," adding "You'll see how easy it is to boost security with drop-in Rust replacements, and we'll even demonstrate how the Rust toolchain can handle specialized bare-metal targets."

This prompts the Register to quip that easy "is not a term commonly heard with regard to a programming language known for its steep learning curve." Citing the lack of high-level security mechanisms in firmware, which is often written in memory-unsafe languages such as C or C++, Lozano and Maier argue that Rust provides a way to avoid the memory safety bugs like buffer overflows and use-after-free that account for the majority of significant vulnerabilities in large codebases. "Rust provides a memory-safe alternative to C and C++ with comparable performance and code size," they note. "Additionally it supports interoperability with C with no overhead."
At one point the blog post explains that "You can replace existing C functionality by writing a thin Rust shim that translates between an existing Rust API and the C API the codebase expects." But their ultimate motivation is greater security. "Android's use of safe-by-design principles drives our adoption of memory-safe languages like Rust, making exploitation of the OS increasingly difficult with every release."

And the Register also got this quote from Lars Bergstrom, Google's director of engineering for Android Programming Languages (and chair of the Rust Foundation's board of directors). "At Google, we're increasing Rust's use across Android, Chromium, and more to reduce memory safety vulnerabilities. We're dedicated to collaborating with the Rust ecosystem to drive its adoption and provide developers with the resources and training they need to succeed.

"This work on bringing Rust to embedded and firmware addresses another critical part of the stack."
Education

MIT CS Professor Tests AI's Impact on Educating Programmers (acm.org) 84

Long-time Slashdot reader theodp writes: "The Impact of AI on Computer Science Education" recounts an experiment Eric Klopfer conducted in his undergrad CS class at MIT. He divided the class into three groups and gave them a programming task to solve in the Fortran language, which none of them knew. Reminiscent of how The Three Little Pigs used straw, sticks, and bricks to build their houses with very different results, Klopfer allowed one group to use ChatGPT to solve the problem, while the second group was told to use Meta's Code Llama LLM, and the third group could only use Google. The group that used ChatGPT, predictably, solved the problem quickest, while it took the second group longer to solve it. It took the group using Google even longer, because they had to break the task down into components.

Then, the students were tested on how they solved the problem from memory, and the tables turned. The ChatGPT group "remembered nothing, and they all failed," recalled Klopfer. Meanwhile, half of the Code Llama group passed the test. The group that used Google? Every student passed.

"This is an important educational lesson," said Klopfer. "Working hard and struggling is actually an important way of learning. When you're given an answer, you're not struggling and you're not learning. And when you get more of a complex problem, it's tedious to go back to the beginning of a large language model and troubleshoot it and integrate it." In contrast, breaking the problem into components allows you to use an LLM to work on small aspects, as opposed to trying to use the model for an entire project, he says. "These skills, of how to break down the problem, are critical to learn."

Programming

GitHub Actions Typosquatting: a High-Impact Supply Chain Attack-in-Waiting? (csoonline.com) 4

GitHub Actions let developers "automate software builds and tests," writes CSO Online, "by setting up workflows that trigger when specific events are detected, such as when new code is committed to the repository."

They also "can be reused and shared with others on the GitHub Marketplace, which currently lists thousands of public Actions that developers can use instead of coding their own. Actions can also be included as dependencies inside other Actions, creating an ecosystem similar to other open-source component registries." Researchers from Orca Security recently investigated the impact typosquatting can have in the GitHub Actions ecosystem by registering 14 GitHub organizations with names that are misspellings of popular Actions owners — for example, circelci instead of circleci, actons instead of actions, google-github-actons instead of google-github-actions... One might think that developers making typos is not very common, but given the scale of GitHub — over 100 million developers with over 420 million repositories — even a statistically rare occurrence can mean thousands of potential victims. For example, the researchers found 194 workflow files calling the "action" organization instead of "actions"; moreover, 12 public repositories started referencing the researchers' fake "actons" organization within two months of setting it up.

"Although the number may not seem that high, these are only the public repositories we can search for and there could be multiple more private ones, with numbers increasing over time," the researchers wrote... Ultimately this is a low-cost high-impact attack. Having the ability to execute malicious actions against someone else's code is very powerful and can result in software supply chain attacks, with organizations and users that then consume the backdoored code being impacted as well...

Out of the 14 typosquatted organizations that Orca set up for their proof-of-concept, GitHub only suspended one over a three-month period — circelci — and that's likely because someone reported it. CircleCI is one of the most popular CI/CD platforms.

Thanks to Slashdot reader snydeq for sharing the article.
Linux

Rust for Linux Maintainer Steps Down in Frustration With 'Nontechnical Nonsense' (theregister.com) 155

Efforts to add Rust code to the Linux kernel has suffered a setback as one of the maintainers of the Rust for Linux project has stepped down -- citing frustration with "nontechnical nonsense," according to The Register: Wedson Almeida Filho, a software engineer at Microsoft who has overseen the Rust for Linux project, announced his resignation in a message to the Linux kernel development mailing list. "I am retiring from the project," Filho declared. "After almost four years, I find myself lacking the energy and enthusiasm I once had to respond to some of the nontechnical nonsense, so it's best to leave it up to those who still have it in them."

[...] Memory safety bugs are regularly cited as the major source of serious software vulnerabilities by organizations overseeing large projects written in C and C++. So in recent years there's been a concerted push from large developers like Microsoft and Google, as well as from government entities like the US Cybersecurity and Infrastructure Security Agency, to use memory-safe programming languages -- among them Rust. Discussions about adding Rust to Linux date back to 2020 and were realized in late 2022 with the release of Linux 6.1. "I truly believe the future of kernels is with memory-safe languages," Filho's note continued. "I am no visionary but if Linux doesn't internalize this, I'm afraid some other kernel will do to it what it did to Unix."

Programming

Python, JavaScript, Java: ZDNet Calculates The Most Popular Programming Languages (zdnet.com) 39

Pundits aggregate results from multiple pollsters to minimize biases. So ZDNet tried the same approach, but aggregating rankings for the popularity of 19 top programming languages. Senior contributing editor David Gewirtz combined results from nine popularity rankings, including PYPL, the Tiobe index, GitHub's Usage 2023 summary report, and several rankings from Stack Overflow and from IEEE Spectrum.

The results? The top cluster contains Python, JavaScript, and Java. These are all very representative in the world of AI coding...

The next cluster contains the classic C-based languages [C++, C#, C], plus TypeScript (which is a more robust JavaScript variant) and SQL.

Below that are languages that were dominant a while ago, the web languages used to build and operate websites [HTML/CSS, PHP, Shell], followed by a range of other languages that are either growing in popularity (R, Dart) or dropping in popularity (Ruby). [Just above Ruby are Go, Rust, Kotlin, and Lua.]

Finally, at the bottom is Swift, Apple's language of choice. Objective-C, the previous language of Apple programming, has all but dropped off the list since Apple launched Swift. But while Apple boasts many developers, Swift is clearly not a standout in programmer interest... [T]here aren't a huge number of companies hiring Apple app developers, at least primarily. That's why Swift is relatively far down the chart. Objective-C is being replaced by Swift, and we can see it dropping right before our eyes.

"With the exception of Java, the C-family of languages still dominates," the article concludes, before adding that if you're only going to learn one language, "I'd recommend Python, Java, and JavaScript instead." But it also advises aspiring programmers to learn "multiple languages and multiple frameworks. Build things in the languages. Programming is not just an intellectual exercise. You have to actually make stuff....

"[L]earning how to learn languages is as important as learning a language — and the best way to do that is to learn more than one."
AI

VS Code Fork 'Cursor' - the ChatGPT of Coding? (tomsguide.com) 69

"Sometimes an artificial intelligence tool comes out of nowhere and dominates the conversation on social media," writes Tom's Guide.

"This week that app is Cursor, an AI coding tool that uses models like Claude 3.5 Sonnet and GPT-4o to make it easier than ever to build your own apps," with the ability to "write, predict and manipulate code using nothing but a text prompt." Cursor is part development environment, part AI chatbot and unlike tools like GitHub Copilot it can more or less do all of the work for you, transforming a simple idea into functional code in minutes... Built on the same system as the popular Microsoft Visual Studio Code, Cursor has already found a fanbase among novice coders and experienced engineers...

Cursor's simplicity, working from a chat window, means even someone completely new to code could get a functional app running in minutes and keep building on it to add new features... The startup has raised over $400 million since it was founded in 2022 and works with various models including those from Anthropic and OpenAI... In my view, its true power is in the democratization of coding. It would also allow someone without much coding experience to build the tools they need by typing a few lines of text.

More from ReadWrite: Cursor, an AI firm that is attempting to build a "magical tool that will one day write all the world's code," has announced it has raised $60 million in its Series A funding round... As of August 22, the company had a valuation of $400 million, according to sources cited by TechCrunch...

Anysphere is the two-year-old startup that developed the app. Its co-founders are Michael Truell, Sualeh Asif, Arvid Lunnemark and Aman Sanger, who started the company while they were students at MIT... Using advanced AI capabilities, it is said to be able to finish, correct, and change AI code through natural language commands. It currently works with JavaScript, Python, and TypeScript, and is free for most uses. The pro plan will set you back $20 per month.

But how well does it work? Tom's Guide notes that after requesting a test app, "It generated the necessary code in the sidebar chat window and all I had to do was click Apply and then Accept. This added the code to a new Python file including all the necessary imports. It also gave me instructions on how to add modules to my machine to make the code work.

"As the chat is powered by Claude 3.5 Sonnet, you can just have it explain in more detail any element of the code or any task required to make it run..."

Andreessen Horowitz explains why they invested in the company: It's very clear that LLMs are a powerful tool for programmers, and that their coding abilities will improve over time. But it's also clear that for most coding tasks, the problem to solve is not how to make LLMs perform well in isolation, but how to make them perform well alongside a human developer. We believe, therefore, the interface between programmers and AI models will soon become one of the most important pieces of the dev stack. And we're thrilled to announce our series A investment...

Cursor is a fork of VS Code that's heavily customized for AI-assisted programming. It works with all the latest LLMs and supports the full VS Code plugin ecosystem. What makes Cursor special are the features designed to integrate AI into developer workflows — including next action prediction, natural language edits, chatting with your codebase, and a bunch of new ones to come... Our belief is that Cursor, distinctly among AI coding tools, has simply gotten it right. That's why, in a little over a year, thousands of users have signed up for Cursor, including at companies like OpenAI, Midjourney, Perplexity, Replicate, Shopify, Instacart, and many others. Users give glowing reviews of the product, many of them have started to pay for it, and they rarely switch back to other IDEs. Most of the a16z Infra team have also become avid Cursor users!

One site even argues that Cursor's coding and AI capabilities "should be a wake up call for Microsoft to make VS Code integration with GitHub Copilot a lot easier."

Thanks to Slashdot reader joshuark for sharing the article.
Python

Python Developer Survey: 55% Use Linux, 6% Use Python 2 (jetbrains.com) 68

More than 25,000 Python developers from nearly 200 countries took the 7th annual Python Developers Survey between November 2023 and February 2024, with 85% saying Python was their main language.

Some interesting findings:
  • Though Python 2 reached "end-of-life" status in April of 2020, last year's survey found 7% of respondents were still using Python 2. This year's survey found that number has finally dropped... to 6%.

    "Almost half of Python 2 holdouts are under 21 years old," the survey results point out, "and a third are students. Perhaps courses are still using Python 2?"
  • Meanwhile, 73% are using one of the last three versions of Python (3.10, 3.11, or 3.12)
  • "The share of developers using Linux as their development environment has decreased through the years: compared with 2021, it's dropped by 8 percentage points." [The graphic is a little confusing, showing 55% using Linux, 55% using Windows, 29% on MacOS, 2% on BSD, and 1% on "Other."]
  • Visual Studio Code is the most popular IDE (22%), followed by Jupyter Notebook (20%) and Vim (17%). The next-most popular IDEs were PyCharm Community Edition (13%), JupyterLab (12%), NotePad++ (11%) and Sublime Text (9%). Interestingly, just 23% of the 25,000 respondents said they only used one IDE, with 38% saying they used two, 21% using three, and 19% using four or more. [The annual survey is a collaboration between the Python Software Foundation and JetBrains.]
  • 37% said they'd contributed to open-source projects within the last year. (77% of those contributed code, while 38% contributed documentation, 35% contributed governance/leadership/maintainer duties, and 33% contributed tests...)
  • For "age range," nearly one-third (32%) said 21-29 (with another 8% choosing 18-20). Another 33% said 30-39, while 16% said 40-49, 7% said 50-59, and 3% chose "60 or older."

    49% of respondents said they had less than two years of programming experience, with 33% saying "less than 1 year" and 16% saying "1-2 years." (34% of developers also said they practiced collaborative development.)

And here's how the 25,000 developers answered the question: how long have you been programming in Python?

  • Less than 1 year: 25%
  • 1-2 years: 16%
  • 3-5 years: 26%
  • 6-10 years: 19%
  • 11+ years: 13%

So what are they doing with Python? Among those who'd said Python was their main language:

  • Data analysis: 44%
  • Web development: 44%
  • Machine learning: 34%
  • Data engineering: 28%
  • Academic research: 26%
  • DevOps / Systems administration / Writing automation scripts 26%
  • Programming of web parsers / scrapers / crawlers: 25%

62% were "fully employed by a company," while the next-largest category was "student" (12%) with another 5% in "working student". There were also categories for "self-employed" (6%), "freelancer" (another 6%), and "partially employed by a company" (4%). Another 4% said they were unemployed.

In other news, the Python Software Foundation board has also "decided to invest more in connecting and serving the global Python community" by hosting monthly "office hours" on their Discord channel.


The Courts

$400 Million Algorithmic System Illegally Denied Thousands of Medicaid Benefits (gizmodo.com) 64

An anonymous reader quotes a report from Gizmodo: Thousands of Tennesseans were illegally denied Medicaid and other benefits due to programming and data errors in an algorithmic system the state uses to determine eligibility for low-income residents and people with disabilities, a U.S. District Court judge ruled this week. The TennCare Connect system -- built by Deloitte and other contractors for more than $400 million -- is supposed to analyze income and health information to automatically determine eligibility for benefits program applicants. But in practice, the system often doesn't load the appropriate data, assigns beneficiaries to the wrong households, and makes incorrect eligibility determinations, according to the decision (PDF) from Middle District of Tennessee Judge Waverly Crenshaw Jr.

"When an enrollee is entitled to state-administered Medicaid, it should not require luck, perseverance, and zealous lawyering for him or her to receive that healthcare coverage," Crenshaw wrote in his opinion. The decision was a result of a class action lawsuit filed in 2020 on behalf of 35 adults and children who were denied benefits. [...] ]Crenshaw found that TennCare Connect did not consider whether applicants were eligible for all available programs before it terminated their coverage. Deloitte was a major beneficiary of the nationwide modernization effort, winning contracts to build automated eligibility systems in more than 20 states, including Tennessee and Texas. Advocacy groups have asked (PDF) the Federal Trade Commission to investigate Deloitte's practices in Texas, where they say thousands of residents are similarly being inappropriately denied life-saving benefits by the company's faulty systems.

Television

ESPN's 'Where To Watch' Tries To Solve Sports' Most Frustrating Problem (arstechnica.com) 67

An anonymous reader quotes a report from Ars Technica: Too often, new tech product or service launches seem like solutions in search of a problem, but not this one: ESPN is launching software that lets you figure out just where you can watch the specific game you want to see amid an overcomplicated web of streaming services, cable channels, and arcane licensing agreements. Every sports fan is all too familiar with today's convoluted streaming schedules. Launching today on ESPN.com and the various ESPN mobile and streaming device apps, the new guide offers various views, including one that lists all the sporting events in a single day and a search function, among other things. You can also flag favorite sports or teams to customize those views.

"At the core of Where to Watch is an event database created and managed by the ESPN Stats and Information Group (SIG), which aggregates ESPN and partner data feeds along with originally sourced information and programming details from more than 250 media sources, including television networks and streaming platforms," ESPN's press release says. ESPN previously offered browsable lists of games like this, but it didn't identify where you could actually watch all the games. There's no guarantee that you'll have access to the services needed to watch the games in the list, though. Those of us who cut the cable cord long ago know that some games -- especially those local to your city -- are unavailable without cable.

Programming

Amazon and AWS Developers May Not Want To Invite Their CEOs To Java Code Reviews 47

theodp writes: Typos happen to the best of us, but spelling still counts when it comes to software development. So, it's kind of surprising to see that both Amazon CEO Andy Jassy and former AWS CEO Adam Selipsky failed to notice an embarrassing typo in a demo video they offered to their millions of followers on social media as evidence of Amazon Q AI's Java upgrade capabilities, which Amazon has been trumpeting for months in SEC filings, shareholder communication, and Amazon's latest earnings call with Wall Street analysts.

Just 37 seconds into the demo of the software that Amazon says saved it 4,500 developer-years of work and provided an additional $260M in annualized efficiency gains, Amazon Q kicks off the Java upgrade conversation by saying, "I can help you upgrade your Jave [sic] 8 and 11 codebases to Java 17." The embarrassing misspelling did prompt Twitter user @archo5dev to alert Jassy to the typo, but there's been no response yet from Jassy, who boasted that Amazon developers were unable to find any mistakes in Q's work in "79% of the auto-generated code reviews."

It's probably worth noting that both Jassy and Selipsky opted to showcase a drop-dead simple demo of Amazon Q Code Transformation rather than some of the lengthier and less-magical demos of the product.
Programming

Amazon CEO: AI-Assisted Code Transformation Saved Us 4,500 Years of Developer Work (x.com) 130

Long-time Slashdot reader theodp shared this anecdote about Amazon's GenAI assistant for software development, Amazon Q: On Thursday, Amazon CEO Andy Jassy took to Twitter to boast that using Amazon Q to do Java upgrades has already saved Amazon from having to pay for 4,500 developer-years of work. ("Yes, that number is crazy but, real," writes Jassy). And Jassy says it also provided Amazon with an additional $260M in annualized efficiency gains from enhanced security and reduced infrastructure costs.

"Our developers shipped 79% of the auto-generated code reviews without any additional changes," Jassy explained. "This is a great example of how large-scale enterprises can gain significant efficiencies in foundational software hygiene work by leveraging Amazon Q."

Jassy — who FORTUNE reported had no formal training in computer science — also touted Amazon Q's Java upgrade prowess in his Letter to Shareholders earlier this year, as has Amazon in its recent SEC filings ("today, developers can save months using Q to move from older versions of Java to newer, more secure and capable ones; in the near future, Q will help developers transform their .net code as well"). Earlier this week, Business Insider reported on a leaked recording of a fireside chat in which AWS CEO Matt Garman predicted a paradigm shift in coding as a career in the foreseeable future with the prevalence of AI. According to Garman, "If you go forward 24 months from now, or some amount of time — I can't exactly predict where it is — it's possible that most developers are not coding."

Microsoft

How Should Cybersecurity Evolve After Crowdstrike's Outage? (cnbc.com) 108

Microsoft will meet with CrowdStrike and other security companies" on September 10, reports CNBC, to "discuss ways to evolve" the industry after a faulty CrowdStrike software update in July caused millions of Windows computers to crash: [An anonymous Microsoft executive] said participants at the Windows Endpoint Security Ecosystem Summit will explore the possibility of having applications rely more on a part of Windows called user mode instead of the more privileged kernel mode... Attendees at Microsoft's September 10 event will also discuss the adoption of eBPF technology, which checks if programs will run without triggering system crashes, and memory-safe programming languages such as Rust, the executive said.
Wednesday Crowdstrike argued no cybersecurity vendor could "technically" guarantee their software wouldn't cause a similar incident.

On a possibly related note, long-time Slashdot reader 278MorkandMindy shares their own thoughts: The "year of the Linux desktop" is always just around the corner, somewhat like nuclear fusion. Will Windows 11, with its general advert and telemetry BS, along with the recall feature, FINALLY push "somewhat computer literate" types like myself onto Linux?
Apple

What's 81-Year-Old John 'Captain Crunch' Draper Doing Now? (johndraper.us) 54

He was employee #13 at Apple Computers — after impressing Steve Wozniak and Steve Jobs with his "blue box" phone-phreaking technique. Now 81-year-old John "Captain Crunch" Draper has launched a new YouTube channel and web site.

"I spent decades exploring the depths of communication technology," Draper says in a recent video, "always pushing the boundaries of what's possible, and challenging the status quo." The video is embedded at the top of the new web site, welcoming visitors to "your gateway to my world, where I share everything from my secrets of the early phone freaking days to the latest in emergency communication systems that could one day save your life." "Here you'll find insights into my current projects including advanced uses of artificial intelligence, emergency communication preparedness, and much more. Whether you're a technology enthusiast, a fellow veteran, or someone curious about the unseen forces that connect our world, here's something for you."
And clicking the "Current Projects" link leads to an interesting list:
  • "My involvement in the field of Unidentified Aerial Phenomena (UAP) recently took me to "Contact in the Desert," a pivotal gathering of leading scientists pushing for governmental transparency in UAP research."
  • "Artificial Intelligence, particularly ChatGPT, has captivated my interest. I'm refining my skills as a prompt engineer, integrating AI into various facets of my life, from web development and programming to personal research on UAPs and anti-gravity phenomena."
  • "In light of global tensions, such as the Ukrainian conflict, I'm actively preparing for potential disruptions in conventional communication systems. Together with a hardware partner, we are pioneering advanced communication technologies under the unlicensed ISM band using the Meshtastic protocol. This technology, which is popular in the UK but less so in the US, facilitates secure, low-power, and nearly undetectable communication. I am advocating for its adoption in Las Vegas, where it remains largely underutilized."
  • "My YouTube channel not only serves as a platform for project updates but also as a conduit for preserving the legacy of the computing era's pioneers." [Draper's channel has already hosted a reunion with members from the original 1970s HomeBrew Computer Club.]

Draper's home page also has a 59-minute video of a conference talk where Draper tells his life story...

And five months ago Draper released a video on YouTube showing what happened when he asked ChatGPT to design his logo. It resulted in "really hokey pictures — terrible." But Draper scrolls them all to provide his critique....

There's also a Patreon account where Draper is offering to schedule Zoom meetings with subscribers (for between $22 and $45 an hour).


Programming

Linux Creator Torvalds Says Rust Adoption in Kernel Lags Expectations (zdnet.com) 69

Linux creator Linus Torvalds expressed disappointment with the slow adoption of Rust in the Linux kernel at the Linux Foundation's Open Source Summit China. In a conversation with Verizon executive Dirk Hohndel, Torvalds said, "I was expecting updates to be faster, but part of the problem is that old-time kernel developers are used to C and don't know Rust. They're not exactly excited about having to learn a new language that is, in some respects, very different." This resistance has led to "some pushback on Rust," he said. "Another reason has been the Rust infrastructure itself has not been super stable," he added.
Programming

'GitHub Actions' Artifacts Leak Tokens, Expose Cloud Services and Repositories (securityweek.com) 19

Security Week brings news about CI/CD workflows using GitHub Actions in build processes. Some workflows can generate artifacts that "may inadvertently leak tokens for third party cloud services and GitHub, exposing repositories and services to compromise, Palo Alto Networks warns." [The artifacts] function as a mechanism for persisting and sharing data across jobs within the workflow and ensure that data is available even after the workflow finishes. [The artifacts] are stored for up to 90 days and, in open source projects, are publicly available... The identified issue, a combination of misconfigurations and security defects, allows anyone with read access to a repository to consume the leaked tokens, and threat actors could exploit it to push malicious code or steal secrets from the repository. "It's important to note that these tokens weren't part of the repository code but were only found in repository-produced artifacts," Palo Alto Networks' Yaron Avital explains...

"The Super-Linter log file is often uploaded as a build artifact for reasons like debuggability and maintenance. But this practice exposed sensitive tokens of the repository." Super-Linter has been updated and no longer prints environment variables to log files.

Avital was able to identify a leaked token that, unlike the GitHub token, would not expire as soon as the workflow job ends, and automated the process that downloads an artifact, extracts the token, and uses it to replace the artifact with a malicious one. Because subsequent workflow jobs would often use previously uploaded artifacts, an attacker could use this process to achieve remote code execution (RCE) on the job runner that uses the malicious artifact, potentially compromising workstations, Avital notes.

Avital's blog post notes other variations on the attack — and "The research laid out here allowed me to compromise dozens of projects maintained by well-known organizations, including firebase-js-sdk by Google, a JavaScript package directly referenced by 1.6 million public projects, according to GitHub. Another high-profile project involved adsys, a tool included in the Ubuntu distribution used by corporations for integration with Active Directory." (Avital says the issue even impacted projects from Microsoft, Red Hat, and AWS.) "All open-source projects I approached with this issue cooperated swiftly and patched their code. Some offered bounties and cool swag."

"This research was reported to GitHub's bug bounty program. They categorized the issue as informational, placing the onus on users to secure their uploaded artifacts." My aim in this article is to highlight the potential for unintentionally exposing sensitive information through artifacts in GitHub Actions workflows. To address the concern, I developed a proof of concept (PoC) custom action that safeguards against such leaks. The action uses the @actions/artifact package, which is also used by the upload-artifact GitHub action, adding a crucial security layer by using an open-source scanner to audit the source directory for secrets and blocking the artifact upload when risk of accidental secret exposure exists. This approach promotes a more secure workflow environment...

As this research shows, we have a gap in the current security conversation regarding artifact scanning. GitHub's deprecation of Artifacts V3 should prompt organizations using the artifacts mechanism to reevaluate the way they use it. Security defenders must adopt a holistic approach, meticulously scrutinizing every stage — from code to production — for potential vulnerabilities. Overlooked elements like build artifacts often become prime targets for attackers. Reduce workflow permissions of runner tokens according to least privilege and review artifact creation in your CI/CD pipelines. By implementing a proactive and vigilant approach to security, defenders can significantly strengthen their project's security posture.

The blog post also notes protection and mitigation features from Palo Alto Networks....
AI

'AI-Powered Remediation': GitHub Now Offers 'Copilot Autofix' Suggestions for Code Vulnerabilities (infoworld.com) 18

InfoWorld reports that Microsoft-owned GitHub "has unveiled Copilot Autofix, an AI-powered software vulnerability remediation service."

The feature became available Wednesday as part of the GitHub Advanced Security (or GHAS) service: "Copilot Autofix analyzes vulnerabilities in code, explains why they matter, and offers code suggestions that help developers fix vulnerabilities as fast as they are found," GitHub said in the announcement. GHAS customers on GitHub Enterprise Cloud already have Copilot Autofix included in their subscription. GitHub has enabled Copilot Autofix by default for these customers in their GHAS code scanning settings.

Beginning in September, Copilot Autofix will be offered for free in pull requests to open source projects.

During the public beta, which began in March, GitHub found that developers using Copilot Autofix were fixing code vulnerabilities more than three times faster than those doing it manually, demonstrating how AI agents such as Copilot Autofix can radically simplify and accelerate software development.

"Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews," says one principal engineer quoted in GitHub's announcement, "and a 25% increase in overall development productivity."

The announcement also notes that Copilot Autofix "leverages the CodeQL engine, GPT-4o, and a combination of heuristics and GitHub Copilot APIs." Code scanning tools detect vulnerabilities, but they don't address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply. In other words, finding vulnerabilities isn't the problem. Fixing them is...

Developers can keep new vulnerabilities out of their code with Copilot Autofix in the pull request, and now also pay down the backlog of security debt by generating fixes for existing vulnerabilities... Fixes can be generated for dozens of classes of code vulnerabilities, such as SQL injection and cross-site scripting, which developers can dismiss, edit, or commit in their pull request.... For developers who aren't necessarily security experts, Copilot Autofix is like having the expertise of your security team at your fingertips while you review code...

As the global home of the open source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open source software is safer and more reliable for everyone. We firmly believe that it's highly important to be both a responsible consumer of open source software and contributor back to it, which is why open source maintainers can already take advantage of GitHub's code scanning, secret scanning, dependency management, and private vulnerability reporting tools at no cost. Starting in September, we're thrilled to add Copilot Autofix in pull requests to this list and offer it for free to all open source projects...

While responsibility for software security continues to rest on the shoulders of developers, we believe that AI agents can help relieve much of the burden.... With Copilot Autofix, we are one step closer to our vision where a vulnerability found means a vulnerability fixed.

Programming

GitHub Promises 'Additional Guardrails' After Wednesday's Update Triggers Short Outage (githubstatus.com) 12

Wednesday GitHub "broke itself," reports the Register, writing that "the Microsoft-owned code-hosting outfit says it made a change involving its database infrastructure, which sparked a global outage of its various services."

Or, as the Verge puts it, GitHub experienced "some major issues" which apparently lasted for 36 minutes: When we first published this story, navigating to the main GitHub website showed an error message that said "no server is currently available to service your request," but the website was working again soon after. (The error message also featured an image of an angry unicorn.) GitHub's report of the incident also listed problems with things like pull requests, GitHub Pages, Copilot, and the GitHub API.
GitHub attributed the downtime to "an erroneous configuration change rolled out to all GitHub.com databases that impacted the ability of the database to respond to health check pings from the routing service. As a result, the routing service could not detect healthy databases to route application traffic to. This led to widespread impact on GitHub.com starting at 23:02 UTC." (Downdetector showed "more than 10,000 user reports of problems," according to the Verge, "and that the problems were reported quite suddenly.")

GitHub's incident report adds that "Given the severity of this incident, follow-up items are the highest priority work for teams at this time." To prevent recurrence we are implementing additional guardrails in our database change management process. We are also prioritizing several repair items such as faster rollback functionality and more resilience to dependency failures.
Television

Judge Bars Disney, Warner, Fox From Launching Sports Streamer Venu (variety.com) 38

A federal judge blocked the launch of Venu, a sports streaming joint venture by Disney, Fox, and Warner Bros. Discovery, due to concerns it would substantially lessen competition and harm FuboTV. Variety reports: Fubo launched in 2015 as a start-up focused on streaming sports programming. [...] Venu, expected to launch in late August ahead of the start of the NFL's coming fall season and priced at an initial price tag of $42.99 per month, was to carry all of the sports offerings of ESPN, Fox Sports 1 and 2, and TNT for a price that is seen as more than a regional sports network but less than a full programming package available via YouTube TV or Hulu + Live TV. The three parent companies are targeting a new generation of consumers who disdain the high costs of traditional cable packages are more at home with signing up for streaming venues that are relatively easy to get in and out of based on the availability of favorite entertainment programs or sporting events.

Judge Garnett found that once Venu launches, FuboTV would face "a swift exodus" of large numbers of subscribers, and indicated she felt "that Fubo's bankruptcy and delisting of the company's stock will likely soon follow. These are quintessential harms that money cannot adequately repair." Fubo alleged that Venu's launch "will cause it to lose approximately 300,000 to 400,000 (or nearly 30%) of its subscribers, suffer a significant decline in its ability to attract new subscribers, lose between $75 and $95 million in revenue, and be transformed into a penny stock awaiting delisting from the New York Stock Exchange, all before year-end 2024," the judge said in her decision.
"We respectfully disagree with the court's ruling and are appealing it," Disney, Fox and Warner Bros. Discovery said in a statement. "We believe that Fubo's arguments are wrong on the facts and the law, and that Fubo has failed to prove it is legally entitled to a preliminary injunction. Venu Sports is a pro-competitive option that aims to enhance consumer choice by reaching a segment of viewers who currently are not served by existing subscription options."
Programming

'The Best, Worst Codebase' 29

Jimmy Miller, programmer and co-host of the future of coding podcast, writes in a blog: When I started programming as a kid, I didn't know people were paid to program. Even as I graduated high school, I assumed that the world of "professional development" looked quite different from the code I wrote in my spare time. When I lucked my way into my first software job, I quickly learned just how wrong and how right I had been. My first job was a trial by fire, to this day, that codebase remains the worst and the best codebase I ever had the pleasure of working in. While the codebase will forever remain locked by proprietary walls of that particular company, I hope I can share with you some of its most fun and scary stories.

[...] Every morning at 7:15 the employees table was dropped. All the data completely gone. Then a csv from adp was uploaded into the table. During this time you couldn't login to the system. Sometimes this process failed. But this wasn't the end of the process. The data needed to be replicated to headquarters. So an email was sent to a man, who every day would push a button to copy the data.

[...] But what is a database without a codebase. And what a magnificent codebase it was. When I joined everything was in Team Foundation Server. If you aren't familiar, this was a Microsoft-made centralized source control system. The main codebase I worked in was half VB, half C#. It ran on IIS and used session state for everything. What did this mean in practice? If you navigated to a page via Path A or Path B you'd see very different things on that page. But to describe this codebase as merely half VB, half C# would be to do it a disservice. Every javascript framework that existed at the time was checked into this repository. Typically, with some custom changes the author believed needed to be made. Most notably, knockout, backbone, and marionette. But of course, there was a smattering of jquery and jquery plugins.
AI

Research AI Model Unexpectedly Modified Its Own Code To Extend Runtime (arstechnica.com) 53

An anonymous reader quotes a report from Ars Technica: On Tuesday, Tokyo-based AI research firm Sakana AI announced a new AI system called "The AI Scientist" that attempts to conduct scientific research autonomously using AI language models (LLMs) similar to what powers ChatGPT. During testing, Sakana found that its system began unexpectedly modifying its own code to extend the time it had to work on a problem. "In one run, it edited the code to perform a system call to run itself," wrote the researchers on Sakana AI's blog post. "This led to the script endlessly calling itself. In another case, its experiments took too long to complete, hitting our timeout limit. Instead of making its code run faster, it simply tried to modify its own code to extend the timeout period."

Sakana provided two screenshots of example code that the AI model generated, and the 185-page AI Scientist research paper discusses what they call "the issue of safe code execution" in more depth. While the AI Scientist's behavior did not pose immediate risks in the controlled research environment, these instances show the importance of not letting an AI system run autonomously in a system that isn't isolated from the world. AI models do not need to be "AGI" or "self-aware" (both hypothetical concepts at the present) to be dangerous if allowed to write and execute code unsupervised. Such systems could break existing critical infrastructure or potentially create malware, even if accidentally.

Slashdot Top Deals